Checkpoint

2025-10-16 13:38:19 +00:00 · 2013-03-13 22:55:03 -04:00 · 2013-03-13 22:55:03 -04:00 · 8778761c07
commit 8778761c07
parent 09cbaa7ccc
30 changed files with 833 additions and 848 deletions
--- a/scripts/policy/protocols/conn/conn-stats-per-host.bro
+++ b/scripts/policy/protocols/conn/conn-stats-per-host.bro
@ -1,6 +1,6 @@

@load base/protocols/conn
-@load base/frameworks/metrics
+@load base/frameworks/measurement

 event bro_init() &priority=5
 	{
--- a/scripts/policy/protocols/conn/metrics.bro
+++ b/scripts/policy/protocols/conn/metrics.bro
@ -1,4 +1,4 @@
-@load base/frameworks/metrics
+@load base/frameworks/measurement
@load base/utils/site

 event bro_init() &priority=3
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@ -1,6 +1,6 @@

@load base/protocols/ftp
-@load base/frameworks/metrics
+@load base/frameworks/measurement

@load base/utils/time

@ -19,7 +19,7 @@ export {

 	## The time period in which the threshold needs to be crossed before
 	## being reset.
-	const bruteforce_measurement_interval = 15mins;
+	const bruteforce_measurement_interval = 15mins &redef;
 }


@ -32,7 +32,8 @@ event bro_init()
 	                                        $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = 
 	                                        	{
 	                                        	local dur = duration_to_mins_secs(val$end-val$begin);
-	                                        	local message = fmt("%s had %d failed logins on %d FTP servers in %s", index$host, val$num, val$unique, dur);
+	                                        	local plural = val$unique>1 ? "s" : "";
+	                                        	local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur);
 	                                        	NOTICE([$note=FTP::Bruteforcing, 
 	                                        	        $src=index$host,
 	                                        	        $msg=message,
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@ -1,7 +1,7 @@
 ##! SQL injection attack detection in HTTP.

@load base/frameworks/notice
-@load base/frameworks/metrics
+@load base/frameworks/measurement
@load base/protocols/http

 module HTTP;
--- a/scripts/policy/protocols/smtp/metrics.bro
+++ b/scripts/policy/protocols/smtp/metrics.bro
@ -3,7 +3,7 @@
 ##!   "How much mail is being sent from each local mail server per hour?"

@load base/protocols/smtp
-@load base/frameworks/metrics
+@load base/frameworks/measurement
@load base/utils/site
@load base/utils/directions-and-hosts

--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@ -2,7 +2,7 @@
 ##! bruteforcing over SSH.

@load base/protocols/ssh
-@load base/frameworks/metrics
+@load base/frameworks/measurement
@load base/frameworks/notice
@load base/frameworks/intel

@ -54,8 +54,8 @@ event bro_init()
 	                                          	        $identifier=cat(index$host)]);
 	                                          	# Insert the guesser into the intel framework.
 	                                          	Intel::insert([$host=index$host,
-	                                          		           $meta=[$source="local", 
-	                                          		                  $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]);
+	                                          	               $meta=[$source="local", 
+	                                          	                      $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]);
 	                                          }]);
 	}