diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index 04772f57aa..9a14b2f49f 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -196,12 +196,9 @@ function setup_peer(p: event_peer, node: Node) request_remote_events(p, node$events); } - if ( node?$capture_filter ) + if ( node?$capture_filter && node$capture_filter != "" ) { local filter = node$capture_filter; - if ( filter == "" ) - filter = PacketFilter::default_filter; - do_script_log(p, fmt("sending capture_filter: %s", filter)); send_capture_filter(p, filter); } diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro index 1d72e1ebe0..45c2488c00 100644 --- a/scripts/base/frameworks/packet-filter/__load__.bro +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -1,2 +1,4 @@ +@load ./utils @load ./main +@load ./shunt @load ./netstats diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 16e3ff9789..7706c2669f 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -1,10 +1,11 @@ ##! This script supports how Bro sets it's BPF capture filter. By default -##! Bro sets an unrestricted filter that allows all traffic. If a filter +##! Bro sets a capture filter that allows all traffic. If a filter ##! is set on the command line, that filter takes precedence over the default ##! open filter and all filters defined in Bro scripts with the ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. @load base/frameworks/notice +@load base/frameworks/protocols module PacketFilter; @@ -19,6 +20,9 @@ export { ## This notice is generated if a packet filter is fails to install. Install_Failure, + + ## Generated when a notice takes too long to compile. + Too_Long_To_Compile_Filter }; ## The record type defining columns to be logged in the packet filter @@ -41,94 +45,220 @@ export { ## Indicate if the filter was applied successfully. success: bool &log &default=T; }; - - ## By default, Bro will examine all packets. If this is set to false, - ## it will dynamically build a BPF filter that only select protocols - ## for which the user has loaded a corresponding analysis script. - ## The latter used to be default for Bro versions < 2.0. That has now - ## changed however to enable port-independent protocol analysis. - const all_packets = T &redef; + + ## The BPF filter that is used by default to define what traffic should + ## be captured. Filters defined in :bro:id:`restrict_filters` will still + ## be applied to reduce the captured traffic. + const default_capture_filter = "ip or not ip" &redef; ## Filter string which is unconditionally or'ed to the beginning of every ## dynamically built filter. const unrestricted_filter = "" &redef; + ## The maximum amount of time that you'd like to allow for filters to compile. + ## If this time is exceeded, compensation measures may be taken by the framework + ## to reduce the filter size. This threshold being crossed also results in + ## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice. + const max_filter_compile_time = 100msec &redef; + + ## Install a BPF filter to exclude some traffic. The filter should positively + ## match what is to be excluded, it will be wrapped in a "not". + ## + ## filter_id: A somewhat arbitrary string that can be used to identify + ## the filter. + ## + ## filter: A BPF expression of traffic that should be excluded. + ## + ## Returns: A boolean value to indicate if the fitler was successfully + ## installed or not. + global exclude: function(filter_id: string, filter: string): bool; + + ## Install a temporary filter to traffic which should not be passed through + ## the BPF filter. The filter should match the traffic you don't want + ## to see (it will be wrapped in a "not" condition). + ## + ## filter_id: A somewhat arbitrary string that can be used to identify + ## the filter. + ## + ## filter: A BPF expression of traffic that should be excluded. + ## + ## length: The duration for which this filter should be put in place. + ## + ## Returns: A boolean value to indicate if the filter was successfully + ## installed or not. + global exclude_for: function(filter_id: string, filter: string, span: interval): bool; + ## Call this function to build and install a new dynamically built ## packet filter. global install: function(); + ## A data structure to represent filter generating factories. + type FilterFactory: record { + ## A function that is directly called when generating the complete filter. + func : function(); + }; + + ## API function to register a new factory for dynamic restriction filters. + global register_filter_factory: function(ff: FilterFactory); + + ## Enables the old filtering approach of "only watch common ports for + ## analyzed protocols". + ## Unless you know what you are doing, leave this set to F. + const enable_auto_protocol_capture_filters = F &redef; + ## This is where the default packet filter is stored and it should not ## normally be modified by users. - global default_filter = ""; + global current_filter = ""; } +global dynamic_restrict_filters: table[string] of string = {}; + +# Set the default capture filter. +redef capture_filters += { ["default"] = default_capture_filter }; + +# Track if a filter is currenlty building so functions that would ultimately +# install a filter immediately can still be used buy they won't try to build or +# install the filter. +global currently_building = F; + +global filter_factories: set[FilterFactory] = {}; + redef enum PcapFilterID += { DefaultPcapFilter, + FilterTester, }; -function combine_filters(lfilter: string, rfilter: string, op: string): string +function test_filter(filter: string): bool { - if ( lfilter == "" && rfilter == "" ) - return ""; - else if ( lfilter == "" ) - return rfilter; - else if ( rfilter == "" ) - return lfilter; - else - return fmt("(%s) %s (%s)", lfilter, op, rfilter); + if ( ! precompile_pcap_filter(FilterTester, filter) ) + { + # The given filter was invalid + # TODO: generate a notice. + return F; + } + return T; } -function build_default_filter(): string +event bro_init() &priority=6 + { + Log::create_stream(PacketFilter::LOG, [$columns=Info]); + + # Preverify the capture and restrict filters to give more granular failure messages. + for ( id in capture_filters ) + { + if ( ! test_filter(capture_filters[id]) ) + Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, capture_filters[id])); + } + + for ( id in restrict_filters ) + { + if ( ! test_filter(restrict_filters[id]) ) + Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id])); + } + + install(); + } + +function register_filter_factory(ff: FilterFactory) + { + add filter_factories[ff]; + } + +event remove_dynamic_filter(filter_id: string) + { + if ( filter_id in dynamic_restrict_filters ) + { + delete dynamic_restrict_filters[filter_id]; + install(); + } + } + +function exclude(filter_id: string, filter: string): bool + { + if ( ! test_filter(filter) ) + return F; + + dynamic_restrict_filters[filter_id] = filter; + install(); + return T; + } + +function exclude_for(filter_id: string, filter: string, span: interval): bool + { + if ( exclude(filter_id, filter) ) + { + schedule span { remove_dynamic_filter(filter_id) }; + return T; + } + return F; + } + +function build(): string { if ( cmd_line_bpf_filter != "" ) # Return what the user specified on the command line; return cmd_line_bpf_filter; - - if ( all_packets ) - { - # Return an "always true" filter. - if ( bro_has_ipv6() ) - return "ip or not ip"; - else - return "not ip6"; - } - - # Build filter dynamically. - # First the capture_filter. + currently_building = T; + + # Install the default capture filter. local cfilter = ""; - for ( id in capture_filters ) - cfilter = combine_filters(cfilter, capture_filters[id], "or"); + + if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters ) + cfilter = default_capture_filter; - # Then the restrict_filter. + for ( id in capture_filters ) + cfilter = combine_filters(cfilter, "or", capture_filters[id]); + + if ( enable_auto_protocol_capture_filters ) + cfilter = combine_filters(cfilter, "or", Protocols::to_bpf()); + + # Apply the restriction filters. local rfilter = ""; for ( id in restrict_filters ) - rfilter = combine_filters(rfilter, restrict_filters[id], "and"); - + rfilter = combine_filters(rfilter, "and", restrict_filters[id]); + + # Apply the dynamic restriction filters. + for ( filt in dynamic_restrict_filters ) + rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); + + # Generate all of the plugin factory based filters. + for ( factory in filter_factories ) + { + factory$func(); + } + # Finally, join them into one filter. - local filter = combine_filters(rfilter, cfilter, "and"); + local filter = combine_filters(cfilter, "and", rfilter); + if ( unrestricted_filter != "" ) - filter = combine_filters(unrestricted_filter, filter, "or"); - - # Exclude IPv6 if we don't support it. - if ( ! bro_has_ipv6() ) - filter = combine_filters(filter, "not ip6", "and"); + filter = combine_filters(unrestricted_filter, "or", filter); + currently_building = F; return filter; } function install() { - default_filter = build_default_filter(); - - if ( ! precompile_pcap_filter(DefaultPcapFilter, default_filter) ) + if ( currently_building ) + return; + + current_filter = build(); + + #local ts = current_time(); + if ( ! precompile_pcap_filter(DefaultPcapFilter, current_filter) ) { NOTICE([$note=Compile_Failure, $msg=fmt("Compiling packet filter failed"), - $sub=default_filter]); - Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter)); + $sub=current_filter]); + Reporter::fatal(fmt("Bad pcap filter '%s'", current_filter)); } + #local diff = current_time()-ts; + #if ( diff > max_filter_compile_time ) + # NOTICE([$note=Too_Long_To_Compile_Filter, + # $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]); + # Do an audit log for the packet filter. local info: Info; info$ts = network_time(); @@ -138,7 +268,7 @@ function install() info$ts = current_time(); info$init = T; } - info$filter = default_filter; + info$filter = current_filter; if ( ! install_pcap_filter(DefaultPcapFilter) ) { @@ -146,15 +276,10 @@ function install() info$success = F; NOTICE([$note=Install_Failure, $msg=fmt("Installing packet filter failed"), - $sub=default_filter]); + $sub=current_filter]); } + if ( reading_live_traffic() || reading_traces() ) Log::write(PacketFilter::LOG, info); } - -event bro_init() &priority=10 - { - Log::create_stream(PacketFilter::LOG, [$columns=Info]); - PacketFilter::install(); - } diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/base/frameworks/packet-filter/shunt.bro new file mode 100644 index 0000000000..b001da0640 --- /dev/null +++ b/scripts/base/frameworks/packet-filter/shunt.bro @@ -0,0 +1,74 @@ +@load base/frameworks/notice + +module PacketFilter; + +export { + const max_bpf_shunts = 100 &redef; + + global shunt_conn: function(id: conn_id): bool; + + redef enum Notice::Type += { + ## Indicative that :bro:id:`max_bpf_shunts` connections are already + ## being shunted with BPF filters and no more are allowed. + No_More_Conn_Shunts_Available, + }; +} + +global shunted_conns: set[conn_id]; +global shunted_conns_non_flag_tracking: set[conn_id]; + +function conn_shunt_filters() + { + # TODO: this could wrongly match if a connection happens with the ports reversed. + local filter = ""; + local ipv4_tcp_filter = ""; + for ( id in shunted_conns ) + { + local prot = get_port_transport_proto(id$resp_p); + + # TODO: add ipv6 + #if ( prot == udp ) #|| is_ipv6_addr(id$orig_h) ) + # { + # next; + # shunt_for() + # } + + if ( prot == tcp ) + ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", fmt("host %s and port %d and host %s and port %d and %s", id$orig_h, id$orig_p, id$resp_h, id$resp_p, prot)); + } + + ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"); + + if ( ipv4_tcp_filter == "" ) + return; + PacketFilter::exclude("conn_shunt_filters", ipv4_tcp_filter); + } + +event bro_init() &priority=5 + { + register_filter_factory([ + $func()={ return conn_shunt_filters(); } + ]); + } + +function shunt_conn(id: conn_id): bool + { + if ( |shunted_conns| + |shunted_conns_non_flag_tracking| > max_bpf_shunts ) + { + NOTICE([$note=No_More_Conn_Shunts_Available, + $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]); + return F; + } + + add shunted_conns[id]; + install(); + return T; + } + +event connection_state_remove(c: connection) &priority=-5 + { + # Don't rebuild the filter right away because the packet filter framework will check every few minutes + # and update the filter if things have changed. + if ( c$id in shunted_conns ) + delete shunted_conns[c$id]; + } \ No newline at end of file diff --git a/scripts/base/frameworks/packet-filter/utils.bro b/scripts/base/frameworks/packet-filter/utils.bro new file mode 100644 index 0000000000..6ee2993050 --- /dev/null +++ b/scripts/base/frameworks/packet-filter/utils.bro @@ -0,0 +1,43 @@ +module PacketFilter; + +export { + ## Takes a :bro:type:`port` and returns a BPF expression which will + ## match the port. + ## + ## p: The port. + ## + ## Returns: A valid BPF filter string for matching the port. + global port_to_bpf: function(p: port): string; + + ## Combines two valid BPF filter strings with a string based operator + ## to form a new filter. + ## + ## lfilter: Filter which will go on the left side. + ## + ## op: Operation being applied (typically "or" or "and"). + ## + ## rfilter: Filter which will go on the right side. + ## + ## Returns: A new string representing the two filters combined with + ## the operator. Either filter being an empty string will + ## still result in a valid filter. + global combine_filters: function(lfilter: string, op: string, rfilter: string): string; +} + +function port_to_bpf(p: port): string + { + local tp = get_port_transport_proto(p); + return cat(tp, " and ", fmt("port %d", p)); + } + +function combine_filters(lfilter: string, op: string, rfilter: string): string + { + if ( lfilter == "" && rfilter == "" ) + return ""; + else if ( lfilter == "" ) + return rfilter; + else if ( rfilter == "" ) + return lfilter; + else + return fmt("(%s) %s (%s)", lfilter, op, rfilter); + } \ No newline at end of file diff --git a/scripts/base/frameworks/protocols/__load__.bro b/scripts/base/frameworks/protocols/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/protocols/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/frameworks/protocols/main.bro b/scripts/base/frameworks/protocols/main.bro new file mode 100644 index 0000000000..8924c4c259 --- /dev/null +++ b/scripts/base/frameworks/protocols/main.bro @@ -0,0 +1,49 @@ + +@load base/frameworks/packet-filter + +module Protocols; + +export { + const common_ports: table[string] of set[port] = {} &redef; + + ## Automatically creates a BPF filter for the specified protocol based + ## on the data supplied for the protocol in the :bro:id:`common_ports` + ## variable. + ## + ## protocol: A string representation for a protocol, e.g. "HTTP" + ## + ## Returns: BPF filter string. + global protocol_to_bpf: function(protocol: string): string; + + global to_bpf: function(): string; + + ## Maps between human readable protocol identifiers (like "HTTP") + ## and the internal Bro representation for an analyzer (like ANALYZER_HTTP). + ## This is typically fully populated by the base protocol analyzer scripts. + const analyzer_map: table[string] of set[count] = {} &redef; +} + +function protocol_to_bpf(protocol: string): string + { + # Return an empty string if an undefined protocol was given. + if ( protocol !in common_ports ) + return ""; + + local output = ""; + for ( one_port in common_ports[protocol] ) + output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(one_port)); + return output; + } + +function to_bpf(): string + { + local output = ""; + for ( p in common_ports ) + output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p)); + return output; + } + + + + + \ No newline at end of file diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 200947938d..81ebf27cc8 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -607,19 +607,6 @@ global signature_files = "" &add_func = add_signature_file; ## ``p0f`` fingerprint file to use. Will be searched relative to ``BRO_PATH``. const passive_fingerprint_file = "base/misc/p0f.fp" &redef; -# todo::testing to see if I can remove these without causing problems. -#const ftp = 21/tcp; -#const ssh = 22/tcp; -#const telnet = 23/tcp; -#const smtp = 25/tcp; -#const domain = 53/tcp; # note, doesn't include UDP version -#const gopher = 70/tcp; -#const finger = 79/tcp; -#const http = 80/tcp; -#const ident = 113/tcp; -#const bgp = 179/tcp; -#const rlogin = 513/tcp; - # TCP values for :bro:see:`endpoint` *state* field. # todo::these should go into an enum to make them autodoc'able. const TCP_INACTIVE = 0; ##< Endpoint is still inactive. diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 1cf125c3ab..b2e52cedfb 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -29,6 +29,7 @@ @load base/frameworks/metrics @load base/frameworks/intel @load base/frameworks/reporter +@load base/frameworks/protocols @load base/protocols/conn @load base/protocols/dns diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 56107fd02d..4fa4b229f7 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -1,6 +1,7 @@ ##! Base DNS analysis script which tracks and logs DNS queries along with ##! their responses. +@load base/frameworks/protocols @load ./consts module DNS; @@ -109,23 +110,11 @@ redef record connection += { dns_state: State &optional; }; -# DPD configuration. -redef capture_filters += { - ["dns"] = "port 53", - ["mdns"] = "udp and port 5353", - ["llmns"] = "udp and port 5355", - ["netbios-ns"] = "udp port 137", -}; - -const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - -const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; -const dns_tcp_ports = { 53/tcp }; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; - -redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +# Not attaching ANALYZER_DNS_UDP_BINPAC and ANALYZER_DNS_TCP_BINPAC right now. +global analyzers = { ANALYZER_DNS }; +redef Protocols::analyzer_map["DNS"] = analyzers; +global ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef Protocols::common_ports["DNS"] = ports; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9e16804a32..80a0e0a796 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -3,10 +3,12 @@ ##! will take on the full path that the client is at along with the requested ##! file name. +@load base/frameworks/protocols @load ./utils-commands @load base/utils/paths @load base/utils/numbers + module FTP; export { @@ -92,12 +94,10 @@ redef record connection += { ftp: Info &optional; }; -# Configure DPD -const ports = { 21/tcp } &redef; -redef capture_filters += { ["ftp"] = "port 21" }; -redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; - -redef likely_server_ports += { 21/tcp }; +global analyzers = { ANALYZER_FTP }; +redef Protocols::analyzer_map["FTP"] = analyzers; +global ports = { 21/tcp }; +redef Protocols::common_ports["FTP"] = ports; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 6571548145..dbfbe4b6ff 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -2,6 +2,7 @@ ##! to log request/response pairs and all relevant metadata together in ##! a single record. +@load base/frameworks/protocols @load base/utils/numbers @load base/utils/files @@ -110,17 +111,15 @@ event bro_init() &priority=5 Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); } -# DPD configuration. -const ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { - [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], -}; -redef capture_filters += { - ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" -}; + +global analyzers = { ANALYZER_HTTP, ANALYZER_HTTP_BINPAC }; +redef Protocols::analyzer_map["HTTP"] = analyzers; +global ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp }; +redef Protocols::common_ports["HTTP"] = ports; + +#redef dpd_config += { +# [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = Protocols::common_ports["HTTP"]], +#}; redef likely_server_ports += { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 2bf2a9bbb9..a59e5043f6 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro @@ -2,6 +2,8 @@ ##! IRC commands along with the associated response and some additional ##! metadata about the connection if it's available. +@load base/frameworks/protocols + module IRC; export { @@ -36,17 +38,10 @@ redef record connection += { irc: Info &optional; }; -# Some common IRC ports. -redef capture_filters += { ["irc-6666"] = "port 6666" }; -redef capture_filters += { ["irc-6667"] = "port 6667" }; -redef capture_filters += { ["irc-6668"] = "port 6668" }; -redef capture_filters += { ["irc-6669"] = "port 6669" }; - -# DPD configuration. -const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +global analyzers = { ANALYZER_IRC }; +redef Protocols::analyzer_map["IRC"] = analyzers; +global ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp, 7000/tcp }; +redef Protocols::common_ports["IRC"] = ports; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 513b85e342..5676878b18 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -1,4 +1,5 @@ @load base/frameworks/notice +@load base/frameworks/protocols @load base/utils/addrs @load base/utils/directions-and-hosts @@ -66,11 +67,9 @@ redef record connection += { smtp_state: State &optional; }; -# Configure DPD -redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; - -redef likely_server_ports += { 25/tcp, 587/tcp }; +global analyzers = { ANALYZER_SMTP }; +redef Protocols::analyzer_map["SMTP"] = analyzers; +redef Protocols::common_ports["SMTP"] = ports; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 0d3439bb1f..7ca71ba9df 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -6,6 +6,7 @@ ##! is not attempted if the connection size analyzer isn't enabled. @load base/frameworks/notice +@load base/frameworks/protocols @load base/utils/site @load base/utils/thresholds @load base/utils/conn-ids @@ -73,11 +74,10 @@ export { global log_ssh: event(rec: Info); } -# Configure DPD and the packet filter -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] }; - -redef likely_server_ports += { 22/tcp }; +global analyzers = { ANALYZER_SSH }; +redef Protocols::analyzer_map["SSH"] = analyzers; +global ports = { 22/tcp }; +redef Protocols::common_ports["SSH"] = ports; redef record connection += { ssh: Info &optional; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 0b280a6bcf..6a75e01735 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -1,6 +1,7 @@ ##! Base SSL analysis script. This script logs information about the SSL/TLS ##! handshaking and encryption establishment process. +@load base/frameworks/protocols @load ./consts module SSL; @@ -70,35 +71,13 @@ event bro_init() &priority=5 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); } + +global analyzers = { ANALYZER_SSL }; +redef Protocols::analyzer_map["SSL"] = analyzers; +global ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, + 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp }; +redef Protocols::common_ports["SSL"] = ports; -redef capture_filters += { - ["ssl"] = "tcp port 443", - ["nntps"] = "tcp port 563", - ["imap4-ssl"] = "tcp port 585", - ["sshell"] = "tcp port 614", - ["ldaps"] = "tcp port 636", - ["ftps-data"] = "tcp port 989", - ["ftps"] = "tcp port 990", - ["telnets"] = "tcp port 992", - ["imaps"] = "tcp port 993", - ["ircs"] = "tcp port 994", - ["pop3s"] = "tcp port 995", - ["xmpps"] = "tcp port 5223", -}; - -const ports = { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; - -redef dpd_config += { - [[ANALYZER_SSL]] = [$ports = ports] -}; - -redef likely_server_ports += { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; function set_session(c: connection) { diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 79f89d5e71..786e3668a4 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -1,6 +1,7 @@ ##! Core script support for logging syslog messages. This script represents ##! one syslog message as one logged record. +@load base/frameworks/protocols @load ./consts module Syslog; @@ -24,11 +25,10 @@ export { }; } -redef capture_filters += { ["syslog"] = "port 514" }; -const ports = { 514/udp } &redef; -redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] }; - -redef likely_server_ports += { 514/udp }; +global analyzers = { ANALYZER_SYSLOG_BINPAC }; +redef Protocols::analyzer_map["SYSLOG"] = analyzers; +global ports = { 514/udp }; +redef Protocols::common_ports["SYSLOG"] = ports; redef record connection += { syslog: Info &optional; diff --git a/scripts/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.bro index 30d7e23729..24b18d5917 100644 --- a/scripts/policy/tuning/defaults/packet-fragments.bro +++ b/scripts/policy/tuning/defaults/packet-fragments.bro @@ -3,7 +3,9 @@ ## This normally isn't used because of the default open packet filter ## but we set it anyway in case the user is using a packet filter. -redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" }; +## Note: This was removed because the default model now is to have a wide +## open packet filter. +#redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" }; ## Shorten the fragment timeout from never expiring to expiring fragments after ## five minutes.