Porting syslog analyzer as another example.

The diff to this commit shows what "porting" involves ...

This also adds a small test for syslog.

scripts/base/protocols/syslog/main.bro

@@ -38,7 +38,7 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(Syslog::LOG, [$columns=Info]);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
 	}
 
 event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5

src/CMakeLists.txt

@@ -152,8 +152,6 @@ binpac_target(smb.pac
     smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
 binpac_target(socks.pac
     socks-protocol.pac socks-analyzer.pac)
-binpac_target(syslog.pac
-    syslog-protocol.pac syslog-analyzer.pac)
 binpac_target(modbus.pac
     modbus-protocol.pac modbus-analyzer.pac)
 
@@ -349,7 +347,6 @@ set(bro_SRCS
     Stats.cc
     SteppingStone.cc
     Stmt.cc
-    Syslog-binpac.cc
     TCP.cc
     TCP_Endpoint.cc
     TCP_Reassembler.cc

src/event.bif

@@ -5828,23 +5828,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%);
 ##
 event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
 
-## Generated for monitored Syslog messages.
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
-## information about the Syslog protocol.
-##
-## c: The connection record for the underlying transport-layer session/flow.
-##
-## facility: The "facility" included in the message.
-##
-## severity: The "severity" included in the message.
-##
-## msg: The message logged.
-##
-## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
-##    syslog will be added soon.
-event syslog_message%(c: connection, facility: count, severity: count, msg: string%);
-
 ## Generated when a signature matches. Bro's signature engine provides
 ## high-performance pattern matching separately from the normal script
 ## processing. If a signature with an ``event`` action matches, this event is

src/protocols/BuiltInAnalyzers.cc

@@ -37,7 +37,6 @@
 #include "POP3.h"
 #include "SOCKS.h"
 #include "SSH.h"
-#include "Syslog-binpac.h"
 #include "Teredo.h"
 #include "ConnSizeAnalyzer.h"
 #include "GTPv1.h"
@@ -90,7 +89,6 @@ void BuiltinAnalyzers::Init()
 	DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
 
 	DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer);
-	DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer);
 	DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
 
 	DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);

src/protocols/CMakeLists.txt

@@ -1,3 +1,4 @@
 
 add_subdirectory(http)
 add_subdirectory(ssl)
+add_subdirectory(syslog)

src/protocols/syslog/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Syslog)
+bro_plugin_cc(Syslog.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
+bro_plugin_end()

src/protocols/syslog/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Syslog.h"
+
+BRO_PLUGIN_BEGIN(Syslog)
+	BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)";
+	BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/protocols/syslog/Syslog.cc

@@ -1,21 +1,22 @@
-#include "Syslog-binpac.h"
+
+#include "Syslog.h"
 #include "TCP_Reassembler.h"
 
-Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn)
-: Analyzer("SYSLOG_BINPAC", conn)
+Syslog_Analyzer::Syslog_Analyzer(Connection* conn)
+: Analyzer("SYSLOG", conn)
 	{
 	interp = new binpac::Syslog::Syslog_Conn(this);
 	did_session_done = 0;
-	//ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer,
+	//ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer,
 	//		network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
 	}
 
-Syslog_Analyzer_binpac::~Syslog_Analyzer_binpac()
+Syslog_Analyzer::~Syslog_Analyzer()
 	{
 	delete interp;
 	}
 
-void Syslog_Analyzer_binpac::Done()
+void Syslog_Analyzer::Done()
 	{
 	Analyzer::Done();
 
@@ -23,13 +24,13 @@ void Syslog_Analyzer_binpac::Done()
 		Event(udp_session_done);
 	}
 
-void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->NewData(orig, data, data + len);
 	}
 
-//void Syslog_Analyzer_binpac::ExpireTimer(double t)
+//void Syslog_Analyzer::ExpireTimer(double t)
 //	{
 //	// The - 1.0 in the following is to allow 1 second for the
 //	// common case of a single request followed by a single reply,
@@ -40,22 +41,22 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori
 //		sessions->Remove(Conn());
 //		}
 //	else
-//		ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer,
+//		ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer,
 //				t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
 //	}
 
-//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn)
+//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn)
 //: TCP_ApplicationAnalyzer(conn)
 //	{
 //	interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this);
 //	}
 
-//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac()
+//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer()
 //	{
 //	delete interp;
 //	}
 
-//void Syslog_TCP_Analyzer_binpac::Done()
+//void Syslog_TCP_Analyzer::Done()
 //	{
 //	TCP_ApplicationAnalyzer::Done();
 //
@@ -63,13 +64,13 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori
 //	interp->FlowEOF(false);
 //	}
 
-//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 //	{
 //	TCP_ApplicationAnalyzer::EndpointEOF(endp);
 //	interp->FlowEOF(endp->IsOrig());
 //	}
 
-//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data,
+//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data,
 //						bool orig)
 //	{
 //	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
@@ -83,7 +84,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori
 //	interp->NewData(orig, data, data + len);
 //	}
 
-//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig)
 //	{
 //	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 //	interp->NewGap(orig, len);

src/protocols/syslog/Syslog.h

@@ -1,22 +1,23 @@
-#ifndef Syslog_binpac_h
-#define Syslog_binpac_h
+
+#ifndef Syslog_h
+#define Syslog_h
 
 #include "UDP.h"
 #include "TCP.h"
 
 #include "syslog_pac.h"
 
-class Syslog_Analyzer_binpac : public analyzer::Analyzer {
+class Syslog_Analyzer : public analyzer::Analyzer {
 public:
-	Syslog_Analyzer_binpac(Connection* conn);
-	virtual ~Syslog_Analyzer_binpac();
+	Syslog_Analyzer(Connection* conn);
+	virtual ~Syslog_Analyzer();
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
-		{ return new Syslog_Analyzer_binpac(conn); }
+		{ return new Syslog_Analyzer(conn); }
 
 protected:
 	void ExpireTimer(double t);
@@ -28,10 +29,10 @@ protected:
 
 // #include "Syslog_tcp_pac.h"
 //
-//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer {
 //public:
-//	Syslog_TCP_Analyzer_binpac(Connection* conn);
-//	virtual ~Syslog_TCP_Analyzer_binpac();
+//	Syslog_TCP_Analyzer(Connection* conn);
+//	virtual ~Syslog_TCP_Analyzer();
 //
 //	virtual void Done();
 //	virtual void DeliverStream(int len, const u_char* data, bool orig);
@@ -39,7 +40,7 @@ protected:
 //	virtual void EndpointEOF(TCP_Reassembler* endp);
 //
 //	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
-//		{ return new Syslog_TCP_Analyzer_binpac(conn); }
+//		{ return new Syslog_TCP_Analyzer(conn); }
 //
 //protected:
 //	binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp;

src/protocols/syslog/events.bif

@@ -0,0 +1,17 @@
+
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
+##    syslog will be added soon.
+event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

src/protocols/syslog/syslog.pac

@@ -1,3 +1,8 @@
+
+%extern{
+        #include "events.bif.h"
+%}
+
 %include binpac.pac
 %include bro.pac
 

testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	syslog
+#open	2013-04-05-20-06-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	facility	severity	message
+#types	time	string	addr	port	addr	port	enum	string	string	string
+1365191811.424495	UWkUyAuUGXf	127.0.0.1	57067	127.0.0.1	514	udp	LOCAL0	NOTICE	Apr  5 12:56:51 robin: Hello, syslog!\x00
+#close	2013-04-05-20-06-27

testing/btest/scripts/base/protocols/syslog/trace.test

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/syslog-single-udp.trace %INPUT
+# @TEST-EXEC: btest-diff syslog.log
+
+@load base/protocols/syslog