diff --git a/CHANGES b/CHANGES
index 9d600b6fda..971354196d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,22 @@
+2.5-975 | 2018-09-05 16:52:32 -0500
+
+ * Allow weird sampling settings to be updateable at runtime (Johanna Amann, Corelight)
+
+ * Permit weird sampling rate of 0, which suppresses all weirds (Johanna Amann, Corelight)
+
+ * Switch packet stats to uint64. (Robin Sommer, Corelight)
+
+2.5-969 | 2018-09-05 15:11:48 -0500
+
+ * BIT-1208: remove unused weirds from Weird::actions table (Jon Siwek, Corelight)
+
+ * BIT-1779: use BRO_LOG_SUFFIX env var in ascii log rotation function (Jon Siwek, Corelight)
+
+2.5-967 | 2018-09-05 19:30:48 +0000
+
+ * Fix printf format specification for reporting packet stats. (Robin Sommer, Corelight)
+
 2.5-965 | 2018-09-04 17:17:36 -0500
 * Updates to NTLM script handling. (Seth Hall, Corelight)
diff --git a/VERSION b/VERSION
index 63620a7ffd..26d9883e73 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-965
+2.5-975
diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.bro
index 0a7a8d0713..e27097abaf 100644
--- a/scripts/base/frameworks/config/__load__.bro
+++ b/scripts/base/frameworks/config/__load__.bro
@@ -1,2 +1,3 @@
 @load ./main
 @load ./input
+@load ./weird
diff --git a/scripts/base/frameworks/config/weird.bro b/scripts/base/frameworks/config/weird.bro
new file mode 100644
index 0000000000..bc311e3029
--- /dev/null
+++ b/scripts/base/frameworks/config/weird.bro
@@ -0,0 +1,44 @@
+##! This script sets up the config framework change handlers for weirds.
+
+@load ./main
+
+module Config;
+
+function weird_option_change_sampling_whitelist(ID: string, new_value: string_set, location: string) : string_set
+ {
+ if ( ID == "Weird::sampling_whitelist" )
+ {
+ Reporter::set_weird_sampling_whitelist(new_value);
+ }
+ return new_value;
+ }
+
+function weird_option_change_count(ID: string, new_value: count, location: string) : count
+ {
+ if ( ID == "Weird::sampling_threshold" )
+ {
+ Reporter::set_weird_sampling_threshold(new_value);
+ }
+ else if ( ID == "Weird::sampling_rate" )
+ {
+ Reporter::set_weird_sampling_rate(new_value);
+ }
+ return new_value;
+ }
+
+function weird_option_change_interval(ID: string, new_value: interval, location: string) : interval
+ {
+ if ( ID == "Weird::sampling_duration" )
+ {
+ Reporter::set_weird_sampling_duration(new_value);
+ }
+ return new_value;
+ }
+
+event bro_init() &priority=5
+ {
+ Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5);
+ Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5);
+ Option::set_change_handler("Weird::sampling_rate", weird_option_change_count, 5);
+ Option::set_change_handler("Weird::sampling_duration", weird_option_change_interval, 5);
+ }
diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index 6f2b03aafd..8cab6fa0ff 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
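Review bot: None of the three handler functions or the `bro_init` registration in the new script carries a `##` doc comment, and because `base/frameworks/config/` is part of the generated script reference, `weird_option_change_count` and its siblings will show up undocumented; a one-liner above each such as `## Pushes a changed Weird::sampling_* option into the core via the matching Reporter::set_weird_sampling_* BIF so the new value takes effect at runtime.` would do. The `ID ==` comparisons inside each handler are redundant today, since `bro_init` binds every function to exactly the option names it checks, so a short comment saying the check is deliberate (one handler serves both count-typed options) would stop a later clean-up from turning it into a silent no-op. Nothing here validates `new_value`; that is consistent with the core setters, but it means a runtime config change to `Weird::sampling_rate = 0` switches off every rate-limited weird with the config.log entry as the only trace, which is worth stating in the header comment.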
@@ -81,10 +81,14 @@ function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool
 {
 # If the filename has a ".gz" extension, then keep it.
 local gz = info$fname[-3:] == ".gz" ? ".gz" : "";
+ local bls = getenv("BRO_LOG_SUFFIX");
+
+ if ( bls == "" )
+ bls = "log";
 # Move file to name including both opening and closing time.
- local dst = fmt("%s.%s.log%s", info$path,
- strftime(Log::default_rotation_date_format, info$open), gz);
+ local dst = fmt("%s.%s.%s%s", info$path,
+ strftime(Log::default_rotation_date_format, info$open), bls, gz);
 system(fmt("/bin/mv %s %s", info$fname, dst));
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 9481723e3f..c6f3748a46 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -107,14 +107,9 @@ export {
 ["base64_illegal_encoding"] = ACTION_LOG,
 ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG,
 ["contentline_size_exceeded"] = ACTION_LOG,
- ["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG,
 ["crud_trailing_HTTP_request"] = ACTION_LOG,
 ["data_after_reset"] = ACTION_LOG,
 ["data_before_established"] = ACTION_LOG,
- ["data_without_SYN_ACK"] = ACTION_LOG,
- ["DHCP_no_type_option"] = ACTION_LOG,
- ["DHCP_wrong_msg_type"] = ACTION_LOG,
- ["DHCP_wrong_op_type"] = ACTION_LOG,
 ["DNS_AAAA_neg_length"] = ACTION_LOG,
 ["DNS_Conn_count_too_large"] = ACTION_LOG,
 ["DNS_NAME_too_long"] = ACTION_LOG,
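Review bot: `bls` is taken from the environment on the first added line and, through `dst`, ends up unquoted in `system(fmt("/bin/mv %s %s", info$fname, dst))` at the bottom of the hunk, so a `BRO_LOG_SUFFIX` holding whitespace, a `/`, or shell metacharacters breaks or extends the `mv` command. The environment is operator-controlled, so this is a robustness issue rather than an exploit path, but the new empty-string check is the natural place to also reject anything outside a safe alphabet, e.g. `if ( bls == "" || bls != /[A-Za-z0-9_.\-]+/ ) bls = "log";` (pattern/string equality in Bro is an exact match, if I recall correctly), or alternatively to shell-escape both `mv` operands with the string-escaping BIF the tree provides. `default_rotation_postprocessor_func` continues past the end of the hunk.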
@@ -129,18 +124,15 @@ export {
 ["DNS_truncated_ans_too_short"] = ACTION_LOG,
 ["DNS_truncated_len_lt_hdr_len"] = ACTION_LOG,
 ["DNS_truncated_quest_too_short"] = ACTION_LOG,
- ["dns_changed_number_of_responses"] = ACTION_LOG_PER_ORIG,
- ["dns_reply_seen_after_done"] = ACTION_LOG_PER_ORIG,
 ["excessive_data_without_further_acks"] = ACTION_LOG,
 ["excess_RPC"] = ACTION_LOG_PER_ORIG,
- ["excessive_RPC_len"] = ACTION_LOG_PER_ORIG,
 ["FIN_advanced_last_seq"] = ACTION_LOG,
 ["FIN_after_reset"] = ACTION_IGNORE,
 ["FIN_storm"] = ACTION_NOTICE_PER_ORIG,
 ["HTTP_bad_chunk_size"] = ACTION_LOG,
 ["HTTP_chunked_transfer_for_multipart_message"] = ACTION_LOG,
 ["HTTP_overlapping_messages"] = ACTION_LOG,
- ["HTTP_unknown_method"] = ACTION_LOG,
+ ["unknown_HTTP_method"] = ACTION_LOG,
 ["HTTP_version_mismatch"] = ACTION_LOG,
 ["ident_request_addendum"] = ACTION_LOG,
 ["inappropriate_FIN"] = ACTION_LOG,
@@ -174,17 +166,13 @@ export {
 ["line_terminated_with_single_LF"] = ACTION_LOG,
 ["malformed_ssh_identification"] = ACTION_LOG,
 ["malformed_ssh_version"] = ACTION_LOG,
- ["matching_undelivered_data"] = ACTION_LOG,
 ["multiple_HTTP_request_elements"] = ACTION_LOG,
- ["multiple_RPCs"] = ACTION_LOG_PER_ORIG,
- ["non_IPv4_packet"] = ACTION_LOG_ONCE,
 ["NUL_in_line"] = ACTION_LOG,
 ["originator_RPC_reply"] = ACTION_LOG_PER_ORIG,
 ["partial_finger_request"] = ACTION_LOG,
 ["partial_ftp_request"] = ACTION_LOG,
 ["partial_ident_request"] = ACTION_LOG,
 ["partial_RPC"] = ACTION_LOG_PER_ORIG,
- ["partial_RPC_request"] = ACTION_LOG,
 ["pending_data_when_closed"] = ACTION_LOG,
 ["pop3_bad_base64_encoding"] = ACTION_LOG,
 ["pop3_client_command_unknown"] = ACTION_LOG,
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 8e51b312b0..93bcc203b7 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
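Review bot: The `HTTP_unknown_method` → `unknown_HTTP_method` key change in `Weird::actions` is not backward compatible for sites that `redef Weird::actions += { ["HTTP_unknown_method"] = ... }` in local policy: the old key becomes a dead entry and the weird quietly falls back to the table's default action. If the old spelling was never emitted by the core (which the BIT-1208 "unused weirds" clean-up suggests) this is harmless in practice, but a line in CHANGES or NEWS naming the renamed key would let operators grep their local.bro for it. The `export` block holding the table extends beyond the hunk on both sides.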
@@ -4847,30 +4847,31 @@ export {
 module Weird;
 export {
 ## Prevents rate-limiting sampling of any weirds named in the table.
- const sampling_whitelist: set[string] &redef;
+ option sampling_whitelist: set[string] = {};
 ## How many weirds of a given type to tolerate before sampling begins.
- ## i.e. this many consecutive weirds of a given type will be allowed to
+ ## I.e. this many consecutive weirds of a given type will be allowed to
 ## raise events for script-layer handling before being rate-limited.
- const sampling_threshold = 25 &redef;
+ option sampling_threshold : count = 25;
- ## The rate-limiting sampling rate. One out of every of this number of
+ ## The rate-limiting sampling rate. One out of every of this number of
 ## rate-limited weirds of a given type will be allowed to raise events
- ## for further script-layer handling.
+ ## for further script-layer handling. Setting the sampling rate to 0
+ ## will disable all output of rate-limited weirds.
- const sampling_rate = 1000 &redef;
+ option sampling_rate : count = 1000;
 ## How long a weird of a given type is allowed to keep state/counters in
- ## memory. For "net" weirds an expiration timer starts per weird name when
- ## first initializing its counter. For "flow" weirds an expiration timer
- ## starts once per src/dst IP pair for the first weird of any name. For
+ ## memory. For "net" weirds an expiration timer starts per weird name when
+ ## first initializing its counter. For "flow" weirds an expiration timer
+ ## starts once per src/dst IP pair for the first weird of any name. For
 ## "conn" weirds, counters and expiration timers are kept for the duration
- ## of the connection for each named weird and reset when necessary. e.g.
+ ## of the connection for each named weird and reset when necessary. E.g.
 ## if a "conn" weird by the name of "foo" is seen more than
 ## :bro:see:`Weird::sampling_threshold` times, then an expiration timer
 ## begins for "foo" and upon triggering will reset the counter for "foo"
 ## and unthrottle its rate-limiting until it once again exceeds the
 ## threshold.
- const sampling_duration = 10min &redef;
+ option sampling_duration = 10min;
 }
 module GLOBAL;
diff --git a/src/Conn.cc b/src/Conn.cc
index c69f155731..2bcb82de26 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -1078,10 +1078,10 @@ bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate,
 auto& state = weird_state[name];
 ++state.count;
- if ( state.count < threshold )
+ if ( state.count <= threshold )
 return true;
- if ( state.count == threshold )
+ if ( state.count == threshold + 1)
 state.sampling_start_time = network_time;
 else
 {
@@ -1094,5 +1094,8 @@ bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate,
 }
 auto num_above_threshold = state.count - threshold;
- return num_above_threshold % rate == 0;
+ if ( rate )
+ return num_above_threshold % rate == 0;
+ else
+ return false;
 }
diff --git a/src/Net.cc b/src/Net.cc
index 4357f122ca..d6cb6632b2 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -421,7 +421,7 @@ void net_get_final_stats()
 {
 iosource::PktSrc::Stats s;
 ps->Statistics(&s);
- reporter->Info("%d packets received on interface %s, %d dropped",
+ reporter->Info("%" PRIu64 " packets received on interface %s, %" PRIu64 " dropped",
 s.received, ps->Path().c_str(), s.dropped);
 }
 }
diff --git a/src/Reporter.cc b/src/Reporter.cc
index 59e877bb7c..a21d0a0538 100644
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
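Review bot: `option sampling_duration = 10min;` is the only one of the four converted options without an explicit type, while its siblings were given `: set[string]` and `: count`; for consistency, and so the generated reference shows the type, write `option sampling_duration : interval = 10min;`. Now that these values can be changed from a config file at runtime, the `sampling_duration` doc should carry the caveat the core setter already states, e.g. `## Changing this at runtime does not affect timers that are already running.` The `export` block begins before the hunk.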
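Review bot: With `rate == 0` the function still increments `state.count` and runs the sampling-start/expiry bookkeeping in the part of `Connection::PermitWeird` above this hunk before the new `else return false;` path is reached; testing `if ( ! rate ) return false;` immediately after the threshold check would skip that work in the "suppress everything" case, which is presumably the setting chosen exactly when weird volume is highest. A comment on the new branch such as `// A rate of 0 means nothing above the threshold is ever permitted.` would also make the special value visible to readers of this file rather than only of init-bare.bro. The function starts before the hunk.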
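Review bot: `PRIu64` needs `<cinttypes>` (or `<inttypes.h>`); the hunk shows no include and I cannot see the top of Net.cc, so if the macro is only reaching this file transitively through another header, a later include reshuffle will break the build on this line — an explicit `#include <cinttypes>` at the top of the file is cheap insurance. `net_get_final_stats` starts before the hunk.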
@@ -52,13 +52,13 @@ Reporter::~Reporter()
 void Reporter::InitOptions()
 {
- info_to_stderr = internal_const_val("Reporter::info_to_stderr")->AsBool();
- warnings_to_stderr = internal_const_val("Reporter::warnings_to_stderr")->AsBool();
- errors_to_stderr = internal_const_val("Reporter::errors_to_stderr")->AsBool();
- weird_sampling_rate = internal_const_val("Weird::sampling_rate")->AsCount();
- weird_sampling_threshold = internal_const_val("Weird::sampling_threshold")->AsCount();
- weird_sampling_duration = internal_const_val("Weird::sampling_duration")->AsInterval();
- auto wl_val = internal_const_val("Weird::sampling_whitelist")->AsTableVal();
+ info_to_stderr = internal_val("Reporter::info_to_stderr")->AsBool();
+ warnings_to_stderr = internal_val("Reporter::warnings_to_stderr")->AsBool();
+ errors_to_stderr = internal_val("Reporter::errors_to_stderr")->AsBool();
+ weird_sampling_rate = internal_val("Weird::sampling_rate")->AsCount();
+ weird_sampling_threshold = internal_val("Weird::sampling_threshold")->AsCount();
+ weird_sampling_duration = internal_val("Weird::sampling_duration")->AsInterval();
+ auto wl_val = internal_val("Weird::sampling_whitelist")->AsTableVal();
 auto wl_table = wl_val->AsTable();
 HashKey* k;
@@ -296,11 +296,14 @@ bool Reporter::PermitNetWeird(const char* name)
 timer_mgr->Add(new NetWeirdTimer(network_time, name, weird_sampling_duration));
- if ( count < weird_sampling_threshold )
+ if ( count <= weird_sampling_threshold )
 return true;
 auto num_above_threshold = count - weird_sampling_threshold;
- return num_above_threshold % weird_sampling_rate == 0;
+ if ( weird_sampling_rate )
+ return num_above_threshold % weird_sampling_rate == 0;
+ else
+ return false;
 }
 bool Reporter::PermitFlowWeird(const char* name,
@@ -316,11 +319,14 @@ bool Reporter::PermitFlowWeird(const char* name,
 auto& count = map[name];
 ++count;
- if ( count < weird_sampling_threshold )
+ if ( count <= weird_sampling_threshold )
 return true;
 auto num_above_threshold = count - weird_sampling_threshold;
- return num_above_threshold % weird_sampling_rate == 0;
+ if ( weird_sampling_rate )
+ return num_above_threshold % weird_sampling_rate == 0;
+ else
+ return false;
 }
 void Reporter::Weird(const char* name)
diff --git a/src/Reporter.h b/src/Reporter.h
index f5090ee91e..bd029c0b59 100644
--- a/src/Reporter.h
+++ b/src/Reporter.h
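Review bot: The sampling decision on the new side — `count <= threshold` passes, then `rate == 0` means never, else one in every `rate` — is now spelled out three times (here, in `PermitNetWeird` above, and in `Connection::PermitWeird` in Conn.cc), and the rate-0 semantics were just changed in all three at once, which is exactly when such copies start to drift. A small file-local helper lets the three call sites share one definition, with `Connection::PermitWeird` calling it after its timer bookkeeping; the helper also gives the rate-0 special case a place to be documented in the core. `PermitFlowWeird` starts before the hunk.

```cpp
// Decide whether a weird seen `count` times so far may raise an event:
// the first `threshold` occurrences always may, afterwards one in every
// `rate`; a rate of 0 suppresses everything above the threshold.
static bool permit_sampled_weird(uint64 count, uint64 threshold, uint64 rate)
	{
	if ( count <= threshold )
		return true;

	if ( ! rate )
		return false;

	return (count - threshold) % rate == 0;
	}

// … unchanged: PermitFlowWeird up to and including the counter increment …
	return permit_sampled_weird(count, weird_sampling_threshold, weird_sampling_rate);
```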
@@ -152,6 +152,85 @@ public:
 const WeirdCountMap& GetWeirdsByType() const { return weird_count_by_type; }
+ /**
+ * Gets the weird sampling whitelist.
+ */
+ WeirdSet GetWeirdSamplingWhitelist() const
+ {
+ return weird_sampling_whitelist;
+ }
+
+ /**
+ * Sets the weird sampling whitelist.
+ *
+ * @param weird_sampling_whitelist New weird sampling whitelist.
+ */
+ void SetWeirdSamplingWhitelist(const WeirdSet& weird_sampling_whitelist)
+ {
+ this->weird_sampling_whitelist = weird_sampling_whitelist;
+ }
+
+ /**
+ * Gets the current weird sampling threshold.
+ *
+ * @return weird sampling threshold.
+ */
+ uint64 GetWeirdSamplingThreshold() const
+ {
+ return weird_sampling_threshold;
+ }
+
+ /**
+ * Sets the current weird sampling threshold.
+ *
+ * @param weird_sampling_threshold New weird sampling threshold.
+ */
+ void SetWeirdSamplingThreshold(uint64 weird_sampling_threshold)
+ {
+ this->weird_sampling_threshold = weird_sampling_threshold;
+ }
+
+ /**
+ * Gets the current weird sampling rate.
+ *
+ * @return weird sampling rate.
+ */
+ uint64 GetWeirdSamplingRate() const
+ {
+ return weird_sampling_rate;
+ }
+
+ /**
+ * Sets the weird sampling rate.
+ *
+ * @param weird_sampling_rate New weird sampling rate.
+ */
+ void SetWeirdSamplingRate(uint64 weird_sampling_rate)
+ {
+ this->weird_sampling_rate = weird_sampling_rate;
+ }
+
+ /**
+ * Gets the current weird sampling duration.
+ *
+ * @return weird sampling duration.
+ */
+ double GetWeirdSamplingDuration() const
+ {
+ return weird_sampling_duration;
+ }
+
+ /**
+ * Sets the current weird sampling duration. Please note that
+ * this will not delete already running timers.
+ *
+ * @param weird_sampling_duration New weird sampling duration.
+ */
+ void SetWeirdSamplingDuration(double weird_sampling_duration)
+ {
+ this->weird_sampling_duration = weird_sampling_duration;
+ }
+
 private:
 void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 Connection* conn, val_list* addl, bool location, bool time,
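Review bot: `GetWeirdSamplingWhitelist()` returns `WeirdSet` by value, so every caller copies the whole set — the new `Reporter::get_weird_sampling_whitelist` BIF iterates it in a range-for and pays that copy on each call; the neighbouring `GetWeirdsByType()` already shows the pattern to follow, `const WeirdSet& GetWeirdSamplingWhitelist() const`. The four setters accept any value unchecked, which is fine given the script-level semantics, but `SetWeirdSamplingRate`'s doc should mention the special case the script docs now define, e.g. `* @param weird_sampling_rate New weird sampling rate; 0 suppresses all rate-limited weirds.` The enclosing class continues past the hunk.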
@@ -178,7 +257,6 @@ private:
 uint64 weird_count;
 WeirdCountMap weird_count_by_type;
- WeirdCountMap net_weird_state;
 WeirdFlowMap flow_weird_state;
diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h
index dcf5f38de8..7efecfb0bf 100644
--- a/src/iosource/PktSrc.h
+++ b/src/iosource/PktSrc.h
@@ -28,18 +28,18 @@ public:
 /**
 * Packets received by source after filtering (w/o drops).
 */
- unsigned int received;
+ uint64 received;
 /**
 * Packets dropped by source.
 */
- unsigned int dropped; // pkts dropped
+ uint64 dropped; // pkts dropped
 /**
 * Total number of packets on link before filtering.
 * Optional, can be left unset if not available.
 */
- unsigned int link;
+ uint64 link;
 /**
 * Bytes received by source after filtering (w/o drops).
diff --git a/src/reporter.bif b/src/reporter.bif
index a6463f6226..92088e5fc9 100644
--- a/src/reporter.bif
+++ b/src/reporter.bif
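Review bot: Widening `received`, `dropped` and `link` to `uint64` changes the type seen by every consumer of `PktSrc::Stats`, not only the `reporter->Info` call fixed in Net.cc; any other `printf`-style use of these fields with `%d`/`%u`, or assignment into an `unsigned int`, elsewhere in the tree (packet-source implementations, the stats BIFs) is now a format mismatch or a silent truncation that I cannot verify from this hunk. A build with `-Wformat` warnings enabled, or a grep for `.received`/`.dropped` consumers, would confirm nothing else needs the same treatment. The `Stats` struct continues past the hunk.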
@@ -112,3 +112,102 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul
 reporter->Weird(c, name->CheckString(), addl->CheckString());
 return new Val(1, TYPE_BOOL);
 %}
+
+## Gets the weird sampling whitelist
+##
+## Returns: Current weird sampling whitelist
+function Reporter::get_weird_sampling_whitelist%(%): string_set
+ %{
+ TableVal* set = new TableVal(string_set);
+ for ( auto el : reporter->GetWeirdSamplingWhitelist() )
+ {
+ set->Assign(new StringVal(el), nullptr);
+ }
+ return set;
+ %}
+
+## Sets the weird sampling whitelist
+##
+## whitelist: New weird sampling rate.
+##
+## Returns: Always true.
+function Reporter::set_weird_sampling_whitelist%(weird_sampling_whitelist: string_set%) : bool
+%{
+ auto wl_val = weird_sampling_whitelist->AsTableVal();
+ auto wl_table = wl_val->AsTable();
+ std::unordered_set whitelist_set;
+
+ HashKey* k;
+ IterCookie* c = wl_table->InitForIteration();
+ TableEntryVal* v;
+
+ while ( (v = wl_table->NextEntry(k, c)) )
+ {
+ auto index = wl_val->RecoverIndex(k);
+ string key = index->Index(0)->AsString()->CheckString();
+ whitelist_set.emplace(move(key));
+ Unref(index);
+ delete k;
+ }
+ reporter->SetWeirdSamplingWhitelist(whitelist_set);
+ return new Val(1, TYPE_BOOL);
+%}
+
+## Gets the current weird sampling threshold
+##
+## Returns: current weird sampling threshold.
+function Reporter::get_weird_sampling_threshold%(%) : count
+ %{
+ return new Val(reporter->GetWeirdSamplingThreshold(), TYPE_COUNT);
+ %}
+
+## Sets the current weird sampling threshold
+##
+## threshold: New weird sampling threshold.
+##
+## Returns: Always returns true;
+function Reporter::set_weird_sampling_threshold%(weird_sampling_threshold: count%) : bool
+ %{
+ reporter->SetWeirdSamplingThreshold(weird_sampling_threshold);
+ return new Val(1, TYPE_BOOL);
+ %}
+
+
+## Gets the current weird sampling rate.
+##
+## Returns: weird sampling rate.
+function Reporter::get_weird_sampling_rate%(%) : count
+ %{
+ return new Val(reporter->GetWeirdSamplingRate(), TYPE_COUNT);
+ %}
+
+## Sets the weird sampling rate.
+##
+## weird_sampling_rate: New weird sampling rate.
+##
+## Returns: Always returns true.
+function Reporter::set_weird_sampling_rate%(weird_sampling_rate: count%) : bool
+ %{
+ reporter->SetWeirdSamplingRate(weird_sampling_rate);
+ return new Val(1, TYPE_BOOL);
+ %}
+
+## Gets the current weird sampling duration.
+##
+## Returns: weird sampling duration.
+function Reporter::get_weird_sampling_duration%(%) : interval
+ %{
+ return new Val(reporter->GetWeirdSamplingDuration(), TYPE_INTERVAL);
+ %}
+
+## Sets the current weird sampling duration. Please note that
+## this will not delete already running timers.
+##
+## weird_sampling_duration: New weird sampling duration.
+##
+## Returns: always returns True
+function Reporter::set_weird_sampling_duration%(weird_sampling_duration: interval%) : bool
+ %{
+ reporter->SetWeirdSamplingDuration(weird_sampling_duration);
+ return new Val(1, TYPE_BOOL);
+ %}
diff --git a/testing/btest/Baseline/core.reporter-weird-sampling-disable/output b/testing/btest/Baseline/core.reporter-weird-sampling-disable/output
new file mode 100644
index 0000000000..b7b0090086
--- /dev/null
+++ b/testing/btest/Baseline/core.reporter-weird-sampling-disable/output
@@ -0,0 +1 @@
+net_weird, my_net_weird
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index f32dcfabd6..1df4b007c1 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field (empty) #unset_field - #path loaded_scripts
-#open 2018-09-04-21-14-06
+#open 2018-09-05-20-33-08
 #fields name #types string scripts/base/init-bare.bro
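Review bot: In `get_weird_sampling_whitelist`, `set->Assign(new StringVal(el), nullptr)` hands a freshly allocated index Val to `TableVal::Assign`; if that call does not take ownership of the index (the idiom elsewhere in the BIFs is to `Unref` the index after `Assign`), one `StringVal` leaks per whitelist entry on every call, so I would write `Val* idx = new StringVal(el); set->Assign(idx, 0); Unref(idx);` unless ownership transfer is confirmed. The doc block for `set_weird_sampling_whitelist` is a copy-paste slip: it documents a parameter `whitelist` as "New weird sampling rate." while the actual parameter is `weird_sampling_whitelist`, which the BIF doc generator keys on, so it should read `## weird_sampling_whitelist: New weird sampling whitelist.` The preceding `Reporter::conn_weird` BIF starts before the hunk.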
@@ -248,6 +248,7 @@ scripts/base/init-default.bro scripts/base/frameworks/config/__load__.bro scripts/base/frameworks/config/main.bro scripts/base/frameworks/config/input.bro + scripts/base/frameworks/config/weird.bro scripts/base/frameworks/sumstats/__load__.bro scripts/base/frameworks/sumstats/main.bro scripts/base/frameworks/sumstats/plugins/__load__.bro @@ -370,4 +371,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2018-09-04-21-14-06 +#close 2018-09-05-20-33-08 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 643bfe6c14..9ab4580aa6 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -274,7 +274,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -459,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -515,6 +515,14 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Software::asset_tracking, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::weird_option_change_interval{ if (Weird::sampling_duration == Config::ID) { 
Reporter::set_weird_sampling_duration(Config::new_value)}return (Config::new_value)}, 5)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_rate, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_rate, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_threshold, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_threshold, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_whitelist, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), 
$new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelist{ if (Weird::sampling_whitelist == Config::ID) { Reporter::set_weird_sampling_whitelist(Config::new_value)}return (Config::new_value)}, 5)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::weird_do_not_ignore_repeats, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 
@@ -1152,7 +1160,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1337,7 +1345,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1393,6 +1401,14 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Software::asset_tracking, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::weird_option_change_interval{ if (Weird::sampling_duration == Config::ID) { 
Reporter::set_weird_sampling_duration(Config::new_value)}return (Config::new_value)}, 5)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_rate, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_rate, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_threshold, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_threshold, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_whitelist, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to 
Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelist{ if (Weird::sampling_whitelist == Config::ID) { Reporter::set_weird_sampling_whitelist(Config::new_value)}return (Config::new_value)}, 5)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::weird_do_not_ignore_repeats, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 
@@ -2029,7 +2045,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2214,7 +2230,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2270,6 +2286,14 @@ 0.000000 | HookCallFunction Option::set_change_handler(Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Software::asset_tracking, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_duration, Config::weird_option_change_interval{ if (Weird::sampling_duration == Config::ID) { Reporter::set_weird_sampling_duration(Config::new_value)}return (Config::new_value)}, 
5) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_rate, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_rate, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_threshold, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_threshold, Config::weird_option_change_count{ if (Weird::sampling_threshold == Config::ID) { Reporter::set_weird_sampling_threshold(Config::new_value)}elseif (Weird::sampling_rate == Config::ID) { Reporter::set_weird_sampling_rate(Config::new_value)}return (Config::new_value)}, 5) +0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_whitelist, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 
+0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelist{ if (Weird::sampling_whitelist == Config::ID) { Reporter::set_weird_sampling_whitelist(Config::new_value)}return (Config::new_value)}, 5) 0.000000 | HookCallFunction Option::set_change_handler(Weird::weird_do_not_ignore_repeats, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 
@@ -2627,7 +2651,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1536095668.920574, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1536179603.812250, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log b/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log new file mode 100644 index 0000000000..2203bd77d6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-09-05-19-30-42 +#fields ts id old_value new_value location +#types time string string string string +0.000000 Weird::sampling_duration 10.0 mins 5.0 secs - +0.000000 Weird::sampling_threshold 25 10 - +0.000000 Weird::sampling_rate 1000 10 - +0.000000 Weird::sampling_whitelist (empty) whitelisted_net_weird,whitelisted_flow_weird,whitelisted_conn_weird - +#close 2018-09-05-19-30-42 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.weird/output b/testing/btest/Baseline/scripts.base.frameworks.config.weird/output new file mode 100644 index 0000000000..d66ea7af36 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.weird/output 
@@ -0,0 +1,360 @@ +Config values set +{ +whitelisted_net_weird, +whitelisted_flow_weird, +whitelisted_conn_weird +} +10 +10 +5.0 +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, 
whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird 
+flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird 
diff --git a/testing/btest/core/reporter-weird-sampling-disable.bro b/testing/btest/core/reporter-weird-sampling-disable.bro
new file mode 100644
index 0000000000..014e287dab
--- /dev/null
+++ b/testing/btest/core/reporter-weird-sampling-disable.bro
@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -b -r $TRACES/http/bro.org.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef Weird::sampling_threshold = 1;
+redef Weird::sampling_rate = 0;
+
+event net_weird(name: string)
+ {
+ print "net_weird", name;
+ }
+
+event gen_weirds(c: connection)
+ {
+ local num = 5;
+
+ while ( num != 0 )
+ {
+ Reporter::net_weird("my_net_weird");
+ --num;
+ }
+ }
+
+global did_one_connection = F;
+
+event new_connection(c: connection)
+ {
+ if ( did_one_connection )
+ return;
+
+ did_one_connection = T;
+ event gen_weirds(c);
+ }
diff --git a/testing/btest/scripts/base/frameworks/config/weird.bro b/testing/btest/scripts/base/frameworks/config/weird.bro
new file mode 100644
index 0000000000..ae3e0f2153
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/weird.bro
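Review bot: The test never states what outcome it is pinning, so a reader has to work out from `sampling_threshold = 1` and `sampling_rate = 0` that only the first of the five my_net_weird calls in gen_weirds is expected to reach the net_weird handler and the other four should be dropped. I'd make that explicit next to the redefs: `# threshold 1 lets the first my_net_weird through; rate 0 means no further samples, so the remaining four must be suppressed`. It is also worth a sentence that a rate of 0 is a silencing knob rather than a throttle, since an operator setting it loses all weirds of that name beyond the threshold and this test is the only place that semantic is exercised. The expected-output baseline for this test is not part of the visible diff, so I cannot confirm the exact count it records.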
@@ -0,0 +1,66 @@
+# @TEST-EXEC: bro -r $TRACES/http/bro.org.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff config.log
+
+event bro_init()
+ {
+ Config::set_value("Weird::sampling_duration", 5sec);
+ Config::set_value("Weird::sampling_threshold", 10);
+ Config::set_value("Weird::sampling_rate", 10);
+ Config::set_value("Weird::sampling_whitelist", set("whitelisted_net_weird", "whitelisted_flow_weird", "whitelisted_conn_weird"));
+ print "Config values set";
+ }
+
+event bro_init() &priority = -10
+ {
+ print Reporter::get_weird_sampling_whitelist();
+ print Reporter::get_weird_sampling_rate();
+ print Reporter::get_weird_sampling_threshold();
+ print Reporter::get_weird_sampling_duration();
+ }
+
+event conn_weird(name: string, c: connection, addl: string)
+ {
+ print "conn_weird", name;
+ }
+
+event flow_weird(name: string, src: addr, dst: addr)
+ {
+ print "flow_weird", name;
+ }
+
+event net_weird(name: string)
+ {
+ print "net_weird", name;
+ }
+
+event gen_weirds(c: connection)
+ {
+ local num = 30;
+
+ while ( num != 0 )
+ {
+ Reporter::net_weird("my_net_weird");
+ Reporter::flow_weird("my_flow_weird", c$id$orig_h, c$id$resp_h);
+ Reporter::conn_weird("my_conn_weird", c);
+
+ Reporter::net_weird("whitelisted_net_weird");
+ Reporter::flow_weird("whitelisted_flow_weird", c$id$orig_h, c$id$resp_h);
+ Reporter::conn_weird("whitelisted_conn_weird", c);
+ --num;
+ }
+ }
+
+global did_one_connection = F;
+
+event new_connection(c: connection)
+ {
+ if ( did_one_connection )
+ return;
+
+ did_one_connection = T;
+ event gen_weirds(c); # should permit 10 + 2 of each "my" weird
+ schedule 2sec { gen_weirds(c) }; # should permit 3 of each "my" weird
+ schedule 7sec { gen_weirds(c) }; # should permit 10 + 2 of each "my" weird
+ # Total of 27 "my" weirds of each type and 90 of each "whitelisted" type
+ }
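Review bot: The Config::set_value calls in the first bro_init only take effect in the core because the Weird change handlers are already registered when it runs, which holds only if the base config/weird.bro installs them from a higher-priority bro_init (as it appears to); nothing in this test records that ordering, so a later priority change would break it for a reason that is not visible here. I'd put `# Relies on base config/weird.bro having registered its change handlers from a higher-priority bro_init before this default-priority handler runs.` above the first set_value. The expected counts in the new_connection comments (10 + 2, 3, 10 + 2 for 30 calls at rate 10 within a 5sec window) also presume every-Nth rather than randomized sampling; stating that assumption in the comment would make a future change to the sampling scheme recognisable as the reason the baseline moves.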