Initial rework of packet filter framework.

- Large rework on packet filter framework to make many things easier.
   - Removed the PacketFilter::all_packets variable because it was confusing.
   - New variable (PacketFilter::enable_auto_protocol_capture_filters) to re-enable the old filtering model of only sniffing ports for analyzed protocols.
   - In progress plugin model for adding filtering mechanisms.
   - New default single item for capture_filters = { ["default"] = PacketFilter::default_capture_filter };
   - Mechanism and helper functions to "shunt" traffic with filters.

- Created the Protocols framework to assist with reworking how base protocol scripts are registered with DPD and other things.
   - Protocols framework creates BPF filters for registered analyzers. (if using PacketFilter framework in that mode).

scripts/base/protocols/dns/main.bro

@@ -1,6 +1,7 @@
 ##! Base DNS analysis script which tracks and logs DNS queries along with
 ##! their responses.
 
+@load base/frameworks/protocols
 @load ./consts
 
 module DNS;
@@ -109,23 +110,11 @@ redef record connection += {
 	dns_state: State &optional;
 };
 
-# DPD configuration.
-redef capture_filters += {
-	["dns"] = "port 53",
-	["mdns"] = "udp and port 5353",
-	["llmns"] = "udp and port 5355",
-	["netbios-ns"] = "udp port 137",
-};
-
-const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
-redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
-
-const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
-const dns_tcp_ports = { 53/tcp };
-redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
-redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
-
-redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+# Not attaching ANALYZER_DNS_UDP_BINPAC and ANALYZER_DNS_TCP_BINPAC right now.
+global analyzers = { ANALYZER_DNS };
+redef Protocols::analyzer_map["DNS"] = analyzers;
+global ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef Protocols::common_ports["DNS"] = ports;
 
 event bro_init() &priority=5
 	{

scripts/base/protocols/ftp/main.bro

@@ -3,10 +3,12 @@
 ##! will take on the full path that the client is at along with the requested 
 ##! file name.
 
+@load base/frameworks/protocols
 @load ./utils-commands
 @load base/utils/paths
 @load base/utils/numbers
 
+
 module FTP;
 
 export {
@@ -92,12 +94,10 @@ redef record connection += {
 	ftp: Info &optional;
 };
 
-# Configure DPD
-const ports = { 21/tcp } &redef;
-redef capture_filters += { ["ftp"] = "port 21" };
-redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
-
-redef likely_server_ports += { 21/tcp };
+global analyzers = { ANALYZER_FTP };
+redef Protocols::analyzer_map["FTP"] = analyzers;
+global ports = { 21/tcp };
+redef Protocols::common_ports["FTP"] = ports;
 
 # Establish the variable for tracking expected connections.
 global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;

scripts/base/protocols/http/main.bro

@@ -2,6 +2,7 @@
 ##! to log request/response pairs and all relevant metadata together in 
 ##! a single record.
 
+@load base/frameworks/protocols
 @load base/utils/numbers
 @load base/utils/files
 
@@ -110,17 +111,15 @@ event bro_init() &priority=5
 	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
 	}
 
-# DPD configuration.
-const ports = {
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
-	8000/tcp, 8080/tcp, 8888/tcp,
-};
-redef dpd_config += { 
-	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
-};
-redef capture_filters +=  {
-	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
-};
+
+global analyzers = { ANALYZER_HTTP, ANALYZER_HTTP_BINPAC };
+redef Protocols::analyzer_map["HTTP"] = analyzers;
+global ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp };
+redef Protocols::common_ports["HTTP"] = ports;
+
+#redef dpd_config += {
+#	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = Protocols::common_ports["HTTP"]],
+#};
 
 redef likely_server_ports += { 
 	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,

scripts/base/protocols/irc/main.bro

@@ -2,6 +2,8 @@
 ##! IRC commands along with the associated response and some additional 
 ##! metadata about the connection if it's available.
 
+@load base/frameworks/protocols
+
 module IRC;
 
 export {
@@ -36,17 +38,10 @@ redef record connection += {
 	irc:  Info &optional;
 };
 
-# Some common IRC ports.
-redef capture_filters += { ["irc-6666"] = "port 6666" };
-redef capture_filters += { ["irc-6667"] = "port 6667" };
-redef capture_filters += { ["irc-6668"] = "port 6668" };
-redef capture_filters += { ["irc-6669"] = "port 6669" };
-
-# DPD configuration.
-const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
-redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
-
-redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+global analyzers = { ANALYZER_IRC };
+redef Protocols::analyzer_map["IRC"] = analyzers;
+global ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp, 7000/tcp };
+redef Protocols::common_ports["IRC"] = ports;
 
 event bro_init() &priority=5
 	{

scripts/base/protocols/smtp/main.bro

@@ -1,4 +1,5 @@
 @load base/frameworks/notice
+@load base/frameworks/protocols
 @load base/utils/addrs
 @load base/utils/directions-and-hosts
 
@@ -66,11 +67,9 @@ redef record connection += {
 	smtp_state: State &optional;
 };
 
-# Configure DPD
-redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
-redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
-
-redef likely_server_ports += { 25/tcp, 587/tcp };
+global analyzers = { ANALYZER_SMTP };
+redef Protocols::analyzer_map["SMTP"] = analyzers;
+redef Protocols::common_ports["SMTP"] = ports;
 
 event bro_init() &priority=5
 	{

scripts/base/protocols/ssh/main.bro

@@ -6,6 +6,7 @@
 ##! is not attempted if the connection size analyzer isn't enabled.
 
 @load base/frameworks/notice
+@load base/frameworks/protocols
 @load base/utils/site
 @load base/utils/thresholds
 @load base/utils/conn-ids
@@ -73,11 +74,10 @@ export {
 	global log_ssh: event(rec: Info);
 }
 
-# Configure DPD and the packet filter
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
-
-redef likely_server_ports += { 22/tcp };
+global analyzers = { ANALYZER_SSH };
+redef Protocols::analyzer_map["SSH"] = analyzers;
+global ports = { 22/tcp };
+redef Protocols::common_ports["SSH"] = ports;
 
 redef record connection += {
 	ssh: Info &optional;

scripts/base/protocols/ssl/main.bro

@@ -1,6 +1,7 @@
 ##! Base SSL analysis script.  This script logs information about the SSL/TLS
 ##! handshaking and encryption establishment process.
 
+@load base/frameworks/protocols
 @load ./consts
 
 module SSL;
@@ -70,35 +71,13 @@ event bro_init() &priority=5
 	{
 	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
 	}
+	
+global analyzers = { ANALYZER_SSL };
+redef Protocols::analyzer_map["SSL"] = analyzers;
+global ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
+                 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp };
+redef Protocols::common_ports["SSL"] = ports;
 
-redef capture_filters += {
-	["ssl"] = "tcp port 443",
-	["nntps"] = "tcp port 563",
-	["imap4-ssl"] = "tcp port 585",
-	["sshell"] = "tcp port 614",
-	["ldaps"] = "tcp port 636",
-	["ftps-data"] = "tcp port 989",
-	["ftps"] = "tcp port 990",
-	["telnets"] = "tcp port 992",
-	["imaps"] = "tcp port 993",
-	["ircs"] = "tcp port 994",
-	["pop3s"] = "tcp port 995",
-	["xmpps"] = "tcp port 5223",
-};
-
-const ports = {
-	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
-	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
-
-redef dpd_config += {
-	[[ANALYZER_SSL]] = [$ports = ports]
-};
-
-redef likely_server_ports += {
-	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
-	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
 
 function set_session(c: connection)
 	{

scripts/base/protocols/syslog/main.bro

@@ -1,6 +1,7 @@
 ##! Core script support for logging syslog messages.  This script represents 
 ##! one syslog message as one logged record.
 
+@load base/frameworks/protocols
 @load ./consts
 
 module Syslog;
@@ -24,11 +25,10 @@ export {
 	};
 }
 
-redef capture_filters += { ["syslog"] = "port 514" };
-const ports = { 514/udp } &redef;
-redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
-
-redef likely_server_ports += { 514/udp };
+global analyzers = { ANALYZER_SYSLOG_BINPAC };
+redef Protocols::analyzer_map["SYSLOG"] = analyzers;
+global ports = { 514/udp };
+redef Protocols::common_ports["SYSLOG"] = ports;
 
 redef record connection += {
 	syslog: Info &optional;