Add all new policy scripts to doc generation target.

Minor script tweaks along the way to get rid of reST format warnings
or @load dependency issues.

doc/scripts/CMakeLists.txt

@@ -129,29 +129,117 @@ endmacro(REST_TARGET)
 # Schedule Bro scripts for which to generate documentation.
 # Note: the script may be located in a subdirectory off of one of the main
 # directories in BROPATH.  In that case, just list the script as 'foo/bar.bro'
-rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro            internal)
+rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro           internal)
-rest_target(${POLICY_SRC_DIR} conn.bro                         user)
+
-rest_target(${POLICY_SRC_DIR} site.bro                         user)
+rest_target(${POLICY_SRC_DIR} conn.bro                        user)
-rest_target(${POLICY_SRC_DIR} dns.bro                          policy/dns-index)
+
-rest_target(${POLICY_SRC_DIR} dns/auth-addl.bro                policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns.bro                         policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/base.bro                     policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/auth-addl.bro               policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/consts.bro                   policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/base.bro                    policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/detect.bro                   policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/consts.bro                  policy/dns-index)
-rest_target(${POLICY_SRC_DIR} dns/passive-replication.bro      policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/detect.bro                  policy/dns-index)
+rest_target(${POLICY_SRC_DIR} dns/passive-replication.bro     policy/dns-index)
+
+# TODO: these don't currently work due to something that looks like a
+# circular dependency.  They'll also change to the 'default' group once
+# loaded from bro.init.
+#rest_target(${POLICY_SRC_DIR} dpd.bro                         policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/base.bro                    policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/dyn-disable.bro             policy/dpd-index)
+#rest_target(${POLICY_SRC_DIR} dpd/packet-segment-logging.bro  policy/dpd-index)
+
+rest_target(${POLICY_SRC_DIR} ftp.bro                         policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/base.bro                    policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/detect.bro                  policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/file-extract.bro            policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/software.bro                policy/ftp-index)
+rest_target(${POLICY_SRC_DIR} ftp/utils-commands.bro          policy/ftp-index)
+
+rest_target(${POLICY_SRC_DIR} functions.bro                   user)
+
+# TODO: hot.conn.bro currently won't load because hot.bro doesn't exist
+#rest_target(${POLICY_SRC_DIR} hot.conn.bro                    user)
+
+# TODO: http.bro doesn't load because http/detect-webapps.bro doesn't load
+#rest_target(${POLICY_SRC_DIR} http.bro                        policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/base-extended.bro          policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/base.bro                   policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/detect-intel.bro           policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/detect-sqli.bro            policy/http-index)
+# TODO: http/detect-webapps.bro doesn't load in doc mode, not sure why yet
+#rest_target(${POLICY_SRC_DIR} http/detect-webapps.bro         policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-extract.bro           policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-hash.bro              policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/file-ident.bro             policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/headers.bro                policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/software.bro               policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/utils.bro                  policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/var-extraction-cookies.bro policy/http-index)
+rest_target(${POLICY_SRC_DIR} http/var-extraction-uri.bro     policy/http-index)
+
+rest_target(${POLICY_SRC_DIR} irc.bro                         policy/irc-index)
+rest_target(${POLICY_SRC_DIR} irc/base.bro                    policy/irc-index)
+rest_target(${POLICY_SRC_DIR} irc/dcc-send.bro                policy/irc-index)
+
+rest_target(${POLICY_SRC_DIR} known-services.bro              user)
+rest_target(${POLICY_SRC_DIR} known-hosts.bro                 user)
+
+# TODO: metrics.bro doesn't load because of http/detect-webapps.bro
+#rest_target(${POLICY_SRC_DIR} metrics.bro                  policy/metrics-index)
+rest_target(${POLICY_SRC_DIR} metrics/base.bro             policy/metrics-index)
+rest_target(${POLICY_SRC_DIR} metrics/conn-example.bro     policy/metrics-index)
+# TODO: metrics/http-example.bro doesn't load because of http/detect-webapps.bro
+#rest_target(${POLICY_SRC_DIR} metrics/http-example.bro     policy/metrics-index)
+
+rest_target(${POLICY_SRC_DIR} mime.bro                        policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/base.bro                   policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-extract.bro           policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-hash.bro              policy/mime-index)
+rest_target(${POLICY_SRC_DIR} mime/file-ident.bro             policy/mime-index)
+
+rest_target(${POLICY_SRC_DIR} notice-action-filters.bro       user)
+rest_target(${POLICY_SRC_DIR} notice.bro                      user)
+rest_target(${POLICY_SRC_DIR} site.bro                        user)
+
+rest_target(${POLICY_SRC_DIR} signatures.bro                  policy/sig-index)
+rest_target(${POLICY_SRC_DIR} signatures/base.bro             policy/sig-index)
+
+rest_target(${POLICY_SRC_DIR} smtp.bro                        policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/base-extended.bro          policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/base.bro                   policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/detect.bro                 policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/software.bro               policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/utils.bro                  policy/smtp-index)
+rest_target(${POLICY_SRC_DIR} smtp/webmail-ident.bro          policy/smtp-index)
+
+rest_target(${POLICY_SRC_DIR} software.bro                policy/software-index)
+rest_target(${POLICY_SRC_DIR} software/base.bro           policy/software-index)
+rest_target(${POLICY_SRC_DIR} software/vulnerable.bro     policy/software-index)
+
+rest_target(${POLICY_SRC_DIR} ssh.bro                         policy/ssh-index)
+rest_target(${POLICY_SRC_DIR} ssh/base.bro                    policy/ssh-index)
+rest_target(${POLICY_SRC_DIR} ssh/software.bro                policy/ssh-index)
+
+rest_target(${POLICY_SRC_DIR} ssl-ciphers.bro                 policy/ssl-index)
+rest_target(${POLICY_SRC_DIR} ssl-errors.bro                  policy/ssl-index)
+rest_target(${POLICY_SRC_DIR} ssl.bro                         policy/ssl-index)
+
+rest_target(${POLICY_SRC_DIR} utils/pattern.bro               user)
+rest_target(${POLICY_SRC_DIR} weird.bro                       user)
 
 # Finding out what scripts bro will generate documentation for by default
 # can be done like: `bro --doc-scripts --exec ""`
-rest_target(${POLICY_SRC_DIR} bro.init                          default)
+rest_target(${POLICY_SRC_DIR} bro.init                         default)
-rest_target(${POLICY_SRC_DIR} logging-ascii.bro                 default)
+rest_target(${POLICY_SRC_DIR} logging-ascii.bro                default)
-rest_target(${POLICY_SRC_DIR} logging.bro                       default)
+rest_target(${POLICY_SRC_DIR} logging.bro                      default)
-rest_target(${POLICY_SRC_DIR} pcap.bro                          default)
+rest_target(${POLICY_SRC_DIR} pcap.bro                         default)
-rest_target(${POLICY_SRC_DIR} server-ports.bro                  default)
+rest_target(${POLICY_SRC_DIR} server-ports.bro                 default)
-rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro                 bifs)
+rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro                bifs)
-rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro               bifs)
+rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro              bifs)
-rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro               bifs)
+rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro              bifs)
-rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro             bifs)
+rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro            bifs)
-rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro             bifs)
+rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro            bifs)
-rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro               bifs)
+rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro              bifs)
 
 # create temporary list of all docs to include in the master policy/index file
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/tmp_policy_index

doc/scripts/source/index.rst

@@ -15,6 +15,16 @@ Contents:
    bifs
    user
    policy/dns-index
+   policy/ftp-index
+   policy/http-index
+   policy/irc-index
+   policy/metrics-index
+   policy/mime-index
+   policy/sig-index
+   policy/smtp-index
+   policy/software-index
+   policy/ssh-index
+   policy/ssl-index
    internal
    policy/index
 

doc/scripts/source/policy/ftp-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+FTP Policy Scripts
+==================
+

doc/scripts/source/policy/http-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+HTTP Policy Scripts
+===================
+

doc/scripts/source/policy/irc-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+IRC Policy Scripts
+==================
+

doc/scripts/source/policy/metrics-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+Metrics Policy Scripts
+======================
+

doc/scripts/source/policy/mime-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+MIME Policy Scripts
+===================
+

doc/scripts/source/policy/sig-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+Signature Policy Scripts
+========================
+

doc/scripts/source/policy/smtp-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SMTP Policy Scripts
+===================
+

doc/scripts/source/policy/software-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+Software Policy Scripts
+=======================
+

doc/scripts/source/policy/ssh-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SSH Policy Scripts
+==================
+

doc/scripts/source/policy/ssl-index.rst

@@ -0,0 +1,5 @@
+.. This is a stub doc to which the build process can append.
+
+SSL Policy Scripts
+==================
+

policy/ftp/base.bro

@@ -4,7 +4,8 @@
 ##! file name.  
 ##! 
 ##! TODO:
-##!  * Handle encrypted sessions correctly (get an example?)
+##!
+##! * Handle encrypted sessions correctly (get an example?)
 
 @load functions
 @load ftp/utils-commands

policy/ftp/software.bro

@@ -1,8 +1,10 @@
 ##! Software detection with the FTP protocol.
-##! TODO::
+##!
-##!  * Detect server software with initial 220 message
+##! TODO:
-##!  * Detect client software with password given for anonymous users 
+##!
-##!    (e.g. cyberduck@example.net)
+##! * Detect server software with initial 220 message
+##! * Detect client software with password given for anonymous users
+##!   (e.g. cyberduck@example.net)
 
 @load ftp/base
 @load software
@@ -21,4 +23,4 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
 		local si = Software::parse(arg, c$id$orig_h, FTP_CLIENT);
 		Software::found(c$id, si);
 		}
-	}
+	}

policy/http.bro

@@ -1,7 +1,5 @@
 ##! This script is the wrapper script for HTTP analysis.
-
+##! :Author: Seth Hall <seth@icir.org> - Inspired by the work of many others.
-## Author: Seth Hall <seth@icir.org> - Inspired by the work of many others.
-
 
 @load http/utils
 @load http/base
@@ -12,4 +10,4 @@
 @load http/software
 @load http/headers
 
-@load http/detect-webapps
+@load http/detect-webapps

policy/http/detect-intel.bro

@@ -1,3 +1,3 @@
-## Intelligence based HTTP detections.
+##! Intelligence based HTTP detections.
 
-module HTTP;
+module HTTP;

policy/http/detect-webapps.bro

@@ -1,4 +1,6 @@
 
+@load http/utils
+
 @load software
 @load signatures
 
@@ -47,4 +49,4 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 		}
 	
 	Software::found(c$id, si);
-	}
+	}

policy/http/headers.bro

@@ -8,7 +8,7 @@ redef record Info += {
 	## The vector of HTTP headers.  No header values are included here, just
 	## the header names.
 	## TODO: with an empty vector as &default, the vector isn't coerced to the
-	##       correct type.
+	## correct type.
 	headers:  vector of string &log &optional;
 };
 
@@ -20,4 +20,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	if ( ! c$http?$headers )
 		c$http$headers = vector();
 	c$http$headers[|c$http$headers|] = name;
-	}
+	}

policy/http/var-extraction-cookies.bro

@@ -1,6 +1,7 @@
-## This script extracts and logs variables from cookies sent by clients
+##! This script extracts and logs variables from cookies sent by clients
 
-@load http
+@load http/base
+@load http/utils
 
 module HTTP;
 
@@ -12,4 +13,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	{
 	if ( is_orig && name == "COOKIE" )
 		c$http$cookie_vars = extract_keys(value, /;[[:blank:]]*/);
-	}
+	}

policy/http/var-extraction-uri.bro

@@ -1,4 +1,4 @@
-## This script extracts and logs variables from the requested URI
+##! This script extracts and logs variables from the requested URI
 
 @load http/utils
 
@@ -12,4 +12,4 @@ event http_request(c: connection, method: string, original_URI: string,
                    unescaped_URI: string, version: string) &priority=2
 	{
 	c$http$uri_vars = extract_keys(original_URI, /&/);
-	}
+	}

policy/irc/dcc-send.bro

@@ -5,9 +5,10 @@
 ##! but that connection will actually be between B and C which could be 
 ##! analyzed on a different worker.
 ##!
+##! Example line from IRC server indicating that the DCC SEND is about to start:
+##!    PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
 
-## Example line from IRC server indicating that the DCC SEND is about to start:
+@load irc/base
-##    PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
 
 module IRC;
 

policy/notice.bro

@@ -25,13 +25,14 @@ export {
 		uid:            string  &log &optional;
 		id:             conn_id &log &optional; ##< connection-ID, if we don't have a connection handy
 		## This is the relevant host for this notice.  It could be set because
-		## either::
+		## either:
-		##   1. There is no connection associated with this notice.
+		##
-		##   2. There is some underlying semantic of the notice where either
+		## 1. There is no connection associated with this notice.
-		##      orig_h or resp_h is the relevant host in the associated
+		## 2. There is some underlying semantic of the notice where either
-		##      connection.  For example, if a host is detected scanning, the
+		##    orig_h or resp_h is the relevant host in the associated
-		##      particular connection taking place when the notice is generated
+		##    connection.  For example, if a host is detected scanning, the
-		##      is irrelevant and only the host detected scanning is relevant.
+		##    particular connection taking place when the notice is generated
+		##    is irrelevant and only the host detected scanning is relevant.
 		relevant_host:  addr    &log &optional;
 		
 		note:           Type    &log;

policy/smtp/utils.bro

@@ -1,4 +1,6 @@
 
+@load functions
+
 module SMTP;
 
 function find_address_in_smtp_header(header: string): string

policy/smtp/webmail-ident.bro

@@ -2,11 +2,14 @@
 ##! with the USER-AGENT (or other) header unless not possible and will resort
 ##! to heuristics if necessary.
 ##!
-##! TODO::
+##! TODO:
-##!     * Find some heuristic to determine if email was sent through 
+##!
-##!       a MS Exhange webmail interface as opposed to a desktop client.
+##! * Find some heuristic to determine if email was sent through 
+##!   a MS Exhange webmail interface as opposed to a desktop client.
 ##! 
 
+@load smtp/base
+
 module SMTP;
 
 redef record Info += {

policy/software.bro

@@ -1,2 +1,2 @@
 @load software/base
-@load software/vulnerable
+@load software/vulnerable

policy/software/base.bro

@@ -1,8 +1,8 @@
-## This script provides the framework for software version detection and
+##! This script provides the framework for software version detection and
-## parsing, but doesn't actually do any detection on it's own.  It relys on
+##! parsing, but doesn't actually do any detection on it's own.  It relys on
-## other protocol specific scripts to parse out software from the protocol(s)
+##! other protocol specific scripts to parse out software from the protocol(s)
-## that they analyze.  The entry point for providing new software detections
+##! that they analyze.  The entry point for providing new software detections
-## to this framework is through the Software::found function.
+##! to this framework is through the Software::found function.
 
 @load functions
 @load notice
@@ -67,9 +67,9 @@ export {
 	} &redef;
 	
 	## Other scripts should call this function when they detect software.
-	## @param unparsed_version: This is the full string from which the
+	## unparsed_version: This is the full string from which the
 	##                          Software::Info was extracted.
-	## @return: T if the software was logged, F otherwise.
+	## Returns: T if the software was logged, F otherwise.
 	global found: function(id: conn_id, info: Software::Info): bool;
 	
 	## This function can take many software version strings and parse them into 
@@ -80,7 +80,7 @@ export {
 	                       software_type: Type): Info;
 	
 	## Compare two versions.
-	## @return:  Returns -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
+	## Returns:  -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
 	##           If the numerical version numbers match, the addl string
 	##           is compared lexicographically.
 	global cmp_versions: function(v1: Version, v2: Version): int;