diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst index 5680a034ff..ef6c6a54a1 100644 --- a/doc/script-reference/attributes.rst +++ b/doc/script-reference/attributes.rst @@ -49,6 +49,8 @@ The Bro scripting language supports the following attributes. +-----------------------------+-----------------------------------------------+ | :bro:attr:`&type_column` |Used by input framework for "port" type. | +-----------------------------+-----------------------------------------------+ +| :bro:attr:`&deprecated` |Marks an identifier as deprecated. | ++-----------------------------+-----------------------------------------------+ Here is a more detailed explanation of each attribute: @@ -230,3 +232,9 @@ Here is a more detailed explanation of each attribute: msg: string; }; +.. bro:attr:: &deprecated + + The associated identifier is marked as deprecated and will be + removed in a future version of Bro. Look in the NEWS file for more + explanation and/or instructions to migrate code that uses deprecated + functionality. diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index d7160c1ac6..bd81e8b8a4 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif @@ -9,7 +9,7 @@ ## ## arg: The argument for the command (empty string if not provided). ## -## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake event mysql_command_request%(c: connection, command: count, arg: string%); ## Generated for an unsuccessful MySQL response. 
@@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%); ## ## msg: Any extra details about the error (empty string if not provided). ## -## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake event mysql_error%(c: connection, code: count, msg: string%); ## Generated for a successful MySQL response. @@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%); ## ## affected_rows: The number of rows that were affected. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); ## Generated for the initial server handshake packet, which includes the MySQL server version. @@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%); ## ## ver: The server version string. ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake event mysql_server_version%(c: connection, ver: string%); ## Generated for a client handshake response packet, which includes the username the client is attempting diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 4e4b4c6cdb..480d8c84d8 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -29,7 +29,7 @@ function Files::__disable_reassembly%(file_id: string%): bool return new Val(result, TYPE_BOOL); %} -## :bro:see:`Files::set_reassembly_buffer`. +## :bro:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output index acae92f44b..b193e4a530 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output index bcf6ccd309..03ba9cb3cd 100644 
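Review bot: In the `file_analysis_02.bro` excerpt the unchanged `print "new file", f$id;` now sits inside `file_mime_type`, so the label no longer matches the event that triggers it. Going by the handler's name and signature, it runs only once a MIME type has been determined, so a file with no identified type would be neither printed nor given the MD5 analyzer, and readers copying the example should be told that. Either reword the label, for example `print "file with MIME type", f$id, mime_type;`, or add a comment such as `# Only files with an identified MIME type reach this handler.` The same excerpt is repeated in `testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest`.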
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output index be9619fa1c..55950caf6b 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output 
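Review bot: The index shift in `do_mhr_lookup` (`MHR_answer[2]` to `[1]`, and `[1]` to `[0]`) follows from the switch to `split_string1`, but nothing in the hunk says which field is which. These values come from a DNS TXT answer and decide whether the notice threshold is met, so a comment beside the split would guard against the fields being swapped later: `# split_string1 result is indexed from 0: [0] = first-detected timestamp, [1] = detection rate`. The function starts and ends outside the hunk. The same hunk appears in the `detect-MHR_bro@4/output` baseline and in both `detect-MHR` `.btest` copies.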
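Review bot: The new guard in `file_hash` (`f?$info && f$info?$mime_type && match_file_types in f$info$mime_type`) skips the MHR lookup without any trace when `f$info` or its `mime_type` is unset at the moment the hash arrives. Whether `f$info$mime_type` is always populated before `file_hash` fires cannot be seen from this hunk, so the dependency deserves a comment above the condition, for example `# No lookup unless a MIME type has already been recorded in f$info.` For a detection script, a silently skipped lookup is a coverage gap that operators should be able to read off the code. The same condition is repeated in the `detect-MHR_bro@4/output` baseline and in both `detect-MHR` `.btest` copies.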
@@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } 
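Review bot: The `file_hash` hunk of `detect-MHR_bro@4/output` (`@@ -33,6 +33,6 @@`) removes the closing `}` of the handler, so the accepted baseline for this excerpt now ends at the `do_mhr_lookup(hash, Notice::create_file_info(f));` call with the block left open. This looks like the excerpt's line range was not extended by one when the condition grew to two lines; the range itself is defined outside this diff, so that cause is inferred. Extending the range and regenerating the baseline would be better than recording the truncated snippet as expected output. The same truncation is present in `testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest`.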
diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest index acae92f44b..b193e4a530 100644 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest 
@@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest index be9619fa1c..55950caf6b 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest 
@@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - }