Merge remote-tracking branch 'origin/topic/gregor/script-polishing'

* origin/topic/gregor/script-polishing: Tune when c$conn is set. Set c$conn (for logging) in new_connection() event. (Semiautomatically) convert the comments in bare-init.bro into autodoc ones. Add ConnSize_Analyzer's fields to conn.log SSH base scripts: make sure ConnSizeAnalyzer variables are available before using them. Make reference to the other script a link
2025-10-04 15:48:19 +00:00 · 2011-08-25 13:17:49 -04:00 · 2011-08-25 13:17:49 -04:00 · 562abfb0d1
commit 562abfb0d1
parent 9160898d03 89d5e01d38
6 changed files with 462 additions and 405 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@ -12,7 +12,11 @@ export {
 		proto:        transport_proto &log;
 		service:      string          &log &optional;
 		duration:     interval        &log &optional;
 		## The number of payload bytes the originator sent. For TCP
 		## this is taken from sequence numbers and might be inaccurate 
 		## (e.g., due to large connections)
 		orig_bytes:   count           &log &optional;
 		## The number of payload bytes the responder sent. See ``orig_bytes``.
 		resp_bytes:   count           &log &optional;
 		## ==========   ===============================================
@ -68,6 +72,17 @@ export {
 		## for instance. I.e., we just record that data went in that direction.
 		## This history is not meant to encode how much data that happened to be.
 		history:      string          &log &optional;
 		## Number of packets the originator sent.
 		## Only set if :bro:id:`use_conn_size_analyzer`=T
 		orig_pkts:     count      &log &optional;
 		## Number IP level bytes the originator sent (as seen on the wire,
 		## taken from IP total_length header field).
 		## Only set if :bro:id:`use_conn_size_analyzer`=T
 		orig_ip_bytes: count      &log &optional;
 		## Number of packets the responder sent. See ``orig_pkts``.
 		resp_pkts:     count      &log &optional;
 		## Number IP level bytes the responder sent. See ``orig_pkts``.
 		resp_ip_bytes: count      &log &optional;
 	};
 	global log_conn: event(rec: Info);
@ -143,31 +158,39 @@ function determine_service(c: connection): string
 	return to_lower(service);
 	}
 ## Fill out the c$conn record for logging
 function set_conn(c: connection, eoc: bool)
 	{
 	if ( ! c?$conn )
 		{
 		local id = c$id;
 		local tmp: Info;
 		tmp$ts=c$start_time;
 		tmp$uid=c$uid;
 		tmp$id=id;
 		tmp$proto=get_port_transport_proto(id$resp_p);
 		if( |Site::local_nets| > 0 )
 			tmp$local_orig=Site::is_local_addr(id$orig_h);
 		c$conn = tmp;
 		}
 	c$conn$ts=c$start_time;
 	c$conn$uid=c$uid;
 	c$conn$id=c$id;
 	c$conn$proto=get_port_transport_proto(c$id$resp_p);
 	if( |Site::local_nets| > 0 )
 		c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
 	if ( eoc )
 		{
 		if ( c$duration > 0secs ) 
 			{
 			c$conn$duration=c$duration;
 			# TODO: these should optionally use Gregor's new
 			#       actual byte counting code if it's enabled.
 			c$conn$orig_bytes=c$orig$size;
 			c$conn$resp_bytes=c$resp$size;
 			}
 		if ( c$orig?$num_pkts )
 			{
 			# these are set if use_conn_size_analyzer=T
 			# we can have counts in here even without duration>0
 			c$conn$orig_pkts = c$orig$num_pkts;
 			c$conn$orig_ip_bytes = c$orig$num_bytes_ip;
 			c$conn$resp_pkts = c$resp$num_pkts;
 			c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
 			}
 		local service = determine_service(c);
 		if ( service != "" ) 
 			c$conn$service=service;
@ -178,11 +201,6 @@ function set_conn(c: connection, eoc: bool)
 		}
 	}
 event connection_established(c: connection) &priority=5
 	{
 	set_conn(c, F);
 	}
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
 	{
 	set_conn(c, F);
@ -190,9 +208,13 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
 	c$conn$missed_bytes = c$conn$missed_bytes + length;
 	}
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection) &priority=5
 	{
 	set_conn(c, T);
 	}
 event connection_state_remove(c: connection) &priority=-5
 	{
 	Log::write(CONN, c$conn);
 	}
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@ -94,6 +94,11 @@ function check_ssh_connection(c: connection, done: bool)
 	if ( c$ssh$done )
 		return;
 	# Make sure conn_size_analyzer is active by checking 
 	# resp$num_bytes_ip
 	if ( !c$resp?$num_bytes_ip )
 		return;
 	# If this is still a live connection and the byte count has not
 	# crossed the threshold, just return and let the resheduled check happen later.
 	if ( !done && c$resp$num_bytes_ip < authentication_data_size )
--- a/scripts/policy/protocols/http/detect-MHR.bro
+++ b/scripts/policy/protocols/http/detect-MHR.bro
@ -1,7 +1,7 @@
 ##! This script takes MD5 sums of files transferred over HTTP and checks them with
 ##! Team Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
 ##! By default, not all file transfers will have MD5 sums calculated.  Read the
-##! documentation for the base/protocols/http/file-hash.bro script to see how to 
+##! documentation for the :doc:base/protocols/http/file-hash.bro script to see how to 
 ##! configure which transfers will have hashes calculated.
 export {
--- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
@ -1,2 +1,2 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
+# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
-1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf
+1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf	12	710	10	9945
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@ -1,4 +1,4 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
+# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
-952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.10255992412567	25	0	SH	-	0	-
+952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.10255992412567	25	0	SH	-	0	-	11	280	0	0
-1128727435.450898	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf
+1128727435.450898	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf	12	710	10	9945
-1278600802.069419	50da4BEzauh	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.00415205955505371	9	3429	SF	-	0	ShADadfF
+1278600802.069419	50da4BEzauh	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.00415205955505371	9	3429	SF	-	0	ShADadfF	7	361	7	3801
`@ -1,2 +1,2 @@`
	`# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history`	`# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes`
	`1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf`	`1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945`