diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro
index c7bfd1ce34..e6c98dec5b 100644
--- a/scripts/base/frameworks/analyzer/main.bro
+++ b/scripts/base/frameworks/analyzer/main.bro
@@ -10,6 +10,8 @@
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
+@load base/frameworks/packet-filter/utils
+
 module Analyzer;
 export {
@@ -96,7 +98,21 @@ export {
 ##
 ## Returns: True if succesful.
 global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port,
- analyzer: Analyzer::Tag, tout: interval) : bool;
+ analyzer: Analyzer::Tag, tout: interval) : bool;
+
+ ## Automatically creates a BPF filter for the specified protocol based
+ ## on the data supplied for the protocol through the
+ ## :bro:see:`Analyzer::register_for_ports` function.
+ ##
+ ## tag: The analyzer tag.
+ ##
+ ## Returns: BPF filter string.
+ global analyzer_to_bpf: function(tag: Analyzer::Tag): string;
+
+ ## Create a BPF filter which matches all of the ports defined
+ ## by the various protocol analysis scripts as "registered ports"
+ ## for the protocol.
+ global get_bpf: function(): string;
 ## A set of analyzers to disable by default at startup. The default set
 ## contains legacy analyzers that are no longer supported.
@@ -177,3 +193,25 @@ function schedule_analyzer(orig: addr, resp: addr, resp_p: port,
 return __schedule_analyzer(orig, resp, resp_p, analyzer, tout);
 }
+function analyzer_to_bpf(tag: Analyzer::Tag): string
+ {
+ # Return an empty string if an undefined analyzer was given.
+ if ( tag !in ports )
+ return "";
+
+ local output = "";
+ for ( p in ports[tag] )
+ output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(p));
+ return output;
+ }
+
+function get_bpf(): string
+ {
+ local output = "";
+ for ( tag in ports )
+ {
+ output = PacketFilter::combine_filters(output, "or", analyzer_to_bpf(tag));
+ }
+ return output;
+ }
+
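Review bot: The `Returns:` line for `analyzer_to_bpf` in the export block leaves out the empty-string case that the implementation further down in this file relies on, and `get_bpf` silently ORs that empty result into the overall filter, so callers should be told. Suggest `## Returns: BPF filter string, or an empty string if no ports have been registered for *tag*.`, and `for the specified analyzer` instead of `for the specified protocol` in the first sentence, since the parameter is an `Analyzer::Tag`.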
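Review bot: The comment `# Return an empty string if an undefined analyzer was given.` in `analyzer_to_bpf` is misleading: `tag !in ports` is equally true for a valid analyzer that simply has not registered any ports yet (the table is filled by `Analyzer::register_for_ports`, which the ftp hunk below calls from `bro_init` at priority 5), so `# No ports registered for this analyzer (yet); it contributes nothing to the filter.` describes what the code does. That matters because `get_bpf` is what `PacketFilter::build` now folds into the capture filter when `enable_auto_protocol_capture_filters` is set: an analyzer that registers no ports, or whose registration runs after the filter is built, has its traffic excluded at the BPF level rather than merely not analyzed, which deserves a sentence on `get_bpf` and a check that the filter is built only after those registrations (the packet-filter side is outside this hunk, so I cannot confirm the ordering). `ports` is declared outside the hunk; I am inferring its shape from `ports[tag]`. Minor style point: `get_bpf` braces its single-statement loop body while `analyzer_to_bpf` does not.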
diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro
index 45c2488c00..011885e8b7 100644
--- a/scripts/base/frameworks/packet-filter/__load__.bro
+++ b/scripts/base/frameworks/packet-filter/__load__.bro
@@ -1,4 +1,3 @@
 @load ./utils
 @load ./main
-@load ./shunt
 @load ./netstats
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
index c5a0677add..b4885a19f2 100644
--- a/scripts/base/frameworks/packet-filter/main.bro
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -5,7 +5,7 @@
 ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
 @load base/frameworks/notice
-@load base/frameworks/protocols
+@load base/frameworks/analyzer
 @load ./utils
 module PacketFilter;
@@ -64,13 +64,13 @@ export {
 ## The maximum amount of time that you'd like to allow for BPF filters to compile.
 ## If this time is exceeded, compensation measures may be taken by the framework
 ## to reduce the filter size. This threshold being crossed also results in
- ## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice.
+ ## the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
 const max_filter_compile_time = 100msec &redef;
 ## Install a BPF filter to exclude some traffic. The filter should positively
 ## match what is to be excluded, it will be wrapped in a "not".
 ##
- ## filter_id: A somewhat arbitrary string that can be used to identify
+ ## filter_id: An arbitrary string that can be used to identify
 ## the filter.
 ##
 ## filter: A BPF expression of traffic that should be excluded.
@@ -83,7 +83,7 @@ export {
 ## the BPF filter. The filter should match the traffic you don't want
 ## to see (it will be wrapped in a "not" condition).
 ##
- ## filter_id: A somewhat arbitrary string that can be used to identify
+ ## filter_id: An arbitrary string that can be used to identify
 ## the filter.
 ##
 ## filter: A BPF expression of traffic that should be excluded.
@@ -119,11 +119,8 @@ export {
 global dynamic_restrict_filters: table[string] of string = {};
-# Set the default capture filter.
-redef capture_filters += { ["default"] = default_capture_filter };
-
-# Track if a filter is currenlty building so functions that would ultimately
-# install a filter immediately can still be used buy they won't try to build or
+# Track if a filter is currently building so functions that would ultimately
+# install a filter immediately can still be used but they won't try to build or
 # install the filter.
 global currently_building = F;
@@ -239,7 +236,7 @@ function build(): string
 cfilter = combine_filters(cfilter, "or", capture_filters[id]);
 if ( enable_auto_protocol_capture_filters )
- cfilter = combine_filters(cfilter, "or", Protocols::to_bpf());
+ cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf());
 # Apply the restriction filters.
 local rfilter = "";
@@ -269,6 +266,10 @@ function install(): bool
 local tmp_filter = build();
+ # No need to proceed if the filter hasn't changed.
+ if ( tmp_filter == current_filter )
+ return F;
+
 local ts = current_time();
 if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
 {
@@ -283,8 +284,8 @@ function install(): bool
 local diff = current_time()-ts;
 if ( diff > max_filter_compile_time )
 NOTICE([$note=Too_Long_To_Compile_Filter,
- $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]);
-
+ $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]);
+
 # Set it to the current filter if it passed precompiling
 current_filter = tmp_filter;
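Review bot: With the `["default"]` entry gone from `capture_filters` (hunk at -119), `cfilter` in `build()` (hunk at -239) is assembled only from site-supplied entries plus `Analyzer::get_bpf()` when `enable_auto_protocol_capture_filters` is on, so with that flag off and no site entries it is still `""` when the restriction step begins, and nothing in the commit states what the framework is meant to capture in that configuration. libpcap compiles an empty expression as match-all, but whether an empty `cfilter` survives the combination with the restriction filters depends on how `combine_filters` treats an empty operand, which is outside the hunk. The intended default belongs in a comment at the flag check, e.g. `# An empty cfilter at this point means "capture everything"; restriction filters still apply below.`, once that is confirmed against the rest of `build()`.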
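Review bot: The new early return in `install()` (hunk at -269) answers "filter unchanged" with `F`, which is presumably also what the `precompile_pcap_filter` failure branch just below returns, so a caller that uses the result to raise a notice on failure will now report a failure every time it asks to install an unchanged filter. Unless the exported documentation for `install` (outside the hunk) already defines `F` as "nothing was installed" rather than "installation failed", `return T;` is the safer value, or at least the comment should say `# Filter unchanged; nothing to install. Note: F is also the value for a failed compile.`. Also worth checking: if `current_filter` starts out as `""` and `build()` can return `""`, the first call returns here before anything is ever installed.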
diff --git a/scripts/base/frameworks/protocols/__load__.bro b/scripts/base/frameworks/protocols/__load__.bro
deleted file mode 100644
index d551be57d3..0000000000
--- a/scripts/base/frameworks/protocols/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load ./main
\ No newline at end of file
diff --git a/scripts/base/frameworks/protocols/main.bro b/scripts/base/frameworks/protocols/main.bro
deleted file mode 100644
index 43ea3b49f8..0000000000
--- a/scripts/base/frameworks/protocols/main.bro
+++ /dev/null
@@ -1,59 +0,0 @@
-
-@load base/frameworks/packet-filter/utils
-
-module Protocols;
-
-export {
-
- const common_ports: table[string] of set[port] = {} &redef;
-
- ## Automatically creates a BPF filter for the specified protocol based
- ## on the data supplied for the protocol in the :bro:id:`common_ports`
- ## variable.
- ##
- ## protocol: A string representation for a protocol, e.g. "HTTP"
- ##
- ## Returns: BPF filter string.
- global protocol_to_bpf: function(protocol: string): string;
-
- ## Create a BPF filter which matches all of the ports defined
- ## by the various protocol analysis scripts as "common ports"
- ## for the protocol.
- global to_bpf: function(): string;
-
- ## Maps between human readable protocol identifiers (like "HTTP")
- ## and the internal Bro representation for an analyzer (like ANALYZER_HTTP).
- ## This is typically fully populated by the base protocol analyzer scripts.
- const analyzer_map: table[string] of set[AnalyzerTag] = {} &redef;
-}
-
-event bro_init() &priority=10
- {
- for ( proto in common_ports )
- {
- for ( p in common_ports[proto] )
- dpd_analyzer_ports[p] = analyzer_map[proto];
- for ( a in analyzer_map[proto] )
- dpd_config[a] = [$ports=common_ports[proto]];
- }
- }
-
-function protocol_to_bpf(protocol: string): string
- {
- # Return an empty string if an undefined protocol was given.
- if ( protocol !in common_ports )
- return "";
-
- local output = "";
- for ( one_port in common_ports[protocol] )
- output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(one_port));
- return output;
- }
-
-function to_bpf(): string
- {
- local output = "";
- for ( p in common_ports )
- output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p));
- return output;
- }
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 15da9aa7b7..ea3ec016de 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -122,14 +122,6 @@ redef record connection += {
 dns_state: State &optional;
 };
-# DPD configuration.
-redef capture_filters += {
- ["dns"] = "port 53",
- ["mdns"] = "udp and port 5353",
- ["llmns"] = "udp and port 5355",
- ["netbios-ns"] = "udp port 137",
-};
-
 const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
 redef likely_server_ports += { ports };
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index e524c32c4b..448eccd454 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -111,21 +111,18 @@ redef record connection += {
 ftp_data_reuse: bool &default=F;
 };
-# Configure DPD
-redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
-
 const ports = { 21/tcp, 2811/tcp };
 redef likely_server_ports += { ports };
-# Establish the variable for tracking expected connections.
-global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
-
 event bro_init() &priority=5
 {
 Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
 Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 }
+# Establish the variable for tracking expected connections.
+global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
+
 ## A set of commands where the argument can be expected to refer
 ## to a file or directory.
 const file_cmds = {
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 1c9c1cad2d..6d06376183 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -123,19 +123,12 @@ redef record connection += {
 http_state: State &optional;
 };
-# DPD configuration.
-redef capture_filters += {
- ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
-};
-
 const ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp, };
-
 redef likely_server_ports += { ports };
-
 # Initialize the HTTP logging stream and ports.
 event bro_init() &priority=5
 {
diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro
index 490c39f54f..a57fc95448 100644
--- a/scripts/base/protocols/irc/main.bro
+++ b/scripts/base/protocols/irc/main.bro
@@ -38,13 +38,6 @@ redef record connection += {
 irc: Info &optional;
 };
-# Some common IRC ports.
-redef capture_filters += { ["irc-6666"] = "port 6666" };
-redef capture_filters += { ["irc-6667"] = "port 6667" };
-redef capture_filters += { ["irc-6668"] = "port 6668" };
-redef capture_filters += { ["irc-6669"] = "port 6669" };
-
-# DPD configuration.
 const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
 redef likely_server_ports += { ports };
diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro
index a418873306..d484e7582b 100644
--- a/scripts/base/protocols/modbus/main.bro
+++ b/scripts/base/protocols/modbus/main.bro
@@ -29,9 +29,6 @@ redef record connection += {
 modbus: Info &optional;
 };
-# Configure DPD and the packet filter.
-redef capture_filters += { ["modbus"] = "tcp port 502" };
-
 const ports = { 502/tcp };
 redef likely_server_ports += { ports };
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index c7b3a452d2..d53128b06c 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -81,9 +81,6 @@ redef record connection += {
 smtp_state: State &optional;
 };
-# Configure DPD
-redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
-
 const ports = { 25/tcp, 587/tcp };
 redef likely_server_ports += { ports };
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index a188646515..f697b355c1 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -47,10 +47,6 @@ redef record connection += {
 socks: SOCKS::Info &optional;
 };
-# Configure DPD
-redef capture_filters += { ["socks"] = "tcp port 1080" };
-redef likely_server_ports += { 1080/tcp };
-
 function set_session(c: connection, version: count)
 {
 if ( ! c?$socks )
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index ddd3e8b834..53b61f00d8 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -70,17 +70,13 @@ export {
 global log_ssh: event(rec: Info);
 }
-# Configure DPD and the packet filter
-
-const ports = { 22/tcp };
-
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-redef likely_server_ports += { ports };
-
 redef record connection += {
 ssh: Info &optional;
 };
+const ports = { 22/tcp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 {
 Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 61d8d2fdb4..65526182ac 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -94,26 +94,10 @@ redef record Info += {
 delay_tokens: set[string] &optional;
 };
-redef capture_filters += {
- ["ssl"] = "tcp port 443",
- ["nntps"] = "tcp port 563",
- ["imap4-ssl"] = "tcp port 585",
- ["sshell"] = "tcp port 614",
- ["ldaps"] = "tcp port 636",
- ["ftps-data"] = "tcp port 989",
- ["ftps"] = "tcp port 990",
- ["telnets"] = "tcp port 992",
- ["imaps"] = "tcp port 993",
- ["ircs"] = "tcp port 994",
- ["pop3s"] = "tcp port 995",
- ["xmpps"] = "tcp port 5223",
-};
-
 const ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-} &redef;
-
+};
 redef likely_server_ports += { ports };
 event bro_init() &priority=5
@@ -154,7 +138,7 @@ function log_record(info: Info)
 {
 log_record(info);
 }
- timeout max_log_delay
+ timeout SSL::max_log_delay
 {
 Reporter::info(fmt("SSL delay tokens not released in time (%s tokens remaining)", |info$delay_tokens|));
diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro
index 7c15fb4fae..afe562c890 100644
--- a/scripts/base/protocols/syslog/main.bro
+++ b/scripts/base/protocols/syslog/main.bro
@@ -26,15 +26,13 @@ export {
 };
 }
-redef capture_filters += { ["syslog"] = "port 514" };
-
-const ports = { 514/udp };
-redef likely_server_ports += { ports };
-
 redef record connection += {
 syslog: Info &optional;
 };
+const ports = { 514/udp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 {
 Log::create_stream(Syslog::LOG, [$columns=Info]);
diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/policy/frameworks/packet-filter/shunt.bro
similarity index 99%
rename from scripts/base/frameworks/packet-filter/shunt.bro
rename to scripts/policy/frameworks/packet-filter/shunt.bro
index fcbdac85aa..fba66e60f3 100644
--- a/scripts/base/frameworks/packet-filter/shunt.bro
+++ b/scripts/policy/frameworks/packet-filter/shunt.bro
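Review bot: After this hunk the auto-generated capture filter for SSL is derived solely from `ports`, and that set contains no `994/tcp`, whereas the removed `capture_filters` block explicitly covered `["ircs"] = "tcp port 994"`; with `enable_auto_protocol_capture_filters` on, IRC-over-TLS traffic on 994 that used to be captured is now dropped at the BPF level before any analyzer sees it. If that is unintended, `990/tcp, 992/tcp, 993/tcp, 994/tcp, 995/tcp, 5223/tcp` restores it. Separately, dropping `&redef` from `const ports` breaks any site script that does `redef SSL::ports += { ... }`; that is consistent with the other protocol scripts in this commit, but the replacement path (calling `Analyzer::register_for_ports` at runtime) deserves a changelog note.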
@@ -1,6 +1,5 @@
 @load base/frameworks/notice
-@load ./main
-@load ./utils
+@load base/frameworks/packet-filter
 module PacketFilter;