diff --git a/NEWS b/NEWS
index a394cb6e35..aa7c86f74e 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,9 @@ New Dependencies
New Functionality
-----------------
+- Bro now includes the NetControl framework. The framework allows the easy
+ interaction of Bro with hard- and software switches, firewalls, etc.
+
- Bro now supports the Radiotap header for 802.11 frames.
- Bro now tracks VLAN IDs. To record them inside the connection log,
@@ -37,6 +40,27 @@ New Functionality
argument that will be used for decoding errors into weird.log
(instead of reporter.log).
+- Two new built-in functions for handling set[subnet] and table[subnet]:
+
+ - check_subnet(subnet, table) checks if a specific subnet is a member
+ of a set/table. This is different from the "in" operator, which always
+ performs a longest prefix match.
+
+ - matching_subnets(subnet, table) returns all subnets of the set or table
+ that contain the given subnet.
+
+- Several built-in functions for handline IP addresses and subnets were added:
+
+ - is_v4_subnet(subnet) checks whether a subnet specification is IPv4.
+
+ - is_v6_subnet(subnet) checks whether a subnet specification is IPv6.
+
+ - addr_to_subnet(addr) converts an IP address to a /32 subnet.
+
+ - subnet_to_addr(subnet) returns the IP address part of a subnet.
+
+ - subnet_width(subnet) returns the width of a subnet.
+
- The IRC analyzer now recognizes StartTLS sessions and enable the SSL
analyzer for them.
diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro
index 580d9b6d30..5b60f8d955 100644
--- a/scripts/base/frameworks/netcontrol/main.bro
+++ b/scripts/base/frameworks/netcontrol/main.bro
@@ -515,7 +515,11 @@ function check_plugins()
if ( all_active )
{
plugins_active = T;
- log_msg_no_plugin("plugin initialization done");
+
+ # Skip log message if there are no plugins
+ if ( |plugins| > 0 )
+ log_msg_no_plugin("plugin initialization done");
+
event NetControl::init_done();
}
}
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index b247670177..25808a20d8 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -228,7 +228,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -346,7 +346,9 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
+0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) ->
0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) ->
@@ -624,6 +626,7 @@
0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1
0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1
0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1
+0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false
0.000000 MetaHookPost QueueEvent(bro_init()) -> false
0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false
0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
@@ -856,7 +859,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -974,7 +977,9 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
+0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
0.000000 MetaHookPre CallFunction(PacketFilter::build, , ())
0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, ))
@@ -1252,6 +1257,7 @@
0.000000 MetaHookPre LoadFile(base<...>/urls)
0.000000 MetaHookPre LoadFile(base<...>/utils)
0.000000 MetaHookPre LoadFile(base<...>/x509)
+0.000000 MetaHookPre QueueEvent(NetControl::init())
0.000000 MetaHookPre QueueEvent(bro_init())
0.000000 MetaHookPre QueueEvent(filter_change_tracking())
0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@@ -1483,7 +1489,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1601,7 +1607,9 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1455741196.212164, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction NetControl::check_plugins()
+0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
0.000000 | HookCallFunction PacketFilter::build()
0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1640,6 +1648,7 @@
0.000000 | HookLoadFile <...>/bro
0.000000 | HookLoadFile base<...>/bif
0.000000 | HookLoadFile base<...>/bro
+0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()
1362692526.869344 MetaHookPost BroObjDtor() ->
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 5b75945aeb..b69c74b717 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -1,5 +1,6 @@
0.000000 bro_init
0.000000 filter_change_tracking
+ 0.000000 NetControl::init
1254722767.492060 protocol_confirmation
1254722767.492060 ChecksumOffloading::check
1254722767.492060 filter_change_tracking
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 485c4318e2..27cf2dab34 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -1,5 +1,6 @@
0.000000 bro_init
0.000000 filter_change_tracking
+ 0.000000 NetControl::init
1254722767.492060 protocol_confirmation
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]
[1] atype: enum = Analyzer::ANALYZER_DNS
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
index c476751d57..5c42f0d8eb 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
@@ -21,12 +21,26 @@ redef Log::default_rotation_interval = 0secs;
@load base/frameworks/netcontrol
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event bro_init()
+ {
+ suspend_processing();
+ }
+@endif
+
event NetControl::init()
{
local netcontrol_debug = NetControl::create_debug(T);
NetControl::activate(netcontrol_debug, 0);
}
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event remote_connection_handshake_done(p: event_peer)
+ {
+ continue_processing();
+ }
+@endif
+
event connection_established(c: connection)
{
local id = c$id;