Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Added a policy/site directory with a local.bro start up script.

Browse source
This commit is contained in:
Seth Hall 2011-07-18 14:30:38 -04:00
parent 2ee000d93e
commit 7bf3e94628
8 changed files with 81 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

2
bro-path-dev.in
View file

@ -10,7 +10,7 @@
# BROPATH=`./bro-path-dev` ./src/bro
#
broPolicies=${PROJECT_SOURCE_DIR}/policy
broPolicies=${PROJECT_SOURCE_DIR}/policy:${PROJECT_SOURCE_DIR}/policy/site
broGenPolicies=${CMAKE_BINARY_DIR}/src

8
policy/bro.init
View file

@ -1270,7 +1270,7 @@ type bt_tracker_headers: table[string] of string;
# empty if none.
const cmd_line_bpf_filter = "" &redef;
# Rotate logs every x seconds.
# Rotate logs every x interval.
const log_rotate_interval = 0 sec &redef;
# If set, rotate logs at given time + i * log_rotate_interval.
@ -1483,11 +1483,11 @@ const skip_http_data = F &redef;
# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
const parse_udp_tunnels = F &redef;
@load site
# Load the site utilities.
@load utils/site
# Load the logging framework.
@load frameworks/logging
# Load the packet filtering framework.
@load frameworks/packet-filter
#@load dpd

3
policy/functions.bro
View file

@ -1,3 +0,0 @@
@load site
@load frameworks/dpd

1
policy/protocols/conn/base/main.bro
View file

@ -1,4 +1,3 @@
@load site
module Conn;

76
policy/site/local.bro Normal file
View file

@ -0,0 +1,76 @@
# Template for local site policy. Customize as appropriate.
#
# (Note that enabling a particular kind of analysis via the cluster's
# "analysis command" only has an effect if the corresponding scripts are
# loaded by this site policy.)
# DPD should typically be loaded for detecting protocols on any port.
@load frameworks/dpd
@load protocols/conn
@load protocols/dns
@load protocols/ftp
@load protocols/http
@load protocols/irc
@load protocols/mime
@load protocols/smtp
@load protocols/ssh
@load protocols/ssl
@load protocols/syslog
@load frameworks/metrics
@load frameworks/intel
@load frameworks/notice
@load frameworks/signatures
@load frameworks/software
@load frameworks/reporter
@load misc/loaded-scripts
@load tuning/defaults
# Uncomment for profiling resource usage.
# @load profiling
# redef expensive_profiling_multiple = 20;
# Sample notice policy which you will almost certainly want
# to adapt to your environment.
#redef notice_action_filters +=
# {
# # These are all very common.
# #[Weird::ContentGap] = tally_notice_type_and_ignore,
# #[Weird::AckAboveHole] = tally_notice_type_and_ignore,
# #[Weird::RetransmissionInconsistency] = tally_notice_type_and_ignore,
# #[Drop::AddressDropIgnored] = ignore_notice,
# #[Drop::AddressDropped] = ignore_notice,
# #[Weird::WeirdActivity] = file_local_bro_notices,
# #[PacketFilter::DroppedPackets] = file_notice,
# #[TerminateConnection::TerminatingConnectionIgnored] = notice_alarm_per_orig,
# #[ProtocolDetector::ProtocolFound] = file_notice,
# #[ProtocolDetector::ServerFound] = file_if_remote,
# #[DynDisable::ProtocolViolation] = file_notice,
# };
redef Weird::weird_action += {
["window_recision"] = Weird::WEIRD_FILE,
["RST_with_data"] = Weird::WEIRD_FILE,
["line_terminated_with_single_CR"] = Weird::WEIRD_FILE,
["line_terminated_with_single_LF"] = Weird::WEIRD_FILE,
["spontaneous_RST"] = Weird::WEIRD_FILE,
["spontaneous_FIN"] = Weird::WEIRD_FILE,
["data_before_established"] = Weird::WEIRD_FILE,
["unsolicited_SYN_response"] = Weird::WEIRD_FILE,
["inappropriate_FIN"] = Weird::WEIRD_FILE,
["possible_split_routing"] = Weird::WEIRD_FILE,
["connection_originator_SYN_ack"] = Weird::WEIRD_FILE,
["fragment_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
["fragment_size_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
["fragment_overlap"] = Weird::WEIRD_NOTICE_PER_ORIG,
["ICMP-unreachable for wrong state"] = Weird::WEIRD_NOTICE_PER_ORIG,
["corrupt_tcp_options"] = Weird::WEIRD_NOTICE_PER_ORIG,
};

2
policy/test-all.bro
View file

@ -8,8 +8,6 @@
@load all.bro
# @load test-all.bro
@load site.bro
@load detectors/http-MHR.bro
@load tuning/__load__.bro
@load tuning/defaults/__load__.bro
@load tuning/defaults/packet-fragments.bro

1
policy/utils/directions-and-hosts.bro
View file

@ -1,4 +1,3 @@
@load site
type Direction: enum { INBOUND, OUTBOUND, BIDIRECTIONAL, NO_DIRECTION };
function id_matches_direction(id: conn_id, d: Direction): bool

0
policy/site.bro → policy/utils/site.bro
View file