diff --git a/policy/all.bro b/policy/all.bro
index fdba9d391e..c29e23bfc6 100644
--- a/policy/all.bro
+++ b/policy/all.bro
@@ -19,3 +19,5 @@
 @load frameworks/cluster
 @load tuning/defaults
+
+@load support/loaded-scripts
diff --git a/policy/frameworks/cluster/base/__load__.bro b/policy/frameworks/cluster/base/__load__.bro
index 4ba567f046..8e97e7f6ec 100644
--- a/policy/frameworks/cluster/base/__load__.bro
+++ b/policy/frameworks/cluster/base/__load__.bro
@@ -14,7 +14,6 @@
 @if ( Cluster::node in Cluster::nodes )
-@load frameworks/cluster/base/external-events
 @load frameworks/cluster/base/setup-connections
 # Don't start the listening process until we're a bit more sure that the
diff --git a/policy/frameworks/cluster/base/main.bro b/policy/frameworks/cluster/base/main.bro
index b4c5b2f898..b3a29b67fa 100644
--- a/policy/frameworks/cluster/base/main.bro
+++ b/policy/frameworks/cluster/base/main.bro
@@ -28,7 +28,7 @@ export {
 ## Events sent by the manager host (i.e. BroControl) when dynamically
 ## connecting to a running instance to update settings or request data.
- const control_events = /Cluster::(configuration_update|request_id|get_peer_status)/ &redef;
+ const control_events = /Remote::(configuration_update|id_request|net_stats_request|peer_status_request)/ &redef;
 ## Directory where the cluster is archiving logs.
 ## TODO: we need a sane default here.
@@ -49,7 +49,7 @@ export {
 proxy: string &optional;
 ## Worker nodes that this node connects with. For managers and proxies.
 workers: set[string] &optional;
- time_machine: string &optional;
+ time_machine: string &optional;
 };
 const nodes: table[string] of Node = {} &redef;
diff --git a/policy/frameworks/cluster/base/setup-connections.bro b/policy/frameworks/cluster/base/setup-connections.bro
index 32ea9a6f2f..4ed88ac7c3 100644
--- a/policy/frameworks/cluster/base/setup-connections.bro
+++ b/policy/frameworks/cluster/base/setup-connections.bro
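Review bot: The widened `control_events` pattern lets the peer registered as CONTROL raise `Remote::id_request`, and the handler for that event in support/remote/events.bro (part of this same change) answers with `lookup_ID(id)` for whatever ID name the peer asks for, so every script-level global becomes readable from the control host; the `## Events sent by the manager host` doc comment above the const should say so, e.g. `## Note: id_request exposes the value of any global to the control peer, so only a trusted host may be registered as CONTROL.` Separately, the __load__.bro hunk drops the `@load` of the events script and nothing visible in this diff loads support/remote from the cluster framework, so confirm that cluster nodes still declare the `Remote::` events the pattern names.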
@@ -1,7 +1,7 @@
 module Cluster;
-event bro_init()
+event bro_init() &priority=9
 {
 local me = nodes[node];
@@ -12,9 +12,14 @@ event bro_init()
 # Connections from the control node for runtime control and update events.
 # Every node in a cluster is eligible for control from this host.
 if ( n$node_type == CONTROL )
- Communication::nodes["control"] = [$host = n$ip, $connect=F,
+ Communication::nodes["control"] = [$host=n$ip, $connect=F,
 $class="control", $events=control_events];
+ # The node being started up is this node so we create a dummy
+ # communication entry to point at this host for control.
+ if ( i == node )
+ Communication::nodes[i] = [$host=n$ip, $p=n$p, $connect=F, $class="control", $sync=F];
+
 if ( me$node_type == MANAGER )
 {
 if ( n$node_type == WORKER && n$manager == node )
@@ -24,7 +29,7 @@ event bro_init()
 if ( n$node_type == PROXY && n$manager == node )
 Communication::nodes[i] =
- [$host=n$ip, $connect=F,
+ [$host=n$ip, $connect=F,
 $class=i, $events=proxy_events, $request_logs=T];
 if ( n$node_type == TIME_MACHINE && me?$time_machine && me$time_machine == i )
diff --git a/policy/frameworks/communication/base/main.bro b/policy/frameworks/communication/base/main.bro
index baf8cee976..ac8e820796 100644
--- a/policy/frameworks/communication/base/main.bro
+++ b/policy/frameworks/communication/base/main.bro
@@ -17,9 +17,9 @@ export {
 type Info: record {
 ts: time &log;
+ peer: string &log &optional;
 level: string &log &optional;
 src_name: string &log &optional;
- peer: string &log &optional;
 msg: string &log;
 };
diff --git a/policy/frameworks/communication/listen-clear.bro b/policy/frameworks/communication/listen-clear.bro
index 0f246441ff..38a5d80897 100644
--- a/policy/frameworks/communication/listen-clear.bro
+++ b/policy/frameworks/communication/listen-clear.bro
@@ -13,7 +13,7 @@ export {
 }
-event bro_init()
+event bro_init() &priority=-10
 {
 listen(listen_if_clear, listen_port_clear, F);
 }
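Review bot: The self-entry added under `if ( i == node )` uses `$class="control"` but, unlike the CONTROL entry two lines earlier, carries no `$events=control_events` filter; if the communication framework matches an inbound "control" peer against this entry rather than the explicit one (which entry wins for a given host and class is not visible here), a connection from this host's own address would be accepted without the event restriction. Either add `$events=control_events` to it or explain in the comment why no filter is needed; the comment should also say what the entry is for — presumably so that a script can look this node up by name in `Communication::nodes` — since "dummy … for control" does not tell a reader why a node lists itself. The enclosing `bro_init` handler starts and ends outside this hunk.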
diff --git a/policy/frameworks/communication/listen-ssl.bro b/policy/frameworks/communication/listen-ssl.bro
index 7b822ec013..e5a3c588f1 100644
--- a/policy/frameworks/communication/listen-ssl.bro
+++ b/policy/frameworks/communication/listen-ssl.bro
@@ -14,7 +14,7 @@ export {
 }
-event bro_init()
+event bro_init() &priority=-10
 {
 listen(listen_if_ssl, listen_port_ssl, T);
 }
diff --git a/policy/support/loaded-scripts.bro b/policy/support/loaded-scripts.bro
new file mode 100644
index 0000000000..2077e6c99a
--- /dev/null
+++ b/policy/support/loaded-scripts.bro
@@ -0,0 +1,20 @@
+module LoadedScripts;
+
+export {
+ redef enum Log::ID += { LOADED_SCRIPTS };
+
+ type Info: record {
+ depth: count &log;
+ name: string &log;
+ };
+}
+
+event bro_init()
+ {
+ Log::create_stream(LOADED_SCRIPTS, [$columns=Info]);
+ }
+
+event bro_script_loaded(path: string, level: count)
+ {
+ Log::write(LOADED_SCRIPTS, [$depth=level, $name=path]);
+ }
\ No newline at end of file
diff --git a/policy/support/remote/__load__.bro b/policy/support/remote/__load__.bro
new file mode 100644
index 0000000000..b97af39388
--- /dev/null
+++ b/policy/support/remote/__load__.bro
@@ -0,0 +1 @@
+@load support/remote/events
\ No newline at end of file
diff --git a/policy/support/remote/analysis-groups.bro b/policy/support/remote/analysis-groups.bro
new file mode 100644
index 0000000000..e7cc102158
--- /dev/null
+++ b/policy/support/remote/analysis-groups.bro
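Review bot: `LOADED_SCRIPTS` and the two `Info` fields in the new loaded-scripts.bro have no `##` doc comments, unlike the other exported declarations in this change; `## Nesting depth of the @load that pulled the script in (the level argument of bro_script_loaded).` and `## Path of the loaded script.` would make the log columns self-describing. `Log::write` in `bro_script_loaded` assumes the stream created in `bro_init` already exists; if script-loaded events can be delivered before that handler runs, the handler needs a higher priority — confirm against the event ordering, which is outside this diff.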
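Review bot: `@load support/remote` pulls in only events.bro, so the `Remote::configuration_update` handler that actually acts on the event (analysis-groups.bro) and the sender (config.bro) are not loaded by this loader; if that split is deliberate, say so here, e.g. `# Event declarations only; load support/remote/analysis-groups and support/remote/config explicitly where needed.` The file also lacks a trailing newline.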
@@ -0,0 +1,30 @@
+##! This script gives the capability to selectively enable and disable event
+##! groups at runtime. No events will be raised for all memmbers of a disabled
+##! event group.
+
+@load support/remote
+
+module Remote;
+
+export {
+ # By default, all event groups are enabled. We disable all groups in this table.
+ const disabled_analysis_groups: set[string] &redef; # = { "ftp" }
+}
+
+# Set to remember all groups which were disabled by the last update().
+global currently_disabled: set[string];
+
+event configuration_update()
+ {
+ # Reenable those which are not to be disabled anymore.
+ for ( g in currently_disabled )
+ if ( g !in disabled_analysis_groups )
+ enable_event_group(g);
+
+ # Disable those which are not already.
+ for ( g in disabled_analysis_groups )
+ if ( g !in currently_disabled )
+ disable_event_group(g);
+
+ currently_disabled = copy(disabled_analysis_groups);
+ }
\ No newline at end of file
diff --git a/policy/frameworks/cluster/send-config.bro b/policy/support/remote/config.bro
similarity index 52%
rename from policy/frameworks/cluster/send-config.bro
rename to policy/support/remote/config.bro
index e0c3ba90fc..18aa073316 100644
--- a/policy/frameworks/cluster/send-config.bro
+++ b/policy/support/remote/config.bro
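Review bot: The header comment has a typo (`memmbers` → `members`) and the comment on `currently_disabled` refers to `update()` where the handler is `configuration_update()`; the exported const is documented with a plain `#` rather than the `##` doc comment used elsewhere in this change, and the trailing `# = { "ftp" }` reads as a leftover — `## Event groups to disable; no handler in a listed group fires. Example: { "ftp" }` would serve both purposes. It is also worth a sentence in the header that, with the `Cluster::control_events` pattern from this same change, `configuration_update` can be raised by the control peer, so a group disabled here stays disabled until that host pushes a new `disabled_analysis_groups`.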
@@ -2,27 +2,29 @@
 ##! consts to a remote Bro then sends the :bro:id:`configuration_update` event
 ##! and terminates processing.
 ##!
-##! Intended to be used from the command line as in:
-##! bro Cluster::config_node= frameworks/cluster/send-config
+##! Intended to be used from the command line like this:
+##! bro Remote::config_node= support/remote/send-config
 ##!
-##! The :bro:id:`config_node` value should contain the node name of one of the
-##! nodes of the configured cluster.
+##! The :bro:id:`Remote::config_node` value should contain the node name of one of the
+##! nodes of the configured communications.
 @load frameworks/communication
-@load frameworks/cluster
+@load support/remote
-module Cluster;
+module Remote;
 export {
- ## This is the name of the node configured in the cluster that the
- ## updated configuration should be sent to.
+ ## This is the name of the node configured in the communication framework
+ ## that you want to send new variables to.
 const config_node = "" &redef;
 ## Variable IDs that are to be ignored by the update process.
 const ignore_ids: set[string] = {
- "Communication::nodes",
- "Cluster::config_node"
+ # TODO: Bro crashes if it tries to send this ID.
+ "Log::rotation_control",
 };
+
+ ##
 }
 event terminate_event()
@@ -51,11 +53,11 @@ event remote_connection_handshake_done(p: event_peer)
 # We don't want to update non-const globals because that's usually
 # where state is stored and those values will frequently be declared
 # with &redef so that attributes can be redefined.
- if ( ! t$redefinable || ! t$constant )
- next;
-
- send_id(p, id);
- ++cnt;
+ if ( t$constant && t$redefinable )
+ {
+ send_id(p, id);
+ ++cnt;
+ }
 }
 print fmt("sent %d IDs", cnt);
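Review bot: The usage line now reads `bro Remote::config_node= support/remote/send-config`, but the file is being renamed to support/remote/config.bro, so the documented path no longer exists; it should read `##! bro Remote::config_node=<name> support/remote/config`. `Cluster::config_node` was dropped from `ignore_ids` but its replacement `Remote::config_node` — declared `const … &redef` just above, so it passes the `t$constant && t$redefinable` check in the next hunk — was not added, meaning the control host's own `config_node` value will be pushed to the target; add `"Remote::config_node",` to the set, and the same question applies to `Remote::ignore_ids` itself. The bare `##` added at the end of the export block is an empty doc comment attached to nothing and should be dropped or completed.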
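Review bot: `remote_connection_handshake_done` pushes every constant, redefinable ID to whichever peer `p` completed the handshake, without checking that `p` is the `config_node` target; the `bro_init` handler later in this file reduces `Communication::nodes` to that single outbound entry, but if a listening script such as listen-clear.bro is loaded alongside, an inbound peer would receive the same dump — hedged, since the rest of the handler and the fields available on `p` are outside the hunk. A guard at the top of the handler that compares `p` against the "control" entry would make the intent explicit. The handler starts outside this hunk.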
@@ -70,39 +72,21 @@ event remote_connection_handshake_done(p: event_peer)
 event terminate_event();
 }
-function make_dest(tag: string, ip: addr, p: port)
- {
- Communication::nodes[fmt("%s-update", tag)]
- = [$host=ip, $p=p, $sync=F, $class="update"];
- }
-
-# This handler is executed after the other bro_inits() so that we can
-# actually delete all previous destinations and fill the table ourselves.
-event bro_init() &priority=-1
- {
- clear_table(Communication::nodes);
-
- for ( n in workers )
- make_dest(workers[n]$tag, workers[n]$ip, workers[n]$p);
-
- for ( n in proxies )
- make_dest(proxies[n]$tag, proxies[n]$ip, proxies[n]$p);
-
- make_dest(manager$tag, manager$ip, manager$p);
- }
-
-event bro_init() &priority=-2
+event bro_init() &priority=-3
 {
+ if ( config_node == "" )
+ return;
+
 if ( config_node !in Communication::nodes )
 {
- if ( config_node == "" )
- print "You must supply a value to the Cluster::config_node variable.";
- else
- print fmt("Unknown peer '%s'", config_node);
+ print fmt("Unknown peer '%s'", config_node);
 terminate();
 return;
 }
- Communication::connect_peer(config_node);
+ local n = Communication::nodes[config_node];
+ n$connect=T;
+ n$sync=F;
+ n$class="control";
+ Communication::nodes = table(["control"] = n);
 }
-
diff --git a/policy/frameworks/cluster/base/external-events.bro b/policy/support/remote/events.bro
similarity index 59%
rename from policy/frameworks/cluster/base/external-events.bro
rename to policy/support/remote/events.bro
index 72784e4f7f..49d3ddd4c4 100644
--- a/policy/frameworks/cluster/base/external-events.bro
+++ b/policy/support/remote/events.bro
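Review bot: With `config_node` empty the handler now returns silently, whereas the removed code printed a message and called `terminate()` for that case; since this script is run from the command line to push settings, a missing `Remote::config_node` should still stop the process rather than leave Bro running with its full peer table intact, e.g. `print "You must supply a value to the Remote::config_node variable."; terminate(); return;` in place of the bare `return`. The entry copied out of `Communication::nodes` is switched to `$connect=T`, which needs a port, but entries created with `$connect=F` in setup-connections.bro do not all carry `$p` in the visible hunks; check `n?$p` before replacing the table and report the node as unusable otherwise. Whether `terminate()` alone is enough to stop the handshake handler above from firing on an already-established peer is not visible here.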
@@ -1,9 +1,12 @@
 ##! Events which can be sent dynamically to Bro instances to retrieve
 ##! information about the running process.
-module Cluster;
+module Remote;
 export {
+ # This event is generated when Bro's configuration may have been updated.
+ global configuration_update: event();
+
 ## Event for requesting the value of an ID (a variable).
 global id_request: event(id: string);
 ## Event for returning the value of an ID after an :bro:id:`id_request` event.
@@ -14,14 +17,16 @@ export {
 ## Returns the current communication status.
 global peer_status_response: event(s: string);
+ ## Requests the current net_stats.
 global net_stats_request: event();
+ ## Returns the current net_stats.
 global net_stats_response: event(s: string);
 }
 event id_request(id: string)
 {
- local msg = fmt("%.6f got event id_request(%s)", network_time(), id);
- Log::write(CLUSTER, [$ts=network_time(), $msg=msg]);
+ #local msg = fmt("%.6f got event id_request(%s)", network_time(), id);
+ #Log::write(CLUSTER, [$ts=network_time(), $msg=msg]);
 local val = lookup_ID(id);
 event id_response(id, fmt("%s", val));
@@ -29,14 +34,14 @@ event id_request(id: string)
 event id_response(id: string, val: string)
 {
- local msg = fmt("%.6f raised event id_response(%s, %s)", network_time(), id, val);
- Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
+ #local msg = fmt("%.6f raised event id_response(%s, %s)", network_time(), id, val);
+ #Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
 }
 event peer_status_request()
 {
- local msg = fmt("%.6f got event peer_status_request()", network_time());
- Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
+ #local msg = fmt("%.6f got event peer_status_request()", network_time());
+ #Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
 local status = "";
 for ( p in Communication::nodes )
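Review bot: The new `configuration_update` declaration is documented with a single `#` while every other export in this block uses `##`, so it will be skipped if `##` is what the documentation generator picks up; change it to `## Raised to tell a Bro instance that its configuration may have changed (e.g. after IDs were pushed by support/remote/config).`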
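Review bot: Commenting out the two `Log::write` lines in `id_request` removes the only record of which peer asked for which ID, while the handler still answers with `lookup_ID(id)` for any name and ships the value back via `id_response`; an audit line for a remote read of arbitrary globals is worth keeping. If the reason is that `CLUSTER` is no longer in scope under `module Remote`, write to the communication log or declare a stream for this module instead of leaving dead code, and the same applies to `id_response` and `peer_status_request` in the next hunk. The `peer_status_request` handler continues outside the hunk.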
@@ -54,8 +59,8 @@ event peer_status_request()
 event peer_status_response(s: string)
 {
- local msg = fmt("%.6f raised event peer_status_response(%s)", network_time(), s);
- Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
+ #local msg = fmt("%.6f raised event peer_status_response(%s)", network_time(), s);
+ #Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
 }
 event net_stats_request()
@@ -68,7 +73,7 @@ event net_stats_request()
 event net_stats_response(s: string)
 {
- local msg = fmt("%.6f raised event net_stats_response(%s)", network_time(), s);
- Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
+ #local msg = fmt("%.6f raised event net_stats_response(%s)", network_time(), s);
+ #Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
 }
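Review bot: The `#local msg …` / `#Log::write …` pairs left in `peer_status_response` and `net_stats_response` are commented-out code rather than a removal; if the logging is gone for good, delete the lines, and if it is meant to return once a suitable log stream exists, a `# TODO: re-enable once a Remote log stream replaces CLUSTER` comment would tell the next maintainer what is pending. The `net_stats_request` handler between the two hunks is not visible here.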