Merge remote-tracking branch 'origin/topic/jsiwek/autodoc-fixes' into topic/gregor/tunnel

scripts/CMakeLists.txt

@@ -1,9 +1,8 @@
 include(InstallPackageConfigFile)
 
-install(DIRECTORY ./ DESTINATION ${POLICYDIR} FILES_MATCHING
+install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
         PATTERN "all.bro" EXCLUDE
         PATTERN "site/local.bro" EXCLUDE
-        PATTERN "bro.init"
         PATTERN "*.bro"
         PATTERN "*.sig"
         PATTERN "*.osf"
@@ -13,6 +12,6 @@ install(DIRECTORY ./ DESTINATION ${POLICYDIR} FILES_MATCHING
 # user modify-able.
 InstallPackageConfigFile(
     ${CMAKE_CURRENT_SOURCE_DIR}/site/local.bro
-    ${POLICYDIR}/site
+    ${BRO_SCRIPT_INSTALL_PATH}/site
     local.bro)
 

scripts/base/frameworks/cluster/setup-connections.bro

@@ -1,3 +1,5 @@
+@load base/frameworks/communication
+
 module Cluster;
 
 event bro_init() &priority=9

scripts/base/frameworks/communication/__load__.bro

@@ -2,4 +2,4 @@
 # TODO: get rid of this as soon as the Expr.cc hack is changed.
 @if ( getenv("ENABLE_COMMUNICATION") != "" )
 @load ./main
-@endif
+@endif

scripts/base/frameworks/metrics/conn-example.bro

@@ -1,4 +1,4 @@
-@load frameworks/metrics
+@load base/frameworks/metrics
 
 redef enum Metrics::ID += { 
 	CONNS_ORIGINATED, 
@@ -16,4 +16,4 @@ event connection_established(c: connection)
 	Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1);
 	Metrics::add_data(CONNS_RESPONDED,  [$host=c$id$resp_h], 1);
 	}
-	
+	

scripts/base/frameworks/metrics/http-example.bro

@@ -1,4 +1,4 @@
-@load frameworks/metrics
+@load base/frameworks/metrics
 
 redef enum Metrics::ID += {
 	HTTP_REQUESTS_BY_STATUS_CODE,
@@ -17,4 +17,4 @@ event HTTP::log_http(rec: HTTP::Info)
 		Metrics::add_data(HTTP_REQUESTS_BY_HOST, [$index=rec$host], 1);
 	if ( rec?$status_code )
 		Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $index=fmt("%d", rec$status_code)], 1);
-	}
+	}

scripts/base/frameworks/notice/actions/email_admin.bro

@@ -1,4 +1,3 @@
-
 module Notice;
 
 export {
@@ -25,4 +24,4 @@ event notice(n: Notice::Info) &priority=-5
 		if ( email != "" )
 			email_notice_to(n, email, T);
 		}
-	}
+	}

scripts/base/frameworks/notice/extend-email/hostnames.bro

@@ -8,7 +8,7 @@ event Notice::notice(n: Notice::Info) &priority=10
 		return;
 	
 	# This should only be done for notices that are being sent to email.
-	if ( ACTION_EMAIL !in n$action )
+	if ( ACTION_EMAIL !in n$actions )
 		return;
 		
 	local output = "";
@@ -37,4 +37,4 @@ event Notice::notice(n: Notice::Info) &priority=10
 	
 	if ( output != "" )
 		n$email_body_sections[|n$email_body_sections|] = output;
-	}
+	}

scripts/base/frameworks/notice/weird.bro

@@ -1,4 +1,3 @@
-
 module Weird;
 
 export {

scripts/base/init-default.bro

@@ -1,10 +1,8 @@
 ##! This script loads everything in the base/ script directory.  If you want
-##! to run Bro without all of these scripts loaded by default, you can define
-##! the BRO_NO_BASE_SCRIPTS environment variable to any value.  You can also
-##! copy the "@load" lines from this script to your own script to load only
-##! the scripts that you actually want.
-
-@if ( getenv("BRO_NO_BASE_SCRIPTS") == "" )
+##! to run Bro without all of these scripts loaded by default, you can use
+##! the -b (--bare-mode) command line argument.  You can also copy the "@load"
+##! lines from this script to your own script to load only the scripts that 
+##! you actually want.
 
 @load base/utils/site
 @load base/utils/addrs
@@ -17,7 +15,8 @@
 @load base/utils/strings
 @load base/utils/thresholds
 
-# This has some weird interplay between types and BiFs so it's loaded in bro.init
+# This has some deep interplay between types and BiFs so it's 
+# loaded in base/init-bare.bro
 #@load base/frameworks/logging
 @load base/frameworks/notice
 @load base/frameworks/dpd
@@ -40,5 +39,3 @@
 @load base/protocols/ssh
 @load base/protocols/ssl
 @load base/protocols/syslog
-
-@endif

scripts/base/protocols/mime/base.bro

@@ -1,7 +1,7 @@
 ##! The mime script does analysis of MIME encoded messages seen in certain
 ##! protocols (only SMTP and POP3 at the moment).
 
-@load utils/strings
+@load base/utils/strings
 
 module MIME;
 

scripts/base/protocols/mime/file-extract.bro

@@ -1,5 +1,5 @@
-@load protocols/mime/file-ident
-@load utils/files
+@load ./file-ident
+@load base/utils/files
 
 module MIME;
 
@@ -57,4 +57,4 @@ event mime_end_entity(c: connection) &priority=-3
 	if ( c$mime?$extraction_file )
 		close(c$mime$extraction_file);
 	}
-	
+	

scripts/base/protocols/mime/file-hash.bro

@@ -1,4 +1,4 @@
-@load protocols/mime/file-ident
+@load ./file-ident
 
 module MIME;
 
@@ -75,4 +75,4 @@ event mime_end_entity(c: connection) &priority=-3
 		NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h),
 		        $sub=c$mime$md5, $conn=c]);
 		}
-	}
+	}

scripts/base/protocols/mime/file-ident.bro

@@ -1,4 +1,4 @@
-@load protocols/mime/base
+@load ./base
 
 module MIME;
 

scripts/policy/frameworks/communication/listen-clear.bro

@@ -1,5 +1,7 @@
 ##! Listen for other Bro instances to make unencrypted connections.
 
+@load base/frameworks/communication
+
 module Communication;
 
 export {

scripts/policy/frameworks/communication/listen-ssl.bro

@@ -1,5 +1,7 @@
 ##! Listen for other Bro instances and encrypt the connection with SSL.
 
+@load base/frameworks/communication
+
 module Communication;
 
 export {

scripts/policy/frameworks/control/controller.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/communication
 
 module Control;
 
@@ -99,4 +100,4 @@ event remote_connection_handshake_done(p: event_peer) &priority=-10
 		# Signal configuration update to peer.
 		event Control::configuration_update_request();
 		}
-	}
+	}

scripts/policy/protocols/conn/scan.bro

@@ -1,4 +1,4 @@
-@load frameworks/notice
+@load base/frameworks/notice
 @load port-name
 
 module Scan;

scripts/site/local.bro

@@ -1,4 +1,5 @@
-##! Local site policy. Customize as appropriate.
+##! Local site policy. Customize as appropriate. This file will not be 
+##! overwritten when upgrading or reinstalling.
 
 # Load the script to log which script were loaded during each run
 @load misc/loaded-scripts
@@ -8,7 +9,8 @@
 
 # Vulnerable versions of software to generate notices for when discovered.
 # The default is to only monitor software found in the address space defined
-# as "local".  Refer to the software framework's documentation for more information.
+# as "local".  Refer to the software framework's documentation for more 
+# information.
 @load frameworks/software/vulnerable
 redef Software::vulnerable_versions += {
 	["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
@@ -18,3 +20,27 @@ redef Software::vulnerable_versions += {
 # This adds signatures to detect cleartext forward and reverse windows shells.
 redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
 
+# Load all of the scripts that detect software in various protocols.
+@load protocols/http/software
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+
+# Load the script to detect DNS results pointing toward your Site::local_nets 
+# where the name is not part of your local DNS zone and is being hosted 
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# Load the script to enable SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs