Merge remote-tracking branch 'origin/master' into topic/johanna/243

This commit is contained in:
Johanna Amann 2019-05-20 10:14:11 -07:00
commit 824ccde6fc
1222 changed files with 2435 additions and 2096 deletions

6
.gitmodules vendored

@ -4,9 +4,9 @@
[submodule "aux/binpac"]
path = aux/binpac
url = https://github.com/zeek/binpac
[submodule "aux/broctl"]
path = aux/broctl
url = https://github.com/zeek/broctl
[submodule "aux/zeekctl"]
path = aux/zeekctl
url = https://github.com/zeek/zeekctl
[submodule "aux/btest"]
path = aux/btest
url = https://github.com/zeek/btest

94
CHANGES

@ -1,4 +1,98 @@
2.6-311 | 2019-05-20 09:07:58 -0700
* Add missing &optional attr to KRB record fields; also add existence
checks to scripts (Jon Siwek, Corelight).
2.6-308 | 2019-05-17 14:13:46 -0700
* Always emit scripting errors to stderr during zeek_init (Jon Siwek, Corelight)
2.6-307 | 2019-05-16 13:37:24 -0700
* More bro-to-zeek renaming in scripts and other files (Daniel Thayer)
* More bro-to-zeek renaming in the unit tests (Daniel Thayer)
2.6-303 | 2019-05-15 15:03:11 -0700
* Changes needed due to bro-to-zeek renaming in broker (Daniel Thayer)
2.6-301 | 2019-05-15 10:05:53 -0700
* Fix potential race in openflow broker plugin (Jon Siwek, Corelight)
2.6-300 | 2019-05-15 09:00:57 -0700
* Fixes to DNS lookup, including ref-counting bugs, preventing starvation
of the DNS_Mgr in the I/O loop, dead code removal, and a fix that
prevents the timeout of already resolved DNS lookups (Jon Siwek, Corelight)
2.6-292 | 2019-05-14 19:01:05 -0700
* Fix maybe-uninitialized compiler warning (Jon Siwek, Corelight)
2.6-290 | 2019-05-14 18:35:25 -0700
* Update btest.cfg path to use zeek-aux (Jon Siwek, Corelight)
2.6-288 | 2019-05-14 17:47:55 -0700
* Update CMake to use aux/zeekctl and aux/zeek-aux submodules (Jon Siwek, Corelight)
2.6-287 | 2019-05-14 17:40:40 -0700
* Rename broctl submodule to zeekctl (Jon Siwek, Corelight)
2.6-286 | 2019-05-14 13:19:12 -0700
* Undo an unintentional change to btest.cfg from a recent commit (Daniel Thayer)
* Fix zeek-wrapper and improve error messages (Daniel Thayer)
The script was not passing command-line arguments to the new program.
* Update for renaming BroControl to ZeekControl. (Robin Sommer, Corelight)
* GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
(Robin Sommer, Corelight)
This also installs symlinks from "zeek" and "bro-config" to a wrapper
script that prints a deprecation warning.
2.6-279 | 2019-05-13 20:02:59 -0700
* GH-365: improve un-indexable type error message (Jon Siwek, Corelight)
2.6-277 | 2019-05-08 12:42:18 -0700
* Allow tuning Broker log batching via scripts (Jon Siwek, Corelight)
Via redefining "Broker::log_batch_size" or "Broker::log_batch_interval"
2.6-276 | 2019-05-08 09:03:27 -0700
* Force the Broker IOSource to idle periodically, preventing packet
IOSource starvation. (Jon Siwek, Corelight).
2.6-274 | 2019-05-08 08:58:25 -0700
* GH-353: Add `/<re>/i` case-insensitive signature syntax (Jon Siwek, Corelight)
2.6-272 | 2019-05-06 18:43:13 -0700
* Remove support for using && and || with patterns. (Johanna Amann, Corelight)
This was never documented and previously deprecated.
* Remove RemoteSerializer and related code/types. (Johanna Amann, Corelight)
Also removes broccoli from the source tree.
* Remove PersistenceSerializer. (Johanna Amann, Corelight)
* Remove &synchronized and &persistent attributes. (Johanna Amann, Corelight)
2.6-264 | 2019-05-03 11:16:38 -0700
* Fix sporadic openflow/broker test failure (Jon Siwek, Corelight)


@ -1,7 +1,7 @@
project(Bro C CXX)
# When changing the minimum version here, also adapt
# aux/bro-aux/plugin-support/skeleton/CMakeLists.txt
# aux/zeek-aux/plugin-support/skeleton/CMakeLists.txt
cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR)
include(cmake/CommonCMakeConfig.cmake)
@ -23,31 +23,31 @@ endif ()
set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
if (NOT BRO_SCRIPT_INSTALL_PATH)
# set the default Bro script installation path (user did not specify one)
# set the default Zeek script installation path (user did not specify one)
set(BRO_SCRIPT_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro)
endif ()
if (NOT BRO_MAN_INSTALL_PATH)
# set the default Bro man page installation path (user did not specify one)
# set the default Zeek man page installation path (user did not specify one)
set(BRO_MAN_INSTALL_PATH ${BRO_ROOT_DIR}/share/man)
endif ()
# sanitize the Bro script install directory into an absolute path
# sanitize the Zeek script install directory into an absolute path
# (CMake is confused by ~ as a representation of home directory)
get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH}
ABSOLUTE)
set(BRO_PLUGIN_INSTALL_PATH ${BRO_ROOT_DIR}/lib/bro/plugins CACHE STRING "Installation path for plugins" FORCE)
configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev)
configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh
"export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
"export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
"export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
"setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
"setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
"setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
@ -254,36 +254,43 @@ if ( NOT BINARY_PACKAGING_MODE )
endif ()
string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in
${CMAKE_CURRENT_BINARY_DIR}/bro-config.h)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
include_directories(${CMAKE_CURRENT_BINARY_DIR})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h DESTINATION include/bro)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/bro)
if ( CAF_ROOT_DIR )
set(BRO_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
set(ZEEK_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
else ()
set(BRO_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR})
set(ZEEK_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR})
endif ()
if ( BinPAC_ROOT_DIR )
set(BRO_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
else ()
set(BRO_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR})
set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR})
endif ()
if ( BROKER_ROOT_DIR )
set(BRO_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
else ()
set(BRO_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR})
set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR})
endif ()
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in
${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY)
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/bro-config DESTINATION bin)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
USE_SOURCE_PERMISSIONS)
# Install wrapper script for Bro-to-Zeek renaming.
include(InstallShellScript)
include(InstallSymlink)
InstallShellScript("bin" "zeek-wrapper.in" "zeek-wrapper")
InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro-config")
InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/bro/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/bro/bro-config.h")
########################################################################
## Recurse on sub-directories
@ -324,13 +331,13 @@ add_subdirectory(man)
include(CheckOptionalBuildSources)
CheckOptionalBuildSources(aux/broctl Broctl INSTALL_BROCTL)
CheckOptionalBuildSources(aux/bro-aux Bro-Aux INSTALL_AUX_TOOLS)
CheckOptionalBuildSources(aux/zeekctl ZeekControl INSTALL_ZEEKCTL)
CheckOptionalBuildSources(aux/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS)
########################################################################
## Packaging Setup
if (INSTALL_BROCTL)
if (INSTALL_ZEEKCTL)
# CPack RPM Generator may not automatically detect this
set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
endif ()
@ -351,12 +358,12 @@ if (CMAKE_BUILD_TYPE)
endif ()
message(
"\n====================| Bro Build Summary |====================="
"\n====================| Zeek Build Summary |===================="
"\n"
"\nBuild type: ${CMAKE_BUILD_TYPE}"
"\nBuild dir: ${CMAKE_BINARY_DIR}"
"\nInstall prefix: ${CMAKE_INSTALL_PREFIX}"
"\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}"
"\nZeek Script Path: ${BRO_SCRIPT_INSTALL_PATH}"
"\nDebug mode: ${ENABLE_DEBUG}"
"\n"
"\nCC: ${CMAKE_C_COMPILER}"
@ -365,7 +372,7 @@ message(
"\nCXXFLAGS: ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
"\nCPP: ${CMAKE_CXX_COMPILER}"
"\n"
"\nBroctl: ${INSTALL_BROCTL}"
"\nZeekControl: ${INSTALL_ZEEKCTL}"
"\nAux. Tools: ${INSTALL_AUX_TOOLS}"
"\n"
"\nlibmaxminddb: ${USE_GEOIP}"
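Review bot: The two `InstallSymlink` calls in the middle of this section create links at absolute locations under `${CMAKE_INSTALL_PREFIX}`; unless `InstallSymlink` (from a cmake module not visible on this page) prefixes the link location with `DESTDIR` itself, a staged install (`make install DESTDIR=...`) will write the links outside the staging root, which is worth confirming against that module before this is used for packaging. The header comment `# Install wrapper script for Bro-to-Zeek renaming.` says what is installed but not the compatibility contract, so I'd replace it with `# Backwards compatibility for the Bro-to-Zeek rename: the legacy bro-config name resolves to zeek-wrapper, which prints a deprecation warning and forwards its arguments to the renamed tool (see CHANGES); the bro-config.h link keeps existing #include paths building.` The `bro` -> `zeek` binary link mentioned in CHANGES is not in this file section, so it presumably lives under src/.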


@ -55,9 +55,9 @@ test:
-@( cd testing && make )
test-aux:
-test -d aux/broctl && ( cd aux/broctl && make test-all )
-test -d aux/zeekctl && ( cd aux/zeekctl && make test-all )
-test -d aux/btest && ( cd aux/btest && make test )
-test -d aux/bro-aux && ( cd aux/bro-aux && make test )
-test -d aux/zeek-aux && ( cd aux/zeek-aux && make test )
-test -d aux/plugins && ( cd aux/plugins && make test-all )
test-all: test test-aux

28
NEWS

@ -1,5 +1,5 @@
This document summarizes the most important changes in the current Bro
This document summarizes the most important changes in the current Zeek
release. For an exhaustive list of changes, see the ``CHANGES`` file
(note that submodules, such as Broker, come with their own ``CHANGES``.)
@ -18,7 +18,7 @@ New Functionality
- dns_NSEC
- dns_NSEC3
- Bro's Plugin framework now allows a patch version. If a patch version is not
- Zeek's Plugin framework now allows a patch version. If a patch version is not
provided, it will default to 0. To specify this, modify the plugin
Configuration class in your ``src/Plugin.cc`` and set
``config.version.patch``. Note that the default plugin skeleton
@ -76,9 +76,31 @@ New Functionality
the DNS resolver to use by setting it to an IPv4 or IPv6 address. If
not set, then the first IPv4 address from /etc/resolv.conf gets used.
- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
also allowed when specifying patterns used in signature files.
Changed Functionality
---------------------
- The following executable names have changed (the old names will
continue to work, but emit a deprecation warning):
- ``bro`` is now ``zeek``
- ``bro-config`` is now ``zeek-config``
- ``broctl`` is now ``zeekctl``
- ``bro-cut`` is now ``zeek-cut``
- BroControl has been completely renamed to ZeekControl. Many installation
directories and files with "broctl" in their name have been changed
to use "zeekctl" instead. It's expected this has been done in a way
that's backwards compatible with previous Bro installations. E.g.
if you made customizations to the ``broctl.cfg`` file of a previous
installation, installing the newer Zeek version over it will retain that
file and even symlink the new ``zeekctl.cfg`` to it.
- ``$prefix/share/bro/site/local.bro`` has been renamed to
``local.zeek``. If you have a ``local.bro`` file from a previous
installation, possibly with customizations made to it, the new
@ -293,6 +315,8 @@ Removed Functionality
in Bro 2.6, was removed. The ``-g`` command-line option (dump-config) which relied on
this functionality was also removed.
- Removed the BroControl ``update`` command, which was deprecated in Bro 2.6.
Deprecated Functionality
------------------------


@ -1 +1 @@
2.6-264
2.6-311

@ -1 +1 @@
Subproject commit 04c7e27a22491a91ee309877253da0922d0822bc
Subproject commit aab0acfb43efb30313a2d14417f042db42627caf

@ -1 +0,0 @@
Subproject commit 39ae4a469d6ae86c12b49020b361da4fcab24b5b

1
aux/broctl Symbolic link

@ -0,0 +1 @@
zeekctl

@ -1 +1 @@
Subproject commit 56408c5582c80db6774c8b25642149dfb542345a
Subproject commit 53f7e0da11c4d6ce014f27ae4dcf807a651fb634

@ -1 +1 @@
Subproject commit ba482418c4e16551fd7b9128a4082348ef2842f0
Subproject commit 117e8a550de1266e2d50428344caf858aab0485b

1
aux/zeekctl Submodule

@ -0,0 +1 @@
Subproject commit bbfcb91b077a8bc145e39d7c941c50ba62826070

28
configure vendored

@ -32,14 +32,14 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
Installation Directories:
--prefix=PREFIX installation directory [/usr/local/bro]
--scriptdir=PATH root installation directory for Bro scripts
--scriptdir=PATH root installation directory for Zeek scripts
[PREFIX/share/bro]
--localstatedir=PATH when using BroControl, path to store log files
--localstatedir=PATH when using ZeekControl, path to store log files
and run-time data (within log/ and spool/ subdirs)
[PREFIX]
--spooldir=PATH when using BroControl, path to store run-time data
--spooldir=PATH when using ZeekControl, path to store run-time data
[PREFIX/spool]
--logdir=PATH when using BroControl, path to store log file
--logdir=PATH when using ZeekControl, path to store log file
[PREFIX/logs]
--conf-files-dir=PATH config files installation directory [PREFIX/etc]
@ -51,12 +51,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
(automatically on when perftools is present on Linux)
--enable-perftools-debug use Google's perftools for debugging
--enable-jemalloc link against jemalloc
--enable-static-broker build broker statically (ignored if --with-broker is specified)
--enable-static-broker build Broker statically (ignored if --with-broker is specified)
--enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
--disable-broctl don't install Broctl
--disable-zeekctl don't install ZeekControl
--disable-auxtools don't build or install auxiliary tools
--disable-perftools don't try to build with Google Perftools
--disable-python don't try to build python bindings for broker
--disable-python don't try to build python bindings for Broker
--disable-broker-tests don't try to build Broker unit tests
Required Packages in Non-Standard Locations:
@ -65,13 +65,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--with-pcap=PATH path to libpcap install root
--with-binpac=PATH path to BinPAC executable
(useful for cross-compiling)
--with-bifcl=PATH path to Bro BIF compiler executable
--with-bifcl=PATH path to Zeek BIF compiler executable
(useful for cross-compiling)
--with-flex=PATH path to flex executable
--with-bison=PATH path to bison executable
--with-python=PATH path to Python executable
--with-broker=PATH path to Broker install root
(Bro uses an embedded version by default)
(Zeek uses an embedded version by default)
--with-caf=PATH path to C++ Actor Framework install root
(a Broker dependency that is embedded by default)
@ -131,7 +131,7 @@ prefix=/usr/local/bro
CMakeCacheEntries=""
append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix
append_cache_entry BRO_ROOT_DIR PATH $prefix
append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/broctl
append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/zeekctl
append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
append_cache_entry BRO_ETC_INSTALL_DIR PATH $prefix/etc
append_cache_entry ENABLE_DEBUG BOOL false
@ -140,7 +140,7 @@ append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false
append_cache_entry ENABLE_JEMALLOC BOOL false
append_cache_entry BUILD_SHARED_LIBS BOOL true
append_cache_entry INSTALL_AUX_TOOLS BOOL true
append_cache_entry INSTALL_BROCTL BOOL true
append_cache_entry INSTALL_ZEEKCTL BOOL true
append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
append_cache_entry ENABLE_MOBILE_IPV6 BOOL false
append_cache_entry DISABLE_PERFTOOLS BOOL false
@ -180,7 +180,7 @@ while [ $# -ne 0 ]; do
prefix=$optarg
append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
append_cache_entry BRO_ROOT_DIR PATH $optarg
append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/broctl
append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/zeekctl
;;
--scriptdir=*)
append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg
@ -225,8 +225,8 @@ while [ $# -ne 0 ]; do
--enable-static-binpac)
append_cache_entry BUILD_STATIC_BINPAC BOOL true
;;
--disable-broctl)
append_cache_entry INSTALL_BROCTL BOOL false
--disable-zeekctl)
append_cache_entry INSTALL_ZEEKCTL BOOL false
;;
--disable-auxtools)
append_cache_entry INSTALL_AUX_TOOLS BOOL false
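Review bot: The `--disable-broctl)` case in the last hunk is replaced by `--disable-zeekctl)` instead of being kept as an alias, so an existing build recipe or package spec that still passes `--disable-broctl` no longer matches and falls through to whatever the option loop does for unknown arguments (not visible here), even though NEWS describes the rename as backwards compatible for the old names. I'd keep the old spelling through the transition: `--disable-broctl|--disable-zeekctl)`, optionally echoing a deprecation notice for the old form. The help text at the top of the section now advertises only the new name, so the alias should be mentioned there too if it is kept. The `while` loop enclosing this case starts and ends outside the hunk.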

2
doc

@ -1 +1 @@
Subproject commit 6c099d4bff68f9f9d97952dfaca048425f12027a
Subproject commit b5720567293c652233287a17cf781f6195073159


@ -5,13 +5,13 @@ bro \- passive network traffic analyzer
.B bro
\/\fP [\fIoptions\fR] [\fIfile\fR ...]
.SH DESCRIPTION
Bro is primarily a security monitor that inspects all traffic on a link in
depth for signs of suspicious activity. More generally, however, Bro
Zeek is primarily a security monitor that inspects all traffic on a link in
depth for signs of suspicious activity. More generally, however, Zeek
supports a wide range of traffic analysis tasks even outside of the
security domain, including performance measurements and helping with
trouble-shooting.
Bro comes with built-in functionality for a range of analysis and detection
Zeek comes with built-in functionality for a range of analysis and detection
tasks, including detecting malware by interfacing to external registries,
reporting vulnerable versions of software seen on the network, identifying
popular web applications, detecting SSH brute-forcing, validating SSL
@ -108,12 +108,12 @@ load seeds from given file
\fB\-\-save\-seeds\fR <file>
save seeds to given file
.TP
The following option is available only when Bro is built with the \-\-enable\-debug configure option:
The following option is available only when Zeek is built with the \-\-enable\-debug configure option:
.TP
\fB\-B\fR,\ \-\-debug <dbgstreams>
Enable debugging output for selected streams ('-B help' for help)
.TP
The following options are available only when Bro is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
The following options are available only when Zeek is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
.TP
\fB\-m\fR,\ \-\-mem-leaks
show leaks
@ -150,4 +150,4 @@ Output file for script execution statistics
Disable Zeekygen (Broxygen) documentation support
.SH AUTHOR
.B bro
was written by The Bro Project <info@bro.org>.
was written by The Zeek Project <info@zeek.org>.


@ -11,7 +11,7 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
if ( NOT BINARY_PACKAGING_MODE )
# If the user has a local.bro file from a previous installation, prefer to
# symlink local.zeek to it to avoid breaking their custom configuration --
# because BroControl will now prefer to load local.zeek rather than local.bro
# because ZeekControl will now prefer to load local.zeek rather than local.bro
# and we're about to install a default version of local.zeek.
set(_local_bro_dst ${BRO_SCRIPT_INSTALL_PATH}/site/local.bro)


@ -1,3 +1,3 @@
The analyzer framework allows to dynamically enable or disable Bro's
The analyzer framework allows to dynamically enable or disable Zeek's
protocol analyzers, as well as to manage the well-known ports which
automatically activate a particular analyzer for new connections.


@ -1,4 +1,4 @@
##! Framework for managing Bro's protocol analyzers.
##! Framework for managing Zeek's protocol analyzers.
##!
##! The analyzer framework allows to dynamically enable or disable analyzers, as
##! well as to manage the well-known ports which automatically activate a
@ -21,7 +21,7 @@ export {
global disable_all = F &redef;
## Enables an analyzer. Once enabled, the analyzer may be used for analysis
## of future connections as decided by Bro's dynamic protocol detection.
## of future connections as decided by Zeek's dynamic protocol detection.
##
## tag: The tag of the analyzer to enable.
##


@ -1,2 +1,2 @@
The Broker communication framework facilitates connecting to remote Bro
The Broker communication framework facilitates connecting to remote Zeek
instances to share state and transfer events.


@ -32,27 +32,27 @@ export {
const disable_ssl = F &redef;
## Path to a file containing concatenated trusted certificates
## in PEM format. If set, Bro will require valid certificates for
## in PEM format. If set, Zeek will require valid certificates for
## all peers.
const ssl_cafile = "" &redef;
## Path to an OpenSSL-style directory of trusted certificates.
## If set, Bro will require valid certificates for
## If set, Zeek will require valid certificates for
## all peers.
const ssl_capath = "" &redef;
## Path to a file containing a X.509 certificate for this
## node in PEM format. If set, Bro will require valid certificates for
## node in PEM format. If set, Zeek will require valid certificates for
## all peers.
const ssl_certificate = "" &redef;
## Passphrase to decrypt the private key specified by
## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
## :zeek:see:`Broker::ssl_keyfile`. If set, Zeek will require valid
## certificates for all peers.
const ssl_passphrase = "" &redef;
## Path to the file containing the private key for this node's
## certificate. If set, Bro will require valid certificates for
## certificate. If set, Zeek will require valid certificates for
## all peers.
const ssl_keyfile = "" &redef;
@ -61,6 +61,14 @@ export {
## control mechanisms).
const congestion_queue_size = 200 &redef;
## The max number of log entries per log stream to batch together when
## sending log messages to a remote logger.
const log_batch_size = 400 &redef;
## Max time to buffer log messages before sending the current set out as a
## batch.
const log_batch_interval = 1sec &redef;
## Max number of threads to use for Broker/CAF functionality. The
## BRO_BROKER_MAX_THREADS environment variable overrides this setting.
const max_threads = 1 &redef;
@ -339,7 +347,7 @@ export {
## Peers advertise interest by registering a subscription to some
## prefix of this topic name.
##
## ev: a Bro event value.
## ev: a Zeek event value.
##
## Returns: true if automatic event sending is now enabled.
global auto_publish: function(topic: string, ev: any): bool;
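Review bot: The new `log_batch_size` and `log_batch_interval` constants document the normal case but not the boundary values, and since both are `&redef` an operator can set either to 0 with no hint whether that means no batching, no flushing, or an error — the code that consumes them is outside this hunk, so I cannot tell which. I'd extend the comments once confirmed against the consumer, e.g. `## Must be greater than 0; a value of 0 is not supported.` if that is the case. It is also worth noting the operational trade-off in the `log_batch_interval` comment: entries are presumably held in memory for up to that interval, so a larger value widens the window of log lines lost if the node dies before the batch is sent.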


@ -365,15 +365,15 @@ export {
# Data API #
##########################
## Convert any Bro value to communication data.
## Convert any Zeek value to communication data.
##
## .. note:: Normally you won't need to use this function as data
## conversion happens implicitly when passing Bro values into Broker
## conversion happens implicitly when passing Zeek values into Broker
## functions.
##
## d: any Bro value to attempt to convert (not all types are supported).
## d: any Zeek value to attempt to convert (not all types are supported).
##
## Returns: the converted communication data. If the supplied Bro data
## Returns: the converted communication data. If the supplied Zeek data
## type does not support conversion to communication data, the
## returned record's optional field will not be set.
global data: function(d: any): Broker::Data;


@ -1,2 +1,2 @@
The cluster framework provides for establishing and controlling a cluster
of Bro instances.
of Zeek instances.


@ -1,6 +1,6 @@
##! A framework for establishing and controlling a cluster of Bro instances.
##! A framework for establishing and controlling a cluster of Zeek instances.
##! In order to use the cluster framework, a script named
##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path
##! ``cluster-layout.zeek`` must exist somewhere in Zeek's script search path
##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
##! must also be sent and the cluster framework loaded as a package like
@ -178,7 +178,7 @@ export {
global is_enabled: function(): bool;
## This function can be called at any time to determine what type of
## cluster node the current Bro instance is going to be acting as.
## cluster node the current Zeek instance is going to be acting as.
## If :zeek:id:`Cluster::is_enabled` returns false, then
## :zeek:enum:`Cluster::NONE` is returned.
##
@ -194,7 +194,7 @@ export {
## The cluster layout definition. This should be placed into a filter
## named cluster-layout.zeek somewhere in the BROPATH. It will be
## automatically loaded if the CLUSTER_NODE environment variable is set.
## Note that BroControl handles all of this automatically.
## Note that ZeekControl handles all of this automatically.
## The table is typically indexed by node names/labels (e.g. "manager"
## or "worker-1").
const nodes: table[string] of Node = {} &redef;
@ -202,7 +202,7 @@ export {
## Indicates whether or not the manager will act as the logger and receive
## logs. This value should be set in the cluster-layout.zeek script (the
## value should be true only if no logger is specified in Cluster::nodes).
## Note that BroControl handles this automatically.
## Note that ZeekControl handles this automatically.
const manager_is_logger = T &redef;
## This is usually supplied on the command line for each instance


@ -1,7 +1,7 @@
##! This is the core Bro script to support the notion of a cluster logger.
##! This is the core Zeek script to support the notion of a cluster logger.
##!
##! The logger is passive (other Bro instances connect to us), and once
##! connected the logger receives logs from other Bro instances.
##! The logger is passive (other Zeek instances connect to us), and once
##! connected the logger receives logs from other Zeek instances.
##! This script will be automatically loaded if necessary based on the
##! type of node being started.


@ -1,4 +1,4 @@
##! This is the core Bro script to support the notion of a cluster manager.
##! This is the core Zeek script to support the notion of a cluster manager.
##!
##! The manager is passive (the workers connect to us), and once connected
##! the manager registers for the events on the workers that are needed


@ -1,4 +1,4 @@
##! Redefines the options common to all proxy nodes within a Bro cluster.
##! Redefines the options common to all proxy nodes within a Zeek cluster.
##! In particular, proxies are not meant to produce logs locally and they
##! do not forward events anywhere, they mainly synchronize state between
##! worker nodes.


@ -1,4 +1,4 @@
##! Redefines some options common to all worker nodes within a Bro cluster.
##! Redefines some options common to all worker nodes within a Zeek cluster.
##! In particular, worker nodes do not produce logs locally, instead they
##! send them off to a logger node for processing.


@ -351,7 +351,7 @@ event zeek_init() &priority=-5
return;
# Sorting now ensures the node distribution process is stable even if
# there's a change in the order of time-of-registration between Bro runs.
# there's a change in the order of time-of-registration between Zeek runs.
sort(registered_pools, pool_sorter);
pool_eligibility[Cluster::WORKER] =


@ -44,7 +44,7 @@ function connect_peers_with_type(node_type: NodeType)
event zeek_init() &priority=-10
{
if ( getenv("BROCTL_CHECK_CONFIG") != "" )
if ( getenv("ZEEKCTL_CHECK_CONFIG") != "" )
return;
local self = nodes[node];
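Review bot: Renaming the environment check to `ZEEKCTL_CHECK_CONFIG` means an older control tool that still exports `BROCTL_CHECK_CONFIG` for its configuration check no longer hits this early return, and the handler goes on to connect to peers during what was meant to be a dry run. If mixed versions are expected during the transition (NEWS presents the rename as backwards compatible), accept both names: `if ( getenv("ZEEKCTL_CHECK_CONFIG") != "" || getenv("BROCTL_CHECK_CONFIG") != "" )`. Whether the bundled zeekctl submodule still exports the old name is not visible on this page. The `zeek_init` handler continues past the end of the hunk.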


@ -1,2 +1,2 @@
The configuration framework provides a way to change the Bro configuration
The configuration framework provides a way to change the Zeek configuration
in "option" values at run-time.


@ -1,4 +1,4 @@
##! The configuration framework provides a way to change Bro options
##! The configuration framework provides a way to change Zeek options
##! (as specified by the "option" keyword) at runtime. It also logs runtime
##! changes to options to config.log.


@ -1,3 +1,3 @@
The control framework provides the foundation for providing "commands"
that can be taken remotely at runtime to modify a running Bro instance
that can be taken remotely at runtime to modify a running Zeek instance
or collect information from the running instance.


@ -1,12 +1,12 @@
##! The control framework provides the foundation for providing "commands"
##! that can be taken remotely at runtime to modify a running Bro instance
##! that can be taken remotely at runtime to modify a running Zeek instance
##! or collect information from the running instance.
module Control;
export {
## The topic prefix used for exchanging control messages via Broker.
const topic_prefix = "bro/control";
const topic_prefix = "zeek/control";
## Whether the controllee should call :zeek:see:`Broker::listen`.
## In a cluster, this isn't needed since the setup process calls it.
@ -58,7 +58,7 @@ export {
## Returns the current net_stats.
global net_stats_response: event(s: string);
## Inform the remote Bro instance that it's configuration may have been
## Inform the remote Zeek instance that it's configuration may have been
## updated.
global configuration_update_request: event();
## This event is a wrapper and alias for the
@ -68,7 +68,7 @@ export {
## Message in response to a configuration update request.
global configuration_update_response: event();
## Requests that the Bro instance begins shutting down.
## Requests that the Zeek instance begins shutting down.
global shutdown_request: event();
## Message in response to a shutdown request.
global shutdown_response: event();
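Review bot: Changing `topic_prefix` from `"bro/control"` to `"zeek/control"` is a wire-visible change, not just a spelling fix: a controller and a controllee on different sides of this commit publish and subscribe on different topics, so remote control requests such as `shutdown_request` and `configuration_update_request` silently go nowhere. The NEWS hunks visible on this page list renamed executables and files but not this topic, so I'd add an entry under Changed Functionality and, if mixed-version deployments are expected, also subscribe to the old prefix for the transition. Because `topic_prefix` is declared `const` without `&redef`, operators cannot work around the mismatch from a site script. Whether anything still subscribes to the old prefix is not visible here.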


@ -1,2 +1,2 @@
The input framework provides a way to read previously stored data either as
an event stream or into a Bro table.
an event stream or into a Zeek table.


@ -1,5 +1,5 @@
##! The input framework provides a way to read previously stored data either
##! as an event stream or into a Bro table.
##! as an event stream or into a Zeek table.
module Input;
@ -55,7 +55,7 @@ export {
## abort. Defaults to false (abort).
const accept_unsupported_types = F &redef;
## A table input stream type used to send data to a Bro table.
## A table input stream type used to send data to a Zeek table.
type TableDescription: record {
# Common definitions for tables and events
@ -112,7 +112,7 @@ export {
##
## The event is raised like if it had been declared as follows:
## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
error_ev: any &optional;
## A key/value table that will be passed to the reader.
@ -121,7 +121,7 @@ export {
config: table[string] of string &default=table();
};
## An event input stream type used to send input data to a Bro event.
## An event input stream type used to send input data to a Zeek event.
type EventDescription: record {
# Common definitions for tables and events
@ -166,7 +166,7 @@ export {
##
## The event is raised like it had been declared as follows:
## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
error_ev: any &optional;
## A key/value table that will be passed to the reader.


@ -1,6 +1,6 @@
##! Interface for the ascii input reader.
##!
##! The defaults are set to match Bro's ASCII output.
##! The defaults are set to match Zeek's ASCII output.
module InputAscii;


@ -1,6 +1,6 @@
##! The Bro logging interface.
##! The Zeek logging interface.
##!
##! See :doc:`/frameworks/logging` for an introduction to Bro's
##! See :doc:`/frameworks/logging` for an introduction to Zeek's
##! logging framework.
module Log;
@ -84,13 +84,13 @@ export {
path: string; ##< Original path value.
open: time; ##< Time when opened.
close: time; ##< Time when closed.
terminating: bool; ##< True if rotation occured due to Bro shutting down.
terminating: bool; ##< True if rotation occured due to Zeek shutting down.
};
## Default rotation interval to use for filters that do not specify
## an interval. Zero disables rotation.
##
## Note that this is overridden by the BroControl LogRotationInterval
## Note that this is overridden by the ZeekControl LogRotationInterval
## option.
const default_rotation_interval = 0secs &redef;
@ -108,7 +108,7 @@ export {
## Default alarm summary mail interval. Zero disables alarm summary
## mails.
##
## Note that this is overridden by the BroControl MailAlarmsInterval
## Note that this is overridden by the ZeekControl MailAlarmsInterval
## option.
const default_mail_alarms_interval = 0secs &redef;
@ -219,7 +219,7 @@ export {
scope_sep: string &default=default_scope_sep;
## Default prefix for all extension fields. It's typically
## prudent to set this to something that Bro's logging
## prudent to set this to something that Zeek's logging
## framework can't normally write out in a field name.
ext_prefix: string &default=default_ext_prefix;


@ -1,3 +1,3 @@
The NetControl framework provides a way for Bro to interact with networking
The NetControl framework provides a way for Zeek to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.


@ -32,7 +32,7 @@ export {
type DropInfo: record {
## Time at which the recorded activity occurred.
ts: time &log;
## ID of the rule; unique during each Bro run.
## ID of the rule; unique during each Zeek run.
rule_id: string &log;
orig_h: addr &log; ##< The originator's IP address.
orig_p: port &log &optional; ##< The originator's port number.


@ -1,8 +1,8 @@
##! Bro's NetControl framework.
##! Zeek's NetControl framework.
##!
##! This plugin-based framework allows to control the traffic that Bro monitors
##! This plugin-based framework allows to control the traffic that Zeek monitors
##! as well as, if having access to the forwarding path, the traffic the network
##! forwards. By default, the framework lets everything through, to both Bro
##! forwards. By default, the framework lets everything through, to both Zeek
##! itself as well as on the network. Scripts can then add rules to impose
##! restrictions on entities, such as specific connections or IP addresses.
##!
@ -291,7 +291,7 @@ export {
type Info: record {
## Time at which the recorded activity occurred.
ts: time &log;
## ID of the rule; unique during each Bro run.
## ID of the rule; unique during each Zeek run.
rule_id: string &log &optional;
## Type of the log entry.
category: InfoCategory &log &optional;
@ -632,7 +632,7 @@ event NetControl::init() &priority=-20
log_msg_no_plugin("waiting for plugins to initialize");
}
# Low-level functions that only runs on the manager (or standalone) Bro node.
# Low-level functions that only runs on the manager (or standalone) Zeek node.
function activate_impl(p: PluginState, priority: int)
{


@ -74,7 +74,7 @@ export {
## Table for a plugin to store instance-specific configuration information.
##
## Note, it would be nicer to pass the Plugin instance to all the below, instead
## of this state table. However Bro's type resolver has trouble with refering to a
## of this state table. However Zeek's type resolver has trouble with refering to a
## record type from inside itself.
redef record PluginState += {
## The plugin that the state belongs to. (Defined separately


@ -1,5 +1,5 @@
##! NetControl plugin for the process-level PacketFilter that comes with
##! Bro. Since the PacketFilter in Bro is quite limited in scope
##! Zeek. Since the PacketFilter in Zeek is quite limited in scope
##! and can only add/remove filters for addresses, this is quite
##! limited in scope at the moment.
@ -13,7 +13,7 @@ export {
}
# Check if we can handle this rule. If it specifies ports or
# anything Bro cannot handle, simply ignore it for now.
# anything Zeek cannot handle, simply ignore it for now.
function packetfilter_check_rule(r: Rule) : bool
{
if ( r$ty != DROP )


@ -7,7 +7,7 @@ module NetControl;
export {
redef enum Log::ID += { SHUNT };
## Stops forwarding a uni-directional flow's packets to Bro.
## Stops forwarding a uni-directional flow's packets to Zeek.
##
## f: The flow to shunt.
##
@ -21,7 +21,7 @@ export {
type ShuntInfo: record {
## Time at which the recorded activity occurred.
ts: time &log;
## ID of the rule; unique during each Bro run.
## ID of the rule; unique during each Zeek run.
rule_id: string &log;
## Flow ID of the shunted flow.
f: flow_id &log;


@ -50,12 +50,12 @@ export {
## Type defining the target of a rule.
##
## Rules can either be applied to the forward path, affecting all network traffic, or
## on the monitor path, only affecting the traffic that is sent to Bro. The second
## is mostly used for shunting, which allows Bro to tell the networking hardware that
## on the monitor path, only affecting the traffic that is sent to Zeek. The second
## is mostly used for shunting, which allows Zeek to tell the networking hardware that
## it wants to no longer see traffic that it identified as benign.
type TargetType: enum {
FORWARD, #< Apply rule actively to traffic on forwarding path.
MONITOR, #< Apply rule passively to traffic sent to Bro for monitoring.
MONITOR, #< Apply rule passively to traffic sent to Zeek for monitoring.
};
## Type of rules that the framework supports. Each type lists the extra


@ -1,4 +1,4 @@
The notice framework enables Bro to "notice" things which are odd or
The notice framework enables Zeek to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable. This decoupling of detection and reporting allows
Bro to be customized to the different needs that sites have.
Zeek to be customized to the different needs that sites have.


@ -14,7 +14,7 @@ export {
## Address to send the pretty-printed reports to. Default if not set is
## :zeek:id:`Notice::mail_dest`.
##
## Note that this is overridden by the BroControl MailAlarmsTo option.
## Note that this is overridden by the ZeekControl MailAlarmsTo option.
const mail_dest_pretty_printed = "" &redef;
## If an address from one of these networks is reported, we mark
## the entry with an additional quote symbol (i.e., ">"). Many MUAs


@ -1,6 +1,6 @@
##! This is the notice framework which enables Bro to "notice" things which
##! This is the notice framework which enables Zeek to "notice" things which
##! are odd or potentially bad. Decisions of the meaning of various notices
##! need to be done per site because Bro does not ship with assumptions about
##! need to be done per site because Zeek does not ship with assumptions about
##! what is bad activity for sites. More extensive documentation about using
##! the notice framework can be found in :doc:`/frameworks/notice`.
@ -189,26 +189,26 @@ export {
## Local system sendmail program.
##
## Note that this is overridden by the BroControl SendMail option.
## Note that this is overridden by the ZeekControl SendMail option.
option sendmail = "/usr/sbin/sendmail";
## Email address to send notices with the
## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
## on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
##
## Note that this is overridden by the BroControl MailTo option.
## Note that this is overridden by the ZeekControl MailTo option.
const mail_dest = "" &redef;
## Address that emails will be from.
##
## Note that this is overridden by the BroControl MailFrom option.
option mail_from = "Big Brother <bro@localhost>";
## Note that this is overridden by the ZeekControl MailFrom option.
option mail_from = "Zeek <zeek@localhost>";
## Reply-to address used in outbound email.
option reply_to = "";
## Text string prefixed to the subject of all emails sent out.
##
## Note that this is overridden by the BroControl MailSubjectPrefix
## Note that this is overridden by the ZeekControl MailSubjectPrefix
## option.
option mail_subject_prefix = "[Bro]";
option mail_subject_prefix = "[Zeek]";
## The maximum amount of time a plugin can delay email from being sent.
const max_email_delay = 15secs &redef;
@ -390,7 +390,7 @@ event zeek_init() &priority=5
Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm"]);
# If Bro is configured for mailing notices, set up mailing for alarms.
# If Zeek is configured for mailing notices, set up mailing for alarms.
# Make sure that this alarm log is also output as text so that it can
# be packaged up and emailed later.
if ( ! reading_traces() && mail_dest != "" )
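Review bot: The new defaults `option mail_from = "Zeek <zeek@localhost>";` and `option mail_subject_prefix = "[Zeek]";` are a runtime behaviour change rather than a documentation rename: any site-side mail routing or alerting rule keyed on the old `[Bro]` subject prefix or on the `bro@localhost` sender stops matching after an upgrade. Since both are `option`s, a short upgrade note telling operators to redefine them to the previous values if their mail pipeline depends on them would be worthwhile. The rest of this hunk is comment-only.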


@ -1,5 +1,5 @@
##! This script provides a default set of actions to take for "weird activity"
##! events generated from Bro's event engine. Weird activity is defined as
##! events generated from Zeek's event engine. Weird activity is defined as
##! unusual or exceptional activity that can indicate malformed connections,
##! traffic that doesn't conform to a particular protocol, malfunctioning
##! or misconfigured hardware, or even an attacker attempting to avoid/confuse


@ -1,7 +1,7 @@
##! Constants used by the OpenFlow framework.
# All types/constants not specific to OpenFlow will be defined here
# until they somehow get into Bro.
# until they somehow get into Zeek.
module OpenFlow;
@ -10,7 +10,7 @@ module OpenFlow;
const COOKIE_BID_SIZE = 16777216;
# start at bit 40 (1 << 40)
const COOKIE_BID_START = 1099511627776;
# bro specific cookie ID shall have the 42 bit set (1 << 42)
# Zeek specific cookie ID shall have the 42 bit set (1 << 42)
const BRO_COOKIE_ID = 4;
# 8 bits group identifier
const COOKIE_GID_SIZE = 256;
@ -122,7 +122,7 @@ export {
## Return value for a cookie from a flow
## which is not added, modified or deleted
## from the bro openflow framework.
## from the Zeek openflow framework.
const INVALID_COOKIE = 0xffffffffffffffff;
# Openflow physical port definitions
## Send the packet out the input port. This


@ -1,4 +1,4 @@
##! Bro's OpenFlow control framework.
##! Zeek's OpenFlow control framework.
##!
##! This plugin-based framework allows to control OpenFlow capable
##! switches by implementing communication to an OpenFlow controller


@ -61,8 +61,8 @@ function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool
function broker_init(state: OpenFlow::ControllerState)
{
Broker::peer(cat(state$broker_host), state$broker_port);
Broker::subscribe(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker.
Broker::peer(cat(state$broker_host), state$broker_port);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
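Review bot: The reordering in broker_init leaves no comment stating why `Broker::subscribe` must now run before `Broker::peer`; presumably the intent is that the subscription is already in place when the peering completes so that events the controller publishes right after the connection is established are not dropped, but nothing stops the next maintainer from swapping the two lines back. Suggest a comment above the subscribe call: `# Subscribe before peering so no event arriving right after the peering is established is missed.` The existing trailing comment on the subscribe line could be moved there as well, so the ordering constraint and the purpose of the subscription are documented together.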


@ -1,5 +1,5 @@
##! OpenFlow plugin that outputs flow-modification commands
##! to a Bro log file.
##! to a Zeek log file.
@load base/frameworks/openflow
@load base/frameworks/logging


@ -1 +1 @@
The packet filter framework supports how Bro sets its BPF capture filter.
The packet filter framework supports how Zeek sets its BPF capture filter.


@ -1,7 +1,7 @@
##! This script supports how Bro sets its BPF capture filter. By default
##! Bro sets a capture filter that allows all traffic. If a filter
##! This script supports how Zeek sets its BPF capture filter. By default
##! Zeek sets a capture filter that allows all traffic. If a filter
##! is set on the command line, that filter takes precedence over the default
##! open filter and all filters defined in Bro scripts with the
##! open filter and all filters defined in Zeek scripts with the
##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
@load base/frameworks/notice


@ -1,5 +1,5 @@
##! This script reports on packet loss from the various packet sources.
##! When Bro is reading input from trace files, this script will not
##! When Zeek is reading input from trace files, this script will not
##! report any packet loss statistics.
@load base/frameworks/notice


@ -27,9 +27,9 @@ export {
## terminate program execution.
level: Level &log;
## An info/warning/error message that could have either been
## generated from the internal Bro core or at the scripting-layer.
## generated from the internal Zeek core or at the scripting-layer.
message: string &log;
## This is the location in a Bro script where the message originated.
## This is the location in a Zeek script where the message originated.
## Not all reporter messages will have locations in them though.
location: string &log &optional;
};


@ -1,4 +1,4 @@
The signature framework provides for doing low-level pattern matching. While
signatures are not Bro's preferred detection tool, they sometimes come in
signatures are not Zeek's preferred detection tool, they sometimes come in
handy and are closer to what many people are familiar with from using
other NIDS.


@ -1,6 +1,6 @@
##! Script level signature support. See the
##! :doc:`signature documentation </frameworks/signatures>` for more
##! information about Bro's signature engine.
##! information about Zeek's signature engine.
@load base/frameworks/notice


@ -113,7 +113,7 @@ type mime_match: record {
## :zeek:see:`file_magic`
type mime_matches: vector of mime_match;
## A connection's transport-layer protocol. Note that Bro uses the term
## A connection's transport-layer protocol. Note that Zeek uses the term
## "connection" broadly, using flow semantics for ICMP and UDP.
type transport_proto: enum {
unknown_transport, ##< An unknown transport-layer protocol.
@ -235,7 +235,7 @@ type icmp6_nd_option: record {
## A type alias for a vector of ICMPv6 neighbor discovery message options.
type icmp6_nd_options: vector of icmp6_nd_option;
# A DNS mapping between IP address and hostname resolved by Bro's internal
# A DNS mapping between IP address and hostname resolved by Zeek's internal
# resolver.
#
# .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@ -340,8 +340,8 @@ type endpoint: record {
l2_addr: string &optional;
};
## A connection. This is Bro's basic connection type describing IP- and
## transport-layer information about the conversation. Note that Bro uses a
## A connection. This is Zeek's basic connection type describing IP- and
## transport-layer information about the conversation. Note that Zeek uses a
## liberal interpretation of "connection" and associates instances of this type
## also with UDP and ICMP flows.
type connection: record {
@ -353,7 +353,7 @@ type connection: record {
## interval between first and last data packet (low-level TCP details
## may adjust it somewhat in ambiguous cases).
duration: interval;
## The set of services the connection is using as determined by Bro's
## The set of services the connection is using as determined by Zeek's
## dynamic protocol detection. Each entry is the label of an analyzer
## that confirmed that it could parse the connection payload. While
## typically, there will be at most one entry for each connection, in
@ -362,8 +362,8 @@ type connection: record {
## the recorded services are independent of any transport-level protocols.
service: set[string];
history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`.
## A globally unique connection identifier. For each connection, Bro
## creates an ID that is very likely unique across independent Bro runs.
## A globally unique connection identifier. For each connection, Zeek
## creates an ID that is very likely unique across independent Zeek runs.
## These IDs can thus be used to tag and locate information associated
## with that connection.
uid: string;
@ -390,7 +390,7 @@ option default_file_timeout_interval: interval = 2 mins;
## matching or later, will receive a copy of this buffer.
option default_file_bof_buffer_size: count = 4096;
## A file that Bro is analyzing. This is Bro's type for describing the basic
## A file that Zeek is analyzing. This is Zeek's type for describing the basic
## internal metadata collected about a "file", which is essentially just a
## byte stream that is e.g. pulled from a network connection or possibly
## some other input source.
@ -476,7 +476,7 @@ type SYN_packet: record {
##
## .. zeek:see:: get_net_stats
type NetStats: record {
pkts_recvd: count &default=0; ##< Packets received by Bro.
pkts_recvd: count &default=0; ##< Packets received by Zeek.
pkts_dropped: count &default=0; ##< Packets reported dropped by the system.
## Packets seen on the link. Note that this may differ
## from *pkts_recvd* because of a potential capture_filter. See
@ -484,7 +484,7 @@ type NetStats: record {
## packet capture system, this value may not be available and will then
## be always set to zero.
pkts_link: count &default=0;
bytes_recvd: count &default=0; ##< Bytes received by Bro.
bytes_recvd: count &default=0; ##< Bytes received by Zeek.
};
type ConnStats: record {
@ -512,16 +512,16 @@ type ConnStats: record {
killed_by_inactivity: count;
};
## Statistics about Bro's process.
## Statistics about Zeek's process.
##
## .. zeek:see:: get_proc_stats
##
## .. note:: All process-level values refer to Bro's main process only, not to
## .. note:: All process-level values refer to Zeek's main process only, not to
## the child process it spawns for doing communication.
type ProcStats: record {
debug: bool; ##< True if compiled with --enable-debug.
start_time: time; ##< Start time of process.
real_time: interval; ##< Elapsed real time since Bro started running.
real_time: interval; ##< Elapsed real time since Zeek started running.
user_time: interval; ##< User CPU seconds.
system_time: interval; ##< System CPU seconds.
mem: count; ##< Maximum memory consumed, in KB.
@ -579,8 +579,8 @@ type FileAnalysisStats: record {
cumulative: count; ##< Cumulative number of files analyzed.
};
## Statistics related to Bro's active use of DNS. These numbers are
## about Bro performing DNS queries on it's own, not traffic
## Statistics related to Zeek's active use of DNS. These numbers are
## about Zeek performing DNS queries on it's own, not traffic
## being seen.
##
## .. zeek:see:: get_dns_stats
@ -735,7 +735,7 @@ type call_argument_vector: vector of call_argument;
# dependent on the names remaining as they are now.
## Set of BPF capture filters to use for capturing, indexed by a user-definable
## ID (which must be unique). If Bro is *not* configured with
## ID (which must be unique). If Zeek is *not* configured with
## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`,
## all packets matching at least one of the filters in this table (and all in
## :zeek:id:`restrict_filters`) will be analyzed.
@ -866,7 +866,7 @@ const mmdb_dir: string = "" &redef;
## Computed entropy values. The record captures a number of measures that are
## computed in parallel. See `A Pseudorandom Number Sequence Test Program
## <http://www.fourmilab.ch/random>`_ for more information, Bro uses the same
## <http://www.fourmilab.ch/random>`_ for more information, Zeek uses the same
## code.
##
## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
@ -993,7 +993,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef;
## If we've seen this much data without any of it being acked, we give up
## on that connection to avoid memory exhaustion due to buffering all that
## stuff. If set to zero, then we don't ever give up. Ideally, Bro would
## stuff. If set to zero, then we don't ever give up. Ideally, Zeek would
## track the current window on a connection and use it to infer that data
## has in fact gone too far, but for now we just make this quite beefy.
##
@ -1788,7 +1788,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
ext: gtp_private_extension &optional;
};
# Prototypes of Bro built-in functions.
# Prototypes of Zeek built-in functions.
@load base/bif/bro.bif
@load base/bif/stats.bif
@load base/bif/reporter.bif
@ -1801,13 +1801,13 @@ global log_file_name: function(tag: string): string &redef;
## Deprecated. This is superseded by the new logging framework.
global open_log_file: function(tag: string): file &redef;
## Specifies a directory for Bro to store its persistent state. All globals can
## Specifies a directory for Zeek to store its persistent state. All globals can
## be declared persistent via the :zeek:attr:`&persistent` attribute.
const state_dir = ".state" &redef;
## Length of the delays inserted when storing state incrementally. To avoid
## dropping packets when serializing larger volumes of persistent state to
## disk, Bro interleaves the operation with continued packet processing.
## disk, Zeek interleaves the operation with continued packet processing.
const state_write_delay = 0.01 secs &redef;
global done_with_network = F;
@ -1868,7 +1868,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
global discarder_maxlen = 128 &redef;
## Function for skipping packets based on their IP header. If defined, this
## function will be called for all IP packets before Bro performs any further
## function will be called for all IP packets before Zeek performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
@ -1884,7 +1884,7 @@ global discarder_maxlen = 128 &redef;
global discarder_check_ip: function(p: pkt_hdr): bool;
## Function for skipping packets based on their TCP header. If defined, this
## function will be called for all TCP packets before Bro performs any further
## function will be called for all TCP packets before Zeek performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
@ -1902,7 +1902,7 @@ global discarder_check_ip: function(p: pkt_hdr): bool;
global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their UDP header. If defined, this
## function will be called for all UDP packets before Bro performs any further
## function will be called for all UDP packets before Zeek performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
@ -1920,7 +1920,7 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their ICMP header. If defined, this
## function will be called for all ICMP packets before Bro performs any further
## function will be called for all ICMP packets before Zeek performs any further
## analysis. If the function signals to discard a packet, no further processing
## will be performed on it.
##
@ -1935,7 +1935,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
## Avoid using it.
global discarder_check_icmp: function(p: pkt_hdr): bool;
## Bro's watchdog interval.
## Zeek's watchdog interval.
const watchdog_interval = 10 sec &redef;
## The maximum number of timers to expire after processing each new
@ -2711,7 +2711,7 @@ export {
## A set of file names used as named pipes over SMB. This
## only comes into play as a heuristic to identify named
## pipes when the drive mapping wasn't seen by Bro.
## pipes when the drive mapping wasn't seen by Zeek.
##
## .. zeek:see:: smb_pipe_connect_heuristic
const SMB::pipe_filenames: set[string] &redef;
@ -4483,13 +4483,13 @@ export {
## The data from the ERROR_MSG message. See :rfc:`4120`.
type KRB::Error_Msg: record {
## Protocol version number (5 for KRB5)
pvno : count;
pvno : count &optional;
## The message type (30 for ERROR_MSG)
msg_type : count;
msg_type : count &optional;
## Current time on the client
client_time : time &optional;
## Current time on the server
server_time : time;
server_time : time &optional;
## The specific error code
error_code : count;
## Realm of the ticket
@ -4497,9 +4497,9 @@ export {
## Name on the ticket
client_name : string &optional;
## Realm of the service
service_realm : string;
service_realm : string &optional;
## Name of the service
service_name : string;
service_name : string &optional;
## Additional text to explain the error
error_text : string &optional;
## Optional pre-authentication data
@ -4533,25 +4533,25 @@ export {
## Optional pre-authentication data
pa_data : vector of KRB::Type_Value &optional;
## Options specified in the request
kdc_options : KRB::KDC_Options;
kdc_options : KRB::KDC_Options &optional;
## Name on the ticket
client_name : string &optional;
## Realm of the service
service_realm : string;
service_realm : string &optional;
## Name of the service
service_name : string &optional;
## Time the ticket is good from
from : time &optional;
## Time the ticket is good till
till : time;
till : time &optional;
## The requested renew-till time
rtime : time &optional;
## A random nonce generated by the client
nonce : count;
nonce : count &optional;
## The desired encryption algorithms, in order of preference
encryption_types : vector of count;
encryption_types : vector of count &optional;
## Any additional addresses the ticket should be valid for
host_addrs : vector of KRB::Host_Address &optional;
## Additional tickets may be included for certain transactions
@ -4670,16 +4670,16 @@ const detect_filtered_trace = F &redef;
## .. zeek:see:: content_gap partial_connection
const report_gaps_for_partial = F &redef;
## Flag to prevent Bro from exiting automatically when input is exhausted.
## Normally Bro terminates when all packet sources have gone dry
## and communication isn't enabled. If this flag is set, Bro's main loop will
## Flag to prevent Zeek from exiting automatically when input is exhausted.
## Normally Zeek terminates when all packet sources have gone dry
## and communication isn't enabled. If this flag is set, Zeek's main loop will
## instead keep idling until :zeek:see:`terminate` is explicitly called.
##
## This is mainly for testing purposes when termination behaviour needs to be
## controlled for reproducing results.
const exit_only_after_terminate = F &redef;
## The CA certificate file to authorize remote Bros/Broccolis.
## The CA certificate file to authorize remote Zeeks/Broccolis.
##
## .. zeek:see:: ssl_private_key ssl_passphrase
const ssl_ca_certificate = "<undefined>" &redef;
@ -4690,17 +4690,17 @@ const ssl_ca_certificate = "<undefined>" &redef;
const ssl_private_key = "<undefined>" &redef;
## The passphrase for our private key. Keeping this undefined
## causes Bro to prompt for the passphrase.
## causes Zeek to prompt for the passphrase.
##
## .. zeek:see:: ssl_private_key ssl_ca_certificate
const ssl_passphrase = "<undefined>" &redef;
## Default mode for Bro's user-space dynamic packet filter. If true, packets
## Default mode for Zeek's user-space dynamic packet filter. If true, packets
## that aren't explicitly allowed through, are dropped from any further
## processing.
##
## .. note:: This is not the BPF packet filter but an additional dynamic filter
## that Bro optionally applies just before normal processing starts.
## that Zeek optionally applies just before normal processing starts.
##
## .. zeek:see:: install_dst_addr_filter install_dst_net_filter
## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter
@ -4714,10 +4714,11 @@ const sig_max_group_size = 50 &redef;
const peer_description = "bro" &redef;
## The number of IO chunks allowed to be buffered between the child
## and parent process of remote communication before Bro starts dropping
## and parent process of remote communication before Zeek starts dropping
## connections to remote peers in an attempt to catch up.
const chunked_io_buffer_soft_cap = 800000 &redef;
## Reassemble the beginning of all TCP connections before doing
## signature matching. Enabling this provides more accurate matching at the
## expense of CPU cycles.
##
@ -4729,7 +4730,7 @@ const chunked_io_buffer_soft_cap = 800000 &redef;
const dpd_reassemble_first_packets = T &redef;
## Size of per-connection buffer used for dynamic protocol detection. For each
## connection, Bro buffers this initial amount of payload in memory so that
## connection, Zeek buffers this initial amount of payload in memory so that
## complete protocol analysis can start even after the initial packets have
## already passed through (i.e., when a DPD signature matches only later).
## However, once the buffer is full, data is deleted and lost to analyzers that
@ -4783,8 +4784,8 @@ const suppress_local_output = F &redef;
## .. zeek:see:: record_all_packets
const trace_output_file = "";
## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it.
## By default, Bro applies (very few) heuristics to reduce the volume. A side
## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
## By default, Zeek applies (very few) heuristics to reduce the volume. A side
## effect of setting this to true is that we can write the packets out before we
## actually process them, which can be helpful for debugging in case the
## analysis triggers a crash.
@ -4805,7 +4806,7 @@ module JSON;
export {
type TimestampFormat: enum {
## Timestamps will be formatted as UNIX epoch doubles. This is
## the format that Bro typically writes out timestamps.
## the format that Zeek typically writes out timestamps.
TS_EPOCH,
## Timestamps will be formatted as unsigned integers that
## represent the number of milliseconds since the UNIX
@ -4876,17 +4877,17 @@ export {
module Reporter;
export {
## Tunable for sending reporter info messages to STDERR. The option to
## turn it off is presented here in case Bro is being run by some
## turn it off is presented here in case Zeek is being run by some
## external harness and shouldn't output anything to the console.
const info_to_stderr = T &redef;
## Tunable for sending reporter warning messages to STDERR. The option
## to turn it off is presented here in case Bro is being run by some
## to turn it off is presented here in case Zeek is being run by some
## external harness and shouldn't output anything to the console.
const warnings_to_stderr = T &redef;
## Tunable for sending reporter error messages to STDERR. The option to
## turn it off is presented here in case Bro is being run by some
## turn it off is presented here in case Zeek is being run by some
## external harness and shouldn't output anything to the console.
const errors_to_stderr = T &redef;
}
@ -4978,8 +4979,8 @@ export {
module GLOBAL;
## Seed for hashes computed internally for probabilistic data structures. Using
## the same value here will make the hashes compatible between independent Bro
## instances. If left unset, Bro will use a temporary local seed.
## the same value here will make the hashes compatible between independent Zeek
## instances. If left unset, Zeek will use a temporary local seed.
const global_hash_seed: string = "" &redef;
## Number of bits in UIDs that are generated to identify connections and
@ -4988,7 +4989,7 @@ const global_hash_seed: string = "" &redef;
const bits_per_uid: count = 96 &redef;
## Whether usage of the old communication system is considered an error or
## not. The default Bro configuration no longer works with the non-Broker
## not. The default Zeek configuration no longer works with the non-Broker
## communication system unless you have manually taken action to initialize
## and set up the old comm. system. Deprecation warnings are still emitted
## when setting this flag, but they will not result in a fatal error.
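Review bot: In the KRB::Error_Msg hunk, `error_code : count;` is the one field left without `&optional` while pvno, msg_type, server_time, service_realm and service_name gain it; if the analyzer can hand over a partially populated record (which is presumably why the others became optional), a script reading `$error_code` unguarded would still raise a runtime error. Either make it `error_code : count &optional;` together with the others, or add a comment on the field stating why it is guaranteed to be set. The same question applies to the KDC_Request hunk, where `kdc_options`, `service_realm`, `till`, `nonce` and `encryption_types` only now become optional; every script that reads these fields needs a `?$` existence check, which the commit message says is added in scripts not visible in this section.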


@ -1,5 +1,5 @@
##! This script loads everything in the base/ script directory. If you want
##! to run Bro without all of these scripts loaded by default, you can use
##! to run Zeek without all of these scripts loaded by default, you can use
##! the ``-b`` (``--bare-mode``) command line argument. You can also copy the
##! "@load" lines from this script to your own script to load only the scripts
##! that you actually want.


@ -50,7 +50,7 @@ event ChecksumOffloading::check()
bad_checksum_msg += "UDP";
}
local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
Reporter::warning(message);
done = T;
}


@ -2,7 +2,7 @@
##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
##! packets and no content). On finding such a trace, a warning is
##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
##! option may be desired if the user does not want Bro to report
##! option may be desired if the user does not want Zeek to report
##! missing TCP segments.
module FilteredTraceDetection;
@ -45,5 +45,5 @@ event zeek_done()
return;
if ( ! saw_tcp_conn_with_data )
Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
}


@ -1,4 +1,4 @@
##! Provide information about the currently running Bro version.
##! Provide information about the currently running Zeek version.
##! The most convenient way to access this are the Version::number
##! and Version::info constants.
@ -8,12 +8,12 @@
module Version;
export {
## A type exactly describing a Bro version
## A type exactly describing a Zeek version
type VersionDescription: record {
## Number representing the version which can be used for easy comparison.
## The format of the number is ABBCC with A being the major version,
## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
## As an example, Bro 2.4.1 results in the number 20401.
## As an example, Zeek 2.4.1 results in the number 20401.
version_number: count;
## Major version number (e.g. 2 for 2.5)
major: count;
@ -23,7 +23,7 @@ export {
patch: count;
## Commit number for development versions, e.g. 12 for 2.4-12. 0 for non-development versions
commit: count;
## If set to true, the version is a beta build of Bro
## If set to true, the version is a beta build of Zeek
beta: bool;
## If set to true, the version is a debug build
debug: bool;
@ -33,12 +33,12 @@ export {
## Parse a given version string.
##
## version_string: Bro version string.
## version_string: Zeek version string.
##
## Returns: `VersionDescription` record.
global parse: function(version_string: string): VersionDescription;
## Test if the current running version of Bro is greater or equal to the given version
## Test if the current running version of Zeek is greater or equal to the given version
## string.
##
## version_string: Version to check against the current running version.
@ -74,13 +74,13 @@ function parse(version_string: string): VersionDescription
}
export {
## version number of the currently running version of Bro as a numeric representation.
## version number of the currently running version of Zeek as a numeric representation.
## The format of the number is ABBCC with A being the major version,
## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
## As an example, Bro 2.4.1 results in the number 20401
## As an example, Zeek 2.4.1 results in the number 20401
const number = Version::parse(bro_version())$version_number;
## `VersionDescription` record pertaining to the currently running version of Bro.
## `VersionDescription` record pertaining to the currently running version of Zeek.
const info = Version::parse(bro_version());
}


@ -112,7 +112,7 @@ export {
## w packet with a zero window advertisement
## i inconsistent packet (e.g. FIN+RST bits set)
## q multi-flag packet (SYN+FIN or SYN+RST bits set)
## ^ connection direction was flipped by Bro's heuristic
## ^ connection direction was flipped by Zeek's heuristic
## ====== ====================================================
##
## If the event comes from the originator, the letter is in


@ -138,7 +138,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
# If a message hasn't been seen in the past 5 seconds or the
# total time watching has been more than the maximum time
# allowed by the configuration then log this data and expire it.
# Also, if Bro is shutting down.
# Also, if Zeek is shutting down.
if ( (now - info$last_message_ts) > 5sec ||
(now - info$ts) > max_txid_watch_time ||
bro_is_terminating() )


@ -116,7 +116,7 @@ export {
## Give up trying to match pending DNS queries or replies for a given
## query/transaction ID once this number of unmatched queries or replies
## is reached (this shouldn't happen unless either the DNS server/resolver
## is broken, Bro is not seeing all the DNS traffic, or an AXFR query
## is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
## response is ongoing).
option max_pending_msgs = 50;
@ -561,7 +561,7 @@ event connection_state_remove(c: connection) &priority=-5
if ( ! c?$dns_state )
return;
# If Bro is expiring state, we should go ahead and log all unmatched
# If Zeek is expiring state, we should go ahead and log all unmatched
# queries and replies now.
if( c$dns_state?$pending_query )
Log::write(DNS::LOG, c$dns_state$pending_query);


@ -118,7 +118,9 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
c$krb$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
msg?$client_realm ? msg$client_realm : "");
c$krb$service = msg$service_name;
if ( msg?$service_name )
c$krb$service = msg$service_name;
c$krb$success = F;
c$krb$error_code = msg$error_code;
@ -139,16 +141,23 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
return;
c$krb$request_type = "AS";
c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
msg?$service_realm ? msg$service_realm : "");
if ( msg?$service_name )
c$krb$service = msg$service_name;
if ( msg?$from )
c$krb$from = msg$from;
c$krb$till = msg$till;
if ( msg?$till )
c$krb$till = msg$till;
c$krb$forwardable = msg$kdc_options$forwardable;
c$krb$renewable = msg$kdc_options$renewable;
if ( msg?$kdc_options )
{
c$krb$forwardable = msg$kdc_options$forwardable;
c$krb$renewable = msg$kdc_options$renewable;
}
}
event krb_as_response(c: connection, msg: KDC_Response) &priority=5
@ -188,10 +197,14 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
c$krb$service = msg$service_name;
if ( msg?$from )
c$krb$from = msg$from;
c$krb$till = msg$till;
if ( msg?$till )
c$krb$till = msg$till;
c$krb$forwardable = msg$kdc_options$forwardable;
c$krb$renewable = msg$kdc_options$renewable;
if ( msg?$kdc_options )
{
c$krb$forwardable = msg$kdc_options$forwardable;
c$krb$renewable = msg$kdc_options$renewable;
}
}
event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
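Review bot: In the krb_tgs_request hunk the assignment `c$krb$service = msg$service_name;` (the first context line of that hunk) is left without the `if ( msg?$service_name )` guard that this same commit adds to the identical assignments in krb_error and krb_as_request; unless the guard sits on the line just above the hunk, which is not visible here, reading an absent &optional field there still raises a runtime script error, which is exactly what the new existence checks elsewhere are meant to prevent. A second inconsistency is in krb_as_request, where the new `c$krb$client = fmt("%s/%s", ...)` always emits the separator and so records the client as "/" when both name and realm are missing, whereas krb_error builds the separator conditionally with `msg?$client_name ? msg$client_name + "/" : ""`; using that form here too keeps the logged value meaningful for malformed or truncated requests. All three hunks start inside their event bodies, so the guards preceding each hunk cannot be confirmed from this view.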


@ -78,7 +78,7 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
function request(req: Request): ActiveHTTP::Response
{
local tmpfile = "/tmp/bro-activehttp-" + unique_id("");
local tmpfile = "/tmp/zeek-activehttp-" + unique_id("");
local bodyfile = fmt("%s_body", tmpfile);
local headersfile = fmt("%s_headers", tmpfile);
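Review bot: The renamed path on the new line still places the temporary body and header files directly in the shared, world-writable /tmp, and unique_id("") yields a name that is unique but not secret; since the files are created later by the spawned curl command rather than atomically by this script, a pre-existing file or link at that name would be written through. Consider exposing the directory as a tunable so deployments can point it at a private location, e.g. `const tmp_dir = "/tmp" &redef;` in the export block and `local tmpfile = tmp_dir + "/zeek-activehttp-" + unique_id("");` here, and document that the directory should not be writable by other local users. The body of request() continues past the end of the hunk, so the cleanup of these files cannot be checked from this view.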


@ -1,7 +1,7 @@
##! Functions to calculate distance between two locations, based on GeoIP data.
## Returns the distance between two IP addresses using the haversine formula,
## based on GeoIP database locations. Requires Bro to be built with GeoIP.
## based on GeoIP database locations. Requires Zeek to be built with GeoIP.
##
## a1: First IP address.
##


@ -1,9 +1,9 @@
##! Functions to assist with generating JSON data from Bro data scructures.
##! Functions to assist with generating JSON data from Zeek data scructures.
# We might want to implement this in core somtime, this looks... hacky at best.
@load base/utils/strings
## A function to convert arbitrary Bro data into a JSON string.
## A function to convert arbitrary Zeek data into a JSON string.
##
## v: The value to convert to JSON. Typically a record.
##


@ -9,7 +9,7 @@ module GLOBAL;
## ss: a set of strings to OR together.
##
## pat: the pattern containing a "~~" in it. If a literal backslash is
## included, it needs to be escaped with another backslash due to Bro's
## included, it needs to be escaped with another backslash due to Zeek's
## string parsing reducing it to a single backslash upon rendering.
##
## Returns: the input pattern with "~~" replaced by OR'd elements of input set.


@ -17,7 +17,7 @@ export {
[::1]/128,
};
## Networks that are considered "local". Note that BroControl sets
## Networks that are considered "local". Note that ZeekControl sets
## this automatically.
option local_nets: set[subnet] = {};


@ -1,5 +1,5 @@
##! Functions to assist with small string analysis and manipulation that can
##! be implemented as Bro functions and don't need to be implemented as built-in
##! be implemented as Zeek functions and don't need to be implemented as built-in
##! functions.
## Returns true if the given string is at least 25% composed of 8-bit


@ -1,11 +1,11 @@
##! The controllee portion of the control framework. Load this script if remote
##! runtime control of the Bro process is desired.
##! runtime control of the Zeek process is desired.
##!
##! A controllee only needs to load the controllee script in addition
##! to the specific analysis scripts desired. It may also need a node
##! configured as a controller node in the communications nodes configuration::
##!
##! bro <scripts> frameworks/control/controllee
##! zeek <scripts> frameworks/control/controllee
@load base/frameworks/control
@load base/frameworks/broker


@ -1,10 +1,10 @@
##! This is a utility script that implements the controller interface for the
##! control framework. It's intended to be run to control a remote Bro
##! control framework. It's intended to be run to control a remote Zeek
##! and then shutdown.
##!
##! It's intended to be used from the command line like this::
##!
##! bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
##! zeek <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
@load base/frameworks/control
@load base/frameworks/broker


@ -4,18 +4,18 @@
module PacketFilter;
export {
## The maximum number of BPF based shunts that Bro is allowed to perform.
## The maximum number of BPF based shunts that Zeek is allowed to perform.
const max_bpf_shunts = 100 &redef;
## Call this function to use BPF to shunt a connection (to prevent the
## data packets from reaching Bro). For TCP connections, control
## packets are still allowed through so that Bro can continue logging
## data packets from reaching Zeek). For TCP connections, control
## packets are still allowed through so that Zeek can continue logging
## the connection and it can stop shunting once the connection ends.
global shunt_conn: function(id: conn_id): bool;
## This function will use a BPF expression to shunt traffic between
## the two hosts given in the `conn_id` so that the traffic is never
## exposed to Bro's traffic processing.
## exposed to Zeek's traffic processing.
global shunt_host_pair: function(id: conn_id): bool;
## Remove shunting for a host pair given as a `conn_id`. The filter


@ -1,4 +1,4 @@
##! This script lets Barnyard2 integrate with Bro. It receives alerts from
##! This script lets Barnyard2 integrate with Zeek. It receives alerts from
##! Barnyard2 and logs them. In the future it will do more correlation
##! and derive new notices from the alerts.
@ -20,7 +20,7 @@ export {
## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
## a :zeek:type:`conn_id` value in the case that you might need to index
## into an existing data structure elsewhere within Bro.
## into an existing data structure elsewhere within Zeek.
global pid2cid: function(p: PacketID): conn_id;
}


@ -1,4 +1,4 @@
The scripts in this module are for deeper integration with the
Collective Intelligence Framework (CIF) since Bro's Intel framework
Collective Intelligence Framework (CIF) since Zeek's Intel framework
doesn't natively behave the same as CIF nor does it store and maintain
the same data in all cases.


@ -3,7 +3,7 @@
module Intel;
## These are some fields to add extended compatibility between Bro and the
## These are some fields to add extended compatibility between Zeek and the
## Collective Intelligence Framework.
redef record Intel::MetaData += {
## Maps to the Impact field in the Collective Intelligence Framework.


@ -25,7 +25,7 @@ export {
ts: time &log;
## The time delay between this measurement and the last.
ts_delta: interval &log;
## In the event that there are multiple Bro instances logging
## In the event that there are multiple Zeek instances logging
## to the same host, this distinguishes each peer with its
## individual name.
peer: string &log;


@ -1,6 +1,6 @@
##! This script dumps the events that Bro raises out to standard output in a
##! This script dumps the events that Zeek raises out to standard output in a
##! readable form. This is for debugging only and allows to understand events and
##! their parameters as Bro processes input. Note that it will show only events
##! their parameters as Zeek processes input. Note that it will show only events
##! for which a handler is defined.
module DumpEvents;


@ -1,5 +1,5 @@
##! This script implements the "Bro side" of several load balancing
##! approaches for Bro clusters.
##! This script implements the "Zeek side" of several load balancing
##! approaches for Zeek clusters.
@load base/frameworks/cluster
@load base/frameworks/packet-filter


@ -1,4 +1,4 @@
##! Turns on profiling of Bro resource consumption.
##! Turns on profiling of Zeek resource consumption.
module Profiling;


@ -100,7 +100,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
local ds = get_dns_stats();
if ( bro_is_terminating() )
# No more stats will be written or scheduled when Bro is
# No more stats will be written or scheduled when Zeek is
# shutting down.
return;


@ -1,4 +1,4 @@
##! This script logs hosts that Bro determines have performed complete TCP
##! This script logs hosts that Zeek determines have performed complete TCP
##! handshakes and logs the address once per day (by default). The log that
##! is output provides an easy way to determine a count of the IP addresses in
##! use on a network per day.
@ -22,7 +22,7 @@ export {
};
## Toggles between different implementations of this script.
## When true, use a Broker data store, else use a regular Bro set
## When true, use a Broker data store, else use a regular Zeek set
## with keys uniformly distributed over proxy nodes in cluster
## operation.
const use_host_store = T &redef;


@ -28,7 +28,7 @@ export {
};
## Toggles between different implementations of this script.
## When true, use a Broker data store, else use a regular Bro set
## When true, use a Broker data store, else use a regular Zeek set
## with keys uniformly distributed over proxy nodes in cluster
## operation.
const use_service_store = T &redef;


@ -10,7 +10,7 @@ export {
## Places where it's suspicious for mail to originate from represented
## as all-capital, two character country codes (e.g., US). It requires
## Bro to be built with GeoIP support.
## Zeek to be built with GeoIP support.
option suspicious_origination_countries: set[string] = {};
option suspicious_origination_networks: set[subnet] = {};


@ -26,7 +26,7 @@ export {
};
## Assuming that local mail servers are more trustworthy with the
## headers they insert into message envelopes, this default makes Bro
## headers they insert into message envelopes, this default makes Zeek
## not attempt to detect software in inbound message bodies. If mail
## coming in from external addresses gives incorrect data in
## the Received headers, it could populate your SOFTWARE logging stream


@ -32,7 +32,7 @@ export {
option cert_tracking = LOCAL_HOSTS;
## Toggles between different implementations of this script.
## When true, use a Broker data store, else use a regular Bro set
## When true, use a Broker data store, else use a regular Zeek set
## with keys uniformly distributed over proxy nodes in cluster
## operation.
const use_cert_store = T &redef;


@ -34,7 +34,7 @@ export {
&read_expire=5mins &redef;
## Use intermediate CA certificate caching when trying to validate
## certificates. When this is enabled, Bro keeps track of all valid
## certificates. When this is enabled, Zeek keeps track of all valid
## intermediate CA certificates that it has seen in the past. When
## encountering a host certificate that cannot be validated because
## of missing intermediate CA certificate, the cached list is used


@ -34,7 +34,7 @@ export {
logid: string;
## The timestamp at which this SCT was issued measured since the
## epoch (January 1, 1970, 00:00), ignoring leap seconds, in
## milliseconds. Not converted to a Bro timestamp because we need
## milliseconds. Not converted to a Zeek timestamp because we need
## the exact value for validation.
timestamp: count;
## The signature algorithm used for this sct.


@ -1,4 +1,4 @@
# This file loads ALL policy scripts that are part of the Bro distribution.
# This file loads ALL policy scripts that are part of the Zeek distribution.
#
# This is rarely makes sense, and is for testing only.
#


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include "Attr.h"
#include "Expr.h"


@ -1,4 +1,4 @@
#include "bro-config.h"
#include "zeek-config.h"
#include "Base64.h"
#include <math.h>


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include <algorithm>
#include <ctype.h>


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include "CCL.h"
#include "RE.h"


@ -348,24 +348,28 @@ set(bro_SRCS
collect_headers(bro_HEADERS ${bro_SRCS})
if ( bro_HAVE_OBJECT_LIBRARIES )
add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS})
target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
add_executable(zeek ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS})
target_link_libraries(zeek ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
else ()
add_executable(bro ${bro_SRCS} ${bro_HEADERS})
target_link_libraries(bro ${bro_SUBDIRS} ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
add_executable(zeek ${bro_SRCS} ${bro_HEADERS})
target_link_libraries(zeek ${bro_SUBDIRS} ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
endif ()
if ( NOT "${bro_LINKER_FLAGS}" STREQUAL "" )
set_target_properties(bro PROPERTIES LINK_FLAGS "${bro_LINKER_FLAGS}")
set_target_properties(zeek PROPERTIES LINK_FLAGS "${bro_LINKER_FLAGS}")
endif ()
install(TARGETS bro DESTINATION bin)
install(TARGETS zeek DESTINATION bin)
set(BRO_EXE bro
CACHE STRING "Bro executable binary" FORCE)
# Install wrapper script for Bro-to-Zeek renaming.
include(InstallSymlink)
InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro")
set(BRO_EXE_PATH ${CMAKE_CURRENT_BINARY_DIR}/bro
CACHE STRING "Path to Bro executable binary" FORCE)
set(BRO_EXE zeek
CACHE STRING "Zeek executable binary" FORCE)
set(BRO_EXE_PATH ${CMAKE_CURRENT_BINARY_DIR}/zeek
CACHE STRING "Path to Zeek executable binary" FORCE)
# Target to create all the autogenerated files.
add_custom_target(generate_outputs_stage1)
@ -384,12 +388,12 @@ add_dependencies(generate_outputs generate_outputs_stage2a generate_outputs_stag
# Build __load__.zeek files for standard *.bif.zeek.
bro_bif_create_loader(bif_loader "${bro_BASE_BIF_SCRIPTS}")
add_dependencies(bif_loader ${bro_SUBDIRS})
add_dependencies(bro bif_loader)
add_dependencies(zeek bif_loader)
# Build __load__.zeek files for plugins/*.bif.zeek.
bro_bif_create_loader(bif_loader_plugins "${bro_PLUGIN_BIF_SCRIPTS}")
add_dependencies(bif_loader_plugins ${bro_SUBDIRS})
add_dependencies(bro bif_loader_plugins)
add_dependencies(zeek bif_loader_plugins)
# Install *.bif.zeek.
install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base)
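Review bot: The new `InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro")` bakes an absolute link target computed at configure time; if InstallSymlink writes that string literally (its module is not visible here), the `bro` compatibility link breaks whenever the tree is relocated or staged through DESTDIR for packaging, and the hardcoded `bin` ignores any installer-chosen bin directory. A relative target such as `InstallSymlink("zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro")` survives relocation, and a comment should note that the link dangles unless `zeek-wrapper` is installed alongside it, which this hunk does not show. Separately, the renamed `target_link_libraries(zeek ...)` calls in both branches keep the keyword-less legacy signature; since these lines are being rewritten anyway, adding `PRIVATE` would make the link visibility explicit.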


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include "CompHash.h"
#include "Val.h"
@ -677,7 +677,7 @@ ListVal* CompositeHash::RecoverVals(const HashKey* k) const
loop_over_list(*tl, i)
{
Val* v;
Val* v = nullptr;
kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v, false);
ASSERT(v);
l->Append(v);
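Review bot: Initialising `Val* v = nullptr;` removes the maybe-uninitialized warning but does not remove the failure mode: the only check before `l->Append(v)` is `ASSERT(v)`, and if ASSERT is compiled out in non-debug builds, as it appears to be for this project, a RecoverOneVal() call that leaves v unset now appends a well-defined null pointer that later code will dereference. An unconditional check that fails loudly, `if ( ! v ) reporter->InternalError("CompositeHash::RecoverVals: value not recovered");`, keeps the problem visible in production builds where hash keys are derived from untrusted traffic. The loop and the enclosing function continue past the hunk.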


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include <ctype.h>


@ -1,6 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "zeek-config.h"
#include "EquivClass.h"
#include "DFA.h"
