Test-suite passes.
All tests pass with one exception: some Broxygen tests are broken because dpd_config doesn't exist anymore. Need to update the mechanism for auto-documenting well-known ports.
This commit is contained in:
parent
eef4858692
commit
2be985433c
28 changed files with 84 additions and 62 deletions
|
@ -16,6 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
|
|||
rest_target(${psd} base/init-default.bro internal)
|
||||
rest_target(${psd} base/init-bare.bro internal)
|
||||
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
|
||||
|
@ -24,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
|
|||
rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
|
||||
rest_target(${psd} base/frameworks/analyzer/main.bro)
|
||||
rest_target(${psd} base/frameworks/cluster/main.bro)
|
||||
rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
|
||||
rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro)
|
||||
|
|
|
@ -54,11 +54,13 @@ global example_ports = {
|
|||
443/tcp, 562/tcp,
|
||||
} &redef;
|
||||
|
||||
# redefinitions of "dpd_config" are self-documenting and
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
# Registering a well-known port is self-documenting and
|
||||
# go into the generated doc's "Port Analysis" section
|
||||
redef dpd_config += {
|
||||
[ANALYZER_SSL] = [$ports = example_ports]
|
||||
};
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports);
|
||||
}
|
||||
|
||||
# redefinitions of "Notice::Type" are self-documenting, but
|
||||
# more information can be supplied in two different ways
|
||||
|
|
|
@ -20,6 +20,9 @@ export {
|
|||
## XXX.
|
||||
global registered_ports: function(tag: Analyzer::Tag) : set[port];
|
||||
|
||||
## XXX
|
||||
global all_registered_ports: function() : table[Analyzer::Tag] of set[port];
|
||||
|
||||
## Translate an analyzer type to an ASCII string.
|
||||
##
|
||||
## atype: The analyzer tag.
|
||||
|
@ -106,6 +109,11 @@ function registered_ports(tag: Analyzer::Tag) : set[port]
|
|||
return tag in ports ? ports[tag] : set();
|
||||
}
|
||||
|
||||
function all_registered_ports(): table[Analyzer::Tag] of set[port]
|
||||
{
|
||||
return ports;
|
||||
}
|
||||
|
||||
function name(atype: Analyzer::Tag) : string
|
||||
{
|
||||
return __name(atype);
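Review bot: The two new exported functions are published with `## XXX.` / `## XXX` placeholder docs (the lines above `global registered_ports` and `global all_registered_ports`), which is exactly what Broxygen will render for the framework's public API. Suggested text: `## Returns the set of ports currently registered for the given analyzer tag, or an empty set if none are registered.` and `## Returns the table of all port registrations, keyed by analyzer tag.` If tables have reference semantics here, `return ports;` in all_registered_ports hands callers the framework's own registry rather than a copy, so either say so in the doc or return `copy(ports)` if callers must not mutate it — I can't confirm the semantics from the hunk. registered_ports begins outside the hunk and name continues past it.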
|
||||
|
|
|
@ -126,6 +126,8 @@ event bro_init() &priority=5
|
|||
{
|
||||
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
|
||||
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports);
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports);
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports);
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports);
|
||||
}
|
||||
|
|
|
@ -70,7 +70,7 @@ export {
|
|||
}
|
||||
|
||||
# Table that tracks currently active dynamic analyzers per connection.
|
||||
global conns: table[conn_id] of set[count];
|
||||
global conns: table[conn_id] of set[Analyzer::Tag];
|
||||
|
||||
# Table of reports by other analyzers about the protocol used in a connection.
|
||||
global protocols: table[conn_id] of set[string];
|
||||
|
@ -80,7 +80,7 @@ type protocol : record {
|
|||
sub: string; # "sub-protocols" reported by other sources
|
||||
};
|
||||
|
||||
function get_protocol(c: connection, a: count) : protocol
|
||||
function get_protocol(c: connection, a: Analyzer::Tag) : protocol
|
||||
{
|
||||
local str = "";
|
||||
if ( c$id in protocols )
|
||||
|
@ -97,7 +97,7 @@ function fmt_protocol(p: protocol) : string
|
|||
return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a;
|
||||
}
|
||||
|
||||
function do_notice(c: connection, a: count, d: dir)
|
||||
function do_notice(c: connection, a: Analyzer::Tag, d: dir)
|
||||
{
|
||||
if ( d == BOTH )
|
||||
return;
|
||||
|
@ -113,7 +113,7 @@ function do_notice(c: connection, a: count, d: dir)
|
|||
|
||||
NOTICE([$note=Protocol_Found,
|
||||
$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
|
||||
$sub=s, $conn=c, $n=a]);
|
||||
$sub=s, $conn=c]);
|
||||
|
||||
# We report multiple Server_Found's per host if we find a new
|
||||
# sub-protocol.
|
||||
|
@ -129,7 +129,7 @@ function do_notice(c: connection, a: count, d: dir)
|
|||
NOTICE([$note=Server_Found,
|
||||
$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
|
||||
c$id$resp_p, (known ? " (update)" : "")),
|
||||
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]);
|
||||
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
|
||||
|
||||
if ( ! known )
|
||||
servers[c$id$resp_h, c$id$resp_p, p$a] = set();
|
||||
|
@ -214,7 +214,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
|
|||
}
|
||||
}
|
||||
|
||||
function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string)
|
||||
function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string)
|
||||
{
|
||||
# Don't report anything running on a well-known port.
|
||||
if ( c$id$resp_p in Analyzer::registered_ports(atype) )
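Review bot: Dropping `$n=a` from both NOTICE calls (hunks @ -113 and @ -129) removes the only notice field that carried the analyzer that produced the report; the tag is now present only indirectly through `s`, since fmt_protocol prints `p$a`. If Notice::Info has no field typed Analyzer::Tag this is the right call, but a comment such as `# The analyzer is identified via $sub (fmt_protocol includes p$a); Notice::Info has no tag field.` would stop the next reader from treating it as an accidental deletion. do_notice begins and ends outside these hunks.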
|
||||
|
|
|
@ -42,10 +42,16 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
|
|||
string arg = str.substr(0, pos);
|
||||
analyzer = analyzer_mgr->GetAnalyzerTag(arg);
|
||||
|
||||
if ( ! analyzer )
|
||||
reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
|
||||
|
||||
if ( pos != string::npos )
|
||||
{
|
||||
arg = str.substr(pos + 1);
|
||||
child_analyzer = analyzer_mgr->GetAnalyzerTag(arg);
|
||||
|
||||
if ( ! child_analyzer )
|
||||
reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
|
||||
}
|
||||
else
|
||||
child_analyzer = analyzer::Tag::ERROR;
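Review bot: After `reporter->Warning("unknown analyzer '%s' specified in rule", ...)` the constructor keeps going and stores the unresolved tag in `analyzer` (and likewise `child_analyzer`), so a signature rule whose action names a misspelled analyzer is accepted and then does nothing at match time, with only a log line to show for it. Because these rule actions decide which analyzer is attached to matched traffic, a silently inert rule is easy to miss; consider `reporter->Error(...)` so the rule set is rejected, or record the failure so the action is explicitly skipped. Whether `! analyzer` is meaningful for an unresolved tag depends on Tag's boolean conversion, which is not in the hunk. RuleActionAnalyzer's constructor starts before this hunk.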
|
||||
|
|
|
@ -41,15 +41,20 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
|
|||
|
||||
analyzer::ID Analyzer::id_counter = 0;;
|
||||
|
||||
const string& Analyzer::GetAnalyzerName() const
|
||||
{
|
||||
return analyzer_mgr->GetAnalyzerName(tag);
|
||||
}
|
||||
|
||||
bool Analyzer::IsAnalyzer(const char* name)
|
||||
{
|
||||
return analyzer_mgr->GetAnalyzerName(Tag()) == name;
|
||||
return analyzer_mgr->GetAnalyzerName(tag) == name;
|
||||
}
|
||||
|
||||
// Used in debugging output.
|
||||
static string fmt_analyzer(Analyzer* a)
|
||||
{
|
||||
return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID());
|
||||
return a->GetAnalyzerName() + fmt("[%d]", a->GetID());
|
||||
}
|
||||
|
||||
Analyzer::Analyzer(const char* name, Connection* arg_conn)
|
||||
|
@ -320,7 +325,7 @@ void Analyzer::ForwardEndOfData(bool orig)
|
|||
|
||||
void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init)
|
||||
{
|
||||
if ( HasChildAnalyzer(analyzer->GetTag()) )
|
||||
if ( HasChildAnalyzer(analyzer->GetAnalyzerTag()) )
|
||||
{
|
||||
analyzer->Done();
|
||||
delete analyzer;
|
||||
|
@ -381,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id)
|
|||
LOOP_OVER_CHILDREN(i)
|
||||
if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) )
|
||||
{
|
||||
DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id,
|
||||
DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id,
|
||||
fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
|
||||
// See comment above.
|
||||
(*i)->removing = true;
|
||||
|
@ -460,7 +465,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i)
|
|||
|
||||
void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer)
|
||||
{
|
||||
if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) )
|
||||
if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) )
|
||||
{
|
||||
DBG_LOG(DBG_DPD, "%s already has %s %s",
|
||||
fmt_analyzer(this).c_str(),
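Review bot: The changed DBG_LOG in RemoveChildAnalyzer (hunk @ -381) still passes four arguments to a two-`%s` format — `GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()` — so the second `%s` receives `id`, an integer, which is undefined behaviour and a likely crash whenever DBG_DPD logging is enabled. The call in AddSupportAnalyzer a few lines down shows the intended shape; `DBG_LOG(DBG_DPD, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());` matches it. This assumes DBG_LOG is printf-style, which the `%s`/`.c_str()` usage suggests. The stray `;;` after `id_counter = 0` in the first hunk is harmless but worth trimming while here.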
|
||||
|
|
|
@ -140,7 +140,8 @@ public:
|
|||
|
||||
bool IsFinished() const { return finished; }
|
||||
|
||||
Tag GetTag() const { return tag; }
|
||||
Tag GetAnalyzerTag() const { return tag; }
|
||||
const string& GetAnalyzerName() const;
|
||||
bool IsAnalyzer(const char* name);
|
||||
|
||||
// Management of the tree.
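Review bot: `bool IsAnalyzer(const char* name);` is declared non-const although the definition shown in Analyzer.cc on this page only reads `tag`, and its neighbours `GetAnalyzerTag()` and `GetAnalyzerName()` are const, so callers holding a `const Analyzer*` cannot use it; `bool IsAnalyzer(const char* name) const;` with the matching definition. The three new accessors also carry no comment; one line each would do, e.g. `// Name as registered with the analyzer manager; "<error>" if the tag is unknown.` for GetAnalyzerName. The class continues beyond the hunk.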
|
||||
|
|
|
@ -316,10 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn)
|
|||
return a;
|
||||
}
|
||||
|
||||
string Manager::GetAnalyzerName(Tag tag)
|
||||
const string& Manager::GetAnalyzerName(Tag tag)
|
||||
{
|
||||
static string error = "<error>";
|
||||
|
||||
if ( ! tag )
|
||||
return "<error>";
|
||||
return error;
|
||||
|
||||
PluginComponent* c = Lookup(tag);
|
||||
|
||||
|
@ -329,7 +331,7 @@ string Manager::GetAnalyzerName(Tag tag)
|
|||
return c->Name();
|
||||
}
|
||||
|
||||
string Manager::GetAnalyzerName(Val* val)
|
||||
const string& Manager::GetAnalyzerName(Val* val)
|
||||
{
|
||||
return GetAnalyzerName(Tag(val->AsEnumVal()));
|
||||
}
|
||||
|
@ -354,13 +356,13 @@ EnumType* Manager::GetTagEnumType()
|
|||
|
||||
PluginComponent* Manager::Lookup(const string& name)
|
||||
{
|
||||
analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name);
|
||||
analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name));
|
||||
return i != analyzers_by_name.end() ? i->second : 0;
|
||||
}
|
||||
|
||||
PluginComponent* Manager::Lookup(const char* name)
|
||||
{
|
||||
analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name);
|
||||
analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name));
|
||||
return i != analyzers_by_name.end() ? i->second : 0;
|
||||
}
|
||||
|
||||
|
@ -598,7 +600,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
|
|||
{
|
||||
if ( IsEnabled(analyzer_connsize) )
|
||||
// Add ConnSize analyzer. Needs to see packets, not stream.
|
||||
udp->AddChildAnalyzer(new ConnSize_Analyzer(conn));
|
||||
root->AddChildAnalyzer(new ConnSize_Analyzer(conn));
|
||||
}
|
||||
|
||||
if ( pia )
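Review bot: Both Lookup overloads now uppercase the query with `to_upper(name)` (hunk @ -354), which only works if every key was inserted into analyzers_by_name already upper-cased; registration is outside this hunk, so that should be checked and stated, e.g. `// Keys are stored upper-cased at registration; normalise the query to match.` The `const char*` overload duplicates the string one and could simply be `return Lookup(string(name));`. Returning `const string&` from GetAnalyzerName is sound as written because both branches refer to long-lived storage (the static `error` and the component's name), but the null check between `Lookup(tag)` and `c->Name()` falls in elided lines, so I assume it is there.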
|
||||
|
|
|
@ -88,8 +88,8 @@ public:
|
|||
|
||||
Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled.
|
||||
|
||||
string GetAnalyzerName(Tag tag);
|
||||
string GetAnalyzerName(Val* val);
|
||||
const string& GetAnalyzerName(Tag tag);
|
||||
const string& GetAnalyzerName(Val* val);
|
||||
Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known.
|
||||
Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known.
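Review bot: The two GetAnalyzerName declarations get no comment while the GetAnalyzerTag lines beside them document their failure value (`// Tag::ERROR when not known.`); the Manager.cc change on this page shows the name functions return `"<error>"` for an unknown tag, so `// "<error>" when not known.` on both keeps the header self-describing. The same comment should say the returned reference points into the manager's component table and must not outlive it; the component lifetime is not visible here.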
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ public:
|
|||
PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial);
|
||||
PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial);
|
||||
|
||||
std::string Name() const { return name; }
|
||||
const std::string& Name() const { return name; }
|
||||
factory_callback Factory() const { return factory; }
|
||||
bool Partial() const { return partial; }
|
||||
bool Enabled() const { return enabled; }
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2012-07-20-14-34-11
|
||||
#open 2013-03-26-20-58-03
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
@ -29,5 +29,8 @@ scripts/base/init-bare.bro
|
|||
scripts/base/frameworks/input/./readers/ascii.bro
|
||||
scripts/base/frameworks/input/./readers/raw.bro
|
||||
scripts/base/frameworks/input/./readers/benchmark.bro
|
||||
scripts/base/frameworks/analyzer/__load__.bro
|
||||
scripts/base/frameworks/analyzer/./main.bro
|
||||
build/src/base/analyzer.bif.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2012-07-20-14-34-11
|
||||
#close 2013-03-26-20-58-03
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2013-02-11-18-44-43
|
||||
#open 2013-03-26-20-58-16
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
@ -29,6 +29,9 @@ scripts/base/init-bare.bro
|
|||
scripts/base/frameworks/input/./readers/ascii.bro
|
||||
scripts/base/frameworks/input/./readers/raw.bro
|
||||
scripts/base/frameworks/input/./readers/benchmark.bro
|
||||
scripts/base/frameworks/analyzer/__load__.bro
|
||||
scripts/base/frameworks/analyzer/./main.bro
|
||||
build/src/base/analyzer.bif.bro
|
||||
scripts/base/init-default.bro
|
||||
scripts/base/utils/site.bro
|
||||
scripts/base/utils/./patterns.bro
|
||||
|
@ -119,4 +122,4 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/syslog/./main.bro
|
||||
scripts/base/misc/find-checksum-offloading.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2013-02-11-18-44-43
|
||||
#close 2013-03-26-20-58-16
|
||||
|
|
|
@ -8,7 +8,6 @@ http_all_headers
|
|||
http_content_type
|
||||
http_end_entity
|
||||
http_message_done
|
||||
http_signature_found
|
||||
http_reply
|
||||
http_begin_entity
|
||||
http_header
|
||||
|
|
|
@ -8,7 +8,6 @@ http_all_headers
|
|||
http_content_type
|
||||
http_end_entity
|
||||
http_message_done
|
||||
http_signature_found
|
||||
http_reply
|
||||
http_begin_entity
|
||||
http_header
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2012-07-20-01-53-03
|
||||
#open 2013-03-26-21-06-26
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
||||
1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2012-07-20-01-53-04
|
||||
1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2013-03-26-21-06-27
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2012-07-20-01-53-03
|
||||
#open 2013-03-26-21-06-26
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
||||
1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2012-07-20-01-53-04
|
||||
1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2013-03-26-21-06-27
|
||||
|
|
|
@ -8,7 +8,6 @@ http_all_headers
|
|||
http_content_type
|
||||
http_end_entity
|
||||
http_message_done
|
||||
http_signature_found
|
||||
http_reply
|
||||
http_begin_entity
|
||||
http_header
|
||||
|
|
|
@ -8,7 +8,6 @@ http_all_headers
|
|||
http_content_type
|
||||
http_end_entity
|
||||
http_message_done
|
||||
http_signature_found
|
||||
http_reply
|
||||
http_begin_entity
|
||||
http_header
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2012-07-20-01-53-12
|
||||
#open 2013-03-26-21-06-18
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
||||
1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2012-07-20-01-53-13
|
||||
1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2013-03-26-21-06-19
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2012-07-20-01-53-12
|
||||
#open 2013-03-26-21-06-17
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
||||
1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2012-07-20-01-53-13
|
||||
1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
||||
#close 2013-03-26-21-06-18
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
|Analyzer::all_registered_ports()|, 0
|
||||
signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
|
||||
ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
|
||||
ftp_request 141.142.220.235:50003 - USER anonymous
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
|Analyzer::all_registered_ports()|, 0
|
||||
signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
|
||||
|
|
|
@ -1,3 +1 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
|Analyzer::all_registered_ports()|, 0
|
||||
|
|
|
@ -1,3 +1 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
|Analyzer::all_registered_ports()|, 0
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
local a = 1;
|
||||
print analyzer_name(a);
|
||||
local a = Analyzer::ANALYZER_PIA_TCP;
|
||||
print Analyzer::name(a);
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
|
||||
# it is just a UDP packet, but not another GTP tunnel.
|
||||
|
||||
event protocol_violation(c: connection, atype: count, aid: count, reason: string)
|
||||
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
|
||||
{
|
||||
print "protocol_violation", c$id, reason;
|
||||
}
|
||||
|
|
|
@ -33,7 +33,7 @@ signature my_ftp_server {
|
|||
event bro_init()
|
||||
{
|
||||
# no analyzer attached to any port by default, depends entirely on sigs
|
||||
print "dpd_config", dpd_config;
|
||||
print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|;
|
||||
}
|
||||
|
||||
event signature_match(state: signature_state, msg: string, data: string)
|
||||
|
|