From 0325b5ea32f9b86c89ca020097de4586d782f636 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Sun, 20 Nov 2011 21:41:41 -0800
Subject: [PATCH 01/35] to_port() now parses a string instead of a count. Addresses #684.
---
 scripts/base/protocols/irc/dcc-send.bro | 2 +-
 src/bro.bif | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index b2a48a472a..669cc03e55 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -99,7 +99,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 return;
 c$irc$dcc_file_name = argument;
 c$irc$dcc_file_size = size;
- local p = to_port(dest_port, tcp);
+ local p = count_to_port(dest_port, tcp);
 expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
 dcc_expected_transfers[address, p] = c$irc;
 }
diff --git a/src/bro.bif b/src/bro.bif
index a2f97356a7..6d4d7ce1dd 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -586,9 +586,27 @@ function raw_bytes_to_v4_addr%(b: string%): addr
 return new AddrVal(htonl(a));
 %}
 
-function to_port%(num: count, proto: transport_proto%): port
+function to_port%(s: string%): port
 %{
- return new PortVal(num, (TransportProto)proto->AsEnum());
+ int port = 0;
+ if ( s->Len() < 10 )
+ {
+ char* slash;
+ port = strtol(s->CheckString(), &slash, 10);
+ if ( port )
+ {
+ ++slash;
+ if ( streq(slash, "tcp") )
+ return new PortVal(port, TRANSPORT_TCP);
+ else if ( streq(slash, "udp") )
+ return new PortVal(port, TRANSPORT_UDP);
+ else if ( streq(slash, "icmp") )
+ return new PortVal(port, TRANSPORT_ICMP);
+ }
+ }
+
+ builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/");
+ return new PortVal(port, TRANSPORT_UNKNOWN);
 %}
 
 function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
From 6a563c88291eb5967e9bb43597d06c6ae52e206b Mon Sep 17 00:00:00 2001
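Review bot: The `if ( port )` guard in the new to_port() body never checks that strtol() stopped at a '/', so for an input such as "80" `slash` points at the terminating NUL and `++slash` moves past the end of the string before streq() reads it; a negative or oversized number ("-1/tcp", "99999/tcp") also passes the guard and is handed to PortVal as-is. Tightening the guard to `if ( port > 0 && port <= 65535 && *slash == '/' )` closes both gaps and matches the format the error message advertises; if port 0 ("0/tcp") is meant to be accepted, replace the `port > 0` term with a check that strtol() consumed at least one digit. The error path returns `PortVal(port, TRANSPORT_UNKNOWN)` with whatever partial value strtol() produced, which a caller cannot tell apart from a parsed port — worth a comment or a `port = 0` reset before that return.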
From: Matthias Vallentin
Date: Mon, 21 Nov 2011 22:30:53 -0800
Subject: [PATCH 02/35] Make exit() parameterizable. The exit() BiF used to have no arguments and always invoked exit(0) from libc. This small fix allows for non-zero exit values of the Bro process.
---
 src/bro.bif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index 6d4d7ce1dd..8b4c8d3038 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -845,9 +845,9 @@ function log10%(d: double%): double
 return new Val(log10(d), TYPE_DOUBLE);
 %}
 
-function exit%(%): int
+function exit%(code: int%): any
 %{
- exit(0);
+ exit(code);
 return 0;
 %}
 
From 1179c1a598602ffbdb08086c8edc3c709d7a4669 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Mon, 21 Nov 2011 22:55:14 -0800
Subject: [PATCH 03/35] Remove redundant active_connection() BiF. The BiF connection_exists has a more intuitive name and provides the same functionality, thus we can remove active_connection().
---
 src/bro.bif | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index 8b4c8d3038..fd3a738126 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -720,12 +720,6 @@ function active_file%(f: file%): bool
 return new Val(f->IsOpen(), TYPE_BOOL);
 %}
 
-function active_connection%(id: conn_id%): bool
- %{
- Connection* c = sessions->FindConnection(id);
- return new Val(c ? 1 : 0, TYPE_BOOL);
- %}
-
 # Note, you *must* first make sure that the connection is active
 # (e.g., by calling active_connection()) before invoking this.
 function connection_record%(cid: conn_id%): connection
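Review bot: `exit(code)` in the new exit() BiF hands the script-layer `int` straight to libc's `exit(int)`; the script type is presumably wider than a C `int` (confirm against the BiF type mapping), and the process status the parent sees keeps only the low 8 bits, so a script passing a value outside 0..255 does not get the status it asked for. Either state that range in a comment above the function or reject it up front, e.g. `if ( code < 0 || code > 255 ) builtin_error("exit code out of range");` before the call. The `return 0;` after exit() is unreachable but harmless.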
@@ -1027,12 +1021,10 @@ static Val* parse_port(const char* line)
 %%}
 
 # Returns true if the given connection exists, false otherwise.
-function connection_exists%(c: conn_id%): bool
+function connection_exists%(id: conn_id%): bool
 %{
- if ( sessions->FindConnection(c) )
- return new Val(1, TYPE_BOOL);
- else
- return new Val(0, TYPE_BOOL);
+ Connection* c = sessions->FindConnection(id);
+ return new Val(c ? 1 : 0, TYPE_BOOL);
 %}
 
 # For a given connection ID, returns the corresponding "connection" record.
From c04b261376b9f00d3be9e2a93a132e7d5ebec923 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Mon, 21 Nov 2011 23:03:46 -0800
Subject: [PATCH 04/35] Remove redundant connection_record() BiF. The function lookup_connection() provides the same functionality and has more graceful failure semantics.
---
 src/bro.bif | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index fd3a738126..842535b657 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -720,22 +720,6 @@ function active_file%(f: file%): bool
 return new Val(f->IsOpen(), TYPE_BOOL);
 %}
 
-# Note, you *must* first make sure that the connection is active
-# (e.g., by calling active_connection()) before invoking this.
-function connection_record%(cid: conn_id%): connection
- %{
- Connection* c = sessions->FindConnection(cid);
- if ( c )
- return c->BuildConnVal();
- else
- {
- // Hard to recover from this until we have union types ...
- builtin_error("connection ID not a known connection (fatal)", cid);
- exit(0);
- return 0;
- }
- %}
-
 %%{
 EnumVal* map_conn_type(TransportProto tp)
 {
From e9f05348b003492c5a269501f4eac636663bcbe8 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Tue, 22 Nov 2011 09:04:22 -0800
Subject: [PATCH 05/35] Perform type checking on count-to-port conversion. Related to #684.
---
 src/bro.bif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index 842535b657..65b9d9791a 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -540,9 +540,9 @@ function port_to_count%(p: port%): count
 return new Val(p->Port(), TYPE_COUNT);
 %}
 
-function count_to_port%(c: count, t: transport_proto%): port
+function count_to_port%(num: count, proto: transport_proto%): port
 %{
- return new PortVal(c, (TransportProto)(t->InternalInt()));
+ return new PortVal(num, (TransportProto)proto->AsEnum());
 %}
 
 function floor%(d: double%): double
From 8f8290c8521ebccde2023b3d41c939649fffbf6d Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Sun, 27 Nov 2011 15:57:18 -0600
Subject: [PATCH 06/35] Add simple profiling class to accumulate Stmt usage stats across runs. Use the BROFILER_FILE environment variable to point to a file in which Stmt usage statistics from Bro script-layer can be output. This should be able to be used to check Bro script coverage that that e.g. the entire test suite covers.
---
 src/Brofiler.cc | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 src/Brofiler.h | 65 ++++++++++++++++++++++++++++++++++++
 src/CMakeLists.txt | 1 +
 src/Stmt.cc | 1 +
 src/Stmt.h | 1 +
 src/main.cc | 6 ++++
 src/parse.y | 25 +++++++++++++-
 src/util.cc | 1 +
 8 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 src/Brofiler.cc
 create mode 100644 src/Brofiler.h

diff --git a/src/Brofiler.cc b/src/Brofiler.cc
new file mode 100644
index 0000000000..fc23f10a7d
--- /dev/null
+++ b/src/Brofiler.cc
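Review bot: The commit title promises type checking, but the new count_to_port() body still passes `num` — an unsigned count of unknown width — straight into PortVal without rejecting values above 65535, so `count_to_port(70000, tcp)` silently yields some port (unless PortVal's constructor clamps, which is not visible in this hunk — confirm). A guard before the return, `if ( num > 65535 ) builtin_error("port number out of range");`, would make the conversion fail loudly like the string-parsing to_port() does. The switch from `InternalInt()` to `AsEnum()` for the protocol is the only visible check added.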
@@ -0,0 +1,82 @@
+#include
+#include
+#include
+#include "Brofiler.h"
+#include "util.h"
+
+Brofiler::Brofiler()
+ : delim('\t')
+ {
+ }
+
+Brofiler::~Brofiler()
+ {
+ }
+
+void Brofiler::ReadStats()
+ {
+ char* bf = getenv("BROFILER_FILE");
+ if ( ! bf ) return;
+ FILE* f = fopen(bf, "r");
+ if ( ! f )
+ {
+ fprintf(stderr, "Failed to open Brofiler file '%s' for reading\n", bf);
+ return;
+ }
+
+ char line[16384];
+ string delimiter;
+ delimiter = delim;
+ while( fgets(line, sizeof(line), f) )
+ {
+ line[strlen(line) - 1] = 0; //remove newline
+ string cnt(strtok(line, delimiter.c_str()));
+ string location(strtok(0, delimiter.c_str()));
+ string desc(strtok(0, delimiter.c_str()));
+ pair location_desc(location, desc);
+ uint64 count;
+ atoi_n(cnt.size(), cnt.c_str(), 0, 10, count);
+ usage_map[location_desc] = count;
+ }
+
+ fclose(f);
+ }
+
+void Brofiler::WriteStats()
+ {
+ char* bf = getenv("BROFILER_FILE");
+ if ( ! bf ) return;
+
+ FILE* f = fopen(bf, "w");
+ if ( ! f )
+ {
+ fprintf(stderr, "Failed to open Brofiler file '%s' for writing\n", bf);
+ return;
+ }
+
+ for ( list::const_iterator it = stmts.begin();
+ it != stmts.end(); ++it )
+ {
+ ODesc location_info;
+ (*it)->GetLocationInfo()->Describe(&location_info);
+ ODesc desc_info;
+ (*it)->Describe(&desc_info);
+ string desc(desc_info.Description());
+ for_each(desc.begin(), desc.end(), canonicalize_desc());
+ pair location_desc(location_info.Description(), desc);
+ if ( usage_map.find(location_desc) != usage_map.end() )
+ usage_map[location_desc] += (*it)->GetAccessCount();
+ else
+ usage_map[location_desc] = (*it)->GetAccessCount();
+ }
+
+ map, uint64 >::const_iterator it;
+ for ( it = usage_map.begin(); it != usage_map.end(); ++it )
+ {
+ fprintf(f, "%"PRIu64"%c%s%c%s\n", it->second, delim,
+ it->first.first.c_str(), delim, it->first.second.c_str());
+ }
+
+ fclose(f);
+ }
+
diff --git a/src/Brofiler.h b/src/Brofiler.h
new file mode 100644
index 0000000000..6ded906698
--- /dev/null
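Review bot: ReadStats() never checks the three strtok() results, so a truncated or hand-edited line in BROFILER_FILE (a missing field, or an empty field — strtok() treats adjacent delimiters as one) yields a null `char*` that is passed to the std::string constructor, which is undefined behaviour and in practice a crash during startup; `line[strlen(line) - 1] = 0` also discards the last character of a final line that has no trailing newline. Because the file path comes from the environment and its contents carry no integrity guarantee, the loop should validate each field and skip malformed lines rather than trust them; the rewrite below does that, keeps the last character when it is not a newline, and initialises `count` so an ignored atoi_n() failure leaves a deterministic 0 instead of an indeterminate value. WriteStats() has the same unchecked-fopen shape but only writes, so it can stay as it is.
```cpp
	while( fgets(line, sizeof(line), f) )
		{
		size_t len = strlen(line);
		if ( len && line[len - 1] == '\n' )
			line[len - 1] = 0; // remove newline, keep a last line that lacks one
		const char* cnt = strtok(line, delimiter.c_str());
		const char* location = cnt ? strtok(0, delimiter.c_str()) : 0;
		const char* desc = location ? strtok(0, delimiter.c_str()) : 0;
		if ( ! desc )
			{
			fprintf(stderr, "Skipping malformed line in Brofiler file '%s'\n", bf);
			continue;
			}
		pair<string, string> location_desc(location, desc);
		uint64 count = 0;
		atoi_n(strlen(cnt), cnt, 0, 10, count);
		usage_map[location_desc] = count;
		}
	// … unchanged: fclose(f) and WriteStats() …
```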
+++ b/src/Brofiler.h
@@ -0,0 +1,65 @@
+#ifndef BROFILER_H_
+#define BROFILER_H_
+
+#include
+#include
+#include
+#include
+
+
+/**
+ * A simple class for managing stats of Bro script coverage across Bro runs.
+ */
+class Brofiler {
+public:
+ Brofiler();
+ virtual ~Brofiler();
+
+ /**
+ * Imports Bro script Stmt usage information from file pointed to by
+ * environment variable BROFILER_FILE.
+ */
+ void ReadStats();
+
+ /**
+ * Combines usage stats from current run with any read from ReadStats(),
+ * then writes information to file pointed to by environment variable
+ * BROFILER_FILE.
+ */
+ void WriteStats();
+
+ void SetDelim(char d) { delim = d; }
+
+ /**
+ * The current, global Brofiler instance creates this list at parse-time.
+ */
+ list stmts;
+
+private:
+ /**
+ *
+ * This maps Stmt location-desc pairs to the total number of times that
+ * Stmt has been executed. The map can be initialized from a file at
+ * startup time and modified at shutdown time before writing back
+ * to a file.
+ */
+ map, uint64> usage_map;
+
+ /**
+ * The character to use to delimit Brofiler output files. Default is '\t'.
+ */
+ char delim;
+
+ /**
+ * A canonicalization routine for Stmt descriptions containing characters
+ * that don't agree with the output format of Brofiler.
+ */
+ struct canonicalize_desc {
+ void operator() (char& c)
+ {
+ if ( c == '\n' ) c = ' ';
+ }
+ };
+};
+
+#endif /* BROFILER_H_ */
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 897acc9d37..f755895eae 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -281,6 +281,7 @@ set(bro_SRCS
 BPF_Program.cc
 BroDoc.cc
 BroDocObj.cc
+ Brofiler.cc
 BroString.cc
 CCL.cc
 ChunkedIO.cc
diff --git a/src/Stmt.cc b/src/Stmt.cc
index 6a83940b3b..669dc5565e 100644
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@@ -258,6 +258,7 @@ static BroFile* print_stdout = 0;
 Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 {
+ RegisterAccess();
 if ( ! print_stdout )
 print_stdout = new BroFile(stdout);
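Review bot: `canonicalize_desc` in Brofiler.h only rewrites '\n', so a Stmt description that contains the delimiter character (a tab by default) is written unescaped by WriteStats() and is then split at the wrong place by strtok() in ReadStats(), shifting the location/desc columns for that entry and corrupting the count it is merged with. Give the functor the delimiter to scrub as well — e.g. a `char delim;` member initialised from the enclosing object, with `if ( c == '\n' || c == delim ) c = ' ';` — and say on SetDelim() that it must be called before ReadStats()/WriteStats() and that the same delimiter must be used for both runs, since a file written with one delimiter cannot be read back with another. The public `list stmts;` holds raw Stmt pointers that WriteStats() dereferences at shutdown; a one-line comment stating who owns them and that they must outlive the Brofiler would help (presumably the parser keeps them alive for the whole run — confirm).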
diff --git a/src/Stmt.h b/src/Stmt.h
index 8e3a4b4118..7c3b42609b 100644
--- a/src/Stmt.h
+++ b/src/Stmt.h
@@ -52,6 +52,7 @@ public:
 void RegisterAccess() const { last_access = network_time; access_count++; }
 void AccessStats(ODesc* d) const;
+ uint32 GetAccessCount() const { return access_count; }
 virtual void Describe(ODesc* d) const;
diff --git a/src/main.cc b/src/main.cc
index dfa46c3050..68ab8b14a5 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -47,9 +47,12 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #include "ConnCompressor.h"
 #include "DPM.h"
 #include "BroDoc.h"
+#include "Brofiler.h"
 #include "binpac_bro.h"
+Brofiler brofiler;
+
 #ifndef HAVE_STRSEP
 extern "C" {
 char* strsep(char**, const char*);
@@ -260,6 +263,8 @@ void terminate_bro()
 terminating = true;
+ brofiler.WriteStats();
+
 EventHandlerPtr bro_done = internal_handler("bro_done");
 if ( bro_done )
 mgr.QueueEvent(bro_done, new val_list);
@@ -335,6 +340,7 @@ static void bro_new_handler()
 int main(int argc, char** argv)
 {
+ brofiler.ReadStats();
 bro_argc = argc;
 bro_argv = new char* [argc];
diff --git a/src/parse.y b/src/parse.y
index 495931aae0..420e995ae1 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -80,10 +80,12 @@
 #include "Reporter.h"
 #include "BroDoc.h"
 #include "BroDocObj.h"
+#include "Brofiler.h"
 #include
 #include
+extern Brofiler brofiler;
 extern BroDoc* current_reST_doc;
 extern int generate_documentation;
 extern std::list* reST_doc_comments;
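Review bot: `brofiler.WriteStats()` in the terminate_bro() hunk is the only place the statistics are persisted, so any shutdown that bypasses terminate_bro() — a fatal error path, or a script calling the exit() BiF, which this series makes call libc exit() directly — drops the run's counts without a message; if that is acceptable for a coverage tool, a comment next to the call saying so would save the next reader from looking for a second writer. `brofiler.ReadStats()` in the main() hunk runs before any argument parsing, so the BROFILER_FILE variable alone decides whether Bro opens that path at startup and truncates it at shutdown, with no command-line way to opt out; a sentence on the `Brofiler brofiler;` definition noting that this is a development/test-coverage facility driven purely by the environment would make that explicit. terminate_bro() and main() both start and end outside their hunks.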
@@ -1330,93 +1332,111 @@ stmt: { set_location(@1, @3); $$ = new PrintStmt($2); + brofiler.stmts.push_back($$); } | TOK_EVENT event ';' { set_location(@1, @3); $$ = new EventStmt($2); + brofiler.stmts.push_back($$); } | TOK_IF '(' expr ')' stmt { set_location(@1, @4); $$ = new IfStmt($3, $5, new NullStmt()); + //brofiler.stmts.push_back($$); } | TOK_IF '(' expr ')' stmt TOK_ELSE stmt { set_location(@1, @4); $$ = new IfStmt($3, $5, $7); + //brofiler.stmts.push_back($$); } | TOK_SWITCH expr '{' case_list '}' { set_location(@1, @2); $$ = new SwitchStmt($2, $4); + //brofiler.stmts.push_back($$); } | for_head stmt - { $1->AsForStmt()->AddBody($2); } + { + $1->AsForStmt()->AddBody($2); + //brofiler.stmts.push_back($1); + } | TOK_NEXT ';' { set_location(@1, @2); $$ = new NextStmt; + brofiler.stmts.push_back($$); } | TOK_BREAK ';' { set_location(@1, @2); $$ = new BreakStmt; + brofiler.stmts.push_back($$); } | TOK_RETURN ';' { set_location(@1, @2); $$ = new ReturnStmt(0); + brofiler.stmts.push_back($$); } | TOK_RETURN expr ';' { set_location(@1, @2); $$ = new ReturnStmt($2); + brofiler.stmts.push_back($$); } | TOK_ADD expr ';' { set_location(@1, @3); $$ = new AddStmt($2); + brofiler.stmts.push_back($$); } | TOK_DELETE expr ';' { set_location(@1, @3); $$ = new DelStmt($2); + brofiler.stmts.push_back($$); } | TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';' { set_location(@1, @7); $$ = add_local($2, $3, $4, $5, $6, VAR_REGULAR); + brofiler.stmts.push_back($$); } | TOK_CONST local_id opt_type init_class opt_init opt_attr ';' { set_location(@1, @6); $$ = add_local($2, $3, $4, $5, $6, VAR_CONST); + brofiler.stmts.push_back($$); } | TOK_WHEN '(' expr ')' stmt { set_location(@3, @5); $$ = new WhenStmt($3, $5, 0, 0, false); + brofiler.stmts.push_back($$); } | TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}' { set_location(@3, @8); $$ = new WhenStmt($3, $5, $9, $7, false); + brofiler.stmts.push_back($$); } 
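Review bot: The `//brofiler.stmts.push_back($$);` lines left commented out in the IfStmt, IfStmt/else, SwitchStmt and for_head actions give no reason for the exclusion, so a reader cannot tell whether compound statements are deliberately not profiled (presumably because their nested statements are registered individually — confirm) or whether this is unfinished work. Replace the first of them with a comment such as `// Compound statements are not registered; their sub-statements are profiled individually.` and delete the other dead lines, or keep them only if the exclusion is still under evaluation and say so. The `stmt:` rule starts before this hunk and continues past it.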
@@ -1424,18 +1444,21 @@ stmt:
 {
 set_location(@4, @6);
 $$ = new WhenStmt($4, $6, 0, 0, true);
+ brofiler.stmts.push_back($$);
 }
 
 | TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}'
 {
 set_location(@4, @9);
 $$ = new WhenStmt($4, $6, $10, $8, true);
+ brofiler.stmts.push_back($$);
 }
 
 | expr ';'
 {
 set_location(@1, @2);
 $$ = new ExprStmt($1);
+ brofiler.stmts.push_back($$);
 }
 
 | ';'
diff --git a/src/util.cc b/src/util.cc
index f81eff8f22..a48feb9828 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -345,6 +345,7 @@ template int atoi_n(int len, const char* s, const char** end, int base,
 // Instantiate the ones we need.
 template int atoi_n(int len, const char* s, const char** end, int base, int& result);
 template int atoi_n(int len, const char* s, const char** end, int base, int64_t& result);
+template int atoi_n(int len, const char* s, const char** end, int base, uint64_t& result);
 
 char* uitoa_n(uint64 value, char* str, int n, int base, const char* prefix)
 {
From 5666448a482601a9890e0f495cc3ebcead950c0d Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Sun, 27 Nov 2011 15:11:13 -0800
Subject: [PATCH 07/35] Change some BiF return values from bool to any. The BiFs - do_profiling - make_connection_persistent - expect_connection used to unconditionally return true. Since such a return value is meaningless, returning 'any' is more appropriate.
---
 src/bro.bif | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index 65b9d9791a..16b18b0d48 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2231,12 +2231,12 @@ function send_current_packet%(p: event_peer%) : bool
 return new Val(remote_serializer->SendPacket(&info, id, pkt), TYPE_BOOL);
 %}
 
-function do_profiling%(%) : bool
+function do_profiling%(%) : any
 %{
 if ( profiling_logger )
 profiling_logger->Log();
- return new Val(1, TYPE_BOOL);
+ return 0;
 %}
 
 function get_event_peer%(%) : event_peer
@@ -2279,10 +2279,10 @@ function send_capture_filter%(p: event_peer, s: string%) : bool
 return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL);
 %}
 
-function make_connection_persistent%(c: connection%) : bool
+function make_connection_persistent%(c: connection%) : any
 %{
 c->MakePersistent();
- return new Val(1, TYPE_BOOL);
+ return 0;
 %}
 
 function is_local_interface%(ip: addr%) : bool
@@ -2959,11 +2959,11 @@ function continue_processing%(%) : any
 
 # Schedule analyzer for a future connection.
 function expect_connection%(orig: addr, resp: addr, resp_p: port,
- analyzer: count, tout: interval%) : bool
+ analyzer: count, tout: interval%) : any
 %{
 dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(),
 (AnalyzerTag::Tag) analyzer, tout, 0);
- return new Val(1, TYPE_BOOL);
+ return 0;
 %}
 
 # Disables the analyzer which raised the current event (if the analyzer
From 707926aaa441c24eae491768e82f194ff3bd3b0a Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Wed, 7 Dec 2011 12:12:46 -0800
Subject: [PATCH 08/35] Software framework stores ports for server software.
---
 scripts/base/frameworks/software/main.bro | 66 ++++++++++++-------
 .../policy/protocols/http/detect-webapps.bro | 2 +-
 scripts/policy/protocols/http/software.bro | 6 +-
 scripts/policy/protocols/ssh/software.bro | 2 +-
 4 files changed, 49 insertions(+), 27 deletions(-)

diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index 574886288a..9abac9e575 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -34,7 +34,11 @@ export { ## The time at which the software was first detected. ts: time &log; ## The IP address detected running the software. - host: addr &log; + host_a: addr &log; + ## The Port on which the software is running. Only sensible for server software. + host_p: port &log &optional; + ## The transport protocol that is being used. Only sensible for server software. + proto: transport_proto &log &optional; ## The type of software detected (e.g. WEB_SERVER) software_type: Type &log &default=UNKNOWN; ## Name of the software (e.g. Apache) @@ -71,7 +75,13 @@ export { ## still many cases where scripts may have to have their own specific ## version parsing though. global parse: function(unparsed_version: string, - host: addr, + host_a: addr, + software_type: Type): Info; + + ## This function is the equivalent to parse for software that has a specific + ## source port (i.e. server software) + global parse_with_port: function(unparsed_version: string, + host_a: addr, host_p: port, software_type: Type): Info; ## Compare two versions. @@ -107,7 +117,7 @@ event bro_init() } function parse_mozilla(unparsed_version: string, - host: addr, + host_a: addr, software_type: Type): Info { local software_name = ""; @@ -119,7 +129,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Opera [0-9\.]*$/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } else if ( / MSIE / in unparsed_version ) { @@ -134,7 +144,7 @@ function parse_mozilla(unparsed_version: string, { parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) 
@@ -143,7 +153,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) { - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } @@ -153,7 +163,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); if ( 2 in parts ) { - local tmp_s = parse(parts[2], host, software_type); + local tmp_s = parse(parts[2], host_a, software_type); software_name = tmp_s$name; v = tmp_s$version; } @@ -163,7 +173,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Chrome"; parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } else if ( /^Opera\// in unparsed_version ) { @@ -174,12 +184,12 @@ function parse_mozilla(unparsed_version: string, software_name = parts[2]; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; else { parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } } else @@ -187,7 +197,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) 
@@ -195,17 +205,17 @@ function parse_mozilla(unparsed_version: string, software_name = "Unspecified WebKit"; parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2], host_a, software_type)$version; } - return [$ts=network_time(), $host=host, $name=software_name, $version=v, + return [$ts=network_time(), $host_a=host_a, $name=software_name, $version=v, $software_type=software_type, $unparsed_version=unparsed_version]; } # Don't even try to understand this now, just make sure the tests are # working. function parse(unparsed_version: string, - host: addr, + host_a: addr, software_type: Type): Info { local software_name = ""; @@ -214,7 +224,7 @@ function parse(unparsed_version: string, # Parse browser-alike versions separately if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) { - return parse_mozilla(unparsed_version, host, software_type); + return parse_mozilla(unparsed_version, host_a, software_type); } else { @@ -276,11 +286,23 @@ function parse(unparsed_version: string, v$major = extract_count(version_numbers[1]); } } - return [$ts=network_time(), $host=host, $name=software_name, + return [$ts=network_time(), $host_a=host_a, $name=software_name, $version=v, $unparsed_version=unparsed_version, $software_type=software_type]; } +function parse_with_port(unparsed_version: string, + host_a: addr, host_p: port, + software_type: Type): Info +{ + local i: Info; + i = parse(unparsed_version, host_a, software_type); + i$host_p = host_p; + i$proto = get_port_transport_proto(host_p); + + return i; +} + function cmp_versions(v1: Version, v2: Version): int { 
@@ -340,9 +362,9 @@ function cmp_versions(v1: Version, v2: Version): int } } -function software_endpoint_name(id: conn_id, host: addr): string +function software_endpoint_name(id: conn_id, host_a: addr): string { - return fmt("%s %s", host, (host == id$orig_h ? "client" : "server")); + return fmt("%s %s", host_a, (host_a == id$orig_h ? "client" : "server")); } # Convert a version into a string "a.b.c-x". @@ -366,10 +388,10 @@ function software_fmt(i: Info): string event software_register(id: conn_id, info: Info) { # Host already known? - if ( info$host !in tracked ) - tracked[info$host] = table(); + if ( info$host_a !in tracked ) + tracked[info$host_a] = table(); - local ts = tracked[info$host]; + local ts = tracked[info$host_a]; # Software already registered for this host? We don't want to endlessly # log the same thing. if ( info$name in ts ) @@ -389,7 +411,7 @@ event software_register(id: conn_id, info: Info) function found(id: conn_id, info: Info): bool { - if ( info$force_log || addr_matches_host(info$host, asset_tracking) ) + if ( info$force_log || addr_matches_host(info$host_a, asset_tracking) ) { event software_register(id, info); return T; diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro index 4a94d1adbd..63f481422a 100644 --- a/scripts/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -23,7 +23,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori if ( /^webapp-/ !in state$sig_id ) return; local c = state$conn; - local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION); + local si = Software::parse_with_port(msg, c$id$resp_h, c$id$resp_p, WEB_APPLICATION); si$url = build_url_http(c$http); if ( c$id$resp_h in Software::tracked && si$name in Software::tracked[c$id$resp_h] ) diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro index 8732634359..0a07ba0331 100644 
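Review bot: In the software_register hunk the de-duplication table `tracked` is still keyed by `info$host_a` and then by `info$name`, while the record now also carries `host_p`; two server instances on the same host that report the same software name on different ports are therefore collapsed into one entry and the second port is never logged, and a version change seen on one port is attributed to the other. If that is intended, say so in the `## The Port on which the software is running` field comment (e.g. `## Only the first port seen for a given host and software name is tracked.`); otherwise the lookup needs to include `host_p` when it is present, which would change the shape of the exported `tracked` table and so deserves its own change. software_register() continues past the hunk.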
--- a/scripts/policy/protocols/http/software.bro +++ b/scripts/policy/protocols/http/software.bro @@ -25,13 +25,13 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else { if ( name == "SERVER" ) - Software::found(c$id, Software::parse(value, c$id$resp_h, SERVER)); + Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, SERVER)); else if ( name == "X-POWERED-BY" ) - Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER)); + Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER)); else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" ) { value = cat("SharePoint/", value); - Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER)); + Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER)); } } } diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro index a239655270..0bb6ebc43f 100644 --- a/scripts/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro @@ -24,6 +24,6 @@ event ssh_server_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, ""); - local si = Software::parse(cleaned_version, c$id$resp_h, SERVER); + local si = Software::parse_with_port(cleaned_version, c$id$resp_h, c$id$resp_p, SERVER); Software::found(c$id, si); } From 7e3ebc181755aacc65670e9ddd0bcfa38776569b Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Wed, 7 Dec 2011 15:03:36 -0800 Subject: [PATCH 09/35] forgotten policy files. --- .../frameworks/software/version-changes.bro | 4 +- .../policy/frameworks/software/vulnerable.bro | 2 +- .../frameworks/software/version-parsing.bro | 98 +++++++++---------- 3 files changed, 52 insertions(+), 52 deletions(-) 
diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro index 6d46151f0f..8365f28ae4 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.bro @@ -27,7 +27,7 @@ export { event log_software(rec: Info) { - local ts = tracked[rec$host]; + local ts = tracked[rec$host_a]; if ( rec$name in ts ) { @@ -40,7 +40,7 @@ event log_software(rec: Info) network_time(), rec$software_type, software_fmt_version(old$version), software_fmt(rec), rec$software_type); - NOTICE([$note=Software_Version_Change, $src=rec$host, + NOTICE([$note=Software_Version_Change, $src=rec$host_a, $msg=msg, $sub=software_fmt(rec)]); } } diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index 0ce949b83d..cdf7db89fc 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -18,6 +18,6 @@ event log_software(rec: Info) if ( rec$name in vulnerable_versions && cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 ) { - NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]); + NOTICE([$note=Vulnerable_Version, $src=rec$host_a, $msg=software_fmt(rec)]); } } diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index dda3edea4b..8833b3aab6 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro 
@@ -2,112 +2,112 @@ # @TEST-EXEC: btest-diff output global ts = network_time(); -global host = 0.0.0.0; +global host_a = 0.0.0.0; global matched_software: table[string] of Software::Info = { ["OpenSSH_4.4"] = - [$name="OpenSSH", $version=[$major=4,$minor=4], $host=host, $ts=ts], + [$name="OpenSSH", $version=[$major=4,$minor=4], $host_a=host_a, $ts=ts], ["OpenSSH_5.2"] = - [$name="OpenSSH", $version=[$major=5,$minor=2], $host=host, $ts=ts], + [$name="OpenSSH", $version=[$major=5,$minor=2], $host_a=host_a, $ts=ts], ["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host_a=host_a, $ts=ts], ["Apache/1.3.19 (Unix)"] = - [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host_a=host_a, $ts=ts], ["ProFTPD 1.2.5rc1 Server (Debian)"] = - [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host=host, $ts=ts], + [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host_a=host_a, $ts=ts], ["wu-2.4.2-academ[BETA-18-VR14](1)"] = - [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host=host, $ts=ts], + [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host_a=host_a, $ts=ts], ["wu-2.6.2(1)"] = - [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host=host, $ts=ts], + [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host_a=host_a, $ts=ts], ["Java1.2.2-JDeveloper"] = - [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host=host, $ts=ts], + [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host_a=host_a, $ts=ts], ["Java/1.6.0_13"] = - [$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host=host, 
$ts=ts], + [$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host_a=host_a, $ts=ts], ["Python-urllib/3.1"] = - [$name="Python-urllib", $version=[$major=3,$minor=1], $host=host, $ts=ts], + [$name="Python-urllib", $version=[$major=3,$minor=1], $host_a=host_a, $ts=ts], ["libwww-perl/5.820"] = - [$name="libwww-perl", $version=[$major=5,$minor=820], $host=host, $ts=ts], + [$name="libwww-perl", $version=[$major=5,$minor=820], $host_a=host_a, $ts=ts], ["Wget/1.9+cvs-stable (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=host, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host_a=host_a, $ts=ts], ["Wget/1.11.4 (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host=host, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host_a=host_a, $ts=ts], ["curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18"] = - [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host=host, $ts=ts], + [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host_a=host_a, $ts=ts], ["Apache"] = - [$name="Apache", $host=host, $ts=ts], + [$name="Apache", $host_a=host_a, $ts=ts], ["Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown"] = - [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host=host, $ts=ts], + [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host_a=host_a, $ts=ts], ["The Bat! 
(v2.00.9) Personal"] = - [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host=host, $ts=ts], + [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host_a=host_a, $ts=ts], ["Flash/10,2,153,1"] = - [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host=host, $ts=ts], + [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host_a=host_a, $ts=ts], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = - [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host=host, $ts=ts], + [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host_a=host_a, $ts=ts], ["CacheFlyServe v26b"] = - [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host=host, $ts=ts], + [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host_a=host_a, $ts=ts], ["Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host_a=host_a, $ts=ts], # I have no clue how I'd support this without a special case. 
#["Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635"] = - # [$name="Apache", $version=[], $host=host, $ts=ts], + # [$name="Apache", $version=[], $host_a=host_a, $ts=ts], ["Apple iPhone v4.3.1 Weather v1.0.0.8G4"] = - [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host=host, $ts=ts], + [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16"] = - [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host=host, $ts=ts], + [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host_a=host_a, $ts=ts], ["Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01"] = - [$name="Opera", $version=[$major=11,$minor=1], $host=host, $ts=ts], + [$name="Opera", $version=[$major=11,$minor=1], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5"] = - [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host=host, $ts=ts], + [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host_a=host_a, $ts=ts], ["iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9"] = - [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host=host, $ts=ts], + [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host_a=host_a, $ts=ts], ["Java1.3.1_04"] = - [$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host=host, $ts=ts], + 
[$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"] = - [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host=host, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"] = - [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host_a=host_a, $ts=ts], ["Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54"] = - [$name="Opera Mini", $version=[$major=10,$minor=54], $host=host, $ts=ts], + [$name="Opera Mini", $version=[$major=10,$minor=54], $host_a=host_a, $ts=ts], ["Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15"] = - [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host=host, $ts=ts], + [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host_a=host_a, $ts=ts], ["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] = - [$name="Opera Mobi", $version=[$major=10,$minor=0], $host=host, $ts=ts], + [$name="Opera Mobi", $version=[$major=10,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] = - [$name="Opera", $version=[$major=11,$minor=0], $host=host, $ts=ts], + 
[$name="Opera", $version=[$major=11,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] = - [$name="Netscape", $version=[$major=7,$minor=2], $host=host, $ts=ts], + [$name="Netscape", $version=[$major=7,$minor=2], $host_a=host_a, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] = - [$name="MSIE", $version=[$major=7,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] = - [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host_a=host_a, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)"] = - [$name="MSIE", $version=[$major=8,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=8,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $host_a=host_a, $ts=ts], ["Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"] = - [$name="MSIE", $version=[$major=10,$minor=0], $host=host, $ts=ts], + [$name="MSIE", 
$version=[$major=10,$minor=0], $host_a=host_a, $ts=ts], ["The Bat! (3.0.1 RC3) Professional"] = - [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host=host, $ts=ts], + [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host_a=host_a, $ts=ts], # This is an FTP client (found with CLNT command) ["Total Commander"] = - [$name="Total Commander", $version=[], $host=host, $ts=ts], + [$name="Total Commander", $version=[], $host_a=host_a, $ts=ts], ["(vsFTPd 2.0.5)"] = - [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host=host, $ts=ts], + [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host_a=host_a, $ts=ts], ["Apple Mail (2.1084)"] = - [$name="Apple Mail", $version=[$major=2,$minor=1084], $host=host, $ts=ts], + [$name="Apple Mail", $version=[$major=2,$minor=1084], $host_a=host_a, $ts=ts], }; event bro_init() { for ( sw in matched_software ) { - local output = Software::parse(sw, host, Software::UNKNOWN); + local output = Software::parse(sw, host_a, Software::UNKNOWN); local baseline: Software::Info; baseline = matched_software[sw]; if ( baseline$name == output$name && From 311cd1b1165f256a1dc89b58bd3b6219aadc5c10 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Thu, 8 Dec 2011 14:25:46 -0800 Subject: [PATCH 10/35] after talking to seth - change host_a field in record back to host. --- scripts/base/frameworks/software/main.bro | 50 +++++----- .../frameworks/software/version-changes.bro | 4 +- .../policy/frameworks/software/vulnerable.bro | 2 +- .../frameworks/software/version-parsing.bro | 98 +++++++++---------- 4 files changed, 77 insertions(+), 77 deletions(-) diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 9abac9e575..817ae92e40 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro 
@@ -34,7 +34,7 @@ export { ## The time at which the software was first detected. ts: time &log; ## The IP address detected running the software. - host_a: addr &log; + host: addr &log; ## The Port on which the software is running. Only sensible for server software. host_p: port &log &optional; ## The transport protocol that is being used. Only sensible for server software. @@ -75,13 +75,13 @@ export { ## still many cases where scripts may have to have their own specific ## version parsing though. global parse: function(unparsed_version: string, - host_a: addr, + host: addr, software_type: Type): Info; ## This function is the equivalent to parse for software that has a specific ## source port (i.e. server software) global parse_with_port: function(unparsed_version: string, - host_a: addr, host_p: port, + host: addr, host_p: port, software_type: Type): Info; ## Compare two versions. @@ -117,7 +117,7 @@ event bro_init() } function parse_mozilla(unparsed_version: string, - host_a: addr, + host: addr, software_type: Type): Info { local software_name = ""; @@ -129,7 +129,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Opera [0-9\.]*$/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } else if ( / MSIE / in unparsed_version ) { @@ -144,7 +144,7 @@ function parse_mozilla(unparsed_version: string, { parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) 
@@ -153,7 +153,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) { - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } @@ -163,7 +163,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); if ( 2 in parts ) { - local tmp_s = parse(parts[2], host_a, software_type); + local tmp_s = parse(parts[2], host, software_type); software_name = tmp_s$name; v = tmp_s$version; } @@ -173,7 +173,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Chrome"; parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } else if ( /^Opera\// in unparsed_version ) { @@ -184,12 +184,12 @@ function parse_mozilla(unparsed_version: string, software_name = parts[2]; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; else { parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } } else @@ -197,7 +197,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) 
@@ -205,17 +205,17 @@ function parse_mozilla(unparsed_version: string, software_name = "Unspecified WebKit"; parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host_a, software_type)$version; + v = parse(parts[2], host, software_type)$version; } - return [$ts=network_time(), $host_a=host_a, $name=software_name, $version=v, + return [$ts=network_time(), $host=host, $name=software_name, $version=v, $software_type=software_type, $unparsed_version=unparsed_version]; } # Don't even try to understand this now, just make sure the tests are # working. function parse(unparsed_version: string, - host_a: addr, + host: addr, software_type: Type): Info { local software_name = ""; @@ -224,7 +224,7 @@ function parse(unparsed_version: string, # Parse browser-alike versions separately if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) { - return parse_mozilla(unparsed_version, host_a, software_type); + return parse_mozilla(unparsed_version, host, software_type); } else { @@ -286,17 +286,17 @@ function parse(unparsed_version: string, v$major = extract_count(version_numbers[1]); } } - return [$ts=network_time(), $host_a=host_a, $name=software_name, + return [$ts=network_time(), $host=host, $name=software_name, $version=v, $unparsed_version=unparsed_version, $software_type=software_type]; } function parse_with_port(unparsed_version: string, - host_a: addr, host_p: port, + host: addr, host_p: port, software_type: Type): Info { local i: Info; - i = parse(unparsed_version, host_a, software_type); + i = parse(unparsed_version, host, software_type); i$host_p = host_p; i$proto = get_port_transport_proto(host_p); 
@@ -362,9 +362,9 @@ function cmp_versions(v1: Version, v2: Version): int } } -function software_endpoint_name(id: conn_id, host_a: addr): string +function software_endpoint_name(id: conn_id, host: addr): string { - return fmt("%s %s", host_a, (host_a == id$orig_h ? "client" : "server")); + return fmt("%s %s", host, (host == id$orig_h ? "client" : "server")); } # Convert a version into a string "a.b.c-x". @@ -388,10 +388,10 @@ function software_fmt(i: Info): string event software_register(id: conn_id, info: Info) { # Host already known? - if ( info$host_a !in tracked ) - tracked[info$host_a] = table(); + if ( info$host !in tracked ) + tracked[info$host] = table(); - local ts = tracked[info$host_a]; + local ts = tracked[info$host]; # Software already registered for this host? We don't want to endlessly # log the same thing. if ( info$name in ts ) @@ -411,7 +411,7 @@ event software_register(id: conn_id, info: Info) function found(id: conn_id, info: Info): bool { - if ( info$force_log || addr_matches_host(info$host_a, asset_tracking) ) + if ( info$force_log || addr_matches_host(info$host, asset_tracking) ) { event software_register(id, info); return T; diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro index 8365f28ae4..6d46151f0f 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.bro @@ -27,7 +27,7 @@ export { event log_software(rec: Info) { - local ts = tracked[rec$host_a]; + local ts = tracked[rec$host]; if ( rec$name in ts ) { @@ -40,7 +40,7 @@ event log_software(rec: Info) network_time(), rec$software_type, software_fmt_version(old$version), software_fmt(rec), rec$software_type); - NOTICE([$note=Software_Version_Change, $src=rec$host_a, + NOTICE([$note=Software_Version_Change, $src=rec$host, $msg=msg, $sub=software_fmt(rec)]); } } 
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index cdf7db89fc..0ce949b83d 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -18,6 +18,6 @@ event log_software(rec: Info) if ( rec$name in vulnerable_versions && cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 ) { - NOTICE([$note=Vulnerable_Version, $src=rec$host_a, $msg=software_fmt(rec)]); + NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]); } } diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index 8833b3aab6..dda3edea4b 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro 
@@ -2,112 +2,112 @@ # @TEST-EXEC: btest-diff output global ts = network_time(); -global host_a = 0.0.0.0; +global host = 0.0.0.0; global matched_software: table[string] of Software::Info = { ["OpenSSH_4.4"] = - [$name="OpenSSH", $version=[$major=4,$minor=4], $host_a=host_a, $ts=ts], + [$name="OpenSSH", $version=[$major=4,$minor=4], $host=host, $ts=ts], ["OpenSSH_5.2"] = - [$name="OpenSSH", $version=[$major=5,$minor=2], $host_a=host_a, $ts=ts], + [$name="OpenSSH", $version=[$major=5,$minor=2], $host=host, $ts=ts], ["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host_a=host_a, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host=host, $ts=ts], ["Apache/1.3.19 (Unix)"] = - [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host_a=host_a, $ts=ts], + [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host=host, $ts=ts], ["ProFTPD 1.2.5rc1 Server (Debian)"] = - [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host_a=host_a, $ts=ts], + [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host=host, $ts=ts], ["wu-2.4.2-academ[BETA-18-VR14](1)"] = - [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host_a=host_a, $ts=ts], + [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host=host, $ts=ts], ["wu-2.6.2(1)"] = - [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host_a=host_a, $ts=ts], + [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host=host, $ts=ts], ["Java1.2.2-JDeveloper"] = - [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host_a=host_a, $ts=ts], + [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host=host, $ts=ts], ["Java/1.6.0_13"] = - [$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host_a=host_a, 
$ts=ts], + [$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host=host, $ts=ts], ["Python-urllib/3.1"] = - [$name="Python-urllib", $version=[$major=3,$minor=1], $host_a=host_a, $ts=ts], + [$name="Python-urllib", $version=[$major=3,$minor=1], $host=host, $ts=ts], ["libwww-perl/5.820"] = - [$name="libwww-perl", $version=[$major=5,$minor=820], $host_a=host_a, $ts=ts], + [$name="libwww-perl", $version=[$major=5,$minor=820], $host=host, $ts=ts], ["Wget/1.9+cvs-stable (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host_a=host_a, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=host, $ts=ts], ["Wget/1.11.4 (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host_a=host_a, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host=host, $ts=ts], ["curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18"] = - [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host_a=host_a, $ts=ts], + [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host=host, $ts=ts], ["Apache"] = - [$name="Apache", $host_a=host_a, $ts=ts], + [$name="Apache", $host=host, $ts=ts], ["Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown"] = - [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host_a=host_a, $ts=ts], + [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host=host, $ts=ts], ["The Bat! 
(v2.00.9) Personal"] = - [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host_a=host_a, $ts=ts], + [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host=host, $ts=ts], ["Flash/10,2,153,1"] = - [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host_a=host_a, $ts=ts], + [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host=host, $ts=ts], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = - [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host_a=host_a, $ts=ts], + [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host=host, $ts=ts], ["CacheFlyServe v26b"] = - [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host_a=host_a, $ts=ts], + [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host=host, $ts=ts], ["Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host_a=host_a, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host=host, $ts=ts], # I have no clue how I'd support this without a special case. 
#["Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635"] = - # [$name="Apache", $version=[], $host_a=host_a, $ts=ts], + # [$name="Apache", $version=[], $host=host, $ts=ts], ["Apple iPhone v4.3.1 Weather v1.0.0.8G4"] = - [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host_a=host_a, $ts=ts], + [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host=host, $ts=ts], ["Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host_a=host_a, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host=host, $ts=ts], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16"] = - [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host_a=host_a, $ts=ts], + [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host=host, $ts=ts], ["Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01"] = - [$name="Opera", $version=[$major=11,$minor=1], $host_a=host_a, $ts=ts], + [$name="Opera", $version=[$major=11,$minor=1], $host=host, $ts=ts], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5"] = - [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host_a=host_a, $ts=ts], + [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host=host, $ts=ts], ["iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9"] = - [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host_a=host_a, $ts=ts], + [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host=host, $ts=ts], ["Java1.3.1_04"] = - [$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host_a=host_a, 
$ts=ts], + [$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host=host, $ts=ts], ["Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"] = - [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host_a=host_a, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host=host, $ts=ts], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host_a=host_a, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host=host, $ts=ts], ["Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"] = - [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host_a=host_a, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host=host, $ts=ts], ["Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54"] = - [$name="Opera Mini", $version=[$major=10,$minor=54], $host_a=host_a, $ts=ts], + [$name="Opera Mini", $version=[$major=10,$minor=54], $host=host, $ts=ts], ["Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15"] = - [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host_a=host_a, $ts=ts], + [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host=host, $ts=ts], ["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] = - [$name="Opera Mobi", $version=[$major=10,$minor=0], $host_a=host_a, $ts=ts], + [$name="Opera Mobi", $version=[$major=10,$minor=0], $host=host, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] = - [$name="Opera", $version=[$major=11,$minor=0], $host_a=host_a, 
$ts=ts], + [$name="Opera", $version=[$major=11,$minor=0], $host=host, $ts=ts], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] = - [$name="Netscape", $version=[$major=7,$minor=2], $host_a=host_a, $ts=ts], + [$name="Netscape", $version=[$major=7,$minor=2], $host=host, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] = - [$name="MSIE", $version=[$major=7,$minor=0], $host_a=host_a, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0], $host=host, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] = - [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host_a=host_a, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=host, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)"] = - [$name="MSIE", $version=[$major=8,$minor=0], $host_a=host_a, $ts=ts], + [$name="MSIE", $version=[$major=8,$minor=0], $host=host, $ts=ts], ["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host_a=host_a, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host_a=host_a, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], ["Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"] = - [$name="MSIE", $version=[$major=10,$minor=0], $host_a=host_a, $ts=ts], + 
[$name="MSIE", $version=[$major=10,$minor=0], $host=host, $ts=ts], ["The Bat! (3.0.1 RC3) Professional"] = - [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host_a=host_a, $ts=ts], + [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host=host, $ts=ts], # This is an FTP client (found with CLNT command) ["Total Commander"] = - [$name="Total Commander", $version=[], $host_a=host_a, $ts=ts], + [$name="Total Commander", $version=[], $host=host, $ts=ts], ["(vsFTPd 2.0.5)"] = - [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host_a=host_a, $ts=ts], + [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host=host, $ts=ts], ["Apple Mail (2.1084)"] = - [$name="Apple Mail", $version=[$major=2,$minor=1084], $host_a=host_a, $ts=ts], + [$name="Apple Mail", $version=[$major=2,$minor=1084], $host=host, $ts=ts], }; event bro_init() { for ( sw in matched_software ) { - local output = Software::parse(sw, host_a, Software::UNKNOWN); + local output = Software::parse(sw, host, Software::UNKNOWN); local baseline: Software::Info; baseline = matched_software[sw]; if ( baseline$name == output$name && From dcc7fe3c38a56f1941375ad30ab5cf4d533324a0 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Thu, 8 Dec 2011 15:27:47 -0800 Subject: [PATCH 11/35] start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface... --- scripts/base/frameworks/software/main.bro | 112 ++++++++++-------- scripts/policy/protocols/ftp/software.bro | 3 +- .../http/software-browser-plugins.bro | 7 +- scripts/policy/protocols/http/software.bro | 8 +- scripts/policy/protocols/smtp/software.bro | 3 +- scripts/policy/protocols/ssh/software.bro | 6 +- .../frameworks/software/version-parsing.bro | 104 ++++++++-------- 7 files changed, 124 insertions(+), 119 deletions(-) 
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 817ae92e40..5cfd249982 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -30,6 +30,12 @@ export { addl: string &optional; ##< Additional version string (e.g. "beta42") } &log; + type SoftwareDescription: record { + version: Version; + name: string; + unparsed_version: string; + }; + type Info: record { ## The time at which the software was first detected. ts: time &log; @@ -48,6 +54,21 @@ export { ## The full unparsed version string found because the version parsing ## doesn't work 100% reliably and this acts as a fall back in the logs. unparsed_version: string &log &optional; + }; + + type AddItem: record { + ## The connection + id: conn_id; + ## The unparsed string representing the software version + banner: string; + ## Pre-parsed version. If this field is present, banner should only contain the name of the software + version: Version &optional; + ## The IP address detected running the software. + host: addr; + ## The port on which the software is running (if applicable). + host_p: port &optional; + ## The type of software detected (e.g. WEB_SERVER) + sw_type: Type; ## This can indicate that this software being detected should ## definitely be sent onward to the logging framework. By @@ -58,7 +79,7 @@ export { ## needs to happen in a specific way to the software. force_log: bool &default=F; }; - + ## The hosts whose software should be detected and tracked. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS const asset_tracking = LOCAL_HOSTS &redef; 
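Review bot: The new `SoftwareDescription` record in the `@@ -30,6 +30,12 @@` hunk is exported without a `##` doc comment on any of `version`, `name` or `unparsed_version`, while every neighbouring field in this export block (and the `AddItem` record added in the next hunk) carries one, so the three fields presumably come out undocumented in the generated docs. Suggest `## The parsed version, as produced by Software::parse.` above `version`, `## The name of the software (e.g. "Apache").` above `name`, and `## The full string the name and version were parsed from; kept because parsing is not 100% reliable.` above `unparsed_version`. The `Version` type and the enclosing `export` block both start outside the hunk.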
@@ -68,22 +89,14 @@ export { ## unparsed_version: This is the full string from which the ## :bro:type:`Software::Info` was extracted. ## Returns: T if the software was logged, F otherwise. - global found: function(id: conn_id, info: Software::Info): bool; + global found: function(i: AddItem): bool; ## This function can take many software version strings and parse them ## into a sensible :bro:type:`Software::Version` record. There are ## still many cases where scripts may have to have their own specific ## version parsing though. - global parse: function(unparsed_version: string, - host: addr, - software_type: Type): Info; + global parse: function(unparsed_version: string): SoftwareDescription; - ## This function is the equivalent to parse for software that has a specific - ## source port (i.e. server software) - global parse_with_port: function(unparsed_version: string, - host: addr, host_p: port, - software_type: Type): Info; - ## Compare two versions. ## Returns: -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2. ## If the numerical version numbers match, the addl string @@ -116,9 +129,7 @@ event bro_init() Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software]); } -function parse_mozilla(unparsed_version: string, - host: addr, - software_type: Type): Info +function parse_mozilla(unparsed_version: string): SoftwareDescription { local software_name = ""; local v: Version; @@ -129,7 +140,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Opera [0-9\.]*$/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } else if ( / MSIE / in unparsed_version ) { 
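Review bot: The documentation block above the new `found` signature still describes the old parameters: the visible `## unparsed_version: This is the full string from which the ... was extracted.` line no longer matches `found(i: AddItem)`. The parameter entries should be replaced by a single one, e.g. `## i: The Software::AddItem record describing the detected software; its banner is parsed here unless version is pre-set.` The beginning of that comment block lies outside the hunk. The `parse` comment remains accurate, though it could mention that the result is now a SoftwareDescription rather than an Info.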
@@ -144,7 +155,7 @@ function parse_mozilla(unparsed_version: string, { parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) @@ -153,7 +164,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) { - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } @@ -163,7 +174,7 @@ function parse_mozilla(unparsed_version: string, parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); if ( 2 in parts ) { - local tmp_s = parse(parts[2], host, software_type); + local tmp_s = parse(parts[2]); software_name = tmp_s$name; v = tmp_s$version; } @@ -173,7 +184,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Chrome"; parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } else if ( /^Opera\// in unparsed_version ) { @@ -184,12 +195,12 @@ function parse_mozilla(unparsed_version: string, software_name = parts[2]; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; else { parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } } else @@ -197,7 +208,7 @@ function parse_mozilla(unparsed_version: string, software_name = "Opera"; parts = split_all(unparsed_version, /Version\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) 
@@ -205,26 +216,24 @@ function parse_mozilla(unparsed_version: string, software_name = "Unspecified WebKit"; parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); if ( 2 in parts ) - v = parse(parts[2], host, software_type)$version; + v = parse(parts[2])$version; } - return [$ts=network_time(), $host=host, $name=software_name, $version=v, - $software_type=software_type, $unparsed_version=unparsed_version]; + return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; } # Don't even try to understand this now, just make sure the tests are # working. -function parse(unparsed_version: string, - host: addr, - software_type: Type): Info +function parse(unparsed_version: string): SoftwareDescription { local software_name = ""; local v: Version; - + + # Parse browser-alike versions separately if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) { - return parse_mozilla(unparsed_version, host, software_type); + return parse_mozilla(unparsed_version); } else { @@ -249,7 +258,7 @@ function parse(unparsed_version: string, if ( 4 in version_numbers && version_numbers[4] != "" ) v$addl = strip(version_numbers[4]); else if ( 3 in version_parts && version_parts[3] != "" && - version_parts[3] != ")" ) + version_parts[3] != ")" ) { if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] ) { @@ -286,22 +295,10 @@ function parse(unparsed_version: string, v$major = extract_count(version_numbers[1]); } } - return [$ts=network_time(), $host=host, $name=software_name, - $version=v, $unparsed_version=unparsed_version, - $software_type=software_type]; + + return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; } -function parse_with_port(unparsed_version: string, - host: addr, host_p: port, - software_type: Type): Info -{ - local i: Info; - i = parse(unparsed_version, host, software_type); - i$host_p = host_p; - i$proto = get_port_transport_proto(host_p); - - return i; -} function cmp_versions(v1: Version, v2: Version): int 
@@ -385,7 +382,7 @@ function software_fmt(i: Info): string # Insert a mapping into the table # Overides old entries for the same software and generates events if needed. -event software_register(id: conn_id, info: Info) +event software_register(id: conn_id, force_log: bool, info: Info) { # Host already known? if ( info$host !in tracked ) @@ -401,7 +398,7 @@ event software_register(id: conn_id, info: Info) # If the version hasn't changed, then we're just redetecting the # same thing, then we don't care. This results in no extra logging. # But if the $force_log value is set then we'll continue. - if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 ) + if ( ! force_log && cmp_versions(old$version, info$version) == 0 ) return; } ts[info$name] = info; @@ -409,11 +406,26 @@ event software_register(id: conn_id, info: Info) Log::write(Software::LOG, info); } -function found(id: conn_id, info: Info): bool +function found(i: AddItem): bool { - if ( info$force_log || addr_matches_host(info$host, asset_tracking) ) + if ( i$force_log || addr_matches_host(i$host, asset_tracking) ) { - event software_register(id, info); + + local sw: SoftwareDescription; + + if ( i?$version ) # already fully parsed, banner should contain the software name + { + sw = [$version=i$version, $name=i$banner, $unparsed_version=i$banner]; + } + else + { + sw = parse(i$banner); + } + + event software_register(i$id, i$force_log, [$ts=network_time(), $host=i$host, $host_p=i$host_p, $name=sw$name, + $version=sw$version, $unparsed_version=sw$unparsed_version, + $software_type=i$sw_type] ); + return T; } else diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro index 622357a608..24e7ff0b0a 100644 --- a/scripts/policy/protocols/ftp/software.bro +++ b/scripts/policy/protocols/ftp/software.bro 
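Review bot: The record constructor in the new found() body reads `i$host_p` unconditionally, but AddItem declares host_p as &optional and the client-side callers in this commit (ftp, smtp, ssh client, the HTTP User-Agent branch) never set it; as far as I recall, reading an unset optional field is a runtime error in Bro, so those calls would abort in found(). The same constructor also drops the `proto` assignment that the removed parse_with_port() made via get_port_transport_proto(), so the proto column of server entries will presumably be empty after this change, assuming Info still has that field. Building the Info first and filling host_p and proto only when a port is present addresses both; software_register's own body is outside this hunk.
```bro
		# … unchanged: selection of sw from i$version or parse(i$banner) …
		local info: Info = [$ts=network_time(), $host=i$host, $name=sw$name,
		                    $version=sw$version, $unparsed_version=sw$unparsed_version,
		                    $software_type=i$sw_type];
		if ( i?$host_p )
			{
			info$host_p = i$host_p;
			info$proto = get_port_transport_proto(i$host_p);
			}
		event software_register(i$id, i$force_log, info);
```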
@@ -21,7 +21,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4 { if ( command == "CLNT" ) { - local si = Software::parse(arg, c$id$orig_h, FTP_CLIENT); - Software::found(c$id, si); + Software::found([$id=c$id, $banner=arg, $host=c$id$orig_h, $sw_type=FTP_CLIENT]); } } diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro index db9eafd1a7..21bc8d07cb 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.bro +++ b/scripts/policy/protocols/http/software-browser-plugins.bro @@ -26,8 +26,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr # Flash doesn't include it's name so we'll add it here since it # simplifies the version parsing. value = cat("Flash/", value); - local flash_version = Software::parse(value, c$id$orig_h, BROWSER_PLUGIN); - Software::found(c$id, flash_version); + Software::found([$id=c$id, $banner=flash_version, $host=c$id$orig_h, $sw_type=BROWSER_PLUGIN]); } } else @@ -54,7 +53,7 @@ event log_http(rec: Info) local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) - Software::found(rec$id, Software::parse(plugins[i], rec$id$orig_h, BROWSER_PLUGIN)); + Software::found([$id=rec$id, $banner=plugins[i], $host=rec$id$orig_h, $sw_type=BROWSER_PLUGIN]); } } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro index 0a07ba0331..43552798e6 100644 --- a/scripts/policy/protocols/http/software.bro +++ b/scripts/policy/protocols/http/software.bro 
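Review bot: `$banner=flash_version` in the new Software::found call refers to the local that the same hunk deletes, so at this commit the script should fail to load with an unknown identifier; the argument should be the string assembled two lines above, `Software::found([$id=c$id, $banner=value, $host=c$id$orig_h, $sw_type=BROWSER_PLUGIN]);`. A later patch in this series does switch the argument to `value`, but the intermediate commit breaks anyone bisecting across it. The enclosing http_header handler continues outside the hunk.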
@@ -20,18 +20,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { if ( name == "USER-AGENT" && ignored_user_agents !in value ) - Software::found(c$id, Software::parse(value, c$id$orig_h, BROWSER)); + Software::found([$id=c$id, $banner=value, $host=c$id$orig_h, $sw_type=BROWSER]); } else { if ( name == "SERVER" ) - Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, SERVER)); + Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]); else if ( name == "X-POWERED-BY" ) - Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER)); + Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]); else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" ) { value = cat("SharePoint/", value); - Software::found(c$id, Software::parse_with_port(value, c$id$resp_h, c$id$resp_p, APPSERVER)); + Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]); } } } diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.bro index 3c4c870885..881848abc2 100644 --- a/scripts/policy/protocols/smtp/software.bro +++ b/scripts/policy/protocols/smtp/software.bro @@ -75,8 +75,7 @@ event log_smtp(rec: Info) if ( addr_matches_host(rec$id$orig_h, detect_clients_in_messages_from) ) { - local s = Software::parse(rec$user_agent, client_ip, s_type); - Software::found(rec$id, s); + Software::found([$id=rec$id, $banner=rec$user_agent, $host=client_ip, $sw_type=s_type]); } } } diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro index 0bb6ebc43f..a0160ee7ba 100644 --- a/scripts/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro 
@@ -16,14 +16,12 @@ event ssh_client_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, ""); - local si = Software::parse(cleaned_version, c$id$orig_h, CLIENT); - Software::found(c$id, si); + Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$orig_h, $sw_type=CLIENT]); } event ssh_server_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, ""); - local si = Software::parse_with_port(cleaned_version, c$id$resp_h, c$id$resp_p, SERVER); - Software::found(c$id, si); + Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]); } diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index dda3edea4b..c0c2147313 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro 
@@ -1,116 +1,114 @@ # @TEST-EXEC: bro %INPUT > output # @TEST-EXEC: btest-diff output -global ts = network_time(); -global host = 0.0.0.0; - -global matched_software: table[string] of Software::Info = { +global matched_software: table[string] of Software::SoftwareDescription = { ["OpenSSH_4.4"] = - [$name="OpenSSH", $version=[$major=4,$minor=4], $host=host, $ts=ts], + [$name="OpenSSH", $version=[$major=4,$minor=4], $unparsed_version=""], ["OpenSSH_5.2"] = - [$name="OpenSSH", $version=[$major=5,$minor=2], $host=host, $ts=ts], + [$name="OpenSSH", $version=[$major=5,$minor=2], $unparsed_version=""], ["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $unparsed_version=""], ["Apache/1.3.19 (Unix)"] = - [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $unparsed_version=""], ["ProFTPD 1.2.5rc1 Server (Debian)"] = - [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host=host, $ts=ts], + [$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $unparsed_version=""], ["wu-2.4.2-academ[BETA-18-VR14](1)"] = - [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host=host, $ts=ts], + [$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $unparsed_version=""], ["wu-2.6.2(1)"] = - [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host=host, $ts=ts], + [$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $unparsed_version=""], ["Java1.2.2-JDeveloper"] = - [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host=host, $ts=ts], + [$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $unparsed_version=""], ["Java/1.6.0_13"] = - 
[$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host=host, $ts=ts], + [$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $unparsed_version=""], ["Python-urllib/3.1"] = - [$name="Python-urllib", $version=[$major=3,$minor=1], $host=host, $ts=ts], + [$name="Python-urllib", $version=[$major=3,$minor=1], $unparsed_version=""], ["libwww-perl/5.820"] = - [$name="libwww-perl", $version=[$major=5,$minor=820], $host=host, $ts=ts], + [$name="libwww-perl", $version=[$major=5,$minor=820], $unparsed_version=""], ["Wget/1.9+cvs-stable (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=host, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $unparsed_version=""], ["Wget/1.11.4 (Red Hat modified)"] = - [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host=host, $ts=ts], + [$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $unparsed_version=""], ["curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18"] = - [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host=host, $ts=ts], + [$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $unparsed_version=""], ["Apache"] = - [$name="Apache", $host=host, $ts=ts], + [$name="Apache", $unparsed_version=""], ["Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown"] = - [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host=host, $ts=ts], + [$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $unparsed_version=""], ["The Bat! 
(v2.00.9) Personal"] = - [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host=host, $ts=ts], + [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""], ["Flash/10,2,153,1"] = - [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host=host, $ts=ts], + [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $unparsed_version=""], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = - [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host=host, $ts=ts], + [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $unparsed_version=""], ["CacheFlyServe v26b"] = - [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host=host, $ts=ts], + [$name="CacheFlyServe", $version=[$major=26,$addl="b"], $unparsed_version=""], ["Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4"] = - [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host=host, $ts=ts], + [$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $unparsed_version=""], # I have no clue how I'd support this without a special case. 
#["Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635"] = - # [$name="Apache", $version=[], $host=host, $ts=ts], + # [$name="Apache", $version=[], $unparsed_version=""], ["Apple iPhone v4.3.1 Weather v1.0.0.8G4"] = - [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host=host, $ts=ts], + [$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $unparsed_version=""], ["Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $unparsed_version=""], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16"] = - [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host=host, $ts=ts], + [$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $unparsed_version=""], ["Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01"] = - [$name="Opera", $version=[$major=11,$minor=1], $host=host, $ts=ts], + [$name="Opera", $version=[$major=11,$minor=1], $unparsed_version=""], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5"] = - [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host=host, $ts=ts], + [$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $unparsed_version=""], ["iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9"] = - [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host=host, $ts=ts], + [$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $unparsed_version=""], ["Java1.3.1_04"] = - [$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host=host, $ts=ts], + 
[$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $unparsed_version=""], ["Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"] = - [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $unparsed_version=""], ["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"] = - [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host=host, $ts=ts], + [$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $unparsed_version=""], ["Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"] = - [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host=host, $ts=ts], + [$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $unparsed_version=""], ["Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54"] = - [$name="Opera Mini", $version=[$major=10,$minor=54], $host=host, $ts=ts], + [$name="Opera Mini", $version=[$major=10,$minor=54], $unparsed_version=""], ["Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15"] = - [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host=host, $ts=ts], + [$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $unparsed_version=""], ["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] = - [$name="Opera Mobi", $version=[$major=10,$minor=0], $host=host, $ts=ts], + [$name="Opera Mobi", $version=[$major=10,$minor=0], $unparsed_version=""], ["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] = - [$name="Opera", $version=[$major=11,$minor=0], $host=host, $ts=ts], + 
[$name="Opera", $version=[$major=11,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] = - [$name="Netscape", $version=[$major=7,$minor=2], $host=host, $ts=ts], + [$name="Netscape", $version=[$major=7,$minor=2], $unparsed_version=""], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] = - [$name="MSIE", $version=[$major=7,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0], $unparsed_version=""], ["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] = - [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $unparsed_version=""], ["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)"] = - [$name="MSIE", $version=[$major=8,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=8,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""], ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)"] = - [$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts], + [$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"] = - [$name="MSIE", $version=[$major=10,$minor=0], $host=host, $ts=ts], + [$name="MSIE", 
$version=[$major=10,$minor=0], $unparsed_version=""], ["The Bat! (3.0.1 RC3) Professional"] = - [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host=host, $ts=ts], + [$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $unparsed_version=""], # This is an FTP client (found with CLNT command) ["Total Commander"] = - [$name="Total Commander", $version=[], $host=host, $ts=ts], + [$name="Total Commander", $version=[], $unparsed_version=""], ["(vsFTPd 2.0.5)"] = - [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host=host, $ts=ts], + [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $unparsed_version=""], ["Apple Mail (2.1084)"] = - [$name="Apple Mail", $version=[$major=2,$minor=1084], $host=host, $ts=ts], + [$name="Apple Mail", $version=[$major=2,$minor=1084], $unparsed_version=""], }; event bro_init() { for ( sw in matched_software ) { - local output = Software::parse(sw, host, Software::UNKNOWN); - local baseline: Software::Info; + local output = Software::parse(sw); + local baseline: Software::SoftwareDescription; baseline = matched_software[sw]; if ( baseline$name == output$name && + sw == output$unparsed_version && Software::cmp_versions(baseline$version,output$version) == 0 ) print fmt("success on: %s", sw); else From 50d5571939b74b4a9c91a00339bfdba390d564cc Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Sun, 11 Dec 2011 18:49:00 -0800 Subject: [PATCH 12/35] Give mode2string a more generic name. --- src/bro.bif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bro.bif b/src/bro.bif index 16b18b0d48..d0569716b0 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3542,7 +3542,7 @@ function x509_err2str%(err_num: count%): string return new StringVal(X509_verify_cert_error_string(err_num)); %} -function NFS3::mode2string%(mode: count%): string +function file_mode%(mode: count%): string %{ char str[12]; char *p = str; From bd5dadf427b3dcbd5832274617addfd4d4a21068 Mon Sep 17 00:00:00 2001 
From: Bernhard Amann Date: Fri, 16 Dec 2011 11:24:52 -0800 Subject: [PATCH 13/35] change software framework interface again. At the moment everything should work. --- scripts/base/frameworks/software/main.bro | 63 +++++++++---------- scripts/policy/protocols/ftp/software.bro | 2 +- .../policy/protocols/http/detect-webapps.bro | 3 +- .../http/software-browser-plugins.bro | 4 +- scripts/policy/protocols/http/software.bro | 8 +-- scripts/policy/protocols/smtp/software.bro | 2 +- scripts/policy/protocols/ssh/software.bro | 4 +- 7 files changed, 43 insertions(+), 43 deletions(-) diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 5cfd249982..e451ebd218 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -36,9 +36,10 @@ export { unparsed_version: string; }; + ## Record that is used to add and log software information. type Info: record { ## The time at which the software was first detected. - ts: time &log; + ts: time &log &optional; ## The IP address detected running the software. host: addr &log; ## The Port on which the software is running. Only sensible for server software. 
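Review bot: `ts` becomes &optional here but its comment still reads as if it is always present; since the new found() body fills it with network_time() when the caller leaves it unset, the comment should say so: `## The time at which the software was first detected. Filled in by Software::found() with network_time() if the caller does not set it.` The added `## Record that is used to add and log software information.` line is a good start and could also name which fields a caller must always provide, given that several become optional in this commit.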
@@ -48,27 +49,12 @@ export { ## The type of software detected (e.g. WEB_SERVER) software_type: Type &log &default=UNKNOWN; ## Name of the software (e.g. Apache) - name: string &log; + name: string &log &optional; ## Version of the software - version: Version &log; + version: Version &log &optional; ## The full unparsed version string found because the version parsing ## doesn't work 100% reliably and this acts as a fall back in the logs. unparsed_version: string &log &optional; - }; - - type AddItem: record { - ## The connection - id: conn_id; - ## The unparsed string representing the software version - banner: string; - ## Pre-parsed version. If this field is present, banner should only contain the name of the software - version: Version &optional; - ## The IP address detected running the software. - host: addr; - ## The port on which the software is running (if applicable). - host_p: port &optional; - ## The type of software detected (e.g. WEB_SERVER) - sw_type: Type; ## This can indicate that this software being detected should ## definitely be sent onward to the logging framework. By @@ -89,7 +75,7 @@ export { ## unparsed_version: This is the full string from which the ## :bro:type:`Software::Info` was extracted. ## Returns: T if the software was logged, F otherwise. - global found: function(i: AddItem): bool; + global found: function(id: conn_id, info: Info): bool; ## This function can take many software version strings and parse them ## into a sensible :bro:type:`Software::Version` record. There are @@ -382,7 +368,7 @@ function software_fmt(i: Info): string # Insert a mapping into the table # Overides old entries for the same software and generates events if needed. -event software_register(id: conn_id, force_log: bool, info: Info) +event software_register(id: conn_id, info: Info) { # Host already known? if ( info$host !in tracked ) 
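Review bot: `name` and `version` are made &optional here, but nothing in the record documentation states the contract that found() now enforces: either `version` is given, in which case `name` is required, or `unparsed_version` must be given so that name and version can be parsed. Readers of the generated docs only see three independent optional fields. I would add above `name`: `## Name of the software (e.g. Apache). Required when version is given; otherwise derived from unparsed_version by Software::found().` and a parallel sentence on `version`. The `force_log` field folded back into Info is outside this hunk's visible lines.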
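Review bot: The parameter documentation above the restored `found(id: conn_id, info: Info)` signature still lists `## unparsed_version: This is the full string from which the ... was extracted.`, which was not a parameter of the AddItem form and is not one of this form either. Replace it with entries for the actual parameters, e.g. `## id: The connection on which the software was detected.` and `## info: The Software::Info record; host and software_type are required, and either version plus name or unparsed_version must be set.` The beginning of that comment block lies outside the hunk.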
@@ -398,7 +384,7 @@ event software_register(id: conn_id, force_log: bool, info: Info) # If the version hasn't changed, then we're just redetecting the # same thing, then we don't care. This results in no extra logging. # But if the $force_log value is set then we'll continue. - if ( ! force_log && cmp_versions(old$version, info$version) == 0 ) + if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 ) return; } ts[info$name] = info; @@ -406,25 +392,38 @@ event software_register(id: conn_id, force_log: bool, info: Info) Log::write(Software::LOG, info); } -function found(i: AddItem): bool +function found(id: conn_id, info: Info): bool { - if ( i$force_log || addr_matches_host(i$host, asset_tracking) ) + if ( info$force_log || addr_matches_host(info$host, asset_tracking) ) { - local sw: SoftwareDescription; - if ( i?$version ) # already fully parsed, banner should contain the software name + if ( !info?$ts ) + info$ts=network_time(); + + if ( info?$version ) # we have a version number and don't have to parse. check if the name is also set... { - sw = [$version=i$version, $name=i$banner, $unparsed_version=i$banner]; - } - else + if ( !info?$name ) + { + Reporter::error("Required field name not present in Software::found"); + return F; + } + } + else # no version present, we have to parse... { - sw = parse(i$banner); + if ( !info?$unparsed_version ) + { + Reporter::error("No unparsed version string present in Info record with version in Software::found"); + return F; + } + local sw = parse(info$unparsed_version); + info$unparsed_version = sw$unparsed_version; + info$name = sw$name; + info$version = sw$version; + } - event software_register(i$id, i$force_log, [$ts=network_time(), $host=i$host, $host_p=i$host_p, $name=sw$name, - $version=sw$version, $unparsed_version=sw$unparsed_version, - $software_type=i$sw_type] ); + event software_register(id, info); return T; } 
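Review bot: The Reporter::error text in the else branch is misleading: it reads `... Info record with version ...` although that branch is reached precisely when no version is present, so it points an operator investigating the log at the wrong condition; `Reporter::error("No unparsed_version present in Info record without version in Software::found");` names the actual problem. Separately, `proto` is still not derived from `host_p` here, so the regression from the earlier AddItem rewrite (the removed parse_with_port() used to set it via get_port_transport_proto()) persists for server entries; a guarded `if ( info?$host_p ) info$proto = get_port_transport_proto(info$host_p);` before the event would restore it. Since records are reference types as far as I remember, the writes to `info$ts`, `info$name` and `info$version` also land in the caller's record, which deserves a one-line comment.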
diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro index 24e7ff0b0a..1f5262fcab 100644 --- a/scripts/policy/protocols/ftp/software.bro +++ b/scripts/policy/protocols/ftp/software.bro @@ -21,6 +21,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4 { if ( command == "CLNT" ) { - Software::found([$id=c$id, $banner=arg, $host=c$id$orig_h, $sw_type=FTP_CLIENT]); + Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=FTP_CLIENT]); } } diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro index 63f481422a..b9cc309069 100644 --- a/scripts/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -23,7 +23,8 @@ event signature_match(state: signature_state, msg: string, data: string) &priori if ( /^webapp-/ !in state$sig_id ) return; local c = state$conn; - local si = Software::parse_with_port(msg, c$id$resp_h, c$id$resp_p, WEB_APPLICATION); + local si = Software::Info; + si = [$unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION]; si$url = build_url_http(c$http); if ( c$id$resp_h in Software::tracked && si$name in Software::tracked[c$id$resp_h] ) diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro index 21bc8d07cb..7316595e7f 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.bro +++ b/scripts/policy/protocols/http/software-browser-plugins.bro 
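Review bot: `local si = Software::Info;` assigns a type name rather than declaring a variable of that type; it should be `local si: Software::Info;` (or a single `local si: Software::Info = [$unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];`). The record is also now built without `name`, yet the unchanged check below, `si$name in Software::tracked[c$id$resp_h]`, reads that field before Software::found() would have parsed it, so it presumably hits a missing optional field at runtime; calling `local sw = Software::parse(msg);` first and passing `$name=sw$name, $version=sw$version` into the constructor restores the earlier behaviour. The rest of the signature_match handler is outside the hunk.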
@@ -26,7 +26,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr # Flash doesn't include it's name so we'll add it here since it # simplifies the version parsing. value = cat("Flash/", value); - Software::found([$id=c$id, $banner=flash_version, $host=c$id$orig_h, $sw_type=BROWSER_PLUGIN]); + Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]); } } else @@ -53,7 +53,7 @@ event log_http(rec: Info) local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) - Software::found([$id=rec$id, $banner=plugins[i], $host=rec$id$orig_h, $sw_type=BROWSER_PLUGIN]); + Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]); } } } diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro index 43552798e6..99b9a534f7 100644 --- a/scripts/policy/protocols/http/software.bro +++ b/scripts/policy/protocols/http/software.bro 
@@ -20,18 +20,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { if ( name == "USER-AGENT" && ignored_user_agents !in value ) - Software::found([$id=c$id, $banner=value, $host=c$id$orig_h, $sw_type=BROWSER]); + Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]); } else { if ( name == "SERVER" ) - Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]); + Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]); else if ( name == "X-POWERED-BY" ) - Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]); + Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]); else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" ) { value = cat("SharePoint/", value); - Software::found([$id=c$id, $banner=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=APPSERVER]); + Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]); } } } diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.bro index 881848abc2..f520485338 100644 --- a/scripts/policy/protocols/smtp/software.bro +++ b/scripts/policy/protocols/smtp/software.bro @@ -75,7 +75,7 @@ event log_smtp(rec: Info) if ( addr_matches_host(rec$id$orig_h, detect_clients_in_messages_from) ) { - Software::found([$id=rec$id, $banner=rec$user_agent, $host=client_ip, $sw_type=s_type]); + Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]); } } } diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro index a0160ee7ba..a47f198c56 100644 --- a/scripts/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro 
@@ -16,12 +16,12 @@ event ssh_client_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, ""); - Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$orig_h, $sw_type=CLIENT]); + Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]); } event ssh_server_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, ""); - Software::found([$id=c$id, $banner=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $sw_type=SERVER]); + Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]); } From aae60a6d765da39a9659a9b9174d2cb3ebaba7fe Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 4 Jan 2012 16:44:25 -0600 Subject: [PATCH 14/35] Allow local table variables to be initialized with {} list expressions. --- src/Expr.cc | 19 +++++++++++++++--- src/Expr.h | 4 ++-- src/Var.cc | 3 ++- .../btest/Baseline/language.table-init/output | 10 ++++++++++ testing/btest/language/table-init.bro | 20 +++++++++++++++++++ 5 files changed, 50 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/language.table-init/output create mode 100644 testing/btest/language/table-init.bro diff --git a/src/Expr.cc b/src/Expr.cc index c34c44a7d1..ee2d90aeed 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -2435,7 +2435,7 @@ bool RefExpr::DoUnserialize(UnserialInfo* info) } AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init, - Val* arg_val) + Val* arg_val, attr_list* arg_attrs) : BinaryExpr(EXPR_ASSIGN, arg_is_init ? arg_op1 : arg_op1->MakeLvalue(), arg_op2) { 
@@ -2455,14 +2455,14 @@ AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init, // We discard the status from TypeCheck since it has already // generated error messages. - (void) TypeCheck(); + (void) TypeCheck(arg_attrs); val = arg_val ? arg_val->Ref() : 0; SetLocationInfo(arg_op1->GetLocationInfo(), arg_op2->GetLocationInfo()); } -bool AssignExpr::TypeCheck() +bool AssignExpr::TypeCheck(attr_list* attrs) { TypeTag bt1 = op1->Type()->Tag(); TypeTag bt2 = op2->Type()->Tag(); @@ -2494,6 +2494,19 @@ bool AssignExpr::TypeCheck() return true; } + if ( bt1 == TYPE_TABLE && op2->Tag() == EXPR_LIST ) + { + attr_list* attr_copy = 0; + if ( attrs ) + { + attr_copy = new attr_list; + loop_over_list(*attrs, i) + attr_copy->append((*attrs)[i]); + } + op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy); + return true; + } + if ( bt1 == TYPE_VECTOR && bt2 == bt1 && op2->Type()->AsVectorType()->IsUnspecifiedVector() ) { diff --git a/src/Expr.h b/src/Expr.h index 95016a8d13..8676a1ad7e 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -623,7 +623,7 @@ class AssignExpr : public BinaryExpr { public: // If val is given, evaluating this expression will always yield the val // yet still perform the assignment. Used for triggers. - AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0); + AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0, attr_list* attrs = 0); virtual ~AssignExpr() { Unref(val); } Expr* Simplify(SimplifyType simp_type); @@ -638,7 +638,7 @@ protected: friend class Expr; AssignExpr() { } - bool TypeCheck(); + bool TypeCheck(attr_list* attrs = 0); bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2); DECLARE_SERIAL(AssignExpr); diff --git a/src/Var.cc b/src/Var.cc index 897a454670..d54d94a078 100644 --- a/src/Var.cc +++ b/src/Var.cc 
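Review bot: The new `bt1 == TYPE_TABLE && op2->Tag() == EXPR_LIST` branch in `AssignExpr::TypeCheck` copies the raw attribute pointers out of `attrs` into `attr_copy` without taking a reference on them, while the same entries stay owned by the ID (the Var.cc call site passes `id->Attrs()->Attrs()`). If `TableConstructorExpr` releases the attributes it is handed when it is destroyed, those entries are released twice; either take a `Ref()` on each copied attribute or add a comment at the `attr_copy->append(...)` line stating that the constructor only borrows them. The old `op2` is likewise overwritten without being released, which is correct only if `TableConstructorExpr` takes ownership of the `ListExpr`; a one-line comment at `op2 = new TableConstructorExpr(...)` would record that. The rest of `TypeCheck` continues outside the hunk.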
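Review bot: The comment above the `AssignExpr` constructor in Expr.h still describes only `val`, so the new `attrs` parameter is undocumented at its declaration; a line such as `// attrs, if given, are the attributes of the variable being assigned; they are forwarded to the table constructor when a table is initialised from a {} list.` would match what the Expr.cc change does with them. The protected `TypeCheck(attr_list* attrs = 0)` deserves the same one-line note, since its default of 0 is what every existing caller relies on.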
@@ -202,7 +202,8 @@ Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init, Ref(id); Stmt* stmt = - new ExprStmt(new AssignExpr(new NameExpr(id), init, 0)); + new ExprStmt(new AssignExpr(new NameExpr(id), init, 0, 0, + id->Attrs() ? id->Attrs()->Attrs() : 0 )); stmt->SetLocationInfo(init->GetLocationInfo()); return stmt; diff --git a/testing/btest/Baseline/language.table-init/output b/testing/btest/Baseline/language.table-init/output new file mode 100644 index 0000000000..0272e12319 --- /dev/null +++ b/testing/btest/Baseline/language.table-init/output @@ -0,0 +1,10 @@ +{ +[2] = two, +[1] = one +} +global table default +{ +[4] = four, +[3] = three +} +local table default diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.bro new file mode 100644 index 0000000000..5df682c5d2 --- /dev/null +++ b/testing/btest/language/table-init.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: btest-diff output + +global global_table: table[count] of string = { + [1] = "one", + [2] = "two" +} &default = "global table default"; + +event bro_init() + { + local local_table: table[count] of string = { + [3] = "three", + [4] = "four" + } &default = "local table default"; + + print global_table; + print global_table[0]; + print local_table; + print local_table[0]; + } From 9aefeec4ce8f4a3952dc9874a99b570310fe8b39 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 11 Jan 2012 16:30:25 -0600 Subject: [PATCH 15/35] Integrate Bro script coverage profiling with the btest suite. --- src/Brofiler.cc | 20 +++++++-------- src/Brofiler.h | 8 ++++-- testing/btest/.gitignore | 1 + testing/btest/Makefile | 2 ++ testing/btest/btest.cfg | 5 +++- testing/scripts/btest-bg-run | 7 ++++++ testing/scripts/coverage-calc | 46 +++++++++++++++++++++++++++++++++++ 7 files changed, 75 insertions(+), 14 deletions(-) create mode 100755 testing/scripts/btest-bg-run create mode 100755 testing/scripts/coverage-calc 
diff --git a/src/Brofiler.cc b/src/Brofiler.cc index fc23f10a7d..8db5861d20 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc @@ -13,16 +13,12 @@ Brofiler::~Brofiler() { } -void Brofiler::ReadStats() +bool Brofiler::ReadStats() { char* bf = getenv("BROFILER_FILE"); - if ( ! bf ) return; + if ( ! bf ) return false; FILE* f = fopen(bf, "r"); - if ( ! f ) - { - fprintf(stderr, "Failed to open Brofiler file '%s' for reading\n", bf); - return; - } + if ( ! f ) return false; char line[16384]; string delimiter; @@ -40,18 +36,19 @@ void Brofiler::ReadStats() } fclose(f); + return true; } -void Brofiler::WriteStats() +bool Brofiler::WriteStats() { char* bf = getenv("BROFILER_FILE"); - if ( ! bf ) return; + if ( ! bf ) return false; FILE* f = fopen(bf, "w"); if ( ! f ) { - fprintf(stderr, "Failed to open Brofiler file '%s' for writing\n", bf); - return; + reporter->Error("Failed to open Brofiler file '%s' for writing\n", bf); + return false; } for ( list::const_iterator it = stmts.begin(); @@ -78,5 +75,6 @@ void Brofiler::WriteStats() } fclose(f); + return true; } diff --git a/src/Brofiler.h b/src/Brofiler.h index 6ded906698..0a284c62c8 100644 --- a/src/Brofiler.h +++ b/src/Brofiler.h @@ -18,15 +18,19 @@ public: /** * Imports Bro script Stmt usage information from file pointed to by * environment variable BROFILER_FILE. + * + * @return: true if usage info was read, otherwise false. */ - void ReadStats(); + bool ReadStats(); /** * Combines usage stats from current run with any read from ReadStats(), * then writes information to file pointed to by environment variable * BROFILER_FILE. + * + * @return: true when usage info is written, otherwise false. */ - void WriteStats(); + bool WriteStats(); void SetDelim(char d) { delim = d; } diff --git a/testing/btest/.gitignore b/testing/btest/.gitignore index 0c143f664e..5282177d90 100644 --- a/testing/btest/.gitignore +++ b/testing/btest/.gitignore @@ -1,2 +1,3 @@ .tmp diag.log +coverage.log 
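Review bot: `if ( ! f ) return false;` in `ReadStats` now treats every `fopen` failure the same as a missing `BROFILER_FILE`, so a file that exists but cannot be read (permissions, a directory in its place) is skipped silently, the run starts from empty counts, and `WriteStats` later overwrites it. Reporting only when `errno != ENOENT` (with `<cerrno>` included) keeps the intended "no previous stats yet" case quiet while surfacing real I/O errors: `if ( ! f ) { if ( errno != ENOENT ) reporter->Warning("Failed to open Brofiler file '%s' for reading", bf); return false; }`. In the `WriteStats` hunk the new `reporter->Error(...)` call keeps the trailing `\n` from the old `fprintf` format string; if Reporter terminates messages itself, that leaves a blank line in the output.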
diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 7489d761fb..2ebd66edd2 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -5,7 +5,9 @@ BTEST=../../aux/btest/btest all: # Showing all tests. @rm -f $(DIAG) + @rm -f .tmp/script-coverage* @$(BTEST) -f $(DIAG) + @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd` brief: # Brief output showing only failed tests. diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 7d8283587c..b37b3063be 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -10,9 +10,12 @@ BROPATH=`bash -c %(testbase)s/../../build/bro-path-dev` BRO_SEED_FILE=%(testbase)s/random.seed TZ=UTC LC_ALL=C -PATH=%(testbase)s/../../build/src:%(testbase)s/../../aux/btest:%(default_path)s +BTEST_PATH=%(testbase)s/../../aux/btest +PATH=%(testbase)s/../../build/src:%(testbase)s/../scripts:%(testbase)s/../../aux/btest:%(default_path)s TRACES=%(testbase)s/Traces SCRIPTS=%(testbase)s/../scripts DIST=%(testbase)s/../.. BUILD=%(testbase)s/../../build TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier +TMPDIR=%(testbase)s/.tmp +BROFILER_FILE=%(testbase)s/.tmp/script-coverage diff --git a/testing/scripts/btest-bg-run b/testing/scripts/btest-bg-run new file mode 100755 index 0000000000..462ae23fa2 --- /dev/null +++ b/testing/scripts/btest-bg-run @@ -0,0 +1,7 @@ +#! /usr/bin/env bash + +# This is a wrapper script to btest's real btest-bg-run. It's used +# when collecting Bro script coverage statistics so that two independent +# Bro processing don't try to write those usage statistics to the same file. + +BROFILER_FILE=`mktemp -t script-coverage` $BTEST_PATH/btest-bg-run $@ diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc new file mode 100755 index 0000000000..a146667595 --- /dev/null +++ b/testing/scripts/coverage-calc 
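Review bot: `$@` on the last line of the new `btest-bg-run` wrapper is unquoted, so any argument containing whitespace is re-split before it reaches the real `btest-bg-run`; it should be `"$@"`, and `exec` avoids leaving the wrapper shell around for the lifetime of the background job: `BROFILER_FILE=\`mktemp -t script-coverage\` exec "$BTEST_PATH/btest-bg-run" "$@"`. The `mktemp -t` template contains no `X`s, and how a template without them is handled differs between BSD and GNU mktemp, so the call is worth checking on Linux before the coverage run depends on it. Nothing checks that `BTEST_PATH` is set or that `mktemp` succeeded; a short guard that exits with a message would make a misconfigured btest.cfg fail loudly instead of running Bro with an empty `BROFILER_FILE`.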
@@ -0,0 +1,46 @@ +#! /usr/bin/env python + +# This script aggregates many files containing Bro script coverage information +# into a single file and reports the overall coverage information. Usage: +# +# coverage-calc +# +# The last argument is used to ignore Bro scripts that are part of the test +# suite itself as those should not count towards the coverage calculation. + +import os +import sys +import glob + +stats = {} +inputglob = sys.argv[1] +outputfile = sys.argv[2] +ignoredir = os.path.abspath(sys.argv[3]) + +for filename in glob.glob(inputglob): + with open(filename, 'r') as f: + for line in f.read().splitlines(): + parts = line.split("\t") + exec_count = int(parts[0]) + location = os.path.normpath(parts[1]) + # ignore scripts that don't appear to be part of Bro distribution + if location.startswith(ignoredir) or not location.startswith("/"): + continue + desc = parts[2] + key = location + desc + if key in stats: + stats[key][0] += exec_count + else: + stats[key] = [exec_count, location, desc] + +with open(outputfile, 'w') as f: + for k in sorted(stats, key=lambda i: stats[i][1]): + f.write("%s\t%s\t%s\n" % (stats[k][0], stats[k][1], stats[k][2])) + +num_covered = 0 +for k in stats: + if stats[k][0] > 0: + num_covered += 1 + +if len(stats) > 0: + print "%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100) From 9c42f02082c41b088ae9313680091eebc28a2d47 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 11 Jan 2012 16:57:09 -0600 Subject: [PATCH 16/35] fixed some broken links --- doc/reporting-problems.rst | 2 +- doc/signatures.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/reporting-problems.rst b/doc/reporting-problems.rst index a1105708eb..fa3f32a620 100644 --- a/doc/reporting-problems.rst +++ b/doc/reporting-problems.rst 
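Review bot: `key = location + desc` in the new `coverage-calc` concatenates two strings with no separator, so two distinct (location, desc) pairs can collide on one key and have their counts merged; a tuple key, `key = (location, desc)`, removes the ambiguity without changing the output, since the values are stored separately in `stats[key]`. The per-line parsing assumes exactly three tab-separated fields and an integer first field, so a blank trailing line or a truncated file raises `IndexError`/`ValueError` and aborts the whole aggregation; skipping malformed lines with a warning on stderr would be safer. `sys.argv` is indexed without a length check, so a missing argument fails with a traceback rather than the usage text in the header comment.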
@@ -29,7 +29,7 @@ following: * The output you're seeing along with a description what you'd expect Bro to do instead. -* A *small* trace in `libpcap format `__ +* A *small* trace in `libpcap format `__ demonstrating the effect (assuming the problem doesn't happen right at startup already). diff --git a/doc/signatures.rst b/doc/signatures.rst index a1e70f8e6f..c44e1b571a 100644 --- a/doc/signatures.rst +++ b/doc/signatures.rst @@ -338,7 +338,7 @@ Things to keep in mind when writing signatures signature engine and can be matched with ``\r`` and ``\n``, respectively. Generally, Bro follows `flex's regular expression syntax - `_. + `_. See the DPD signatures in ``base/frameworks/dpd/dpd.sig`` for some examples of fairly complex payload patterns. From b6c3567ba40e513cbdb303099d921f693ff65914 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 12 Jan 2012 11:58:13 -0600 Subject: [PATCH 17/35] Test coverage integration for external tests and complete suite. coverage.log files are output to each testing dir and reflect the number of times statement locations of Bro scripts are executed. --- testing/.gitignore | 1 + testing/Makefile | 5 +++++ testing/external/subdir-btest.cfg | 1 + 3 files changed, 7 insertions(+) create mode 100644 testing/.gitignore diff --git a/testing/.gitignore b/testing/.gitignore new file mode 100644 index 0000000000..a664c1d684 --- /dev/null +++ b/testing/.gitignore @@ -0,0 +1 @@ +coverage.log diff --git a/testing/Makefile b/testing/Makefile index 7f03a55f49..4b4e87d82f 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -3,6 +3,11 @@ DIRS=btest external all: @for repo in $(DIRS); do (cd $$repo && make ); done + @cp btest/coverage.log `mktemp brocov.tmp.XXX` + @for f in external/*/coverage.log; do cp $$f `mktemp brocov.tmp.XXX`; done + @echo "Complete test suite code coverage:" + @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd` + @rm -f brocov.tmp.* brief: @for repo in $(DIRS); do (cd $$repo && make brief ); done 
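Review bot: `for f in external/*/coverage.log; do cp $$f ...; done` in the new `all` target runs with an unexpanded glob when no external test directory has produced a `coverage.log` yet, so `cp` fails on the literal pattern and aborts the target; guarding the copy keeps the target usable on a fresh checkout: `@for f in external/*/coverage.log; do if [ -f $$f ]; then cp $$f \`mktemp brocov.tmp.XXX\`; fi; done`. The `@cp btest/coverage.log ...` line above it has the same failure mode if the btest run wrote no log. Both temporaries are created in the current directory with a three-`X` template, which is adequate here but deserves a comment so nobody later moves them to a shared `/tmp`.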
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index dd9a57c879..e24f89255a 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg @@ -17,3 +17,4 @@ TRACES=%(testbase)s/Traces SCRIPTS=%(testbase)s/../scripts DIST=%(testbase)s/../../.. BUILD=%(testbase)s/../../../build +BROFILER_FILE=%(testbase)s/.tmp/script-coverage From 713e3ac5d0ff63313fa2b6b8df25e41b1045519a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Jan 2012 14:52:58 -0600 Subject: [PATCH 18/35] Add "# @no-test" tag to blacklist statements from test coverage analysis. It can apply to either single statements: print "don't cover"; # @no-test or a block of statements: if ( F ) { # @no-test ... } --- src/Brofiler.cc | 2 +- src/Brofiler.h | 14 ++- src/parse.y | 89 +++++++++++-------- src/scan.l | 2 + .../coverage.coverage-blacklist/output | 5 ++ testing/btest/coverage/coverage-blacklist.bro | 29 ++++++ 6 files changed, 99 insertions(+), 42 deletions(-) create mode 100644 testing/btest/Baseline/coverage.coverage-blacklist/output create mode 100644 testing/btest/coverage/coverage-blacklist.bro diff --git a/src/Brofiler.cc b/src/Brofiler.cc index 8db5861d20..75c054a681 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc @@ -5,7 +5,7 @@ #include "util.h" Brofiler::Brofiler() - : delim('\t') + : delim('\t'), ignoring(0) { } diff --git a/src/Brofiler.h b/src/Brofiler.h index 0a284c62c8..58c23f06b1 100644 --- a/src/Brofiler.h +++ b/src/Brofiler.h 
@@ -34,14 +34,24 @@ public: void SetDelim(char d) { delim = d; } + void IncIgnoreDepth() { ignoring++; } + void DecIgnoreDepth() { ignoring--; } + + void AddStmt(const Stmt* s) { if ( ignoring == 0 ) stmts.push_back(s); } + +private: /** * The current, global Brofiler instance creates this list at parse-time. */ list stmts; -private: /** - * + * Indicates whether new statments will not be considered as part of + * coverage statistics because it was marked with the @no-test tag. + */ + unsigned int ignoring; + + /** * This maps Stmt location-desc pairs to the total number of times that * Stmt has been executed. The map can be initialized from a file at * startup time and modified at shutdown time before writing back diff --git a/src/parse.y b/src/parse.y index fb731d9555..35eae155b5 100644 --- a/src/parse.y +++ b/src/parse.y @@ -29,6 +29,8 @@ %token TOK_DOC TOK_POST_DOC +%token TOK_NO_TEST + %left ',' '|' %right '=' TOK_ADD_TO TOK_REMOVE_FROM %right '?' ':' TOK_USING @@ -42,6 +44,7 @@ %right '!' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR +%type opt_no_test opt_no_test_block %type TOK_ID TOK_PATTERN_TEXT single_pattern TOK_DOC TOK_POST_DOC %type opt_doc_list opt_post_doc_list %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func @@ -196,6 +199,7 @@ static std::list* concat_opt_docs (std::list* pre, %} %union { + bool b; char* str; std::list* str_l; ID* id; 
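Review bot: `void DecIgnoreDepth() { ignoring--; }` decrements an `unsigned int`, so one unbalanced call wraps `ignoring` to its maximum and silently suppresses every later `AddStmt` for the rest of the parse; a guard, `void DecIgnoreDepth() { if ( ignoring > 0 ) ignoring--; }`, keeps such a mistake local. The new member comment has a typo ("statments") and describes the condition loosely; since only the block productions change the depth, `* Depth of enclosing blocks marked with the @no-test tag; while non-zero, AddStmt() drops new statements from the coverage statistics.` matches what the parser actions do.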
@@ -1315,121 +1319,117 @@ attr: ; stmt: - '{' stmt_list '}' + '{' opt_no_test_block stmt_list '}' { - set_location(@1, @3); - $$ = $2; + set_location(@1, @4); + $$ = $3; + if ( $2 ) brofiler.DecIgnoreDepth(); } - | TOK_PRINT expr_list ';' + | TOK_PRINT expr_list ';' opt_no_test { set_location(@1, @3); $$ = new PrintStmt($2); - brofiler.stmts.push_back($$); + if ( ! $4 ) brofiler.AddStmt($$); } - | TOK_EVENT event ';' + | TOK_EVENT event ';' opt_no_test { set_location(@1, @3); $$ = new EventStmt($2); - brofiler.stmts.push_back($$); + if ( ! $4 ) brofiler.AddStmt($$); } | TOK_IF '(' expr ')' stmt { set_location(@1, @4); $$ = new IfStmt($3, $5, new NullStmt()); - //brofiler.stmts.push_back($$); } | TOK_IF '(' expr ')' stmt TOK_ELSE stmt { set_location(@1, @4); $$ = new IfStmt($3, $5, $7); - //brofiler.stmts.push_back($$); } | TOK_SWITCH expr '{' case_list '}' { set_location(@1, @2); $$ = new SwitchStmt($2, $4); - //brofiler.stmts.push_back($$); } | for_head stmt { $1->AsForStmt()->AddBody($2); - //brofiler.stmts.push_back($1); } - | TOK_NEXT ';' + | TOK_NEXT ';' opt_no_test { set_location(@1, @2); $$ = new NextStmt; - brofiler.stmts.push_back($$); + if ( ! $3 ) brofiler.AddStmt($$); } - | TOK_BREAK ';' + | TOK_BREAK ';' opt_no_test { set_location(@1, @2); $$ = new BreakStmt; - brofiler.stmts.push_back($$); + if ( ! $3 ) brofiler.AddStmt($$); } - | TOK_RETURN ';' + | TOK_RETURN ';' opt_no_test { set_location(@1, @2); $$ = new ReturnStmt(0); - brofiler.stmts.push_back($$); + if ( ! $3 ) brofiler.AddStmt($$); } - | TOK_RETURN expr ';' + | TOK_RETURN expr ';' opt_no_test { set_location(@1, @2); $$ = new ReturnStmt($2); - brofiler.stmts.push_back($$); + if ( ! $4 ) brofiler.AddStmt($$); } - | TOK_ADD expr ';' + | TOK_ADD expr ';' opt_no_test { set_location(@1, @3); $$ = new AddStmt($2); - brofiler.stmts.push_back($$); + if ( ! 
$4 ) brofiler.AddStmt($$); } - | TOK_DELETE expr ';' + | TOK_DELETE expr ';' opt_no_test { set_location(@1, @3); $$ = new DelStmt($2); - brofiler.stmts.push_back($$); + if ( ! $4 ) brofiler.AddStmt($$); } - | TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';' + | TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';' opt_no_test { set_location(@1, @7); $$ = add_local($2, $3, $4, $5, $6, VAR_REGULAR); - brofiler.stmts.push_back($$); + if ( ! $8 ) brofiler.AddStmt($$); } - | TOK_CONST local_id opt_type init_class opt_init opt_attr ';' + | TOK_CONST local_id opt_type init_class opt_init opt_attr ';' opt_no_test { set_location(@1, @6); $$ = add_local($2, $3, $4, $5, $6, VAR_CONST); - brofiler.stmts.push_back($$); + if ( ! $8 ) brofiler.AddStmt($$); } | TOK_WHEN '(' expr ')' stmt { set_location(@3, @5); $$ = new WhenStmt($3, $5, 0, 0, false); - brofiler.stmts.push_back($$); } - | TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}' + | TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' opt_no_test_block stmt_list '}' { - set_location(@3, @8); - $$ = new WhenStmt($3, $5, $9, $7, false); - brofiler.stmts.push_back($$); + set_location(@3, @9); + $$ = new WhenStmt($3, $5, $10, $7, false); + if ( $9 ) brofiler.DecIgnoreDepth(); } @@ -1437,21 +1437,20 @@ stmt: { set_location(@4, @6); $$ = new WhenStmt($4, $6, 0, 0, true); - brofiler.stmts.push_back($$); } - | TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}' + | TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' opt_no_test_block stmt_list '}' { - set_location(@4, @9); - $$ = new WhenStmt($4, $6, $10, $8, true); - brofiler.stmts.push_back($$); + set_location(@4, @10); + $$ = new WhenStmt($4, $6, $11, $8, true); + if ( $10 ) brofiler.DecIgnoreDepth(); } - | expr ';' + | expr ';' opt_no_test { set_location(@1, @2); $$ = new ExprStmt($1); - brofiler.stmts.push_back($$); + if ( ! $3 ) brofiler.AddStmt($$); } | ';' 
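Review bot: The four `TOK_WHEN` productions (two in this hunk, two in the following `@@ -1437` hunk) drop `brofiler.stmts.push_back($$)` entirely instead of replacing it with the new `brofiler.AddStmt($$);`, so `when` statements vanish from coverage altogether while every other statement kind keeps its entry; the commit message only describes the new tag. If that is deliberate (a `WhenStmt` being represented by the statements inside it), a comment on the first of them saying so would stop a later reader from re-adding the call; otherwise the `AddStmt` line is missing. The `if`, `switch` and `for` productions only lose already-commented-out lines, so they are unaffected. The `stmt` rule starts before this hunk and continues into the next one.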
@@ -1649,6 +1648,18 @@ opt_doc_list: { $$ = 0; } ; +opt_no_test: + TOK_NO_TEST + { $$ = true; } + | + { $$ = false; } + +opt_no_test_block: + TOK_NO_TEST + { $$ = true; brofiler.IncIgnoreDepth(); } + | + { $$ = false; } + %% int yyerror(const char msg[]) diff --git a/src/scan.l b/src/scan.l index 623e0d2ed6..4914783c44 100644 --- a/src/scan.l +++ b/src/scan.l @@ -216,6 +216,8 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) } } +#{OWS}@no-test.* return TOK_NO_TEST; + #.* /* eat comments */ {WS} /* eat whitespace */ diff --git a/testing/btest/Baseline/coverage.coverage-blacklist/output b/testing/btest/Baseline/coverage.coverage-blacklist/output new file mode 100644 index 0000000000..6d3d243220 --- /dev/null +++ b/testing/btest/Baseline/coverage.coverage-blacklist/output @@ -0,0 +1,5 @@ +1 /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 13 print cover me; +1 /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 17 print always executed; +0 /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 26 print also impossible, but included in code coverage analysis; +1 /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 29 print success; +1 /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 5 print first; diff --git a/testing/btest/coverage/coverage-blacklist.bro b/testing/btest/coverage/coverage-blacklist.bro new file mode 100644 index 0000000000..04983a921f --- /dev/null +++ b/testing/btest/coverage/coverage-blacklist.bro 
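Review bot: The new `opt_no_test` and `opt_no_test_block` rules lack the terminating `;` that every neighbouring rule (for example `opt_doc_list` just above) carries; bison accepts the omission, but the file's own style and newer bison warnings argue for a `;` after each `{ $$ = false; }`. `opt_no_test_block` calls `brofiler.IncIgnoreDepth()` as a side effect of its reduction, and the matching `DecIgnoreDepth()` lives in the `stmt` actions some 300 lines earlier; a comment on the rule naming that pairing, e.g. `/* the enclosing stmt action calls DecIgnoreDepth() when $$ is true */`, would keep the two halves from drifting apart.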
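Review bot: `#{OWS}@no-test.*` turns every `# @no-test` comment into a `TOK_NO_TEST` token, but the grammar only accepts that token directly after a statement's `;` or after an opening `{`, so the same comment on a line of its own, after a global declaration, or inside a function signature becomes a syntax error where the `#.*` rule used to eat it. Because the scanner does not tie the token to a line, a `# @no-test` comment on the line after a statement also attaches to that preceding statement rather than the one it precedes. A comment next to the rule stating the placement contract, e.g. `/* @no-test must follow the ';' or '{' it annotates; anywhere else it is a syntax error */`, would make the behaviour predictable for script authors.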
@@ -0,0 +1,29 @@ +# @TEST-EXEC: BROFILER_FILE=coverage bro -b %INPUT +# @TEST-EXEC: grep %INPUT coverage | sort -k2 >output +# @TEST-EXEC: btest-diff output + +print "first"; + +if ( F ) + { # @no-test + print "hello"; + print "world"; + } + +print "cover me"; + +if ( T ) + { + print "always executed"; + } + +print "don't cover me"; # @no-test + +if ( 0 + 0 == 1 ) print "impossible"; # @no-test + +if ( 1 == 0 ) + { + print "also impossible, but included in code coverage analysis"; + } + +print "success"; From ec6560a6ed9235deb6d3976c544688abd494bab9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Jan 2012 16:06:44 -0600 Subject: [PATCH 19/35] Make communication log baseline test more reliable. --- .../send.log | 26 ++++++++++--------- .../communication_log_baseline.bro | 5 ++-- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log index e5dfb59592..d3c14c8603 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log +++ b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log 
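Review bot: The baseline checked in alongside this test records each statement's location as `/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/...`, an absolute path from the author's machine, and the second `@TEST-EXEC` line writes the `grep` output to `output` without stripping that directory. Unless `TEST_DIFF_CANONIFIER` rewrites the prefix, `btest-diff` will fail for anyone whose checkout lives elsewhere; dropping the directory part before the diff, for example `grep %INPUT coverage | sed 's#/[^ ]*/##' | sort -k2 >output`, would make the baseline portable. A comment on the test explaining that `sort -k2` orders by the path-and-line field would also help, since the resulting "line 13 … line 5" order looks wrong at first glance.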
@@ -5,15 +5,17 @@ #path communication #fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message #types time string string string addr port string string -1324314302.411344 bro parent - - - info [#1/127.0.0.1:47757] added peer -1324314302.414978 bro child - - - info [#1/127.0.0.1:47757] connected -1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] peer connected -1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] phase: version -1324314302.417446 bro script - - - info connection established -1324314302.417446 bro script - - - info requesting events matching /^?(NOTHING)$?/ -1324314302.417446 bro script - - - info accepting state -1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake -1324314302.418003 bro parent - - - info warning: no events to request -1324314302.418003 bro parent - - - info terminating... -1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro -1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] closing connection +1326492291.485390 bro parent - - - info [#1/127.0.0.1:47757] added peer +1326492291.491731 bro child - - - info [#1/127.0.0.1:47757] connected +1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] peer connected +1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] phase: version +1326492291.492740 bro script - - - info connection established +1326492291.492740 bro script - - - info requesting events matching /^?(NOTHING)$?/ +1326492291.492740 bro script - - - info accepting state +1326492291.493800 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake +1326492291.493800 bro parent - - - info warning: no events to request +1326492291.494161 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro +1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that +1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] phase: running 
+1326492291.494404 bro parent - - - info terminating... +1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] closing connection diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro index 3a4c1253eb..dc3b43ad67 100644 --- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro +++ b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro @@ -15,7 +15,7 @@ redef Communication::nodes += { ["foo"] = [$host = 127.0.0.1, $events = /NOTHING/, $connect=T] }; -event remote_connection_established(p: event_peer) +event remote_connection_handshake_done(p: event_peer) { terminate_communication(); terminate(); @@ -29,8 +29,9 @@ event remote_connection_established(p: event_peer) @load frameworks/communication/listen -event remote_connection_closed(p: event_peer) +event remote_connection_handshake_done(p: event_peer) { + terminate_communication(); terminate(); } From 0287f7adc2b6c43f3cd3e199d44a47b72bfe7a6e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 18 Jan 2012 11:45:53 -0600 Subject: [PATCH 20/35] Fix superfluous/duplicate data getting in to testing coverage log. --- testing/Makefile | 2 +- testing/btest/Makefile | 2 +- testing/scripts/coverage-calc | 17 +++++++++++------ 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/testing/Makefile b/testing/Makefile index 4b4e87d82f..9a9a02fe47 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -6,7 +6,7 @@ all: @cp btest/coverage.log `mktemp brocov.tmp.XXX` @for f in external/*/coverage.log; do cp $$f `mktemp brocov.tmp.XXX`; done @echo "Complete test suite code coverage:" - @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd` + @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts @rm -f brocov.tmp.* brief: 
diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 2ebd66edd2..e764dd2b15 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -7,7 +7,7 @@ all: @rm -f $(DIAG) @rm -f .tmp/script-coverage* @$(BTEST) -f $(DIAG) - @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd` + @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts brief: # Brief output showing only failed tests. diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc index a146667595..53e818fc32 100755 --- a/testing/scripts/coverage-calc +++ b/testing/scripts/coverage-calc @@ -3,10 +3,12 @@ # This script aggregates many files containing Bro script coverage information # into a single file and reports the overall coverage information. Usage: # -# coverage-calc +# coverage-calc