diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
index a213d2b238..776a7204de 100644
--- a/doc/scripts/CMakeLists.txt
+++ b/doc/scripts/CMakeLists.txt
@@ -129,29 +129,117 @@ endmacro(REST_TARGET)
 # Schedule Bro scripts for which to generate documentation.
 # Note: the script may be located in a subdirectory off of one of the main
 # directories in BROPATH. In that case, just list the script as 'foo/bar.bro'
-rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
-rest_target(${POLICY_SRC_DIR} conn.bro user)
-rest_target(${POLICY_SRC_DIR} site.bro user)
-rest_target(${POLICY_SRC_DIR} dns.bro policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/auth-addl.bro policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/base.bro policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/consts.bro policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/detect.bro policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/passive-replication.bro policy/dns-index)
+rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
+
+rest_target(${POLICY_SRC_DIR} conn.bro user)
+
+rest_target(${POLICY_SRC_DIR} dns.bro policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/auth-addl.bro policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/base.bro policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/consts.bro policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/detect.bro policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/passive-replication.bro policy/dns-index)
+
+# TODO: these don't currently work due to something that looks like a
+# circular dependency. They'll also change to the 'default' group once
+# loaded from bro.init.
+#rest_target(${POLICY_SRC_DIR} dpd.bro policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/base.bro policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/dyn-disable.bro policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/packet-segment-logging.bro policy/dpd-index)
+
+rest_target(${POLICY_SRC_DIR} ftp.bro policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/base.bro policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/detect.bro policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/file-extract.bro policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/software.bro policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/utils-commands.bro policy/ftp-index)
+
+rest_target(${POLICY_SRC_DIR} functions.bro user)
+
+# TODO: hot.conn.bro currently won't load because hot.bro doesn't exist
+#rest_target(${POLICY_SRC_DIR} hot.conn.bro user)
+
+# TODO: http.bro doesn't load because http/detect-webapps.bro doesn't load
+#rest_target(${POLICY_SRC_DIR} http.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/base-extended.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/base.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/detect-intel.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/detect-sqli.bro policy/http-index)
+# TODO: http/detect-webapps.bro doesn't load in doc mode, not sure why yet
+#rest_target(${POLICY_SRC_DIR} http/detect-webapps.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-extract.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-hash.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-ident.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/headers.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/software.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/utils.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/var-extraction-cookies.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/var-extraction-uri.bro policy/http-index)
+
+rest_target(${POLICY_SRC_DIR} irc.bro policy/irc-index)
+rest_target(${POLICY_SRC_DIR} irc/base.bro policy/irc-index)
+rest_target(${POLICY_SRC_DIR} irc/dcc-send.bro policy/irc-index)
+
+rest_target(${POLICY_SRC_DIR} known-services.bro user)
+rest_target(${POLICY_SRC_DIR} known-hosts.bro user)
+
+# TODO: metrics.bro doesn't load because of http/detect-webapps.bro
+#rest_target(${POLICY_SRC_DIR} metrics.bro policy/metrics-index)
+rest_target(${POLICY_SRC_DIR} metrics/base.bro policy/metrics-index)
+rest_target(${POLICY_SRC_DIR} metrics/conn-example.bro policy/metrics-index)
+# TODO: metrics/http-example.bro doesn't load because of http/detect-webapps.bro
+#rest_target(${POLICY_SRC_DIR} metrics/http-example.bro policy/metrics-index)
+
+rest_target(${POLICY_SRC_DIR} mime.bro policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/base.bro policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-extract.bro policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-hash.bro policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-ident.bro policy/mime-index)
+
+rest_target(${POLICY_SRC_DIR} notice-action-filters.bro user)
+rest_target(${POLICY_SRC_DIR} notice.bro user)
+rest_target(${POLICY_SRC_DIR} site.bro user)
+
+rest_target(${POLICY_SRC_DIR} signatures.bro policy/sig-index)
+rest_target(${POLICY_SRC_DIR} signatures/base.bro policy/sig-index)
+
+rest_target(${POLICY_SRC_DIR} smtp.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/base-extended.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/base.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/detect.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/software.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/utils.bro policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/webmail-ident.bro policy/smtp-index)
+
+rest_target(${POLICY_SRC_DIR} software.bro policy/software-index)
+rest_target(${POLICY_SRC_DIR} software/base.bro policy/software-index)
+rest_target(${POLICY_SRC_DIR} software/vulnerable.bro policy/software-index) + +rest_target(${POLICY_SRC_DIR} ssh.bro policy/ssh-index) +rest_target(${POLICY_SRC_DIR} ssh/base.bro policy/ssh-index) +rest_target(${POLICY_SRC_DIR} ssh/software.bro policy/ssh-index) + +rest_target(${POLICY_SRC_DIR} ssl-ciphers.bro policy/ssl-index) +rest_target(${POLICY_SRC_DIR} ssl-errors.bro policy/ssl-index) +rest_target(${POLICY_SRC_DIR} ssl.bro policy/ssl-index) + +rest_target(${POLICY_SRC_DIR} utils/pattern.bro user) +rest_target(${POLICY_SRC_DIR} weird.bro user) # Finding out what scripts bro will generate documentation for by default # can be done like: `bro --doc-scripts --exec ""` -rest_target(${POLICY_SRC_DIR} bro.init default) -rest_target(${POLICY_SRC_DIR} logging-ascii.bro default) -rest_target(${POLICY_SRC_DIR} logging.bro default) -rest_target(${POLICY_SRC_DIR} pcap.bro default) -rest_target(${POLICY_SRC_DIR} server-ports.bro default) -rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro bifs) -rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro bifs) -rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro bifs) -rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro bifs) -rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro bifs) -rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro bifs) +rest_target(${POLICY_SRC_DIR} bro.init default) +rest_target(${POLICY_SRC_DIR} logging-ascii.bro default) +rest_target(${POLICY_SRC_DIR} logging.bro default) +rest_target(${POLICY_SRC_DIR} pcap.bro default) +rest_target(${POLICY_SRC_DIR} server-ports.bro default) +rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro bifs) +rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro bifs) +rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro bifs) +rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro bifs) +rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro bifs) +rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro bifs) # create temporary list of all docs to include in the master policy/index file file(WRITE 
${CMAKE_CURRENT_BINARY_DIR}/tmp_policy_index diff --git a/doc/scripts/source/index.rst b/doc/scripts/source/index.rst index 166f4a2c40..91864f1881 100644 --- a/doc/scripts/source/index.rst +++ b/doc/scripts/source/index.rst @@ -15,6 +15,16 @@ Contents: bifs user policy/dns-index + policy/ftp-index + policy/http-index + policy/irc-index + policy/metrics-index + policy/mime-index + policy/sig-index + policy/smtp-index + policy/software-index + policy/ssh-index + policy/ssl-index internal policy/index diff --git a/doc/scripts/source/policy/ftp-index.rst b/doc/scripts/source/policy/ftp-index.rst new file mode 100644 index 0000000000..01aafb28f0 --- /dev/null +++ b/doc/scripts/source/policy/ftp-index.rst @@ -0,0 +1,5 @@ +.. This is a stub doc to which the build process can append. + +FTP Policy Scripts +================== + diff --git a/doc/scripts/source/policy/http-index.rst b/doc/scripts/source/policy/http-index.rst new file mode 100644 index 0000000000..67216d6f1f --- /dev/null +++ b/doc/scripts/source/policy/http-index.rst @@ -0,0 +1,5 @@ +.. This is a stub doc to which the build process can append. + +HTTP Policy Scripts +=================== + diff --git a/doc/scripts/source/policy/irc-index.rst b/doc/scripts/source/policy/irc-index.rst new file mode 100644 index 0000000000..5b34d3795f --- /dev/null +++ b/doc/scripts/source/policy/irc-index.rst @@ -0,0 +1,5 @@ +.. This is a stub doc to which the build process can append. + +IRC Policy Scripts +================== + diff --git a/doc/scripts/source/policy/metrics-index.rst b/doc/scripts/source/policy/metrics-index.rst new file mode 100644 index 0000000000..3cef07d231 --- /dev/null +++ b/doc/scripts/source/policy/metrics-index.rst @@ -0,0 +1,5 @@ +.. This is a stub doc to which the build process can append. + +Metrics Policy Scripts +====================== + diff --git a/doc/scripts/source/policy/mime-index.rst b/doc/scripts/source/policy/mime-index.rst new file mode 100644 index 0000000000..87d73dd392 --- /dev/null 
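Review bot: The `#rest_target(...)` lines parked behind TODO comments let the documentation build succeed silently with those pages missing, and the reason given for the http.bro, http/detect-webapps.bro and metrics targets ("http/detect-webapps.bro doesn't load in doc mode") is touched by this same commit, which adds `@load http/utils` to detect-webapps.bro — so those TODOs may already be stale and worth re-testing before merge. To keep the gap visible at configure time rather than only in a comment, print the skipped set, e.g. `message(STATUS "Skipping script docs (see TODOs above): dpd/*, hot.conn, http, http/detect-webapps, metrics, metrics/http-example")`. For hot.conn.bro, which is disabled because hot.bro does not exist, dropping the line is cleaner than carrying a target that cannot be re-enabled as written.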
+++ b/doc/scripts/source/policy/mime-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+MIME Policy Scripts
+===================
+
diff --git a/doc/scripts/source/policy/sig-index.rst b/doc/scripts/source/policy/sig-index.rst
new file mode 100644
index 0000000000..2ba63ea28c
--- /dev/null
+++ b/doc/scripts/source/policy/sig-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+Signature Policy Scripts
+========================
+
diff --git a/doc/scripts/source/policy/smtp-index.rst b/doc/scripts/source/policy/smtp-index.rst
new file mode 100644
index 0000000000..ba0b29996c
--- /dev/null
+++ b/doc/scripts/source/policy/smtp-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SMTP Policy Scripts
+===================
+
diff --git a/doc/scripts/source/policy/software-index.rst b/doc/scripts/source/policy/software-index.rst
new file mode 100644
index 0000000000..01683de20b
--- /dev/null
+++ b/doc/scripts/source/policy/software-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+Software Policy Scripts
+=======================
+
diff --git a/doc/scripts/source/policy/ssh-index.rst b/doc/scripts/source/policy/ssh-index.rst
new file mode 100644
index 0000000000..31c3455f3d
--- /dev/null
+++ b/doc/scripts/source/policy/ssh-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SSH Policy Scripts
+==================
+
diff --git a/doc/scripts/source/policy/ssl-index.rst b/doc/scripts/source/policy/ssl-index.rst
new file mode 100644
index 0000000000..348b91584c
--- /dev/null
+++ b/doc/scripts/source/policy/ssl-index.rst
@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SSL Policy Scripts
+==================
+
diff --git a/policy/ftp/base.bro b/policy/ftp/base.bro
index 3b4a81ea99..7a716bdcd2 100644
--- a/policy/ftp/base.bro
+++ b/policy/ftp/base.bro
@@ -4,7 +4,8 @@ ##! file name. ##! ##! TODO: -##! * Handle encrypted sessions correctly (get an example?) +##! +##! * Handle encrypted sessions correctly (get an example?) @load functions @load ftp/utils-commands diff --git a/policy/ftp/software.bro b/policy/ftp/software.bro index 467e5acfcf..dd88be07f7 100644 --- a/policy/ftp/software.bro +++ b/policy/ftp/software.bro @@ -1,8 +1,10 @@ ##! Software detection with the FTP protocol. -##! TODO:: -##! * Detect server software with initial 220 message -##! * Detect client software with password given for anonymous users -##! (e.g. cyberduck@example.net) +##! +##! TODO: +##! +##! * Detect server software with initial 220 message +##! * Detect client software with password given for anonymous users +##! (e.g. cyberduck@example.net) @load ftp/base @load software @@ -21,4 +23,4 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4 local si = Software::parse(arg, c$id$orig_h, FTP_CLIENT); Software::found(c$id, si); } - } \ No newline at end of file + } diff --git a/policy/http.bro b/policy/http.bro index 176dc0db33..a4226640d9 100644 --- a/policy/http.bro +++ b/policy/http.bro @@ -1,7 +1,5 @@ ##! This script is the wrapper script for HTTP analysis. - -## Author: Seth Hall - Inspired by the work of many others. - +##! :Author: Seth Hall - Inspired by the work of many others. @load http/utils @load http/base @@ -12,4 +10,4 @@ @load http/software @load http/headers -@load http/detect-webapps \ No newline at end of file +@load http/detect-webapps diff --git a/policy/http/detect-intel.bro b/policy/http/detect-intel.bro index 2a1cf053c4..d1cd99ea7b 100644 --- a/policy/http/detect-intel.bro +++ b/policy/http/detect-intel.bro @@ -1,3 +1,3 @@ -## Intelligence based HTTP detections. +##! Intelligence based HTTP detections. -module HTTP; \ No newline at end of file +module HTTP; diff --git a/policy/http/detect-webapps.bro b/policy/http/detect-webapps.bro index 27a6deea99..1e9249cfdc 100644 
--- a/policy/http/detect-webapps.bro +++ b/policy/http/detect-webapps.bro @@ -1,4 +1,6 @@ +@load http/utils + @load software @load signatures @@ -47,4 +49,4 @@ event signature_match(state: signature_state, msg: string, data: string) &priori } Software::found(c$id, si); - } \ No newline at end of file + } diff --git a/policy/http/headers.bro b/policy/http/headers.bro index da32ccbd9c..bd3a5cfe4b 100644 --- a/policy/http/headers.bro +++ b/policy/http/headers.bro @@ -8,7 +8,7 @@ redef record Info += { ## The vector of HTTP headers. No header values are included here, just ## the header names. ## TODO: with an empty vector as &default, the vector isn't coerced to the - ## correct type. + ## correct type. headers: vector of string &log &optional; }; @@ -20,4 +20,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( ! c$http?$headers ) c$http$headers = vector(); c$http$headers[|c$http$headers|] = name; - } \ No newline at end of file + } diff --git a/policy/http/var-extraction-cookies.bro b/policy/http/var-extraction-cookies.bro index 6d56ad8d6d..19adda8679 100644 --- a/policy/http/var-extraction-cookies.bro +++ b/policy/http/var-extraction-cookies.bro @@ -1,6 +1,7 @@ -## This script extracts and logs variables from cookies sent by clients +##! This script extracts and logs variables from cookies sent by clients -@load http +@load http/base +@load http/utils module HTTP; @@ -12,4 +13,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( is_orig && name == "COOKIE" ) c$http$cookie_vars = extract_keys(value, /;[[:blank:]]*/); - } \ No newline at end of file + } diff --git a/policy/http/var-extraction-uri.bro b/policy/http/var-extraction-uri.bro index c85e73de87..f0a9a9c160 100644 --- a/policy/http/var-extraction-uri.bro +++ b/policy/http/var-extraction-uri.bro 
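Review bot: The replacement of `@load http` with `@load http/base` and `@load http/utils` in var-extraction-cookies.bro has no why-comment, and a later reader who sees the two narrower loads is likely to "simplify" them back to the wrapper. The http.bro hunk in this commit shows that wrapper loading the whole http/ component set (including detect-webapps, which doc/scripts/CMakeLists.txt still marks as not loading), so pulling it in from a component script re-creates exactly that coupling; whether http.bro also loads this script, which would make it a cycle, is not visible here. A line above the loads such as `# Load only the http/ pieces this script uses (base for c$http, utils for extract_keys); never load the http wrapper from a component script.` records the intent. The `http_header` handler that uses `extract_keys` and `c$http$cookie_vars` is in this file's second hunk.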
@@ -1,4 +1,4 @@ -## This script extracts and logs variables from the requested URI +##! This script extracts and logs variables from the requested URI @load http/utils @@ -12,4 +12,4 @@ event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=2 { c$http$uri_vars = extract_keys(original_URI, /&/); - } \ No newline at end of file + } diff --git a/policy/irc/dcc-send.bro b/policy/irc/dcc-send.bro index af162e77c2..649fddb1a1 100644 --- a/policy/irc/dcc-send.bro +++ b/policy/irc/dcc-send.bro @@ -5,9 +5,10 @@ ##! but that connection will actually be between B and C which could be ##! analyzed on a different worker. ##! +##! Example line from IRC server indicating that the DCC SEND is about to start: +##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A -## Example line from IRC server indicating that the DCC SEND is about to start: -## PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A +@load irc/base module IRC; diff --git a/policy/notice.bro b/policy/notice.bro index 29454d9ee2..750065153e 100644 --- a/policy/notice.bro +++ b/policy/notice.bro 
@@ -25,13 +25,14 @@ export { uid: string &log &optional; id: conn_id &log &optional; ##< connection-ID, if we don't have a connection handy ## This is the relevant host for this notice. It could be set because - ## either:: - ## 1. There is no connection associated with this notice. - ## 2. There is some underlying semantic of the notice where either - ## orig_h or resp_h is the relevant host in the associated - ## connection. For example, if a host is detected scanning, the - ## particular connection taking place when the notice is generated - ## is irrelevant and only the host detected scanning is relevant. + ## either: + ## + ## 1. There is no connection associated with this notice. + ## 2. There is some underlying semantic of the notice where either + ## orig_h or resp_h is the relevant host in the associated + ## connection. For example, if a host is detected scanning, the + ## particular connection taking place when the notice is generated + ## is irrelevant and only the host detected scanning is relevant. relevant_host: addr &log &optional; note: Type &log; diff --git a/policy/smtp/utils.bro b/policy/smtp/utils.bro index 1e51d940cd..aaf395b0b4 100644 --- a/policy/smtp/utils.bro +++ b/policy/smtp/utils.bro @@ -1,4 +1,6 @@ +@load functions + module SMTP; function find_address_in_smtp_header(header: string): string diff --git a/policy/smtp/webmail-ident.bro b/policy/smtp/webmail-ident.bro index d448d6f270..b8b0db98ec 100644 --- a/policy/smtp/webmail-ident.bro +++ b/policy/smtp/webmail-ident.bro 
@@ -2,11 +2,14 @@ ##! with the USER-AGENT (or other) header unless not possible and will resort ##! to heuristics if necessary. ##! -##! TODO:: -##! * Find some heuristic to determine if email was sent through -##! a MS Exhange webmail interface as opposed to a desktop client. +##! TODO: +##! +##! * Find some heuristic to determine if email was sent through +##! a MS Exhange webmail interface as opposed to a desktop client. ##! +@load smtp/base + module SMTP; redef record Info += { diff --git a/policy/software.bro b/policy/software.bro index 3a79178558..678597793b 100644 --- a/policy/software.bro +++ b/policy/software.bro @@ -1,2 +1,2 @@ @load software/base -@load software/vulnerable \ No newline at end of file +@load software/vulnerable diff --git a/policy/software/base.bro b/policy/software/base.bro index 9e49a0d332..dcc0d90186 100644 --- a/policy/software/base.bro +++ b/policy/software/base.bro @@ -1,8 +1,8 @@ -## This script provides the framework for software version detection and -## parsing, but doesn't actually do any detection on it's own. It relys on -## other protocol specific scripts to parse out software from the protocol(s) -## that they analyze. The entry point for providing new software detections -## to this framework is through the Software::found function. +##! This script provides the framework for software version detection and +##! parsing, but doesn't actually do any detection on it's own. It relys on +##! other protocol specific scripts to parse out software from the protocol(s) +##! that they analyze. The entry point for providing new software detections +##! to this framework is through the Software::found function. @load functions @load notice 
@@ -67,9 +67,9 @@ export { } &redef; ## Other scripts should call this function when they detect software. - ## @param unparsed_version: This is the full string from which the + ## unparsed_version: This is the full string from which the ## Software::Info was extracted. - ## @return: T if the software was logged, F otherwise. + ## Returns: T if the software was logged, F otherwise. global found: function(id: conn_id, info: Software::Info): bool; ## This function can take many software version strings and parse them into @@ -80,7 +80,7 @@ export { software_type: Type): Info; ## Compare two versions. - ## @return: Returns -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2. + ## Returns: -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2. ## If the numerical version numbers match, the addl string ## is compared lexicographically. global cmp_versions: function(v1: Version, v2: Version): int;
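Review bot: The doc comment on `found` still describes a parameter named `unparsed_version`, but the declaration directly under it is `global found: function(id: conn_id, info: Software::Info): bool;` — there is no such parameter, and neither `id` nor `info` is documented, so the reformatted comment carries over the same mismatch the old `@param` line had. Replace the two `unparsed_version` lines with `## id: The conn_id of the connection on which the software was seen.` and `## info: The Software::Info record to log (as produced by Software::parse).`, keeping the `Returns:` line that follows. The `cmp_versions` hunk below already uses the same `Returns:` convention, so only the parameter names need fixing here.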