diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7e239a1976..ce01d25b12 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -176,7 +176,7 @@ include_directories(${CMAKE_CURRENT_BINARY_DIR})
 ## Recurse on sub-directories
 add_subdirectory(src)
-add_subdirectory(policy)
+add_subdirectory(scripts)
 add_subdirectory(doc)
 include(CheckOptionalBuildSources)
diff --git a/bro-path-dev.in b/bro-path-dev.in
index 9d7f0f224c..57cc8fb2df 100755
--- a/bro-path-dev.in
+++ b/bro-path-dev.in
@@ -10,7 +10,7 @@
 # BROPATH=`./bro-path-dev` ./src/bro
 #
-broPolicies=${PROJECT_SOURCE_DIR}/policy:${PROJECT_SOURCE_DIR}/policy/site
+broPolicies=${PROJECT_SOURCE_DIR}/scripts:${PROJECT_SOURCE_DIR}/scripts/policy:${PROJECT_SOURCE_DIR}/scripts/site
 broGenPolicies=${CMAKE_BINARY_DIR}/src
diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro
index f4888cec54..a50bff625a 100644
--- a/doc/scripts/example.bro
+++ b/doc/scripts/example.bro
@@ -42,7 +42,7 @@
 # is taken as the summary text for a given identifier.
 # @load directives are self-documenting
-@load frameworks/notice
+@load frameworks/software/vulnerable
 # "module" statements are self-documenting
 module Example;
diff --git a/policy/frameworks/cluster/__load__.bro b/policy/frameworks/cluster/__load__.bro
deleted file mode 100644
index 781b9aee9f..0000000000
--- a/policy/frameworks/cluster/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/cluster/base
diff --git a/policy/frameworks/communication/__load__.bro b/policy/frameworks/communication/__load__.bro
deleted file mode 100644
index daf242cb06..0000000000
--- a/policy/frameworks/communication/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/communication/base
\ No newline at end of file
diff --git a/policy/frameworks/communication/base/__load__.bro b/policy/frameworks/communication/base/__load__.bro
deleted file mode 100644
index 80d867807c..0000000000
--- a/policy/frameworks/communication/base/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/communication/base/main
diff --git a/policy/frameworks/control/__load__.bro b/policy/frameworks/control/__load__.bro
deleted file mode 100644
index f69c5ac2db..0000000000
--- a/policy/frameworks/control/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/control/base
\ No newline at end of file
diff --git a/policy/frameworks/control/base/__load__.bro b/policy/frameworks/control/base/__load__.bro
deleted file mode 100644
index 3ff87580e1..0000000000
--- a/policy/frameworks/control/base/__load__.bro
+++ /dev/null
@@ -1,2 +0,0 @@
-
-@load frameworks/control/base/main
diff --git a/policy/frameworks/dpd/__load__.bro b/policy/frameworks/dpd/__load__.bro
deleted file mode 100644
index 79b77eefa2..0000000000
--- a/policy/frameworks/dpd/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/dpd/base
diff --git a/policy/frameworks/dpd/base/__load__.bro b/policy/frameworks/dpd/base/__load__.bro
deleted file mode 100644
index 79dd2ad587..0000000000
--- a/policy/frameworks/dpd/base/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/dpd/base/main
diff --git a/policy/frameworks/intel/__load__.bro b/policy/frameworks/intel/__load__.bro
deleted file mode 100644
index 2adabd11ec..0000000000
--- a/policy/frameworks/intel/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/intel/base
\ No newline at end of file
diff --git a/policy/frameworks/logging/__load__.bro b/policy/frameworks/logging/__load__.bro
deleted file mode 100644
index 3a660db7b1..0000000000
--- a/policy/frameworks/logging/__load__.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load frameworks/logging/base
-
-@load frameworks/logging/plugins/ascii
\ No newline at end of file
diff --git a/policy/frameworks/metrics/__load__.bro b/policy/frameworks/metrics/__load__.bro
deleted file mode 100644
index 4d86c2d744..0000000000
--- a/policy/frameworks/metrics/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/metrics/base
diff --git a/policy/frameworks/metrics/base/__load__.bro b/policy/frameworks/metrics/base/__load__.bro
deleted file mode 100644
index de0273d701..0000000000
--- a/policy/frameworks/metrics/base/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/metrics/base/main
diff --git a/policy/frameworks/notice/__load__.bro b/policy/frameworks/notice/__load__.bro
deleted file mode 100644
index 7478a558a3..0000000000
--- a/policy/frameworks/notice/__load__.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-@load ./base
-
-# Load the script to add hostnames to emails by default.
-# NOTE: this exposes a memleak in async DNS lookups.
-#@load ./extend-email/hostnames
\ No newline at end of file
diff --git a/policy/frameworks/notice/action-filters.bro b/policy/frameworks/notice/action-filters.bro
deleted file mode 100644
index d9e2cf28f9..0000000000
--- a/policy/frameworks/notice/action-filters.bro
+++ /dev/null
@@ -1,131 +0,0 @@ -##! A few predefined notice_action_filters. -##! This is completely and utterly not working right now!!!!! - - -@load ./base - -module Notice; - -export { - const ignore_tallies_at_shutdown = T &redef; - const notice_once_per_orig_tally_interval = 1hr &redef; - - global tallies: table[string] of count &default = 0; - - ## Reports a specific NoticeType the first time we see it for a source. - ## From then on, tally instances per source. - #global notice_once_per_orig: table[Info, addr] of count - # &default=0 &read_expire=5hrs; - - global ignore_it: function(nt: Notice::Type): Notice::PolicyItem; - global file_it: function(nt: Notice::Type): Notice::PolicyItem; - global send_email: function(nt: Notice::Type): Notice::PolicyItem; - global send_page: function(nt: Notice::Type): Notice::PolicyItem; - global tally_notice_type: function(nt: Notice::Type): Notice::PolicyItem; - global tally_notice_type_and_ignore: function(nt: Notice::Type): Notice::PolicyItem; - global file_local_bro_notices: function(nt: Notice::Type): Notice::PolicyItem; - global file_if_remote: function(nt: Notice::Type): Notice::PolicyItem; -} - -function action2policy_item(nt: Notice::Type, action: Notice::Action): Notice::PolicyItem - { - return [$result=action, - $pred(n: Notice::Info) = { return n$note == nt; }, - $priority=5]; - } - -function ignore_it(nt: Notice::Type): Notice::PolicyItem - { - return action2policy_item(nt, ACTION_IGNORE); - } - -function file_it(nt: Notice::Type): Notice::PolicyItem - { - return action2policy_item(nt, ACTION_FILE); - } - -function send_email(nt: Notice::Type): Notice::PolicyItem - { - return action2policy_item(nt, ACTION_EMAIL); - } - -function send_page_action(nt: Notice::Type): Notice::PolicyItem - { - return action2policy_item(nt, ACTION_PAGE); - } - - -#function tally_notice(s: string) -# { -# ++tallies[s]; -# } -# -#function tally_notice_type(nt: Notice::Type): Notice::PolicyItem -# { -# tally_notice(fmt("%s", n$note)); -# return 
action2policy_item(nt, ACTION_FILE); -# } -# -#function tally_notice_type_and_ignore(nt: Notice::Type): Notice::PolicyItem -# { -# tally_notice(fmt("%s", n$note)); -# return action2policy_item(nt, ACTION_IGNORE); -# } -# -#function file_local_bro_notices(nt: Notice::Type): Notice::PolicyItem -# { -# if ( n$src_peer$is_local ) -# return action2policy_item(nt, ACTION_FILE); -# else -# return action2policy_item(nt, n$action); -# } -# -#function file_if_remote(nt: Notice::Type): Notice::PolicyItem -# { -# if ( n?$src && ! is_local_addr(n$src) ) -# return action2policy_item(nt, ACTION_FILE); -# else -# return action2policy_item(nt, n$action); -# } - - - - -#event notice_alarm_per_orig_tally(n: Notice::Info, host: addr) -# { -# local i = notice_once_per_orig[n$note, host]; -# if ( i > 1 ) -# { -# local msg = fmt("%s seen %d time%s from %s", -# n$note, i, i > 1 ? "s" : "", host); -# NOTICE([$note=Notice_Tally, $msg=msg, $src=host, $n=i]); -# } -# } -# -#function notice_alarm_per_orig(n: Notice::Info, a: Notice::Action): Notice::Action -# { -# local host = n$src; -# -# ++notice_once_per_orig[n$note, host]; -# -# if ( notice_once_per_orig[n$note, host] > 1 ) -# return ACTION_FILE; -# -# schedule notice_once_per_orig_tally_interval -# { notice_alarm_per_orig_tally(n, host) }; -# -# return ACTION_ALARM_ALWAYS; -# } - -event bro_done() - { - if ( ignore_tallies_at_shutdown ) - return; - - for ( s in tallies ) - { - local n = tallies[s]; - local msg = fmt("%s (%d time%s)", s, n, n > 1 ? "s" : ""); - NOTICE([$note=Notice::Tally, $msg=msg, $n=n]); - } - } diff --git a/policy/frameworks/packet-filter/__load__.bro b/policy/frameworks/packet-filter/__load__.bro deleted file mode 100644 index 54e5a6d0df..0000000000 --- a/policy/frameworks/packet-filter/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load frameworks/packet-filter/base 
diff --git a/policy/frameworks/packet-filter/base/__load__.bro b/policy/frameworks/packet-filter/base/__load__.bro
deleted file mode 100644
index 267c6ab306..0000000000
--- a/policy/frameworks/packet-filter/base/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/packet-filter/base/main
\ No newline at end of file
diff --git a/policy/frameworks/reporter/__load__.bro b/policy/frameworks/reporter/__load__.bro
deleted file mode 100644
index 6b3367a782..0000000000
--- a/policy/frameworks/reporter/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/reporter/base
diff --git a/policy/frameworks/signatures/__load__.bro b/policy/frameworks/signatures/__load__.bro
deleted file mode 100644
index e8b3a40612..0000000000
--- a/policy/frameworks/signatures/__load__.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load frameworks/signatures/base
-
-redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
diff --git a/policy/frameworks/software/__load__.bro b/policy/frameworks/software/__load__.bro
deleted file mode 100644
index 4cbe4ecaad..0000000000
--- a/policy/frameworks/software/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/software/base
diff --git a/policy/frameworks/software/base/__load__.bro b/policy/frameworks/software/base/__load__.bro
deleted file mode 100644
index 2877c76a44..0000000000
--- a/policy/frameworks/software/base/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load frameworks/software/base/main
\ No newline at end of file
diff --git a/policy/protocols/conn/__load__.bro b/policy/protocols/conn/__load__.bro
deleted file mode 100644
index 03f92aa3ad..0000000000
--- a/policy/protocols/conn/__load__.bro
+++ /dev/null
@@ -1,2 +0,0 @@
-@load protocols/conn/base
-
diff --git a/policy/protocols/conn/base/__load__.bro b/policy/protocols/conn/base/__load__.bro
deleted file mode 100644
index f7fea7ec91..0000000000
--- a/policy/protocols/conn/base/__load__.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load protocols/conn/base/main
-@load protocols/conn/base/contents
-@load protocols/conn/base/inactivity
diff --git a/policy/protocols/dns/__load__.bro b/policy/protocols/dns/__load__.bro
deleted file mode 100644
index 1126752796..0000000000
--- a/policy/protocols/dns/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load protocols/dns/base
diff --git a/policy/protocols/dns/base/__load__.bro b/policy/protocols/dns/base/__load__.bro
deleted file mode 100644
index 715f25d153..0000000000
--- a/policy/protocols/dns/base/__load__.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-@load protocols/dns/base/consts
-@load protocols/dns/base/main
-@load protocols/dns/base/detect
-
diff --git a/policy/protocols/ftp/__load__.bro b/policy/protocols/ftp/__load__.bro
deleted file mode 100644
index 736d496f69..0000000000
--- a/policy/protocols/ftp/__load__.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-@load protocols/ftp/utils-commands
-@load protocols/ftp/base
-@load protocols/ftp/detect
-@load protocols/ftp/software
-@load protocols/ftp/file-extract
\ No newline at end of file
diff --git a/policy/protocols/http/__load__.bro b/policy/protocols/http/__load__.bro
deleted file mode 100644
index 1d68cf3b40..0000000000
--- a/policy/protocols/http/__load__.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-##! This script is the wrapper script for HTTP analysis.
-##! :Author: Seth Hall - Inspired by the work of many others.
-
-@load protocols/http/base
\ No newline at end of file
diff --git a/policy/protocols/http/base/__load__.bro b/policy/protocols/http/base/__load__.bro
deleted file mode 100644
index 720d0746aa..0000000000
--- a/policy/protocols/http/base/__load__.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-@load protocols/http/base/main
-@load protocols/http/base/detect-sqli
-@load protocols/http/base/detect-intel
-@load protocols/http/base/file-ident
-@load protocols/http/base/file-hash
-@load protocols/http/base/file-extract
-@load protocols/http/base/software
diff --git a/policy/protocols/http/base/detect-sqli.bro b/policy/protocols/http/base/detect-sqli.bro
deleted file mode 100644
index 61bec78707..0000000000
--- a/policy/protocols/http/base/detect-sqli.bro
+++ /dev/null
@@ -1,54 +0,0 @@ -##! SQL injection detection in HTTP. - -@load frameworks/metrics -@load ./main - -module HTTP; - -export { - redef enum Notice::Type += { - SQL_Injection_Attacker, - SQL_Injection_Attack, - }; - - redef enum Metrics::ID += { - SQL_ATTACKER, - SQL_ATTACK_AGAINST, - }; - - redef enum Tags += { - ## Indicator of a URI based SQL injection attack. - URI_SQLI, - ## Indicator of client body based SQL injection attack. This is - ## typically the body content of a POST request. Not implemented yet! - POST_SQLI, - ## Indicator of a cookie based SQL injection attack. Not implemented yet! - COOKIE_SQLI, - }; - - ## This regular expression is used to match URI based SQL injections - const match_sql_injection_uri = - /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/ - | /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[aA][nN][dD])([[:blank:]]|\/\*.*?\*\/)+['"]?[^a-zA-Z&]+?=/ - | /[\?&][^[:blank:]]+?=[\-0-9%]*([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/)*(\-|\+|\|\|)([[:blank:]]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ - | /[\?&][^[:blank:]\|]+?=([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT]|\()[^a-zA-Z&]/ - | /[\?&][^[:blank:]]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ &redef; -} - -event bro_init() - 
{ - Metrics::add_filter(SQL_ATTACKER, [$break_interval=5mins, $note=SQL_Injection_Attack]); - Metrics::add_filter(SQL_ATTACK_AGAINST, [$break_interval=5mins, $note=SQL_Injection_Attack]); - } - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) &priority=3 - { - if ( match_sql_injection_uri in unescaped_URI ) - { - add c$http$tags[URI_SQLI]; - - Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1); - Metrics::add_data(SQL_ATTACK_AGAINST, [$host=c$id$resp_h], 1); - } - } \ No newline at end of file diff --git a/policy/protocols/irc/__load__.bro b/policy/protocols/irc/__load__.bro deleted file mode 100644 index 8578221110..0000000000 --- a/policy/protocols/irc/__load__.bro +++ /dev/null @@ -1,2 +0,0 @@ -@load protocols/irc/base -@load protocols/irc/dcc-send \ No newline at end of file diff --git a/policy/protocols/smtp/__load__.bro b/policy/protocols/smtp/__load__.bro deleted file mode 100644 index 08161451ac..0000000000 --- a/policy/protocols/smtp/__load__.bro +++ /dev/null @@ -1,4 +0,0 @@ -@load protocols/smtp/base - -# This should be optional -@load protocols/smtp/detect-suspicious-orig diff --git a/policy/protocols/smtp/base/__load__.bro b/policy/protocols/smtp/base/__load__.bro deleted file mode 100644 index 826efdef0d..0000000000 --- a/policy/protocols/smtp/base/__load__.bro +++ /dev/null @@ -1,2 +0,0 @@ -@load protocols/smtp/base/main -@load protocols/smtp/base/software \ No newline at end of file diff --git a/policy/protocols/ssh/__load__.bro b/policy/protocols/ssh/__load__.bro deleted file mode 100644 index 143e81ddcc..0000000000 --- a/policy/protocols/ssh/__load__.bro +++ /dev/null @@ -1,2 +0,0 @@ -@load protocols/ssh/base -@load protocols/ssh/software \ No newline at end of file diff --git a/policy/protocols/ssl/__load__.bro b/policy/protocols/ssl/__load__.bro deleted file mode 100644 index e9c9707165..0000000000 --- a/policy/protocols/ssl/__load__.bro +++ /dev/null 
@@ -1,4 +0,0 @@
-@load protocols/ssl/consts
-@load protocols/ssl/base
-@load protocols/ssl/mozilla-ca-list
-@load protocols/ssl/known-certs
\ No newline at end of file
diff --git a/policy/protocols/ssl/ssl-old.bro b/policy/protocols/ssl/ssl-old.bro
deleted file mode 100644
index 6a9cc64810..0000000000
--- a/policy/protocols/ssl/ssl-old.bro
+++ /dev/null
@@ -1,351 +0,0 @@ -##! SSL connections - -@load notice - -@load ssl-ciphers -@load ssl-errors - -module SSL; - -redef enum Notice::Type += { - ## Blanket X509 error - SSL_X509Violation, - ## Session data not consistent with connection - SSL_SessConIncon, -}; - -redef enum Log::ID += { SSL }; - -export { - type Tags: enum { - WEAK_CLIENT_CIPHER, - WEAK_SERVER_CIPHER, - WEAK_CIPHER_AGREED - }; - - type Info: record { - ts: time &log; - id: conn_id &log; - ## This is the session ID. It's optional because SSLv2 doesn't have it. - sid: string &log &optional; - # TODO: dga 3/11 The following 2 fields are not yet picked up - #not_valid_before: time &log &optional; ##< certificate valid time constraint - #not_valid_after: time &log &optional; ##< certificate valid time constraint - version: string &log &default="UNKNOWN"; ##< SSL/TLS version number - - client_cert: X509 &log &optional; ##< client certificate - server_cert: X509 &log &optional; ##< server certificate - handshake_cipher: string &log &optional; ##< agreed-upon cipher for session/conn. - tags: set[Tags] &log; - }; - - type SessionInfo: record { - ## This tracks the number of times this session has been used. - num_use: count &default=1; - - version: string &default=""; # version associated with connection - client_cert: X509 &optional; # client certificate - server_cert: X509 &optional; # server certificate - handshake_cipher: string &default=""; # agreed-upon cipher for session/conn. - }; - - ## Certificates presented by which hosts to record. - ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS - const asset_tracking = default_asset_tracking &redef; - - # If set to T, this will split local and remote certs - # into separate files. F merges everything into a single file. - #const split_log_file = F &redef; - - # If true, Bro stores the client and server cipher specs and performs - # additional tests. 
This costs an extra amount of memory (normally - # only for a short time) but enables detecting of non-intersecting - # cipher sets, for example. - const ssl_compare_cipherspecs = T &redef; - - # Whether to analyze certificates seen in SSL connections. - const ssl_analyze_certificates = T &redef; - - # If we analyze SSL certificates, we can choose to store them. - const ssl_store_certificates = T &redef; - - # Path where we dump the certificates into. If it's empty, - # use the current directory. - const ssl_store_cert_path = "certs" &redef; - - # If we analyze SSL certificates, we can choose to verify them. - const ssl_verify_certificates = T &redef; - - # This is the path where OpenSSL looks after the trusted certificates. - # If empty, the default path will be used. - const x509_trusted_cert_path = "" &redef; - - # Whether to store key-material exchanged in the handshaking phase. - const ssl_store_key_material = F &redef; - - ## The list of all detected X509 certs. - global certs: set[addr, port, string] &create_expire=1day &synchronized; - - ## Recent TLS session IDs - global recent_sessions: table[string] of SessionInfo &read_expire=1hr; - - global log_ssl: event(rec: Info); - - ## This is the set of SSL/TLS ciphers are are seen as weak to attack. 
- const weak_ciphers: set[count] = { - SSLv20_CK_RC4_128_EXPORT40_WITH_MD5, - SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSLv20_CK_DES_64_CBC_WITH_MD5, - - TLS_NULL_WITH_NULL_NULL, - TLS_RSA_WITH_NULL_MD5, - TLS_RSA_WITH_NULL_SHA, - TLS_RSA_EXPORT_WITH_RC4_40_MD5, - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, - TLS_RSA_WITH_DES_CBC_SHA, - - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - TLS_DH_DSS_WITH_DES_CBC_SHA, - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - TLS_DH_RSA_WITH_DES_CBC_SHA, - TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - TLS_DHE_DSS_WITH_DES_CBC_SHA, - TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - TLS_DHE_RSA_WITH_DES_CBC_SHA, - - TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, - TLS_DH_ANON_WITH_RC4_128_MD5, - TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, - TLS_DH_ANON_WITH_DES_CBC_SHA, - TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, - } &redef; - - const SSLv2 = 0x0002; - const SSLv3 = 0x0300; - const TLSv10 = 0x0301; - const TLSv11 = 0x0302; - const version_strings: table[count] of string = { - [SSLv2] = "SSLv2", - [SSLv3] = "SSLv3", - [TLSv10] = "TLSv10", - [TLSv11] = "TLSv11", - } &default="UNKNOWN"; - -} - -redef record connection += { - ssl: Info &optional; -}; - -# NOTE: this is a 'local' port format for your site -# --- well-known ports for ssl --------- -redef capture_filters += { - ["ssl"] = "tcp port 443", - ["nntps"] = "tcp port 563", - ["imap4-ssl"] = "tcp port 585", - ["sshell"] = "tcp port 614", - ["ldaps"] = "tcp port 636", - ["ftps-data"] = "tcp port 989", - ["ftps"] = "tcp port 990", - ["telnets"] = "tcp port 992", - ["imaps"] = "tcp port 993", - ["ircs"] = "tcp port 994", - ["pop3s"] = "tcp port 995" -}; - -global ssl_ports = { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, -}; -redef dpd_config += { [ANALYZER_SSL] = [$ports = ssl_ports] }; -redef dpd_config += { [ANALYZER_SSL_BINPAC] = [$ports = ssl_ports] }; - -event bro_init() - { - Log::create_stream(SSL, [$columns=Info, $ev=log_ssl] ); - - # The event 
engine will generate a run-time if this fails for - # reasons other than that the directory already exists. - if ( ssl_store_cert_path != "" ) - mkdir(ssl_store_cert_path); - } - -const x509_ignore_errors: set[int] = { - X509_V_OK, - # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -}; - -const x509_hot_errors: set[int] = { - X509_V_ERR_CRL_SIGNATURE_FAILURE, - X509_V_ERR_CERT_NOT_YET_VALID, - X509_V_ERR_CERT_HAS_EXPIRED, - X509_V_ERR_CERT_REVOKED, - X509_V_ERR_SUBJECT_ISSUER_MISMATCH, - # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE # for testing -}; - -@ifdef ( Weird::weird_file ) - redef Weird::weird_action += { - [["SSLv2: Unknown CIPHER-SPEC in CLIENT-HELLO!", - "SSLv2: Client has CipherSpecs > MAX_CIPHERSPEC_SIZE", - "unexpected_SSLv3_record", - "SSLv3_data_without_full_handshake"]] = Weird::WEIRD_IGNORE - }; -@endif - -function set_session(c: connection) - { - local id = c$id; - - if ( ! c?$ssl ) - { - local info: Info; - info$ts=network_time(); - info$id=id; - c$ssl = info; - } - } - -function get_session_info(s: SSL_sessionID): SessionInfo - { - local sess_info: SessionInfo; - - local index = md5_hash(s); - recent_sessions[index] = sess_info; - return sess_info; - } - -event ssl_certificate(c: connection, cert: X509, is_server: bool) - { - set_session(c); - - if ( [c$id$resp_h, c$id$resp_p, cert$subject] !in certs ) - add certs[c$id$resp_h, c$id$resp_p, cert$subject]; - - if( is_server ) - { - c$ssl$server_cert = cert; - - # We have not filled in the field for the master session - # for this connection. Do it now, but only if this is not a - # SSLv2 connection (no session information in that case). 
- if ( c$ssl$sid in recent_sessions && - recent_sessions[c$ssl$sid]?$server_cert ) - recent_sessions[c$ssl$sid]$server_cert$subject = cert$subject; - } - else - { - c$ssl$client_cert = cert; - } - } - -event ssl_conn_attempt(c: connection, version: count, ciphers: cipher_suites_list) - { - set_session(c); - - c$ssl$version = version_strings[version]; - - for ( cs in ciphers ) - { - if ( cs in weak_ciphers ) - { - add c$ssl$tags[WEAK_CLIENT_CIPHER]; - #event ssl_conn_weak( - # fmt("SSL client supports weak cipher: %s (0x%x)", - # ssl_cipher_desc[cs], cs), c); - } - } - } - -event ssl_conn_server_reply(c: connection, version: count, - ciphers: cipher_suites_list) - { - set_session(c); - - #conn$log$version = version_strings[version]; - - for ( cs in ciphers ) - { - if ( cs in weak_ciphers ) - { - add c$ssl$tags[WEAK_SERVER_CIPHER]; - } - } - } - -event ssl_conn_established(c: connection, version: count, cipher_suite: count) &priority=1 - { - set_session(c); - - c$ssl$version = version_strings[version]; - - if ( cipher_suite in weak_ciphers ) - add c$ssl$tags[WEAK_CIPHER_AGREED]; - - # log the connection - Log::write(SSL, c$ssl); - } - -event process_X509_extensions(c: connection, ex: X509_extension) - { - set_session(c); - - #local msg = fmt( "%.6f X.509 extensions: ", network_time() ); - #for ( i in ex ) - # msg = fmt("%s, %s", msg, ex[i]); - } - -event ssl_session_insertion(c: connection, id: SSL_sessionID) - { - set_session(c); - - local cid = c$id; - c$ssl$sid=md5_hash(id); - - # This will create a new session if one doesn't already exist. - local session = get_session_info(id); - session$version=c$ssl$version; - if ( c$ssl?$client_cert ) session$client_cert=c$ssl$client_cert; - if ( c$ssl?$server_cert ) session$server_cert=c$ssl$server_cert; - if ( c$ssl?$handshake_cipher )session$handshake_cipher=c$ssl$handshake_cipher; - } - -event ssl_conn_reused(c: connection, session_id: SSL_sessionID) - { - set_session(c); - - # We cannot track sessions with SSLv2. 
- if ( c$ssl$version == version_strings[SSLv2] ) - return; - - local session = get_session_info(session_id); - ++session$num_use; - - # At this point, the connection values have been set. We can then - # compare session and connection values with some confidence. - if ( session$version != c$ssl$version || - session$handshake_cipher != c$ssl$handshake_cipher ) - { - NOTICE([$note=SSL_SessConIncon, $conn=c, $msg="session violation"]); - } - } - -event ssl_X509_error(c: connection, err: int, err_string: string) - { - if ( err in x509_ignore_errors ) - return; - - set_session(c); - - local error = - err in x509_errors ? x509_errors[err] : "unknown X.509 error"; - - local severity = "warning"; - if ( err in x509_hot_errors ) - { - NOTICE([$note=SSL_X509Violation, $conn=c, $msg=error]); - severity = "error"; - } - } - diff --git a/policy/protocols/syslog/__load__.bro b/policy/protocols/syslog/__load__.bro deleted file mode 100644 index 0f09935445..0000000000 --- a/policy/protocols/syslog/__load__.bro +++ /dev/null @@ -1,2 +0,0 @@ -@load protocols/syslog/consts -@load protocols/syslog/base \ No newline at end of file diff --git a/policy/site/local.bro b/policy/site/local.bro deleted file mode 100644 index 4a770af2cf..0000000000 --- a/policy/site/local.bro +++ /dev/null 
@@ -1,32 +0,0 @@
-##! Local site policy. Customize as appropriate.
-
-# DPD should typically be loaded. It enables the subsystem for detecting
-# protocols on non-standard ports and attaching the appropriate analyzer.
-@load frameworks/dpd
-
-# Load some of the commonly used frameworks.
-@load frameworks/notice
-@load frameworks/signatures
-@load frameworks/metrics
-@load frameworks/intel
-@load frameworks/software
-@load frameworks/reporter
-
-# Load a few extra scripts that aren't loaded by default.
-@load frameworks/packet-filter/netstats
-@load misc/loaded-scripts
-
-# Load most of the protocol analysis scripts.
-@load protocols/conn
-@load protocols/dns
-@load protocols/ftp
-@load protocols/http
-@load protocols/irc
-@load protocols/mime
-@load protocols/smtp
-@load protocols/ssh
-@load protocols/ssl
-@load protocols/syslog
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
diff --git a/policy/test-all.bro b/policy/test-all.bro
deleted file mode 100644
index 0ddde7f31b..0000000000
--- a/policy/test-all.bro
+++ /dev/null
@@ -1,113 +0,0 @@
-# This file loads ALL policy scripts that are part of the Bro distribution.
-#
-# This is rarely makes sense, and is for testing only.
-#
-# Note that we have unit test that makes sure that all policy files shipped are
-# actually loaded here. If we have files that are part of the distribution yet
-# can't be loaded here, these must still be listed here with their load command
-# commented out.
-
-@load all.bro
-# @load test-all.bro
-@load tuning/__load__.bro
-@load tuning/defaults/__load__.bro
-@load tuning/defaults/packet-fragments.bro
-@load tuning/defaults/remove-high-volume-notices.bro
-@load tuning/track-all-assets.bro
-@load utils/addrs.bro
-@load utils/conn-ids.bro
-@load utils/directions-and-hosts.bro
-@load utils/files.bro
-@load utils/numbers.bro
-@load utils/paths.bro
-@load utils/pattern.bro
-@load utils/strings.bro
-@load utils/thresholds.bro
-# @load frameworks/communication/__load__.bro
-# @load frameworks/communication/base.bro
-# @load frameworks/communication/listen-clear.bro
-# @load frameworks/communication/listen-ssl.bro
-@load frameworks/dpd/__load__.bro
-@load frameworks/dpd/base/main.bro
-@load frameworks/dpd/packet-segment-logging.bro
-@load frameworks/intel/__load__.bro
-@load frameworks/intel/base.bro
-@load frameworks/logging/__load__.bro
-@load frameworks/logging/base.bro
-@load frameworks/logging/plugins/ascii.bro
-@load frameworks/metrics/__load__.bro
-@load frameworks/metrics/base/main.bro
-@load frameworks/notice/__load__.bro
-# @load frameworks/notice/action-filters.bro
-# @load frameworks/notice/base.bro
-# @load frameworks/notice/weird.bro
-@load frameworks/packet-filter/__load__.bro
-@load frameworks/packet-filter/netstats.bro
-@load frameworks/signatures/__load__.bro
-@load frameworks/signatures/base.bro
-@load frameworks/software/__load__.bro
-@load frameworks/software/base/main.bro
-@load frameworks/software/vulnerable.bro
-# @load hot.conn.bro
-@load integration/barnyard2/__load__.bro
-@load 
integration/barnyard2/base.bro
-@load integration/barnyard2/event.bro
-@load integration/barnyard2/types.bro
-@load protocols/conn/__load__.bro
-@load protocols/conn/base/main.bro
-@load protocols/conn/base/contents.bro
-@load protocols/conn/base/inactivity.bro
-@load protocols/conn/known-hosts.bro
-@load protocols/conn/known-services.bro
-@load protocols/dns/__load__.bro
-@load protocols/dns/auth-addl.bro
-@load protocols/dns/base/main.bro
-@load protocols/dns/base/consts.bro
-@load protocols/dns/base/detect.bro
-@load protocols/ftp/__load__.bro
-@load protocols/ftp/base.bro
-@load protocols/ftp/detect.bro
-@load protocols/ftp/file-extract.bro
-@load protocols/ftp/software.bro
-@load protocols/ftp/utils-commands.bro
-@load protocols/http/__load__.bro
-@load protocols/http/base/main.bro
-@load protocols/http/base/detect-intel.bro
-@load protocols/http/base/detect-sqli.bro
-@load protocols/http/base/file-extract.bro
-@load protocols/http/base/file-hash.bro
-@load protocols/http/base/file-ident.bro
-@load protocols/http/base/software.bro
-@load protocols/http/base/utils.bro
-@load protocols/http/detect-MHR.bro
-@load protocols/http/detect-webapps.bro
-@load protocols/http/headers.bro
-#@load protocols/http/partial-content.bro
-@load protocols/http/var-extraction-cookies.bro
-@load protocols/http/var-extraction-uri.bro
-@load protocols/irc/__load__.bro
-@load protocols/irc/base.bro
-@load protocols/irc/dcc-send.bro
-@load protocols/mime/__load__.bro
-@load protocols/mime/base.bro
-@load protocols/mime/file-extract.bro
-@load protocols/mime/file-hash.bro
-@load protocols/mime/file-ident.bro
-@load protocols/smtp/__load__.bro
-@load protocols/smtp/base/main.bro
-@load protocols/smtp/base/software.bro
-@load protocols/smtp/detect-suspicious-orig.bro
-@load protocols/ssh/__load__.bro
-@load protocols/ssh/base.bro
-@load protocols/ssh/software.bro
-@load protocols/ssl/__load__.bro
-@load protocols/ssl/base.bro
-@load protocols/ssl/consts.bro
-@load 
protocols/ssl/known-certs.bro
-@load protocols/ssl/mozilla-ca-list.bro
-# @load protocols/ssl/ssl-old.bro
-@load protocols/syslog/__load__.bro
-@load protocols/syslog/base.bro
-@load protocols/syslog/consts.bro
-@load protocols/rpc/base.bro
-@load site/local
diff --git a/policy/tuning/defaults/__load__.bro b/policy/tuning/defaults/__load__.bro
deleted file mode 100644
index 840c75d1de..0000000000
--- a/policy/tuning/defaults/__load__.bro
+++ /dev/null
@@ -1,2 +0,0 @@
-@load ./remove-high-volume-notices
-@load ./packet-fragments
\ No newline at end of file
diff --git a/policy/CMakeLists.txt b/scripts/CMakeLists.txt
similarity index 92%
rename from policy/CMakeLists.txt
rename to scripts/CMakeLists.txt
index 10a92a550d..5979e6befd 100644
--- a/policy/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -1,7 +1,6 @@
 include(InstallPackageConfigFile)
 install(DIRECTORY ./ DESTINATION ${POLICYDIR} FILES_MATCHING
- PATTERN "summaries" EXCLUDE
 PATTERN "all.bro" EXCLUDE
 PATTERN "site/local.bro" EXCLUDE
 PATTERN "bro.init"
diff --git a/policy/all.bro b/scripts/all.bro
similarity index 60%
rename from policy/all.bro
rename to scripts/all.bro
index 72fe661003..60762316bb 100644
--- a/policy/all.bro
+++ b/scripts/all.bro
@@ -1,15 +1,15 @@
 ##! This script only aims at loading all of the base analysis scripts.
-@load protocols/conn
-@load protocols/dns
-@load protocols/ftp
-@load protocols/http
-@load protocols/irc
-@load protocols/mime
-@load protocols/smtp
-@load protocols/ssh
+#@load protocols/conn
+#@load protocols/dns
+#@load protocols/ftp
+#@load protocols/http
+#@load protocols/irc
+#@load protocols/mime
+#@load protocols/smtp
+#@load protocols/ssh
 @load protocols/ssl
-@load protocols/syslog
+#@load protocols/syslog
 @load frameworks/metrics
 @load frameworks/notice
diff --git a/scripts/base/all.bro b/scripts/base/all.bro
new file mode 100644
index 0000000000..91dd3511c0
--- /dev/null
+++ b/scripts/base/all.bro
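Review bot: The surviving `PATTERN "all.bro" EXCLUDE` in this hunk now matches more than one file: CMake compares an install(DIRECTORY) PATTERN against the tail of each path, so once this commit adds `scripts/base/all.bro` next to `scripts/all.bro`, the new base loader would be left out of the installed tree as well, if I read the PATTERN semantics right. `PATTERN "site/local.bro" EXCLUDE` likewise still names a file this commit deletes (`policy/site/local.bro`), with no replacement under `scripts/` visible in the diff. Either switch the top-level exclusion to a REGEX anchored on the scripts root, or inspect the install output and drop the stale pattern; the install() call's closing parenthesis lies outside the hunk.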
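Review bot: The header line `##! This script only aims at loading all of the base analysis scripts.` no longer describes the body: nine of the ten protocol loads are commented out and only ssl, metrics and notice remain, with nothing saying why or whether the commented lines are meant to come back. A reader cannot tell whether this is the intended steady state or a half-finished step of the policy/ to scripts/ move. If the base versions are now meant to come from `scripts/base/all.bro`, delete the commented lines and update the header; otherwise add a comment above them such as `# Disabled until the protocol scripts are moved under base/`.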
@@ -0,0 +1,44 @@
+##! This script loads everything in the base/ script directory. If you want
+##! to run Bro without all of these scripts loaded by default, you can define
+##! the BRO_NO_BASE_SCRIPTS environment variable to any value. You can also
+##! copy the "@load" lines from this script to your own script to load only
+##! the scripts that you actually want.
+
+@if ( getenv("BRO_NO_BASE_SCRIPTS") == "" )
+
+@load base/utils/site
+@load base/utils/addrs
+@load base/utils/conn-ids
+@load base/utils/directions-and-hosts
+@load base/utils/files
+@load base/utils/numbers
+@load base/utils/paths
+@load base/utils/patterns
+@load base/utils/strings
+@load base/utils/thresholds
+
+# This has some weird interplay between types and BiFs so it's loaded in bro.init
+#@load base/frameworks/logging
+@load base/frameworks/notice
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/frameworks/packet-filter
+@load base/frameworks/software
+@load base/frameworks/intel
+@load base/frameworks/metrics
+@load base/frameworks/communication
+@load base/frameworks/control
+@load base/frameworks/cluster
+@load base/frameworks/reporter
+
+@load base/protocols/conn
+@load base/protocols/dns
+@load base/protocols/ftp
+@load base/protocols/http
+@load base/protocols/irc
+@load base/protocols/smtp
+@load base/protocols/ssh
+@load base/protocols/ssl
+@load base/protocols/syslog
+
+@endif
\ No newline at end of file
diff --git a/policy/bro.init b/scripts/base/bro.init
similarity index 99%
rename from policy/bro.init
rename to scripts/base/bro.init
index fda8cfd6f4..30674fafc7 100644
--- a/policy/bro.init
+++ b/scripts/base/bro.init
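Review bot: The header says BRO_NO_BASE_SCRIPTS can be set "to any value", but the guard is `getenv("BRO_NO_BASE_SCRIPTS") == ""`, so a variable that is exported but empty still loads everything; the doc line should read `##! the BRO_NO_BASE_SCRIPTS environment variable to any non-empty value.` Because the rest of this commit strips the per-script `@load` dependencies (notice, signatures, utils, packet-filter) from the moved files, the order in this file is now the only thing that satisfies them, which deserves a comment such as `# Order matters: later scripts rely on earlier ones already being loaded.` base/protocols/mime is moved under base/ in this same commit but is not listed here, so it is no longer loaded by default unless something else pulls it in — worth confirming that is intended. Since one environment variable now silently disables the notice, logging and packet-filter frameworks, the `@endif` line could carry a short note naming what is skipped, and the file is missing its trailing newline.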
@@ -343,7 +343,7 @@ function add_signature_file(sold: string, snew: string): string } global signature_files = "" &add_func = add_signature_file; -const passive_fingerprint_file = "signatures/p0f.fp" &redef; +const passive_fingerprint_file = "base/misc/p0f.fp" &redef; # TODO: testing to see if I can remove these without causing problems. #const ftp = 21/tcp; @@ -1483,11 +1483,6 @@ const skip_http_data = F &redef; # UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro. const parse_udp_tunnels = F &redef; -# Load the site utilities. -@load utils/site - -# Load the logging framework. -@load frameworks/logging - -# Load the packet filtering framework. -@load frameworks/packet-filter +# Load the logging framework here because it uses fairly deep integration with +# BiFs and script-land defined types. +@load base/frameworks/logging diff --git a/policy/frameworks/cluster/base/__load__.bro b/scripts/base/frameworks/cluster/__load__.bro similarity index 77% rename from policy/frameworks/cluster/base/__load__.bro rename to scripts/base/frameworks/cluster/__load__.bro index 64bee5e1ad..c2ff70144c 100644 --- a/policy/frameworks/cluster/base/__load__.bro +++ b/scripts/base/frameworks/cluster/__load__.bro @@ -1,5 +1,5 @@ # Load the core cluster support. -@load frameworks/cluster/base/main +@load ./main @if ( Cluster::node != "" ) @@ -9,10 +9,6 @@ redef peer_description = Cluster::node; # Add a cluster prefix. @prefixes += cluster -# Only load the communication framework if it really looks like someone is -# trying to start up a cluster node. -@load frameworks/communication - # Make this a controllable node since all cluster nodes are inherently # controllable. @load frameworks/control/controllee 
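Review bot: The removed `@load utils/site` and `@load frameworks/packet-filter` lines are now only reached through base/all.bro, which is skipped entirely when BRO_NO_BASE_SCRIPTS is set, so the packet-filter framework that applies capture_filters/restrict_filters is no longer guaranteed to be loaded; if anything in bro.init below this hunk still expects PacketFilter or the site utilities, that mode breaks. The surviving comment should point the reader to the new location: `# Site utilities and the packet-filter framework are loaded from base/all.bro (skipped when BRO_NO_BASE_SCRIPTS is set).` The relocated `passive_fingerprint_file` default in the earlier hunk of this file is presumably resolved against BROPATH the same way signature_files is; a comment saying so would keep the two path conventions from drifting apart.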
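Review bot: Dropping `@load frameworks/communication` from the cluster loader leaves the cluster scripts relying on base/all.bro, where the new scripts/base/frameworks/communication/__load__.bro only loads its main script when ENABLE_COMMUNICATION is set in the environment; the `redef Communication::listen_port_clear` in this file's next hunk and setup-connections then refer to an identifier that was never defined, which I would expect to fail at parse time for any node started without that variable. Until the Expr.cc workaround is gone, either gate the listening block on the same condition or state the requirement at the top of this file, e.g. `# Cluster nodes need the communication framework: set ENABLE_COMMUNICATION in the environment.` The same dependency applies to frameworks/control/controllee loaded on the hunk's last context line.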
@@ -25,7 +21,7 @@ redef peer_description = Cluster::node; @if ( Cluster::node in Cluster::nodes ) -@load frameworks/cluster/base/setup-connections +@load ./setup-connections # Don't start the listening process until we're a bit more sure that the # cluster framework is actually being enabled. @@ -35,15 +31,15 @@ redef peer_description = Cluster::node; redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p; @if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER ) -@load frameworks/cluster/base/node/manager +@load ./nodes/manager @endif @if ( Cluster::nodes[Cluster::node]$node_type == Cluster::PROXY ) -@load frameworks/cluster/base/node/proxy +@load ./nodes/proxy @endif @if ( Cluster::nodes[Cluster::node]$node_type == Cluster::WORKER ) -@load frameworks/cluster/base/node/worker +@load ./nodes/worker @endif @endif diff --git a/policy/frameworks/cluster/base/main.bro b/scripts/base/frameworks/cluster/main.bro similarity index 96% rename from policy/frameworks/cluster/base/main.bro rename to scripts/base/frameworks/cluster/main.bro index 700721aac8..0fc793e7f5 100644 --- a/policy/frameworks/cluster/base/main.bro +++ b/scripts/base/frameworks/cluster/main.bro @@ -1,7 +1,3 @@ -@load utils/numbers - -@load frameworks/notice -@load frameworks/control module Cluster; @@ -60,6 +56,7 @@ export { event bro_init() { + # If a node is given, but it's an unknown name we need to fail. if ( node != "" && node !in nodes ) { local msg = "You didn't supply a valid node in the Cluster::nodes configuration."; diff --git a/policy/frameworks/cluster/base/node/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.bro similarity index 84% rename from policy/frameworks/cluster/base/node/manager.bro rename to scripts/base/frameworks/cluster/nodes/manager.bro index 3a4dbac83f..f4db54fc50 100644 --- a/policy/frameworks/cluster/base/node/manager.bro +++ b/scripts/base/frameworks/cluster/nodes/manager.bro 
@@ -2,7 +2,8 @@ ##! ##! The manager is passive (the workers connect to us), and once connected ##! the manager registers for the events on the workers that are needed -##! to get the desired data from the workers. +##! to get the desired data from the workers. This script will be +##! automatically loaded if necessary based on the type of node being started. ##! This is where the cluster manager sets it's specific settings for other ##! frameworks and in the core. diff --git a/policy/frameworks/cluster/base/node/proxy.bro b/scripts/base/frameworks/cluster/nodes/proxy.bro similarity index 100% rename from policy/frameworks/cluster/base/node/proxy.bro rename to scripts/base/frameworks/cluster/nodes/proxy.bro diff --git a/policy/frameworks/cluster/base/node/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.bro similarity index 100% rename from policy/frameworks/cluster/base/node/worker.bro rename to scripts/base/frameworks/cluster/nodes/worker.bro diff --git a/policy/frameworks/cluster/base/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro similarity index 98% rename from policy/frameworks/cluster/base/setup-connections.bro rename to scripts/base/frameworks/cluster/setup-connections.bro index 3a6df58626..c8a187fb6b 100644 --- a/policy/frameworks/cluster/base/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro @@ -1,6 +1,3 @@ -@load ./main -@load frameworks/communication - module Cluster; event bro_init() &priority=9 diff --git a/scripts/base/frameworks/communication/__load__.bro b/scripts/base/frameworks/communication/__load__.bro new file mode 100644 index 0000000000..a854726f04 --- /dev/null +++ b/scripts/base/frameworks/communication/__load__.bro @@ -0,0 +1,5 @@ + +# TODO: get rid of this as soon as the Expr.cc hack is changed. +@if ( getenv("ENABLE_COMMUNICATION") != "" ) +@load ./main +@endif \ No newline at end of file 
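Review bot: The gate `@if ( getenv("ENABLE_COMMUNICATION") != "" )` decides whether Bro will open any remote connections or listening ports at all, yet a node that needs them gets no message when the variable is unset — the Communication module simply does not exist. Until the Expr.cc dependency is removed, a `##!` header line documenting the variable would make the behaviour discoverable, and the TODO should name the intended end state so the next person knows to drop the `@if` rather than the file: `# TODO: once the Expr.cc hack is removed, drop the @if and load ./main unconditionally.` The file is also missing its trailing newline.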
diff --git a/policy/frameworks/communication/base/main.bro b/scripts/base/frameworks/communication/main.bro similarity index 99% rename from policy/frameworks/communication/base/main.bro rename to scripts/base/frameworks/communication/main.bro index d83d7c9cca..6cc9812b47 100644 --- a/policy/frameworks/communication/base/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -1,8 +1,6 @@ ##! Connect to remote Bro or Broccoli instances to share state and/or transfer ##! events. -@load frameworks/packet-filter - module Communication; export { diff --git a/scripts/base/frameworks/control/__load__.bro b/scripts/base/frameworks/control/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/control/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/policy/frameworks/control/base/main.bro b/scripts/base/frameworks/control/main.bro similarity index 99% rename from policy/frameworks/control/base/main.bro rename to scripts/base/frameworks/control/main.bro index 9bcd4bcbe5..ebb8b08002 100644 --- a/policy/frameworks/control/base/main.bro +++ b/scripts/base/frameworks/control/main.bro @@ -6,7 +6,7 @@ ##! bro frameworks/control/controller Control::host= Control::port= Control::cmd= [Control::arg=] ##! ##! A controllee only needs to load the controllee script in addition -##! to the specific analysis scripts desired. It may also need a noded +##! to the specific analysis scripts desired. It may also need a node ##! configured as a controller node in the communications nodes configuration. ##! bro frameworks/control/controllee ##! diff --git a/scripts/base/frameworks/dpd/__load__.bro b/scripts/base/frameworks/dpd/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/dpd/__load__.bro @@ -0,0 +1 @@ +@load ./main 
diff --git a/policy/frameworks/dpd/base/dpd.sig b/scripts/base/frameworks/dpd/dpd.sig similarity index 100% rename from policy/frameworks/dpd/base/dpd.sig rename to scripts/base/frameworks/dpd/dpd.sig diff --git a/policy/frameworks/dpd/base/main.bro b/scripts/base/frameworks/dpd/main.bro similarity index 97% rename from policy/frameworks/dpd/base/main.bro rename to scripts/base/frameworks/dpd/main.bro index fc361f4950..9bfd7f615b 100644 --- a/policy/frameworks/dpd/base/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -1,12 +1,10 @@ ##! Activates port-independent protocol detection and selectively disables ##! analyzers if protocol violations occur. -@load frameworks/signatures - module DPD; ## Add the DPD signatures to the signature framework. -redef signature_files += "frameworks/dpd/base/dpd.sig"; +redef signature_files += "base/frameworks/dpd/dpd.sig"; export { redef enum Log::ID += { DPD }; diff --git a/scripts/base/frameworks/intel/__load__.bro b/scripts/base/frameworks/intel/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/intel/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/policy/frameworks/intel/base.bro b/scripts/base/frameworks/intel/main.bro similarity index 99% rename from policy/frameworks/intel/base.bro rename to scripts/base/frameworks/intel/main.bro index 40dfa4f447..9849d4df42 100644 --- a/policy/frameworks/intel/base.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -20,8 +20,6 @@ # canary # friend -@load frameworks/notice - module Intel; export { diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.bro new file mode 100644 index 0000000000..3021aed706 --- /dev/null +++ b/scripts/base/frameworks/logging/__load__.bro @@ -0,0 +1,3 @@ +@load ./main + +@load ./writers/ascii 
diff --git a/policy/frameworks/logging/base.bro b/scripts/base/frameworks/logging/main.bro similarity index 99% rename from policy/frameworks/logging/base.bro rename to scripts/base/frameworks/logging/main.bro index cdb7cbc575..c7ffea84cc 100644 --- a/policy/frameworks/logging/base.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -46,7 +46,7 @@ export { ## Output path for recording entries matching this ## filter. - ## + ## ## The specific interpretation of the string is up to ## the used writer, and may for example be the destination ## file name. Generally, filenames are expected to given @@ -140,8 +140,6 @@ global filters: table[ID, string] of Filter; @load logging.bif.bro # Needs Filter and Stream defined. -module Log; - function default_rotation_path_func(info: RotationInfo) : string { local date_fmt = rotation_control[info$writer, info$path]$date_fmt; diff --git a/policy/frameworks/logging/plugins/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro similarity index 100% rename from policy/frameworks/logging/plugins/ascii.bro rename to scripts/base/frameworks/logging/writers/ascii.bro diff --git a/scripts/base/frameworks/metrics/__load__.bro b/scripts/base/frameworks/metrics/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/metrics/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/policy/frameworks/metrics/conn-example.bro b/scripts/base/frameworks/metrics/conn-example.bro similarity index 100% rename from policy/frameworks/metrics/conn-example.bro rename to scripts/base/frameworks/metrics/conn-example.bro diff --git a/policy/frameworks/metrics/http-example.bro b/scripts/base/frameworks/metrics/http-example.bro similarity index 96% rename from policy/frameworks/metrics/http-example.bro rename to scripts/base/frameworks/metrics/http-example.bro index 8fe78861b9..a91fdbb47d 100644 --- a/policy/frameworks/metrics/http-example.bro +++ b/scripts/base/frameworks/metrics/http-example.bro 
@@ -1,5 +1,4 @@ @load frameworks/metrics -@load protocols/http redef enum Metrics::ID += { HTTP_REQUESTS_BY_STATUS_CODE, diff --git a/policy/frameworks/metrics/base/main.bro b/scripts/base/frameworks/metrics/main.bro similarity index 100% rename from policy/frameworks/metrics/base/main.bro rename to scripts/base/frameworks/metrics/main.bro diff --git a/policy/frameworks/notice/base/__load__.bro b/scripts/base/frameworks/notice/__load__.bro similarity index 54% rename from policy/frameworks/notice/base/__load__.bro rename to scripts/base/frameworks/notice/__load__.bro index 51a76b3411..bbc1fcae0d 100644 --- a/policy/frameworks/notice/base/__load__.bro +++ b/scripts/base/frameworks/notice/__load__.bro @@ -1,9 +1,12 @@ @load ./main @load ./weird -# There should be no overhead imposed by loading notice actions so we +# There should be no overhead imposed by loading notice actions so we # load them all. @load ./actions/drop @load ./actions/email_admin @load ./actions/page +# Load the script to add hostnames to emails by default. +# NOTE: this exposes a memleak in async DNS lookups. +#@load ./extend-email/hostnames diff --git a/policy/frameworks/notice/base/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.bro similarity index 100% rename from policy/frameworks/notice/base/actions/drop.bro rename to scripts/base/frameworks/notice/actions/drop.bro diff --git a/policy/frameworks/notice/base/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.bro similarity index 100% rename from policy/frameworks/notice/base/actions/email_admin.bro rename to scripts/base/frameworks/notice/actions/email_admin.bro diff --git a/policy/frameworks/notice/base/actions/page.bro b/scripts/base/frameworks/notice/actions/page.bro similarity index 100% rename from policy/frameworks/notice/base/actions/page.bro rename to scripts/base/frameworks/notice/actions/page.bro 
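Review bot: The surviving `@load frameworks/metrics` still uses the pre-move path, while this file now lives in scripts/base/frameworks/metrics and the framework is loaded as base/frameworks/metrics from base/all.bro; unless a scripts/policy/frameworks/metrics exists on the new BROPATH, this example presumably fails to load. As the rest of the move does, the line could become relative: `@load ./main`. Since `@load protocols/http` is removed here, the example also depends on base/all.bro having been processed, which a one-line comment (`# Expects the HTTP analysis scripts from base/all.bro to be loaded.`) would make explicit.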
diff --git a/policy/frameworks/notice/extend-email/hostnames.bro b/scripts/base/frameworks/notice/extend-email/hostnames.bro similarity index 100% rename from policy/frameworks/notice/extend-email/hostnames.bro rename to scripts/base/frameworks/notice/extend-email/hostnames.bro diff --git a/policy/frameworks/notice/base/main.bro b/scripts/base/frameworks/notice/main.bro similarity index 98% rename from policy/frameworks/notice/base/main.bro rename to scripts/base/frameworks/notice/main.bro index cbab9a26bc..2f39343a42 100644 --- a/policy/frameworks/notice/base/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -77,9 +77,7 @@ export { ## Textual description for the peer that raised this notice. peer_descr: string &log &optional; - ## The actions that are to be applied to this notice. The set[count] - ## is to indicate which :bro:id:`Notice::policy` items - ## triggered the action being added to the notice. + ## The actions which have been applied to this notice. actions: set[Notice::Action] &log &optional; ## These are policy items that returned T and applied their action diff --git a/policy/frameworks/notice/base/weird.bro b/scripts/base/frameworks/notice/weird.bro similarity index 99% rename from policy/frameworks/notice/base/weird.bro rename to scripts/base/frameworks/notice/weird.bro index 6cbaa25a4a..4718dc204a 100644 --- a/policy/frameworks/notice/base/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -1,5 +1,3 @@ -@load frameworks/notice -@load utils/conn-ids module Weird; diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro new file mode 100644 index 0000000000..1d72e1ebe0 --- /dev/null +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -0,0 +1,2 @@ +@load ./main +@load ./netstats 
diff --git a/policy/frameworks/packet-filter/base/main.bro b/scripts/base/frameworks/packet-filter/main.bro similarity index 99% rename from policy/frameworks/packet-filter/base/main.bro rename to scripts/base/frameworks/packet-filter/main.bro index a2336b7d61..b030e763f0 100644 --- a/policy/frameworks/packet-filter/base/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -4,8 +4,6 @@ ##! open filter and all filters defined in Bro scripts with the ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. -@load frameworks/notice - module PacketFilter; export { diff --git a/policy/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro similarity index 97% rename from policy/frameworks/packet-filter/netstats.bro rename to scripts/base/frameworks/packet-filter/netstats.bro index bd95d95ff0..887c7222e0 100644 --- a/policy/frameworks/packet-filter/netstats.bro +++ b/scripts/base/frameworks/packet-filter/netstats.bro @@ -1,7 +1,5 @@ ##! This script reports on packet loss from the various packet sources. -@load frameworks/notice - module PacketFilter; export { diff --git a/scripts/base/frameworks/reporter/__load__.bro b/scripts/base/frameworks/reporter/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/reporter/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/policy/frameworks/reporter/base.bro b/scripts/base/frameworks/reporter/main.bro similarity index 100% rename from policy/frameworks/reporter/base.bro rename to scripts/base/frameworks/reporter/main.bro diff --git a/scripts/base/frameworks/signatures/__load__.bro b/scripts/base/frameworks/signatures/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/signatures/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
diff --git a/policy/frameworks/signatures/base.bro b/scripts/base/frameworks/signatures/main.bro similarity index 98% rename from policy/frameworks/signatures/base.bro rename to scripts/base/frameworks/signatures/main.bro index 767a52cf68..9f218ab144 100644 --- a/policy/frameworks/signatures/base.bro +++ b/scripts/base/frameworks/signatures/main.bro @@ -1,6 +1,4 @@ -##! Script level signature support script. - -@load frameworks/notice +##! Script level signature support. module Signatures; @@ -266,7 +264,8 @@ event signature_match(state: signature_state, msg: string, data: string) orig, vcount, resp); Log::write(SIGNATURES, - [$note=Multiple_Signatures, + [$ts=network_time(), + $note=Multiple_Signatures, $src_addr=orig, $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount, $event_msg=fmt("%s different signatures triggered", vcount), diff --git a/scripts/base/frameworks/software/__load__.bro b/scripts/base/frameworks/software/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/software/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/policy/frameworks/software/base/main.bro b/scripts/base/frameworks/software/main.bro similarity index 89% rename from policy/frameworks/software/base/main.bro rename to scripts/base/frameworks/software/main.bro index 6ac520fa5f..e35902aff1 100644 --- a/policy/frameworks/software/base/main.bro +++ b/scripts/base/frameworks/software/main.bro 
@@ -4,20 +4,9 @@ ##! that they analyze. The entry point for providing new software detections ##! to this framework is through the :bro:id:`Software::found` function. -@load frameworks/notice -@load utils/directions-and-hosts -@load utils/numbers - module Software; export { - redef enum Notice::Type += { - ## For certain softwares, a version changing may matter. In that case, - ## this notice will be generated. Software that matters if the version - ## changes can be configured with the - ## :bro:id:`Software::interesting_version_changes` variable. - Software_Version_Change, - }; redef enum Log::ID += { SOFTWARE }; @@ -58,7 +47,8 @@ export { ## default, only software that is "interesting" due to a change ## in version or it being currently unknown is sent to the ## logging framework. This can be set to T to force the record - ## to be sent to the logging framework. + ## to be sent to the logging framework if some amount of this tracking + ## needs to happen in a specific way to the software. force_log: bool &default=F; }; @@ -66,17 +56,6 @@ export { ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS const asset_tracking = LOCAL_HOSTS &redef; - ## Some software is more interesting when the version changes and this - ## a set of all software that should raise a notice when a different - ## version is seen on a host. - const interesting_version_changes: set[string] = { - "SSH" - } &redef; - - ## Some software is more interesting when the version changes and this - ## a set of all software that should raise a notice when a different - ## version is seen on a host. - const interesting_type_changes: set[string] = set(); ## Other scripts should call this function when they detect software. ## unparsed_version: This is the full string from which the 
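Review bot: With `interesting_version_changes`, `interesting_type_changes` and the `Software_Version_Change` notice type removed here, and the matching NOTICE block removed in the `@@ -394,17 +374,6 @@` hunk, a host that suddenly advertises a different SSH version is no longer surfaced as a notice, only as another SOFTWARE log line; that was the one detection this framework produced on its own. If the intent is to move it to a policy-layer script (the doc example already loads frameworks/software/vulnerable), the module header should say so, e.g. `##! Version-change notices are no longer raised here; see the policy-layer software scripts.`; otherwise the `force_log` knob in the middle hunk has lost its alerting counterpart. The export block continues outside this hunk.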
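Review bot: The new wording on the `force_log` field, `## to be sent to the logging framework if some amount of this tracking` / `## needs to happen in a specific way to the software.`, is hard to parse and does not tell a caller when to set the flag. Something like `## Set to T to log every observation of this software, even when the version has not changed.` describes the effect the handler actually gives it, `if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 ) return;` in the later hunk. The export block continues outside this hunk.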
@@ -384,7 +363,8 @@ event software_register(id: conn_id, info: Info) tracked[info$host] = table(); local ts = tracked[info$host]; - # Software already registered for this host? + # Software already registered for this host? We don't want to endlessly + # log the same thing. if ( info$name in ts ) { local old = ts[info$name]; @@ -394,17 +374,6 @@ event software_register(id: conn_id, info: Info) # But if the $force_log value is set then we'll continue. if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 ) return; - - # Is it a potentially interesting version change? - if ( info$name in interesting_version_changes ) - { - local msg = fmt("%.6f %s switched from %s to %s (%s)", - network_time(), software_endpoint_name(id, info$host), - software_fmt_version(old$version), - software_fmt(info), info$software_type); - NOTICE([$note=Software_Version_Change, $id=id, - $msg=msg, $sub=software_fmt(info)]); - } } Log::write(SOFTWARE, info); diff --git a/policy/frameworks/time-machine/notice.bro b/scripts/base/frameworks/time-machine/notice.bro similarity index 100% rename from policy/frameworks/time-machine/notice.bro rename to scripts/base/frameworks/time-machine/notice.bro diff --git a/policy/frameworks/signatures/p0f.fp b/scripts/base/misc/p0f.fp similarity index 100% rename from policy/frameworks/signatures/p0f.fp rename to scripts/base/misc/p0f.fp diff --git a/scripts/base/protocols/conn/__load__.bro b/scripts/base/protocols/conn/__load__.bro new file mode 100644 index 0000000000..8c673eca85 --- /dev/null +++ b/scripts/base/protocols/conn/__load__.bro @@ -0,0 +1,3 @@ +@load ./main +@load ./contents +@load ./inactivity diff --git a/policy/protocols/conn/base/contents.bro b/scripts/base/protocols/conn/contents.bro similarity index 98% rename from policy/protocols/conn/base/contents.bro rename to scripts/base/protocols/conn/contents.bro index d334d70c8e..21945beed5 100644 --- a/policy/protocols/conn/base/contents.bro 
+++ b/scripts/base/protocols/conn/contents.bro @@ -8,8 +8,6 @@ ##! This script does not work well in a cluster context unless it has a ##! remotely mounted disk to write the content files to. -@load utils/files - module Conn; export { diff --git a/policy/protocols/conn/base/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro similarity index 100% rename from policy/protocols/conn/base/inactivity.bro rename to scripts/base/protocols/conn/inactivity.bro diff --git a/policy/protocols/conn/base/main.bro b/scripts/base/protocols/conn/main.bro similarity index 99% rename from policy/protocols/conn/base/main.bro rename to scripts/base/protocols/conn/main.bro index 91c8279c6f..69c4cde64b 100644 --- a/policy/protocols/conn/base/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -77,7 +77,7 @@ redef record connection += { conn: Info &optional; }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(CONN, [$columns=Info, $ev=log_conn]); } diff --git a/scripts/base/protocols/dns/__load__.bro b/scripts/base/protocols/dns/__load__.bro new file mode 100644 index 0000000000..1d47f6e0cd --- /dev/null +++ b/scripts/base/protocols/dns/__load__.bro @@ -0,0 +1,2 @@ +@load ./consts +@load ./main diff --git a/policy/protocols/dns/base/consts.bro b/scripts/base/protocols/dns/consts.bro similarity index 100% rename from policy/protocols/dns/base/consts.bro rename to scripts/base/protocols/dns/consts.bro diff --git a/policy/protocols/dns/base/main.bro b/scripts/base/protocols/dns/main.bro similarity index 99% rename from policy/protocols/dns/base/main.bro rename to scripts/base/protocols/dns/main.bro index 503a5191d1..59ade654d4 100644 --- a/policy/protocols/dns/base/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -1,6 +1,4 @@ -@load ./consts - module DNS; export { diff --git a/scripts/base/protocols/ftp/__load__.bro b/scripts/base/protocols/ftp/__load__.bro new file mode 100644 index 0000000000..0a399aef36 --- /dev/null 
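Review bot: `event bro_init() &priority=5` now creates the CONN stream ahead of default-priority handlers, presumably so other scripts can add filters to or write to the stream from their own bro_init without ordering surprises, but nothing in the hunk says so; the same silent change is made in ftp/main.bro, http/main.bro and irc/main.bro in this commit. A one-line comment above each handler would record the contract: `# Create the stream early so that other bro_init handlers (default priority 0) can rely on it.` Agreeing on 5 as the convention for stream creation, and saying so once in the logging framework docs, would also stop each protocol script picking its own value.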
+++ b/scripts/base/protocols/ftp/__load__.bro @@ -0,0 +1,3 @@ +@load ./utils-commands +@load ./main +@load ./file-extract \ No newline at end of file diff --git a/policy/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro similarity index 96% rename from policy/protocols/ftp/file-extract.bro rename to scripts/base/protocols/ftp/file-extract.bro index 75b4a885c8..5ebe0ec63c 100644 --- a/policy/protocols/ftp/file-extract.bro +++ b/scripts/base/protocols/ftp/file-extract.bro @@ -1,9 +1,5 @@ ##! File extraction for FTP. -@load protocols/ftp -@load utils/conn-ids -@load utils/files - module FTP; export { diff --git a/policy/protocols/ftp/base.bro b/scripts/base/protocols/ftp/main.bro similarity index 99% rename from policy/protocols/ftp/base.bro rename to scripts/base/protocols/ftp/main.bro index a0f581bfc8..bf32ba3114 100644 --- a/policy/protocols/ftp/base.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -7,10 +7,6 @@ ##! ##! * Handle encrypted sessions correctly (get an example?) -@load utils/paths -@load utils/numbers -@load ./utils-commands - module FTP; export { @@ -93,7 +89,7 @@ redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of ExpectedConn &create_expire=5mins; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(FTP, [$columns=Info, $ev=log_ftp]); } diff --git a/policy/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.bro similarity index 100% rename from policy/protocols/ftp/utils-commands.bro rename to scripts/base/protocols/ftp/utils-commands.bro diff --git a/scripts/base/protocols/http/__load__.bro b/scripts/base/protocols/http/__load__.bro new file mode 100644 index 0000000000..314f04b872 --- /dev/null +++ b/scripts/base/protocols/http/__load__.bro @@ -0,0 +1,5 @@ +@load ./main +@load ./utils +@load ./file-ident +@load ./file-hash +@load ./file-extract 
diff --git a/policy/protocols/http/base/file-extract.bro b/scripts/base/protocols/http/file-extract.bro similarity index 97% rename from policy/protocols/http/base/file-extract.bro rename to scripts/base/protocols/http/file-extract.bro index 66bb2dcb75..24ee1d8b93 100644 --- a/policy/protocols/http/base/file-extract.bro +++ b/scripts/base/protocols/http/file-extract.bro @@ -1,9 +1,6 @@ ##! Extracts the items from HTTP traffic, one per file. At this time only ##! the message body from the server can be extracted with this script. -@load protocols/http -@load utils/files - module HTTP; export { diff --git a/policy/protocols/http/base/file-hash.bro b/scripts/base/protocols/http/file-hash.bro similarity index 98% rename from policy/protocols/http/base/file-hash.bro rename to scripts/base/protocols/http/file-hash.bro index f1aaa5cffd..26f8abf51a 100644 --- a/policy/protocols/http/base/file-hash.bro +++ b/scripts/base/protocols/http/file-hash.bro @@ -1,9 +1,5 @@ ##! Calculate hashes for HTTP body transfers. -@load ./main -@load ./utils -@load ./file-ident - module HTTP; export { diff --git a/policy/protocols/http/base/file-ident.bro b/scripts/base/protocols/http/file-ident.bro similarity index 93% rename from policy/protocols/http/base/file-ident.bro rename to scripts/base/protocols/http/file-ident.bro index cd9f891110..082adf75d3 100644 --- a/policy/protocols/http/base/file-ident.bro +++ b/scripts/base/protocols/http/file-ident.bro @@ -1,12 +1,8 @@ ##! This script is involved in the identification of file types in HTTP ##! response bodies. -@load ./main -@load ./utils -@load frameworks/notice -@load frameworks/signatures - -redef signature_files += "protocols/http/base/file-ident.sig"; +# Add the magic number signatures to the core signature set. +redef signature_files += "base/protocols/http/file-ident.sig"; # Ignore the signatures used to match files redef Signatures::ignored_ids += /^matchfile-/; 
diff --git a/policy/protocols/http/base/file-ident.sig b/scripts/base/protocols/http/file-ident.sig similarity index 100% rename from policy/protocols/http/base/file-ident.sig rename to scripts/base/protocols/http/file-ident.sig diff --git a/policy/protocols/http/base/main.bro b/scripts/base/protocols/http/main.bro similarity index 99% rename from policy/protocols/http/base/main.bro rename to scripts/base/protocols/http/main.bro index 29c98cd3d7..172fb2bd1c 100644 --- a/policy/protocols/http/base/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -1,6 +1,4 @@ -@load utils/numbers - module HTTP; export { @@ -84,7 +82,7 @@ redef record connection += { }; # Initialize the HTTP logging stream. -event bro_init() +event bro_init() &priority=5 { Log::create_stream(HTTP, [$columns=Info, $ev=log_http]); } diff --git a/policy/protocols/http/partial-content.bro b/scripts/base/protocols/http/partial-content.bro similarity index 97% rename from policy/protocols/http/partial-content.bro rename to scripts/base/protocols/http/partial-content.bro index 38a3b50dd9..130cc0db28 100644 --- a/policy/protocols/http/partial-content.bro +++ b/scripts/base/protocols/http/partial-content.bro @@ -1,8 +1,7 @@ ##! This script makes it possible for the HTTP analysis scripts to analyze ##! the apparent normal case of "206 Partial Content" responses. - -@load ./base -@load frameworks/notice +##! +##! This script doesn't work yet and isn't loaded by default. module HTTP; diff --git a/policy/protocols/http/base/utils.bro b/scripts/base/protocols/http/utils.bro similarity index 55% rename from policy/protocols/http/base/utils.bro rename to scripts/base/protocols/http/utils.bro index 7294265e5b..716b1c608b 100644 --- a/policy/protocols/http/base/utils.bro +++ b/scripts/base/protocols/http/utils.bro 
@@ -1,13 +1,11 @@ ##! Utilities specific for HTTP processing. -@load ./main - module HTTP; export { global extract_keys: function(data: string, kv_splitter: pattern): string_vec; - global build_url: function(h: Info): string; - global build_url_http: function(h: Info): string; + global build_url: function(rec: Info): string; + global build_url_http: function(rec: Info): string; } @@ -25,16 +23,16 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec return key_vec; } -function build_url(h: Info): string +function build_url(rec: Info): string { - local uri = h?$uri ? h$uri : "/"; - local host = h?$host ? h$host : fmt("%s", h$id$resp_h); - if ( h$id$resp_p != 80/tcp ) - host = fmt("%s:%s", host, h$id$resp_p); + local uri = rec?$uri ? rec$uri : "/"; + local host = rec?$host ? rec$host : fmt("%s", rec$id$resp_h); + if ( rec$id$resp_p != 80/tcp ) + host = fmt("%s:%s", host, rec$id$resp_p); return fmt("%s%s", host, uri); } -function build_url_http(h: Info): string +function build_url_http(rec: Info): string { - return fmt("http://%s", build_url(h)); + return fmt("http://%s", build_url(rec)); } diff --git a/scripts/base/protocols/irc/__load__.bro b/scripts/base/protocols/irc/__load__.bro new file mode 100644 index 0000000000..240e1487c3 --- /dev/null +++ b/scripts/base/protocols/irc/__load__.bro @@ -0,0 +1,2 @@ +@load ./main +@load ./dcc-send \ No newline at end of file diff --git a/policy/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro similarity index 98% rename from policy/protocols/irc/dcc-send.bro rename to scripts/base/protocols/irc/dcc-send.bro index bd5edb0e6e..1b8dc67c25 100644 --- a/policy/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -8,10 +8,6 @@ ##! Example line from IRC server indicating that the DCC SEND is about to start: ##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A -@load protocols/irc -@load utils/files -@load utils/numbers - module IRC; export { 
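Review bot: In `build_url` the non-default port is rendered with `fmt("%s:%s", host, rec$id$resp_p)`; if `fmt` prints a port value with its protocol suffix (e.g. `8080/tcp`), the result is `host:8080/tcp/path`, which is not a usable URL. Since the commit is already rewriting these lines for the `h` → `rec` rename, it is a good moment to use the numeric value instead, `host = fmt("%s:%d", host, port_to_count(rec$id$resp_p));`. Note also that an IPv6 `rec$id$resp_h` would need brackets in the host part, which this function does not add; this is pre-existing behaviour and could at least be stated in a comment above the `local host` line.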
diff --git a/policy/protocols/irc/base.bro b/scripts/base/protocols/irc/main.bro similarity index 98% rename from policy/protocols/irc/base.bro rename to scripts/base/protocols/irc/main.bro index 9077ae66ab..c394d8f0c6 100644 --- a/policy/protocols/irc/base.bro +++ b/scripts/base/protocols/irc/main.bro @@ -42,7 +42,7 @@ redef capture_filters += { ["irc-6667"] = "port 6667" }; global irc_ports = { 6666/tcp, 6667/tcp } &redef; redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(IRC, [$columns=Info, $ev=irc_log]); } diff --git a/policy/protocols/mime/__load__.bro b/scripts/base/protocols/mime/__load__.bro similarity index 100% rename from policy/protocols/mime/__load__.bro rename to scripts/base/protocols/mime/__load__.bro diff --git a/policy/protocols/mime/base.bro b/scripts/base/protocols/mime/base.bro similarity index 100% rename from policy/protocols/mime/base.bro rename to scripts/base/protocols/mime/base.bro diff --git a/policy/protocols/mime/file-extract.bro b/scripts/base/protocols/mime/file-extract.bro similarity index 100% rename from policy/protocols/mime/file-extract.bro rename to scripts/base/protocols/mime/file-extract.bro diff --git a/policy/protocols/mime/file-hash.bro b/scripts/base/protocols/mime/file-hash.bro similarity index 100% rename from policy/protocols/mime/file-hash.bro rename to scripts/base/protocols/mime/file-hash.bro diff --git a/policy/protocols/mime/file-ident.bro b/scripts/base/protocols/mime/file-ident.bro similarity index 100% rename from policy/protocols/mime/file-ident.bro rename to scripts/base/protocols/mime/file-ident.bro diff --git a/policy/protocols/rpc/base.bro b/scripts/base/protocols/rpc/base.bro similarity index 100% rename from policy/protocols/rpc/base.bro rename to scripts/base/protocols/rpc/base.bro 
diff --git a/scripts/base/protocols/smtp/__load__.bro b/scripts/base/protocols/smtp/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/protocols/smtp/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/policy/protocols/smtp/base/main.bro b/scripts/base/protocols/smtp/main.bro similarity index 99% rename from policy/protocols/smtp/base/main.bro rename to scripts/base/protocols/smtp/main.bro index 0f7a674481..e034a459d4 100644 --- a/policy/protocols/smtp/base/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -1,6 +1,3 @@ -@load frameworks/notice -@load utils/addrs -@load utils/directions-and-hosts module SMTP; @@ -99,7 +96,7 @@ redef record connection += { redef capture_filters += { ["smtp"] = "tcp port smtp or tcp port 587" }; redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(SMTP, [$columns=SMTP::Info, $ev=log_smtp]); } diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/protocols/ssh/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/policy/protocols/ssh/base.bro b/scripts/base/protocols/ssh/main.bro similarity index 99% rename from policy/protocols/ssh/base.bro rename to scripts/base/protocols/ssh/main.bro index 7013d94edb..7cc87b6684 100644 --- a/policy/protocols/ssh/base.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -1,5 +1,3 @@ -@load frameworks/notice -@load utils/thresholds module SSH; @@ -83,7 +81,7 @@ redef record connection += { ssh: Info &optional; }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(SSH, [$columns=Info, $ev=log_ssh]); } diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro new file mode 100644 index 0000000000..eaaa13cd76 --- /dev/null +++ b/scripts/base/protocols/ssl/__load__.bro 
@@ -0,0 +1,3 @@ +@load ./consts +@load ./main +@load ./mozilla-ca-list \ No newline at end of file diff --git a/policy/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro similarity index 100% rename from policy/protocols/ssl/consts.bro rename to scripts/base/protocols/ssl/consts.bro diff --git a/policy/protocols/ssl/base.bro b/scripts/base/protocols/ssl/main.bro similarity index 76% rename from policy/protocols/ssl/base.bro rename to scripts/base/protocols/ssl/main.bro index 414a6ff017..775b59a6e5 100644 --- a/policy/protocols/ssl/base.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -1,5 +1,3 @@ -@load frameworks/notice -@load ./consts module SSL; @@ -7,7 +5,6 @@ export { redef enum Log::ID += { SSL }; redef enum Notice::Type += { - Invalid_Server_Cert, Self_Signed_Cert }; @@ -17,7 +14,6 @@ export { id: conn_id &log; version: string &log &optional; cipher: string &log &optional; - validation_status:string &log &optional; server_name: string &log &optional; subject: string &log &optional; not_valid_before: time &log &optional; @@ -28,8 +24,7 @@ export { }; ## This is where the default root CA bundle is defined. By loading the - ## protocols/ssl/mozilla-ca-list.bro script it will be set to Mozilla's - ## root CA list. + ## mozilla-ca-list.bro script it will be set to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; global log_ssl: event(rec: Info); @@ -44,7 +39,7 @@ redef record connection += { ssl: Info &optional; }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(SSL, [$columns=Info, $ev=log_ssl]); } @@ -60,7 +55,8 @@ redef capture_filters += { ["telnets"] = "tcp port 992", ["imaps"] = "tcp port 993", ["ircs"] = "tcp port 994", - ["pop3s"] = "tcp port 995" + ["pop3s"] = "tcp port 995", + ["xmpps"] = "tcp port 5223", }; redef dpd_config += { 
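Review bot: The `["xmpps"] = "tcp port 5223"` entry extends `capture_filters` but the `redef dpd_config += {` block that immediately follows, and the port set it uses, are outside the hunk, so it is not visible whether 5223/tcp was also added to the SSL analyzer's ports. If it was not, the new filter only captures the traffic without analyzing it on that port unless DPD picks it up; please either add it there as well or note in a comment why the capture filter alone is intended. The trailing comma after the new entry is harmless but differs from the old style of the list.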
@@ -107,28 +103,13 @@ event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: co } } -event ssl_extension(c: connection, code: count, val: string) +event ssl_extension(c: connection, code: count, val: string) &priority=5 { set_session(c); if ( extensions[code] == "server_name" ) c$ssl$server_name = sub_bytes(val, 6, |val|); } - -event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=-5 - { - if ( chain_idx == chain_len-1 || chain_len == 1 ) - { - local result = x509_verify(c$ssl$cert, c$ssl$cert_chain, root_certs); - c$ssl$validation_status = x509_err2str(result); - if ( result != 0 ) - { - local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); - NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$subject, $conn=c]); - } - } - } event ssl_established(c: connection) &priority=-5 { diff --git a/policy/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro similarity index 99% rename from policy/protocols/ssl/mozilla-ca-list.bro rename to scripts/base/protocols/ssl/mozilla-ca-list.bro index 57cdd59d97..0df3e0b9f2 100644 --- a/policy/protocols/ssl/mozilla-ca-list.bro +++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro 
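Review bot: Removing the `x509_certificate` handler deletes the only consumer of `root_certs` visible in this file section, together with the `Invalid_Server_Cert` notice and the `validation_status` log column, yet `__load__.bro` still loads `mozilla-ca-list` into `root_certs`, so the CA bundle is now loaded for no visible purpose and certificate validation failures are no longer logged or noticed. If validation is meant to move to a separate policy script, the `root_certs` doc comment edited earlier in this file should say so, e.g. `## This script does not itself validate certificates against this bundle.`, otherwise the deletion silently drops a detection. Separately, the retained `ssl_extension` handler still slices the server name with `sub_bytes(val, 6, |val|)` without checking that `|val|` is at least 6; this is pre-existing, but a guard such as `if ( extensions[code] == "server_name" && |val| > 6 )` would avoid acting on a truncated extension.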
@@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. # Generated at: Wed Jun 29 07:52:38 -0400 2011 -@load protocols/ssl + module SSL; redef root_certs += { ["GTE CyberTrust Global Root"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7\x79\xB4\x
1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F", diff --git a/scripts/base/protocols/syslog/__load__.bro b/scripts/base/protocols/syslog/__load__.bro new file mode 100644 index 0000000000..0098b81a7a --- /dev/null +++ b/scripts/base/protocols/syslog/__load__.bro @@ -0,0 +1,2 @@ +@load ./consts +@load ./main \ No newline at end of file diff --git a/policy/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.bro similarity index 100% rename from policy/protocols/syslog/consts.bro rename to scripts/base/protocols/syslog/consts.bro diff --git a/policy/protocols/syslog/base.bro b/scripts/base/protocols/syslog/main.bro similarity index 97% rename from policy/protocols/syslog/base.bro rename to scripts/base/protocols/syslog/main.bro index 10408e1492..c514556975 100644 --- a/policy/protocols/syslog/base.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -27,7 +27,7 @@ redef record connection += { syslog: Info &optional; }; -event bro_init() +event bro_init() &priority=5 { Log::create_stream(SYSLOG, [$columns=Info]); } diff --git a/policy/utils/addrs.bro b/scripts/base/utils/addrs.bro similarity index 100% rename from policy/utils/addrs.bro rename to scripts/base/utils/addrs.bro diff --git a/policy/utils/conn-ids.bro b/scripts/base/utils/conn-ids.bro similarity index 100% rename from policy/utils/conn-ids.bro rename to scripts/base/utils/conn-ids.bro 
diff --git a/policy/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.bro similarity index 100% rename from policy/utils/directions-and-hosts.bro rename to scripts/base/utils/directions-and-hosts.bro diff --git a/policy/utils/files.bro b/scripts/base/utils/files.bro similarity index 100% rename from policy/utils/files.bro rename to scripts/base/utils/files.bro diff --git a/policy/utils/numbers.bro b/scripts/base/utils/numbers.bro similarity index 100% rename from policy/utils/numbers.bro rename to scripts/base/utils/numbers.bro diff --git a/policy/utils/paths.bro b/scripts/base/utils/paths.bro similarity index 100% rename from policy/utils/paths.bro rename to scripts/base/utils/paths.bro diff --git a/policy/utils/pattern.bro b/scripts/base/utils/patterns.bro similarity index 100% rename from policy/utils/pattern.bro rename to scripts/base/utils/patterns.bro diff --git a/policy/utils/site.bro b/scripts/base/utils/site.bro similarity index 99% rename from policy/utils/site.bro rename to scripts/base/utils/site.bro index 473670272e..b8414a7a84 100644 --- a/policy/utils/site.bro +++ b/scripts/base/utils/site.bro @@ -1,6 +1,6 @@ ##! Definitions describing a site - which networks and DNS zones are "local" ##! and "neighbors", and servers running particular services. -@load utils/pattern +@load ./patterns module Site; diff --git a/policy/utils/strings.bro b/scripts/base/utils/strings.bro similarity index 100% rename from policy/utils/strings.bro rename to scripts/base/utils/strings.bro diff --git a/policy/utils/thresholds.bro b/scripts/base/utils/thresholds.bro similarity index 100% rename from policy/utils/thresholds.bro rename to scripts/base/utils/thresholds.bro 
diff --git a/policy/frameworks/communication/listen-clear.bro b/scripts/policy/frameworks/communication/listen-clear.bro similarity index 91% rename from policy/frameworks/communication/listen-clear.bro rename to scripts/policy/frameworks/communication/listen-clear.bro index 38a5d80897..4f96414172 100644 --- a/policy/frameworks/communication/listen-clear.bro +++ b/scripts/policy/frameworks/communication/listen-clear.bro @@ -1,7 +1,5 @@ ##! Listen for other Bro instances to make unencrypted connections. -@load frameworks/communication/base - module Communication; export { diff --git a/policy/frameworks/communication/listen-ssl.bro b/scripts/policy/frameworks/communication/listen-ssl.bro similarity index 92% rename from policy/frameworks/communication/listen-ssl.bro rename to scripts/policy/frameworks/communication/listen-ssl.bro index e5a3c588f1..32c5f747c2 100644 --- a/policy/frameworks/communication/listen-ssl.bro +++ b/scripts/policy/frameworks/communication/listen-ssl.bro @@ -1,7 +1,5 @@ ##! Listen for other Bro instances and encrypt the connection with SSL. -@load frameworks/communication/base - module Communication; export { diff --git a/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro similarity index 97% rename from policy/frameworks/control/controllee.bro rename to scripts/policy/frameworks/control/controllee.bro index 9080979e5f..518336abd8 100644 --- a/policy/frameworks/control/controllee.bro +++ b/scripts/policy/frameworks/control/controllee.bro @@ -1,7 +1,5 @@ -@load frameworks/control - -# If an instance is a controllee, it implicitly needs to listen for remote +# If an instance is a controllee, it implicitly needs to listen for remote # connections. @load frameworks/communication/listen-clear 
diff --git a/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro similarity index 97% rename from policy/frameworks/control/controller.bro rename to scripts/policy/frameworks/control/controller.bro index 0760ef1d45..8c60ef457a 100644 --- a/policy/frameworks/control/controller.bro +++ b/scripts/policy/frameworks/control/controller.bro @@ -1,7 +1,4 @@ -@load frameworks/control -@load frameworks/communication - module Control; # Do some sanity checking and rework the communication nodes. diff --git a/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro similarity index 99% rename from policy/frameworks/dpd/detect-protocols.bro rename to scripts/policy/frameworks/dpd/detect-protocols.bro index e42d4c4071..cbe81df889 100644 --- a/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro @@ -1,8 +1,5 @@ ##! Finds connections with protocols on non-standard ports with DPD. -@load frameworks/notice -@load utils/site - module ProtocolDetector; export { diff --git a/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro similarity index 98% rename from policy/frameworks/dpd/packet-segment-logging.bro rename to scripts/policy/frameworks/dpd/packet-segment-logging.bro index 4e5134c8b9..2276b49e64 100644 --- a/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro @@ -4,8 +4,6 @@ ##! A caveat to logging packet data is that in some cases, the packet may ##! not be the packet that actually caused the protocol violation. -@load ./base - module DPD; export { diff --git a/policy/frameworks/signatures/detect-windows-shells.sig b/scripts/policy/frameworks/signatures/detect-windows-shells.sig similarity index 100% rename from policy/frameworks/signatures/detect-windows-shells.sig rename to scripts/policy/frameworks/signatures/detect-windows-shells.sig 
diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro new file mode 100644 index 0000000000..3b562b5334 --- /dev/null +++ b/scripts/policy/frameworks/software/version-changes.bro @@ -0,0 +1,45 @@ + +module Software; + +export { + redef enum Notice::Type += { + ## For certain softwares, a version changing may matter. In that case, + ## this notice will be generated. Software that matters if the version + ## changes can be configured with the + ## :bro:id:`Software::interesting_version_changes` variable. + Software_Version_Change, + }; + + ## Some software is more interesting when the version changes and this + ## a set of all software that should raise a notice when a different + ## version is seen on a host. + const interesting_version_changes: set[string] = { + "SSH" + } &redef; + + ## Some software is more interesting when the version changes and this + ## a set of all software that should raise a notice when a different + ## version is seen on a host. + const interesting_type_changes: set[string] = {}; +} + +event log_software(rec: Info) + { + local ts = tracked[rec$host]; + + if ( rec$name in ts ) + { + local old = ts[rec$name]; + + # Is it a potentially interesting version change? + if ( rec$name in interesting_version_changes ) + { + local msg = fmt("%.6f %s switched from %s to %s (%s)", + network_time(), rec$software_type, + software_fmt_version(old$version), + software_fmt(rec), rec$software_type); + NOTICE([$note=Software_Version_Change, $src=rec$host, + $msg=msg, $sub=software_fmt(rec)]); + } + } + } diff --git a/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro similarity index 72% rename from policy/frameworks/software/vulnerable.bro rename to scripts/policy/frameworks/software/vulnerable.bro index dca9a14ba9..ec0348d563 100644 --- a/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro 
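Review bot: `local ts = tracked[rec$host];` in `log_software` indexes `tracked` without first testing membership; `tracked` is defined outside this file, and if it is not guaranteed to contain `rec$host` whenever `log_software` is raised this is a runtime error, so a guard `if ( rec$host !in tracked ) return;` before the lookup is cheap insurance. The handler also never compares `old$version` with `rec$version`, so it depends on `log_software` being raised only when the version actually changed; if that is the contract, say so in a comment above the `if ( rec$name in interesting_version_changes )` check. `interesting_type_changes` carries a copy of `interesting_version_changes`' doc comment, lacks `&redef`, and is not referenced anywhere in the new file, so either document its real purpose or drop it until it is used. Finally, the notice message prints `rec$software_type` both at the start and in the trailing parenthesis; one of the two is redundant.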
@@ -1,5 +1,3 @@ -@load frameworks/software -@load frameworks/notice module Software; @@ -13,11 +11,6 @@ export { const vulnerable_versions: table[string] of Version &redef; } -redef vulnerable_versions += { - ["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"], - ["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"], -}; - event log_software(rec: Info) { if ( rec$name in vulnerable_versions && diff --git a/policy/hot.conn.bro b/scripts/policy/hot.conn.bro similarity index 100% rename from policy/hot.conn.bro rename to scripts/policy/hot.conn.bro diff --git a/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.bro similarity index 100% rename from policy/integration/barnyard2/__load__.bro rename to scripts/policy/integration/barnyard2/__load__.bro diff --git a/policy/integration/barnyard2/base.bro b/scripts/policy/integration/barnyard2/base.bro similarity index 100% rename from policy/integration/barnyard2/base.bro rename to scripts/policy/integration/barnyard2/base.bro diff --git a/policy/integration/barnyard2/event.bro b/scripts/policy/integration/barnyard2/event.bro similarity index 100% rename from policy/integration/barnyard2/event.bro rename to scripts/policy/integration/barnyard2/event.bro diff --git a/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.bro similarity index 100% rename from policy/integration/barnyard2/types.bro rename to scripts/policy/integration/barnyard2/types.bro diff --git a/policy/misc/analysis-groups.bro b/scripts/policy/misc/analysis-groups.bro similarity index 97% rename from policy/misc/analysis-groups.bro rename to scripts/policy/misc/analysis-groups.bro index 1e5a784226..17f5bab845 100644 --- a/policy/misc/analysis-groups.bro +++ b/scripts/policy/misc/analysis-groups.bro @@ -2,8 +2,6 @@ ##! groups at runtime. No events will be raised for all members of a disabled ##! event group. -@load frameworks/control - module AnalysisGroups; export { 
diff --git a/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro similarity index 100% rename from policy/misc/loaded-scripts.bro rename to scripts/policy/misc/loaded-scripts.bro diff --git a/policy/misc/trim-trace-file.bro b/scripts/policy/misc/trim-trace-file.bro similarity index 100% rename from policy/misc/trim-trace-file.bro rename to scripts/policy/misc/trim-trace-file.bro diff --git a/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro similarity index 97% rename from policy/protocols/conn/known-hosts.bro rename to scripts/policy/protocols/conn/known-hosts.bro index c4e70e63b0..72bdaf01a4 100644 --- a/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -3,8 +3,6 @@ ##! output provides an easy way to determine a count of the IP addresses in ##! use on a network per day. -@load utils/directions-and-hosts - module KnownHosts; export { diff --git a/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro similarity index 98% rename from policy/protocols/conn/known-services.bro rename to scripts/policy/protocols/conn/known-services.bro index 60c0f43b8a..35a19a14f0 100644 --- a/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -3,8 +3,6 @@ ##! completed a TCP handshake with another host. If a protocol is detected ##! during the session, the protocol will also be logged. -@load utils/directions-and-hosts - module KnownServices; redef enum Log::ID += { KNOWN_SERVICES }; diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro new file mode 100644 index 0000000000..fabb865093 --- /dev/null +++ b/scripts/policy/protocols/conn/scan.bro 
@@ -0,0 +1,604 @@ +@load frameworks/notice +@load port-name + +module Scan; + +export { + redef enum Notice::Type += { + ## The source has scanned a number of ports. + PortScan, + ## The source has scanned a number of addresses. + AddressScan, + ## Apparent flooding backscatter seen from source. + BackscatterSeen, + + ## Summary of scanning activity. + ScanSummary, + ## Summary of distinct ports per scanner. + PortScanSummary, + ## Summary of distinct low ports per scanner. + LowPortScanSummary, + + ## Source touched a landmine destination. + Landmine, + ## Source reached :bro:id:`Scan::shut_down_threshold` + ShutdownThreshold, + ## Source touched privileged ports. + LowPortTrolling, + }; + + # Whether to consider UDP "connections" for scan detection. + # Can lead to false positives due to UDP fanout from some P2P apps. + const suppress_UDP_scan_checks = F &redef; + + const activate_priv_port_check = T &redef; + const activate_landmine_check = F &redef; + const landmine_thresh_trigger = 5 &redef; + + const landmine_address: set[addr] &redef; + + const scan_summary_trigger = 25 &redef; + const port_summary_trigger = 20 &redef; + const lowport_summary_trigger = 10 &redef; + + # Raise ShutdownThresh after this many failed attempts + const shut_down_threshold = 100 &redef; + + # Which services should be analyzed when detecting scanning + # (not consulted if analyze_all_services is set). + const analyze_services: set[port] &redef; + const analyze_all_services = T &redef; + + # Track address scaners only if at least these many hosts contacted. + const addr_scan_trigger = 0 &redef; + + # Ignore address scanners for further scan detection after + # scanning this many hosts. + # 0 disables. + const ignore_scanners_threshold = 0 &redef; + + # Report a scan of peers at each of these points. 
+ const report_peer_scan: vector of count = { + 20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000, + } &redef; + + const report_outbound_peer_scan: vector of count = { + 100, 1000, 10000, + } &redef; + + # Report a scan of ports at each of these points. + const report_port_scan: vector of count = { + 50, 250, 1000, 5000, 10000, 25000, 65000, + } &redef; + + # Once a source has scanned this many different ports (to however many + # different remote hosts), start tracking its per-destination access. + const possible_port_scan_thresh = 20 &redef; + + # Threshold for scanning privileged ports. + const priv_scan_trigger = 5 &redef; + const troll_skip_service = { + smtp, ftp, ssh, 20/tcp, http, + } &redef; + + const report_accounts_tried: vector of count = { + 20, 100, 1000, 10000, 100000, 1000000, + } &redef; + + const report_remote_accounts_tried: vector of count = { + 100, 500, + } &redef; + + # Report a successful password guessing if the source attempted + # at least this many. + const password_guessing_success_threshhold = 20 &redef; + + const skip_accounts_tried: set[addr] &redef; + + const addl_web = { + 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, } + &redef; + + const skip_services = { ident, } &redef; + const skip_outbound_services = { Hot::allow_services, ftp, addl_web, } + &redef; + + const skip_scan_sources = { + 255.255.255.255, # who knows why we see these, but we do + + # AltaVista. Here just as an example of what sort of things + # you might list. + test-scooter.av.pa-x.dec.com, + } &redef; + + const skip_scan_nets: set[subnet] = {} &redef; + + # List of well known local server/ports to exclude for scanning + # purposes. + const skip_dest_server_ports: set[addr, port] = {} &redef; + + # Reverse (SYN-ack) scans seen from these ports are considered + # to reflect possible SYN-flooding backscatter, and not true + # (stealth) scans. 
+ const backscatter_ports = { + http, 53/tcp, 53/udp, bgp, 6666/tcp, 6667/tcp, + } &redef; + + const report_backscatter: vector of count = { + 20, + } &redef; + + global check_scan: + function(c: connection, established: bool, reverse: bool): bool; + + # The following tables are defined here so that we can redef + # the expire timeouts. + # FIXME: should we allow redef of attributes on IDs which + # are not exported? + + # How many different hosts connected to with a possible + # backscatter signature. + global distinct_backscatter_peers: table[addr] of table[addr] of count + &read_expire = 15 min; + + # Expire functions that trigger summaries. + global scan_summary: + function(t: table[addr] of set[addr], orig: addr): interval; + global port_summary: + function(t: table[addr] of set[port], orig: addr): interval; + global lowport_summary: + function(t: table[addr] of set[port], orig: addr): interval; + + # Indexed by scanner address, yields # distinct peers scanned. + # pre_distinct_peers tracks until addr_scan_trigger hosts first. + global pre_distinct_peers: table[addr] of set[addr] + &read_expire = 15 mins &redef; + + global distinct_peers: table[addr] of set[addr] + &read_expire = 15 mins &expire_func=scan_summary &redef; + global distinct_ports: table[addr] of set[port] + &read_expire = 15 mins &expire_func=port_summary &redef; + global distinct_low_ports: table[addr] of set[port] + &read_expire = 15 mins &expire_func=lowport_summary &redef; + + # Indexed by scanner address, yields a table with scanned hosts + # (and ports). + global scan_triples: table[addr] of table[addr] of set[port]; + + global remove_possible_source: + function(s: set[addr], idx: addr): interval; + global possible_scan_sources: set[addr] + &expire_func=remove_possible_source &read_expire = 15 mins; + + # Indexed by source address, yields user name & password tried. 
+ global accounts_tried: table[addr] of set[string, string] + &read_expire = 1 days; + + global ignored_scanners: set[addr] &create_expire = 1 day &redef; + + # These tables track whether a threshold has been reached. + # More precisely, the counter is the next index of threshold vector. + global shut_down_threshold_reached: table[addr] of bool &default=F; + global rb_idx: table[addr] of count + &default=0 &read_expire = 1 days &redef; + global rps_idx: table[addr] of count + &default=0 &read_expire = 1 days &redef; + global rops_idx: table[addr] of count + &default=0 &read_expire = 1 days &redef; + global rpts_idx: table[addr,addr] of count + &default=0 &read_expire = 1 days &redef; + global rat_idx: table[addr] of count + &default=0 &read_expire = 1 days &redef; + global rrat_idx: table[addr] of count + &default=0 &read_expire = 1 days &redef; +} + +global thresh_check: function(v: vector of count, idx: table[addr] of count, + orig: addr, n: count): bool; +global thresh_check_2: function(v: vector of count, + idx: table[addr,addr] of count, orig: addr, + resp: addr, n: count): bool; + +function scan_summary(t: table[addr] of set[addr], orig: addr): interval + { + local num_distinct_peers = orig in t ? |t[orig]| : 0; + + if ( num_distinct_peers >= scan_summary_trigger ) + NOTICE([$note=ScanSummary, $src=orig, $n=num_distinct_peers, + $msg=fmt("%s scanned a total of %d hosts", + orig, num_distinct_peers)]); + + return 0 secs; + } + +function port_summary(t: table[addr] of set[port], orig: addr): interval + { + local num_distinct_ports = orig in t ? |t[orig]| : 0; + + if ( num_distinct_ports >= port_summary_trigger ) + NOTICE([$note=PortScanSummary, $src=orig, $n=num_distinct_ports, + $msg=fmt("%s scanned a total of %d ports", + orig, num_distinct_ports)]); + + return 0 secs; + } + +function lowport_summary(t: table[addr] of set[port], orig: addr): interval + { + local num_distinct_lowports = orig in t ? 
|t[orig]| : 0; + + if ( num_distinct_lowports >= lowport_summary_trigger ) + NOTICE([$note=LowPortScanSummary, $src=orig, + $n=num_distinct_lowports, + $msg=fmt("%s scanned a total of %d low ports", + orig, num_distinct_lowports)]); + + return 0 secs; + } + +function clear_addr(a: addr) + { + delete distinct_peers[a]; + delete distinct_ports[a]; + delete distinct_low_ports[a]; + delete scan_triples[a]; + delete possible_scan_sources[a]; + delete distinct_backscatter_peers[a]; + delete pre_distinct_peers[a]; + delete rb_idx[a]; + delete rps_idx[a]; + delete rops_idx[a]; + delete rat_idx[a]; + delete rrat_idx[a]; + delete shut_down_threshold_reached[a]; + delete ignored_scanners[a]; + } + +function ignore_addr(a: addr) + { + clear_addr(a); + add ignored_scanners[a]; + } + +function check_scan(c: connection, established: bool, reverse: bool): bool + { + local id = c$id; + + local service = "ftp-data" in c$service ? 20/tcp + : (reverse ? id$orig_p : id$resp_p); + local rev_service = reverse ? id$resp_p : id$orig_p; + local orig = reverse ? id$resp_h : id$orig_h; + local resp = reverse ? id$orig_h : id$resp_h; + local outbound = is_local_addr(orig); + + # The following works better than using get_conn_transport_proto() + # because c might not correspond to an active connection (which + # causes the function to fail). + if ( suppress_UDP_scan_checks && + service >= 0/udp && service <= 65535/udp ) + return F; + + if ( service in skip_services && ! outbound ) + return F; + + if ( outbound && service in skip_outbound_services ) + return F; + + if ( orig in skip_scan_sources ) + return F; + + if ( orig in skip_scan_nets ) + return F; + + # Don't include well known server/ports for scanning purposes. + if ( ! outbound && [resp, service] in skip_dest_server_ports ) + return F; + + if ( orig in ignored_scanners) + return F; + + if ( (! 
established || service !in Hot::allow_services) && + # not established, service not expressly allowed + + # not known peer set + (orig !in distinct_peers || resp !in distinct_peers[orig]) && + + # want to consider service for scan detection + (analyze_all_services || service in analyze_services) ) + { + if ( reverse && rev_service in backscatter_ports && + # reverse, non-priv backscatter port + service >= 1024/tcp ) + { + if ( orig !in distinct_backscatter_peers ) + { + local empty_bs_table: + table[addr] of count &default=0; + distinct_backscatter_peers[orig] = + empty_bs_table; + } + + if ( ++distinct_backscatter_peers[orig][resp] <= 2 && + # The test is <= 2 because we get two check_scan() + # calls, once on connection attempt and once on + # tear-down. + + distinct_backscatter_peers[orig][resp] == 1 && + + # Looks like backscatter, and it's not scanning + # a privileged port. + + thresh_check(report_backscatter, rb_idx, orig, + |distinct_backscatter_peers[orig]|) + ) + { + local rev_svc = rev_service in port_names ? + port_names[rev_service] : + fmt("%s", rev_service); + + NOTICE([$note=BackscatterSeen, $src=orig, + $p=rev_service, + $msg=fmt("backscatter seen from %s (%d hosts; %s)", + orig, |distinct_backscatter_peers[orig]|, rev_svc)]); + } + + if ( ignore_scanners_threshold > 0 && + |distinct_backscatter_peers[orig]| > + ignore_scanners_threshold ) + ignore_addr(orig); + } + + else + { # done with backscatter check + local ignore = F; + + local svc = service in port_names ? + port_names[service] : fmt("%s", service); + + if ( orig !in distinct_peers && addr_scan_trigger > 0 ) + { + if ( orig !in pre_distinct_peers ) + pre_distinct_peers[orig] = set(); + + add pre_distinct_peers[orig][resp]; + if ( |pre_distinct_peers[orig]| < addr_scan_trigger ) + ignore = T; + } + + if ( ! 
ignore ) + { # XXXXX + + if ( orig !in distinct_peers ) + distinct_peers[orig] = set() &mergeable; + + if ( resp !in distinct_peers[orig] ) + add distinct_peers[orig][resp]; + + local n = |distinct_peers[orig]|; + + if ( activate_landmine_check && + n >= landmine_thresh_trigger && + mask_addr(resp, 24) in landmine_address ) + { + local msg2 = fmt("landmine address trigger %s%s ", orig, svc); + NOTICE([$note=Landmine, $src=orig, + $p=service, $msg=msg2]); + } + + # Check for threshold if not outbound. + if ( ! shut_down_threshold_reached[orig] && + n >= shut_down_threshold && + ! outbound && orig !in neighbor_nets ) + { + shut_down_threshold_reached[orig] = T; + local msg = fmt("shutdown threshold reached for %s", orig); + NOTICE([$note=ShutdownThreshold, $src=orig, + $p=service, $msg=msg]); + } + + else + { + local address_scan = F; + if ( outbound && + # inside host scanning out? + thresh_check(report_outbound_peer_scan, rops_idx, orig, n) ) + address_scan = T; + + if ( ! outbound && + thresh_check(report_peer_scan, rps_idx, orig, n) ) + address_scan = T; + + if ( address_scan ) + NOTICE([$note=AddressScan, + $src=orig, $p=service, + $n=n, + $msg=fmt("%s has scanned %d hosts (%s)", + orig, n, svc)]); + + if ( address_scan && + ignore_scanners_threshold > 0 && + n > ignore_scanners_threshold ) + ignore_addr(orig); + } + } + } # XXXX + } + + if ( established ) + # Don't consider established connections for port scanning, + # it's too easy to be mislead by FTP-like applications that + # legitimately gobble their way through the port space. + return F; + + # Coarse search for port-scanning candidates: those that have made + # connections (attempts) to possible_port_scan_thresh or more + # distinct ports. 
+ if ( orig !in distinct_ports || service !in distinct_ports[orig] ) + { + if ( orig !in distinct_ports ) + distinct_ports[orig] = set() &mergeable; + + if ( service !in distinct_ports[orig] ) + add distinct_ports[orig][service]; + + if ( |distinct_ports[orig]| >= possible_port_scan_thresh && + orig !in scan_triples ) + { + scan_triples[orig] = table() &mergeable; + add possible_scan_sources[orig]; + } + } + + # For sources that have been identified as possible scan sources, + # keep track of per-host scanning. + if ( orig in possible_scan_sources ) + { + if ( orig !in scan_triples ) + scan_triples[orig] = table() &mergeable; + + if ( resp !in scan_triples[orig] ) + scan_triples[orig][resp] = set() &mergeable; + + if ( service !in scan_triples[orig][resp] ) + { + add scan_triples[orig][resp][service]; + + if ( thresh_check_2(report_port_scan, rpts_idx, + orig, resp, + |scan_triples[orig][resp]|) ) + { + local m = |scan_triples[orig][resp]|; + NOTICE([$note=PortScan, $n=m, $src=orig, + $p=service, + $msg=fmt("%s has scanned %d ports of %s", orig, m, resp)]); + } + } + } + + return T; + } + + +# Hook into the catch&release dropping. When an address gets restored, we reset +# the source to allow dropping it again. +event Drop::address_restored(a: addr) + { + #Drop::debug_log(fmt("received restored for %s (scan.bro)", a)); + clear_addr(a); + } + +event Drop::address_cleared(a: addr) + { + #Drop::debug_log(fmt("received cleared for %s (scan.bro)", a)); + clear_addr(a); + } + +# When removing a possible scan source, we automatically delete its scanned +# hosts and ports. But we do not want the deletion propagated, because every +# peer calls the expire_function on its own (and thus applies the delete +# operation on its own table). +function remove_possible_source(s: set[addr], idx: addr): interval + { + suspend_state_updates(); + delete scan_triples[idx]; + resume_state_updates(); + + return 0 secs; + } + +# To recognize whether a certain threshhold vector (e.g. 
report_peer_scans) +# has been transgressed, a global variable containing the next vector index +# (idx) must be incremented. This cumbersome mechanism is necessary because +# values naturally don't increment by one (e.g. replayed table merges). +function thresh_check(v: vector of count, idx: table[addr] of count, + orig: addr, n: count): bool + { + if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold ) + { + ignore_addr(orig); + return F; + } + + if ( idx[orig] < |v| && n >= v[idx[orig]] ) + { + ++idx[orig]; + return T; + } + else + return F; + } + +# Same as above, except the index has a different type signature. +function thresh_check_2(v: vector of count, idx: table[addr, addr] of count, + orig: addr, resp: addr, n: count): bool + { + if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold ) + { + ignore_addr(orig); + return F; + } + + if ( idx[orig,resp] < |v| && n >= v[idx[orig, resp]] ) + { + ++idx[orig,resp]; + return T; + } + else + return F; + } + +event connection_established(c: connection) + { + local is_reverse_scan = (c$orig$state == TCP_INACTIVE); + Scan::check_scan(c, T, is_reverse_scan); + } + +event partial_connection(c: connection) + { + Scan::check_scan(c, T, F); + } + +event connection_attempt(c: connection) + { + Scan::check_scan(c, F, c$orig$state == TCP_INACTIVE); + } + +event connection_half_finished(c: connection) + { + # Half connections never were "established", so do scan-checking here. + Scan::check_scan(c, F, F); + } + +event connection_rejected(c: connection) + { + local is_reverse_scan = c$orig$state == TCP_RESET; + + Scan::check_scan(c, F, is_reverse_scan); + } + +event connection_reset(c: connection) + { + if ( c$orig$state == TCP_INACTIVE || c$resp$state == TCP_INACTIVE ) + # We never heard from one side - that looks like a scan. 
+ Scan::check_scan(c, c$orig$size + c$resp$size > 0, + c$orig$state == TCP_INACTIVE); + } + +event connection_pending(c: connection) + { + if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE ) + Scan::check_scan(c, F, F); + } + +# Report the remaining entries in the tables. +event bro_done() + { + for ( orig in distinct_peers ) + scan_summary(distinct_peers, orig); + + for ( orig in distinct_ports ) + port_summary(distinct_ports, orig); + + for ( orig in distinct_low_ports ) + lowport_summary(distinct_low_ports, orig); + } diff --git a/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro similarity index 90% rename from policy/protocols/dns/auth-addl.bro rename to scripts/policy/protocols/dns/auth-addl.bro index 5fd85fb049..ba21131f7c 100644 --- a/policy/protocols/dns/auth-addl.bro +++ b/scripts/policy/protocols/dns/auth-addl.bro @@ -1,6 +1,4 @@ -@load protocols/dns/base -# TODO: remove these when the options are removed from the core analyzers. redef dns_skip_all_auth = F; redef dns_skip_all_addl = F; diff --git a/policy/protocols/dns/base/detect.bro b/scripts/policy/protocols/dns/detect-external-names.bro similarity index 98% rename from policy/protocols/dns/base/detect.bro rename to scripts/policy/protocols/dns/detect-external-names.bro index d22ca913be..fd49fee183 100644 --- a/policy/protocols/dns/base/detect.bro +++ b/scripts/policy/protocols/dns/detect-external-names.bro @@ -8,8 +8,6 @@ ##! to be within a local zone. :bro:id:`local_zones` variable **must** ##! be set appropriately for this detection. -@load frameworks/notice - module DNS; export { diff --git a/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.bro similarity index 93% rename from policy/protocols/ftp/detect.bro rename to scripts/policy/protocols/ftp/detect.bro index 1041f0d981..4e69dec655 100644 --- a/policy/protocols/ftp/detect.bro +++ b/scripts/policy/protocols/ftp/detect.bro 
@@ -1,5 +1,3 @@ -@load protocols/ftp -@load frameworks/notice module FTP; diff --git a/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro similarity index 91% rename from policy/protocols/ftp/software.bro rename to scripts/policy/protocols/ftp/software.bro index 8fafce7f4e..918123bb4c 100644 --- a/policy/protocols/ftp/software.bro +++ b/scripts/policy/protocols/ftp/software.bro @@ -6,9 +6,6 @@ ##! * Detect client software with password given for anonymous users ##! (e.g. cyberduck@example.net) -@load protocols/ftp -@load frameworks/software - module FTP; export { diff --git a/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro similarity index 94% rename from policy/protocols/http/detect-MHR.bro rename to scripts/policy/protocols/http/detect-MHR.bro index 6b62908960..11e1d9f87e 100644 --- a/policy/protocols/http/detect-MHR.bro +++ b/scripts/policy/protocols/http/detect-MHR.bro @@ -4,9 +4,6 @@ ##! documentation for the protocols/http/file-hash.bro script to see how to ##! configure which transfers will have hashes calculated. -@load frameworks/notice -@load protocols/http/base/file-hash - export { redef enum Notice::Type += { ## If the MD5 sum of a file transferred over HTTP diff --git a/policy/protocols/http/base/detect-intel.bro b/scripts/policy/protocols/http/detect-intel.bro similarity index 89% rename from policy/protocols/http/base/detect-intel.bro rename to scripts/policy/protocols/http/detect-intel.bro index f1c5640881..ebe6713c03 100644 --- a/policy/protocols/http/base/detect-intel.bro +++ b/scripts/policy/protocols/http/detect-intel.bro @@ -1,8 +1,5 @@ ##! Intelligence based HTTP detections. -@load frameworks/intel -@load protocols/http/base/utils - module HTTP; event log_http(rec: Info) diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro new file mode 100644 index 0000000000..514c599e7e --- /dev/null 
+++ b/scripts/policy/protocols/http/detect-sqli.bro 
@@ -0,0 +1,52 @@ +##! SQL injection detection in HTTP. + +module HTTP; + +export { + redef enum Notice::Type += { + SQL_Injection_Attacker, + SQL_Injection_Attack, + }; + + redef enum Metrics::ID += { + SQL_ATTACKER, + SQL_ATTACK_AGAINST, + }; + + redef enum Tags += { + ## Indicator of a URI based SQL injection attack. + URI_SQLI, + ## Indicator of client body based SQL injection attack. This is + ## typically the body content of a POST request. Not implemented yet! + POST_SQLI, + ## Indicator of a cookie based SQL injection attack. Not implemented yet! + COOKIE_SQLI, + }; + + ## This regular expression is used to match URI based SQL injections + const match_sql_injection_uri = + /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/ + | /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ + | /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ + | /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ + | 
/[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ + | /\/\*![[:digit:]]{5}.*?\*\//; +} + +event bro_init() + { + Metrics::add_filter(SQL_ATTACKER, [$break_interval=5mins, $note=SQL_Injection_Attack]); + Metrics::add_filter(SQL_ATTACK_AGAINST, [$break_interval=5mins, $note=SQL_Injection_Attack]); + } + +event http_request(c: connection, method: string, original_URI: string, + unescaped_URI: string, version: string) &priority=3 + { + if ( match_sql_injection_uri in unescaped_URI ) + { + add c$http$tags[URI_SQLI]; + + Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1); + Metrics::add_data(SQL_ATTACK_AGAINST, [$host=c$id$resp_h], 1); + } + } \ No newline at end of file diff --git a/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro similarity index 94% rename from policy/protocols/http/detect-webapps.bro rename to scripts/policy/protocols/http/detect-webapps.bro index 4c9740ef21..350f0def98 100644 --- a/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -1,8 +1,4 @@ -@load protocols/http -@load frameworks/software -@load frameworks/signatures - module HTTP; redef signature_files += "protocols/http/detect-webapps.sig"; diff --git a/policy/protocols/http/detect-webapps.sig b/scripts/policy/protocols/http/detect-webapps.sig similarity index 100% rename from policy/protocols/http/detect-webapps.sig rename to scripts/policy/protocols/http/detect-webapps.sig diff --git a/policy/protocols/http/headers.bro b/scripts/policy/protocols/http/headers.bro similarity index 96% rename from policy/protocols/http/headers.bro rename to scripts/policy/protocols/http/headers.bro index be4575ab9c..4451e876ec 100644 --- a/policy/protocols/http/headers.bro +++ b/scripts/policy/protocols/http/headers.bro 
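Review bot: Both `Metrics::add_filter` calls in `bro_init` tag their notice as `SQL_Injection_Attack`, so the `SQL_Injection_Attacker` type declared in the export block is never raised and the per-source metric (SQL_ATTACKER) surfaces under the victim-oriented notice name. The first call should read `Metrics::add_filter(SQL_ATTACKER, [$break_interval=5mins, $note=SQL_Injection_Attacker]);` so source-side and target-side alerts can be routed and suppressed separately. The file's only documentation is the one-line `##!` summary; a sentence stating that only `unescaped_URI` is inspected (the POST_SQLI and COOKIE_SQLI tags are declared but, as their comments say, not implemented) and that the 5-minute break interval is the only tuning knob would set expectations for operators reading the generated docs. `add c$http$tags[URI_SQLI]` assumes `c$http` is already populated when `http_request` fires at priority 3; that ordering is not visible here and is worth confirming.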
@@ -1,7 +1,5 @@
 ##! Extract and include the header keys used for each request in the log.
-@load protocols/http
-
 module HTTP;
 export {
diff --git a/policy/protocols/http/base/software.bro b/scripts/policy/protocols/http/software.bro
similarity index 97%
rename from policy/protocols/http/base/software.bro
rename to scripts/policy/protocols/http/software.bro
index 3079fd63e5..5a16b862a6 100644
--- a/policy/protocols/http/base/software.bro
+++ b/scripts/policy/protocols/http/software.bro
@@ -1,8 +1,5 @@
 ##! Software identification and extraction for HTTP traffic.
-@load protocols/http
-@load frameworks/software
-
 module HTTP;
 export {
diff --git a/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.bro
similarity index 94%
rename from policy/protocols/http/var-extraction-cookies.bro
rename to scripts/policy/protocols/http/var-extraction-cookies.bro
index 87e6cd4d1a..b30be9d2c1 100644
--- a/policy/protocols/http/var-extraction-cookies.bro
+++ b/scripts/policy/protocols/http/var-extraction-cookies.bro
@@ -1,7 +1,5 @@
 ##! This script extracts and logs variables from cookies sent by clients
-@load protocols/http
-
 module HTTP;
 redef record Info += {
diff --git a/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.bro
similarity index 94%
rename from policy/protocols/http/var-extraction-uri.bro
rename to scripts/policy/protocols/http/var-extraction-uri.bro
index 1df55caec7..a6e6b1d971 100644
--- a/policy/protocols/http/var-extraction-uri.bro
+++ b/scripts/policy/protocols/http/var-extraction-uri.bro
@@ -1,7 +1,5 @@
 ##! This script extracts and logs variables from the requested URI
-@load protocols/http
-
 module HTTP;
 redef record Info += {
diff --git a/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro similarity index 93% rename from policy/protocols/smtp/detect-suspicious-orig.bro rename to scripts/policy/protocols/smtp/detect-suspicious-orig.bro index b90227fc16..26f667cfd6 100644 --- a/policy/protocols/smtp/detect-suspicious-orig.bro +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro @@ -1,6 +1,3 @@ -@load frameworks/notice -@load protocols/smtp/base -@load utils/directions-and-hosts module SMTP; diff --git a/policy/protocols/smtp/base/software.bro b/scripts/policy/protocols/smtp/software.bro similarity index 98% rename from policy/protocols/smtp/base/software.bro rename to scripts/policy/protocols/smtp/software.bro index 1773a87201..36f9621b86 100644 --- a/policy/protocols/smtp/base/software.bro +++ b/scripts/policy/protocols/smtp/software.bro @@ -6,9 +6,6 @@ ##! * Find some heuristic to determine if email was sent through ##! a MS Exhange webmail interface as opposed to a desktop client. -@load frameworks/software -@load ./main - module SMTP; export { diff --git a/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro similarity index 94% rename from policy/protocols/ssh/software.bro rename to scripts/policy/protocols/ssh/software.bro index 60dac7afd7..d40ad513c8 100644 --- a/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro @@ -1,5 +1,3 @@ -@load protocols/ssh -@load frameworks/software module SSH; diff --git a/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro similarity index 97% rename from policy/protocols/ssl/known-certs.bro rename to scripts/policy/protocols/ssl/known-certs.bro index b01f11f008..a8815dca07 100644 --- a/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -1,7 +1,4 @@ -@load protocols/ssl -@load utils/directions-and-hosts - module KnownCerts; export { 
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
new file mode 100644
index 0000000000..43920557f4
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -0,0 +1,31 @@
+
+module SSL;
+
+export {
+ redef enum Notice::Type += {
+ Invalid_Server_Cert
+ };
+
+ redef record Info += {
+ validation_status: string &log &optional;
+ };
+
+}
+
+event ssl_established(c: connection) &priority=5
+ {
+ # If there aren't any certs we can't very well do certificate validation.
+ if ( !c$ssl?$cert || !c$ssl?$cert_chain )
+ return;
+
+ local result = x509_verify(c$ssl$cert, c$ssl$cert_chain, root_certs);
+ c$ssl$validation_status = x509_err2str(result);
+ if ( result != 0 )
+ {
+ local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
+ NOTICE([$note=Invalid_Server_Cert, $msg=message,
+ $sub=c$ssl$subject, $conn=c]);
+ }
+ }
+
+
diff --git a/policy/tuning/__load__.bro b/scripts/policy/tuning/__load__.bro
similarity index 62%
rename from policy/tuning/__load__.bro
rename to scripts/policy/tuning/__load__.bro
index 50659eca0c..03449882f8 100644
--- a/policy/tuning/__load__.bro
+++ b/scripts/policy/tuning/__load__.bro
@@ -1,2 +1,2 @@
 ##! This loads the default tuning
-@load tuning/defaults
\ No newline at end of file
+@load ./defaults
\ No newline at end of file
diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.bro
new file mode 100644
index 0000000000..790a706b7d
--- /dev/null
+++ b/scripts/policy/tuning/defaults/__load__.bro
@@ -0,0 +1,3 @@
+@load ./remove-high-volume-notices
+@load ./packet-fragments
+@load ./warnings
\ No newline at end of file
diff --git a/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.bro
similarity index 100%
rename from policy/tuning/defaults/packet-fragments.bro
rename to scripts/policy/tuning/defaults/packet-fragments.bro
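Review bot: validate-certs.bro opens with a blank line and has no `##!` summary, unlike the sibling scripts in this change (headers.bro, detect-sqli.bro), so the generated documentation will list it without a description; a first line such as `##! Validate server certificate chains against root_certs and raise Invalid_Server_Cert when verification fails.` would fix that. The early `return` when `cert` or `cert_chain` is absent leaves `validation_status` unset, so a reader of ssl.log cannot tell "validation not attempted" apart from a connection this script never saw; a comment on that branch, or an explicit status string there, would make the gap visible. In the failure path `$sub=c$ssl$subject` is read unconditionally; if `subject` is an optional field of `SSL::Info` (not visible in this hunk), the NOTICE would fail at runtime on exactly the malformed certificates this script is meant to flag, so that is worth confirming.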
diff --git a/policy/tuning/defaults/remove-high-volume-notices.bro b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
similarity index 100%
rename from policy/tuning/defaults/remove-high-volume-notices.bro
rename to scripts/policy/tuning/defaults/remove-high-volume-notices.bro
diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.bro
new file mode 100644
index 0000000000..ea8f18c3bc
--- /dev/null
+++ b/scripts/policy/tuning/defaults/warnings.bro
@@ -0,0 +1,9 @@
+##! This file is meant to print messages on stdout for settings that would be
+##! good to set in most cases or other things that could be done to achieve
+##! better detection.
+
+event bro_init() &priority=-10
+ {
+ if ( |Site::local_nets| == 0 )
+ print "WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.";
+ }
\ No newline at end of file
diff --git a/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.bro
similarity index 92%
rename from policy/tuning/track-all-assets.bro
rename to scripts/policy/tuning/track-all-assets.bro
index 3e9598a0fd..fe61ff93b6 100644
--- a/policy/tuning/track-all-assets.bro
+++ b/scripts/policy/tuning/track-all-assets.bro
@@ -1,5 +1,4 @@
-@load frameworks/software
 @load protocols/conn/known-hosts
 @load protocols/conn/known-services
 @load protocols/ssl/known-certs
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
new file mode 100644
index 0000000000..3b73c73a0b
--- /dev/null
+++ b/scripts/site/local.bro
@@ -0,0 +1,20 @@
+##! Local site policy. Customize as appropriate.
+
+# Load the script to log which script were loaded during each run
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Vulnerable versions of software to generate notices for when discovered.
+# The default is to only monitor software found in the address space defined
+# as "local". Refer to the software framework's documentation for more information.
+@load frameworks/software/vulnerable
+redef Software::vulnerable_versions += {
+ ["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
+ ["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
+};
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
+
diff --git a/scripts/test-all.bro b/scripts/test-all.bro
new file mode 100644
index 0000000000..42e1e91cb5
--- /dev/null
+++ b/scripts/test-all.bro
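Review bot: The `Software::vulnerable_versions` floors for Flash (10.2.153.1) and Java (1.6.0_22) in local.bro are hard-coded with no note of when they were current, so a site that copies this template as shipped will keep alerting against a stale baseline without realizing it needs maintenance. A comment above the redef such as `# Version floors last reviewed <REVIEW-DATE placeholder>; raise them as vendors ship fixes.` plus a note that `$addl` carries the trailing build component (`"1"`, `"22"`) would make the expectation explicit. The `signature_files` redef presumes the signature framework is loaded by the base scripts; that cannot be confirmed from this hunk, and if it is not, the `.sig` path is silently never consumed.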
@@ -0,0 +1,53 @@ +# This file loads ALL policy scripts that are part of the Bro distribution. +# +# This is rarely makes sense, and is for testing only. +# +# Note that we have unit test that makes sure that all policy files shipped are +# actually loaded here. If we have files that are part of the distribution yet +# can't be loaded here, these must still be listed here with their load command +# commented out. + +# The base/ scripts are all loaded by default and not included here. + +# @load test-all.bro +# @load frameworks/communication/listen-clear.bro +# @load frameworks/communication/listen-ssl.bro +# @load frameworks/control/controllee +# @load frameworks/control/controller +@load frameworks/dpd/detect-protocols.bro +@load frameworks/dpd/packet-segment-logging.bro +@load frameworks/software/version-changes.bro +@load frameworks/software/vulnerable.bro +@load integration/barnyard2/__load__.bro +@load integration/barnyard2/base.bro +@load integration/barnyard2/event.bro +@load integration/barnyard2/types.bro +@load misc/analysis-groups.bro +@load misc/loaded-scripts.bro +@load misc/trim-trace-file.bro +@load protocols/conn/known-hosts.bro +@load protocols/conn/known-services.bro +@load protocols/dns/auth-addl.bro +@load protocols/dns/detect-external-names.bro +@load protocols/ftp/detect.bro +@load protocols/ftp/software.bro +@load protocols/http/detect-intel.bro +@load protocols/http/detect-MHR.bro +@load protocols/http/detect-sqli.bro +@load protocols/http/detect-webapps.bro +@load protocols/http/headers.bro +@load protocols/http/software.bro +@load protocols/http/var-extraction-cookies.bro +@load protocols/http/var-extraction-uri.bro +@load protocols/smtp/detect-suspicious-orig.bro +@load protocols/smtp/software.bro +@load protocols/ssh/software.bro +@load protocols/ssl/known-certs.bro +@load protocols/ssl/validate-certs.bro +@load tuning/__load__.bro +@load tuning/defaults/__load__.bro +@load tuning/defaults/packet-fragments.bro +@load 
tuning/defaults/remove-high-volume-notices.bro +@load tuning/defaults/warnings.bro +@load tuning/track-all-assets.bro +@load site/local diff --git a/src/main.cc b/src/main.cc index d3d3c446f5..6d529ff5a9 100644 --- a/src/main.cc +++ b/src/main.cc @@ -675,7 +675,8 @@ int main(int argc, char** argv) timer_mgr = new PQ_TimerMgr(""); // timer_mgr = new CQ_TimerMgr(); - add_input_file("bro.init"); + add_input_file("base/bro.init"); + add_input_file("base/all.bro"); if ( optind == argc && read_files.length() == 0 && flow_files.length() == 0 && diff --git a/src/util.cc b/src/util.cc index c8e26f1bab..ac2d4209a4 100644 --- a/src/util.cc +++ b/src/util.cc @@ -758,6 +758,7 @@ const char* bro_path() if ( ! path ) path = ".:" POLICYDEST ":" + POLICYDEST "/policy" POLICYDEST "/site"; return path; diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log index c09ea6f1b9..a744346519 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log @@ -1,2 +1,2 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history -1128727435.4509 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf +1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output index ace0485b06..494e1946e7 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output 
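Review bot: The added `POLICYDEST "/policy"` literal in `bro_path()` has no trailing colon, so adjacent-literal concatenation produces `.:<POLICYDEST>:<POLICYDEST>/policy<POLICYDEST>/site` — one bogus directory instead of two entries, and the installed site directory drops out of the default search path whenever BROPATH is unset. The line should be `POLICYDEST "/policy:"`. The practical effect is that a deployed `site/local.bro` (and anything it loads) would not be found under the default path, which silently disables site detection policy rather than failing loudly. `bro_path()`'s body begins outside the hunk.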
@@ -1,8 +1,8 @@ # ts node filter init success -1310591294.19008 - not ip6 F T +1312570784.336354 - not ip6 F T # ts node filter init success -1310591294.28313 - (tcp port 22) and (not ip6) F T +1312570784.550594 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T # ts node filter init success -1310591294.36249 - port 42 F T +1312570784.765990 - port 42 F T # ts node filter init success -1310591294.47815 - port 56730 T T +1312570784.992999 - port 56730 T T diff --git a/testing/btest/Baseline/core.reporter-runtime-error/output b/testing/btest/Baseline/core.reporter-runtime-error/output index 828249b35f..5c0feedf42 100644 --- a/testing/btest/Baseline/core.reporter-runtime-error/output +++ b/testing/btest/Baseline/core.reporter-runtime-error/output @@ -1,2 +1 @@ -error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1]) -error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 9: no such index (a[2]) +error in /Users/seth/bro.git9/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1]) diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 6bc3c1735e..1d46bd7ab1 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log +++ b/testing/btest/Baseline/core.vlan-mpls/conn.log 
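Review bot: The updated `core.reporter-runtime-error` baseline embeds a developer-specific absolute path (`/Users/seth/bro.git9/...`) in the expected error line, so the test can only pass on that machine unless the harness canonifies the path before diffing; the line it replaces had the same problem with a different home directory. Either strip the `.tmp` prefix in the test's output filter or relax the expectation to the stable suffix `reporter-runtime-error.bro, line 12: no such index (a[1])`. The second expected line (line 9, `a[2]`) also disappears from the baseline, which may be intentional but is not explained here.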
@@ -1,4 +1,4 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history 952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - -1128727435.4509 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf -1278600802.06942 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF +1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf +1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.ssh.log b/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.ssh.log deleted file mode 100644 index 9a203f1bac..0000000000 --- a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.ssh.log +++ /dev/null @@ -1,2 +0,0 @@ -# b i e c p sn n a d t iv s sc ss se vc ve -T -42 SSH::SSH 21 123 10.0.0.0/24 10.0.0.0 1.2.3.4 3.14 1303580757.69082 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log new file mode 100644 index 0000000000..865786eb2f --- /dev/null +++ b/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log @@ -0,0 +1,2 @@ +# b i e c p sn n a d t iv s sc ss se vc ve +T -42 Test::TEST 21 123 10.0.0.0/24 10.0.0.0 1.2.3.4 3.14 1312565184.899030 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.failure.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.failure.log deleted file mode 100644 index ce48f547f6..0000000000 
--- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.failure.log +++ /dev/null @@ -1,4 +0,0 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure US -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure UK -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.log deleted file mode 100644 index eb392df781..0000000000 --- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.log +++ /dev/null @@ -1,6 +0,0 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 success - -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure US -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure UK -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 success BR -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.success.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.success.log deleted file mode 100644 index 3861250477..0000000000 --- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.ssh.success.log +++ /dev/null @@ -1,3 +0,0 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 success - -1303580768.27075 1.2.3.4 1234 2.3.4.5 80 success BR diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log new file mode 100644 index 0000000000..87f5fb3bcb --- /dev/null +++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log 
@@ -0,0 +1,4 @@
+# t id.orig_h id.orig_p id.resp_h id.resp_p status country
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
new file mode 100644
index 0000000000..8d0fedd1b5
--- /dev/null
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
@@ -0,0 +1,6 @@
+# t id.orig_h id.orig_p id.resp_h id.resp_p status country
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success -
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
new file mode 100644
index 0000000000..4b8f54e7ce
--- /dev/null
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
@@ -0,0 +1,3 @@
+# t id.orig_h id.orig_p id.resp_h id.resp_p status country
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success -
+1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR
diff --git a/testing/btest/Baseline/policy.misc.check-test-all/output b/testing/btest/Baseline/policy.misc.check-test-all/output
index e69de29bb2..bfc3c033df 100644
--- a/testing/btest/Baseline/policy.misc.check-test-all/output
+++ b/testing/btest/Baseline/policy.misc.check-test-all/output
@@ -0,0 +1 @@
+WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
diff --git a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
index 4e5c3c4bd3..881c3c105f 100644
--- a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
@@ -1,27 +1,81 @@
 # depth name
-0 policy/bro.init
+0 scripts/base/bro.init
 1 build/src/const.bif.bro
 1 build/src/types.bif.bro
 1 build/src/strings.bif.bro
 1 build/src/bro.bif.bro
 1 build/src/reporter.bif.bro
 1 build/src/event.bif.bro
-1 policy/utils/site.bro
-2 policy/utils/pattern.bro
-1 policy/frameworks/logging/__load__.bro
-2 policy/frameworks/logging/base.bro
+1 scripts/base/frameworks/logging/__load__.bro
+2 scripts/base/frameworks/logging/./main.bro
 3 build/src/logging.bif.bro
-2 policy/frameworks/logging/plugins/ascii.bro
-1 policy/frameworks/packet-filter/__load__.bro
-2 policy/frameworks/packet-filter/base/__load__.bro
-3 policy/frameworks/packet-filter/base/main.bro
-4 policy/frameworks/notice/__load__.bro
-5 policy/frameworks/notice/./base/__load__.bro
-6 policy/frameworks/notice/./base/./main.bro
-6 policy/frameworks/notice/./base/./weird.bro
-7 policy/utils/conn-ids.bro
-6 policy/frameworks/notice/./base/./actions/drop.bro
-6 policy/frameworks/notice/./base/./actions/email_admin.bro
-6 policy/frameworks/notice/./base/./actions/page.bro
-5 policy/frameworks/notice/./extend-email/hostnames.bro
-0 policy/misc/loaded-scripts.bro
+2 scripts/base/frameworks/logging/./writers/ascii.bro
+0 scripts/base/all.bro
+1 scripts/base/utils/site.bro
+2 scripts/base/utils/./patterns.bro
+1 scripts/base/utils/addrs.bro
+1 scripts/base/utils/conn-ids.bro
+1 scripts/base/utils/directions-and-hosts.bro
+1 scripts/base/utils/files.bro
+1 scripts/base/utils/numbers.bro
+1 scripts/base/utils/paths.bro
+1 scripts/base/utils/strings.bro
+1 scripts/base/utils/thresholds.bro
+1 scripts/base/frameworks/notice/__load__.bro
+2 scripts/base/frameworks/notice/./main.bro
+2 scripts/base/frameworks/notice/./weird.bro
+2 scripts/base/frameworks/notice/./actions/drop.bro
+2 scripts/base/frameworks/notice/./actions/email_admin.bro
+2 scripts/base/frameworks/notice/./actions/page.bro
+1 scripts/base/frameworks/dpd/__load__.bro
+2 scripts/base/frameworks/dpd/./main.bro
+1 scripts/base/frameworks/signatures/__load__.bro
+2 scripts/base/frameworks/signatures/./main.bro
+1 scripts/base/frameworks/packet-filter/__load__.bro
+2 scripts/base/frameworks/packet-filter/./main.bro
+2 scripts/base/frameworks/packet-filter/./netstats.bro
+1 scripts/base/frameworks/software/__load__.bro
+2 scripts/base/frameworks/software/./main.bro
+1 scripts/base/frameworks/intel/__load__.bro
+2 scripts/base/frameworks/intel/./main.bro
+1 scripts/base/frameworks/metrics/__load__.bro
+2 scripts/base/frameworks/metrics/./main.bro
+1 scripts/base/frameworks/communication/__load__.bro
+1 scripts/base/frameworks/control/__load__.bro
+2 scripts/base/frameworks/control/./main.bro
+1 scripts/base/frameworks/cluster/__load__.bro
+2 scripts/base/frameworks/cluster/./main.bro
+1 scripts/base/frameworks/reporter/__load__.bro
+2 scripts/base/frameworks/reporter/./main.bro
+1 scripts/base/protocols/conn/__load__.bro
+2 scripts/base/protocols/conn/./main.bro
+2 scripts/base/protocols/conn/./contents.bro
+2 scripts/base/protocols/conn/./inactivity.bro
+1 scripts/base/protocols/dns/__load__.bro
+2 scripts/base/protocols/dns/./consts.bro
+2 scripts/base/protocols/dns/./main.bro
+1 scripts/base/protocols/ftp/__load__.bro
+2 scripts/base/protocols/ftp/./utils-commands.bro
+2 scripts/base/protocols/ftp/./main.bro
+2 scripts/base/protocols/ftp/./file-extract.bro
+1 scripts/base/protocols/http/__load__.bro
+2 scripts/base/protocols/http/./main.bro
+2 scripts/base/protocols/http/./utils.bro
+2 scripts/base/protocols/http/./file-ident.bro
+2 scripts/base/protocols/http/./file-hash.bro
+2 scripts/base/protocols/http/./file-extract.bro
+1 scripts/base/protocols/irc/__load__.bro
+2 scripts/base/protocols/irc/./main.bro
+2 scripts/base/protocols/irc/./dcc-send.bro
+1 scripts/base/protocols/smtp/__load__.bro
+2 scripts/base/protocols/smtp/./main.bro
+1 scripts/base/protocols/ssh/__load__.bro
+2 scripts/base/protocols/ssh/./main.bro
+1 scripts/base/protocols/ssl/__load__.bro
+2 scripts/base/protocols/ssl/./consts.bro
+2 scripts/base/protocols/ssl/./main.bro
+2 scripts/base/protocols/ssl/./mozilla-ca-list.bro
+1 scripts/base/protocols/syslog/__load__.bro
+2 scripts/base/protocols/syslog/./consts.bro
+2 scripts/base/protocols/syslog/./main.bro
+0 scripts/policy/misc/loaded-scripts.bro
diff --git a/testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output b/testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output
new file mode 100644
index 0000000000..6d427174e5
--- /dev/null
+++ b/testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output
@@ -0,0 +1,2 @@
+If anything besides this line prints out, there is a problem.
+
diff --git a/testing/btest/core/conn-uid.bro b/testing/btest/core/conn-uid.bro
index 67b2dc0234..b2078bc9f5 100644
--- a/testing/btest/core/conn-uid.bro
+++ b/testing/btest/core/conn-uid.bro
@@ -1,23 +1,23 @@ # # In "normal" test mode, connection uids should be determistic. # -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT protocols/conn >output +# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output # @TEST-EXEC: btest-diff output # # Without a seed, they should differ each time: # -# @TEST-EXEC: unset BRO_SEED_FILE && bro -C -r $TRACES/wikipedia.trace %INPUT protocols/conn >output2 +# @TEST-EXEC: unset BRO_SEED_FILE && bro -C -r $TRACES/wikipedia.trace %INPUT >output2 # @TEST-EXEC: cat output output2 | sort | uniq -c | wc -l | sed 's/ //g' >counts # @TEST-EXEC: btest-diff counts # # Make sure it works without the connection compressor as well. # -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT protocols/conn use_connection_compressor=F >output.cc +# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT use_connection_compressor=F >output.cc # @TEST-EXEC: btest-diff output.cc # # Make sure it works with the full connection compressor as well. # -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT protocols/conn cc_handle_only_syns=F >output.cc2 +# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT cc_handle_only_syns=F >output.cc2 # @TEST-EXEC: btest-diff output.cc2 diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.bro index 8e5ac3a18e..54c6bed0ef 100644 --- a/testing/btest/core/load-prefixes.bro +++ b/testing/btest/core/load-prefixes.bro @@ -1,6 +1,6 @@ # A test of prefix-based @load'ing -# @TEST-EXEC: bro addprefixes utils/site protocols/http >output +# @TEST-EXEC: bro addprefixes >output # @TEST-EXEC: btest-diff output @TEST-START-FILE addprefixes.bro 
@@ -8,18 +8,18 @@ @prefixes += lcl2 @TEST-END-FILE -@TEST-START-FILE lcl.utils.site.bro -print "loaded lcl.site.bro"; +@TEST-START-FILE lcl.base.utils.site.bro +print "loaded lcl.base.site.bro"; @TEST-END-FILE -@TEST-START-FILE lcl2.utils.site.bro -print "loaded lcl2.site.bro"; +@TEST-START-FILE lcl2.base.utils.site.bro +print "loaded lcl2.base.site.bro"; @TEST-END-FILE -@TEST-START-FILE lcl.protocols.http.bro -print "loaded lcl.protocols.http.bro"; +@TEST-START-FILE lcl.base.protocols.http.bro +print "loaded lcl.base.protocols.http.bro"; @TEST-END-FILE -@TEST-START-FILE lcl2.protocols.http.bro -print "loaded lcl2.protocols.http.bro"; +@TEST-START-FILE lcl2.base.protocols.http.bro +print "loaded lcl2.base.protocols.http.bro"; @TEST-END-FILE diff --git a/testing/btest/core/print-bpf-filters-ipv4.bro b/testing/btest/core/print-bpf-filters-ipv4.bro index aa1f270605..e1aeb3f95f 100644 --- a/testing/btest/core/print-bpf-filters-ipv4.bro +++ b/testing/btest/core/print-bpf-filters-ipv4.bro @@ -2,11 +2,11 @@ # # @TEST-EXEC: bro -e '' >output # @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro PacketFilter::all_packets=F protocols/ssh >>output +# @TEST-EXEC: bro PacketFilter::all_packets=F >>output # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: bro -f "port 42" -e '' >>output # @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace protocols/conn >>output +# @TEST-EXEC: bro -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace >>output # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff conn.log diff --git a/testing/btest/core/vlan-mpls.bro b/testing/btest/core/vlan-mpls.bro index 7d877eaf7a..b7a7a351cb 100644 --- a/testing/btest/core/vlan-mpls.bro +++ b/testing/btest/core/vlan-mpls.bro 
@@ -1,2 +1,2 @@
-# @TEST-EXEC: bro -C -r $TRACES/mixed-vlan-mpls.trace protocols/conn
+# @TEST-EXEC: bro -C -r $TRACES/mixed-vlan-mpls.trace
 # @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro
index 7f97f40585..19b2bdf23f 100644
--- a/testing/btest/istate/broccoli.bro
+++ b/testing/btest/istate/broccoli.bro
@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
-# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
+# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
 # @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1
 # @TEST-EXEC: btest-bg-wait -k 20
 # @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log
diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro
index b3e02b5e73..b72fc477cb 100644
--- a/testing/btest/istate/events-ssl.bro
+++ b/testing/btest/istate/events-ssl.bro
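Review bot: The rewritten @TEST-EXEC line in broccoli.bro makes the test depend on ENABLE_COMMUNICATION=1 without saying what the variable gates, and the same undocumented prefix is added in events-ssl.bro, events.bro, pybroccoli.py, sync.bro, start-it-up.bro, configuration_update.bro, id_value.bro, shutdown.bro and remote-types.bro. The new canonified_loaded_scripts.log baseline lists scripts/base/frameworks/communication/__load__.bro with no ./main.bro beneath it, which suggests the variable is what makes the communication framework's main script load, but that is an inference from this diff rather than anything the tests state. If that is indeed its purpose, a one-line header comment such as `# ENABLE_COMMUNICATION=1 is required for the communication framework (scripts/base/frameworks/communication/__load__.bro) to be loaded at all` would spare the next reader the same inference; the same line fits the other tests listed above.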
@@ -1,14 +1,14 @@ # -# @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run receiver bro ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 20 # # @TEST-EXEC: btest-diff sender/http.log # @TEST-EXEC: btest-diff receiver/http.log # @TEST-EXEC: cmp sender/http.log receiver/http.log # -# @TEST-EXEC: bro -x sender/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.rec.log +# @TEST-EXEC: ENABLE_COMMUNICATION=1 bro -x sender/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.snd.log +# @TEST-EXEC: ENABLE_COMMUNICATION=1 bro -x receiver/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.rec.log # @TEST-EXEC: cmp events.rec.log events.snd.log # # We don't compare the transmitted event paramerters anymore. With the dynamic @@ -16,7 +16,6 @@ @TEST-START-FILE sender.bro -@load protocols/http @load frameworks/communication/listen-ssl event bro_init() @@ -41,9 +40,6 @@ redef ssl_passphrase = "my-password"; @TEST-START-FILE receiver.bro -@load protocols/http -@load frameworks/communication - event bro_init() { capture_events("events.bst"); diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro index 3aaca2d3b9..36b245db58 100644 --- a/testing/btest/istate/events.bro +++ b/testing/btest/istate/events.bro 
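Review bot: The two rewritten `bro -x sender/events.bst http/base | sed ...` lines in events-ssl.bro keep the `http/base` script argument, while the matching hunk in events.bro drops its `protocols/http` argument entirely and this file's later hunks remove `@load protocols/http` from sender.bro and receiver.bro; with the HTTP scripts now listed under scripts/base/protocols/http in the new loaded_scripts baseline, `http/base` looks like a stale path. If the HTTP scripts are loaded by default now, the lines should probably read `ENABLE_COMMUNICATION=1 bro -x sender/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | ...` exactly as in events.bro; if an extra script really is still needed, its path should at least match the new layout. I cannot tell from the diff which of the two is intended, so this needs confirming against what `bro -x` accepts.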
@@ -1,14 +1,14 @@ # -# @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run receiver bro ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 20 # # @TEST-EXEC: btest-diff sender/http.log # @TEST-EXEC: btest-diff receiver/http.log # @TEST-EXEC: cmp sender/http.log receiver/http.log # -# @TEST-EXEC: bro -x sender/events.bst protocols/http | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst protocols/http | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.rec.log +# @TEST-EXEC: ENABLE_COMMUNICATION=1 bro -x sender/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.snd.log +# @TEST-EXEC: ENABLE_COMMUNICATION=1 bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' >events.rec.log # @TEST-EXEC: cmp events.rec.log events.snd.log # # We don't compare the transmitted event paramerters anymore. With the dynamic @@ -16,7 +16,6 @@ @TEST-START-FILE sender.bro -@load protocols/http @load frameworks/communication/listen-clear event bro_init() @@ -37,9 +36,6 @@ redef tcp_close_delay = 0secs; @TEST-START-FILE receiver.bro -@load protocols/http -@load frameworks/communication - event bro_init() { capture_events("events.bst"); diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py index b7fb53a955..829797080e 100644 --- a/testing/btest/istate/pybroccoli.py +++ b/testing/btest/istate/pybroccoli.py 
@@ -2,7 +2,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so # -# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro # @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py # @TEST-EXEC: btest-bg-wait -k 20 # @TEST-EXEC: btest-diff bro/.stdout diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro index 21e963accf..ca3f936db7 100644 --- a/testing/btest/istate/sync.bro +++ b/testing/btest/istate/sync.bro @@ -1,6 +1,6 @@ # -# @TEST-EXEC: btest-bg-run sender bro %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run sender bro %INPUT ../sender.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run receiver bro %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait 20 # # @TEST-EXEC: btest-diff sender/vars.log @@ -151,8 +151,6 @@ redef Communication::nodes += { @TEST-START-FILE receiver.bro -@load frameworks/communication - event bro_init() { capture_events("events.bst"); diff --git a/testing/btest/language/raw_output_attr.test b/testing/btest/language/raw_output_attr.test index 616d4a4d33..22e565e4b4 100644 --- a/testing/btest/language/raw_output_attr.test +++ b/testing/btest/language/raw_output_attr.test 
@@ -23,23 +23,3 @@ event print_hook(f: file, s: string)
 write_file(hookfile, s);
 close(hookfile);
 }
-
-# @TEST-START-NEXT
-# now check global variables of file type w/ &raw_output
-
-global myfile: file;
-
-event bro_init()
- {
- myfile = open("myfile");
- enable_raw_output(myfile);
- print myfile, "hello\x00world", "hi";
- close(myfile);
- }
-
-event print_hook(f: file, s: string)
- {
- local hookfile = open("hookfile");
- write_file(hookfile, s);
- close(hookfile);
- }
diff --git a/testing/btest/policy/frameworks/cluster/start-it-up.bro b/testing/btest/policy/frameworks/cluster/start-it-up.bro
index fb81b69cca..0e58b662c3 100644
--- a/testing/btest/policy/frameworks/cluster/start-it-up.bro
+++ b/testing/btest/policy/frameworks/cluster/start-it-up.bro
@@ -1,8 +1,8 @@
-# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
-# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
-# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT
-# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
-# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 CLUSTER_NODE=proxy-2 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 CLUSTER_NODE=worker-2 bro %INPUT
 # @TEST-EXEC: btest-bg-wait -k 2
 # @TEST-EXEC: btest-diff manager-1/.stdout
 # @TEST-EXEC: btest-diff proxy-1/.stdout
@@ -20,8 +20,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -@load frameworks/cluster - event remote_connection_handshake_done(p: event_peer) { print "Connected to a peer"; diff --git a/testing/btest/policy/frameworks/control/configuration_update.bro b/testing/btest/policy/frameworks/control/configuration_update.bro index 337db4b1dc..919ba72ee3 100644 --- a/testing/btest/policy/frameworks/control/configuration_update.bro +++ b/testing/btest/policy/frameworks/control/configuration_update.bro @@ -1,12 +1,9 @@ -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65531/tcp -# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update -# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65531/tcp +# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update +# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 1 # @TEST-EXEC: btest-diff controllee/.stdout -@load frameworks/control -@load frameworks/communication - redef Communication::nodes = { # We're waiting for connections from this host for control. ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], 
diff --git a/testing/btest/policy/frameworks/control/id_value.bro b/testing/btest/policy/frameworks/control/id_value.bro index 2fdb86eb5c..850cb1dd73 100644 --- a/testing/btest/policy/frameworks/control/id_value.bro +++ b/testing/btest/policy/frameworks/control/id_value.bro @@ -1,11 +1,8 @@ -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port_clear=65532/tcp -# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port_clear=65532/tcp +# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var # @TEST-EXEC: btest-bg-wait -k 1 # @TEST-EXEC: btest-diff controller/.stdout -@load frameworks/control -@load frameworks/communication - redef Communication::nodes = { # We're waiting for connections from this host for control. ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], diff --git a/testing/btest/policy/frameworks/control/shutdown.bro b/testing/btest/policy/frameworks/control/shutdown.bro index acecedc171..f527af6ecb 100644 --- a/testing/btest/policy/frameworks/control/shutdown.bro +++ b/testing/btest/policy/frameworks/control/shutdown.bro 
@@ -1,10 +1,7 @@ -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65530/tcp -# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65530/tcp +# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. ENABLE_COMMUNICATION=1 bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 1 -@load frameworks/control -@load frameworks/communication - redef Communication::nodes = { # We're waiting for connections from this host for control. ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], diff --git a/testing/btest/policy/frameworks/intel/insert-and-matcher.bro b/testing/btest/policy/frameworks/intel/insert-and-matcher.bro index 0b2b806d76..67e539c176 100644 --- a/testing/btest/policy/frameworks/intel/insert-and-matcher.bro +++ b/testing/btest/policy/frameworks/intel/insert-and-matcher.bro @@ -2,8 +2,6 @@ # @TEST-EXEC: bro %INPUT >out # @TEST-EXEC: btest-diff out -@load frameworks/intel - event bro_init() { Intel::insert([$ip=1.2.3.4, $tags=set("zeustracker.abuse.ch", "malicious")]); diff --git a/testing/btest/policy/frameworks/logging/adapt-filter.bro b/testing/btest/policy/frameworks/logging/adapt-filter.bro index 7036c907a8..439913c7a8 100644 --- a/testing/btest/policy/frameworks/logging/adapt-filter.bro +++ b/testing/btest/policy/frameworks/logging/adapt-filter.bro @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh-new-default.log # @TEST-EXEC: test '!' -e ssh.log 
@@ -11,7 +11,7 @@ export { # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { + type Info: record { t: time; id: conn_id; # Will be rolled out into individual columns. status: string &optional; @@ -21,7 +21,7 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH, [$columns=Info]); local filter = Log::get_filter(SSH, "default"); filter$path= "ssh-new-default"; diff --git a/testing/btest/policy/frameworks/logging/ascii-binary.bro b/testing/btest/policy/frameworks/logging/ascii-binary.bro index 6f095db0c7..0b44678089 100644 --- a/testing/btest/policy/frameworks/logging/ascii-binary.bro +++ b/testing/btest/policy/frameworks/logging/ascii-binary.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; @@ -7,7 +7,7 @@ module SSH; export { redef enum Log::ID += { SSH }; - type Log: record { + type Info: record { data: string; data2: string; } &log; @@ -17,7 +17,7 @@ redef LogAscii::separator = "|"; event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH, [$columns=Info]); Log::write(SSH, [$data="abc\n\xffdef", $data2="DATA2"]); Log::write(SSH, [$data="abc|\xffdef", $data2="DATA2"]); Log::write(SSH, [$data="abc\xff|def", $data2="DATA2"]); diff --git a/testing/btest/policy/frameworks/logging/ascii-empty.bro b/testing/btest/policy/frameworks/logging/ascii-empty.bro index 44db69ac60..d9eb1b477a 100644 --- a/testing/btest/policy/frameworks/logging/ascii-empty.bro +++ b/testing/btest/policy/frameworks/logging/ascii-empty.bro @@ -1,9 +1,7 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log -@load frameworks/logging/plugins/ascii - redef LogAscii::output_to_stdout = F; redef LogAscii::separator = "|"; redef LogAscii::empty_field = "EMPTY"; 
diff --git a/testing/btest/policy/frameworks/logging/ascii-escape.bro b/testing/btest/policy/frameworks/logging/ascii-escape.bro index 7acea46250..c3d427f820 100644 --- a/testing/btest/policy/frameworks/logging/ascii-escape.bro +++ b/testing/btest/policy/frameworks/logging/ascii-escape.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log redef LogAscii::separator = "||"; diff --git a/testing/btest/policy/frameworks/logging/ascii-options.bro b/testing/btest/policy/frameworks/logging/ascii-options.bro index 2a5b121c8a..9999757802 100644 --- a/testing/btest/policy/frameworks/logging/ascii-options.bro +++ b/testing/btest/policy/frameworks/logging/ascii-options.bro @@ -1,9 +1,7 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log -@load frameworks/logging/plugins/ascii - redef LogAscii::output_to_stdout = F; redef LogAscii::separator = "|"; redef LogAscii::include_header = F; diff --git a/testing/btest/policy/frameworks/logging/ascii-timestamps.bro b/testing/btest/policy/frameworks/logging/ascii-timestamps.bro index 4382c9c865..389a264c11 100644 --- a/testing/btest/policy/frameworks/logging/ascii-timestamps.bro +++ b/testing/btest/policy/frameworks/logging/ascii-timestamps.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff test.log module Test; diff --git a/testing/btest/policy/frameworks/logging/attr-extend.bro b/testing/btest/policy/frameworks/logging/attr-extend.bro index 4d7e96b98e..a341973626 100644 --- a/testing/btest/policy/frameworks/logging/attr-extend.bro +++ b/testing/btest/policy/frameworks/logging/attr-extend.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; 
diff --git a/testing/btest/policy/frameworks/logging/attr.bro b/testing/btest/policy/frameworks/logging/attr.bro index 658dcae04b..37e4641f91 100644 --- a/testing/btest/policy/frameworks/logging/attr.bro +++ b/testing/btest/policy/frameworks/logging/attr.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/disable-stream.bro b/testing/btest/policy/frameworks/logging/disable-stream.bro index 472766d8e0..310845f5d7 100644 --- a/testing/btest/policy/frameworks/logging/disable-stream.bro +++ b/testing/btest/policy/frameworks/logging/disable-stream.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: test '!' -e ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/empty-event.bro b/testing/btest/policy/frameworks/logging/empty-event.bro index 3e343b75a2..c8e4e1a938 100644 --- a/testing/btest/policy/frameworks/logging/empty-event.bro +++ b/testing/btest/policy/frameworks/logging/empty-event.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/events.bro b/testing/btest/policy/frameworks/logging/events.bro index 0ca7752acf..cfdcd67cb5 100644 --- a/testing/btest/policy/frameworks/logging/events.bro +++ b/testing/btest/policy/frameworks/logging/events.bro @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT >output # @TEST-EXEC: btest-diff output module SSH; diff --git a/testing/btest/policy/frameworks/logging/exclude.bro b/testing/btest/policy/frameworks/logging/exclude.bro index 46603d3202..f0a81f659b 100644 --- a/testing/btest/policy/frameworks/logging/exclude.bro +++ b/testing/btest/policy/frameworks/logging/exclude.bro 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/file.bro b/testing/btest/policy/frameworks/logging/file.bro index 6d73ec52dd..4dca0d9855 100644 --- a/testing/btest/policy/frameworks/logging/file.bro +++ b/testing/btest/policy/frameworks/logging/file.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/include.bro b/testing/btest/policy/frameworks/logging/include.bro index f1fac64bbd..ffcc204ec6 100644 --- a/testing/btest/policy/frameworks/logging/include.bro +++ b/testing/btest/policy/frameworks/logging/include.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/no-local.bro b/testing/btest/policy/frameworks/logging/no-local.bro index eb6cb60151..448cdc3cd5 100644 --- a/testing/btest/policy/frameworks/logging/no-local.bro +++ b/testing/btest/policy/frameworks/logging/no-local.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: test '!' -e ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/path-func.bro b/testing/btest/policy/frameworks/logging/path-func.bro index 760bb81e4a..731cc5464b 100644 --- a/testing/btest/policy/frameworks/logging/path-func.bro +++ b/testing/btest/policy/frameworks/logging/path-func.bro @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: ( ls static-*; cat static-* ) >output # @TEST-EXEC: btest-diff output diff --git a/testing/btest/policy/frameworks/logging/pred.bro b/testing/btest/policy/frameworks/logging/pred.bro index dc7653e24d..0562dcadb6 100644 
--- a/testing/btest/policy/frameworks/logging/pred.bro +++ b/testing/btest/policy/frameworks/logging/pred.bro @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.success.log # @TEST-EXEC: btest-diff ssh.failure.log diff --git a/testing/btest/policy/frameworks/logging/remote-types.bro b/testing/btest/policy/frameworks/logging/remote-types.bro index 607473db0f..e36754bd7d 100644 --- a/testing/btest/policy/frameworks/logging/remote-types.bro +++ b/testing/btest/policy/frameworks/logging/remote-types.bro @@ -1,9 +1,9 @@ # -# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 1 -# @TEST-EXEC: btest-diff receiver/ssh.log -# @TEST-EXEC: cmp receiver/ssh.log sender/ssh.log +# @TEST-EXEC: btest-diff receiver/test.log +# @TEST-EXEC: cmp receiver/test.log sender/test.log # Remote version testing all types. @@ -11,11 +11,11 @@ redef LogAscii::empty_field = "EMPTY"; -module SSH; +module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { TEST }; type Log: record { b: bool; @@ -40,14 +40,14 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(TEST, [$columns=Log]); } ##### @TEST-START-FILE sender.bro -module SSH; +module Test; @load frameworks/communication/listen-clear @@ -56,10 +56,10 @@ event remote_connection_handshake_done(p: event_peer) local empty_set: set[string]; local empty_vector: vector of string; - Log::write(SSH, [ + Log::write(TEST, [ $b=T, $i=-42, - $e=SSH, + $e=TEST, $c=21, $p=123/tcp, $sn=10.0.0.1/24, 
@@ -82,8 +82,6 @@ event remote_connection_handshake_done(p: event_peer) ##### -@load frameworks/communication - redef Communication::nodes += { ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] }; diff --git a/testing/btest/policy/frameworks/logging/remote.bro b/testing/btest/policy/frameworks/logging/remote.bro index e389e6be6b..1fc459e833 100644 --- a/testing/btest/policy/frameworks/logging/remote.bro +++ b/testing/btest/policy/frameworks/logging/remote.bro @@ -1,22 +1,22 @@ # -# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro # @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro +# @TEST-EXEC: ENABLE_COMMUNICATION=1 btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-wait -k 1 -# @TEST-EXEC: btest-diff sender/ssh.log -# @TEST-EXEC: btest-diff sender/ssh.failure.log -# @TEST-EXEC: btest-diff sender/ssh.success.log -# @TEST-EXEC: cmp receiver/ssh.log sender/ssh.log -# @TEST-EXEC: cmp receiver/ssh.failure.log sender/ssh.failure.log -# @TEST-EXEC: cmp receiver/ssh.success.log sender/ssh.success.log +# @TEST-EXEC: btest-diff sender/test.log +# @TEST-EXEC: btest-diff sender/test.failure.log +# @TEST-EXEC: btest-diff sender/test.success.log +# @TEST-EXEC: cmp receiver/test.log sender/test.log +# @TEST-EXEC: cmp receiver/test.failure.log sender/test.failure.log +# @TEST-EXEC: cmp receiver/test.success.log sender/test.success.log # This is the common part loaded by both sender and receiver. -module SSH; +module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { TEST }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) 
@@ -30,15 +30,15 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); - Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); + Log::create_stream(TEST, [$columns=Log]); + Log::add_filter(TEST, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); } ##### @TEST-START-FILE sender.bro -module SSH; +module Test; @load frameworks/communication/listen-clear @@ -49,18 +49,18 @@ function fail(rec: Log): bool event remote_connection_handshake_done(p: event_peer) { - Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]); + Log::add_filter(TEST, [$name="f2", $path="test.failure", $pred=fail]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local r: Log = [$t=network_time(), $id=cid, $status="success"]; # Log something. - Log::write(SSH, r); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(TEST, r); + Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(TEST, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } @TEST-END-FILE @@ -68,8 +68,6 @@ event remote_connection_handshake_done(p: event_peer) ##### -@load frameworks/communication - redef Communication::nodes += { ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] }; diff --git a/testing/btest/policy/frameworks/logging/remove.bro b/testing/btest/policy/frameworks/logging/remove.bro index 488b21408f..fa4d6a0036 100644 
--- a/testing/btest/policy/frameworks/logging/remove.bro +++ b/testing/btest/policy/frameworks/logging/remove.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -B logging %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro -B logging %INPUT # @TEST-EXEC: btest-diff ssh.log # @TEST-EXEC: btest-diff ssh.failure.log diff --git a/testing/btest/policy/frameworks/logging/rotate-custom.bro b/testing/btest/policy/frameworks/logging/rotate-custom.bro index 2781a8f59e..cbdca5dde3 100644 --- a/testing/btest/policy/frameworks/logging/rotate-custom.bro +++ b/testing/btest/policy/frameworks/logging/rotate-custom.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT | egrep "test|test2" | sort >out +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro -r %DIR/rotation.trace %INPUT | egrep "test|test2" | sort >out # @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/policy/frameworks/logging/stdout.bro b/testing/btest/policy/frameworks/logging/stdout.bro index a482f742a0..9544ca7858 100644 --- a/testing/btest/policy/frameworks/logging/stdout.bro +++ b/testing/btest/policy/frameworks/logging/stdout.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: test '!' -e ssh.log diff --git a/testing/btest/policy/frameworks/logging/test-logging.bro b/testing/btest/policy/frameworks/logging/test-logging.bro index 8443bc2236..4cc217e81f 100644 --- a/testing/btest/policy/frameworks/logging/test-logging.bro +++ b/testing/btest/policy/frameworks/logging/test-logging.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/logging/types.bro b/testing/btest/policy/frameworks/logging/types.bro index 8cd59192bd..aa8633aa67 100644 
--- a/testing/btest/policy/frameworks/logging/types.bro +++ b/testing/btest/policy/frameworks/logging/types.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log # # Testing all possible types. diff --git a/testing/btest/policy/frameworks/logging/unset-record.bro b/testing/btest/policy/frameworks/logging/unset-record.bro index e4c05aec0f..18beadf84d 100644 --- a/testing/btest/policy/frameworks/logging/unset-record.bro +++ b/testing/btest/policy/frameworks/logging/unset-record.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff testing.log redef enum Log::ID += { TESTING }; diff --git a/testing/btest/policy/frameworks/logging/vec.bro b/testing/btest/policy/frameworks/logging/vec.bro index b9ed8f8d6d..d6c6e22067 100644 --- a/testing/btest/policy/frameworks/logging/vec.bro +++ b/testing/btest/policy/frameworks/logging/vec.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: BRO_NO_BASE_SCRIPTS=1 bro %INPUT # @TEST-EXEC: btest-diff ssh.log module SSH; diff --git a/testing/btest/policy/frameworks/software/version-parsing.bro b/testing/btest/policy/frameworks/software/version-parsing.bro index 77d4c61e80..5e57a6c3a4 100644 --- a/testing/btest/policy/frameworks/software/version-parsing.bro +++ b/testing/btest/policy/frameworks/software/version-parsing.bro @@ -1,8 +1,6 @@ # @TEST-EXEC: bro %INPUT > output # @TEST-EXEC: btest-diff output -@load frameworks/software - global ts = network_time(); global host = 0.0.0.0; diff --git a/testing/btest/policy/protocols/conn/known-services.bro b/testing/btest/policy/protocols/conn/known-services.bro index a5d35b790d..7adc7cb037 100644 --- a/testing/btest/policy/protocols/conn/known-services.bro +++ b/testing/btest/policy/protocols/conn/known-services.bro 
@@ -15,10 +15,6 @@ # @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=NO_HOSTS # @TEST-EXEC: test '!' -e known_services.log -@load frameworks/dpd @load protocols/conn/known-services -@load protocols/http -@load protocols/ssh -@load protocols/ftp redef Site::local_nets += {172.16.238.0/24}; diff --git a/testing/btest/policy/protocols/dns/event-priority.bro b/testing/btest/policy/protocols/dns/event-priority.bro index 03a46fb6c5..2165b102e8 100644 --- a/testing/btest/policy/protocols/dns/event-priority.bro +++ b/testing/btest/policy/protocols/dns/event-priority.bro @@ -1,5 +1,4 @@ # @TEST-EXEC: bro -r $TRACES/dns-session.trace %INPUT # @TEST-EXEC: btest-diff dns.log -@load protocols/dns @load protocols/dns/auth-addl diff --git a/testing/btest/policy/protocols/http/http-header-crlf.bro b/testing/btest/policy/protocols/http/http-header-crlf.bro index 3ebec4367d..4e55141a7d 100644 --- a/testing/btest/policy/protocols/http/http-header-crlf.bro +++ b/testing/btest/policy/protocols/http/http-header-crlf.bro @@ -5,5 +5,6 @@ # @TEST-EXEC: bro -r $TRACES/http-byteranges.trace %INPUT # @TEST-EXEC: grep -q http_no_crlf_in_header_list weird.log && exit 1 || exit 0 -@load protocols/http +# The base analysis scripts are loaded by default. +#@load base/protocols/http diff --git a/testing/btest/policy/protocols/http/http-mime-and-md5.bro b/testing/btest/policy/protocols/http/http-mime-and-md5.bro index ff40766a50..4e202c75ed 100644 --- a/testing/btest/policy/protocols/http/http-mime-and-md5.bro +++ b/testing/btest/policy/protocols/http/http-mime-and-md5.bro @@ -6,8 +6,6 @@ # @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output # @TEST-EXEC: btest-diff http.log -@load protocols/http - redef HTTP::generate_md5 += /image\/png/; event bro_init() diff --git a/testing/btest/policy/protocols/http/http-pipelining.bro b/testing/btest/policy/protocols/http/http-pipelining.bro index c2cfe9a326..52ef81fbbf 100644 
--- a/testing/btest/policy/protocols/http/http-pipelining.bro +++ b/testing/btest/policy/protocols/http/http-pipelining.bro @@ -1,8 +1,6 @@ # @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output # @TEST-EXEC: btest-diff http.log -@load protocols/http - # mime type is irrelevant to this test, so filter it out event bro_init() { diff --git a/testing/btest/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/policy/protocols/http/test-sql-injection-regex.bro new file mode 100644 index 0000000000..bf8be22210 --- /dev/null +++ b/testing/btest/policy/protocols/http/test-sql-injection-regex.bro 
@@ -0,0 +1,119 @@ +# @TEST-EXEC: bro %INPUT > output +# @TEST-EXEC: btest-diff output + +@load protocols/http/detect-sqli + +event bro_init () +{ + local positive_matches: set[string]; + local negative_matches: set[string]; + + add positive_matches["/index.asp?ID='+convert(int,convert(varchar,0x7b5d))+'"]; + add positive_matches["/index.asp?ID='+cASt(somefield as int)+'"]; + add positive_matches["/index.asp?ID=1'+139+'0"]; + add positive_matches["/index.asp?ID='+139+'0"]; + add positive_matches["/index.php?blah=123'/*blooblah*/;select * from something;--"]; + add positive_matches["/index.cfm?ID=3%' and '%'='"]; + add positive_matches["/index.php?mac=\" OR whatever LIKE \"%"]; + add positive_matches["/index.cfm?ID=3;declare @d int;--"]; + add positive_matches["/index.cfm?subjID=12;create table t_jiaozhu(jiaozhu varchar(200))"]; + add positive_matches["/index.cfm?subjID=12%' and(char(94)+user+char(94))>0 and '%'='"]; + add positive_matches["/index.cgi?cgi_state=view&ARF_ID=1+(642*truncate(log10(10),0))"]; + add positive_matches["/index.cgi?view=1 regexp IF((ascii(substring(version(),6,1))>>(0)&1),char(42),1) AND 1=1"]; + add positive_matches["/index.cfm?News=203 and char(124)+db_name()+char(124)=0 --"]; + add positive_matches["/index.php?action=&type=view&s=&id=-1' UNION SELECT 0,252381211,0,0,0,0,0/*"]; + add positive_matches["/index.php?x=browse&category='UNION SELECT '1','2','pixelpost_category_sql_injection.nasl','1183412908','5'/*"]; + add positive_matches["/index.php?id='UNION/**/SELECT/**/0,0,1648909705,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*"]; + add positive_matches["/index.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,0x7430705038755A7A20616E64207870726F67206F776E616765,convert(concat((SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F6E616D65),0x3a,(SELECT/**/svalue/**/from/**/sconfig/**/where/**/soption=0x61646D696E5F70617373))/**/using/**/latin1),4,5,6,7,8,9/*"]; + add positive_matches["/index.jsp?arfID=5 AND ascii(lower(substring((SELECT 
TOP 1 name from sysobjects WHERE xtype=â™Uâ™), 1,1)))>109"]; + add positive_matches["/?main_menu=10&sub_menu=2&id=-1 union select aes_decrypt(aes_encrypt(LOAD_FILE('/etc/passwd'),0x70),0x70)/*"]; + add positive_matches["/index.asp?file=50' and 1=1 and ''='"]; + add positive_matches["/index.php?cat=999 UNION SELECT null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null FROM wp_users where id=1/*"]; + add positive_matches["/index.asp?authornumber=1);insert into SubjectTable(Sub_id, SubjectName, display) values (666, 'ChkQualysRprt', 1); --"]; + add positive_matches["/index.php?ID=60 and (select unicode(substring(isNull(cast(db_name() as varchar(8000)),char(32)),29,1)))"]; + add positive_matches["/index.php?sort=all&&active=NO' union select 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/* and '1'='1"]; + add positive_matches["/index.php?sort=all&&active=no' and 1=2 union select 1,'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/* and '1'='1"]; + add positive_matches["/index.php?sort=all&&active=no' and (select count(table_name) from user_tables)>0 and '1'='1"]; + add positive_matches["/index.php?id=22 /*!49999 and 1=2*/-- and 1=1"]; + add positive_matches["/index.php?ID=59 and (select count(table_name) from user_tables)>0 and 1=1"]; + add positive_matches["/index.php?ID=60 and exists (select * from [news])"]; + + # These are not detected currently. + #add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"]; + #add positive_matches["/index.php' and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password"]; + #add positive_matches["/index.php?id=873 and user=0--"]; + + # The positive_matches below are from the mod_security evasion challenge. + # All supported attacks are uncommented. 
+ # http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html + add positive_matches["/index.asp?id=100&arftype=46' XoR '8'='8"]; + #add positive_matches[unescape_URI("/testphp.vulnweb.com/artists.php?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user")]; + #add positive_matches[unescape_URI("/index.php?hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27&sendbutton1=Get+Statement")]; + #add positive_matches["after=1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')&before=d"]; + #add positive_matches["hUserId=22768&FromDate=1&ToDate=1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-&sendbutton1=Get+Statement"]; + add positive_matches[unescape_URI("/test.php?artist=-2%20div%201%20union%20all%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23ye
ah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%2
3yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%
23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yea%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%23yeaah%0A%23yeah%20babc%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaf%23%0A%23fdsafdsafa%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaafv%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%23fafsfaaf%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schem
a.tables%20limit%201")]; ; + #add positive_matches[unescape_URI("/test.php?artist=%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29 ")]; + add positive_matches[unescape_URI("/test.php?artist=-2%20div%201%20union%20all%23hack%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23hpys%20player%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%23fabuloso%23great%0A%23fabuloso%23modsec%0A%23hpys%20player%0A%2
3fabuloso%23great%23%0A%23fabuloso%23great%23%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201")]; + add positive_matches[unescape_URI("/test.php?artist=1%0bAND(SELECT%0b1%20FROM%20mysql.x)")]; + + add negative_matches["/index.asp?db=a9h&jid=JHE&scope=site"]; + add negative_matches["/blah/?q=?q=archive+title=Read the older content in our archive"]; + add negative_matches["/blah/?q=?q= title=Return to the main page"]; + add negative_matches["/index.pl?http://search.ebscohost.com.proxy.lib.ohio-state.edu/direct.asp?db=s3h&jid=22EG&scope=site"]; + add negative_matches["/search?q=eugene svirsky&spell=1&access=p&output=xml_no_dtd&ie=UTF-8&client=default_frontend&site=default_collection&proxystylesheet=default_frontend"]; + add negative_matches["/index.htm?List=metadata+)++((munson)metadata+)+)"]; + add negative_matches["/index?Z=300x250&s=299359&_salt=523454521`54&B=10&u=http://ad.doubleclick.net/adi/answ.science/;dcopt=ist;kw=biased+sample;tid=2735125;scat=health;scat=business;pcat=science;pos=1;tile=1;sz=300x250;csrc=2451;csrc=2191;csrc=2665;csrc=2750;or&r=0"]; + add 
negative_matches["/index.php?sid=FirstSearch:AveryIndex&genre=article&issn=1590-1394&isbn=&atitle=Paesaggio+artificiale:+una+cava+diventa+parco+urbano+=++Artificial+landscape:+a+quarry+becomes+an+urban+park&title=Metamorfosi&issue=66&spage=58&epage=60&date=2007-05&sici=1590-1394(200705/06)66<58:PAUCDP>2.0.TX;2-C&id=doi:&pid=858994226+858994226fsapp13-52547-fhscgzal-jqsb44&url_ver=Z39.88-2004&rfr_id=info:sid/firstsearch.oclc.org:AveryIndex&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&req_dat=fsapp13-52547-fhscgzal-jqsb44&rfe_dat=858994226+858994226&rft_id=urn:ISSN:1590-1394&rft.atitle=Paesaggio+artificiale:+una+cava+diventa+parco+urbano+=++Artificial+landscape:+a+quarry+becomes+an+urban+park&rft.jtitle=Metamorfosi&rft.date=2007-05&rft.issue=66&rft.spage=58&rft.epage=60&rft.issn=1590-1394&rft.genre=article&rft.sici=1590-1394(200705/06)66<58:PAUCDP>2.0.TX;2-C"]; + add negative_matches["/index?body=linker&reqidx=00012345(2005)L.349"]; + add negative_matches["/index.jsp?SortField=Score&SortOrder=desc&ResultCount=25&maxdoc=100&coll1=&coll2=ieeecnfs&coll3=ieecnfs&coll4=&coll5=&coll6=&coll7=&coll8=&srchres=0&history=yes&queryText=((curran)metadata)&oldqrytext=(~~simon+curran~~++metadata)++(4389466++punumber)&radiobutton=cit"]; + add negative_matches["/index.php?action=uid=32651(makessc) gid=32652(makessc) groups=32652(makessc)"]; + add negative_matches["/index.cgi?t=event&id=3947&year=2007&week=13&wday=3&rt=n&hour=13&min=30&lengthmin=90&title=771 (4) Biomedical Instrumentation - J. 
Liu&data=&startyear=2007&startweek=13&startwday=3&duration=1&alval=&altype=&alchk=&strike=0&todo=0&mail=0&lock=0&priv=0"]; + add negative_matches["/index.php?site=EagleTribunePublishingCompany&adSpace=ROS&size=468x60&type=horiz&requestID='+((new Date()).getTime() 2147483648) + Math.random()+'"]; + add negative_matches["/blah?callback=google.language.callbacks.id100&context=22&q=) or articles from the online magazine archive will need to log in, in order to access the content they have purchased.&langpair=|en&key=notsupplied&v=1.0"]; + add negative_matches["/blah?hl=en&rlz=1T4DDWQ_enUS432US432&q=\"andrew+foobar\""]; + add negative_matches["/index.cfm?filename=32423411.GP4&ip=1.2.3.4&id_num=0063&proj_num=2906&sheet_name=2 AND 3 FLR&sheet_num=2E&path=L:\ARF\DATA\13000\95013889.GP4"]; + add negative_matches["/index.pl\?supersite=stations&station=ABCD&path='+location.pathname+'&'+location.search.substring(1)+'\\\"\\"]; + add negative_matches["/ntpagetag.gif?js=1&ts=123412341234.568&lc=http://a.b.org/default.aspx?mode=js#&rs=1440x900&cd=32&ln=en&tz=GMT -04:00&jv=1&ets=123412341234.623&select_challenge_from_gallery=1&ci=RCC00000000"]; + + # These are still being matched accidentally. 
+ #add negative_matches["/A-B-C-D/inc/foobar.php?img=1179681280a b c d arf union.jpg"]; + #add negative_matches["/test,+soviet+union&searchscope=7&SORT=DZ/test,+soviet+union&foobar=7"]; + #add negative_matches["/search?hl=en&q=fee union western"]; + #add negative_matches["/search?hl=en&q=ceiling drop tile"]; + #add negative_matches["/index/hmm.gif?utmdt=Record > Create a Graph"]; + #add negative_matches["/index.php?test='||\x0aTO_CHAR(foo_bar.Foo_Bar_ID)||"]; + + local regex = + /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/ + | /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ + | /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ + | /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ + | /[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ + | 
/\/\*![[:digit:]]{5}.*?\*\//;
+
+ print "If anything besides this line prints out, there is a problem.";
+ for ( test in positive_matches )
+ {
+ if ( HTTP::match_sql_injection_uri !in test )
+ print fmt("Missed: %s", test );
+ }
+ print "";
+ for ( test in negative_matches )
+ {
+ if ( HTTP::match_sql_injection_uri in test )
+ print fmt("False Positive: %s", test);
+ }
+
+}
diff --git a/testing/btest/policy/protocols/irc/basic.test b/testing/btest/policy/protocols/irc/basic.test
index fe422efc5c..a462e828de 100644
--- a/testing/btest/policy/protocols/irc/basic.test
+++ b/testing/btest/policy/protocols/irc/basic.test
@@ -4,11 +4,9 @@
 # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff irc.log
-@load protocols/irc
-
 # dcc mime types are irrelevant to this test, so filter it out
 event bro_init()
 {
 Log::remove_default_filter(IRC::IRC);
- Log::add_filter(IRC::IRC, [$name="less-mime-types", $exclude=set("dcc_mime_type")]);
+ Log::add_filter(IRC::IRC, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
 }
diff --git a/testing/btest/policy/protocols/irc/dcc-extract.test b/testing/btest/policy/protocols/irc/dcc-extract.test
index cf256a0d05..b6be26ddd4 100644
--- a/testing/btest/policy/protocols/irc/dcc-extract.test
+++ b/testing/btest/policy/protocols/irc/dcc-extract.test
@@ -9,8 +9,6 @@
 # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test"
 # @TEST-EXEC: test -e test_192.168.1.77:57655-209.197.168.151:1024_1.dat
-@load protocols/irc
-
 redef IRC::extract_file_types=/.*/;
 event bro_init()
diff --git a/testing/btest/policy/site/testing-local.bro b/testing/btest/policy/site/testing-local.bro
index d7afa12549..e2058417cd 100644
--- a/testing/btest/policy/site/testing-local.bro
+++ b/testing/btest/policy/site/testing-local.bro
@@ -1,3 +1,3 @@
 # @TEST-EXEC: bro %INPUT
-@load site/local
\ No newline at end of file
+@load local
\ No newline at end of file
diff --git a/testing/btest/policy/utils/addrs.test b/testing/btest/policy/utils/addrs.test
index b15d42fb5f..08bce5f35f 100644
--- a/testing/btest/policy/utils/addrs.test
+++ b/testing/btest/policy/utils/addrs.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT > output
 # @TEST-EXEC: btest-diff output
-@load utils/addrs
+# This is loaded by default
+#@load base/utils/addrs
 event bro_init()
 {
diff --git a/testing/btest/policy/utils/conn-ids.test b/testing/btest/policy/utils/conn-ids.test
index 626a9c7c49..a7d2ce0939 100644
--- a/testing/btest/policy/utils/conn-ids.test
+++ b/testing/btest/policy/utils/conn-ids.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/conn-ids
+# This is loaded by default.
+#@load base/utils/conn-ids
 global c: conn_id = [ $orig_h = 10.0.0.100, $orig_p = 10000, $resp_h = 10.0.0.200, $resp_p = 20000 ];
diff --git a/testing/btest/policy/utils/directions-and-hosts.test b/testing/btest/policy/utils/directions-and-hosts.test
index 46f6e53003..6f4f781c72 100644
--- a/testing/btest/policy/utils/directions-and-hosts.test
+++ b/testing/btest/policy/utils/directions-and-hosts.test
@@ -1,8 +1,9 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/site
-@load utils/directions-and-hosts
+# These are loaded by default.
+#@load base/utils/site
+#@load base/utils/directions-and-hosts
 redef Site::local_nets += { 10.0.0.0/8 };
diff --git a/testing/btest/policy/utils/files.test b/testing/btest/policy/utils/files.test
index 5433f5b6df..84eff13187 100644
--- a/testing/btest/policy/utils/files.test
+++ b/testing/btest/policy/utils/files.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/files
+# This is loaded by default.
+#@load base/utils/files
 event connection_established(c: connection)
 {
diff --git a/testing/btest/policy/utils/numbers.test b/testing/btest/policy/utils/numbers.test
index 8b9707bdd0..c1a2fff8c8 100644
--- a/testing/btest/policy/utils/numbers.test
+++ b/testing/btest/policy/utils/numbers.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/numbers
+# This is loaded by default.
+#@load base/utils/numbers
 print extract_count("These aren't the numbers you're looking for.");
 print extract_count("13These aren't the numbers you're looking for.");
diff --git a/testing/btest/policy/utils/paths.test b/testing/btest/policy/utils/paths.test
index dd5fa2451c..8436d37b8b 100644
--- a/testing/btest/policy/utils/paths.test
+++ b/testing/btest/policy/utils/paths.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/paths
+# This is loaded by default.
+#@load base/utils/paths
 function test_extract(str: string, expect: string)
 {
diff --git a/testing/btest/policy/utils/pattern.test b/testing/btest/policy/utils/pattern.test
index c16015a85b..1cf5c49100 100644
--- a/testing/btest/policy/utils/pattern.test
+++ b/testing/btest/policy/utils/pattern.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/pattern
+# This is loaded by default.
+#@load base/utils/pattern
 global r1 = set_to_regex(set("blah", "bleh", "blarg"), "(~~)");
 global r2 = set_to_regex(set("blah", "bleh", "blarg"), "foo(~~)bar");
diff --git a/testing/btest/policy/utils/site.test b/testing/btest/policy/utils/site.test
index 26a461ed57..cfd7dd2ceb 100644
--- a/testing/btest/policy/utils/site.test
+++ b/testing/btest/policy/utils/site.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT > output
 # @TEST-EXEC: btest-diff output
-@load utils/site
+# This is loaded by default.
+#@load base/utils/site
 global a = { "site-admin@example.com", "other-site-admin@example.com" };
 global b = { "net-admin@example.com" };
diff --git a/testing/btest/policy/utils/strings.test b/testing/btest/policy/utils/strings.test
index 16de71d5ad..77fe715def 100644
--- a/testing/btest/policy/utils/strings.test
+++ b/testing/btest/policy/utils/strings.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/strings
+# This is loaded by default.
+#@load base/utils/strings
 function test_binary_string(s: string)
 {
diff --git a/testing/btest/policy/utils/thresholds.test b/testing/btest/policy/utils/thresholds.test
index 0439841e41..2e18cc3b63 100644
--- a/testing/btest/policy/utils/thresholds.test
+++ b/testing/btest/policy/utils/thresholds.test
@@ -1,7 +1,8 @@
 # @TEST-EXEC: bro %INPUT >output
 # @TEST-EXEC: btest-diff output
-@load utils/thresholds
+# This is loaded by default.
+#@load base/utils/thresholds
 redef default_notice_thresholds = { 2, 4, 6, 8, 10 };
 const my_thresholds: vector of count = { 2, 4, 6, 8, 10 };
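Review bot: The `@load protocols/irc` line removed from irc/basic.test (and likewise from irc/dcc-extract.test) is dropped without any replacement, whereas every utils test in this same commit replaces its removed `@load utils/...` with `# This is loaded by default.` followed by the commented-out new load path. Without that note the test no longer records which script provides `IRC::IRC` and `IRC::extract_file_types`, and a reader cannot tell whether the omission is intentional. For consistency with the utils tests, keep the dependency visible as a comment, e.g. `# This is loaded by default.` plus a commented `#@load <new IRC script path>` line using whatever path the relocated script now has.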
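Review bot: The added comment in utils/addrs.test reads `# This is loaded by default` with no trailing period, while conn-ids, directions-and-hosts, files and the remaining utils tests in this commit all use `# This is loaded by default.`; make addrs.test match the others. The retained commented-out `#@load base/utils/addrs` line is useful as documentation of the dependency and should stay.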