Updates for the PacketFilter framework to simplify it.

scripts/base/frameworks/analyzer/main.bro

@@ -10,6 +10,8 @@
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
 
+@load base/frameworks/packet-filter/utils
+
 module Analyzer;
 
 export {
@@ -98,6 +100,20 @@ export {
 	global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port,
 	                                   analyzer: Analyzer::Tag, tout: interval) : bool;
 
+	## Automatically creates a BPF filter for the specified protocol based
+	## on the data supplied for the protocol through the 
+	## :bro:see:`Analyzer::register_for_ports` function.
+	##
+	## tag: The analyzer tag.
+	##
+	## Returns: BPF filter string.
+	global analyzer_to_bpf: function(tag: Analyzer::Tag): string;
+
+	## Create a BPF filter which matches all of the ports defined 
+	## by the various protocol analysis scripts as "registered ports"
+	## for the protocol.
+	global get_bpf: function(): string;
+
 	## A set of analyzers to disable by default at startup. The default set
 	## contains legacy analyzers that are no longer supported.
 	global disabled_analyzers: set[Analyzer::Tag] = {
@@ -177,3 +193,25 @@ function schedule_analyzer(orig: addr, resp: addr, resp_p: port,
 	return __schedule_analyzer(orig, resp, resp_p, analyzer, tout);
 	}
 
+function analyzer_to_bpf(tag: Analyzer::Tag): string
+	{
+	# Return an empty string if an undefined analyzer was given.
+	if ( tag !in ports )
+		return "";
+	
+	local output = "";
+	for ( p in ports[tag] )
+		output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(p));
+	return output;
+	}
+
+function get_bpf(): string
+	{
+	local output = "";
+	for ( tag in ports )
+		{
+		output = PacketFilter::combine_filters(output, "or", analyzer_to_bpf(tag));
+		}
+	return output;
+	}
+

scripts/base/frameworks/packet-filter/__load__.bro

@@ -1,4 +1,3 @@
 @load ./utils
 @load ./main
-@load ./shunt
 @load ./netstats

scripts/base/frameworks/packet-filter/main.bro

@@ -5,7 +5,7 @@
 ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
 
 @load base/frameworks/notice
-@load base/frameworks/protocols
+@load base/frameworks/analyzer
 @load ./utils
 
 module PacketFilter;
@@ -64,13 +64,13 @@ export {
 	## The maximum amount of time that you'd like to allow for BPF filters to compile.
 	## If this time is exceeded, compensation measures may be taken by the framework
 	## to reduce the filter size.  This threshold being crossed also results in
-	## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice.
+	## the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
 	const max_filter_compile_time = 100msec &redef;
 	
 	## Install a BPF filter to exclude some traffic.  The filter should positively
 	## match what is to be excluded, it will be wrapped in a "not".
 	##
-	## filter_id: A somewhat arbitrary string that can be used to identify 
+	## filter_id: An arbitrary string that can be used to identify 
 	##            the filter.
 	##
 	## filter: A BPF expression of traffic that should be excluded.
@@ -83,7 +83,7 @@ export {
 	## the BPF filter.  The filter should match the traffic you don't want
 	## to see (it will be wrapped in a "not" condition).
 	##
-	## filter_id: A somewhat arbitrary string that can be used to identify 
+	## filter_id: An arbitrary string that can be used to identify 
 	##            the filter.
 	##
 	## filter: A BPF expression of traffic that should be excluded.
@@ -119,11 +119,8 @@ export {
 
 global dynamic_restrict_filters: table[string] of string = {};
 
-# Set the default capture filter.
+# Track if a filter is currently building so functions that would ultimately 
-redef capture_filters += { ["default"] = default_capture_filter };
+# install a filter immediately can still be used but they won't try to build or
-
-# Track if a filter is currenlty building so functions that would ultimately 
-# install a filter immediately can still be used buy they won't try to build or
 # install the filter.
 global currently_building = F;
 
@@ -239,7 +236,7 @@ function build(): string
 		cfilter = combine_filters(cfilter, "or", capture_filters[id]);
 	
 	if ( enable_auto_protocol_capture_filters )
-		cfilter = combine_filters(cfilter, "or", Protocols::to_bpf());
+		cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf());
 	
 	# Apply the restriction filters.
 	local rfilter = "";
@@ -269,6 +266,10 @@ function install(): bool
 	
 	local tmp_filter = build();
 	
+	# No need to proceed if the filter hasn't changed.
+	if ( tmp_filter == current_filter )
+		return F;
+
 	local ts = current_time();
 	if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
 		{
@@ -283,7 +284,7 @@ function install(): bool
 	local diff = current_time()-ts;
 	if ( diff > max_filter_compile_time )
 		NOTICE([$note=Too_Long_To_Compile_Filter,
-		        $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]);
+		        $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]);
 
 	# Set it to the current filter if it passed precompiling
 	current_filter = tmp_filter;

scripts/base/frameworks/protocols/__load__.bro

@@ -1 +0,0 @@
-@load ./main

scripts/base/frameworks/protocols/main.bro

@@ -1,59 +0,0 @@
-
-@load base/frameworks/packet-filter/utils
-
-module Protocols;
-
-export {
-	
-	const common_ports: table[string] of set[port] = {} &redef;
-
-	## Automatically creates a BPF filter for the specified protocol based
-	## on the data supplied for the protocol in the :bro:id:`common_ports`
-	## variable.
-	##
-	## protocol: A string representation for a protocol, e.g. "HTTP"
-	##
-	## Returns: BPF filter string.
-	global protocol_to_bpf: function(protocol: string): string;
-	
-	## Create a BPF filter which matches all of the ports defined 
-	## by the various protocol analysis scripts as "common ports"
-	## for the protocol.
-	global to_bpf: function(): string;
-	
-	## Maps between human readable protocol identifiers (like "HTTP")
-	## and the internal Bro representation for an analyzer (like ANALYZER_HTTP).
-	## This is typically fully populated by the base protocol analyzer scripts.
-	const analyzer_map: table[string] of set[AnalyzerTag] = {} &redef;
-}
-
-event bro_init() &priority=10
-	{
-	for ( proto in common_ports )
-		{
-		for ( p in common_ports[proto] )
-			dpd_analyzer_ports[p] = analyzer_map[proto];
-		for ( a in analyzer_map[proto] )
-			dpd_config[a] = [$ports=common_ports[proto]];
-		}
-	}
-
-function protocol_to_bpf(protocol: string): string
-	{
-	# Return an empty string if an undefined protocol was given.
-	if ( protocol !in common_ports )
-		return "";
-	
-	local output = "";
-	for ( one_port in common_ports[protocol] )
-		output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(one_port));
-	return output;
-	}
-	
-function to_bpf(): string
-	{
-	local output = "";
-	for ( p in common_ports )
-		output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p));
-	return output;
-	}

scripts/base/protocols/dns/main.bro

@@ -122,14 +122,6 @@ redef record connection += {
 	dns_state: State &optional;
 };
 
-# DPD configuration.
-redef capture_filters += {
-	["dns"] = "port 53",
-	["mdns"] = "udp and port 5353",
-	["llmns"] = "udp and port 5355",
-	["netbios-ns"] = "udp port 137",
-};
-
 const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
 redef likely_server_ports += { ports };
 

scripts/base/protocols/ftp/main.bro

@@ -111,21 +111,18 @@ redef record connection += {
 	ftp_data_reuse: bool &default=F;
 };
 
-# Configure DPD
-redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
-
 const ports = { 21/tcp, 2811/tcp };
 redef likely_server_ports += { ports };
 
-# Establish the variable for tracking expected connections.
-global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
-
 event bro_init() &priority=5
 	{
 	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
 
+# Establish the variable for tracking expected connections.
+global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
+
 ## A set of commands where the argument can be expected to refer
 ## to a file or directory.
 const file_cmds = {

scripts/base/protocols/http/main.bro

@@ -123,19 +123,12 @@ redef record connection += {
 	http_state:  State &optional;
 };
 
-# DPD configuration.
-redef capture_filters +=  {
-	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
-};
-
 const ports = {
 	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
 	8000/tcp, 8080/tcp, 8888/tcp,
 };
-
 redef likely_server_ports += { ports };
 
-
 # Initialize the HTTP logging stream and ports.
 event bro_init() &priority=5
 	{

scripts/base/protocols/irc/main.bro

@@ -38,13 +38,6 @@ redef record connection += {
 	irc:  Info &optional;
 };
 
-# Some common IRC ports.
-redef capture_filters += { ["irc-6666"] = "port 6666" };
-redef capture_filters += { ["irc-6667"] = "port 6667" };
-redef capture_filters += { ["irc-6668"] = "port 6668" };
-redef capture_filters += { ["irc-6669"] = "port 6669" };
-
-# DPD configuration.
 const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
 redef likely_server_ports += { ports };
 

scripts/base/protocols/modbus/main.bro

@@ -29,9 +29,6 @@ redef record connection += {
 	modbus: Info &optional;
 };
 
-# Configure DPD and the packet filter.
-redef capture_filters += { ["modbus"] = "tcp port 502" };
-
 const ports = { 502/tcp };
 redef likely_server_ports += { ports };
 

scripts/base/protocols/smtp/main.bro

@@ -81,9 +81,6 @@ redef record connection += {
 	smtp_state: State &optional;
 };
 
-# Configure DPD
-redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
-
 const ports = { 25/tcp, 587/tcp };
 redef likely_server_ports += { ports };
 

scripts/base/protocols/socks/main.bro

@@ -47,10 +47,6 @@ redef record connection += {
 	socks: SOCKS::Info &optional;
 };
 
-# Configure DPD
-redef capture_filters += { ["socks"] = "tcp port 1080" };
-redef likely_server_ports += { 1080/tcp };
-
 function set_session(c: connection, version: count)
 	{
 	if ( ! c?$socks )

scripts/base/protocols/ssh/main.bro

@@ -70,17 +70,13 @@ export {
 	global log_ssh: event(rec: Info);
 }
 
-# Configure DPD and the packet filter
-
-const ports = { 22/tcp };
- 
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-redef likely_server_ports += { ports };
-
 redef record connection += {
 	ssh: Info &optional;
 };
 
+const ports = { 22/tcp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 {
 	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);

scripts/base/protocols/ssl/main.bro

@@ -94,26 +94,10 @@ redef record Info += {
 		delay_tokens: set[string] &optional;
 };
 
-redef capture_filters += {
-	["ssl"] = "tcp port 443",
-	["nntps"] = "tcp port 563",
-	["imap4-ssl"] = "tcp port 585",
-	["sshell"] = "tcp port 614",
-	["ldaps"] = "tcp port 636",
-	["ftps-data"] = "tcp port 989",
-	["ftps"] = "tcp port 990",
-	["telnets"] = "tcp port 992",
-	["imaps"] = "tcp port 993",
-	["ircs"] = "tcp port 994",
-	["pop3s"] = "tcp port 995",
-	["xmpps"] = "tcp port 5223",
-};
-
 const ports = {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-} &redef;
+};
-
 redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
@@ -154,7 +138,7 @@ function log_record(info: Info)
 			{
 			log_record(info);
 			}
-		timeout max_log_delay
+		timeout SSL::max_log_delay
 			{
 			Reporter::info(fmt("SSL delay tokens not released in time (%s tokens remaining)",
 			                   |info$delay_tokens|));

scripts/base/protocols/syslog/main.bro

@@ -26,15 +26,13 @@ export {
 	};
 }
 
-redef capture_filters += { ["syslog"] = "port 514" };
-
-const ports = { 514/udp };
-redef likely_server_ports += { ports };
-
 redef record connection += {
 	syslog: Info &optional;
 };
 
+const ports = { 514/udp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 	{
 	Log::create_stream(Syslog::LOG, [$columns=Info]);

scripts/policy/frameworks/packet-filter/shunt.bro

@@ -1,6 +1,5 @@
 @load base/frameworks/notice
-@load ./main
+@load base/frameworks/packet-filter
-@load ./utils
 
 module PacketFilter;