From be7110f6c09dba2c255cd28cf1454d38cc8ee02f Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 14 Mar 2019 18:47:32 -0700
Subject: [PATCH] Make Syslog analyzer accept messages that omit Priority

Essentially, it will now process/parse priority values if they are there, or else just accept whatever remaining data/text is there as the syslog message.

Reasoning is that there's syslog producers out there that may have simply forgotten/neglected to send the priority value and technically won't conform to what the standard says, though we can infer the intent (some syslog consumers already may do similarly, but I didn't verify).
---
 doc | 2 +-
 scripts/base/protocols/syslog/consts.bro | 4 ++-
 .../protocol/syslog/syslog-analyzer.pac | 25 +++++++++++++-----
 .../protocol/syslog/syslog-protocol.pac | 23 +++++++++++++---
 .../syslog.log | 10 +++++++
 testing/btest/Traces/syslog-missing-pri.trace | Bin 0 -> 143 bytes
 .../base/protocols/syslog/missing-pri.bro | 4 +++
 7 files changed, 55 insertions(+), 13 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log
 create mode 100755 testing/btest/Traces/syslog-missing-pri.trace
 create mode 100644 testing/btest/scripts/base/protocols/syslog/missing-pri.bro

diff --git a/doc b/doc
index 5849f875ea..11db899c89 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 5849f875ea6cae038d4881eba326256202e711be
+Subproject commit 11db899c89686d551b539c069b4d2aec2ffd49c9
diff --git a/scripts/base/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.bro
index dce1877ecf..c68cbda658 100644
--- a/scripts/base/protocols/syslog/consts.bro
+++ b/scripts/base/protocols/syslog/consts.bro
@@ -29,6 +29,7 @@ export {
 [21] = "LOCAL5",
 [22] = "LOCAL6",
 [23] = "LOCAL7",
+ [999] = "UNSPECIFIED",
 } &default=function(c: count): string { return fmt("?-%d", c); };

 ## Mapping between the constants and string values for syslog severities.
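Review bot: `[999] = "UNSPECIFIED"` adds a sentinel to the facility table without saying that it is not a wire value; a syslog PRI only encodes facilities 0–23 and severities 0–7, so a script author reading this table cannot tell whether 999 can arrive in traffic or is an analyzer convention. Suggest a comment on the added line: `# 999 is not a wire value: the analyzer reports it when a message carries no <PRI> field.` The same comment belongs on the matching entry in the severity table, and a shared named constant (e.g. `Syslog::UNSPECIFIED_PRI`) would keep the script side and the analyzer agreeing on the number.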
@@ -41,5 +42,6 @@ export {
 [5] = "NOTICE",
 [6] = "INFO",
 [7] = "DEBUG",
+ [999] = "UNSPECIFIED",
 } &default=function(c: count): string { return fmt("?-%d", c); };
-}
\ No newline at end of file
+}
diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac
index 6657a63699..46e2cc171d 100644
--- a/src/analyzer/protocol/syslog/syslog-analyzer.pac
+++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac
@@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer)
 flow Syslog_Flow {
- datagram = Syslog_Message withcontext(connection, this);
+ datagram = Syslog_Message_Optional_PRI withcontext(connection, this);

 function process_syslog_message(m: Syslog_Message): bool
 %{
- BifEvent::generate_syslog_message(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${m.PRI.facility},
- ${m.PRI.severity},
- new StringVal(${m.msg}.length(), (const char*) ${m.msg}.begin())
- );
+ if ( ${m.has_pri} )
+ BifEvent::generate_syslog_message(
+ connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ ${m.PRI.facility},
+ ${m.PRI.severity},
+ new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+ );
+ else
+ BifEvent::generate_syslog_message(
+ connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ 999,
+ 999,
+ new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+ );
+
 return true;
 %}
diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac
index c1502fc534..41c42eba59 100644
--- a/src/analyzer/protocol/syslog/syslog-protocol.pac
+++ b/src/analyzer/protocol/syslog/syslog-protocol.pac
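Review bot: The `else` branch reports any datagram whose first byte is not `<` as a syslog message with facility/severity 999, so the analyzer no longer distinguishes a non-conforming syslog sender from arbitrary UDP payload reaching the syslog port; if this analyzer confirms the protocol after a successful parse (not visible in this hunk), that confirmation now fires for anything at all. Consider raising a weird or a separate event on the nonstandard path so operators can see how often it happens, rather than silently folding it into `syslog_message`. Separately, `999` is a bare magic number used twice and the two generate calls differ only in their facility/severity arguments; `int facility = ${m.has_pri} ? ${m.PRI.facility} : SYSLOG_PRI_UNSPECIFIED;` with a matching `severity` line and a single call would make the sentinel greppable and keep it in one place. The enclosing `flow Syslog_Flow` declaration starts and ends outside the hunk.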
@@ -1,12 +1,27 @@
-type Syslog_Message = record {
- PRI: Syslog_Priority;
+type Syslog_Message_Optional_PRI = record {
+ lt: uint8;
+ after_lt: bytestring &restofdata &transient;
+}
+&byteorder = littleendian
+&exportsourcedata
+&let {
+ standard: Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<'
+ nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60);
+};
+
+type Syslog_Message(has_pri: bool) = record {
+ opt_pri: case has_pri of {
+ true -> PRI: Syslog_Priority;
+ false -> nothing: empty;
+ };
+
 msg: bytestring &restofdata;
 } &byteorder = littleendian;

 type Syslog_Priority = record {
- lt : uint8; # &check(lt == 60); # '<'
+ lt : uint8 &enforce(lt == 60); # '<'
 val : RE/[[:digit:]]+/;
- gt : uint8; # &check(gt == 62); # '>'
+ gt : uint8 &enforce(gt == 62); # '>'
 } &let {
 val_length: int = sizeof(val) - 1;
 int_val: int = bytestring_to_int(val, 10);
diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log
new file mode 100644
index 0000000000..2a1faf440e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path syslog
+#open 2019-03-15-01-41-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message
+#types time string addr port addr port enum string string string
+1552584410.781231 CHhAvVGS1DHFjwGM9 192.168.2.118 60786 192.168.2.21 514 udp UNSPECIFIED UNSPECIFIED This is not really a syslog message #173538 1552584410.781186
+#close 2019-03-15-01-41-39
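Review bot: The new `&enforce(gt == 62)` makes a datagram that starts with `<` but is not followed by `digits>` fail with a parse exception, while the new `nonstandard` branch accepts a datagram with no `<` at all, so the relaxed parsing is inconsistent: `<html>` or `<13 foo` is rejected but `13 foo` is accepted, and the commit message should say which behaviour is intended. The `&enforce(lt == 60)` on `Syslog_Priority.lt` is redundant, since `Syslog_Message_Optional_PRI` only instantiates `standard` under `&if(lt == 60)`. Nothing bounds the priority either: `val: RE/[[:digit:]]+/` is unbounded, `bytestring_to_int` on a long digit run may overflow or saturate depending on its implementation (not shown here), and any value above 191 yields facilities the consts table prints as `?-N`; a check such as `&enforce(int_val <= 191)` in the `&let`, or limiting the regex to 1–3 digits, would match the syslog PRI range. The `&let` block of `Syslog_Priority` continues past the end of the hunk.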
diff --git a/testing/btest/Traces/syslog-missing-pri.trace b/testing/btest/Traces/syslog-missing-pri.trace new file mode 100755 index 0000000000000000000000000000000000000000..625ecddf749c9e3966d3e6f1ac8012e008965bb5 GIT binary patch literal 143 zcmca|c+)~A1{MYcU}0bca&Gl?#jJnL&5#acgYcx~4+AU`K1j@1=qSO#;L5-d`7NG- z!9nm}#DNt|Wk4+Ywup&|!PUzyBqOs}0f_SQOB9My6LWGZ6%rMSD~ogT(-m@4i;EM} fQx%jA&5ccsEffq*O^r+~OiT<7^vo>`4K2(79x5n@ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/syslog/missing-pri.bro b/testing/btest/scripts/base/protocols/syslog/missing-pri.bro new file mode 100644 index 0000000000..c33eb1638b --- /dev/null +++ b/testing/btest/scripts/base/protocols/syslog/missing-pri.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/syslog-missing-pri.trace %INPUT +# @TEST-EXEC: btest-diff syslog.log + +@load base/protocols/syslog
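Review bot: The new test exercises only the no-PRI case, and the baseline next to it contains a single row, so nothing in this change guards the paths that the protocol hunk alters for `<`-prefixed input (a well-formed `<13>` message and a malformed `<xyz` one). A second trace, or a few more datagrams in this one, with `@TEST-EXEC: btest-diff weird.log` if the analyzer reports malformed priorities, would pin the intended behaviour of the new `&enforce` clauses as well as the fallback.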