Merge remote-tracking branch 'origin/topic/seth/metrics-merge' into topic/bernhard/hyperloglog-with-measurement

Conflicts:
	scripts/base/frameworks/sumstats/plugins/__load__.bro

scripts/base/frameworks/sumstats/main.bro

@@ -182,7 +182,7 @@ global thresholds_store: table[string, Key] of bool = table();
 global data_added: function(ss: SumStat, key: Key, result: Result);
 
 # Prototype the hook point for plugins to do calculations.
-global add_to_reducer_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
+global observe_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
 # Prototype the hook point for plugins to initialize any result values.
 global init_resultval_hook: hook(r: Reducer, rv: ResultVal);
 # Prototype the hook point for plugins to merge Results.
@@ -323,7 +323,7 @@ function observe(id: string, key: Key, obs: Observation)
 		if ( obs?$num || obs?$dbl )
 			val = obs?$dbl ? obs$dbl : obs$num;
 
-		hook add_to_reducer_hook(r, val, obs, result_val);
+		hook observe_hook(r, val, obs, result_val);
 		data_added(ss, key, result);
 		}
 	}

scripts/base/frameworks/sumstats/plugins/__load__.bro

@@ -1,9 +1,9 @@
 @load ./average
+@load ./hll_unique
 @load ./max
 @load ./min
 @load ./sample
-@load ./variance
 @load ./std-dev
 @load ./sum
 @load ./unique
-@load ./hll_unique
+@load ./variance

scripts/base/frameworks/sumstats/plugins/average.bro

@@ -14,7 +14,7 @@ export {
 	};
 }
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( AVERAGE in r$apply )
 		{

scripts/base/frameworks/sumstats/plugins/hll_unique.bro

@@ -31,7 +31,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal)
 	}
 
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( HLLUNIQUE in r$apply )
 		{

scripts/base/frameworks/sumstats/plugins/max.bro

@@ -14,7 +14,7 @@ export {
 	};
 }
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( MAX in r$apply )
 		{

scripts/base/frameworks/sumstats/plugins/min.bro

@@ -14,7 +14,7 @@ export {
 	};
 }
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( MIN in r$apply )
 		{

scripts/base/frameworks/sumstats/plugins/sample.bro

@@ -29,7 +29,7 @@ function get_samples(rv: ResultVal): vector of Observation
 	return s;
 	}
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( r$samples > 0 )
 		{

scripts/base/frameworks/sumstats/plugins/std-dev.bro

@@ -22,7 +22,7 @@ function calc_std_dev(rv: ResultVal)
 	}
 
 # This depends on the variance plugin which uses priority -5
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10
 	{
 	if ( STD_DEV in r$apply )
 		calc_std_dev(rv);

scripts/base/frameworks/sumstats/plugins/sum.bro

@@ -34,7 +34,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal)
 		rv$sum = 0;
 	}
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( SUM in r$apply )
 		rv$sum += val;

scripts/base/frameworks/sumstats/plugins/unique.bro

@@ -23,7 +23,7 @@ redef record ResultVal += {
 	unique_vals: set[Observation] &optional;
 };
 
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( UNIQUE in r$apply )
 		{

scripts/base/frameworks/sumstats/plugins/variance.bro

@@ -29,7 +29,7 @@ function calc_variance(rv: ResultVal)
 	}
 
 # Reduced priority since this depends on the average
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5
 	{
 	if ( VARIANCE in r$apply )
 		{

scripts/base/protocols/ftp/main.bro

@@ -174,8 +174,9 @@ function ftp_message(s: Info)
 		if ( s$cmdarg$cmd in file_cmds )
 			{
 			local comp_path = build_path_compressed(s$cwd, arg);
-			if ( s$cwd[0] != "/" )
+			if ( comp_path[0] != "/" )
 				comp_path = cat("/", comp_path);
+
 			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
 			}
 		
@@ -245,16 +246,13 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=5
 	{
-	# TODO: figure out what to do with continued FTP response (not used much)
-	#if ( cont_resp ) return;
-
-	local id = c$id;
 	set_ftp_session(c);
-	
 	c$ftp$cmdarg = get_pending_cmd(c$ftp$pending_commands, code, msg);
-	
 	c$ftp$reply_code = code;
 	c$ftp$reply_msg = msg;
+
+	# TODO: figure out what to do with continued FTP response (not used much)
+	if ( cont_resp ) return;
 	
 	# TODO: do some sort of generic clear text login processing here.
 	local response_xyz = parse_ftp_reply_code(code);
@@ -283,10 +281,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 			c$ftp$passive=T;
 			
 			if ( code == 229 && data$h == [::] )
-				data$h = id$resp_h;
+				data$h = c$id$resp_h;
 			
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			expect_connection(c$id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
 			}
 		else
 			{

scripts/policy/misc/scan.bro

@@ -1,4 +1,4 @@
-##! Scan detection
+##! TCP Scan detection
 ##!
 ##! ..Authors: Sheharbano Khattak
 ##!            Seth Hall
@@ -47,22 +47,9 @@ export {
 	const addr_scan_custom_thresholds: table[port] of count &redef;
 
 	global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
-	
 	global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 }
 
-
-#function check_addr_scan_threshold(key: SumStats::Key, val: SumStats::Result): bool
-#	{
-#	# We don't need to do this if no custom thresholds are defined.
-#	if ( |addr_scan_custom_thresholds| == 0 )
-#		return F;
-#
-#	local service = to_port(key$str);
-#	return ( service in addr_scan_custom_thresholds &&
-#	         val$sum > addr_scan_custom_thresholds[service] );
-#	}
-
 event bro_init() &priority=5
 	{
 	local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE)];
@@ -124,30 +111,6 @@ function add_sumstats(id: conn_id, reverse: bool)
 		victim       = id$orig_h;
 		scanned_port = id$orig_p;
 		}
-
-	# Defaults to be implemented with a hook...
-	#local transport_layer_proto = get_port_transport_proto(service);
-	#if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) )
-	#	return F;
-	#else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) )
-	#	return F;
-	#else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) )
-	#	return F;
-
-	# TODO: all of this whitelist/blacklist will be done 
-	#       through the upcoming hook mechanism
-	# Blacklisting/whitelisting services
-	#if ( |analyze_services| > 0 )
-	#	{
-	#	if ( service !in analyze_services )
-	#		return F;
-	#	}
-	#else if ( service in skip_services )
-	#	return F;
-	#
-	## Blacklisting/whitelisting subnets
-	#if ( |analyze_subnets| > 0 && host !in analyze_subnets )
-	#	return F;
 	
 	if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
 		SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);