mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Removing event groups.
parent
1a30a57816
commit
52cd02173d
15 changed files with 46 additions and 157 deletions
|
@ -25,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
|
|||
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
|
||||
rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
|
||||
|
@ -134,7 +135,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro)
|
|||
rest_target(${psd} policy/integration/barnyard2/main.bro)
|
||||
rest_target(${psd} policy/integration/barnyard2/types.bro)
|
||||
rest_target(${psd} policy/integration/collective-intel/main.bro)
|
||||
rest_target(${psd} policy/misc/analysis-groups.bro)
|
||||
rest_target(${psd} policy/misc/capture-loss.bro)
|
||||
rest_target(${psd} policy/misc/loaded-scripts.bro)
|
||||
rest_target(${psd} policy/misc/profiling.bro)
|
||||
|
|
|
@ -1,31 +0,0 @@
|
|||
##! This script gives the capability to selectively enable and disable event
|
||||
##! groups at runtime. No events will be raised for all members of a disabled
|
||||
##! event group.
|
||||
|
||||
module AnalysisGroups;
|
||||
|
||||
export {
|
||||
## By default, all event groups are enabled.
|
||||
## We disable all groups in this table.
|
||||
const disabled: set[string] &redef;
|
||||
}
|
||||
|
||||
# Set to remember all groups which were disabled by the last update.
|
||||
global currently_disabled: set[string];
|
||||
|
||||
# This is the event that the control framework uses when it needs to indicate
|
||||
# that an update control action happened.
|
||||
event Control::configuration_update()
|
||||
{
|
||||
# Reenable those which are not to be disabled anymore.
|
||||
for ( g in currently_disabled )
|
||||
if ( g !in disabled )
|
||||
enable_event_group(g);
|
||||
|
||||
# Disable those which are not already disabled.
|
||||
for ( g in disabled )
|
||||
if ( g !in currently_disabled )
|
||||
disable_event_group(g);
|
||||
|
||||
currently_disabled = copy(disabled);
|
||||
}
|
|
@ -34,7 +34,6 @@
|
|||
@load integration/barnyard2/types.bro
|
||||
@load integration/collective-intel/__load__.bro
|
||||
@load integration/collective-intel/main.bro
|
||||
@load misc/analysis-groups.bro
|
||||
@load misc/capture-loss.bro
|
||||
@load misc/loaded-scripts.bro
|
||||
@load misc/profiling.bro
|
||||
|
|
|
@ -10,7 +10,6 @@ EventHandler::EventHandler(const char* arg_name)
|
|||
used = false;
|
||||
local = 0;
|
||||
type = 0;
|
||||
group = 0;
|
||||
error_handler = false;
|
||||
enabled = true;
|
||||
}
|
||||
|
@ -19,7 +18,6 @@ EventHandler::~EventHandler()
|
|||
{
|
||||
Unref(local);
|
||||
delete [] name;
|
||||
delete [] group;
|
||||
}
|
||||
|
||||
EventHandler::operator bool() const
|
||||
|
|
|
@ -41,10 +41,6 @@ public:
|
|||
void SetErrorHandler() { error_handler = true; }
|
||||
bool ErrorHandler() { return error_handler; }
|
||||
|
||||
const char* Group() { return group; }
|
||||
void SetGroup(const char* arg_group)
|
||||
{ group = copy_string(arg_group); }
|
||||
|
||||
void SetEnable(bool arg_enable) { enabled = arg_enable; }
|
||||
|
||||
// We don't serialize the handler(s) itself here, but
|
||||
|
@ -54,7 +50,6 @@ public:
|
|||
|
||||
private:
|
||||
const char* name;
|
||||
const char* group;
|
||||
Func* local;
|
||||
FuncType* type;
|
||||
bool used; // this handler is indeed used somewhere
|
||||
|
|
|
@ -85,17 +85,6 @@ void EventRegistry::PrintDebug()
|
|||
}
|
||||
}
|
||||
|
||||
void EventRegistry::SetGroup(const char* name, const char* group)
|
||||
{
|
||||
return; // FIXME. THis triggers the error below for plugin events.
|
||||
|
||||
EventHandler* eh = Lookup(name);
|
||||
if ( ! eh )
|
||||
reporter->InternalError("unknown event handler %s in SetGroup()", name);
|
||||
|
||||
eh->SetGroup(group);
|
||||
}
|
||||
|
||||
void EventRegistry::SetErrorHandler(const char* name)
|
||||
{
|
||||
EventHandler* eh = Lookup(name);
|
||||
|
@ -105,18 +94,3 @@ void EventRegistry::SetErrorHandler(const char* name)
|
|||
eh->SetErrorHandler();
|
||||
}
|
||||
|
||||
void EventRegistry::EnableGroup(const char* group, bool enable)
|
||||
{
|
||||
IterCookie* c = handlers.InitForIteration();
|
||||
|
||||
HashKey* k;
|
||||
EventHandler* v;
|
||||
while ( (v = handlers.NextEntry(k, c)) )
|
||||
{
|
||||
delete k;
|
||||
|
||||
if ( v->Group() && strcmp(v->Group(), group) == 0 )
|
||||
v->SetEnable(enable);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -26,17 +26,11 @@ public:
|
|||
typedef PList(constchar) string_list;
|
||||
string_list* Match(RE_Matcher* pattern);
|
||||
|
||||
// Associates a group with the given event.
|
||||
void SetGroup(const char* name, const char* group);
|
||||
|
||||
// Marks a handler as handling errors. Error handler will not be called
|
||||
// recursively to avoid infinite loops in case they trigger an error
|
||||
// themselves.
|
||||
void SetErrorHandler(const char* name);
|
||||
|
||||
// Enable/disable all members of the group.
|
||||
void EnableGroup(const char* group, bool enable);
|
||||
|
||||
string_list* UnusedHandlers();
|
||||
string_list* UsedHandlers();
|
||||
void PrintDebug();
|
||||
|
|
16
src/ID.cc
16
src/ID.cc
|
@ -221,21 +221,7 @@ void ID::UpdateValAttrs()
|
|||
|
||||
if ( Type()->Tag() == TYPE_FUNC )
|
||||
{
|
||||
Attr* attr = attrs->FindAttr(ATTR_GROUP);
|
||||
|
||||
if ( attr )
|
||||
{
|
||||
Val* group = attr->AttrExpr()->ExprVal();
|
||||
if ( group )
|
||||
{
|
||||
if ( group->Type()->Tag() == TYPE_STRING )
|
||||
event_registry->SetGroup(Name(), group->AsString()->CheckString());
|
||||
else
|
||||
Error("&group attribute takes string");
|
||||
}
|
||||
}
|
||||
|
||||
attr = attrs->FindAttr(ATTR_ERROR_HANDLER);
|
||||
Attr* attr = attrs->FindAttr(ATTR_ERROR_HANDLER);
|
||||
|
||||
if ( attr )
|
||||
event_registry->SetErrorHandler(Name());
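Review bot: With the `&group` branch removed here, nothing visible in this commit still reads `ATTR_GROUP`, yet none of the 15 changed files shows its declaration being touched, so the enum value (and any name-table entry for it) presumably stays behind as dead code; remove it in the same change or track it. In the code that remains, `attr` is only tested for null, so the lookup can be folded into the condition: `if ( attrs->FindAttr(ATTR_ERROR_HANDLER) )`. `ID::UpdateValAttrs()` begins before this hunk and continues past it, so the rest of the function is not visible here.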
|
||||
|
|
25
src/bro.bif
25
src/bro.bif
|
@ -4342,31 +4342,6 @@ function skip_smtp_data%(c: connection%): any
|
|||
return 0;
|
||||
%}
|
||||
|
||||
## Enables all event handlers in a given group. One can tag event handlers with
|
||||
## the :bro:attr:`&group` attribute to logically group them together, e.g,
|
||||
## ``event foo() &group="bar"``. This function enables all event handlers that
|
||||
## belong to such a group.
|
||||
##
|
||||
## group: The group.
|
||||
##
|
||||
## .. bro:see:: disable_event_group
|
||||
function enable_event_group%(group: string%) : any
|
||||
%{
|
||||
event_registry->EnableGroup(group->CheckString(), true);
|
||||
return 0;
|
||||
%}
|
||||
|
||||
## Disables all event handlers in a given group.
|
||||
##
|
||||
## group: The group.
|
||||
##
|
||||
## .. bro:see:: enable_event_group
|
||||
function disable_event_group%(group: string%) : any
|
||||
%{
|
||||
event_registry->EnableGroup(group->CheckString(), false);
|
||||
return 0;
|
||||
%}
|
||||
|
||||
# ===========================================================================
|
||||
#
|
||||
# Files and Directories
|
||||
|
|
|
@ -2219,7 +2219,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
|
|||
##
|
||||
## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
|
||||
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
|
||||
event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
|
||||
event ftp_request%(c: connection, command: string, arg: string%);
|
||||
|
||||
## Generated for server-side FTP replies.
|
||||
##
|
||||
|
@ -2239,7 +2239,7 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
|
|||
##
|
||||
## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
|
||||
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
|
||||
event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp";
|
||||
event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
|
||||
|
||||
## Generated for client-side SMTP commands.
|
||||
##
|
||||
|
@ -2264,7 +2264,7 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro
|
|||
## smtp_data smtp_reply
|
||||
##
|
||||
## .. note:: Bro does not support the newer ETRN extension yet.
|
||||
event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp";
|
||||
event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
|
||||
|
||||
## Generated for server-side SMTP commands.
|
||||
##
|
||||
|
@ -2295,7 +2295,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
|
|||
## smtp_data smtp_request
|
||||
##
|
||||
## .. note:: Bro doesn't support the newer ETRN extension yet.
|
||||
event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp";
|
||||
event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
|
||||
|
||||
## Generated for DATA transmitted on SMTP sessions. This event is raised for
|
||||
## subsequent chunks of raw data following the ``DATA`` SMTP command until the
|
||||
|
@ -2320,7 +2320,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s
|
|||
## .. note:: This event receives the unprocessed raw data. There is a separate
|
||||
## set of ``mime_*`` events that strip out the outer MIME-layer of emails and
|
||||
## provide structured access to their content.
|
||||
event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
|
||||
event smtp_data%(c: connection, is_orig: bool, data: string%);
|
||||
|
||||
## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
|
||||
## the state of SMTP sessions and reports commands and other activity with this
|
||||
|
@ -2340,7 +2340,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
|
|||
## detail: The actual SMTP line triggering the event.
|
||||
##
|
||||
## .. bro:see:: smtp_data smtp_request smtp_reply
|
||||
event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp";
|
||||
event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
|
||||
|
||||
## Generated when starting to parse an email MIME entity. MIME is a
|
||||
## protocol-independent data format for encoding text and files, along with
|
||||
|
@ -4014,7 +4014,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data:
|
|||
## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
|
||||
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";
|
||||
event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
|
||||
|
||||
## Generated for DNS requests. For requests with multiple queries, this event
|
||||
## is raised once for each.
|
||||
|
@ -4041,7 +4041,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
|
||||
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
|
||||
|
||||
## Generated for DNS replies that reject a query. This event is raised if a DNS
|
||||
## reply either indicates failure via its status code or does not pass on any
|
||||
|
@ -4070,7 +4070,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
|
||||
event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
|
||||
|
||||
## Generated for DNS replies with an *ok* status code but no question section.
|
||||
##
|
||||
|
@ -4097,7 +4097,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
|
|||
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_query_reply%(c: connection, msg: dns_msg, query: string,
|
||||
qtype: count, qclass: count%) &group="dns";
|
||||
qtype: count, qclass: count%);
|
||||
|
||||
## Generated when the DNS analyzer processes what seems to be a non-DNS packet.
|
||||
##
|
||||
|
@ -4108,7 +4108,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
|
|||
##
|
||||
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
|
||||
## detection framework.
|
||||
event non_dns_request%(c: connection, msg: string%) &group="dns";
|
||||
event non_dns_request%(c: connection, msg: string%);
|
||||
|
||||
## Generated for DNS replies of type *A*. For replies with multiple answers, an
|
||||
## individual event of the corresponding type is raised for each.
|
||||
|
@ -4133,7 +4133,7 @@ event non_dns_request%(c: connection, msg: string%) &group="dns";
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
|
||||
event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
|
||||
|
||||
## Generated for DNS replies of type *AAAA*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4158,7 +4158,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &grou
|
|||
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
|
||||
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
|
||||
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
|
||||
|
||||
## Generated for DNS replies of type *A6*. For replies with multiple answers, an
|
||||
## individual event of the corresponding type is raised for each.
|
||||
|
@ -4183,7 +4183,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g
|
|||
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
|
||||
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
|
||||
event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
|
||||
|
||||
## Generated for DNS replies of type *NS*. For replies with multiple answers, an
|
||||
## individual event of the corresponding type is raised for each.
|
||||
|
@ -4208,7 +4208,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
|
||||
event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
|
||||
|
||||
## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4233,7 +4233,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
|
|||
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
|
||||
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
|
||||
event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
|
||||
|
||||
## Generated for DNS replies of type *PTR*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4258,7 +4258,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
|
||||
event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
|
||||
|
||||
## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4283,7 +4283,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
|
||||
event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
|
||||
|
||||
## Generated for DNS replies of type *WKS*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4306,7 +4306,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
|
||||
event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
|
||||
|
||||
## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4329,7 +4329,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"
|
|||
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
|
||||
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
|
||||
event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
|
||||
|
||||
## Generated for DNS replies of type *MX*. For replies with multiple answers, an
|
||||
## individual event of the corresponding type is raised for each.
|
||||
|
@ -4356,7 +4356,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
|
||||
event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
|
||||
|
||||
## Generated for DNS replies of type *TXT*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4381,7 +4381,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
|
||||
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
|
||||
|
||||
## Generated for DNS replies of type *SRV*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4404,7 +4404,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%)
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
|
||||
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
|
||||
|
||||
## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4427,7 +4427,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"
|
|||
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
|
||||
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
|
||||
event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
|
||||
|
||||
## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
|
||||
## an individual event of the corresponding type is raised for each.
|
||||
|
@ -4450,7 +4450,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &gr
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
|
||||
event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
|
||||
|
||||
## Generated at the end of processing a DNS packet. This event is the last
|
||||
## ``dns_*`` event that will be raised for a DNS query/reply and signals that
|
||||
|
@ -4472,7 +4472,7 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr
|
|||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
|
||||
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
event dns_end%(c: connection, msg: dns_msg%) &group="dns";
|
||||
event dns_end%(c: connection, msg: dns_msg%);
|
||||
|
||||
## Generated for DHCP messages of type *discover*.
|
||||
##
|
||||
|
@ -6610,7 +6610,7 @@ event gaobot_signature_found%(c: connection%);
|
|||
##
|
||||
## .. todo:: Unclear what this event is for; it's never raised. We should just
|
||||
## remove it.
|
||||
event dns_full_request%(%) &group="dns";
|
||||
event dns_full_request%(%);
|
||||
|
||||
## Deprecated. Will be removed.
|
||||
event anonymization_mapping%(orig: addr, mapped: addr%);
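Review bot: `dns_full_request` is edited at the end of this section only to strip `&group="dns"`, although the comment directly above it says the event is never raised and should be removed. If it cannot be deleted in this commit, mark it the same way as its neighbour, `## Deprecated. Will be removed.`, so script authors stop writing handlers for an event that never fires. Separately, the context comment that appears to document `dns_SOA_reply` reads `Generated for DNS replies of type *CNAME*`, which looks like a copy-paste slip for `*SOA*`.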
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
%}
|
||||
|
||||
%expect 88
|
||||
%expect 85
|
||||
|
||||
%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY
|
||||
%token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
|
||||
|
@ -23,7 +23,7 @@
|
|||
%token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
|
||||
%token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
|
||||
%token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
|
||||
%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
|
||||
%token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
|
||||
%token TOK_ATTR_TYPE_COLUMN
|
||||
|
||||
%token TOK_DEBUG
|
||||
|
@ -1362,8 +1362,6 @@ attr:
|
|||
{ $$ = new Attr(ATTR_MERGEABLE); }
|
||||
| TOK_ATTR_PRIORITY '=' expr
|
||||
{ $$ = new Attr(ATTR_PRIORITY, $3); }
|
||||
| TOK_ATTR_GROUP '=' expr
|
||||
{ $$ = new Attr(ATTR_GROUP, $3); }
|
||||
| TOK_ATTR_TYPE_COLUMN '=' expr
|
||||
{ $$ = new Attr(ATTR_TYPE_COLUMN, $3); }
|
||||
| TOK_ATTR_LOG
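Review bot: Dropping `TOK_ATTR_GROUP` from the token list and from the `attr` rule turns `&group="..."` from an accepted attribute into input the grammar no longer recognises, so any site or third-party script that still carries it will presumably fail to load after an upgrade. On a monitoring sensor a policy script that stops loading is a detection gap, so the change deserves an upgrade note such as `The &group attribute and the enable_event_group()/disable_event_group() functions have been removed; delete them from local scripts.` The new `%expect 85` should also be checked against the conflict count bison actually reports for the reduced grammar, since a mismatch only surfaces at build time. The `attr` rule continues outside the hunk.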
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done ply http_stats
|
||||
## truncate_http_URI
|
||||
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";
|
||||
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
|
||||
|
||||
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
|
||||
## sessions and raises corresponding events as it parses client/server
|
||||
|
@ -41,7 +41,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
|
|||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done http_request
|
||||
## http_stats
|
||||
event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";
|
||||
event http_reply%(c: connection, version: string, code: count, reason: string%);
|
||||
|
||||
## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
|
||||
## sessions and raises corresponding events as it parses client/server
|
||||
|
@ -64,7 +64,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%)
|
|||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header";
|
||||
event http_header%(c: connection, is_orig: bool, name: string, value: string%);
|
||||
|
||||
## Generated for HTTP headers, passing on all headers of an HTTP message at
|
||||
## once. Bro supports persistent and pipelined HTTP sessions and raises
|
||||
|
@ -86,7 +86,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%) &
|
|||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header";
|
||||
event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
|
||||
|
||||
## Generated when starting to parse an HTTP body entity. This event is generated
|
||||
## at least once for each non-empty (client or server) HTTP body; and
|
||||
|
@ -105,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%)
|
|||
## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## mime_begin_entity
|
||||
event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
|
||||
event http_begin_entity%(c: connection, is_orig: bool%);
|
||||
|
||||
## Generated when finishing parsing an HTTP body entity. This event is generated
|
||||
## at least once for each non-empty (client or server) HTTP body; and
|
||||
|
@ -124,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
|
|||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request
|
||||
## http_stats mime_end_entity
|
||||
event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
|
||||
event http_end_entity%(c: connection, is_orig: bool%);
|
||||
|
||||
## Generated when parsing an HTTP body entity, passing on the data. This event
|
||||
## can potentially be raised many times for each entity, each time passing a
|
||||
|
@ -152,7 +152,7 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
|
|||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## mime_entity_data http_entity_data_delivery_size skip_http_data
|
||||
event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";
|
||||
event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%);
|
||||
|
||||
## Generated for reporting an HTTP body's content type. This event is
|
||||
## generated at the end of parsing an HTTP header, passing on the MIME
|
||||
|
@ -176,7 +176,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
|
|||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
|
||||
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
|
||||
|
||||
## Generated once at the end of parsing an HTTP message. Bro supports persistent
|
||||
## and pipelined HTTP sessions and raises corresponding events as it parses
|
||||
|
@ -198,7 +198,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_reply http_request http_stats
|
||||
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";
|
||||
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
|
||||
|
||||
## Generated for errors found when decoding HTTP requests or replies.
|
||||
##
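Review bot: The `bro:see` list above `http_request` contains a stray `ply` between `http_message_done` and `http_stats`, most likely a truncated `http_reply`, so that cross-reference probably does not resolve in the generated documentation. Since the declaration right below it is being edited anyway, correct the line to `## http_entity_data http_event http_header http_message_done http_reply http_stats`.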
|
||||
|
|
|
@ -332,7 +332,6 @@ when return TOK_WHEN;
|
|||
&encrypt return TOK_ATTR_ENCRYPT;
|
||||
&error_handler return TOK_ATTR_ERROR_HANDLER;
|
||||
&expire_func return TOK_ATTR_EXPIRE_FUNC;
|
||||
&group return TOK_ATTR_GROUP;
|
||||
&log return TOK_ATTR_LOG;
|
||||
&mergeable return TOK_ATTR_MERGEABLE;
|
||||
&optional return TOK_ATTR_OPTIONAL;
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2013-04-01-19-44-31
|
||||
#open 2013-04-09-22-37-59
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
@ -36,5 +36,6 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/./HTTP.events.bif.bro
|
||||
build/scripts/base/bif/plugins/./HTTP.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/./SSL.events.bif.bro
|
||||
build/scripts/base/bif/plugins/./Syslog.events.bif.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2013-04-01-19-44-31
|
||||
#close 2013-04-09-22-37-59
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2013-04-01-19-44-38
|
||||
#open 2013-04-09-22-38-15
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
@ -36,6 +36,7 @@ scripts/base/init-bare.bro
|
|||
build/scripts/base/bif/plugins/./HTTP.events.bif.bro
|
||||
build/scripts/base/bif/plugins/./HTTP.functions.bif.bro
|
||||
build/scripts/base/bif/plugins/./SSL.events.bif.bro
|
||||
build/scripts/base/bif/plugins/./Syslog.events.bif.bro
|
||||
scripts/base/init-default.bro
|
||||
scripts/base/utils/site.bro
|
||||
scripts/base/utils/./patterns.bro
|
||||
|
@ -126,4 +127,4 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/syslog/./main.bro
|
||||
scripts/base/misc/find-checksum-offloading.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2013-04-01-19-44-38
|
||||
#close 2013-04-09-22-38-15
|
||||
|
|