diff --git a/policy/bro.init b/policy/bro.init
index 3b3378c5ac..fbc5282a9b 100644
--- a/policy/bro.init
+++ b/policy/bro.init
@@ -1390,3 +1390,49 @@ const trace_output_file = "";
 # packets out before we actually process them, which can be helpful
 # for debugging in case the analysis triggers a crash.
 const record_all_packets = F &redef;
+
+
+# Some connections (e.g., SSH) retransmit the acknowledged last
+# byte to keep the connection alive. If ignore_keep_alive_rexmit
+# is set to T, such retransmissions will be excluded in the rexmit
+# counter in conn_stats.
+const ignore_keep_alive_rexmit = F &redef;
+
+# Skip HTTP data portions for performance considerations (the skipped
+# portion will not go through TCP reassembly).
+const skip_http_data = F &redef;
+
+# Whether the analysis engine parses IP packets encapsulated in
+# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+const parse_udp_tunnels = F &redef;
+
+# Whether a commitment is required before writing the transformed
+# trace for a connection into the dump file.
+const requires_trace_commitment = F &redef;
+
+# Whether IP address anonymization is enabled.
+const anonymize_ip_addr = F &redef;
+
+# Whether to omit place holder packets when rewriting.
+const omit_rewrite_place_holder = T &redef;
+
+# Whether trace of various protocols is being rewritten.
+const rewriting_http_trace = F &redef;
+const rewriting_smtp_trace = F &redef;
+const rewriting_ftp_trace = F &redef;
+const rewriting_ident_trace = F &redef;
+const rewriting_finger_trace = F &redef;
+const rewriting_dns_trace = F &redef;
+const rewriting_smb_trace = F &redef;
+
+# Whether we dump selected original packets to the output trace.
+const dump_selected_source_packets = F &redef;
+
+# If true, we dump original packets to the output trace *if and only if*
+# the connection is not rewritten; if false, the policy script can decide
+# whether to dump a particular connection by calling dump_packets_of_connection.
+#
+# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE!
+# (TODO: this variable should be disabled when using '-A' option)
+const dump_original_packets_if_not_rewriting = F &redef;
+
diff --git a/src/builtin-func.l b/src/builtin-func.l
index 782bbf5bb9..972f4aad8f 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -37,6 +37,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) D [[:digit:]]+ HEX [0-9a-fA-F]+ + %option nodefault %%
diff --git a/src/builtin-func.y b/src/builtin-func.y
index 5b6aa0cec4..3fe67db1dd 100644
--- a/src/builtin-func.y
+++ b/src/builtin-func.y
@@ -159,6 +159,31 @@ const char* trace_rewriter_name = "trace_rewriter"; #include "bif_arg.h" +/* Map bif/bro type names to C types for use in const declaration */ +static struct { + const char* bif_type; + const char* bro_type; + const char* c_type; + const char* accessor; + const char* constructor; +} builtin_types[] = { +#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ + {bif_type, bro_type, c_type, accessor, constructor}, +#include "bif_type.def" +#undef DEFINE_BIF_TYPE +}; + +int get_type_index(const char *type_name) + { + for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i ) + { + if (strcmp(builtin_types[i].bif_type, type_name) == 0) + return i; + } + return TYPE_OTHER; + } + + int var_arg; // whether the number of arguments is variable std::vector args;
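Review bot: The constraint the new NOTE states for dump_original_packets_if_not_rewriting (never T while a trace is being anonymized) is enforced only by the comment and the TODO; with anonymize_ip_addr now a script-level &redef in the same file, a redef can set both to T and, if the NOTE is right about the effect, original packets reach the output trace without going through anonymization. Since these values are read back into the engine through the generated internal_val() lookups, a startup check on the engine side that refuses or at least warns when both are T would close the TODO instead of carrying it into two files. The comment could also name the dependency directly, e.g. `# Must remain F while anonymize_ip_addr is T (see TODO below).`, presuming that is what "anonymizing a trace" refers to.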
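Review bot: get_type_index walks builtin_types until it meets an entry whose bif_type is the empty string, so it silently depends on bif_type.def ending with a sentinel row; if that row is removed or reordered the loop reads past the end of the array. Bounding the loop by the table size, `for ( size_t i = 0; i < sizeof(builtin_types) / sizeof(builtin_types[0]); ++i )`, keeps the lookup in bounds however the table is terminated, and the sentinel check can stay as an early stop if wanted. The comment above the table should also record that TYPE_OTHER is expected to be a valid index into builtin_types, since the const_def action in the next hunk indexes with the return value unchecked. The function has external linkage for no apparent reason; `static int get_type_index(...)` matches the file-local table it serves.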
@@ -422,33 +447,33 @@ enum_list: enum_list TOK_ID opt_ws ',' opt_ws | /* nothing */ ; -const_def: const_def_1 const_init opt_attr ';' - { - fprintf(fp_bro_init, ";\n"); - fprintf(fp_netvar_h, "%s extern int %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s int %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - } - ; -const_def_1: TOK_CONST opt_ws TOK_ID opt_ws +const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' { set_definition_type(CONST_DEF, 0); set_decl_name($3); - fprintf(fp_bro_init, "const%s", $2); - fprintf(fp_bro_init, "%s: bool%s", decl.bro_name.c_str(), $4); + int typeidx = get_type_index($7); + char accessor[1024]; + + snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, ""); + + + fprintf(fp_netvar_h, "%s extern %s %s; %s\n", + decl.c_namespace_start.c_str(), + builtin_types[typeidx].c_type, decl.bare_name.c_str(), + decl.c_namespace_end.c_str()); + fprintf(fp_netvar_def, "%s %s %s; %s\n", + decl.c_namespace_start.c_str(), + builtin_types[typeidx].c_type, decl.bare_name.c_str(), + decl.c_namespace_end.c_str()); + fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")%s;\n", + decl.c_fullname.c_str(), decl.bro_fullname.c_str(), + accessor); } - ; - -opt_const_init: /* nothing */ - | const_init - ; - + + /* Currently support only boolean and string values */ -const_init: '=' opt_ws TOK_BOOL opt_ws +opt_attr_init: '=' opt_ws TOK_BOOL opt_ws { fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4); } @@ -458,7 +483,7 @@ const_init: '=' opt_ws TOK_BOOL opt_ws opt_attr: /* nothing */ | opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); } - opt_ws opt_const_init + opt_ws opt_attr_init ; func_prefix: TOK_FUNCTION 
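Review bot: In the rewritten const_def action an unknown type name in `$7` is not diagnosed: get_type_index returns TYPE_OTHER and the action goes on to emit netvar declarations from builtin_types[TYPE_OTHER]'s c_type and accessor, so a typo in a .bif file yields wrong generated C++ rather than a generator error. A check right after the lookup, e.g. `if ( typeidx == TYPE_OTHER ) yyerror("unsupported type in const declaration");` (or whatever error path this grammar uses), would stop the build at the point of the mistake. The accessor template from bif_type.def is also used as the snprintf format string with a single empty-string argument; that is acceptable for an in-tree table, but a comment stating the expected shape of that template would make the contract explicit for whoever next edits the .def file.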
@@ -533,7 +558,7 @@ head_1: TOK_ID opt_ws arg_begin decl.c_fullname.c_str(), decl.bro_fullname.c_str()); fprintf(fp_func_h, - "%sextern Val* %s(Frame* frame, val_list*);\n %s", + "%sextern Val* %s(Frame* frame, val_list*);%s\n", decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); fprintf(fp_func_def,
diff --git a/src/const.bif b/src/const.bif
index f6aef299ea..6d757c1cd8 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -4,37 +4,37 @@
 # byte to keep the connection alive. If ignore_keep_alive_rexmit
 # is set to T, such retransmissions will be excluded in the rexmit
 # counter in conn_stats.
-const ignore_keep_alive_rexmit = F &redef;
+const ignore_keep_alive_rexmit: bool;
 
 # Skip HTTP data portions for performance considerations (the skipped
 # portion will not go through TCP reassembly).
-const skip_http_data = F &redef;
+const skip_http_data: bool;
 
 # Whether the analysis engine parses IP packets encapsulated in
 # UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
-const parse_udp_tunnels = F &redef;
+const parse_udp_tunnels: bool;
 
 # Whether a commitment is required before writing the transformed
 # trace for a connection into the dump file.
-const requires_trace_commitment = F &redef;
+const requires_trace_commitment: bool;
 
 # Whether IP address anonymization is enabled.
-const anonymize_ip_addr = F &redef;
+const anonymize_ip_addr: bool;
 
 # Whether to omit place holder packets when rewriting.
-const omit_rewrite_place_holder = T &redef;
+const omit_rewrite_place_holder : bool ;
 
 # Whether trace of various protocols is being rewritten.
-const rewriting_http_trace = F &redef;
-const rewriting_smtp_trace = F &redef;
-const rewriting_ftp_trace = F &redef;
-const rewriting_ident_trace = F &redef;
-const rewriting_finger_trace = F &redef;
-const rewriting_dns_trace = F &redef;
-const rewriting_smb_trace = F &redef;
+const rewriting_http_trace :bool;
+const rewriting_smtp_trace: bool;
+const rewriting_ftp_trace: bool;
+const rewriting_ident_trace: bool;
+const rewriting_finger_trace: bool;
+const rewriting_dns_trace: bool;
+const rewriting_smb_trace: bool;
 
 # Whether we dump selected original packets to the output trace.
-const dump_selected_source_packets = F &redef;
+const dump_selected_source_packets: bool;
 
 # If true, we dump original packets to the output trace *if and only if*
 # the connection is not rewritten; if false, the policy script can decide
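Review bot: The spacing in `const omit_rewrite_place_holder : bool ;` and `const rewriting_http_trace :bool;` differs from every other declaration in the hunk; if this is deliberate, to exercise the opt_ws handling of the new const_def rule in builtin-func.y, a one-line comment saying so would stop a later cleanup from normalizing it, otherwise `const omit_rewrite_place_holder: bool;` and `const rewriting_http_trace: bool;` match the rest. The descriptive comments, including the anonymization NOTE, are now duplicated verbatim between this file and policy/bro.init and the two copies will drift; a pointer such as `# Defaults and full documentation live in policy/bro.init.` here would leave one authoritative description.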
@@ -42,5 +42,5 @@ const dump_selected_source_packets = F &redef;
 #
 # NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE!
 # (TODO: this variable should be disabled when using '-A' option)
-const dump_original_packets_if_not_rewriting = F &redef;
+const dump_original_packets_if_not_rewriting: bool;