Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Update documentation for builtin types.
  Adding an identifier to the SMTP blocklist notices for duplicate suppression.
  Doc fixes for signature 'eval' conditions.
  Remove orphaned unit tests.
  Add type checking for signature 'eval' condition functions.
6dd43ea017
17 changed files with 121 additions and 44 deletions
22
CHANGES
22
CHANGES
|
@ -1,4 +1,26 @@
|
|||
|
||||
2.1-beta-54 | 2012-08-23 11:58:50 -0700
|
||||
|
||||
* Update documentation for builtin types. (Daniel Thayer)
|
||||
|
||||
- Add missing description of interval "msec" unit.
|
||||
|
||||
- Improved description of pattern by clarifying the issue of
|
||||
operand order and difference between exact and embedded
|
||||
matching.
|
||||
|
||||
* Documentation fixes for signature 'eval' conditions. (Jon Siwek)
|
||||
|
||||
* Remove orphaned 1.5 unit tests. (Jon Siwek)
|
||||
|
||||
* Add type checking for signature 'eval' condition functions. (Jon
|
||||
Siwek)
|
||||
|
||||
* Adding an identifier to the SMTP blocklist notices for duplicate
|
||||
suppression. (Seth Hall)
|
||||
|
||||
- Slight addition and revision to inline docs.
|
||||
|
||||
2.1-beta-45 | 2012-08-22 16:11:10 -0700
|
||||
|
||||
* Add an option to the input framework that allows the user to chose
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
2.1-beta-45
|
||||
2.1-beta-54
|
||||
|
|
|
@ -55,8 +55,8 @@ The Bro scripting language supports the following built-in types.
|
|||
|
||||
A temporal type representing a relative time. An ``interval``
|
||||
constant can be written as a numeric constant followed by a time
|
||||
unit where the time unit is one of ``usec``, ``sec``, ``min``,
|
||||
``hr``, or ``day`` which respectively represent microseconds,
|
||||
unit where the time unit is one of ``usec``, ``msec``, ``sec``, ``min``,
|
||||
``hr``, or ``day`` which respectively represent microseconds, milliseconds,
|
||||
seconds, minutes, hours, and days. Whitespace between the numeric
|
||||
constant and time unit is optional. Appending the letter "s" to the
|
||||
time unit in order to pluralize it is also optional (to no semantic
|
||||
|
@ -95,14 +95,14 @@ The Bro scripting language supports the following built-in types.
|
|||
and embedded.
|
||||
|
||||
In exact matching the ``==`` equality relational operator is used
|
||||
with one :bro:type:`string` operand and one :bro:type:`pattern`
|
||||
operand to check whether the full string exactly matches the
|
||||
pattern. In this case, the ``^`` beginning-of-line and ``$``
|
||||
end-of-line anchors are redundant since pattern is implicitly
|
||||
anchored to the beginning and end of the line to facilitate an exact
|
||||
match. For example::
|
||||
with one :bro:type:`pattern` operand and one :bro:type:`string`
|
||||
operand (order of operands does not matter) to check whether the full
|
||||
string exactly matches the pattern. In exact matching, the ``^``
|
||||
beginning-of-line and ``$`` end-of-line anchors are redundant since
|
||||
the pattern is implicitly anchored to the beginning and end of the
|
||||
line to facilitate an exact match. For example::
|
||||
|
||||
"foo" == /foo|bar/
|
||||
/foo|bar/ == "foo"
|
||||
|
||||
yields true, while::
|
||||
|
||||
|
@ -110,9 +110,9 @@ The Bro scripting language supports the following built-in types.
|
|||
|
||||
yields false. The ``!=`` operator would yield the negation of ``==``.
|
||||
|
||||
In embedded matching the ``in`` operator is again used with one
|
||||
:bro:type:`string` operand and one :bro:type:`pattern` operand
|
||||
(which must be on the left-hand side), but tests whether the pattern
|
||||
In embedded matching the ``in`` operator is used with one
|
||||
:bro:type:`pattern` operand (which must be on the left-hand side) and
|
||||
one :bro:type:`string` operand, but tests whether the pattern
|
||||
appears anywhere within the given string. For example::
|
||||
|
||||
/foo|bar/ in "foobar"
|
||||
|
|
|
@ -229,20 +229,10 @@ matched. The following context conditions are defined:
|
|||
confirming the match. If false is returned, no signature match is
|
||||
going to be triggered. The function has to be of type ``function
|
||||
cond(state: signature_state, data: string): bool``. Here,
|
||||
``content`` may contain the most recent content chunk available at
|
||||
``data`` may contain the most recent content chunk available at
|
||||
the time the signature was matched. If no such chunk is available,
|
||||
``content`` will be the empty string. ``signature_state`` is
|
||||
defined as follows:
|
||||
|
||||
.. code:: bro
|
||||
|
||||
type signature_state: record {
|
||||
id: string; # ID of the signature
|
||||
conn: connection; # Current connection
|
||||
is_orig: bool; # True if current endpoint is originator
|
||||
payload_size: count; # Payload size of the first packet
|
||||
};
|
||||
|
||||
``data`` will be the empty string. See :bro:type:`signature_state`
|
||||
for its definition.
|
||||
|
||||
``payload-size <cmp> <integer>``
|
||||
Compares the integer to the size of the payload of a packet. For
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
##! Watch for various SPAM blocklist URLs in SMTP error messages.
|
||||
|
||||
@load base/protocols/smtp
|
||||
|
||||
|
@ -5,9 +6,11 @@ module SMTP;
|
|||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## Indicates that the server sent a reply mentioning an SMTP block list.
|
||||
## An SMTP server sent a reply mentioning an SMTP block list.
|
||||
Blocklist_Error_Message,
|
||||
## Indicates the client's address is seen in the block list error message.
|
||||
## The originator's address is seen in the block list error message.
|
||||
## This is useful to detect local hosts sending SPAM with a high
|
||||
## positive rate.
|
||||
Blocklist_Blocked_Host,
|
||||
};
|
||||
|
||||
|
@ -52,7 +55,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
|
|||
message = fmt("%s is on an SMTP block list", c$id$orig_h);
|
||||
}
|
||||
|
||||
NOTICE([$note=note, $conn=c, $msg=message, $sub=msg]);
|
||||
NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
|
||||
$identifier=cat(c$id$orig_h)]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
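Review bot: The `$identifier` added to the NOTICE call is `cat(c$id$orig_h)` alone, regardless of which of the two notice types `note` holds, so once a block-list reply has been reported for an originator, further replies involving that same client — from a different SMTP server or naming a different block list — are folded into the first notice by the duplicate suppression this commit is enabling. If one notice per originator is the intent, a one-line comment above the call such as `# Suppress on originator only: one notice per client, not per server/list` would make that explicit; if per-server reports are wanted, `$identifier=cat(c$id$orig_h, c$id$resp_h)` keeps them distinct. The enclosing `smtp_reply` handler and the branch that sets `note` and `message` start outside the hunk.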
|
|
@ -126,6 +126,23 @@ RuleConditionEval::RuleConditionEval(const char* func)
|
|||
rules_error("unknown identifier", func);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( id->Type()->Tag() == TYPE_FUNC )
|
||||
{
|
||||
// Validate argument quantity and type.
|
||||
FuncType* f = id->Type()->AsFuncType();
|
||||
|
||||
if ( f->YieldType()->Tag() != TYPE_BOOL )
|
||||
rules_error("eval function type must yield a 'bool'", func);
|
||||
|
||||
TypeList tl;
|
||||
tl.Append(internal_type("signature_state")->Ref());
|
||||
tl.Append(base_type(TYPE_STRING));
|
||||
|
||||
if ( ! f->CheckArgs(tl.Types()) )
|
||||
rules_error("eval function parameters must be a 'signature_state' "
|
||||
"and a 'string' type", func);
|
||||
}
|
||||
}
|
||||
|
||||
bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
|
||||
|
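Review bot: When `id` names something whose type tag is not `TYPE_FUNC`, the new block falls through without reporting anything, so a non-function identifier in an `eval` condition is accepted at this point; unless `DoMatch` (outside the hunk) rejects it later, an `else rules_error("eval condition must name a function", func);` after the closing brace would surface the mistake at parse time like the two new checks do. Separately, `f->YieldType()` is dereferenced unguarded; if an event or hook identifier can reach this code with a null yield type, the check should read `if ( ! f->YieldType() || f->YieldType()->Tag() != TYPE_BOOL )` — I cannot confirm from the hunk whether `FuncType` guarantees a non-null yield. Note that, unlike the "unknown identifier" path above it, the new `rules_error` calls do not return, so both messages can be emitted for one badly typed function, which seems acceptable but may be worth a short comment. The constructor `RuleConditionEval::RuleConditionEval` starts outside the hunk.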
|
|
@ -1,5 +0,0 @@
|
|||
1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0 cc=1
|
||||
1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
|
||||
1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 677 5 713
|
||||
1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
|
||||
1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
|
|
@ -1,5 +0,0 @@
|
|||
1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0
|
||||
1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
|
||||
1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 697 5 713
|
||||
1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
|
||||
1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
|
|
@ -0,0 +1,2 @@
|
|||
error: Error in signature (./blah.sig:6): eval function parameters must be a 'signature_state' and a 'string' type (mark_conn)
|
||||
|
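--- a/testing/btest/Baseline/signatures.eval-condition/conn.log
+++ b/testing/btest/Baseline/signatures.eval-condition/conn.log
@@ -0,0 +1,14 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2012-08-23-16-41-23
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
+1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
+1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
+1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
+1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
+1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp,blah 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)
+#close 2012-08-23-16-41-23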
|
@ -1,2 +0,0 @@
|
|||
# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T
|
||||
# @TEST-EXEC: btest-diff conn.log
|
|
@ -1,2 +0,0 @@
|
|||
# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T
|
||||
# @TEST-EXEC: btest-diff conn.log
|
|
@ -1,5 +1,5 @@
|
|||
[btest]
|
||||
TestDirs = doc bifs language core scripts istate coverage
|
||||
TestDirs = doc bifs language core scripts istate coverage signatures
|
||||
TmpDir = %(testbase)s/.tmp
|
||||
BaselineDir = %(testbase)s/Baseline
|
||||
IgnoreDirs = .svn CVS .tmp
|
||||
|
|
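--- a/testing/btest/signatures/bad-eval-condition.bro
+++ b/testing/btest/signatures/bad-eval-condition.bro
@@ -0,0 +1,22 @@
+# @TEST-EXEC-FAIL: bro -r $TRACES/ftp-ipv4.trace %INPUT
+# @TEST-EXEC: btest-diff .stderr
+
+@load-sigs blah.sig
+
+@TEST-START-FILE blah.sig
+signature blah
+{
+ip-proto == tcp
+src-port == 21
+payload /.*/
+eval mark_conn
+}
+@TEST-END-FILE
+
+# wrong function signature for use with signature 'eval' conditions
+# needs to be reported
+function mark_conn(state: signature_state): bool
+{
+add state$conn$service["blah"];
+return T;
+}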
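Review bot: The new test exercises only the parameter-list check — the .stderr baseline in this commit contains just the "eval function parameters must be a 'signature_state' and a 'string' type" message — while the yield-type check ("eval function type must yield a 'bool'") added to RuleConditionEval in the same commit has no test as far as this page shows. A sibling test whose eval function is declared as `function mark_conn(state: signature_state, data: string): count` would cover that path and pin its error text in a baseline. The comment above `mark_conn` could also say what is wrong rather than only that it is wrong, e.g. `# missing the 'data: string' parameter; must be reported as a signature error`.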
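--- a/testing/btest/signatures/eval-condition.bro
+++ b/testing/btest/signatures/eval-condition.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -r $TRACES/ftp-ipv4.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load-sigs blah.sig
+
+@TEST-START-FILE blah.sig
+signature blah
+{
+ip-proto == tcp
+src-port == 21
+payload /.*/
+eval mark_conn
+}
+@TEST-END-FILE
+
+function mark_conn(state: signature_state, data: string): bool
+{
+add state$conn$service["blah"];
+return T;
+}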