Merge remote-tracking branch 'origin/master' into topic/seth/smb

# Conflicts:
#	scripts/site/local.bro

scripts/base/init-bare.bro

@@ -329,6 +329,8 @@ type endpoint: record {
 	## The current IPv6 flow label that the connection endpoint is using.
 	## Always 0 if the connection is over IPv4.
 	flow_label: count;
+	## The link-layer address seen in the first packet (if available).
+	l2_addr: string &optional;
 };
 
 ## A connection. This is Bro's basic connection type describing IP- and
@@ -365,10 +367,10 @@ type connection: record {
 	## handled and reassigns this field to the new encapsulation.
 	tunnel: EncapsulatingConnVector &optional;
 
-	## The outer VLAN, if applicable, for this connection.
+	## The outer VLAN, if applicable for this connection.
 	vlan: int &optional;
 
-	## The inner VLAN, if applicable, for this connection.
+	## The inner VLAN, if applicable for this connection.
 	inner_vlan: int &optional;
 };
 

scripts/base/init-default.bro

@@ -12,6 +12,7 @@
 @load base/utils/directions-and-hosts
 @load base/utils/exec
 @load base/utils/files
+@load base/utils/geoip-distance
 @load base/utils/numbers
 @load base/utils/paths
 @load base/utils/patterns

scripts/base/protocols/ftp/main.bro

@@ -241,10 +241,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 	if ( [c$ftp$cmdarg$cmd, code] in directory_cmds )
 		{
 		if ( c$ftp$cmdarg$cmd == "CWD" )
-			c$ftp$cwd = build_path(c$ftp$cwd, c$ftp$cmdarg$arg);
+			c$ftp$cwd = build_path_compressed(c$ftp$cwd, c$ftp$cmdarg$arg);
 
 		else if ( c$ftp$cmdarg$cmd == "CDUP" )
-			c$ftp$cwd = cat(c$ftp$cwd, "/..");
+			c$ftp$cwd = build_path_compressed(c$ftp$cwd, "/..");
 
 		else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" )
 			c$ftp$cwd = extract_path(msg);

scripts/base/protocols/socks/main.bro

@@ -87,14 +87,6 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
 	c$socks$bound_p = p;
 	}
 
-event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
-	{
-	# This will handle the case where the analyzer failed in some way and was removed.  We probably 
-	# don't want to log these connections.
-	if ( "SOCKS" in c$service )
-		Log::write(SOCKS::LOG, c$socks);
-	}
-
 event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
 	{
 	# Authentication only possible with the version 5.
@@ -112,3 +104,10 @@ event socks_login_userpass_reply(c: connection, code: count) &priority=5
 	c$socks$status = v5_status[code];
 	}
 
+event connection_state_remove(c: connection)
+	{
+	# This will handle the case where the analyzer failed in some way and was
+	# removed.  We probably  don't want to log these connections.
+	if ( "SOCKS" in c$service )
+		Log::write(SOCKS::LOG, c$socks);
+	}

scripts/base/utils/geoip-distance.bro

@@ -0,0 +1,26 @@
+##! Functions to calculate distance between two locations, based on GeoIP data.
+
+## Returns the distance between two IP addresses using the haversine formula,
+## based on GeoIP database locations.  Requires Bro to be built with libgeoip.
+##
+## a1: First IP address.
+##
+## a2: Second IP address.
+##
+## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
+##          is not available for either of the IP addresses.
+##
+## .. bro:see:: haversine_distance lookup_location
+function haversine_distance_ip(a1: addr, a2: addr): double
+	{
+	local loc1 = lookup_location(a1);
+	local loc2 = lookup_location(a2);
+	local miles: double;
+
+	if ( loc1?$latitude && loc1?$longitude && loc2?$latitude && loc2?$longitude )
+		miles = haversine_distance(loc1$latitude, loc1$longitude, loc2$latitude, loc2$longitude);
+	else
+		miles = -1.0;
+
+	return miles;
+	}

scripts/policy/protocols/conn/mac-logging.bro

@@ -0,0 +1,24 @@
+##! This script adds link-layer address (MAC) information to the connection logs
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## Link-layer address of the originator, if available.
+	orig_l2_addr: string	&log &optional;
+	## Link-layer address of the responder, if available.
+	resp_l2_addr: string	&log &optional;
+};
+
+# Add the link-layer addresses to the Conn::Info structure after the connection
+# has been removed. This ensures it's only done once, and is done before the
+# connection information is written to the log.
+event connection_state_remove(c: connection)
+	{
+	if ( c$orig?$l2_addr )
+		c$conn$orig_l2_addr = c$orig$l2_addr;
+
+	if ( c$resp?$l2_addr )
+		c$conn$resp_l2_addr = c$resp$l2_addr;
+	}

scripts/site/local.bro

@@ -89,6 +89,10 @@
 # this adds two VLAN fields to the conn.log file.
 # @load policy/protocols/conn/vlan-logging
 
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
 # Uncomment the following line to enable the SMB analyzer.  The analyzer
 # is currently considered a preview and therefore not loaded by default.
 # @load policy/protocols/smb

scripts/test-all-policy.bro

@@ -63,6 +63,7 @@
 @load misc/trim-trace-file.bro
 @load protocols/conn/known-hosts.bro
 @load protocols/conn/known-services.bro
+@load protocols/conn/mac-logging.bro
 @load protocols/conn/vlan-logging.bro
 @load protocols/conn/weirds.bro
 @load protocols/dhcp/known-devices-and-hostnames.bro