Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details

scripts/base/frameworks/netcontrol/__load__.zeek

@@ -3,7 +3,6 @@
 @load ./plugins
 @load ./drop
 @load ./shunt
-@load ./catch-and-release
 
 # The cluster framework must be loaded first.
 @load base/frameworks/cluster

scripts/base/frameworks/netcontrol/drop.zeek

@@ -1,9 +1,9 @@
 ##! Implementation of the drop functionality for NetControl.
 
-module NetControl;
-
 @load ./main
 
+module NetControl;
+
 export {
 	redef enum Log::ID += { DROP };
 

scripts/base/frameworks/netcontrol/main.zeek

@@ -10,11 +10,11 @@
 ##! provides convenience functions for a set of common operations. The
 ##! low-level API provides full flexibility.
 
-module NetControl;
-
 @load ./plugin
 @load ./types
 
+module NetControl;
+
 export {
 	## The framework's logging stream identifier.
 	redef enum Log::ID += { LOG };
@@ -889,7 +889,7 @@ function remove_rule_impl(id: string, reason: string) : bool
 function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
 	{
 	# do not emit timeout events on shutdown
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		return;
 
 	if ( r$id !in rules )

scripts/base/frameworks/netcontrol/non-cluster.zeek

@@ -1,7 +1,8 @@
-module NetControl;
 
 @load ./main
 
+module NetControl;
+
 function activate(p: PluginState, priority: int)
 	{
 	activate_impl(p, priority);

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -1,9 +1,9 @@
 ##! This file defines the plugin interface for NetControl.
 
-module NetControl;
-
 @load ./types
 
+module NetControl;
+
 export {
 	## This record keeps the per instance state of a plugin.
 	##

scripts/base/frameworks/netcontrol/plugins/acld.zeek

@@ -1,11 +1,11 @@
 ##! Acld plugin for the netcontrol framework.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	type AclRule : record {
 		command: string;

scripts/base/frameworks/netcontrol/plugins/broker.zeek

@@ -2,12 +2,12 @@
 ##! used in NetControl on to Broker to allow for easy handling, e.g., of
 ##! command-line scripts.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
 	type BrokerConfig: record {

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -3,10 +3,10 @@
 ##! and can only add/remove filters for addresses, this is quite
 ##! limited in scope at the moment. 
 
-module NetControl;
-
 @load ../plugin
 
+module NetControl;
+
 export {
 	## Instantiates the packetfilter plugin.
 	global create_packetfilter: function() : PluginState;

scripts/base/frameworks/notice/__load__.zeek

@@ -3,7 +3,6 @@
 
 # There should be no overhead imposed by loading notice actions so we
 # load them all.
-@load ./actions/drop
 @load ./actions/email_admin
 @load ./actions/page
 @load ./actions/add-geodata

scripts/base/frameworks/notice/main.zeek

@@ -405,7 +405,7 @@ function email_headers(subject_desc: string, dest: string): string
 		"From: ", mail_from, "\n",
 		"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
 		"To: ", dest, "\n",
-		"User-Agent: Bro-IDS/", bro_version(), "\n");
+		"User-Agent: Bro-IDS/", zeek_version(), "\n");
 	if ( reply_to != "" )
 		header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
 	return header_text;

scripts/base/frameworks/openflow/consts.zeek

@@ -11,7 +11,7 @@ const COOKIE_BID_SIZE = 16777216;
 # start at bit 40 (1 << 40)
 const COOKIE_BID_START = 1099511627776;
 # Zeek specific cookie ID shall have the 42 bit set (1 << 42)
-const BRO_COOKIE_ID = 4;
+const ZEEK_COOKIE_ID = 4;
 # 8 bits group identifier
 const COOKIE_GID_SIZE = 256;
 # start at bit 32 (1 << 32)

scripts/base/frameworks/openflow/main.zeek

@@ -198,7 +198,7 @@ function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
 # 42 bit of the cookie set.
 function generate_cookie(cookie: count &default=0): count
 	{
-	local c = BRO_COOKIE_ID * COOKIE_BID_START;
+	local c = ZEEK_COOKIE_ID * COOKIE_BID_START;
 
 	if ( cookie >= COOKIE_UID_SIZE )
 		Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
@@ -211,7 +211,7 @@ function generate_cookie(cookie: count &default=0): count
 # local function to check if a given flow_mod cookie is forged from this framework.
 function is_valid_cookie(cookie: count): bool
 	{
-	if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
+	if ( cookie / COOKIE_BID_START == ZEEK_COOKIE_ID )
 		return T;
 
 	Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
@@ -231,7 +231,7 @@ function get_cookie_gid(cookie: count): count
 	{
 	if( is_valid_cookie(cookie) )
 		return (
-			(cookie	- (COOKIE_BID_START * BRO_COOKIE_ID) -
+			(cookie	- (COOKIE_BID_START * ZEEK_COOKIE_ID) -
 			(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
 			COOKIE_GID_START
 		);

scripts/base/frameworks/openflow/types.zeek

@@ -89,7 +89,7 @@ export {
 		## Opaque controller-issued identifier.
 		# This is optional in the specification - but let's force
 		# it so we always can identify our flows...
-		cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
+		cookie: count; # &default=ZEEK_COOKIE_ID * COOKIE_BID_START;
 		# Flow actions
 		## Table to put the flow in. OFPTT_ALL can be used for delete,
 		## to delete flows from all matching tables.

scripts/base/frameworks/sumstats/non-cluster.zeek

@@ -35,7 +35,7 @@ event SumStats::finish_epoch(ss: SumStat)
 			{
 			local data = result_store[ss$name];
 			local now = network_time();
-			if ( bro_is_terminating() )
+			if ( zeek_is_terminating() )
 				{
 				for ( key, val in data )
 					ss$epoch_result(now, key, val);

scripts/base/init-bare.zeek

@@ -4282,6 +4282,22 @@ export {
 		dig_product_id:         string &optional;
 	};
 
+	## The TS_UD_CS_SEC data block contains security-related information used
+	## to advertise client cryptographic support.
+	type RDP::ClientSecurityData: record {
+		## Cryptographic encryption methods supported by the client and used in
+		## conjunction with Standard RDP Security.  Known flags:
+		##
+		## - 0x00000001: support for 40-bit session encryption keys
+		## - 0x00000002: support for 128-bit session encryption keys
+		## - 0x00000008: support for 56-bit session encryption keys
+		## - 0x00000010: support for FIPS compliant encryption and MAC methods
+		encryption_methods:	count;
+		## Only used in French locale and designates the encryption method.  If
+		## non-zero, then encryption_methods should be set to 0.
+		ext_encryption_methods:	count;
+	};
+
 	## Name and flags for a single channel requested by the client.
 	type RDP::ClientChannelDef: record {
 		## A unique name for the channel
@@ -4749,7 +4765,7 @@ const packet_filter_default = F &redef;
 const sig_max_group_size = 50 &redef;
 
 ## Description transmitted to remote communication peers for identification.
-const peer_description = "bro" &redef;
+const peer_description = "zeek" &redef;
 
 ## The number of IO chunks allowed to be buffered between the child
 ## and parent process of remote communication before Zeek starts dropping

scripts/base/init-default.zeek

@@ -74,7 +74,6 @@
 @load base/files/pe
 @load base/files/hash
 @load base/files/extract
-@load base/files/unified2
 @load base/files/x509
 
 @load base/misc/find-checksum-offloading

scripts/base/misc/version.zeek

@@ -78,10 +78,10 @@ export {
 	## The format of the number is ABBCC with A being the major version,
 	## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
 	## As an example, Zeek 2.4.1 results in the number 20401
-	const number = Version::parse(bro_version())$version_number;
+	const number = Version::parse(zeek_version())$version_number;
 
 	## `VersionDescription` record pertaining to the currently running version of Zeek.
-	const info = Version::parse(bro_version());
+	const info = Version::parse(zeek_version());
 }
 
 function at_least(version_string: string): bool

scripts/base/protocols/dhcp/main.zeek

@@ -141,7 +141,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
 	# Also, if Zeek is shutting down.
 	if ( (now - info$last_message_ts) > 5sec ||
 	     (now - info$ts) > max_txid_watch_time ||
-	     bro_is_terminating() )
+	     zeek_is_terminating() )
 		{
 		Log::write(LOG, info);
 

scripts/policy/frameworks/netcontrol/catch-and-release.zeek

@@ -1,10 +1,9 @@
 ##! Implementation of catch-and-release functionality for NetControl.
 
-module NetControl;
-
+@load base/frameworks/netcontrol
 @load base/frameworks/cluster
-@load ./main
-@load ./drop
+
+module NetControl;
 
 export {
 

scripts/policy/frameworks/notice/actions/drop.zeek

@@ -1,8 +1,9 @@
 ##! This script extends the built in notice code to implement the IP address
 ##! dropping functionality.
 
-@load ../main
+@load base/frameworks/notice/main
 @load base/frameworks/netcontrol
+@load policy/frameworks/netcontrol/catch-and-release
 
 module Notice;
 

scripts/policy/misc/stats.zeek

@@ -99,7 +99,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local fs = get_file_analysis_stats();
 	local ds = get_dns_stats();
 
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		# No more stats will be written or scheduled when Zeek is
 		# shutting down.
 		return;

scripts/policy/misc/trim-trace-file.zeek

@@ -17,7 +17,7 @@ export {
 
 event TrimTraceFile::go(first_trim: bool)
 	{
-	if ( bro_is_terminating() || trace_output_file == "" )
+	if ( zeek_is_terminating() || trace_output_file == "" )
 		return;
 	
 	if ( ! first_trim )

scripts/test-all-policy.zeek

@@ -31,12 +31,16 @@
 @load frameworks/intel/seen/ssl.zeek
 @load frameworks/intel/seen/where-locations.zeek
 @load frameworks/intel/seen/x509.zeek
+@load frameworks/netcontrol/catch-and-release.zeek
 @load frameworks/files/detect-MHR.zeek
 @load frameworks/files/entropy-test-all-files.zeek
 #@load frameworks/files/extract-all-files.zeek
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
+@load frameworks/notice/actions/drop.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
+@load files/unified2/__load__.zeek
+@load files/unified2/main.zeek
 @load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek