diff --git a/NEWS b/NEWS
index 2b0e1ec6ce..ef82c4fb33 100644
--- a/NEWS
+++ b/NEWS
@@ -47,6 +47,9 @@ Breaking Changes
 continue to represent the total number across all connections seen by the
 current instance of Zeek.
+- The barnyard2 policy scripts have been removed. The integration in the
+ Barnyard2 project uses Broccoli, which had been removed with Zeek 3.0
+ and it's assumed there have been no users.
 New Functionality
 -----------------
@@ -111,6 +114,11 @@ Changed Functionality
 This prevents callbacks into script-land through change handlers when
 parts of the environment have already been torn down.
+Removed Functionality
+---------------------
+
+- The barnyard2 policy scripts have been removed.
+
 Deprecated Functionality
 ------------------------
diff --git a/doc b/doc
index 79238280e1..497bcf29bc 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 79238280e1a29ab232af84e4bed354ae37c7e6f6
+Subproject commit 497bcf29bc7bec2ef4eb076c8e4364ff45078858
diff --git a/scripts/policy/integration/barnyard2/README b/scripts/policy/integration/barnyard2/README
deleted file mode 100644
index a792668397..0000000000
--- a/scripts/policy/integration/barnyard2/README
+++ /dev/null
@@ -1 +0,0 @@
-Integration with Barnyard2.
diff --git a/scripts/policy/integration/barnyard2/__load__.zeek b/scripts/policy/integration/barnyard2/__load__.zeek
deleted file mode 100644
index c4790c6b32..0000000000
--- a/scripts/policy/integration/barnyard2/__load__.zeek
+++ /dev/null
@@ -1,2 +0,0 @@
-@load ./types
-@load ./main
diff --git a/scripts/policy/integration/barnyard2/main.zeek b/scripts/policy/integration/barnyard2/main.zeek
deleted file mode 100644
index 35f5a281ba..0000000000
--- a/scripts/policy/integration/barnyard2/main.zeek
+++ /dev/null
@@ -1,61 +0,0 @@
-##! This script lets Barnyard2 integrate with Zeek. It receives alerts from
-##! Barnyard2 and logs them. In the future it will do more correlation
-##! and derive new notices from the alerts.
-
-@load ./types
-
-module Barnyard2;
-
-export {
- redef enum Log::ID += { LOG };
-
- global log_policy: Log::PolicyHook;
-
- type Info: record {
- ## Timestamp of the alert.
- ts: time &log;
- ## Associated packet ID.
- pid: PacketID &log;
- ## Associated alert data.
- alert: AlertData &log;
- };
-
- ## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
- ## a :zeek:type:`conn_id` value in the case that you might need to index
- ## into an existing data structure elsewhere within Zeek.
- global pid2cid: function(p: PacketID): conn_id;
-}
-
-event zeek_init() &priority=5
- {
- Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2", $policy=log_policy]);
- }
-
-
-function pid2cid(p: PacketID): conn_id
- {
- return [$orig_h=p$src_ip, $orig_p=p$src_p, $resp_h=p$dst_ip, $resp_p=p$dst_p];
- }
-
-event barnyard_alert(id: PacketID, alert: AlertData, msg: string, data: string)
- {
- Log::write(Barnyard2::LOG, [$ts=network_time(), $pid=id, $alert=alert]);
-
- #local proto_connection_string: string;
- #if ( id$src_p == 0/tcp )
- # proto_connection_string = fmt("{PROTO:255} %s -> %s", id$src_ip, id$dst_ip);
- #else
- # proto_connection_string = fmt("{%s} %s:%d -> %s:%d",
- # to_upper(fmt("%s", get_port_transport_proto(id$dst_p))),
- # id$src_ip, id$src_p, id$dst_ip, id$dst_p);
- #
- #local snort_alike_msg = fmt("%.6f [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] %s",
- # sad$ts,
- # sad$generator_id,
- # sad$signature_id,
- # sad$signature_revision,
- # msg,
- # sad$classification,
- # sad$priority_id,
- # proto_connection_string);
- }
diff --git a/scripts/policy/integration/barnyard2/types.zeek b/scripts/policy/integration/barnyard2/types.zeek
deleted file mode 100644
index ed8b35cf58..0000000000
--- a/scripts/policy/integration/barnyard2/types.zeek
+++ /dev/null
@@ -1,32 +0,0 @@
-##! This file is separate from the base script so that dependencies can
-##! be loaded in the correct order.
-
-module Barnyard2;
-
-export {
- type AlertData: record {
- sensor_id: count; ##< Sensor that originated this event.
- ts: time; ##< Timestamp attached to the alert.
- signature_id: count; ##< Sig id for this generator.
- generator_id: count; ##< Which generator generated the alert?
- signature_revision: count; ##< Sig revision for this id.
- classification_id: count; ##< Event classification.
- classification: string; ##< Descriptive classification string.
- priority_id: count; ##< Event priority.
- event_id: count; ##< Event ID.
- } &log;
-
- type PacketID: record {
- src_ip: addr;
- src_p: port;
- dst_ip: addr;
- dst_p: port;
- } &log;
-
- ## This is the event that Barnyard2 instances will send if they're
- ## configured with the bro_alert output plugin.
- global barnyard_alert: event(id: Barnyard2::PacketID,
- alert: Barnyard2::AlertData,
- msg: string,
- data: string);
-}
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index cd7638eea4..5b63a418b5 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -73,9 +73,6 @@
 @load frameworks/software/vulnerable.zeek
 @load frameworks/software/windows-version-detection.zeek
 @load frameworks/telemetry/log.zeek
-@load integration/barnyard2/__load__.zeek
-@load integration/barnyard2/main.zeek
-@load integration/barnyard2/types.zeek
 @load integration/collective-intel/__load__.zeek
 @load integration/collective-intel/main.zeek
 @load misc/capture-loss.zeek
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index b2cb315069..e98f18e365 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-barnyard2
 broker
 capture_loss
 cluster