From 5904043e8572b17404026cf391755bfd3a2d74c1 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 22 Mar 2012 16:46:37 -0400
Subject: [PATCH 001/134] Modifications to the metrics framework API and new features.
- Metrics:ID enum has been replaced with strings.
- Uniqueness can now be measured with the Metrics::add_unique function.
- Filters can change the index value with the $normalize_func field.
---
 scripts/base/frameworks/metrics/cluster.bro | 30 +++---
 scripts/base/frameworks/metrics/main.bro | 112 +++++++++++++------
 2 files changed, 90 insertions(+), 52 deletions(-)
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro
index 4804bc5005..a17993cd27 100644
--- a/scripts/base/frameworks/metrics/cluster.bro
+++ b/scripts/base/frameworks/metrics/cluster.bro
@@ -27,29 +27,29 @@ export {
 ## Event sent by the manager in a cluster to initiate the
 ## collection of metrics values for a filter.
- global cluster_filter_request: event(uid: string, id: ID, filter_name: string);
+ global cluster_filter_request: event(uid: string, id: string, filter_name: string);
 ## Event sent by nodes that are collecting metrics after receiving
 ## a request for the metric filter from the manager.
- global cluster_filter_response: event(uid: string, id: ID, filter_name: string, data: MetricTable, done: bool);
+ global cluster_filter_response: event(uid: string, id: string, filter_name: string, data: MetricTable, done: bool);
 ## This event is sent by the manager in a cluster to initiate the
 ## collection of a single index value from a filter. It's typically
 ## used to get intermediate updates before the break interval triggers
 ## to speed detection of a value crossing a threshold.
- global cluster_index_request: event(uid: string, id: ID, filter_name: string, index: Index);
+ global cluster_index_request: event(uid: string, id: string, filter_name: string, index: Index);
 ## This event is sent by nodes in response to a
 ## :bro:id:`Metrics::cluster_index_request` event.
- global cluster_index_response: event(uid: string, id: ID, filter_name: string, index: Index, val: count);
+ global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, val: count);
 ## This is sent by workers to indicate that they crossed the percent of the
 ## current threshold by the percentage defined globally in
 ## :bro:id:`Metrics::cluster_request_global_view_percent`
- global cluster_index_intermediate_response: event(id: Metrics::ID, filter_name: string, index: Metrics::Index, val: count);
+ global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Metrics::Index, val: count);
 ## This event is scheduled internally on workers to send result chunks.
- global send_data: event(uid: string, id: ID, filter_name: string, data: MetricTable);
+ global send_data: event(uid: string, id: string, filter_name: string, data: MetricTable);
 }
@@ -65,7 +65,7 @@ global requested_results: table[string] of time = table() &create_expire=5mins;
 # This variable is maintained by manager nodes as they collect and aggregate
 # results.
-global filter_results: table[string, ID, string] of MetricTable &create_expire=5mins;
+global filter_results: table[string, string, string] of MetricTable &create_expire=5mins;
 # This variable is maintained by manager nodes to track how many "dones" they
 # collected per collection unique id. Once the number of results for a uid
@@ -76,7 +76,7 @@ global done_with: table[string] of count &create_expire=5mins &default=0;
 # This variable is maintained by managers to track intermediate responses as
 # they are getting a global view for a certain index.
-global index_requests: table[string, ID, string, Index] of count &create_expire=5mins &default=0;
+global index_requests: table[string, string, string, Index] of count &create_expire=5mins &default=0;
 # This variable is maintained by all hosts for different purposes. Non-managers
 # maintain it to know what indexes they have recently sent as intermediate
@@ -86,7 +86,7 @@ global index_requests: table[string, ID, string, Index] of count &create_expire=
 # an intermediate result has been received. The manager may optionally request
 # the index again before data expires from here if too many workers are crossing
 # the percentage threshold (not implemented yet!).
-global recent_global_view_indexes: table[ID, string, Index] of count &create_expire=5mins &default=0;
+global recent_global_view_indexes: table[string, string, Index] of count &create_expire=5mins &default=0;
 # Add events to the cluster framework to make this work.
 redef Cluster::manager2worker_events += /Metrics::cluster_(filter_request|index_request)/;
@@ -116,7 +116,7 @@ function data_added(filter: Filter, index: Index, val: count)
 }
 }
-event Metrics::send_data(uid: string, id: ID, filter_name: string, data: MetricTable)
+event Metrics::send_data(uid: string, id: string, filter_name: string, data: MetricTable)
 {
 #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid);
@@ -143,7 +143,7 @@ event Metrics::send_data(uid: string, id: ID, filter_name: string, data: MetricT
 event Metrics::send_data(uid, id, filter_name, data);
 }
-event Metrics::cluster_filter_request(uid: string, id: ID, filter_name: string)
+event Metrics::cluster_filter_request(uid: string, id: string, filter_name: string)
 {
 #print fmt("WORKER %s: received the cluster_filter_request event.", Cluster::node);
@@ -155,7 +155,7 @@ event Metrics::cluster_filter_request(uid: string, id: ID, filter_name: string)
 reset(filter_store[id, filter_name]);
 }
-event Metrics::cluster_index_request(uid: string, id: ID, filter_name: string, index: Index)
+event Metrics::cluster_index_request(uid: string, id: string, filter_name: string, index: Index)
 {
 local val=0;
 if ( index in store[id, filter_name] )
@@ -195,7 +195,7 @@ function data_added(filter: Filter, index: Index, val: count)
 do_notice(filter, index, val);
 }
-event Metrics::cluster_index_response(uid: string, id: ID, filter_name: string, index: Index, val: count)
+event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: count)
 {
 #print fmt("%0.6f MANAGER: receiving index data from %s", network_time(), get_event_peer()$descr);
@@ -216,7 +216,7 @@ event Metrics::cluster_index_response(uid: string, id: ID, filter_name: string,
 }
 # Managers handle intermediate updates here.
-event Metrics::cluster_index_intermediate_response(id: ID, filter_name: string, index: Index, val: count)
+event Metrics::cluster_index_intermediate_response(id: string, filter_name: string, index: Index, val: count)
 {
 #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr);
 #print fmt("MANAGER: requesting index data for %s", index2str(index));
@@ -226,7 +226,7 @@ event Metrics::cluster_index_intermediate_response(id: ID, filter_name: string,
 ++recent_global_view_indexes[id, filter_name, index];
 }
-event Metrics::cluster_filter_response(uid: string, id: ID, filter_name: string, data: MetricTable, done: bool)
+event Metrics::cluster_filter_response(uid: string, id: string, filter_name: string, data: MetricTable, done: bool)
 {
 #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr);
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index d322d128fe..e80054353a 100644
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -8,12 +8,6 @@ export {
 ## The metrics logging stream identifier.
 redef enum Log::ID += { LOG };
- ## Identifiers for metrics to collect.
- type ID: enum {
- ## Blank placeholder value.
- NOTHING,
- };
-
 ## The default interval used for "breaking" metrics and writing the
 ## current value to the logging stream.
 const default_break_interval = 15mins &redef;
@@ -23,12 +17,8 @@ export {
 const renotice_interval = 1hr &redef;
 ## Represents a thing which is having metrics collected for it. An instance
- ## of this record type and a :bro:type:`Metrics::ID` together represent a
- ## single measurement.
+ ## of this record type and an id together represent a single measurement.
 type Index: record {
- ## Host is the value to which this metric applies.
- host: addr &optional;
-
 ## A non-address related metric or a sub-key for an address based metric.
 ## An example might be successful SSH connections by client IP address
 ## where the client string would be the index value.
@@ -36,7 +26,10 @@ export {
 ## value in a Host header. This is an example of a non-host based
 ## metric since multiple IP addresses could respond for the same Host
 ## header value.
- str: string &optional;
+ str: string &optional;
+
+ ## Host is the value to which this metric applies.
+ host: addr &optional;
 ## The CIDR block that this metric applies to. This is typically
 ## only used internally for host based aggregation.
@@ -46,17 +39,19 @@ export {
 ## The record type that is used for logging metrics.
 type Info: record {
 ## Timestamp at which the metric was "broken".
- ts: time &log;
- ## What measurement the metric represents.
- metric_id: ID &log;
- ## The name of the filter being logged. :bro:type:`Metrics::ID` values
+ ts: time &log;
+ ## Interval between logging of this filter and the last time it was logged.
+ ts_delta: interval &log;
+ ## The name of the filter being logged. Values
 ## can have multiple filters which represent different perspectives on
 ## the data so this is necessary to understand the value.
- filter_name: string &log;
+ filter_name: string &log;
+ ## What measurement the metric represents.
+ metric_id: string &log;
 ## What the metric value applies to.
- index: Index &log;
+ index: Index &log;
 ## The simple numeric value of the metric.
- value: count &log;
+ value: count &log;
 };
 # TODO: configure a metrics filter logging stream to log the current
@@ -68,15 +63,19 @@ export {
 ## and logged or how the data within them is aggregated. It's also
 ## possible to disable logging and use filters for thresholding.
 type Filter: record {
- ## The :bro:type:`Metrics::ID` that this filter applies to.
- id: ID &optional;
 ## The name for this filter so that multiple filters can be
 ## applied to a single metrics to get a different view of the same
 ## metric data being collected (different aggregation, break, etc).
 name: string &default="default";
+ ## The :bro:type:`Metrics::ID` that this filter applies to.
+ id: string &optional;
 ## A predicate so that you can decide per index if you would like
 ## to accept the data being inserted.
 pred: function(index: Index): bool &optional;
+ ## A function to normalize the index. This can be used to normalize
+ ## any field in the index and is likely most useful to normalize
+ ## the $str field.
+ normalize_func: function(index: Index): Index &optional;
 ## Global mask by which you'd like to aggregate traffic.
 aggregation_mask: count &optional;
 ## This is essentially a mapping table between addresses and subnets.
@@ -111,7 +110,7 @@ export {
 ## id: The metric ID that the filter should be associated with.
 ##
 ## filter: The record representing the filter configuration.
- global add_filter: function(id: ID, filter: Filter);
+ global add_filter: function(id: string, filter: Filter);
 ## Add data into a :bro:type:`Metrics::ID`. This should be called when
 ## a script has measured some point value and is ready to increment the
@@ -122,7 +121,9 @@ export {
 ## index: The metric index that the value is to be added to.
 ##
 ## increment: How much to increment the counter by.
- global add_data: function(id: ID, index: Index, increment: count);
+ global add_data: function(id: string, index: Index, increment: count);
+
+ global add_unique: function(id: string, index: Index, data: string);
 ## Helper function to represent a :bro:type:`Metrics::Index` value as
 ## a simple string
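Review bot: The new `add_unique` declaration in the `@@ -122,7 +121,9` hunk is the only exported function here without a doc comment, while the neighbouring `add_data` documents every parameter. I'd add, in the file's `##` style, a block stating that it records `data` as one distinct value for `index` under metric `id`, that the logged `value` for such an index is the number of distinct strings seen during the break interval, and that it is not meant to be combined with `add_data` on the same id and index. The `:bro:type:` reference to `Metrics::ID` on the re-added `id: string &optional` line in the Filter hunk, and the one on the `## Add data into a` line above `add_data`, still point at the enum type this commit removes; both should say "metric id string" instead.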
@@ -141,19 +142,24 @@ export {
 ## Event to access metrics records as they are passed to the logging framework.
 global log_metrics: event(rec: Info);
+ ## Internal use only
+ type MetricMeasurement: record {
+ num: count &optional;
+ unique_vals: set[string] &optional;
+ };
 ## Type to store a table of metrics values. Interal use only!
- type MetricTable: table[Index] of count &default=0;
+ type MetricTable: table[Index] of MetricMeasurement;
 }
 redef record Notice::Info += {
 metric_index: Index &log &optional;
 };
-global metric_filters: table[ID] of vector of Filter = table();
-global filter_store: table[ID, string] of Filter = table();
+global metric_filters: table[string] of vector of Filter = table();
+global filter_store: table[string, string] of Filter = table();
 # This is indexed by metric ID and stream filter name.
-global store: table[ID, string] of MetricTable = table() &default=table();
+global store: table[string, string] of MetricTable = table() &default=table();
 # This function checks if a threshold has been crossed and generates a
 # notice if it has. It is also used as a method to implement
@@ -166,7 +172,7 @@ global data_added: function(filter: Filter, index: Index, val: count);
 # This stores the current threshold index for filters using the
 # $notice_threshold and $notice_thresholds elements.
-global thresholds: table[ID, string, Index] of count = {} &create_expire=renotice_interval &default=0;
+global thresholds: table[string, string, Index] of count = {} &create_expire=renotice_interval &default=0;
 event bro_init() &priority=5
 {
@@ -189,8 +195,13 @@ function write_log(ts: time, filter: Filter, data: MetricTable)
 {
 for ( index in data )
 {
- local val = data[index];
+ local val = 0;
+ if ( data[index]?$unique_vals )
+ val = |data[index]$unique_vals|;
+ else
+ val = data[index]$num;
 local m: Info = [$ts=ts,
+ $ts_delta=filter$break_interval,
 $metric_id=filter$id,
 $filter_name=filter$name,
 $index=index,
@@ -207,7 +218,7 @@ function reset(filter: Filter)
 store[filter$id, filter$name] = table();
 }
-function add_filter(id: ID, filter: Filter)
+function add_filter(id: string, filter: Filter)
 {
 if ( filter?$aggregation_table && filter?$aggregation_mask )
 {
@@ -237,8 +248,8 @@ function add_filter(id: ID, filter: Filter)
 schedule filter$break_interval { Metrics::log_it(filter) };
 }
-
-function add_data(id: ID, index: Index, increment: count)
+
+function add_it(id: string, index: Index, integer_value: bool, num: count, str: string)
 {
 if ( id !in metric_filters )
 return;
@@ -257,6 +268,11 @@ function add_data(id: ID, index: Index, increment: count)
 if ( index?$host )
 {
+ if ( filter?$normalize_func )
+ {
+ index = filter$normalize_func(copy(index));
+ }
+
 if ( filter?$aggregation_mask )
 {
 index$network = mask_addr(index$host, filter$aggregation_mask);
@@ -274,14 +290,36 @@ function add_data(id: ID, index: Index, increment: count)
 }
 local metric_tbl = store[id, filter$name];
- if ( index !in metric_tbl )
- metric_tbl[index] = 0;
- metric_tbl[index] += increment;
-
- data_added(filter, index, metric_tbl[index]);
+ if ( integer_value )
+ {
+ if ( index !in metric_tbl )
+ metric_tbl[index] = [$num=0];
+ metric_tbl[index]$num += num;
+ data_added(filter, index, metric_tbl[index]$num);
+ }
+ else
+ {
+ if ( index !in metric_tbl )
+ {
+ local empty_ss: set[string] = set();
+ metric_tbl[index] = [$unique_vals=empty_ss];
+ }
+ add metric_tbl[index]$unique_vals[str];
+ data_added(filter, index, |metric_tbl[index]$unique_vals|);
+ }
 }
 }
+function add_data(id: string, index: Index, increment: count)
+ {
+ add_it(id, index, T, increment, "");
+ }
+
+function add_unique(id: string, index: Index, data: string)
+ {
+ add_it(id, index, F, 0, data);
+ }
+
 function check_notice(filter: Filter, index: Index, val: count): bool
 {
 if ( (filter?$notice_threshold &&
From 6600e62ea386d7801e52a3646c5761df7f10cba0 Mon Sep 17 00:00:00 2001
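Review bot: In the `@@ -257,6 +268,11` hunk the `normalize_func` call sits inside `if ( index?$host )`, so an index that carries only `$str` is never normalized, although the field's documentation says normalizing `$str` is its main use. Move the `if ( filter?$normalize_func )` block above the `if ( index?$host )` check so it runs for every accepted index; `add_it`'s body begins and ends outside this hunk. Separately, in the `@@ -274,14 +290,36` hunk, `metric_tbl[index]$num += num` and `add metric_tbl[index]$unique_vals[str]` each assume the existing entry was created by the same kind of call: if `add_data` and `add_unique` are both used on one id and index, the second one reads an unset optional field at runtime. Either guard with `metric_tbl[index]?$num` / `metric_tbl[index]?$unique_vals` and initialize the missing field, or document that the two calls must not be mixed per metric.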
From: Seth Hall
Date: Wed, 28 Mar 2012 11:39:27 -0400
Subject: [PATCH 002/134] Ported scripts using metrics framework and added a new smtp script.
- New script measures a couple of aspects of SMTP traffic.
- Existing metrics scripts had a small amount of work done to make them work with changes to metrics framework.
---
 scripts/base/frameworks/metrics/main.bro | 13 ++++----
 .../frameworks/metrics/conn-example.bro | 16 ++++------
 scripts/policy/protocols/http/detect-sqli.bro | 27 ++++++----------
 scripts/policy/protocols/smtp/metrics.bro | 32 +++++++++++++++++++
 .../protocols/ssh/detect-bruteforcing.bro | 17 ++++------
 5 files changed, 61 insertions(+), 44 deletions(-)
 create mode 100644 scripts/policy/protocols/smtp/metrics.bro
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index e80054353a..e5ed63dccd 100644
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -36,6 +36,12 @@ export {
 network: subnet &optional;
 } &log;
+ ## Represents data being added for a single metric data point. Used internally.
+ type DataPoint: record {
+ num: count &optional;
+ unique_vals: set[string] &optional;
+ };
+
 ## The record type that is used for logging metrics.
 type Info: record {
 ## Timestamp at which the metric was "broken".
@@ -142,13 +148,8 @@ export {
 ## Event to access metrics records as they are passed to the logging framework.
 global log_metrics: event(rec: Info);
- ## Internal use only
- type MetricMeasurement: record {
- num: count &optional;
- unique_vals: set[string] &optional;
- };
 ## Type to store a table of metrics values. Interal use only!
- type MetricTable: table[Index] of MetricMeasurement;
+ type MetricTable: table[Index] of DataPoint;
 }
 redef record Notice::Info += {
diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro
index 974012963b..00c82f840d 100644
--- a/scripts/policy/frameworks/metrics/conn-example.bro
+++ b/scripts/policy/frameworks/metrics/conn-example.bro
@@ -4,22 +4,18 @@
 @load base/frameworks/metrics
 @load base/utils/site
-redef enum Metrics::ID += {
- CONNS_ORIGINATED,
- CONNS_RESPONDED
-};
-
 event bro_init()
 {
- Metrics::add_filter(CONNS_ORIGINATED, [$aggregation_mask=24, $break_interval=1mins]);
+ #Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]);
+ Metrics::add_filter("conns.originated", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
+
 # Site::local_nets must be defined in order for this to actually do anything.
- Metrics::add_filter(CONNS_RESPONDED, [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
+ Metrics::add_filter("conns.responded", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
 }
 event connection_established(c: connection)
 {
- Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1);
- Metrics::add_data(CONNS_RESPONDED, [$host=c$id$resp_h], 1);
+ Metrics::add_data("conns.originated", [$host=c$id$orig_h], 1);
+ Metrics::add_data("conns.responded", [$host=c$id$resp_h], 1);
 }
-
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index a92565c63a..193a4b9614 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -15,13 +15,6 @@ export {
 SQL_Injection_Victim,
 };
- redef enum Metrics::ID += {
- ## Metric to track SQL injection attackers.
- SQLI_ATTACKER,
- ## Metrics to track SQL injection victims.
- SQLI_VICTIM,
- };
-
 redef enum Tags += {
 ## Indicator of a URI based SQL injection attack.
 URI_SQLI,
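Review bot: The commented-out `#Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]);` line added to `conn-example.bro` is dead code in a script whose purpose is to be copied by readers; either drop it or make it a real comment explaining that `$aggregation_mask` is the alternative to `$aggregation_table` when `Site::local_nets` is not configured. The `# Site::local_nets must be defined in order for this to actually do anything.` remark now applies to both filters, since both use `Site::local_nets_table`, so it reads better placed above the first `add_filter` call.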
@@ -58,14 +51,14 @@ event bro_init() &priority=3
 # determine when it looks like an actual attack and how to respond when
 # thresholds are crossed.
- Metrics::add_filter(SQLI_ATTACKER, [$log=F,
- $notice_threshold=sqli_requests_threshold,
- $break_interval=sqli_requests_interval,
- $note=SQL_Injection_Attacker]);
- Metrics::add_filter(SQLI_VICTIM, [$log=F,
- $notice_threshold=sqli_requests_threshold,
- $break_interval=sqli_requests_interval,
- $note=SQL_Injection_Victim]);
+ Metrics::add_filter("http.sqli.attacker", [$log=F,
+ $notice_threshold=sqli_requests_threshold,
+ $break_interval=sqli_requests_interval,
+ $note=SQL_Injection_Attacker]);
+ Metrics::add_filter("http.sqli.victim", [$log=F,
+ $notice_threshold=sqli_requests_threshold,
+ $break_interval=sqli_requests_interval,
+ $note=SQL_Injection_Victim]);
 }
 event http_request(c: connection, method: string, original_URI: string,
@@ -75,7 +68,7 @@ event http_request(c: connection, method: string, original_URI: string,
 {
 add c$http$tags[URI_SQLI];
- Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
- Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
+ Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], 1);
+ Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], 1);
 }
 }
diff --git a/scripts/policy/protocols/smtp/metrics.bro b/scripts/policy/protocols/smtp/metrics.bro
new file mode 100644
index 0000000000..c3d1bb1e20
--- /dev/null
+++ b/scripts/policy/protocols/smtp/metrics.bro
@@ -0,0 +1,32 @@
+##! This script is meant to answer the following questions...
+##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?"
+##! "How much mail is being sent from each local mail server per hour?"
+
+@load base/frameworks/metrics
+
+module SMTPMetrics;
+
+export {
+ ## Define the break intervals for all of the metrics collected and logged by this script.
+ const breaks = 1hr &redef;
+}
+
+event bro_init() &priority=5
+ {
+ Metrics::add_filter("smtp.mailfrom", [$pred(index: Metrics::Index) = {
+ return addr_matches_host(index$host, LOCAL_HOSTS); },
+ $break_interval=breaks]);
+ Metrics::add_filter("smtp.messages", [$pred(index: Metrics::Index) = {
+ return addr_matches_host(index$host, LOCAL_HOSTS); },
+ $break_interval=breaks]);
+ }
+
+event SMTP::log_smtp(rec: SMTP::Info)
+ {
+ Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], 1);
+
+ if ( rec?$mailfrom )
+ Metrics::add_unique("smtp.mailfrom", [$host=rec$id$orig_h], rec$mailfrom);
+ }
+
+
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
index aa6e920c12..7939f00c72 100644
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@@ -20,11 +20,6 @@ export {
 Login_By_Password_Guesser,
 };
- redef enum Metrics::ID += {
- ## Metric is to measure failed logins.
- FAILED_LOGIN,
- };
-
 ## The number of failed SSH connections before a host is designated as
 ## guessing passwords.
 const password_guesses_limit = 30 &redef;
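Review bot: Both `$pred` closures in the new `scripts/policy/protocols/smtp/metrics.bro` read `index$host` without first checking `index?$host`; a filter is keyed by the metric id, so any other script adding data to `smtp.mailfrom` or `smtp.messages` with a `$str`-only index would hit an unset optional field at runtime. `return index?$host && addr_matches_host(index$host, LOCAL_HOSTS);` keeps the intent and rejects such indexes instead. The header comment should also say that `add_unique` keeps every distinct `MAIL FROM` string per local server in memory for the whole `breaks` interval and that the cluster events carry that `MetricTable` to the manager, so a local host emitting many distinct envelope senders grows memory in proportion to them for an hour; `breaks` is the only knob this script offers for that.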
@@ -46,11 +41,11 @@ export {
 event bro_init()
 {
- Metrics::add_filter(FAILED_LOGIN, [$name="detect-bruteforcing", $log=F,
- $note=Password_Guessing,
- $notice_threshold=password_guesses_limit,
- $notice_freq=1hr,
- $break_interval=guessing_timeout]);
+ Metrics::add_filter("ssh.login.failure", [$name="detect-bruteforcing", $log=F,
+ $note=Password_Guessing,
+ $notice_threshold=password_guesses_limit,
+ $notice_freq=1hr,
+ $break_interval=guessing_timeout]);
 }
 event SSH::heuristic_successful_login(c: connection)
@@ -75,5 +70,5 @@ event SSH::heuristic_failed_login(c: connection)
 # be ignored.
 if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) )
- Metrics::add_data(FAILED_LOGIN, [$host=id$orig_h], 1);
+ Metrics::add_data("ssh.login.failure", [$host=id$orig_h], 1);
 }
From 47f58e6340b81b4573d9cbdb0988799f317b23a4 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 28 Mar 2012 14:00:59 -0400
Subject: [PATCH 003/134] Cluster support for the metrics framework returns and all tests work again.
---
 scripts/base/frameworks/metrics/cluster.bro | 31 +++++++++----------
 scripts/base/frameworks/metrics/main.bro | 26 ++++++++++++++++
 .../manager-1.metrics.log | 10 +++---
 .../metrics.log | 10 +++---
 .../manager-1.notice.log | 6 ++--
 .../notice.log | 8 ++---
 .../base/frameworks/metrics/basic-cluster.bro | 16 ++++------
 .../scripts/base/frameworks/metrics/basic.bro | 12 +++----
 .../metrics/cluster-intermediate-update.bro | 12 +++----
 .../base/frameworks/metrics/notice.bro | 12 +++----
 10 files changed, 76 insertions(+), 67 deletions(-)
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro
index a17993cd27..03bbcdf584 100644
--- a/scripts/base/frameworks/metrics/cluster.bro
+++ b/scripts/base/frameworks/metrics/cluster.bro
@@ -41,7 +41,7 @@ export {
 ## This event is sent by nodes in response to a
 ## :bro:id:`Metrics::cluster_index_request` event.
- global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, val: count);
+ global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, data: DataPoint);
 ## This is sent by workers to indicate that they crossed the percent of the
 ## current threshold by the percentage defined globally in
@@ -76,7 +76,7 @@ global done_with: table[string] of count &create_expire=5mins &default=0;
 # This variable is maintained by managers to track intermediate responses as
 # they are getting a global view for a certain index.
-global index_requests: table[string, string, string, Index] of count &create_expire=5mins &default=0;
+global index_requests: table[string, string, string, Index] of DataPoint &create_expire=5mins &default=[];
 # This variable is maintained by all hosts for different purposes. Non-managers
 # maintain it to know what indexes they have recently sent as intermediate
@@ -157,12 +157,12 @@ event Metrics::cluster_filter_request(uid: string, id: string, filter_name: stri
 event Metrics::cluster_index_request(uid: string, id: string, filter_name: string, index: Index)
 {
- local val=0;
+ local data: DataPoint;
 if ( index in store[id, filter_name] )
- val = store[id, filter_name][index];
+ data = store[id, filter_name][index];
 # fmt("WORKER %s: received the cluster_index_request event for %s=%d.", Cluster::node, index2str(index), val);
- event Metrics::cluster_index_response(uid, id, filter_name, index, val);
+ event Metrics::cluster_index_response(uid, id, filter_name, index, data);
 }
 @endif
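Review bot: The disabled debug line `# fmt("WORKER %s: received the cluster_index_request event for %s=%d.", Cluster::node, index2str(index), val);` in the `@@ -157,12 +157,12` hunk still names `val`, which this hunk replaces with `data: DataPoint`, so it would no longer compile if someone re-enabled it. Either drop it or update it to something that can be printed from the new record, e.g. `# print fmt("WORKER %s: received the cluster_index_request event for %s.", Cluster::node, index2str(index));`. Note also that when the index is absent from the worker's store, `data` is sent with neither `$num` nor `$unique_vals` set; the manager side has to be prepared for that.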
@@ -195,21 +195,19 @@ function data_added(filter: Filter, index: Index, val: count)
 do_notice(filter, index, val);
 }
-event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: count)
+event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, data: DataPoint)
 {
 #print fmt("%0.6f MANAGER: receiving index data from %s", network_time(), get_event_peer()$descr);
-
- if ( [uid, id, filter_name, index] !in index_requests )
- index_requests[uid, id, filter_name, index] = 0;
- index_requests[uid, id, filter_name, index] += val;
+ index_requests[uid, id, filter_name, index] = merge_data_points(index_requests[uid, id, filter_name, index], data);
 local ir = index_requests[uid, id, filter_name, index];
 ++done_with[uid];
 if ( Cluster::worker_count == done_with[uid] )
 {
- if ( check_notice(filter_store[id, filter_name], index, ir) )
- do_notice(filter_store[id, filter_name], index, ir);
+ local size = ir?$num ? ir$num : |ir$unique_vals|;
+ if ( check_notice(filter_store[id, filter_name], index, size) )
+ do_notice(filter_store[id, filter_name], index, size);
 delete done_with[uid];
 delete index_requests[uid, id, filter_name, index];
 }
@@ -233,12 +231,13 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str
 local local_data = filter_results[uid, id, filter_name];
 for ( index in data )
 {
- if ( index !in local_data )
- local_data[index] = 0;
- local_data[index] += data[index];
+ if ( index in local_data )
+ local_data[index] = merge_data_points(local_data[index], data[index]);
+ else
+ local_data[index] = data[index];
 }
- # Mark another worker as being "done" for this uid.
+ # Mark another worker as being "done" for this uid.
 if ( done )
 ++done_with[uid];
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index e5ed63dccd..0e2496ef16 100644
--- a/scripts/base/frameworks/metrics/main.bro
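Review bot: `local size = ir?$num ? ir$num : |ir$unique_vals|;` in the `cluster_index_response` hunk reads `$unique_vals` whenever `$num` is absent, but `ir` can have neither field: `index_requests` now defaults to an empty `[]`, a worker whose store lacks the index (the `@@ -157,12 +157,12` hunk) sends a `DataPoint` with nothing set, and `merge_data_points` of such inputs leaves both fields unset, so the threshold check would fail on an unset optional field. `local size = ir?$num ? ir$num : (ir?$unique_vals ? |ir$unique_vals| : 0);` covers that case. In the `cluster_filter_response` hunk the merge runs once per worker per index and rebuilds the accumulated set each time; that is fine for small sets, but a one-line comment that the cost grows with the number of distinct values collected would save the next reader from rediscovering it.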
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -192,6 +192,32 @@ function index2str(index: Index): string
 return fmt("metric_index(%s)", out);
 }
+function merge_data_points(dp1: DataPoint, dp2: DataPoint): DataPoint
+ {
+ local result: DataPoint;
+ if ( dp1?$num || dp2?$num )
+ {
+ result$num = 0;
+ if ( dp1?$num )
+ result$num += dp1$num;
+ if ( dp2?$num )
+ result$num += dp2$num;
+ }
+
+ if ( dp1?$unique_vals || dp2?$unique_vals )
+ {
+ result$unique_vals = set();
+ if ( dp1?$unique_vals )
+ for ( val1 in dp1$unique_vals )
+ add result$unique_vals[val1];
+ if ( dp2?$unique_vals )
+ for ( val2 in dp2$unique_vals )
+ add result$unique_vals[val2];
+ }
+
+ return result;
+ }
+
 function write_log(ts: time, filter: Filter, data: MetricTable)
 {
 for ( index in data )
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
index a22deb26e4..26ee55e20f 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path metrics
-#fields ts metric_id filter_name index.host index.str index.network value
-#types time enum string addr string subnet count
-1328303679.867377 TEST_METRIC foo-bar 6.5.4.3 - - 4
-1328303679.867377 TEST_METRIC foo-bar 7.2.1.5 - - 2
-1328303679.867377 TEST_METRIC foo-bar 1.2.3.4 - - 6
+#fields ts ts_delta filter_name metric_id index.str index.host index.network value
+#types time interval string string string addr subnet count
+1332957065.172883 3.000000 foo-bar test.metric - 6.5.4.3 - 4
+1332957065.172883 3.000000 foo-bar test.metric - 1.2.3.4 - 6
+1332957065.172883 3.000000 foo-bar test.metric - 7.2.1.5 - 2
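Review bot: `merge_data_points` is new and has no comment, yet both cluster.bro callers depend on its exact contract, so a `#` block above it should state that `$num` is the sum whenever either input carries it, `$unique_vals` is the set union whenever either input carries it, and the result legitimately has neither field when both inputs are empty, which callers must check before taking `|result$unique_vals|`. It should also note that a fresh record is returned and neither `dp1` nor `dp2` is modified, which is why the union rebuilds the whole set instead of adding `dp2`'s values into `dp1`.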
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
index 4bfb6964ea..7c625fea5b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path metrics
-#fields ts metric_id filter_name index.host index.str index.network value
-#types time enum string addr string subnet count
-1328303763.333948 TEST_METRIC foo-bar 6.5.4.3 - - 2
-1328303763.333948 TEST_METRIC foo-bar 7.2.1.5 - - 1
-1328303763.333948 TEST_METRIC foo-bar 1.2.3.4 - - 3
+#fields ts ts_delta filter_name metric_id index.str index.host index.network value
+#types time interval string string string addr subnet count
+1332956138.267655 3.000000 foo-bar test.metric - 6.5.4.3 - 2
+1332956138.267655 3.000000 foo-bar test.metric - 1.2.3.4 - 3
+1332956138.267655 3.000000 foo-bar test.metric - 7.2.1.5 - 1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
index 59d70896fb..d5af4008d0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
@@ -3,6 +3,6 @@
 #empty_field (empty)
 #unset_field -
 #path notice
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
-#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
-1325633225.777902 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - -
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.str metric_index.host metric_index.network
+#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double string addr subnet
+1332957572.934499 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - 1.2.3.4 -
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
index 58346b79e6..bb25f5b0ea 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path notice -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1325633274.875473 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - - -1325633274.875473 - - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 6.5.4.3 - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.str metric_index.host metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double string addr subnet +1332956197.821031 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - 1.2.3.4 - +1332956197.821031 - - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - 6.5.4.3 - diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro index b801074b33..425c91fb53 100644 
--- a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro @@ -10,8 +10,8 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], }; @@ -19,20 +19,16 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs; -redef enum Metrics::ID += { - TEST_METRIC, -}; - event bro_init() &priority=5 { - Metrics::add_filter(TEST_METRIC, + Metrics::add_filter("test.metric", [$name="foo-bar", $break_interval=3secs]); if ( Cluster::local_node_type() == Cluster::WORKER ) { - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); + Metrics::add_data("test.metric", [$host=1.2.3.4], 3); + Metrics::add_data("test.metric", [$host=6.5.4.3], 2); + Metrics::add_data("test.metric", [$host=7.2.1.5], 1); } } diff --git a/testing/btest/scripts/base/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro index 43e7ac28ef..23a79d2bd3 100644 --- a/testing/btest/scripts/base/frameworks/metrics/basic.bro +++ b/testing/btest/scripts/base/frameworks/metrics/basic.bro 
@@ -1,16 +1,12 @@ # @TEST-EXEC: bro %INPUT # @TEST-EXEC: btest-diff metrics.log -redef enum Metrics::ID += { - TEST_METRIC, -}; - event bro_init() &priority=5 { - Metrics::add_filter(TEST_METRIC, + Metrics::add_filter("test.metric", [$name="foo-bar", $break_interval=3secs]); - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); + Metrics::add_data("test.metric", [$host=1.2.3.4], 3); + Metrics::add_data("test.metric", [$host=6.5.4.3], 2); + Metrics::add_data("test.metric", [$host=7.2.1.5], 1); } diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro index 701d2ea378..f442a100f0 100644 --- a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro @@ -10,8 +10,8 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], }; 
@@ -23,13 +23,9 @@ redef enum Notice::Type += { Test_Notice, }; -redef enum Metrics::ID += { - TEST_METRIC, -}; - event bro_init() &priority=5 { - Metrics::add_filter(TEST_METRIC, + Metrics::add_filter("test.metric", [$name="foo-bar", $break_interval=1hr, $note=Test_Notice, @@ -44,7 +40,7 @@ event do_metrics(i: count) # Worker-1 will trigger an intermediate update and then if everything # works correctly, the data from worker-2 will hit the threshold and # should trigger the notice. - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], i); + Metrics::add_data("test.metric", [$host=1.2.3.4], i); } event bro_init() diff --git a/testing/btest/scripts/base/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro index 0ac9faa956..1ed11a968c 100644 --- a/testing/btest/scripts/base/frameworks/metrics/notice.bro +++ b/testing/btest/scripts/base/frameworks/metrics/notice.bro @@ -6,19 +6,15 @@ redef enum Notice::Type += { Test_Notice, }; -redef enum Metrics::ID += { - TEST_METRIC, -}; - event bro_init() &priority=5 { - Metrics::add_filter(TEST_METRIC, + Metrics::add_filter("test.metric", [$name="foo-bar", $break_interval=3secs, $note=Test_Notice, $notice_threshold=2, $log=F]); - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); + Metrics::add_data("test.metric", [$host=1.2.3.4], 3); + Metrics::add_data("test.metric", [$host=6.5.4.3], 2); + Metrics::add_data("test.metric", [$host=7.2.1.5], 1); } From df6a1800233721b78c8ca8c5ac720a5cea8390cf Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Wed, 28 Mar 2012 15:52:20 -0400 Subject: [PATCH 004/134] Some scripts for collecting connection stats and "app" stats. - App stats are considered stats for applications on the internet. Services like facebook, youtube, etc. --- scripts/policy/misc/app-metrics.bro | 75 +++++++++++++++++++++++ scripts/policy/protocols/conn/metrics.bro | 21 +++++++ 2 files changed, 96 insertions(+) create mode 100644 scripts/policy/misc/app-metrics.bro create mode 100644 scripts/policy/protocols/conn/metrics.bro diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro new file mode 100644 index 0000000000..40b8264233 --- /dev/null +++ b/scripts/policy/misc/app-metrics.bro 
@@ -0,0 +1,75 @@ +@load base/protocols/http +@load base/protocols/ssl + +@load base/frameworks/metrics + +module AppMetrics; + +event bro_init() &priority=3 + { + Metrics::add_filter("apps.bytes", [$break_interval=1hr]); + Metrics::add_filter("apps.views", [$break_interval=1hr]); + Metrics::add_filter("apps.users", [$break_interval=1hr]); + } + +function do_metric(id: conn_id, hostname: string, size: count) + { + if ( /youtube/ in hostname && size > 512*1024 ) + { + Metrics::add_data("apps.bytes", [$str="youtube"], size); + Metrics::add_data("apps.views", [$str="youtube"], 1); + Metrics::add_unique("apps.users", [$str="youtube"], cat(id$orig_h)); + } + else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 ) + { + Metrics::add_data("apps.bytes", [$str="facebook"], size); + Metrics::add_data("apps.views", [$str="facebook"], 1); + Metrics::add_unique("apps.users", [$str="facebook"], cat(id$orig_h)); + } + else if ( /google.com/ in hostname && size > 20 ) + { + Metrics::add_data("apps.bytes", [$str="google"], size); + Metrics::add_data("apps.views", [$str="google"], 1); + Metrics::add_unique("apps.users", [$str="google"], cat(id$orig_h)); + } + else if ( /nflximg.com/ in hostname && size > 200*1024 ) + { + Metrics::add_data("apps.bytes", [$str="netflix"], size); + Metrics::add_data("apps.views", [$str="netflix"], 1); + Metrics::add_unique("apps.users", [$str="netflix"], cat(id$orig_h)); + } + else if ( /pandora.com/ in hostname && size > 512*1024 ) + { + Metrics::add_data("apps.bytes", [$str="pandora"], size); + Metrics::add_data("apps.views", [$str="pandora"], 1); + Metrics::add_unique("apps.users", [$str="pandora"], cat(id$orig_h)); + } + else if ( /gmail.com/ in hostname && size > 20 ) + { + Metrics::add_data("apps.bytes", [$str="gmail"], size); + Metrics::add_data("apps.views", [$str="gmail"], 1); + Metrics::add_unique("apps.users", [$str="gmail"], cat(id$orig_h)); + } +} + +redef record connection += { + resp_hostname: string &optional; +}; + +event 
ssl_established(c: connection) + { + if ( c?$ssl && c$ssl?$server_name ) + c$resp_hostname = c$ssl$server_name; + } + +event connection_finished(c: connection) + { + if ( c?$resp_hostname ) + do_metric(c$id, c$resp_hostname, c$resp$num_bytes_ip); + } + +event HTTP::log_http(rec: HTTP::Info) + { + if( rec?$host ) + do_metric(rec$id, rec$host, rec$response_body_len); + } diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro new file mode 100644 index 0000000000..910ae4aa6e --- /dev/null +++ b/scripts/policy/protocols/conn/metrics.bro @@ -0,0 +1,21 @@ +@load base/frameworks/metrics + +event bro_init() &priority=3 + { + Metrics::add_filter("conns.country", [$break_interval=1hr]); + Metrics::add_filter("hosts.active", [$break_interval=1hr]); + } + +event connection_established(c: connection) &priority=3 + { + if ( Site::is_local_addr(c$id$orig_h) ) + { + local loc = lookup_location(c$id$resp_h); + if ( loc?$country_code ) + Metrics::add_data("conns.country", [$str=loc$country_code], 1); + } + + local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h; + # There is no index for this. + Metrics::add_unique("hosts.active", [], cat(the_host)); + } From 77694cc88479b2f16e6d9c5bce2f8522eaefcb85 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 28 Mar 2012 16:06:09 -0400 Subject: [PATCH 005/134] The app metrics break interval is now configurable. --- scripts/policy/misc/app-metrics.bro | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index 40b8264233..5cb108ea73 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro 
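Review bot: The hostname that do_metric classifies is client-supplied in both callers (the HTTP Host header via `rec$host`, the TLS SNI via `c$ssl$server_name`), and the patterns are unanchored with unescaped dots, so `/google.com/` also matches `google.com.attacker.example` or `notgoogle.com` and any client can inflate or mislabel the apps.* counters at will. Anchoring each pattern to the end of the hostname and escaping the dots makes the match depend on the domain actually named, e.g. `else if ( /(^|\.)google\.com$/ in hostname && size > 20 )`, with the same change for the youtube, facebook/fbcdn, nflximg, pandora and gmail arms. Even then the name is what the client claims rather than what it reached, so a comment above do_metric such as `# hostname is client-supplied (Host header / SNI): treat these counts as indicative, not authoritative` would set expectations for anyone reading the resulting logs. Minor: the closing brace of do_metric sits at column 0 while the rest of the file indents braces by one level.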
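Review bot: `Site::is_local_addr(c$id$orig_h)` is evaluated twice in connection_established, and when neither endpoint is local the fallback silently records `c$id$resp_h` as an active host, so hosts.active can include remote peers on traffic that merely transits the monitored link. Computing the test once and only counting a host when at least one side is local keeps the metric to what its name suggests: `local orig_local = Site::is_local_addr(c$id$orig_h);` and then `if ( orig_local || Site::is_local_addr(c$id$resp_h) ) Metrics::add_unique("hosts.active", [], cat(orig_local ? c$id$orig_h : c$id$resp_h));`. Whether non-local/non-local traffic is expected here depends on the deployment, so this may be intentional; a one-line comment stating the intent would settle it either way. As far as I can tell connection_established is raised only for TCP, so UDP-only hosts and their countries never appear in these metrics, which is also worth a comment if it is deliberate.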
@@ -5,11 +5,16 @@ module AppMetrics; +export { + ## The metric break interval for the default stats collected by this script. + const break_interval = 1hr &redef; +} + event bro_init() &priority=3 { - Metrics::add_filter("apps.bytes", [$break_interval=1hr]); - Metrics::add_filter("apps.views", [$break_interval=1hr]); - Metrics::add_filter("apps.users", [$break_interval=1hr]); + Metrics::add_filter("apps.bytes", [$break_interval=break_interval]); + Metrics::add_filter("apps.views", [$break_interval=break_interval]); + Metrics::add_filter("apps.users", [$break_interval=break_interval]); } function do_metric(id: conn_id, hostname: string, size: count) From 6e0d15b55e7aeb6084a75402079e6255015939dd Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Thu, 31 May 2012 10:32:18 -0700 Subject: [PATCH 006/134] basic sqlite writer seems to work. does not support table and vector types because SQLite has no support for arrays. also does not support rotation, etc. Not really tested thoroughly - but starting bro with Log::default_writer=Log::WRITER_SQLITE yields a couple of sqlite files that seem to contain sensible stuff. --- src/CMakeLists.txt | 1 + src/logging/Manager.cc | 9 + src/logging/writers/SQLite.cc | 331 ++++++++++++++++++++++++++++++++++ src/logging/writers/SQLite.h | 53 ++++++ src/types.bif | 1 + 5 files changed, 395 insertions(+) create mode 100644 src/logging/writers/SQLite.cc create mode 100644 src/logging/writers/SQLite.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 6a68d1e7c5..a59509abdd 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -419,6 +419,7 @@ set(bro_SRCS logging/WriterFrontend.cc logging/writers/Ascii.cc logging/writers/DataSeries.cc + logging/writers/SQLite.cc logging/writers/None.cc input/Manager.cc diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index baf832e6a9..32cea88b9b 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc 
@@ -21,6 +21,12 @@ #include "writers/DataSeries.h" #endif +#define USE_SQLITE 1 + +#ifdef USE_SQLITE +#include "writers/SQLite.h" +#endif + using namespace logging; // Structure describing a log writer type. @@ -38,6 +44,9 @@ WriterDefinition log_writers[] = { #ifdef USE_DATASERIES { BifEnum::Log::WRITER_DATASERIES, "DataSeries", 0, writer::DataSeries::Instantiate }, #endif +#ifdef USE_SQLITE + { BifEnum::Log::WRITER_SQLITE, "SQLite", 0, writer::SQLite::Instantiate }, +#endif // End marker, don't touch. { BifEnum::Log::WRITER_DEFAULT, "None", 0, (WriterBackend* (*)(WriterFrontend* frontend))0 } diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc new file mode 100644 index 0000000000..a2f272cd33 --- /dev/null +++ b/src/logging/writers/SQLite.cc 
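Review bot: `#define USE_SQLITE 1` immediately before `#ifdef USE_SQLITE` makes the conditional unconditional, so the writer is always compiled in regardless of whether a sqlite3 library is available, unlike USE_DATASERIES next to it which comes from config.h; SQLite.cc repeats the same define and SQLite.h gates its whole body on the macro, so any other includer that forgets the define gets an empty header. The CMakeLists.txt hunk in this commit only adds the source file and links nothing. Dropping both `#define` lines and instead having CMake detect sqlite3, define USE_SQLITE in config.h and add the library to the link line would make the `#ifdef` mean what it says; until then a comment `// TODO: USE_SQLITE should come from config.h (CMake), not be forced here` marks the shortcut for the next reader.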
@@ -0,0 +1,331 @@ +// See the file "COPYING" in the main distribution directory for copyright. + + +#define USE_SQLITE 1 +#ifdef USE_SQLITE + +#include "config.h" +#include +#include + +#include "../../NetVar.h" + +#include "../../threading/SerialTypes.h" + +#include + +#include "SQLite.h" + +using namespace logging; +using namespace writer; +using threading::Value; +using threading::Field; + +SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) + { + db = 0; + } + +SQLite::~SQLite() + { + if ( db != 0 ) + { + sqlite3_close(db); + db = 0; + } + } + +string SQLite::GetTableType(int arg_type, int arg_subtype) { + + string type; + + switch ( arg_type ) { + + case TYPE_BOOL: + type = "boolean"; + break; + + case TYPE_INT: + case TYPE_COUNT: + case TYPE_COUNTER: + case TYPE_PORT: + type = "integer"; + break; + + /* + case TYPE_PORT: + type = "VARCHAR(10)"; + break; +*/ + + case TYPE_SUBNET: + case TYPE_ADDR: + type = "text"; // sqlite3 does not have a type for internet addresses + break; + + case TYPE_TIME: + case TYPE_INTERVAL: + case TYPE_DOUBLE: + type = "double precision"; + break; + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + type = "TEXT"; + break; + + case TYPE_TABLE: + case TYPE_VECTOR: + // nope, we do simply not support this at the moment. SQLite does not support array types and that would mean + // that this module has to roll everything into a string and an importer has to do the reverse. And that is bad-bad-bad + // for a relational database + InternalError("Table types are not supported by SQLite writer"); + + //type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string I guess. 
+ //type = GetTableType(arg_subtype, 0) + "[]"; + break; + + default: + Error(Fmt("unsupported field format %d ", arg_type)); + return ""; + } + + return type; +} + + +bool SQLite::checkError( int code ) + { + if ( code != SQLITE_OK && code != SQLITE_DONE ) + { + printf("SQLite call failed: %s\n", sqlite3_errmsg(db)); + Error(Fmt("SQLite call failed: %s", sqlite3_errmsg(db))); + return true; + } + + return false; + } + +bool SQLite::DoInit(string path, int num_fields, + const Field* const * fields) + { + + string fullpath = path+ ".sqlite"; + + if ( checkError(sqlite3_open_v2( + fullpath.c_str(), + &db, + SQLITE_OPEN_READWRITE | + SQLITE_OPEN_CREATE | + SQLITE_OPEN_FULLMUTEX // perhaps change to nomutex + , + NULL)) ) + return false; + + string create = "CREATE TABLE IF NOT EXISTS "+path+" (\n"; // yes. using path here is stupid. open for better ideas. + //"id SERIAL UNIQUE NOT NULL"; // SQLite has rowids, we do not need a counter here. + + for ( int i = 0; i < num_fields; ++i ) + { + const Field* field = fields[i]; + + if ( i != 0 ) + create += ",\n"; + + string fieldname = fields[i]->name; + replace( fieldname.begin(), fieldname.end(), '.', '_' ); // sqlite does not like "." in row names. 
+ create += fieldname; + + if ( field->type == TYPE_TABLE || field->type == TYPE_VECTOR ) + { + Error("Sorry, the SQLite writer does not support table and vector types"); + return false; + } + + string type = GetTableType(field->type, field->subtype); + + create += " "+type; + /* if ( !field->optional ) { + create += " NOT NULL"; + } */ + + } + + create += "\n);"; + + //printf("Create: %s\n", create.c_str()); + + { + char *errorMsg = 0; + int res = sqlite3_exec(db, create.c_str(), NULL, NULL, &errorMsg); + if ( res != SQLITE_OK ) + { + //printf("Error executing table creation statement: %s", errorMsg); + Error(Fmt("Error executing table creation statement: %s", errorMsg)); + sqlite3_free(errorMsg); + return false; + } + } + + + { + // create the prepared statement that will be re-used forever... + + string insert = "VALUES ("; + string names = "INSERT INTO "+path+" ( "; + + for ( int i = 0; i < num_fields; i++ ) + { + bool ac = true; + + if ( i == 0 ) { + ac = false; + } else { + names += ", "; + insert += ", "; + } + + insert += "?"; + + string fieldname = fields[i]->name; + replace( fieldname.begin(), fieldname.end(), '.', '_' ); // sqlite does not like "." in row names. + names += fieldname; + + } + insert += ");"; + names += ") "; + + insert = names + insert; + //printf("Prepared insert: %s\n\n", insert.c_str()); + + if ( checkError(sqlite3_prepare_v2( db, insert.c_str(), insert.size()+1, &st, NULL )) ) + return false; + } + + return true; + } + +bool SQLite::DoFlush() + { + return true; + } + +bool SQLite::DoFinish() + { + return true; + } + +// Format String +char* SQLite::FS(const char* format, ...) { + char * buf; + + va_list al; + va_start(al, format); + int n = vasprintf(&buf, format, al); + va_end(al); + + assert(n >= 0); + + return buf; +} + +int SQLite::AddParams(Value* val, int pos) + { + + if ( ! 
val->present ) + { + return sqlite3_bind_null(st, pos); + } + + switch ( val->type ) { + + case TYPE_BOOL: + return sqlite3_bind_int(st, pos, val->val.int_val ? 1 : 0 ); + + case TYPE_INT: + return sqlite3_bind_int(st, pos, val->val.int_val); + + case TYPE_COUNT: + case TYPE_COUNTER: + return sqlite3_bind_int(st, pos, val->val.uint_val); + + case TYPE_PORT: + return sqlite3_bind_int(st, pos, val->val.port_val.port); + + case TYPE_SUBNET: + { + string out = Render(val->val.subnet_val).c_str(); + return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); + } + + case TYPE_ADDR: + { + string out = Render(val->val.addr_val).c_str(); + return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); + } + + case TYPE_TIME: + case TYPE_INTERVAL: + case TYPE_DOUBLE: + return sqlite3_bind_double(st, pos, val->val.double_val); + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + { + if ( ! val->val.string_val->size() || val->val.string_val->size() == 0 ) + return sqlite3_bind_null(st, pos); + + return sqlite3_bind_text(st, pos, val->val.string_val->data(), val->val.string_val->size(), SQLITE_TRANSIENT); // FIXME who deletes this + } + + case TYPE_TABLE: + case TYPE_VECTOR: + // we do not support these, fallthrough + + default: + Error(Fmt("unsupported field format %d", val->type )); + return 0; + } + } + +bool SQLite::DoWrite(int num_fields, const Field* const * fields, Value** vals) + { + + // bind parameters + for ( int i = 0; i < num_fields; i++ ) + { + if ( checkError(AddParams(vals[i], i+1)) ) + return false; + } + + // execute query + if ( checkError(sqlite3_step(st)) ) + return false; + + // clean up and make ready for next query execution + if ( checkError(sqlite3_clear_bindings(st)) ) + return false; + + if ( checkError(sqlite3_reset(st)) ) + return false; + + + return true; + } + +bool SQLite::DoRotate(string rotated_path, double open, double close, bool terminating) + { + return true; + } + +bool 
SQLite::DoSetBuf(bool enabled) + { + // Nothing to do. + return true; + } + +#endif /* USE_SQLITE */ diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h new file mode 100644 index 0000000000..c689b32328 --- /dev/null +++ b/src/logging/writers/SQLite.h @@ -0,0 +1,53 @@ +// See the file "COPYING" in the main distribution directory for copyright. +// +// Log writer for SQLITE logs. + +#ifndef LOGGING_WRITER_SQLITE_H +#define LOGGING_WRITER_SQLITE_H + +#include "config.h" + +#ifdef USE_SQLITE + +#include "../WriterBackend.h" +#include "sqlite3.h" + +namespace logging { namespace writer { + +class SQLite : public WriterBackend { +public: + SQLite(WriterFrontend* frontend); + ~SQLite(); + + static WriterBackend* Instantiate(WriterFrontend* frontend) + { return new SQLite(frontend); } + +protected: + virtual bool DoInit(string path, int num_fields, + const threading::Field* const* fields); + virtual bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals); + virtual bool DoSetBuf(bool enabled); + virtual bool DoRotate(string rotated_path, double open, + double close, bool terminating); + virtual bool DoFlush(); + virtual bool DoFinish(); + +private: + bool checkError(int code); + + int AddParams(threading::Value* val, int pos); + string GetTableType(int, int); + char* FS(const char* format, ...); + + sqlite3 *db; + sqlite3_stmt *st; +}; + +} +} + +#endif /* USE_SQLITE */ + +#endif /* LOGGING_WRITER_SQLITE_H */ + diff --git a/src/types.bif b/src/types.bif index 76bac3e0e2..4271e4a0bf 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,6 +163,7 @@ enum Writer %{ WRITER_NONE, WRITER_ASCII, WRITER_DATASERIES, + WRITER_SQLITE, %} enum ID %{ From c664c40ac21772b7ad511724a098218e69187fd5 Mon Sep 17 00:00:00 2001 
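Review bot: In AddParams the TYPE_INT, TYPE_COUNT and TYPE_COUNTER arms bind through `sqlite3_bind_int`, which takes a C `int`, while `int_val`/`uint_val` are 64-bit as far as I can tell from threading::Value, so byte counters and other values above 2^31 are silently truncated; `sqlite3_bind_int64` is the matching call (uint64 values above 2^63 still wrap negative, which is the best SQLite offers). The destructor calls `sqlite3_close(db)` without ever finalizing the prepared statement `st` (which the constructor also leaves uninitialized), and `sqlite3_close` refuses with SQLITE_BUSY while a statement is outstanding, so the handle leaks on every writer shutdown. The `default:` arm of AddParams reports the error but returns 0, which equals SQLITE_OK, so DoWrite's `checkError` accepts it and the row is written with whatever binding was left at that position. Separately, the table name is spliced from `path` and the column names from the field names by string concatenation in both the CREATE TABLE and INSERT statements; these come from script-side configuration rather than packet data, but any path that is not a bare identifier (hyphen, slash, leading digit, SQL keyword) breaks the statement, so quoting them as double-quoted identifiers with embedded quotes doubled, and dropping the stray `printf` to stdout in checkError, would harden DoInit. The rewrite below covers the first three points only.
```cpp
SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend)
	{
	db = 0;
	st = 0; // finalized in the destructor before the handle is closed
	}

SQLite::~SQLite()
	{
	// sqlite3_close() fails with SQLITE_BUSY while a statement is outstanding.
	if ( st != 0 )
		{
		sqlite3_finalize(st);
		st = 0;
		}

	if ( db != 0 )
		{
		sqlite3_close(db);
		db = 0;
		}
	}

// … unchanged: GetTableType, checkError, DoInit, DoFlush, DoFinish, FS …

int SQLite::AddParams(Value* val, int pos)
	{
	if ( ! val->present )
		return sqlite3_bind_null(st, pos);

	switch ( val->type ) {
	// … unchanged: TYPE_BOOL …

	case TYPE_INT:
		// 64-bit in threading::Value; sqlite3_bind_int would truncate to int.
		return sqlite3_bind_int64(st, pos, val->val.int_val);

	case TYPE_COUNT:
	case TYPE_COUNTER:
		// Values above 2^63 wrap negative; SQLite has no unsigned 64-bit type.
		return sqlite3_bind_int64(st, pos, (sqlite3_int64) val->val.uint_val);

	// … unchanged: TYPE_PORT through TYPE_FUNC, TYPE_TABLE/TYPE_VECTOR …

	default:
		Error(Fmt("unsupported field format %d", val->type ));
		return SQLITE_ERROR; // non-OK so DoWrite's checkError() aborts the row
	}
	}
```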
From: Bernhard Amann Date: Thu, 14 Jun 2012 15:54:22 -0700 Subject: [PATCH 007/134] now the writer supports tables and vectors. still not tested, but using Log::default_writer=Log::WRITER_SQLITE seems to generate all the right log-databases, etc. --- scripts/base/frameworks/logging/__load__.bro | 1 + .../frameworks/logging/writers/sqlite.bro | 10 ++ src/logging.bif | 5 + src/logging/writers/SQLite.cc | 144 +++++++++++++++--- src/logging/writers/SQLite.h | 4 + 5 files changed, 145 insertions(+), 19 deletions(-) create mode 100644 scripts/base/frameworks/logging/writers/sqlite.bro diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.bro index 17e03e2ef7..01036253c5 100644 --- a/scripts/base/frameworks/logging/__load__.bro +++ b/scripts/base/frameworks/logging/__load__.bro @@ -2,3 +2,4 @@ @load ./postprocessors @load ./writers/ascii @load ./writers/dataseries +@load ./writers/sqlite diff --git a/scripts/base/frameworks/logging/writers/sqlite.bro b/scripts/base/frameworks/logging/writers/sqlite.bro new file mode 100644 index 0000000000..1b19c84ff3 --- /dev/null +++ b/scripts/base/frameworks/logging/writers/sqlite.bro @@ -0,0 +1,10 @@ +##! Interface for the SQLite log writer. Redefinable options are available +##! to tweak the output format of the SQLite reader. + +module LogSQLite; + +export { + ## Separator between set elements. + const set_separator = "," &redef; +} + diff --git a/src/logging.bif b/src/logging.bif index efc6ed0b4b..c14ccbb16d 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -81,3 +81,8 @@ const extent_size: count; const dump_schema: bool; const use_integer_for_time: bool; const num_threads: count; + +module LogSQLite; + +const set_separator: string; + diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index a2f272cd33..a5333aaf2f 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc 
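Review bot: The module docstring in writers/sqlite.bro says the options "tweak the output format of the SQLite reader", but the file is the writer's interface; change it to `##! to tweak the output format of the SQLite writer.`. The `set_separator` doc could also say what it is for, since the C++ side of this commit joins set and vector elements into one text column with it: `## Separator between set elements; sets and vectors are stored as a single text column joined with this string.`.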
@@ -23,16 +23,21 @@ using threading::Field; SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) { - db = 0; + set_separator_len = BifConst::LogSQLite::set_separator->Len(); + set_separator = new char[set_separator_len]; + memcpy(set_separator, BifConst::LogSQLite::set_separator->Bytes(), + set_separator_len); + + db = 0; } SQLite::~SQLite() { - if ( db != 0 ) - { - sqlite3_close(db); - db = 0; - } + if ( db != 0 ) + { + sqlite3_close(db); + db = 0; + } } string SQLite::GetTableType(int arg_type, int arg_subtype) { @@ -78,12 +83,7 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { case TYPE_TABLE: case TYPE_VECTOR: - // nope, we do simply not support this at the moment. SQLite does not support array types and that would mean - // that this module has to roll everything into a string and an importer has to do the reverse. And that is bad-bad-bad - // for a relational database - InternalError("Table types are not supported by SQLite writer"); - - //type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string I guess. + type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string I guess. //type = GetTableType(arg_subtype, 0) + "[]"; break; @@ -138,12 +138,6 @@ bool SQLite::DoInit(string path, int num_fields, replace( fieldname.begin(), fieldname.end(), '.', '_' ); // sqlite does not like "." in row names. create += fieldname; - if ( field->type == TYPE_TABLE || field->type == TYPE_VECTOR ) - { - Error("Sorry, the SQLite writer does not support table and vector types"); - return false; - } - string type = GetTableType(field->type, field->subtype); create += " "+type; 
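Review bot: The constructor now allocates `set_separator` with `new char[set_separator_len]`, but the destructor rewritten in the same hunk still only closes `db`, so the buffer leaks for every writer instance created; add `delete [] set_separator;` followed by `set_separator = 0;` to `~SQLite()`. The copy also drops the terminating NUL, which is fine for the length-delimited `AddRaw`/`AddEscapeSequence` calls that use it, but a comment on the member such as `// not NUL-terminated; always pair with set_separator_len` would stop someone passing it to a C string function later.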
@@ -231,6 +225,84 @@ char* SQLite::FS(const char* format, ...) { return buf; } +// this one is mainly ripped from Ascii.cc - with some adaptions. +void SQLite::ValToAscii(ODesc* desc, Value* val) + { + if ( ! val->present ) + { + assert(false); + } + + switch ( val->type ) { + + case TYPE_BOOL: + desc->Add(val->val.int_val ? "T" : "F"); + break; + + case TYPE_INT: + desc->Add(val->val.int_val); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + desc->Add(val->val.uint_val); + break; + + case TYPE_PORT: + desc->Add(val->val.port_val.port); + break; + + case TYPE_SUBNET: + desc->Add(Render(val->val.subnet_val)); + break; + + case TYPE_ADDR: + desc->Add(Render(val->val.addr_val)); + break; + + case TYPE_DOUBLE: + // Rendering via Add() truncates trailing 0s after the + // decimal point. The difference with TIME/INTERVAL is mainly + // to keep the log format consistent. + desc->Add(val->val.double_val); + break; + + case TYPE_INTERVAL: + case TYPE_TIME: + // Rendering via Render() keeps trailing 0s after the decimal + // point. The difference with DOUBLEis mainly to keep the log + // format consistent. + desc->Add(Render(val->val.double_val)); + break; + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + { + int size = val->val.string_val->size(); + const char* data = val->val.string_val->data(); + + if ( size ) + desc->AddN(data, size); + + break; + } + + case TYPE_TABLE: + case TYPE_VECTOR: + assert(false); + // this would mean that we have a table/vector inside a table/vector. + // that is not possible and shoulr have been caught way earlier. + + default: + // there may not be any types that we do not know here. + assert(false); + } + + } + + int SQLite::AddParams(Value* val, int pos) { 
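Review bot: ValToAscii handles an unset element with `assert(false)`, which compiles out under NDEBUG, after which the switch reads the union of a Value that is not present and emits whatever is there; a writer thread should report and return instead, e.g. `if ( ! val->present ) { Error("unset element inside set/vector"); return; }`, and the TYPE_TABLE/TYPE_VECTOR and default arms likewise degrade to silently emitting nothing in release builds. The comment typos `shoulr` → `should` and `DOUBLEis` → `DOUBLE is` are in the same hunk. Since the header comment says this was lifted from Ascii.cc, if the intent is to mirror the ASCII writer's unset marker rather than error out, that choice deserves a sentence in the comment.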
@@ -283,8 +355,42 @@ int SQLite::AddParams(Value* val, int pos) } case TYPE_TABLE: + { + ODesc desc; + desc.Clear(); + desc.AddEscapeSequence(set_separator, set_separator_len); + + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + if ( j > 0 ) + desc.AddRaw(set_separator, set_separator_len); + + ValToAscii(&desc, val->val.set_val.vals[j]); + } + + + return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); + } + case TYPE_VECTOR: - // we do not support these, fallthrough + { + ODesc desc; + desc.Clear(); + desc.AddEscapeSequence(set_separator, set_separator_len); + + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + if ( j > 0 ) + desc.AddRaw(set_separator, set_separator_len); + + ValToAscii(&desc, val->val.vector_val.vals[j]); + } + + + return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); + } + + default: Error(Fmt("unsupported field format %d", val->type )); diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index c689b32328..07f6e6c104 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -35,6 +35,7 @@ protected: private: bool checkError(int code); + void ValToAscii(ODesc* desc, threading::Value* val); int AddParams(threading::Value* val, int pos); string GetTableType(int, int); @@ -42,6 +43,9 @@ private: sqlite3 *db; sqlite3_stmt *st; + + char* set_separator; + int set_separator_len; }; } From d29e691da96dcd977f75043a31cc64eb505882b5 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Wed, 25 Jul 2012 15:05:08 -0700 Subject: [PATCH 008/134] ...adapt to new api... --- src/logging/writers/SQLite.cc | 36 ++++++++--------------------------- src/logging/writers/SQLite.h | 11 ++++++----- 2 files changed, 14 insertions(+), 33 deletions(-) diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index ddee536e76..9c78636867 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc 
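Review bot: The TYPE_TABLE and TYPE_VECTOR arms added to AddParams are the same dozen lines twice, differing only in `set_val` versus `vector_val`, and `desc.Clear()` right after constructing the ODesc is a no-op. Folding them into one private helper that takes the element array and count keeps the escaping and separator handling in a single place, which matters because both must stay in sync with `ValToAscii` and the `set_separator` option; the helper needs a declaration next to `ValToAscii` in the SQLite.h hunk of this commit. One thing worth a comment either way: elements are escaped against the separator, but an empty set and a set holding one empty string both bind as empty text, so a reader of the column cannot tell them apart.
```cpp
// Join the elements of a set or vector into one separator-delimited text
// value (elements escaped against the separator) and bind it at position pos.
int SQLite::BindSequence(Value** elems, int n, int pos)
	{
	ODesc desc;
	desc.AddEscapeSequence(set_separator, set_separator_len);

	for ( int j = 0; j < n; j++ )
		{
		if ( j > 0 )
			desc.AddRaw(set_separator, set_separator_len);

		ValToAscii(&desc, elems[j]);
		}

	return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT);
	}

// … in AddParams, replacing the two copied blocks …
	case TYPE_TABLE:
		return BindSequence(val->val.set_val.vals, val->val.set_val.size, pos);

	case TYPE_VECTOR:
		return BindSequence(val->val.vector_val.vals, val->val.vector_val.size, pos);
```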
@@ -112,12 +112,13 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) { - string fullpath = info.path+ ".sqlite"; + string fullpath(info.path); + fullpath.append(".sqlite"); string dbname; - map::const_iterator it = info.config.find("dbname"); + map::const_iterator it = info.config.find("dbname"); if ( it == info.config.end() ) { - MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to path %s", info.path.c_str())); + MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to path %s", info.path)); dbname = info.path; } else { dbname = it->second; @@ -211,16 +212,6 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, return true; } -bool SQLite::DoFlush() - { - return true; - } - -bool SQLite::DoFinish() - { - return true; - } - // Format String char* SQLite::FS(const char* format, ...) { char * buf; @@ -290,8 +281,8 @@ void SQLite::ValToAscii(ODesc* desc, Value* val) case TYPE_FILE: case TYPE_FUNC: { - int size = val->val.string_val->size(); - const char* data = val->val.string_val->data(); + int size = val->val.string_val.length; + const char* data = val->val.string_val.data; if ( size ) desc->AddN(data, size); @@ -358,10 +349,10 @@ int SQLite::AddParams(Value* val, int pos) case TYPE_FILE: case TYPE_FUNC: { - if ( ! val->val.string_val->size() || val->val.string_val->size() == 0 ) + if ( ! val->val.string_val.length || val->val.string_val.length == 0 ) return sqlite3_bind_null(st, pos); - return sqlite3_bind_text(st, pos, val->val.string_val->data(), val->val.string_val->size(), SQLITE_TRANSIENT); // FIXME who deletes this + return sqlite3_bind_text(st, pos, val->val.string_val.data, val->val.string_val.length, SQLITE_TRANSIENT); // FIXME who deletes this } case TYPE_TABLE: 
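Review bot: In the `@@ -358,10 +349,10 @@` hunk the string arm still binds NULL whenever `string_val.length` is 0 (and tests that twice: `! length || length == 0`), so a present-but-empty string becomes indistinguishable from an unset field, a distinction the ASCII writer preserves with its `#empty_field`/`#unset_field` markers; binding the empty text instead keeps it, e.g. `const char* s = val->val.string_val.length ? val->val.string_val.data : "";` followed by `return sqlite3_bind_text(st, pos, s, val->val.string_val.length, SQLITE_TRANSIENT);` (SQLite treats a NULL data pointer as SQL NULL, hence the `""`). The carried-over `// FIXME who deletes this` can be resolved rather than kept: with SQLITE_TRANSIENT SQLite copies the bytes before bind returns, so the Value stays owned by the caller and nothing here needs freeing, e.g. `// SQLITE_TRANSIENT: SQLite copies the bytes; the Value stays owned by the caller`. The `dbname` read from `info.config` in the first hunk is only used further down, outside this view, so I cannot tell whether it is quoted when spliced into SQL.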
@@ -433,15 +424,4 @@ bool SQLite::DoWrite(int num_fields, const Field* const * fields, Value** vals) return true; } -bool SQLite::DoRotate(string rotated_path, double open, double close, bool terminating) - { - return true; - } - -bool SQLite::DoSetBuf(bool enabled) - { - // Nothing to do. - return true; - } - #endif /* USE_SQLITE */ diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index d4bb50a7a1..8a3baaec9e 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -27,11 +27,12 @@ protected: const threading::Field* const* fields); virtual bool DoWrite(int num_fields, const threading::Field* const* fields, threading::Value** vals); - virtual bool DoSetBuf(bool enabled); - virtual bool DoRotate(string rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(); - virtual bool DoFinish(); + virtual bool DoSetBuf(bool enabled) { return true; } + virtual bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) { return true; } + virtual bool DoFlush(double network_time) { return true; } + virtual bool DoFinish(double network_time) { return true; } + virtual bool DoHeartbeat(double network_time, double current_time) { return true; } private: bool checkError(int code); From 83910eeb08679df068f910fa8edb04d9c92a43ae Mon Sep 17 00:00:00 2001 From: Sheharbano Khattak Date: Tue, 9 Oct 2012 05:33:37 +0500 Subject: [PATCH 009/134] Added function to intercept threshold checking --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/btest | 2 +- cmake | 2 +- scripts/base/frameworks/metrics/main.bro | 72 +++++++++++++++++++----- 7 files changed, 65 insertions(+), 19 deletions(-) diff --git a/aux/binpac b/aux/binpac index 3034da8f08..a93ef13735 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62 +Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5 
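Review bot: The inline `DoFinish(double network_time) { return true; }` in the header hunk returns without finalizing the prepared statement or closing the database, and nothing in this diff shows a destructor doing it; unless cleanup happens elsewhere, the `st` and `db` handles declared in the same header outlive the writer. Suggest having DoFinish (or the destructor) run `sqlite3_finalize(st); sqlite3_close(db);` and clear both pointers. The no-op `DoRotate` likewise returns true without acknowledging the rotation; if the writer API expects the backend to report completion through FinishedRotation(), the manager will never see this writer finish a rotation — worth confirming against WriterBackend before shipping the inline bodies.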
diff --git a/aux/bro-aux b/aux/bro-aux index f53bcb2b49..6748ec3a96 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767 +Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff diff --git a/aux/broccoli b/aux/broccoli index a08ca90727..ebfa4de45a 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit a08ca90727c5c4b90aa8633106ec33a5cf7378d4 +Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed diff --git a/aux/broctl b/aux/broctl index 954538514d..b0e3c0d846 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d +Subproject commit b0e3c0d84643878c135dcb8a9774ed78147dd648 diff --git a/aux/btest b/aux/btest index 9c9fde204d..44a43e6245 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 9c9fde204dd5518bdfdb8b4a86d38ed06e597209 +Subproject commit 44a43e62452302277f88e8fac08d1f979dc53f98 diff --git a/cmake b/cmake index 2cc1055770..125f9a5fa8 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34 +Subproject commit 125f9a5fa851381d0350efa41a4d14f27be263a2 diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 0e2496ef16..744eaf731d 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro 
@@ -103,12 +103,20 @@ export { notice_threshold: count &optional; ## A series of thresholds at which to generate notices. notice_thresholds: vector of count &optional; - ## How often this notice should be raised for this filter. It - ## will be generated everytime it crosses a threshold, but if the - ## $break_interval is set to 5mins and this is set to 1hr the notice - ## only be generated once per hour even if something crosses the - ## threshold in every break interval. - notice_freq: interval &optional; + + ## Sheharbano's additions + ##-------------------------------------------- + ## A straight threshold for generating a notice. + default_threshold: count &optional; + ## Represents Index specific thresholds, that is we can + ## have different thresholds for different Index values. + ## If the threshold for an Index is not specified in , + ## will be used as default. + custom_thresholds: table[Index] of count &optional; + ## A predicate so that you can decide when to flexibly declare when + ## a threshold crossed, and do extra stuff + check_threshold: function(index: Index, default_thresh: count, + custom_thresh: table[Index] of count, val: count ): bool &optional; }; ## Function to associate a metric filter with a metric ID. @@ -262,6 +270,11 @@ function add_filter(id: string, filter: Filter) print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds"; return; } + if ( !filter?$default_threshold && !filter?$custom_thresholds ) + { + print "INVALID Metric filter: Must define one of $default_threshold and $custom_thresholds"; + return; + } if ( ! filter?$id ) filter$id = id; 
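Review bot: The new check in add_filter, `if ( !filter?$default_threshold && !filter?$custom_thresholds )`, rejects every filter that sets neither field, which includes filters that exist only to log (the record's `log: bool &default=T` is there for that use); the requirement should apply only when the filter also asks for threshold handling, e.g. guard it with `filter?$note ||` or the presence of `$check_threshold`. The doc comment on `custom_thresholds` has two blanks where field names belong ("not specified in , will be used"), presumably `$custom_thresholds` and `$default_threshold`. The `## Sheharbano's additions` banner is emitted into the generated documentation of an exported record and should be a plain `#` comment or dropped. The same unconditional requirement is carried forward by the add_filter hunk of the later commit on L55.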
@@ -349,15 +362,43 @@ function add_unique(id: string, index: Index, data: string) function check_notice(filter: Filter, index: Index, val: count): bool { - if ( (filter?$notice_threshold && - [filter$id, filter$name, index] !in thresholds && - val >= filter$notice_threshold) || - (filter?$notice_thresholds && - |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] && - val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) ) - return T; + ## It's possible for a user to skip defining either default_threshold or custom_thresholds. + ## Therefore must check which one is missing, so we can craft and send a dummy value in the function + + local cust_thresh: table[Index] of count; + local def_thresh = 0; + + if ( filter?$custom_thresholds ) + cust_thresh = filter$custom_thresholds; + + if ( filter?$default_threshold ) + def_thresh = filter$default_threshold; + + if ( filter?$check_threshold ) + return filter$check_threshold( index, def_thresh, cust_thresh, val ); + else + { + if ( index in cust_thresh ) + { + if ( val > cust_thresh[index] ) + return T; + } + else if ( val > def_thresh) + return T; + return F; + } + + #if ( (filter?$notice_threshold && + # [filter$id, filter$name, index] !in thresholds && + # val >= filter$notice_threshold) || + # (filter?$notice_thresholds && + # |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] && + # val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) ) + #return T; + #else + #return F; } function do_notice(filter: Filter, index: Index, val: count) 
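Review bot: The rewritten check_notice drops every use of `$notice_threshold` and `$notice_thresholds`, yet this commit leaves both fields in the Filter record (the hunk on L42 still shows them), so a filter configured the documented way now never returns T; either remove the fields in the same change or keep the old branch live instead of commenting it out at the bottom. The comparison also changed from `val >= threshold` to `val > cust_thresh[index]` / `val > def_thresh`, which shifts every existing threshold by one — if deliberate, say so in the doc of `default_threshold`. The explanatory lines inside the body use `##`, which is Broxygen documentation syntax, and should be `#`; the dead `#if ( (filter?$notice_threshold ...` block should simply go.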
@@ -377,7 +418,12 @@ function do_notice(filter: Filter, index: Index, val: count) # TODO: not sure where to put the network yet. NOTICE(n); + + # Resetting unique values + local metric_tbl = store[filter$id, filter$name]; + metric_tbl[index]$unique_vals = set(); + # This just needs set to some value so that it doesn't refire the # notice until it expires from the table or it crosses the next # threshold in the case of vectors of thresholds. From 1a1c798738f44599d56225eedecc8fa13dea6958 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 9 Oct 2012 14:30:39 -0700 Subject: [PATCH 010/134] add SQLite reader. Probably memleaky as hell, does not support tables/vectors yet, but it managed to successfully read very simple tables. --- src/CMakeLists.txt | 1 + src/input/Manager.cc | 7 + src/input/readers/SQLite.cc | 356 ++++++++++++++++++++++++++++++++++ src/input/readers/SQLite.h | 60 ++++++ src/logging/Manager.cc | 2 - src/logging/writers/SQLite.cc | 6 +- src/logging/writers/SQLite.h | 1 + src/types.bif | 1 + 8 files changed, 429 insertions(+), 5 deletions(-) create mode 100644 src/input/readers/SQLite.cc create mode 100644 src/input/readers/SQLite.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 8fc541ee78..435fbdf30f 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -438,6 +438,7 @@ set(bro_SRCS input/readers/Ascii.cc input/readers/Raw.cc input/readers/Benchmark.cc + input/readers/SQLite.cc nb_dns.c digest.h diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b5dfdcb2cd..791035bba7 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -9,6 +9,10 @@ #include "readers/Raw.h" #include "readers/Benchmark.h" +#ifdef USE_SQLITE +#include "readers/SQLite.h" +#endif + #include "Event.h" #include "EventHandler.h" #include "NetVar.h" 
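Review bot: The added reset `metric_tbl[index]$unique_vals = set();` indexes `store[filter$id, filter$name]` straight into `[index]`; `store` is declared with `&default=table()` (as the later hunk on L54 shows), so on a node holding no local data for this filter — the manager in a cluster, where do_notice is reached from cluster_index_response — the lookup yields an empty table and the `[index]` access should fail at runtime. Guard it: `if ( [filter$id, filter$name] in store && index in store[filter$id, filter$name] )`. For count-based metrics the DataPoint carries `$num` rather than `$unique_vals`, so the assignment also attaches an empty set to records that never used it; checking `?$unique_vals` first keeps the reset to the unique case. do_notice begins before this hunk.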
@@ -34,6 +38,9 @@ ReaderDefinition input_readers[] = { { BifEnum::Input::READER_ASCII, "Ascii", 0, reader::Ascii::Instantiate }, { BifEnum::Input::READER_RAW, "Raw", 0, reader::Raw::Instantiate }, { BifEnum::Input::READER_BENCHMARK, "Benchmark", 0, reader::Benchmark::Instantiate }, +#ifdef USE_SQLITE + { BifEnum::Input::READER_SQLITE, "SQLite", 0, reader::SQLite::Instantiate }, +#endif // End marker { BifEnum::Input::READER_DEFAULT, "None", 0, (ReaderBackend* (*)(ReaderFrontend* frontend))0 } diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc new file mode 100644 index 0000000000..53a3609e24 --- /dev/null +++ b/src/input/readers/SQLite.cc 
@@ -0,0 +1,356 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "config.h" + +#ifdef USE_SQLITE + +#include "SQLite.h" +#include "NetVar.h" + +#include +#include + +#include "../../threading/SerialTypes.h" + +#include +#include +#include + +using namespace input::reader; +using threading::Value; +using threading::Field; + + +SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend) + { + + } + +SQLite::~SQLite() + { + DoClose(); + + } + +void SQLite::DoClose() + { + if ( db != 0 ) + { + sqlite3_close(db); + db = 0; + } + } + +bool SQLite::checkError( int code ) + { + if ( code != SQLITE_OK && code != SQLITE_DONE ) + { + Error(Fmt("SQLite call failed: %s", sqlite3_errmsg(db))); + return true; + } + + return false; + } + +bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) + { + started = false; + + string fullpath(info.source); + fullpath.append(".sqlite"); + + string dbname; + map::const_iterator it = info.config.find("dbname"); + if ( it == info.config.end() ) + { + MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); + Error(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); + dbname = info.source; + } + else + dbname = it->second; + + string query; + it = info.config.find("query"); + if ( it == info.config.end() ) + { + Error(Fmt("No query specified when setting up SQLite data source. Aborting.", info.source)); + return false; + } + else + query = it->second; + + if ( checkError(sqlite3_open_v2( + fullpath.c_str(), + &db, + SQLITE_OPEN_READWRITE | + SQLITE_OPEN_FULLMUTEX // perhaps change to nomutex + , + NULL)) ) + return false; + + + num_fields = arg_num_fields; + fields = arg_fields; + + // create the prepared select statement that we will re-use forever... 
+ if ( checkError(sqlite3_prepare_v2( db, query.c_str(), query.size()+1, &st, NULL )) ) + { + return false; + } + + + DoUpdate(); + + return true; + } + +Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos) + { + + if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) + return new Value(field->type, false); + + Value* val = new Value(field->type, true); + + switch ( field->type ) { + case TYPE_ENUM: + case TYPE_STRING: + { + const char *text = (const char*) sqlite3_column_text(st, pos); + int length = sqlite3_column_bytes(st, pos); + + char *out = new char[length]; + memcpy(out, text, length); + + val->val.string_val.length = length; + val->val.string_val.data = out; + break; + } + + case TYPE_BOOL: + { + if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) { + Error("Invalid data type for boolean - expected Integer"); + return 0; + } + + int res = sqlite3_column_int(st, pos); + + if ( res == 0 || res == 1 ) + val->val.int_val = res; + else + { + Error(Fmt("Invalid value for boolean: %d", res)); + return 0; + } + break; + } + + case TYPE_INT: + val->val.int_val = sqlite3_column_int64(st, pos); + printf("Value: %d\n", val->val.int_val); + break; + + case TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: + val->val.double_val = sqlite3_column_double(st, pos); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + val->val.uint_val = sqlite3_column_int64(st, pos); + break; + + case TYPE_PORT: + val->val.port_val.port = sqlite3_column_int(st, pos); + val->val.port_val.proto = TRANSPORT_UNKNOWN; + break; + + case TYPE_SUBNET: { + const char *text = (const char*) sqlite3_column_text(st, pos); + string s(text, sqlite3_column_bytes(st, pos)); + int pos = s.find("/"); + int width = atoi(s.substr(pos+1).c_str()); + string addr = s.substr(0, pos); + + val->val.subnet_val.prefix = StringToAddr(addr); + val->val.subnet_val.length = width; + break; + + } + case TYPE_ADDR: + { + const char *text = (const char*) sqlite3_column_text(st, pos); + string 
s(text, sqlite3_column_bytes(st, pos)); + val->val.addr_val = StringToAddr(s); + break; + } + + case TYPE_TABLE: + case TYPE_VECTOR: + assert(false); + /* + // First - common initialization + // Then - initialization for table. + // Then - initialization for vector. + // Then - common stuff + { + // how many entries do we have... + unsigned int length = 1; + for ( unsigned int i = 0; i < s.size(); i++ ) + if ( s[i] == ',') length++; + + unsigned int pos = 0; + + if ( s.compare(empty_field) == 0 ) + length = 0; + + + Value** lvals = new Value* [length]; + + if ( field->type == TYPE_TABLE ) + { + val->val.set_val.vals = lvals; + val->val.set_val.size = length; + } + else if ( field->type == TYPE_VECTOR ) + { + val->val.vector_val.vals = lvals; + val->val.vector_val.size = length; + else + assert(false); + + if ( length == 0 ) + break; //empty + + istringstream splitstream(s); + while ( splitstream ) + { + string element; + + if ( !getline(splitstream, element, ',') ) + break; + + if ( pos >= length ) + { + Error(Fmt("Internal error while parsing set. pos %d >= length %d. Element: %s", pos, length, element.c_str())); + break; + } + + Field* newfield = new Field(*field); + newfield->type = field->subtype; + Value* newval = EntryToVal(element, newfield); + delete(newfield); + if ( newval == 0 ) + { + Error("Error while reading set"); + return 0; + } + lvals[pos] = newval; + + pos++; + + } + + + if ( pos != length ) + { + Error("Internal error while parsing set: did not find all elements"); + return 0; + } + + break; + } + */ + + + default: + Error(Fmt("unsupported field format %d", field->type)); + return 0; + } + + return val; + + } + +bool SQLite::DoUpdate() + { + + int numcolumns = sqlite3_column_count(st); + + /* This can happen legitimately I think... + if ( numcolumns != num_fields ) + { + Error(Fmt("SQLite query returned %d results, but input framework expected %d. 
Aborting", numcolumns, num_fields)); + return false; + } + */ + + int *mapping = new int [num_fields]; + // first set them all to -1 + for ( unsigned int i = 0; i < num_fields; ++i ) { + mapping[i] = -1; + } + + for ( unsigned int i = 0; i < numcolumns; ++i ) + { + const char *name = sqlite3_column_name(st, i); + + for ( unsigned j = 0; j < num_fields; j++ ) { + if ( strcmp(fields[j]->name, name) == 0 ) { + if ( mapping[j] != -1 ) + { + Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); + return false; + } + + mapping[j] = i; + break; + } + } + + } + + for ( unsigned int i = 0; i < num_fields; ++i ) { + if ( mapping[i] == -1 ) + { + Error(Fmt("Required field %s not found after SQLite statement", fields[i]->name)); + return false; + } + } + + int errorcode; + while ( ( errorcode = sqlite3_step(st)) == SQLITE_ROW ) + { + Value** ofields = new Value*[num_fields]; + + for ( unsigned int j = 0; j < num_fields; ++j) + { + + ofields[j] = EntryToVal(st, fields[j], mapping[j]); + if ( ofields[j] == 0 ) { + return false; + } + + } + + SendEntry(ofields); + } + + if ( checkError(errorcode) ) // check the last error code returned by sqlite + return false; + + + EndCurrentSend(); + + delete (mapping); + + if ( checkError(sqlite3_reset(st)) ) + return false; + + return true; + } + +#endif /* USE_SQLITE */ diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h new file mode 100644 index 0000000000..5ed24ce393 --- /dev/null +++ b/src/input/readers/SQLite.h 
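Review bot: DoInit opens the database with `SQLITE_OPEN_READWRITE` although this backend only prepares and steps the configured query; `SQLITE_OPEN_READONLY` is the least privilege that works and also keeps a mistyped `query` option from altering or dropping tables. `db` and `st` are never initialised in the constructor, yet the destructor calls DoClose(), which tests `db != 0` — a reader whose DoInit never ran closes an indeterminate pointer — and DoClose never calls `sqlite3_finalize(st)`, which also makes `sqlite3_close(db)` fail with SQLITE_BUSY while the statement is outstanding; the rewrite below fixes both. The `assert(false)` under TYPE_TABLE/TYPE_VECTOR turns a table definition with an unsupported field type into a process abort; report it like the default arm does, `Error("set/vector fields are not supported by the SQLite reader"); return 0;`. In the TYPE_SUBNET arm the local `int pos = s.find("/")` shadows the column parameter `pos` and is never checked for `npos`, and the `printf("Value: %d\n", ...)` in the TYPE_INT arm is debug output that prints a 64-bit value with `%d`. In DoUpdate, `delete (mapping)` releases an array allocated with `new int[]` and must be `delete [] mapping`, and it is skipped on every early `return false`.
```cpp
SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend), db(0), st(0)
	{
	}

// … unchanged: ~SQLite() …

void SQLite::DoClose()
	{
	// Finalize before closing: sqlite3_close() returns SQLITE_BUSY while a
	// prepared statement is still outstanding, leaking both handles.
	if ( st != 0 )
		{
		sqlite3_finalize(st);
		st = 0;
		}

	if ( db != 0 )
		{
		sqlite3_close(db);
		db = 0;
		}
	}

// … unchanged: checkError, DoInit, EntryToVal, DoUpdate …
```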
@@ -0,0 +1,60 @@ +// See the file "COPYING" in the main distribution directory for copyright. +// + +#ifndef INPUT_READERS_POSTGRES_H +#define INPUT_READERS_POSTGRES_H + +#include "config.h" + +#ifdef USE_SQLITE + +#include +#include + +#include "../ReaderBackend.h" +#include "sqlite3.h" + +namespace input { namespace reader { + +class SQLite : public ReaderBackend { +public: + SQLite(ReaderFrontend* frontend); + ~SQLite(); + + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new SQLite(frontend); } + +protected: + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); + + virtual void DoClose(); + + virtual bool DoUpdate(); + + virtual bool DoHeartbeat(double network_time, double current_time) { return true; } +private: + bool checkError(int code); + + unsigned int num_fields; + + const threading::Field* const * fields; // raw mapping + + threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos); + + int mode; + + bool started; + string query; + + sqlite3 *db; + sqlite3_stmt *st; + +}; + + +} +} + +#endif /* USE_SQLITE */ + +#endif /* INPUT_READERS_POSTGRES_H */ + diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index bea19018ee..2a7ef63295 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -26,8 +26,6 @@ #include "writers/DataSeries.h" #endif -#define USE_SQLITE 1 - #ifdef USE_SQLITE #include "writers/SQLite.h" #endif diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index 9c78636867..1028710fc0 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -1,10 +1,11 @@ // See the file "COPYING" in the main distribution directory for copyright. -#define USE_SQLITE 1 -#ifdef USE_SQLITE #include "config.h" + +#ifdef USE_SQLITE + #include #include 
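Review bot: The include guard is `INPUT_READERS_POSTGRES_H`, a copy-paste from another reader; it should be `INPUT_READERS_SQLITE_H` in the `#ifndef`/`#define` pair and the closing comment, otherwise this header and a future Postgres reader exclude each other. The members `mode` and `query` are declared but never used by the accompanying .cc (DoInit keeps `query` as a local), so either drop them or have DoInit store the query for diagnostics. The hunk in logging/Manager.cc that removes the hard-coded `#define USE_SQLITE 1` is the right fix, since that macro belongs to config.h.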
@@ -100,7 +101,6 @@ bool SQLite::checkError( int code ) { if ( code != SQLITE_OK && code != SQLITE_DONE ) { - printf("SQLite call failed: %s\n", sqlite3_errmsg(db)); Error(Fmt("SQLite call failed: %s", sqlite3_errmsg(db))); return true; } diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index 8a3baaec9e..0c8addc9da 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -2,6 +2,7 @@ // // Log writer for SQLITE logs. + #ifndef LOGGING_WRITER_SQLITE_H #define LOGGING_WRITER_SQLITE_H diff --git a/src/types.bif b/src/types.bif index 3def034219..4400c78b52 100644 --- a/src/types.bif +++ b/src/types.bif @@ -189,6 +189,7 @@ enum Reader %{ READER_ASCII, READER_RAW, READER_BENCHMARK, + READER_SQLITE, %} enum Event %{ From d510702078e89a1c6914794f902437614aca48d2 Mon Sep 17 00:00:00 2001 From: Sheharbano Khattak Date: Tue, 16 Oct 2012 05:54:38 +0500 Subject: [PATCH 011/134] Added the branch /testing --- scripts/base/frameworks/metrics/cluster.bro | 15 +- scripts/base/frameworks/metrics/main.bro | 154 ++++++++++++------ .../base/frameworks/metrics/non-cluster.bro | 5 +- 3 files changed, 116 insertions(+), 58 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 03bbcdf584..19f431460f 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -107,7 +107,7 @@ function data_added(filter: Filter, index: Index, val: count) # intermediate update. local pct_val = double_to_count(val / cluster_request_global_view_percent); - if ( check_notice(filter, index, pct_val) ) + if ( check_threshold(filter, index, pct_val) ) { # kick off intermediate update event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index, val); 
@@ -137,6 +137,9 @@ event Metrics::send_data(uid: string, id: string, filter_name: string, data: Met # If data is empty, this metric is done. if ( |data| == 0 ) done = T; + + #print "Here is local_data"; + #print local_data; event Metrics::cluster_filter_response(uid, id, filter_name, local_data, done); if ( ! done ) @@ -191,8 +194,9 @@ event Metrics::log_it(filter: Filter) # being collected by managers. function data_added(filter: Filter, index: Index, val: count) { - if ( check_notice(filter, index, val) ) - do_notice(filter, index, val); + if ( check_threshold(filter, index, val) ) + threshold_crossed_alert( filter, index, val ); + #do_notice(filter, index, val); } event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, data: DataPoint) @@ -206,8 +210,9 @@ event Metrics::cluster_index_response(uid: string, id: string, filter_name: stri if ( Cluster::worker_count == done_with[uid] ) { local size = ir?$num ? ir$num : |ir$unique_vals|; - if ( check_notice(filter_store[id, filter_name], index, size) ) - do_notice(filter_store[id, filter_name], index, size); + if ( check_threshold(filter_store[id, filter_name], index, size) ) + threshold_crossed_alert( filter_store[id, filter_name], index, size ); + #do_notice(filter_store[id, filter_name], index, size); delete done_with[uid]; delete index_requests[uid, id, filter_name, index]; } diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 744eaf731d..d4bfd8bd5f 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -14,7 +14,7 @@ export { ## This is the interval for how often threshold based notices will happen ## after they have already fired. - const renotice_interval = 1hr &redef; + const renotice_interval = 12hr &redef; ## Represents a thing which is having metrics collected for it. An instance ## of this record type and an id together represent a single measurement. 
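Review bot: The cluster.bro hunks leave the superseded calls in place as comments (`#do_notice(filter, index, val);` twice) and add commented debug output (`#print "Here is local_data";`); version control already keeps the history, so delete them rather than ship them in the base framework. The main.bro hunk silently raises the exported default `renotice_interval` from 1hr to 12hr, which changes how often every deployment re-notices; if intended it deserves a line in the commit message and a doc-comment update, otherwise revert it. Each `threshold_crossed_alert( filter, index, val )` call also gains inner spacing that the rest of the file does not use.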
@@ -98,11 +98,7 @@ export { log: bool &default=T; ## If this and a $notice_threshold value are set, this notice type ## will be generated by the metrics framework. - note: Notice::Type &optional; - ## A straight threshold for generating a notice. - notice_threshold: count &optional; - ## A series of thresholds at which to generate notices. - notice_thresholds: vector of count &optional; + note: Notice::Type &optional; ## Sheharbano's additions ##-------------------------------------------- @@ -115,8 +111,20 @@ export { custom_thresholds: table[Index] of count &optional; ## A predicate so that you can decide when to flexibly declare when ## a threshold crossed, and do extra stuff - check_threshold: function(index: Index, default_thresh: count, + custom_check_threshold: function(index: Index, default_thresh: count, custom_thresh: table[Index] of count, val: count ): bool &optional; + ## Even if custom_check_threshold has been defined, we don't want + ## to call it every time because of function call overhead. + ## Metrics::Filter$trigger_custom_check_threshold describes how often + ## custom_check_threshold will be called + ## e.g. call custom_check_threshold for every 5 items seen by the metrics fw + trigger_custom_check_threshold: count &default=1; + ## A predicate that is called whenever a threshold is crossed + ## ToDo: Also have a parameter here that is a sample of the + ## observed trackable items + threshold_crossed: function(index: Index, val: count ) &optional; + ## A series of thresholds at which to generate notices. + threshold_series: vector of count &optional; }; ## Function to associate a metric filter with a metric ID. 
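Review bot: The doc comment kept above `note` still reads "If this and a $notice_threshold value are set", but this hunk deletes `notice_threshold`, so the text documents a field that no longer exists; reword it to name `$default_threshold` / `$threshold_series`. The `trigger_custom_check_threshold` comment says "call custom_check_threshold for every 5 items" while the declared default is `&default=1`; one of the two is wrong. `threshold_crossed` is `&optional` here, yet the add_filter hunk on L55 assumes Bro will reject a filter that omits it — record and validation disagree until the later commit makes the field mandatory.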
@@ -136,6 +144,13 @@ export { ## ## increment: How much to increment the counter by. global add_data: function(id: string, index: Index, increment: count); + + # This function does the following: + # If index (src,) doesn't exist, it creates an entry for this index. It + # adds data (c$id$orig_h) to a set associated with this index. If the number + # of unique data values for an index exceeds threshold, a notice is generated. + # So the threshold applies to the number of unique data values associated with + # an index. global add_unique: function(id: string, index: Index, data: string); @@ -173,15 +188,13 @@ global store: table[string, string] of MetricTable = table() &default=table(); # This function checks if a threshold has been crossed and generates a # notice if it has. It is also used as a method to implement # mid-break-interval threshold crossing detection for cluster deployments. -global check_notice: function(filter: Filter, index: Index, val: count): bool; - +global check_threshold: function(filter: Filter, index: Index, val: count): bool; # This is hook for watching thresholds being crossed. It is called whenever # index values are updated and the new val is given as the `val` argument. global data_added: function(filter: Filter, index: Index, val: count); -# This stores the current threshold index for filters using the -# $notice_threshold and $notice_thresholds elements. -global thresholds: table[string, string, Index] of count = {} &create_expire=renotice_interval &default=0; +# This stores the current threshold index for filters using $threshold_series. +global threshold_series_index: table[string, string, Index] of count = {} &create_expire=renotice_interval &default=0; event bro_init() &priority=5 { 
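Review bot: The new comment above `add_unique` uses single `#`, so it is not picked up as Broxygen documentation for the exported function while its neighbour `add_data` is documented with `##`; it also describes one specific caller (`c$id$orig_h`, `(src,)`) rather than the function's contract — `## Track unique string values seen for an index; thresholds apply to the number of distinct values.` fits the file's style. The comment kept above the renamed `check_threshold` still says it "generates a notice if it has", which is no longer what the function does after this series of changes.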
@@ -265,16 +278,23 @@ function add_filter(id: string, filter: Filter) print fmt("INVALID Metric filter: Filter with name \"%s\" already exists.", filter$name); return; } - if ( filter?$notice_threshold && filter?$notice_thresholds ) + if ( filter?$threshold_series && ( filter?$default_threshold || filter?$custom_thresholds ) ) { - print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds"; + print "INVALID Metric filter: Cannot define $custom_thresholds and $default_threshold with $threshold_series"; return; } - if ( !filter?$default_threshold && !filter?$custom_thresholds ) + if ( !filter?$default_threshold && !filter?$custom_thresholds && !filter?$threshold_series ) { - print "INVALID Metric filter: Must define one of $default_threshold and $custom_thresholds"; + print "INVALID Metric filter: Must define one of $default_threshold, $custom_thresholds and threshold_series"; return; } + + #Bro throws error anyway when a non-optional record field is missing + #if ( !filter?$threshold_crossed ) + # { + # print "INVALID Metric filter: Must define the function $threshold_crossed"; + # return; + # } if ( ! filter?$id ) filter$id = id; @@ -345,6 +365,8 @@ function add_it(id: string, index: Index, integer_value: bool, num: count, str: metric_tbl[index] = [$unique_vals=empty_ss]; } add metric_tbl[index]$unique_vals[str]; + #print metric_tbl[index]$unique_vals; + #print "-------------------------------------"; data_added(filter, index, |metric_tbl[index]$unique_vals|); } } @@ -360,7 +382,7 @@ function add_unique(id: string, index: Index, data: string) add_it(id, index, F, 0, data); } -function check_notice(filter: Filter, index: Index, val: count): bool +function check_threshold(filter: Filter, index: Index, val: count): bool { ## It's possible for a user to skip defining either default_threshold or custom_thresholds. ## Therefore must check which one is missing, so we can craft and send a dummy value in the function 
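Review bot: The second error message in add_filter lists `$default_threshold, $custom_thresholds and threshold_series` — the last name is missing its `$`, unlike the other two and the message above it. The commented-out validation block for `$threshold_crossed` and the `#print metric_tbl[index]$unique_vals;` lines added to add_it are debug leftovers that should not land in base/; make the check live or remove it. The unconditional "must define one of" check also still rejects filters that only log, since nothing in it considers `$log`.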
@@ -373,59 +395,89 @@ function check_notice(filter: Filter, index: Index, val: count): bool if ( filter?$default_threshold ) def_thresh = filter$default_threshold; + + if ( filter?$custom_check_threshold && ( val%filter$trigger_custom_check_threshold == 0 ) ) + return filter$custom_check_threshold( index, def_thresh, cust_thresh, val ); - if ( filter?$check_threshold ) - return filter$check_threshold( index, def_thresh, cust_thresh, val ); - - else + # No custom check threshold defined + else if ( !filter?$custom_check_threshold ) { if ( index in cust_thresh ) { if ( val > cust_thresh[index] ) return T; } - else if ( val > def_thresh) - return T; + else if ( filter?$default_threshold ) + { + if ( val > def_thresh) + { + if ( index$str == "80/tcp") + print fmt("default threshold--val is %d for index %s",val,index); + return T; + } + } + else if ( filter?$threshold_series ) + { + #print threshold_series_index[filter$id, filter$name, index]; + if ( |filter$threshold_series| >= threshold_series_index[filter$id, filter$name, index] && + val >= filter$threshold_series[threshold_series_index[filter$id, filter$name, index]] ) + { + if ( index$str == "80/tcp") + print fmt("series threshold--val is %d for index %s",val,index); + return T; + } + } + return F; } + #else if ( !filter?$custom_check_threshold ) + # { + # if ( index in cust_thresh ) + # { + # if ( val > cust_thresh[index] ) + # return T; + # } + # else if ( val > def_thresh) + # return T; + # } - #if ( (filter?$notice_threshold && - # [filter$id, filter$name, index] !in thresholds && - # val >= filter$notice_threshold) || - # (filter?$notice_thresholds && - # |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] && - # val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) ) - #return T; - #else - #return F; + return F; } -function do_notice(filter: Filter, index: Index, val: count) +function threshold_crossed_alert(filter: Filter, index: Index, val: count) { # We include 
$peer_descr here because the a manager count have actually # generated the notice even though the current remote peer for the event # calling this could be a worker if this is running as a cluster. - local n: Notice::Info = [$note=filter$note, - $n=val, - $metric_index=index, - $peer_descr=peer_description]; - n$msg = fmt("Threshold crossed by %s %d/%d", index2str(index), val, filter$notice_threshold); - if ( index?$str ) - n$sub = index$str; - if ( index?$host ) - n$src = index$host; + #local n: Notice::Info = [$note=filter$note, + # $n=val, + # $metric_index=index, + # $peer_descr=peer_description]; + #n$msg = fmt("Threshold crossed by %s %d/%d", index2str(index), val, filter$notice_threshold); + #if ( index?$str ) + # n$sub = index$str; + #if ( index?$host ) + # n$src = index$host; # TODO: not sure where to put the network yet. - NOTICE(n); + #NOTICE(n); + + if ( filter?$threshold_crossed ) + filter$threshold_crossed( index, val ); # Resetting unique values - local metric_tbl = store[filter$id, filter$name]; - metric_tbl[index]$unique_vals = set(); - - - # This just needs set to some value so that it doesn't refire the - # notice until it expires from the table or it crosses the next - # threshold in the case of vectors of thresholds. - ++thresholds[filter$id, filter$name, index]; + #local metric_tbl = store[filter$id, filter$name]; + #metric_tbl[index]$unique_vals = set(); + # If I don't reset here, the value just keeps + # retriggering once the threshold has been exceeded + if ( !filter?$threshold_series ) + reset(filter); + else + { + # This just needs set to some value so that it doesn't refire the + # notice until it expires from the table or it crosses the next + # threshold in the case of vectors of thresholds. + ++threshold_series_index[filter$id, filter$name, index]; + } } diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro index 85c050fb25..dc0daea2be 100644 
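Review bot: The two debug blocks `if ( index$str == "80/tcp") print fmt(...)` read `index$str` without an `?$str` guard, so for any filter indexed by `$host` only (the commented notice code just below tests `index?$str` for exactly that reason) the optional field is unset and the access raises a runtime error before `return T`; these lines look like local test output and should be removed outright. The series branch tests `|filter$threshold_series| >= threshold_series_index[...]`, which lets the index equal the vector size and then reads one past the end — `>` is the intended bound. Gating the custom check on `val%filter$trigger_custom_check_threshold == 0` assumes `val` advances by exactly 1; add_data takes an arbitrary `increment`, so a value can presumably jump over every multiple and the custom predicate is never consulted. threshold_crossed_alert calls `reset(filter)` for non-series filters, which is not visible here; if it clears every index of the filter rather than the one that crossed, one noisy index silences the others. Both functions lie fully inside the hunk, but the large blocks of commented-out earlier logic should be deleted rather than kept.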
--- a/scripts/base/frameworks/metrics/non-cluster.bro +++ b/scripts/base/frameworks/metrics/non-cluster.bro @@ -16,6 +16,7 @@ event Metrics::log_it(filter: Filter) function data_added(filter: Filter, index: Index, val: count) { - if ( check_notice(filter, index, val) ) - do_notice(filter, index, val); + if ( check_threshold(filter, index, val) ) + threshold_crossed_alert( filter, index, val ); + #do_notice(filter, index, val); } From 6244bf43088c459450496fbead708bef980407d2 Mon Sep 17 00:00:00 2001 From: Sheharbano Khattak Date: Wed, 17 Oct 2012 04:13:13 +0500 Subject: [PATCH 012/134] Started the branch testing2 --- scripts/base/frameworks/metrics/main.bro | 118 ++++++------------ .../base/frameworks/metrics/non-cluster.bro | 1 - 2 files changed, 35 insertions(+), 84 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index d4bfd8bd5f..ebe5170062 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -11,10 +11,14 @@ export { ## The default interval used for "breaking" metrics and writing the ## current value to the logging stream. const default_break_interval = 15mins &redef; + + ## The default number of metric items which trigger + ## filter$custom_check_threshold + const default_trigger_custom_check_threshold = 10 &redef; ## This is the interval for how often threshold based notices will happen ## after they have already fired. - const renotice_interval = 12hr &redef; + const threshold_series_restart_interval = 1hr &redef; ## Represents a thing which is having metrics collected for it. An instance ## of this record type and an id together represent a single measurement. 
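Review bot: Renaming the exported, `&redef`-able `renotice_interval` to `threshold_series_restart_interval` breaks every site script that does `redef Metrics::renotice_interval`; if the rename is wanted, keep the old name as a deprecated alias for one release or call out the break in the commit message. The doc comment above the new name still describes "how often threshold based notices will happen after they have already fired", which matches neither the name nor its new purpose of expiring `threshold_series_index` entries (see the hunk on L60); suggest `## How long a filter's position in $threshold_series is remembered before it restarts from the first threshold.`. The `default_trigger_custom_check_threshold` comment would read better as a sentence: `## Default number of observations between invocations of $custom_check_threshold.`.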
@@ -96,33 +100,22 @@ export { ## thresholding and statistics gathering utility that is meant to ## never log but rather to generate notices and derive data. log: bool &default=T; - ## If this and a $notice_threshold value are set, this notice type - ## will be generated by the metrics framework. - note: Notice::Type &optional; - - ## Sheharbano's additions - ##-------------------------------------------- ## A straight threshold for generating a notice. default_threshold: count &optional; - ## Represents Index specific thresholds, that is we can - ## have different thresholds for different Index values. - ## If the threshold for an Index is not specified in , - ## will be used as default. - custom_thresholds: table[Index] of count &optional; ## A predicate so that you can decide when to flexibly declare when ## a threshold crossed, and do extra stuff custom_check_threshold: function(index: Index, default_thresh: count, - custom_thresh: table[Index] of count, val: count ): bool &optional; + val: count ): bool &optional; ## Even if custom_check_threshold has been defined, we don't want ## to call it every time because of function call overhead. ## Metrics::Filter$trigger_custom_check_threshold describes how often ## custom_check_threshold will be called - ## e.g. call custom_check_threshold for every 5 items seen by the metrics fw - trigger_custom_check_threshold: count &default=1; + ## e.g. call custom_check_threshold for every 10 items seen by the metrics fw + trigger_custom_check_threshold: count &default=default_trigger_custom_check_threshold; ## A predicate that is called whenever a threshold is crossed ## ToDo: Also have a parameter here that is a sample of the ## observed trackable items - threshold_crossed: function(index: Index, val: count ) &optional; + threshold_crossed: function(index: Index, val: count ); ## A series of thresholds at which to generate notices. threshold_series: vector of count &optional; }; 
@@ -194,7 +187,7 @@ global check_threshold: function(filter: Filter, index: Index, val: count): bool
 global data_added: function(filter: Filter, index: Index, val: count);
 # This stores the current threshold index for filters using $threshold_series.
-global threshold_series_index: table[string, string, Index] of count = {} &create_expire=renotice_interval &default=0;
+global threshold_series_index: table[string, string, Index] of count = {} &create_expire=threshold_series_restart_interval &default=0;
 event bro_init() &priority=5
 {
@@ -278,23 +271,35 @@ function add_filter(id: string, filter: Filter) print fmt("INVALID Metric filter: Filter with name \"%s\" already exists.", filter$name); return; } - if ( filter?$threshold_series && ( filter?$default_threshold || filter?$custom_thresholds ) ) + if ( !filter?$threshold_series && !filter?$default_threshold ) { - print "INVALID Metric filter: Cannot define $custom_thresholds and $default_threshold with $threshold_series"; + print "INVALID Metric filter: Must define one of $default_threshold and $threshold_series"; return; } - if ( !filter?$default_threshold && !filter?$custom_thresholds && !filter?$threshold_series ) + if ( filter?$threshold_series && filter?$custom_check_threshold ) { - print "INVALID Metric filter: Must define one of $default_threshold, $custom_thresholds and threshold_series"; + print "INVALID Metric filter: Cannot define $custom_check_threshold with $threshold_series"; return; } - - #Bro throws error anyway when a non-optional record field is missing - #if ( !filter?$threshold_crossed ) - # { - # print "INVALID Metric filter: Must define the function $threshold_crossed"; - # return; - # } + if ( filter?$threshold_series && filter?$default_threshold ) + { + print "INVALID Metric filter: Cannot define both $default_threshold and $threshold_series"; + return; + } + if ( filter?$custom_check_threshold && !filter?$default_threshold ) + { + print "INVALID Metric filter: Must define $default_threshold with $custom_check_threshold"; + return; + } + if ( !filter?$trigger_custom_check_threshold && filter?$custom_check_threshold ) + { + print "INVALID Metric filter: You defined $trigger_custom_check_threshold but $custom_check_threshold is missing"; + return; + } + if ( !filter?$trigger_custom_check_threshold && filter?$custom_check_threshold ) + { + print "WARNING Metric filter: You did not define $trigger_custom_check_threshold (default will be used)"; + } if ( ! filter?$id ) filter$id = id; 
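Review bot: The last two checks added to add_filter test the same condition, `!filter?$trigger_custom_check_threshold && filter?$custom_check_threshold`, so the second branch that prints the WARNING about the default being used can never run, because the first branch returns. The message of the first branch also describes the opposite case from its condition; presumably it was meant to read `if ( filter?$trigger_custom_check_threshold && !filter?$custom_check_threshold )`. Since $trigger_custom_check_threshold carries a &default in the Filter record, it is worth confirming whether `?$` ever reports it unset before relying on either branch. add_filter's body continues outside the hunk.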
@@ -384,91 +389,38 @@ function add_unique(id: string, index: Index, data: string) function check_threshold(filter: Filter, index: Index, val: count): bool { - ## It's possible for a user to skip defining either default_threshold or custom_thresholds. - ## Therefore must check which one is missing, so we can craft and send a dummy value in the function - - local cust_thresh: table[Index] of count; local def_thresh = 0; - if ( filter?$custom_thresholds ) - cust_thresh = filter$custom_thresholds; - if ( filter?$default_threshold ) def_thresh = filter$default_threshold; if ( filter?$custom_check_threshold && ( val%filter$trigger_custom_check_threshold == 0 ) ) - return filter$custom_check_threshold( index, def_thresh, cust_thresh, val ); + return filter$custom_check_threshold( index, def_thresh, val ); # No custom check threshold defined else if ( !filter?$custom_check_threshold ) { - if ( index in cust_thresh ) - { - if ( val > cust_thresh[index] ) - return T; - } - else if ( filter?$default_threshold ) + if ( filter?$default_threshold ) { if ( val > def_thresh) - { - if ( index$str == "80/tcp") - print fmt("default threshold--val is %d for index %s",val,index); return T; - } } else if ( filter?$threshold_series ) { - #print threshold_series_index[filter$id, filter$name, index]; if ( |filter$threshold_series| >= threshold_series_index[filter$id, filter$name, index] && val >= filter$threshold_series[threshold_series_index[filter$id, filter$name, index]] ) - { - if ( index$str == "80/tcp") - print fmt("series threshold--val is %d for index %s",val,index); return T; - } } - - return F; } - #else if ( !filter?$custom_check_threshold ) - # { - # if ( index in cust_thresh ) - # { - # if ( val > cust_thresh[index] ) - # return T; - # } - # else if ( val > def_thresh) - # return T; - # } - return F; } function threshold_crossed_alert(filter: Filter, index: Index, val: count) { - # We include $peer_descr here because the a manager count have actually - # generated the notice 
even though the current remote peer for the event - # calling this could be a worker if this is running as a cluster. - #local n: Notice::Info = [$note=filter$note, - # $n=val, - # $metric_index=index, - # $peer_descr=peer_description]; - #n$msg = fmt("Threshold crossed by %s %d/%d", index2str(index), val, filter$notice_threshold); - #if ( index?$str ) - # n$sub = index$str; - #if ( index?$host ) - # n$src = index$host; - # TODO: not sure where to put the network yet. - - #NOTICE(n); - if ( filter?$threshold_crossed ) filter$threshold_crossed( index, val ); - # Resetting unique values - #local metric_tbl = store[filter$id, filter$name]; - #metric_tbl[index]$unique_vals = set(); # If I don't reset here, the value just keeps # retriggering once the threshold has been exceeded if ( !filter?$threshold_series ) diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro index dc0daea2be..ccd0414b2b 100644 --- a/scripts/base/frameworks/metrics/non-cluster.bro +++ b/scripts/base/frameworks/metrics/non-cluster.bro @@ -18,5 +18,4 @@ function data_added(filter: Filter, index: Index, val: count) { if ( check_threshold(filter, index, val) ) threshold_crossed_alert( filter, index, val ); - #do_notice(filter, index, val); } From d5cf730b516eb9ef32986345642f141c154b1b4c Mon Sep 17 00:00:00 2001 From: Sheharbano Khattak Date: Thu, 18 Oct 2012 13:45:31 +0500 Subject: [PATCH 013/134] Added str to pred function --- scripts/base/frameworks/metrics/main.bro | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index ebe5170062..174b30a09a 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro 
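Review bot: The threshold_series branch that check_threshold keeps compares with `|filter$threshold_series| >= threshold_series_index[...]`, which admits an index equal to the vector length and then reads one element past the end once `++threshold_series_index` at the bottom of threshold_crossed_alert has advanced past the last threshold; `>` looks like the intended bound, since Bro vectors are zero-indexed. The custom-check path evaluates `val%filter$trigger_custom_check_threshold`, and none of the validation this commit adds to add_filter rejects a filter that sets that field to 0, which would presumably fail as a modulo by zero the first time data arrives. Both functions continue outside the hunk.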
@@ -81,7 +81,7 @@ export {
 id: string &optional;
 ## A predicate so that you can decide per index if you would like
 ## to accept the data being inserted.
- pred: function(index: Index): bool &optional;
+ pred: function(index: Index, str: string): bool &optional;
 ## A function to normalize the index. This can be used to normalize
 ## any field in the index and is likely most useful to normalize
 ## the $str field.
@@ -328,7 +328,7 @@ function add_it(id: string, index: Index, integer_value: bool, num: count, str:
 # If this filter has a predicate, run the predicate and skip this
 # index if the predicate return false.
- if ( filter?$pred && ! filter$pred(index) )
+ if ( filter?$pred && ! filter$pred(index,str) )
 next;
 if ( index?$host )
From d9195076b17332420b9131272d66a246409efe50 Mon Sep 17 00:00:00 2001
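Review bot: The doc comment above `pred` still describes a predicate over the index alone, but the signature now also receives `str`; the comment should say what that second argument is, e.g. `## The string data being added is passed as the second argument so the predicate can inspect it.` This is also an API change for every existing filter that defines `pred: function(index: Index): bool`, which the commit message does not mention. From add_it's signature it is not visible here what `str` holds when `integer_value` is true, so that is worth documenting as well; add_it's body continues outside the hunk.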
From: Seth Hall
Date: Fri, 16 Nov 2012 02:37:52 -0500
Subject: [PATCH 014/134] Metrics framework checkpoint.
- New scan.bro merged in and reworked a bit.
- Updated metrics API. Now possible to calculate much more.
---
 scripts/base/frameworks/metrics/cluster.bro | 105 ++--
 scripts/base/frameworks/metrics/main.bro | 520 +++++++++++-------
 .../base/frameworks/metrics/non-cluster.bro | 10 +-
 .../protocols/conn/conn-stats-per-host.bro | 22 +
 scripts/policy/protocols/conn/scan.bro | 320 +++++++++++
 scripts/policy/protocols/http/detect-sqli.bro | 35 +-
 .../protocols/ssh/detect-bruteforcing.bro | 15 +-
 scripts/site/local.bro | 3 +
 .../manager-1..stdout | 1 +
 .../.stdout | 10 +
 .../base/frameworks/metrics/basic-cluster.bro | 40 +-
 .../scripts/base/frameworks/metrics/basic.bro | 14 +-
 .../metrics/cluster-intermediate-update.bro | 45 +-
 .../base/frameworks/metrics/notice.bro | 20 -
 .../base/frameworks/metrics/thresholding.bro | 47 ++
 15 files changed, 851 insertions(+), 356 deletions(-)
 create mode 100644 scripts/policy/protocols/conn/conn-stats-per-host.bro
 create mode 100644 scripts/policy/protocols/conn/scan.bro
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout
 delete mode 100644 testing/btest/scripts/base/frameworks/metrics/notice.bro
 create mode 100644 testing/btest/scripts/base/frameworks/metrics/thresholding.bro
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro
index 19f431460f..9650b80554 100644
--- a/scripts/base/frameworks/metrics/cluster.bro
+++ b/scripts/base/frameworks/metrics/cluster.bro
@@ -3,9 +3,6 @@
 ##! and will be depending on if the cluster framework has been enabled.
 ##! The goal of this script is to make metric calculation completely and
 ##! transparently automated when running on a cluster.
-##!
-##! Events defined here are not exported deliberately because they are meant
-##! to be an internal implementation detail.
 @load base/frameworks/cluster
 @load ./main
@@ -24,36 +21,34 @@ export { ## since it may opt not to if it requested a global view for the index ## recently. const cluster_request_global_view_percent = 0.1 &redef; - - ## Event sent by the manager in a cluster to initiate the - ## collection of metrics values for a filter. + + # Event sent by the manager in a cluster to initiate the + # collection of metrics values for a filter. global cluster_filter_request: event(uid: string, id: string, filter_name: string); - ## Event sent by nodes that are collecting metrics after receiving - ## a request for the metric filter from the manager. + # Event sent by nodes that are collecting metrics after receiving + # a request for the metric filter from the manager. global cluster_filter_response: event(uid: string, id: string, filter_name: string, data: MetricTable, done: bool); - ## This event is sent by the manager in a cluster to initiate the - ## collection of a single index value from a filter. It's typically - ## used to get intermediate updates before the break interval triggers - ## to speed detection of a value crossing a threshold. + # This event is sent by the manager in a cluster to initiate the + # collection of a single index value from a filter. It's typically + # used to get intermediate updates before the break interval triggers + # to speed detection of a value crossing a threshold. global cluster_index_request: event(uid: string, id: string, filter_name: string, index: Index); - ## This event is sent by nodes in response to a - ## :bro:id:`Metrics::cluster_index_request` event. - global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, data: DataPoint); + # This event is sent by nodes in response to a + # :bro:id:`Metrics::cluster_index_request` event. 
+ global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, val: ResultVal); - ## This is sent by workers to indicate that they crossed the percent of the - ## current threshold by the percentage defined globally in - ## :bro:id:`Metrics::cluster_request_global_view_percent` - global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Metrics::Index, val: count); + # This is sent by workers to indicate that they crossed the percent of the + # current threshold by the percentage defined globally in + # :bro:id:`Metrics::cluster_request_global_view_percent` + global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Metrics::Index); - ## This event is scheduled internally on workers to send result chunks. + # This event is scheduled internally on workers to send result chunks. global send_data: event(uid: string, id: string, filter_name: string, data: MetricTable); - } - # This is maintained by managers so they can know what data they requested and # when they requested it. global requested_results: table[string] of time = table() &create_expire=5mins; @@ -76,7 +71,7 @@ global done_with: table[string] of count &create_expire=5mins &default=0; # This variable is maintained by managers to track intermediate responses as # they are getting a global view for a certain index. -global index_requests: table[string, string, string, Index] of DataPoint &create_expire=5mins &default=[]; +global index_requests: table[string, string, string, Index] of ResultVal &create_expire=5mins &default=[]; # This variable is maintained by all hosts for different purposes. Non-managers # maintain it to know what indexes they have recently sent as intermediate 
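Review bot: The closing `}` of the export block is removed at the end of the `@@ -24,36 +21,34 @@` hunk and no replacement brace appears on its new side, so unless the block is closed somewhere outside this hunk, cluster.bro's export block is left unterminated. The event comments changing from `##` to `#` suggest the intent was to move the events out of export, in which case a `}` belongs right after `const cluster_request_global_view_percent = 0.1 &redef;`. If the events are meant to stay exported, restoring the `##` comments would keep them in the generated documentation.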
@@ -95,23 +90,20 @@ redef Cluster::worker2manager_events += /Metrics::cluster_(filter_response|index @if ( Cluster::local_node_type() != Cluster::MANAGER ) # This is done on all non-manager node types in the event that a metric is # being collected somewhere other than a worker. -function data_added(filter: Filter, index: Index, val: count) +function data_added(filter: Filter, index: Index, val: ResultVal) { # If an intermediate update for this value was sent recently, don't send # it again. if ( [filter$id, filter$name, index] in recent_global_view_indexes ) return; - + # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that # crosses the full threshold then it's a candidate to send as an # intermediate update. - local pct_val = double_to_count(val / cluster_request_global_view_percent); - - if ( check_threshold(filter, index, pct_val) ) + if ( check_thresholds(filter, index, val, cluster_request_global_view_percent) ) { # kick off intermediate update - event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index, val); - + event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index); ++recent_global_view_indexes[filter$id, filter$name, index]; } } @@ -137,9 +129,6 @@ event Metrics::send_data(uid: string, id: string, filter_name: string, data: Met # If data is empty, this metric is done. if ( |data| == 0 ) done = T; - - #print "Here is local_data"; - #print local_data; event Metrics::cluster_filter_response(uid, id, filter_name, local_data, done); if ( ! done ) 
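Review bot: The comment above the `check_thresholds` call in data_added still explains `pct_val`, a local that this hunk removes, so it now describes a computation that no longer happens. Something like `# Pass the global view percent to check_thresholds as a modifier so a value that reaches only that fraction (0.1 = 10%) of a threshold on this node is treated as a candidate for an intermediate update.` would match the new code. How check_thresholds applies the fourth argument is not visible in this hunk, so that wording should be checked against its definition.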
@@ -148,7 +137,7 @@ event Metrics::send_data(uid: string, id: string, filter_name: string, data: Met event Metrics::cluster_filter_request(uid: string, id: string, filter_name: string) { - #print fmt("WORKER %s: received the cluster_filter_request event.", Cluster::node); + #print fmt("WORKER %s: received the cluster_filter_request event for %s.", Cluster::node, id); # Initiate sending all of the data for the requested filter. event Metrics::send_data(uid, id, filter_name, store[id, filter_name]); @@ -160,12 +149,12 @@ event Metrics::cluster_filter_request(uid: string, id: string, filter_name: stri event Metrics::cluster_index_request(uid: string, id: string, filter_name: string, index: Index) { - local data: DataPoint; - if ( index in store[id, filter_name] ) - data = store[id, filter_name][index]; - - # fmt("WORKER %s: received the cluster_index_request event for %s=%d.", Cluster::node, index2str(index), val); - event Metrics::cluster_index_response(uid, id, filter_name, index, data); + if ( [id, filter_name] in store && index in store[id, filter_name] ) + { + local data = store[id, filter_name][index]; + #print fmt("WORKER %s: received the cluster_index_request event for %s=%s.", Cluster::node, index2str(index), data); + event Metrics::cluster_index_response(uid, id, filter_name, index, data); + } } @endif @@ -177,7 +166,6 @@ event Metrics::cluster_index_request(uid: string, id: string, filter_name: strin event Metrics::log_it(filter: Filter) { #print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id); - local uid = unique_id(""); # Set some tracking variables. 
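Review bot: With the added `[id, filter_name] in store && index in store[id, filter_name]` guard, a worker that has no data for the requested index sends no `cluster_index_response` at all, but the manager's handler in the next hunk only finishes a request when `done_with[uid]` reaches `Cluster::worker_count`, so one worker without the index leaves the request pending until the `index_requests` and `done_with` entries expire after 5 minutes. Responding with an empty value keeps the count consistent: `else event Metrics::cluster_index_response(uid, id, filter_name, index, []);`. `ResultVal` has `num &default=0` and otherwise optional fields, so an empty record should merge cleanly, though that is worth confirming against merge_result_vals.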
@@ -187,39 +175,44 @@ event Metrics::log_it(filter: Filter) # Request data from peers. event Metrics::cluster_filter_request(uid, filter$id, filter$name); # Schedule the log_it event for the next break period. - schedule filter$break_interval { Metrics::log_it(filter) }; + schedule filter$every { Metrics::log_it(filter) }; } # This is unlikely to be called often, but it's here in case there are metrics # being collected by managers. -function data_added(filter: Filter, index: Index, val: count) +function data_added(filter: Filter, index: Index, val: ResultVal) { - if ( check_threshold(filter, index, val) ) - threshold_crossed_alert( filter, index, val ); - #do_notice(filter, index, val); + if ( check_thresholds(filter, index, val, 1.0) ) + threshold_crossed(filter, index, val); } -event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, data: DataPoint) +event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) { - #print fmt("%0.6f MANAGER: receiving index data from %s", network_time(), get_event_peer()$descr); + #print fmt("%0.6f MANAGER: receiving index data from %s - %s=%s", network_time(), get_event_peer()$descr, index2str(index), val); - index_requests[uid, id, filter_name, index] = merge_data_points(index_requests[uid, id, filter_name, index], data); + local merged_val = merge_result_vals(index_requests[uid, id, filter_name, index], val); + index_requests[uid, id, filter_name, index] = merged_val; local ir = index_requests[uid, id, filter_name, index]; + # Mark that this worker is done. ++done_with[uid]; + + #print ir; + #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); + if ( Cluster::worker_count == done_with[uid] ) { - local size = ir?$num ? 
ir$num : |ir$unique_vals|; - if ( check_threshold(filter_store[id, filter_name], index, size) ) - threshold_crossed_alert( filter_store[id, filter_name], index, size ); - #do_notice(filter_store[id, filter_name], index, size); + if ( check_thresholds(filter_store[id, filter_name], index, ir, 1.0) ) + { + threshold_crossed(filter_store[id, filter_name], index, ir); + } delete done_with[uid]; delete index_requests[uid, id, filter_name, index]; } } # Managers handle intermediate updates here. -event Metrics::cluster_index_intermediate_response(id: string, filter_name: string, index: Index, val: count) +event Metrics::cluster_index_intermediate_response(id: string, filter_name: string, index: Index) { #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting index data for %s", index2str(index)); @@ -237,12 +230,12 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str for ( index in data ) { if ( index in local_data ) - local_data[index] = merge_data_points(local_data[index], data[index]); + local_data[index] = merge_result_vals(local_data[index], data[index]); else local_data[index] = data[index]; } - # Mark another worker as being "done" for this uid. + # Mark another worker as being "done" for this uid. if ( done ) ++done_with[uid]; diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 174b30a09a..8e40e76e02 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -1,7 +1,5 @@ ##! The metrics framework provides a way to count and measure data. -@load base/frameworks/notice - module Metrics; export { 
@@ -11,15 +9,21 @@ export { ## The default interval used for "breaking" metrics and writing the ## current value to the logging stream. const default_break_interval = 15mins &redef; - - ## The default number of metric items which trigger - ## filter$custom_check_threshold - const default_trigger_custom_check_threshold = 10 &redef; ## This is the interval for how often threshold based notices will happen ## after they have already fired. const threshold_series_restart_interval = 1hr &redef; + type Calculation: enum { + SUM, + MIN, + MAX, + VARIANCE, + STD_DEV, + AVG, + UNIQUE, + }; + ## Represents a thing which is having metrics collected for it. An instance ## of this record type and an id together represent a single measurement. type Index: record { 
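Review bot: The new `Calculation` enum and its seven values are exported without any `##` documentation, unlike the surrounding exported constants and types, so the generated docs will not say what each measurement computes or which `DataPoint` field it reads. A one-line `##` comment per value (for example `## Sum of all numeric values added.` on SUM and `## Number of distinct values added.` on UNIQUE) plus `## The measurements a filter can perform on its data.` on the type would cover it. The comment on `threshold_series_restart_interval` also still speaks of "threshold based notices" although this commit drops the `@load base/frameworks/notice` dependency.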
@@ -40,12 +44,47 @@ export { network: subnet &optional; } &log; - ## Represents data being added for a single metric data point. Used internally. + ## Represents data being added for a single metric data point. type DataPoint: record { - num: count &optional; - unique_vals: set[string] &optional; + num: count &optional; + dbl: double &optional; + str: string &optional; }; - + + ## Value supplied when a metric is finished. It contains all + ## of the measurements collected for the metric. + type ResultVal: record { + ## The number of measurements received. + num: count &log &default=0; + + ## For numeric data, this tracks the sum of all values. + sum: double &log &optional; + + ## For numeric data, this tracks the minimum value given. + min: double &log &optional; + + ## For numeric data, this tracks the maximum value given. + max: double &log &optional; + + ## For numeric data, this calculates the average of all values. + avg: double &log &optional; + + ## For numeric data, this calculates the variance. + variance: double &log &optional; + + ## For numeric data, this calculates the standard deviation. + std_dev: double &log &optional; + + ## If cardinality is being tracked, the number of unique + ## items is tracked here. + unique: count &log &optional; + + ## A sample of something being measured. This is helpful in + ## some cases for collecting information to do further detection + ## or better logging for forensic purposes. + sample: set[DataPoint] &optional; + }; + ## The record type that is used for logging metrics. type Info: record { ## Timestamp at which the metric was "broken". 
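Review bot: `ResultVal$sample` is typed `set[DataPoint]`, so two identical data points collapse into one entry; combined with the `samples: count` field this commit adds to Filter, a caller asking for N samples can receive fewer whenever the same value repeats. If that is intended, the comment should say so, e.g. `## Identical data points are only stored once.`; if not, a vector would preserve them. The `DataPoint` comment also no longer says which of `num`, `dbl` and `str` a caller is expected to set, which the `Calculation` values presumably depend on.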
@@ -57,67 +96,58 @@ export { ## the data so this is necessary to understand the value. filter_name: string &log; ## What measurement the metric represents. - metric_id: string &log; + metric: string &log; ## What the metric value applies to. index: Index &log; ## The simple numeric value of the metric. - value: count &log; + result: ResultVal &log; }; - # TODO: configure a metrics filter logging stream to log the current - # metrics configuration in case someone is looking through - # old logs and the configuration has changed since then. - ## Filters define how the data from a metric is aggregated and handled. - ## Filters can be used to set how often the measurements are cut or "broken" + ## Filters can be used to set how often the measurements are cut ## and logged or how the data within them is aggregated. It's also - ## possible to disable logging and use filters for thresholding. + ## possible to disable logging and use filters solely for thresholding. type Filter: record { ## The name for this filter so that multiple filters can be ## applied to a single metrics to get a different view of the same ## metric data being collected (different aggregation, break, etc). - name: string &default="default"; - ## The :bro:type:`Metrics::ID` that this filter applies to. - id: string &optional; + name: string &default="default"; + ## The metric that this filter applies to. + id: string &optional; + ## The measurements to perform on the data. + measure: set[Calculation] &optional; ## A predicate so that you can decide per index if you would like ## to accept the data being inserted. - pred: function(index: Index, str: string): bool &optional; - ## A function to normalize the index. This can be used to normalize - ## any field in the index and is likely most useful to normalize - ## the $str field. - normalize_func: function(index: Index): Index &optional; - ## Global mask by which you'd like to aggregate traffic. 
- aggregation_mask: count &optional; - ## This is essentially a mapping table between addresses and subnets. - aggregation_table: table[subnet] of subnet &optional; + pred: function(index: Metrics::Index, data: DataPoint): bool &optional; + ## A function to normalize the index. This can be used to aggregate or + ## normalize the entire index. + normalize_func: function(index: Metrics::Index): Index &optional; + ## Global mask by to aggregate traffic measuring an attribute of hosts. + ## This is a special case of the normalize_func. + aggregation_mask: count &optional; ## The interval at which this filter should be "broken" and written ## to the logging stream. The counters are also reset to zero at ## this time so any threshold based detection needs to be set to a ## number that should be expected to happen within this period. - break_interval: interval &default=default_break_interval; + every: interval &default=default_break_interval; ## This determines if the result of this filter is sent to the metrics ## logging stream. One use for the logging framework is as an internal ## thresholding and statistics gathering utility that is meant to ## never log but rather to generate notices and derive data. - log: bool &default=T; - ## A straight threshold for generating a notice. - default_threshold: count &optional; + log: bool &default=T; + ## A direct threshold for calling the $threshold_crossed function when + ## the SUM is greater than or equal to this value. + threshold: count &optional; + ## A series of thresholds for calling the $threshold_crossed function. + threshold_series: vector of count &optional; ## A predicate so that you can decide when to flexibly declare when - ## a threshold crossed, and do extra stuff - custom_check_threshold: function(index: Index, default_thresh: count, - val: count ): bool &optional; - ## Even if custom_check_threshold has been defined, we don't want - ## to call it every time because of function call overhead. 
- ## Metrics::Filter$trigger_custom_check_threshold describes how often - ## custom_check_threshold will be called - ## e.g. call custom_check_threshold for every 10 items seen by the metrics fw - trigger_custom_check_threshold: count &default=default_trigger_custom_check_threshold; - ## A predicate that is called whenever a threshold is crossed - ## ToDo: Also have a parameter here that is a sample of the - ## observed trackable items - threshold_crossed: function(index: Index, val: count ); - ## A series of thresholds at which to generate notices. - threshold_series: vector of count &optional; + ## a threshold crossed, and do extra work. + threshold_func: function(index: Metrics::Index, val: Metrics::ResultVal): bool &optional; + ## A function callback that is called when a threshold is crossed. + threshold_crossed: function(index: Metrics::Index, val: Metrics::ResultVal) &optional; + ## A number of sample DataPoints to collect for the threshold + ## crossing callback. + samples: count &optional; }; ## Function to associate a metric filter with a metric ID. 
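Review bot: The comment on `aggregation_mask` reads `## Global mask by to aggregate traffic measuring an attribute of hosts.`, which is missing a word; `## Global mask by which to aggregate traffic measuring an attribute of hosts.` is presumably what was meant. `threshold` is declared as `count` while its comment compares it against the SUM, which `ResultVal` stores as a `double`, so the comparison involves a conversion the doc could state, and `threshold_series` has no comment saying which measurement it compares at all. The `threshold_func` comment (`decide when to flexibly declare when a threshold crossed`) also reads awkwardly; `## A predicate that decides whether the threshold has been crossed for this index and value.` would be clearer if that is its role.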
@@ -125,70 +155,72 @@ export { ## id: The metric ID that the filter should be associated with. ## ## filter: The record representing the filter configuration. - global add_filter: function(id: string, filter: Filter); + global add_filter: function(id: string, filter: Metrics::Filter); - ## Add data into a :bro:type:`Metrics::ID`. This should be called when + ## Add data into a metric. This should be called when ## a script has measured some point value and is ready to increment the ## counters. ## - ## id: The metric ID that the data represents. + ## id: The metric identifier that the data represents. ## ## index: The metric index that the value is to be added to. ## ## increment: How much to increment the counter by. - global add_data: function(id: string, index: Index, increment: count); - - # This function does the following: - # If index (src,) doesn't exist, it creates an entry for this index. It - # adds data (c$id$orig_h) to a set associated with this index. If the number - # of unique data values for an index exceeds threshold, a notice is generated. - # So the threshold applies to the number of unique data values associated with - # an index. - - global add_unique: function(id: string, index: Index, data: string); + global add_data: function(id: string, index: Metrics::Index, data: Metrics::DataPoint); ## Helper function to represent a :bro:type:`Metrics::Index` value as - ## a simple string + ## a simple string. ## ## index: The metric index that is to be converted into a string. ## ## Returns: A string reprentation of the metric index. - global index2str: function(index: Index): string; - - ## Event that is used to "finish" metrics and adapt the metrics - ## framework for clustered or non-clustered usage. - ## - ## ..note: This is primarily intended for internal use. - global log_it: event(filter: Filter); - + global index2str: function(index: Metrics::Index): string; + ## Event to access metrics records as they are passed to the logging framework. 
- global log_metrics: event(rec: Info); + global log_metrics: event(rec: Metrics::Info); - ## Type to store a table of metrics values. Interal use only! - type MetricTable: table[Index] of DataPoint; } -redef record Notice::Info += { - metric_index: Index &log &optional; +redef record ResultVal += { + # Internal use only. Used for incrementally calculating variance. + prev_avg: double &optional; + + # Internal use only. For calculating variance. + var_s: double &optional; + + # Internal use only. This is not meant to be publically available + # because we don't want to trust that we can inspect the values + # since we will like move to a probalistic data structure in the future. + # TODO: in the future this will optionally be a hyperloglog structure + unique_vals: set[DataPoint] &optional; }; +# Type to store a table of metrics values. +type MetricTable: table[Index] of ResultVal; + +# Store the filters indexed on the metric identifier. global metric_filters: table[string] of vector of Filter = table(); + +# Store the filters indexed on the metric identifier and filter name. global filter_store: table[string, string] of Filter = table(); -# This is indexed by metric ID and stream filter name. +# This is indexed by metric id and filter name. global store: table[string, string] of MetricTable = table() &default=table(); -# This function checks if a threshold has been crossed and generates a -# notice if it has. It is also used as a method to implement -# mid-break-interval threshold crossing detection for cluster deployments. -global check_threshold: function(filter: Filter, index: Index, val: count): bool; -# This is hook for watching thresholds being crossed. It is called whenever -# index values are updated and the new val is given as the `val` argument. -global data_added: function(filter: Filter, index: Index, val: count); - # This stores the current threshold index for filters using $threshold_series. 
global threshold_series_index: table[string, string, Index] of count = {} &create_expire=threshold_series_restart_interval &default=0; +# This is hook for watching thresholds being crossed. It is called whenever +# index values are updated and the new val is given as the `val` argument. +# It's only prototyped here because cluster and non-cluster has separate +# implementations. +global data_added: function(filter: Filter, index: Index, val: ResultVal); + +## Event that is used to "finish" metrics and adapt the metrics +## framework for clustered or non-clustered usage. +global log_it: event(filter: Metrics::Filter); + + event bro_init() &priority=5 { Log::create_stream(Metrics::LOG, [$columns=Info, $ev=log_metrics]); 
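Review bot: The new internal comment on `unique_vals` has several typos that will otherwise live in the source for a while: `# Internal use only. This is not meant to be publically available` and `# since we will like move to a probalistic data structure in the future.` should read `publicly`, `likely` and `probabilistic`. In the same hunk the `data_added` comment says "cluster and non-cluster has separate implementations", which should be `have`. The hunk ends inside the `bro_init` handler, whose body continues outside it.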
@@ -206,29 +238,91 @@ function index2str(index: Index): string return fmt("metric_index(%s)", out); } -function merge_data_points(dp1: DataPoint, dp2: DataPoint): DataPoint +function do_calculated_fields(val: ResultVal) { - local result: DataPoint; - if ( dp1?$num || dp2?$num ) + if ( val?$unique_vals ) + val$unique = |val$unique_vals|; + if ( val?$var_s ) + val$variance = (val$num > 1) ? val$var_s/val$num : 0.0; + if ( val?$variance ) + val$std_dev = sqrt(val$variance); + } + +function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal + { + local result: ResultVal; + + # Merge $num + result$num = rv1$num + rv2$num; + + # Merge $sum + if ( rv1?$sum || rv2?$sum ) { - result$num = 0; - if ( dp1?$num ) - result$num += dp1$num; - if ( dp2?$num ) - result$num += dp2$num; + result$sum = 0; + if ( rv1?$sum ) + result$sum += rv1$sum; + if ( rv2?$sum ) + result$sum += rv2$sum; } - - if ( dp1?$unique_vals || dp2?$unique_vals ) + + # Merge $max + if ( rv1?$max && rv2?$max ) + result$max = (rv1$max > rv2$max) ? rv1$max : rv2$max; + else if ( rv1?$max ) + result$max = rv1$max; + else if ( rv2?$max ) + result$max = rv2$max; + + # Merge $min + if ( rv1?$min && rv2?$min ) + result$min = (rv1$min < rv2$min) ? 
rv1$min : rv2$min; + else if ( rv1?$min ) + result$min = rv1$min; + else if ( rv2?$min ) + result$min = rv2$min; + + # Merge $avg + if ( rv1?$avg && rv2?$avg ) + result$avg = ((rv1$avg*rv1$num) + (rv2$avg*rv2$num))/(rv1$num+rv2$num); + else if ( rv1?$avg ) + result$avg = rv1$avg; + else if ( rv2?$avg ) + result$avg = rv2$avg; + + # Merge $prev_avg + if ( rv1?$prev_avg && rv2?$prev_avg ) + result$prev_avg = ((rv1$prev_avg*rv1$num) + (rv2$prev_avg*rv2$num))/(rv1$num+rv2$num); + else if ( rv1?$prev_avg ) + result$prev_avg = rv1$prev_avg; + else if ( rv2?$prev_avg ) + result$prev_avg = rv2$prev_avg; + + # Merge $var_s + if ( rv1?$var_s && rv2?$var_s ) + { + local rv1_avg_sq = (rv1$avg - result$avg); + rv1_avg_sq = rv1_avg_sq*rv1_avg_sq; + local rv2_avg_sq = (rv2$avg - result$avg); + rv2_avg_sq = rv2_avg_sq*rv2_avg_sq; + result$var_s = rv1$num*(rv1$var_s/rv1$num + rv1_avg_sq) + rv2$num*(rv2$var_s/rv2$num + rv2_avg_sq); + } + else if ( rv1?$var_s ) + result$var_s = rv1$var_s; + else if ( rv2?$var_s ) + result$var_s = rv2$var_s; + + if ( rv1?$unique_vals || rv2?$unique_vals ) { result$unique_vals = set(); - if ( dp1?$unique_vals ) - for ( val1 in dp1$unique_vals ) + if ( rv1?$unique_vals ) + for ( val1 in rv1$unique_vals ) add result$unique_vals[val1]; - if ( dp2?$unique_vals ) - for ( val2 in dp2$unique_vals ) + if ( rv2?$unique_vals ) + for ( val2 in rv2$unique_vals ) add result$unique_vals[val2]; - } - + } + + do_calculated_fields(result); return result; } 
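Review bot: The `$unique_vals` branch of `merge_result_vals` does a full set union, and `add_data` (later hunk) inserts every distinct DataPoint into that set, so per-index memory grows with the number of distinct values seen until the filter is reset and, in a cluster, the whole set is carried in each `cluster_filter_response`; a filter keyed on externally supplied strings therefore has a cost proportional to what the remote side sends. A comment above `if ( rv1?$unique_vals || rv2?$unique_vals )` such as `# Full union: the merged set holds every distinct value seen on every node; cost grows with cardinality until reset.` would make that visible to anyone adding a UNIQUE filter. The weighted `$prev_avg` merge appears to be harmless but meaningless after a merge (it is only read by the next Welford step in `add_data`), so a one-line comment stating it is carried for completeness would avoid readers hunting for its purpose.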
@@ -236,24 +330,18 @@ function write_log(ts: time, filter: Filter, data: MetricTable) { for ( index in data ) { - local val = 0; - if ( data[index]?$unique_vals ) - val = |data[index]$unique_vals|; - else - val = data[index]$num; local m: Info = [$ts=ts, - $ts_delta=filter$break_interval, - $metric_id=filter$id, + $ts_delta=filter$every, + $metric=filter$id, $filter_name=filter$name, $index=index, - $value=val]; + $result=data[index]]; if ( filter$log ) Log::write(Metrics::LOG, m); } } - function reset(filter: Filter) { store[filter$id, filter$name] = table(); 
@@ -261,45 +349,16 @@ function reset(filter: Filter) function add_filter(id: string, filter: Filter) { - if ( filter?$aggregation_table && filter?$aggregation_mask ) + if ( filter?$normalize_func && filter?$aggregation_mask ) { - print "INVALID Metric filter: Defined $aggregation_table and $aggregation_mask."; + Reporter::warning(fmt("invalid Metric filter (%s): Defined $normalize_func and $aggregation_mask.", filter$name)); return; } if ( [id, filter$name] in store ) { - print fmt("INVALID Metric filter: Filter with name \"%s\" already exists.", filter$name); + Reporter::warning(fmt("invalid Metric filter (%s): Filter with same name already exists.", filter$name)); return; } - if ( !filter?$threshold_series && !filter?$default_threshold ) - { - print "INVALID Metric filter: Must define one of $default_threshold and $threshold_series"; - return; - } - if ( filter?$threshold_series && filter?$custom_check_threshold ) - { - print "INVALID Metric filter: Cannot define $custom_check_threshold with $threshold_series"; - return; - } - if ( filter?$threshold_series && filter?$default_threshold ) - { - print "INVALID Metric filter: Cannot define both $default_threshold and $threshold_series"; - return; - } - if ( filter?$custom_check_threshold && !filter?$default_threshold ) - { - print "INVALID Metric filter: Must define $default_threshold with $custom_check_threshold"; - return; - } - if ( !filter?$trigger_custom_check_threshold && filter?$custom_check_threshold ) - { - print "INVALID Metric filter: You defined $trigger_custom_check_threshold but $custom_check_threshold is missing"; - return; - } - if ( !filter?$trigger_custom_check_threshold && filter?$custom_check_threshold ) - { - print "WARNING Metric filter: You did not define $trigger_custom_check_threshold (default will be used)"; - } if ( ! filter?$id ) filter$id = id; 
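Review bot: The new check rejects a filter that sets both `$normalize_func` and `$aggregation_mask`, yet `add_data` in the following hunk applies `normalize_func` first and then masks `index$host`, so the two compose cleanly and the rejection looks stale unless there is a reason outside this hunk. Either drop it or keep it with a comment stating the constraint, e.g. `# A normalize_func that rewrites $host would be masked afterwards; reject to avoid surprising aggregation.` if that is the concern. Separately, after `Reporter::warning` the function returns without registering the filter, so a misconfigured filter never logs or thresholds; a comment `# Dropped entirely: a rejected filter produces no data and no notices.` at the first `return;` would make that explicit. The body of `add_filter` continues outside this hunk.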
@@ -311,10 +370,10 @@ function add_filter(id: string, filter: Filter) filter_store[id, filter$name] = filter; store[id, filter$name] = table(); - schedule filter$break_interval { Metrics::log_it(filter) }; + schedule filter$every { Metrics::log_it(filter) }; } -function add_it(id: string, index: Index, integer_value: bool, num: count, str: string) +function add_data(id: string, index: Index, data: DataPoint) { if ( id !in metric_filters ) return; 
@@ -328,103 +387,140 @@ function add_it(id: string, index: Index, integer_value: bool, num: count, str: # If this filter has a predicate, run the predicate and skip this # index if the predicate return false. - if ( filter?$pred && ! filter$pred(index,str) ) + if ( filter?$pred && ! filter$pred(index, data) ) next; - if ( index?$host ) + if ( filter?$normalize_func ) + index = filter$normalize_func(copy(index)); + + if ( index?$host && filter?$aggregation_mask ) { - if ( filter?$normalize_func ) - { - index = filter$normalize_func(copy(index)); - } - - if ( filter?$aggregation_mask ) - { - index$network = mask_addr(index$host, filter$aggregation_mask); - delete index$host; - } - else if ( filter?$aggregation_table ) - { - # Don't add the data if the aggregation table doesn't include - # the given host address. - if ( index$host !in filter$aggregation_table ) - return; - index$network = filter$aggregation_table[index$host]; - delete index$host; - } + index$network = mask_addr(index$host, filter$aggregation_mask); + delete index$host; } local metric_tbl = store[id, filter$name]; - if ( integer_value ) + if ( index !in metric_tbl ) + metric_tbl[index] = []; + + local result = metric_tbl[index]; + + # If a string was given, fall back to 1.0 as the value. + local val = 1.0; + if ( data?$num || data?$dbl ) + val = data?$dbl ? data$dbl : data$num; + + ++result$num; + + if ( SUM in filter$measure ) { - if ( index !in metric_tbl ) - metric_tbl[index] = [$num=0]; - metric_tbl[index]$num += num; - data_added(filter, index, metric_tbl[index]$num); + if ( ! result?$sum ) result$sum = 0; + result$sum += val; } - else + + if ( MIN in filter$measure ) { - if ( index !in metric_tbl ) + if ( ! result?$min ) + result$min = val; + else if (val < result$min) + result$min = val; + } + + if ( MAX in filter$measure ) + { + if ( ! 
result?$max ) + result$max = val; + else if (val > result$max) + result$max = val; + } + + if ( AVG in filter$measure || VARIANCE in filter$measure ) + { + if ( ! result?$avg ) { - local empty_ss: set[string] = set(); - metric_tbl[index] = [$unique_vals=empty_ss]; + result$avg = val; + result$prev_avg = val; + } + else + { + result$prev_avg = result$avg; + result$avg += (val - result$avg) / result$num; } - add metric_tbl[index]$unique_vals[str]; - #print metric_tbl[index]$unique_vals; - #print "-------------------------------------"; - data_added(filter, index, |metric_tbl[index]$unique_vals|); } + + if ( VARIANCE in filter$measure ) + { + if ( ! result?$var_s ) result$var_s = 0.0; + result$var_s += (val - result$prev_avg)*(val - result$avg); + } + + if ( STD_DEV in filter$measure ) + { + #if ( result?$variance ) + # result$std_dev = sqrt(result$variance); + } + + if ( UNIQUE in filter$measure ) + { + if ( ! result?$unique_vals ) result$unique_vals=set(); + add result$unique_vals[data]; + } + + do_calculated_fields(result); + data_added(filter, index, result); } } -function add_data(id: string, index: Index, increment: count) +# This function checks if a threshold has been crossed and generates a +# notice if it has. It is also used as a method to implement +# mid-break-interval threshold crossing detection for cluster deployments. 
+function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_pct: double): bool { - add_it(id, index, T, increment, ""); - } - -function add_unique(id: string, index: Index, data: string) - { - add_it(id, index, F, 0, data); - } - -function check_threshold(filter: Filter, index: Index, val: count): bool - { - local def_thresh = 0; + local watch = 0.0; + if ( val?$unique ) + watch = val$unique; + else if ( val?$sum ) + watch = val$sum; - if ( filter?$default_threshold ) - def_thresh = filter$default_threshold; - - if ( filter?$custom_check_threshold && ( val%filter$trigger_custom_check_threshold == 0 ) ) - return filter$custom_check_threshold( index, def_thresh, val ); + if ( modify_pct < 1.0 && modify_pct > 0.0 ) + watch = watch/modify_pct; - # No custom check threshold defined - else if ( !filter?$custom_check_threshold ) + if ( filter?$threshold && watch >= filter$threshold ) { - if ( filter?$default_threshold ) - { - if ( val > def_thresh) - return T; - } - - else if ( filter?$threshold_series ) - { - if ( |filter$threshold_series| >= threshold_series_index[filter$id, filter$name, index] && - val >= filter$threshold_series[threshold_series_index[filter$id, filter$name, index]] ) - return T; - } + # A default threshold was given and the value crossed it. + return T; } + + if ( filter?$threshold_series && + |filter$threshold_series| >= threshold_series_index[filter$id, filter$name, index] && + watch >= filter$threshold_series[threshold_series_index[filter$id, filter$name, index]] ) + { + # A threshold series was given and the value crossed the next + # value in the series. + return T; + } + + if ( filter?$threshold_func && + filter$threshold_func(index, val) ) + { + # The threshold function indicated it was crossed. 
+ return T; + } + return F; } -function threshold_crossed_alert(filter: Filter, index: Index, val: count) +function threshold_crossed(filter: Filter, index: Index, val: ResultVal) { if ( filter?$threshold_crossed ) - filter$threshold_crossed( index, val ); + filter$threshold_crossed(index, val); # If I don't reset here, the value just keeps - # retriggering once the threshold has been exceeded + # retriggering once the threshold has been exceeded. if ( !filter?$threshold_series ) + { reset(filter); + } else { # This just needs set to some value so that it doesn't refire the diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro index ccd0414b2b..a94370d776 100644 --- a/scripts/base/frameworks/metrics/non-cluster.bro +++ b/scripts/base/frameworks/metrics/non-cluster.bro @@ -6,16 +6,16 @@ event Metrics::log_it(filter: Filter) { local id = filter$id; local name = filter$name; - + write_log(network_time(), filter, store[id, name]); reset(filter); - schedule filter$break_interval { Metrics::log_it(filter) }; + schedule filter$every { Metrics::log_it(filter) }; } -function data_added(filter: Filter, index: Index, val: count) +function data_added(filter: Filter, index: Index, val: ResultVal) { - if ( check_threshold(filter, index, val) ) - threshold_crossed_alert( filter, index, val ); + if ( check_thresholds(filter, index, val, 1.0) ) + threshold_crossed(filter, index, val); } diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro new file mode 100644 index 0000000000..9e532b8590 --- /dev/null +++ b/scripts/policy/protocols/conn/conn-stats-per-host.bro 
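Review bot: In `check_thresholds` the guard `|filter$threshold_series| >= threshold_series_index[...]` admits an index equal to the vector length, and the next clause reads `filter$threshold_series[...]` at that index, one past the last element; the comparison should be `|filter$threshold_series| > threshold_series_index[filter$id, filter$name, index] &&` (unless the increment in `threshold_crossed`, which continues outside the hunk, never lets the index reach the length — I cannot see that part). `watch` stays 0.0 when the filter measures neither UNIQUE nor SUM, so `$threshold` and `$threshold_series` silently never fire for AVG/MIN/MAX-only filters and only `$threshold_func` can; a comment such as `# Only $unique and $sum are compared against $threshold/$threshold_series; other measures need $threshold_func.` would spare the next reader a debugging session. The context line `reset(filter)` in `threshold_crossed` (pre-existing) clears `store[filter$id, filter$name]` for every index, so one host crossing the threshold wipes the in-progress counts of all other hosts in that filter; resetting just the crossing index would keep their state. `add_data` starts in the previous hunk.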
@@ -0,0 +1,22 @@
+
+event bro_init() &priority=5
+ {
+ Metrics::add_filter("conn.orig.data",
+ [$every=5mins,
+ $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]);
+ Metrics::add_filter("conn.resp.data",
+ [$every=5mins,
+ $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]);
+ }
+
+
+event connection_state_remove(c: connection)
+ {
+ if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) )
+ return;
+
+ if ( Site::is_local_addr(c$id$orig_h) )
+ Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]);
+ if ( Site::is_local_addr(c$id$resp_h) )
+ Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]);
+ }
\ No newline at end of file
diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro
new file mode 100644
index 0000000000..4df2697092
--- /dev/null
+++ b/scripts/policy/protocols/conn/scan.bro
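Review bot: `connection_state_remove` dereferences `c$conn$conn_state` and `c$conn$proto` without checking that the `conn` record is attached; I believe `conn` is an `&optional` field added to `connection` by the conn logging script (confirm), in which case a connection that never received it makes this handler fail at runtime, so guard with `if ( ! c?$conn ) return;` before the state test. The new file also has no `##!` header saying what it measures or how the two filters are meant to be consumed (they set no threshold, so they only produce log rows); a header such as `##! Per-local-host size statistics (avg/min/max/variance/std_dev) for completed TCP connections, logged every 5 minutes.` would do.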
@@ -0,0 +1,320 @@
+##! Scan detection
+##!
+##! ..Authors: Sheharbano Kattack
+##! Seth Hall
+##! All the authors of the old scan.bro
+
+module Scan;
+
+export {
+
+ redef enum Notice::Type += {
+ AddressScan,
+ PortScan,
+ };
+
+ const analyze_addr_scan = T &redef;
+ const analyze_port_scan = T &redef;
+
+ ## Interval at which to watch for the
+ ## :bro:id:`Scan::conn_failed_(port|addr)_threshold` variable to be crossed.
+ ## At the end of each interval the counter is reset.
+ const conn_failed_addr_interval = 5min &redef;
+ const conn_failed_port_interval = 5min &redef;
+
+ const default_addr_scan_threshold = 25 &redef;
+ const default_port_scan_threshold = 15 &redef;
+
+ # For address scan
+ const suppress_UDP_scan_checks = T &redef;
+ const suppress_TCP_scan_checks = F &redef;
+ const suppress_ICMP_scan_checks = T &redef;
+
+ global addr_scan_thresh_series: vector of count = vector(100, 200, 300);
+ global port_scan_thresh_series: vector of count = vector(10, 20, 30);
+
+ # Custom threholds based on service for address scan
+ const addr_scan_custom_thresholds: table[port] of count &redef;
+}
+
+function is_failed_conn(c: connection): bool
+ {
+ # Sr || ( (hR || ShR) && (data not sent in any direction) )
+ if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) ||
+ (
+ ((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) ||
+ (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history )
+ ) &&
+ !("D" in c$history || "d" in c$history)
+ ) )
+ return T;
+ return F;
+ }
+
+function is_reverse_failed_conn(c: connection): bool
+ {
+ # reverse scan i.e. conn dest is the scanner
+ # sR || ( (Hr || sHr) && (data not sent in any direction) )
+ if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) ||
+ (
+ ((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) ||
+ (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history )
+ ) &&
+ !("D" in c$history || "d" in c$history)
+ ) )
+ return T;
+ return F;
+ }
+
+function addr_scan_predicate(index: Metrics::Index, data: Metrics::DataPoint): bool
+ {
+ local service = to_port(index$str);
+ local host = index$host;
+
+ local transport_layer_proto = get_port_transport_proto(service);
+ if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) )
+ return F;
+ else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) )
+ return F;
+ else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) )
+ return F;
+
+ # TODO: all of this whitelist/blacklist will be done
+ # through the upcoming hook mechanism
+ # Blacklisting/whitelisting services
+ #if ( |analyze_services| > 0 )
+ # {
+ # if ( service !in analyze_services )
+ # return F;
+ # }
+ #else if ( service in skip_services )
+ # return F;
+ #
+ ## Blacklisting/whitelisting subnets
+ #if ( |analyze_subnets| > 0 && host !in analyze_subnets )
+ # return F;
+
+ return T;
+ }
+
+function port_scan_predicate(index: Metrics::Index, data: Metrics::DataPoint): bool
+ {
+ local service = to_port(data$str);
+ local host = index$host;
+
+ local transport_layer_proto = get_port_transport_proto(service);
+ if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) )
+ return F;
+ else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) )
+ return F;
+ else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) )
+ return F;
+
+ # TODO: all of this whitelist/blacklist will be done
+ # through the upcoming hook mechanism
+ # Blacklisting/whitelisting services
+ #if ( |analyze_services| > 0 )
+ # {
+ # if ( service !in analyze_services )
+ # return F;
+ # }
+ #else if ( service in skip_services )
+ # return F;
+ #
+ ## Blacklisting/whitelisting subnets
+ #if ( |analyze_subnets| > 0 && host !in analyze_subnets )
+ # return F;
+
+ return T;
+ }
+
+function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVal): bool
+ {
+ local service = to_port(index$str);
+
+ return ( service in addr_scan_custom_thresholds &&
+ val$sum > addr_scan_custom_thresholds[service] );
+ }
+
+function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
+ {
+ local direction = Site::is_local_addr(index$host) ? "OutboundScan" : "InboundScan";
+ local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str);
+
+ NOTICE([$note=AddressScan,
+ $src=index$host,
+ $p=to_port(index$str),
+ $sub=direction,
+ $msg=message,
+ $identifier=message]);
+ }
+
+function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
+ {
+ local direction = Site::is_local_addr(index$host) ? "OutboundScan" : "InboundScan";
+ local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str);
+
+ NOTICE([$note=PortScan,
+ $src=index$host,
+ $dst=to_addr(index$str),
+ $sub=direction,
+ $msg=message,
+ $identifier=message]);
+ }
+
+event bro_init() &priority=5
+ {
+ # Add local networks here to determine scan direction
+ # i.e. inbound scan / outbound scan
+ #add Site::local_nets[0.0.0.0/16];
+
+ if ( analyze_addr_scan )
+ {
+ # note=> Addr scan: table [src_ip, port] of set(dst);
+ # Add filters to the metrics so that the metrics framework knows how to
+ # determine when it looks like an actual attack and how to respond when
+ # thresholds are crossed.
+ Metrics::add_filter("scan.addr.fail", [$log=F,
+ $every=conn_failed_addr_interval,
+ $measure=set(Metrics::UNIQUE),
+ $pred=addr_scan_predicate,
+ $threshold_func=check_addr_scan_threshold,
+ $threshold=default_addr_scan_threshold,
+ $threshold_crossed=addr_scan_threshold_crossed]);
+ }
+
+ if ( analyze_port_scan )
+ {
+ # note=> Port Sweep: table[src_ip, dst_ip] of set(port);
+ # Add filters to the metrics so that the metrics framework knows how to
+ # determine when it looks like an actual attack and how to respond when
+ # thresholds are crossed.
+ Metrics::add_filter("scan.port.fail", [$log=F,
+ $every=conn_failed_port_interval,
+ $measure=set(Metrics::UNIQUE),
+ $pred=port_scan_predicate,
+ $threshold=default_port_scan_threshold,
+ $threshold_crossed=port_scan_threshold_crossed]);
+ }
+ }
+
+## Generated when a SYN-ACK packet is seen in response to a SYN
+## packet during a TCP handshake. The final ACK of the handshake
+## in response to SYN-ACK may or may not occur later, one way to
+## tell is to check the history field of connection to see if the
+## originator sent an ACK, indicated by ‘A’ in the history string.
+#event connection_established(c: connection)
+# {
+ # Not useful for scan (too early)
+# }
+
+## Generated when one endpoint of a TCP connection attempted
+## to gracefully close the connection, but the other endpoint
+## is in the TCP_INACTIVE state. This can happen due to split
+## routing, in which Bro only sees one side of a connection.
+#event connection_half_finished(c: connection)
+# {
+ # Half connections never were "established", so do scan-checking here.
+ # I am not taking *f cases of c$history into account. Ask Seth if I should
+# }
+
+function add_metrics(id: conn_id, reverse: bool)
+ {
+ local scanner: addr;
+ local victim: string;
+ local scanned_port: string;
+
+ if ( reverse )
+ {
+ scanner = id$resp_h;
+ victim = cat(id$orig_h);
+ scanned_port = fmt("%s", id$orig_p);
+ }
+ else
+ {
+ scanner = id$orig_h;
+ victim = cat(id$resp_h);
+ scanned_port = fmt("%s", id$resp_p);
+ }
+
+ if ( analyze_addr_scan )
+ Metrics::add_data("scan.addr.fail", [$host=scanner, $str=scanned_port], [$str=victim]);
+ if ( analyze_port_scan )
+ Metrics::add_data("scan.port.fail", [$host=scanner, $str=victim], [$str=scanned_port]);
+ }
+
+## Generated for an unsuccessful connection attempt. This
+## event is raised when an originator unsuccessfully attempted
+## to establish a connection. “Unsuccessful” is defined as at least
+## tcp_attempt_delay seconds having elapsed since the originator
+## first sent a connection establishment packet to the destination
+## without seeing a reply.
+event connection_attempt(c: connection)
+ {
+ local is_reverse_scan = F;
+ if ( "H" in c$history )
+ is_reverse_scan = T;
+
+ add_metrics(c$id, is_reverse_scan);
+ }
+
+## Generated for a rejected TCP connection. This event
+## is raised when an originator attempted to setup a TCP
+## connection but the responder replied with a RST packet
+## denying it.
+event connection_rejected(c: connection)
+ {
+ local is_reverse_scan = F;
+ if ( "s" in c$history )
+ is_reverse_scan = T;
+
+ add_metrics(c$id, is_reverse_scan);
+ }
+
+## Generated when an endpoint aborted a TCP connection.
+## The event is raised when one endpoint of an *established*
+## TCP connection aborted by sending a RST packet.
+event connection_reset(c: connection)
+ {
+ local is_reverse_scan = F;
+ local is_scan = F;
+
+ if ( is_failed_conn(c) )
+ {
+ is_scan = T;
+ is_reverse_scan = F;
+ }
+ else if ( is_reverse_failed_conn(c) )
+ {
+ is_scan = T;
+ is_reverse_scan = T;
+ }
+
+ if ( is_scan )
+ {
+ add_metrics(c$id, is_reverse_scan);
+ }
+ }
+
+## Generated for each still-open connection when Bro terminates.
+event connection_pending(c: connection)
+ {
+ local is_reverse_scan = F;
+ local is_scan = F;
+
+ if ( is_failed_conn(c) )
+ {
+ is_scan = T;
+ is_reverse_scan = F;
+ }
+ else if ( is_reverse_failed_conn(c) )
+ {
+ is_scan = T;
+ is_reverse_scan = T;
+ }
+
+ if ( is_scan )
+ {
+ add_metrics(c$id, is_reverse_scan);
+ }
+ }
\ No newline at end of file
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index 193a4b9614..9dab73c43e 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
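Review bot: `check_addr_scan_threshold` compares `val$sum` against the custom threshold, but the `scan.addr.fail` filter registered in `bro_init` measures only `Metrics::UNIQUE`, so `$sum` is never populated and the first service listed in `addr_scan_custom_thresholds` trips a missing-field error instead of a threshold; `addr_scan_threshold_crossed` already reports `val$unique`, so the comparison should read `val$unique > addr_scan_custom_thresholds[service] );`. `addr_scan_thresh_series` and `port_scan_thresh_series` are exported but never handed to a filter (`$threshold_series` is not set anywhere in this file), so they are dead configuration that a reader will assume is active — either wire them in or drop them. `local host = index$host;` is unused in both predicates, and the export-block comment has `threholds` for `thresholds`.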
@@ -51,14 +51,29 @@ event bro_init() &priority=3 # determine when it looks like an actual attack and how to respond when # thresholds are crossed. - Metrics::add_filter("http.sqli.attacker", [$log=F, - $notice_threshold=sqli_requests_threshold, - $break_interval=sqli_requests_interval, - $note=SQL_Injection_Attacker]); - Metrics::add_filter("http.sqli.victim", [$log=F, - $notice_threshold=sqli_requests_threshold, - $break_interval=sqli_requests_interval, - $note=SQL_Injection_Victim]); + Metrics::add_filter("http.sqli.attacker", + [$every=sqli_requests_interval, + $measure=set(Metrics::SUM), + $threshold=sqli_requests_threshold, + $samples=10, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + NOTICE([$note=SQL_Injection_Attacker, + $msg="An SQL injection attacker was discovered!", + $src=index$host, + $identifier=cat(index$host)]); + }, $log=F]); + + Metrics::add_filter("http.sqli.victim", + [$every=sqli_requests_interval, + $measure=set(Metrics::SUM), + $threshold=sqli_requests_threshold, + $samples=10, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + NOTICE([$note=SQL_Injection_Victim, + $msg="An SQL injection victim was discovered!", + $src=index$host, + $identifier=cat(index$host)]); + }, $log=F]); } event http_request(c: connection, method: string, original_URI: string, @@ -68,7 +83,7 @@ event http_request(c: connection, method: string, original_URI: string, { add c$http$tags[URI_SQLI]; - Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], 1); - Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], 1); + Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]); + Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]); } } diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index 7939f00c72..d0f1b63d70 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro 
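Review bot: The two `add_data` calls in the second hunk pass `[$str=original_URI]` to filters that measure only `SUM`; by `add_data`'s fallback a string-only DataPoint counts as 1.0, so the URI serves purely as a tick, while the SSH script in this same commit passes `[$num=1]` for the identical purpose. Using `[$num=1]` here too, or a comment `# The URI is only a placeholder; SUM counts 1.0 per request.`, would make the intent explicit and keep request URIs out of the metrics path — relevant because `$samples=10` in the first hunk suggests DataPoints may be retained, which I cannot confirm from this diff. The two filter literals in the first hunk differ only in the note and message text, so a small helper that builds the record from those two values would remove the duplication.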
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -42,10 +42,15 @@ export { event bro_init() { Metrics::add_filter("ssh.login.failure", [$name="detect-bruteforcing", $log=F, - $note=Password_Guessing, - $notice_threshold=password_guesses_limit, - $notice_freq=1hr, - $break_interval=guessing_timeout]); + $every=guessing_timeout, + $measure=set(Metrics::SUM), + $threshold=password_guesses_limit, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + NOTICE([$note=Password_Guessing, + $msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum), + $src=index$host, + $identifier=cat(index$host)]); + }]); } event SSH::heuristic_successful_login(c: connection) @@ -70,5 +75,5 @@ event SSH::heuristic_failed_login(c: connection) # be ignored. if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) ) - Metrics::add_data("ssh.login.failure", [$host=id$orig_h], 1); + Metrics::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]); } diff --git a/scripts/site/local.bro b/scripts/site/local.bro index db1a786839..acbef96721 100644 --- a/scripts/site/local.bro +++ b/scripts/site/local.bro @@ -8,6 +8,9 @@ # Apply the default tuning scripts for common tuning settings. @load tuning/defaults +# Load the scan detection script. +@load protocols/conn/scan + # Generate notices when vulnerable versions of software are discovered. # The default is to only monitor software found in the address space defined # as "local". Refer to the software framework's documentation for more diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout new file mode 100644 index 0000000000..2d0750ca18 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout 
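Review bot: The old filter carried `$notice_freq=1hr`, and the replacement `NOTICE` only sets `$identifier=cat(index$host)`, so how often a repeat guesser is reported now depends on the Notice framework's default suppression interval rather than the hour the previous configuration asked for; if that rate is still intended, add `$suppress_for=1hr,` to the NOTICE record and note the reason in a comment. Since `threshold_crossed` in main.bro calls `reset(filter)` for filters without a `$threshold_series`, the count restarts after each notice and, as `reset` clears the whole store, so do the counts of every other origin host in this filter — a one-line comment next to `$threshold=password_guesses_limit` saying the threshold is per-notice rather than per-`$every` window would keep readers from assuming otherwise. The second hunk (`[$num=1]`) is fine.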
@@ -0,0 +1 @@
+A test metric threshold was crossed!
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout
new file mode 100644
index 0000000000..fc881ba68e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout
@@ -0,0 +1,10 @@
+THRESHOLD_SERIES: hit a threshold series value at 3 for metric_index(host=1.2.3.4)
+THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4)
+THRESHOLD_FUNC: hit a threshold function value at 2 for metric_index(host=6.5.4.3)
+THRESHOLD_FUNC: hit a threshold function value at 1 for metric_index(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 6 for metric_index(host=1.2.3.4)
+THRESHOLD_SERIES: hit a threshold series value at 6 for metric_index(host=1.2.3.4)
+THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4)
+THRESHOLD: hit a threshold value at 1000 for metric_index(host=7.2.1.5)
+THRESHOLD_SERIES: hit a threshold series value at 1001 for metric_index(host=7.2.1.5)
+THRESHOLD_FUNC: hit a threshold function value at 1000 for metric_index(host=7.2.1.5)
diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
index acd57f037e..41ef9b57dc 100644
--- a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
@@ -5,15 +5,15 @@ # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT -# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-bg-wait 15 # @TEST-EXEC: btest-diff manager-1/metrics.log @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], }; @TEST-END-FILE @@ -22,8 +22,8 @@ redef Log::default_rotation_interval = 0secs; event bro_init() &priority=5 { Metrics::add_filter("test.metric", - [$name="foo-bar", - $break_interval=3secs]); + [$every=3secs, + $measure=set(Metrics::SUM, Metrics::MIN, Metrics::MAX, Metrics::AVG, Metrics::STD_DEV, Metrics::VARIANCE)]); } event remote_connection_closed(p: event_peer) 
@@ -39,9 +39,25 @@ redef Cluster::manager2worker_events += /ready_for_data/; event ready_for_data() { - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); + if ( Cluster::node == "worker-1" ) + { + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=34]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=30]); + Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=1]); + Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=54]); + } + if ( Cluster::node == "worker-2" ) + { + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=75]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=30]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=57]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=52]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=61]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=95]); + Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=5]); + Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=91]); + } } @endif @@ -53,7 +69,7 @@ global peer_count = 0; event Metrics::log_metrics(rec: Metrics::Info) { - n = n + 1; + ++n; if ( n == 3 ) { terminate_communication(); @@ -64,11 +80,9 @@ event Metrics::log_metrics(rec: Metrics::Info) event remote_connection_handshake_done(p: event_peer) { print p; - peer_count = peer_count + 1; + ++peer_count; if ( peer_count == 3 ) - { event ready_for_data(); - } } @endif diff --git a/testing/btest/scripts/base/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro index 23a79d2bd3..12163ed689 100644 --- a/testing/btest/scripts/base/frameworks/metrics/basic.bro +++ b/testing/btest/scripts/base/frameworks/metrics/basic.bro 
@@ -5,8 +5,14 @@ event bro_init() &priority=5 { Metrics::add_filter("test.metric", [$name="foo-bar", - $break_interval=3secs]); - Metrics::add_data("test.metric", [$host=1.2.3.4], 3); - Metrics::add_data("test.metric", [$host=6.5.4.3], 2); - Metrics::add_data("test.metric", [$host=7.2.1.5], 1); + $every=3secs, + $measure=set(Metrics::SUM, Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=5]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=22]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=94]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=50]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=50]); + + Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=2]); + Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1]); } diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro index eacebaa50e..3341fa1887 100644 --- a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro 
@@ -1,36 +1,33 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff manager-1/notice.log +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff manager-1/.stdout @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE redef Log::default_rotation_interval = 0secs; -redef enum Notice::Type += { - Test_Notice, -}; - event bro_init() &priority=5 { Metrics::add_filter("test.metric", - [$name="foo-bar", - $break_interval=1hr, - $note=Test_Notice, - $notice_threshold=100, - $log=T]); + [$every=1hr, + $measure=set(Metrics::SUM), + $threshold=100, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + print "A test metric threshold was crossed!"; + terminate(); + } + ]); } event remote_connection_closed(p: event_peer) 
@@ -38,24 +35,12 @@ event remote_connection_closed(p: event_peer) terminate(); } -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - -event Notice::log_notice(rec: Notice::Info) - { - terminate_communication(); - terminate(); - } - -@endif - -@if ( Cluster::local_node_type() == Cluster::WORKER ) - event do_metrics(i: count) { # Worker-1 will trigger an intermediate update and then if everything # works correctly, the data from worker-2 will hit the threshold and # should trigger the notice. - Metrics::add_data("test.metric", [$host=1.2.3.4], i); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=i]); } event bro_init() @@ -65,5 +50,3 @@ event bro_init() if ( Cluster::node == "worker-2" ) event do_metrics(1); } - -@endif diff --git a/testing/btest/scripts/base/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro deleted file mode 100644 index 1ed11a968c..0000000000 --- a/testing/btest/scripts/base/frameworks/metrics/notice.bro +++ /dev/null @@ -1,20 +0,0 @@ -# @TEST-EXEC: bro %INPUT -# @TEST-EXEC: btest-diff notice.log - - -redef enum Notice::Type += { - Test_Notice, -}; - -event bro_init() &priority=5 - { - Metrics::add_filter("test.metric", - [$name="foo-bar", - $break_interval=3secs, - $note=Test_Notice, - $notice_threshold=2, - $log=F]); - Metrics::add_data("test.metric", [$host=1.2.3.4], 3); - Metrics::add_data("test.metric", [$host=6.5.4.3], 2); - Metrics::add_data("test.metric", [$host=7.2.1.5], 1); - } diff --git a/testing/btest/scripts/base/frameworks/metrics/thresholding.bro b/testing/btest/scripts/base/frameworks/metrics/thresholding.bro new file mode 100644 index 0000000000..bd0cd6faae --- /dev/null +++ b/testing/btest/scripts/base/frameworks/metrics/thresholding.bro 
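Review bot: The comment kept inside `do_metrics` still says the data from worker-2 "should trigger the notice", but this commit replaces the Notice-based check with a `$threshold_crossed` callback that prints and terminates, so the comment now describes machinery the test no longer has; `# works correctly, the data from worker-2 will hit the threshold and` / `# fire the $threshold_crossed callback, which terminates the test.` would match the new flow. Dropping the `@if ( Cluster::local_node_type() == Cluster::WORKER )` guard means the manager now also defines `do_metrics`; that is harmless because the `bro_init` in the following hunk only raises it on worker-2, but a one-line comment saying so would save the next reader from re-checking.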
@@ -0,0 +1,47 @@ +# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: btest-diff .stdout + + +redef enum Notice::Type += { + Test_Notice, +}; + +event bro_init() &priority=5 + { + Metrics::add_filter("test.metric", + [$name="foobar", + $every=3secs, + $measure=set(Metrics::SUM), + $threshold=5, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + print fmt("THRESHOLD: hit a threshold value at %.0f for %s", val$sum, Metrics::index2str(index)); + }, + $log=F]); + + Metrics::add_filter("test.metric", + [$name="foobar2", + $every=3secs, + $measure=set(Metrics::SUM), + $threshold_series=vector(3,6,800), + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", val$sum, Metrics::index2str(index)); + }, + $log=F]); + Metrics::add_filter("test.metric", + [$every=3secs, + $measure=set(Metrics::SUM), + $threshold_func(index: Metrics::Index, val: Metrics::ResultVal) = { + # This causes any data added to be cross the threshold. + return T; + }, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + print fmt("THRESHOLD_FUNC: hit a threshold function value at %.0f for %s", val$sum, Metrics::index2str(index)); + }, + $log=F]); + + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=2]); + Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1000]); + } From 257b460b18a9364fa74a0c0594c17724875f35e4 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 16 Nov 2012 03:05:43 -0500 Subject: [PATCH 015/134] Updated the app-metrics script to the new metrics api. - Inconsequential change to scan.bro. --- scripts/policy/misc/app-metrics.bro | 35 +++++++++++--------------- scripts/policy/protocols/conn/scan.bro | 2 -- 2 files changed, 14 insertions(+), 23 deletions(-) 
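Review bot: `Test_Notice` is added to `Notice::Type` but nothing in the file raises or references it; all three filters report through `print` in `$threshold_crossed`, so the `redef enum Notice::Type` block is dead and should be dropped. The comment in the third filter, `# This causes any data added to be cross the threshold.`, reads better as `# This makes every data point cross the threshold.`.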
diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index 5cb108ea73..a89d0d8eb3 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro 
@@ -12,48 +12,41 @@ export { event bro_init() &priority=3 { - Metrics::add_filter("apps.bytes", [$break_interval=break_interval]); - Metrics::add_filter("apps.views", [$break_interval=break_interval]); - Metrics::add_filter("apps.users", [$break_interval=break_interval]); + Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM)]); + Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::SUM, Metrics::UNIQUE)]); } function do_metric(id: conn_id, hostname: string, size: count) { if ( /youtube/ in hostname && size > 512*1024 ) { - Metrics::add_data("apps.bytes", [$str="youtube"], size); - Metrics::add_data("apps.views", [$str="youtube"], 1); - Metrics::add_unique("apps.users", [$str="youtube"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="youtube"], [$num=size]); + Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); } else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 ) { - Metrics::add_data("apps.bytes", [$str="facebook"], size); - Metrics::add_data("apps.views", [$str="facebook"], 1); - Metrics::add_unique("apps.users", [$str="facebook"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="facebook"], [$num=size]); + Metrics::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); } else if ( /google.com/ in hostname && size > 20 ) { - Metrics::add_data("apps.bytes", [$str="google"], size); - Metrics::add_data("apps.views", [$str="google"], 1); - Metrics::add_unique("apps.users", [$str="google"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="google"], [$num=size]); + Metrics::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); } else if ( /nflximg.com/ in hostname && size > 200*1024 ) { - Metrics::add_data("apps.bytes", [$str="netflix"], size); - Metrics::add_data("apps.views", [$str="netflix"], 1); - Metrics::add_unique("apps.users", [$str="netflix"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="netflix"], [$num=size]); 
+ Metrics::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); } else if ( /pandora.com/ in hostname && size > 512*1024 ) { - Metrics::add_data("apps.bytes", [$str="pandora"], size); - Metrics::add_data("apps.views", [$str="pandora"], 1); - Metrics::add_unique("apps.users", [$str="pandora"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="pandora"], [$num=size]); + Metrics::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); } else if ( /gmail.com/ in hostname && size > 20 ) { - Metrics::add_data("apps.bytes", [$str="gmail"], size); - Metrics::add_data("apps.views", [$str="gmail"], 1); - Metrics::add_unique("apps.users", [$str="gmail"], cat(id$orig_h)); + Metrics::add_data("apps.bytes", [$str="gmail"], [$num=size]); + Metrics::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); } } diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index 4df2697092..8795cfda06 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro @@ -282,7 +282,6 @@ event connection_reset(c: connection) if ( is_failed_conn(c) ) { is_scan = T; - is_reverse_scan = F; } else if ( is_reverse_failed_conn(c) ) { @@ -305,7 +304,6 @@ event connection_pending(c: connection) if ( is_failed_conn(c) ) { is_scan = T; - is_reverse_scan = F; } else if ( is_reverse_failed_conn(c) ) { From 5b81cfe7e2a8768667ddd19e524819a250d34505 Mon Sep 17 00:00:00 2001 
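Review bot: The new `apps.hits` filter measures `SUM` and `UNIQUE` from a single `[$str=cat(id$orig_h)]` data point, and nothing in this commit states what `SUM` means for a string-valued DataPoint; if it is meant to count points, a comment on the `add_filter` line such as `# SUM on a string point counts hits, UNIQUE counts distinct originators` would make the intent explicit. The `apps.views` and `apps.users` metric ids are removed rather than renamed, so anything elsewhere that consumed those ids presumably now sees nothing; the commit message should call that out.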
From: Seth Hall Date: Mon, 19 Nov 2012 23:42:19 -0500 Subject: [PATCH 016/134] Implemented a nearly generic Queue in scriptland. --- scripts/base/init-default.bro | 1 + scripts/base/utils/queue.bro | 177 ++++++++++++++++++ .../Baseline/scripts.base.utils.queue/output | 11 ++ testing/btest/scripts/base/utils/queue.test | 35 ++++ 4 files changed, 224 insertions(+) create mode 100644 scripts/base/utils/queue.bro create mode 100644 testing/btest/Baseline/scripts.base.utils.queue/output create mode 100644 testing/btest/scripts/base/utils/queue.test diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..563f8af0bc 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -12,6 +12,7 @@ @load base/utils/numbers @load base/utils/paths @load base/utils/patterns +@load base/utils/queue @load base/utils/strings @load base/utils/thresholds @load base/utils/urls diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro new file mode 100644 index 0000000000..c5e3bcf906 --- /dev/null +++ b/scripts/base/utils/queue.bro 
@@ -0,0 +1,177 @@ +##! A FIFO string queue. + +module Queue; + +export { + ## Settings for initializing the queue. + type Settings: record { + ## If a maximum length is set for the queue + ## it will maintain itself at that + ## maximum length automatically. + max_len: count &optional; + }; + + ## The internal data structure for the queue. + type Queue: record {}; + + ## Initialize a queue record structure. + ## + ## s: A :bro:record:`Settings` record configuring the queue. + ## + ## Returns: An opaque queue record. + global init: function(s: Settings): Queue; + + ## Push a string onto the top of a queue. + ## + ## q: The queue to push the string into. + ## + ## val: The string to push + global push: function(q: Queue, val: any); + + ## Pop a string from the bottom of a queue. + ## + ## q: The queue to pop the string from. + ## + ## Returns: The string popped from the queue. + global pop: function(q: Queue): any; + + ## Merge two queue's together. If any settings are applied + ## to the queues, the settings from q1 are used for the new + ## merged queue. + ## + ## q1: The first queue. Settings are taken from here. + ## + ## q2: The second queue. + ## + ## Returns: A new queue from merging the other two together. + global merge: function(q1: Queue, q2: Queue): Queue; + + ## Get the number of items in a queue. + ## + ## q: The queue. + ## + ## Returns: The length of the queue. + global len: function(q: Queue): count; + + ## Get the contents of the queue as a string vector. + ## + ## q: The queue. + ## + ## Returns: A :bro:type:`vector of string` containing the + ## current contents of q. + global get_str_vector: function(q: Queue): vector of string; + + ## Get the contents of the queue as a count vector. Use care + ## with this function. If the data put into the queue wasn't + ## integers you will get conversion errors. + ## + ## q: The queue. + ## + ## Returns: A :bro:type:`vector of count` containing the + ## current contents of q. 
+ global get_cnt_vector: function(q: Queue): vector of count; +} + +redef record Queue += { + # Indicator for if the queue was appropriately initialized. + initialized: bool &default=F; + # The values are stored here. + vals: table[count] of any &optional; + # Settings for the queue. + settings: Settings &optional; + # The top value in the vals table. + top: count &default=0; + # The bottom value in the vals table. + bottom: count &default=0; + # The number of bytes in the queue. + size: count &default=0; +}; + +function init(s: Settings): Queue + { + local q: Queue; + q$vals=table(); + q$settings = copy(s); + q$initialized=T; + return q; + } + +function push(q: Queue, val: any) + { + if ( q$settings?$max_len && len(q) >= q$settings$max_len ) + pop(q); + q$vals[q$top] = val; + ++q$top; + } + +function pop(q: Queue): any + { + local ret = q$vals[q$bottom]; + delete q$vals[q$bottom]; + ++q$bottom; + return ret; + } + +function merge(q1: Queue, q2: Queue): Queue + { + local ret = init(q1$settings); + local i = q1$bottom; + local j = q2$bottom; + for ( ignored_val in q1$vals ) + { + if ( i in q1$vals ) + push(ret, q1$vals[i]); + if ( j in q2$vals ) + push(ret, q2$vals[j]); + ++i; + ++j; + } + } + +function len(q: Queue): count + { + return |q$vals|; + } + +function get_str_vector(q: Queue): vector of string + { + local ret: vector of string; + local i = q$bottom; + local j = 0; + # Really dumb hack, this is only to provide + # the iteration for the correct number of + # values in q$vals. + for ( ignored_val in q$vals ) + { + if ( i >= q$top ) + break; + + ret[j] = cat(q$vals[i]); + ++j; ++i; + } + return ret; + } + +function get_cnt_vector(q: Queue): vector of count + { + local ret: vector of count; + local i = q$bottom; + local j = 0; + # Really dumb hack, this is only to provide + # the iteration for the correct number of + # values in q$vals. 
+ for ( ignored_val in q$vals ) + { + if ( i >= q$top ) + break; + + # TODO: this is terrible and should be replaced by + # a more generic version of the various + # functions to get vectors of values. + # (the way "any" works right now makes this impossible though) + ret[j] = to_count(cat(q$vals[i])); + ++j; ++i; + } + return ret; + } + diff --git a/testing/btest/Baseline/scripts.base.utils.queue/output b/testing/btest/Baseline/scripts.base.utils.queue/output new file mode 100644 index 0000000000..b878006310 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.utils.queue/output @@ -0,0 +1,11 @@ +This is a get_cnt_vector test: 3 +This is a get_cnt_vector test: 4 +This is a get_str_vector test: 3 +This is a get_str_vector test: 4 +Testing pop: 3 +Length after pop: 1 +Size of q2: 4 +String queue value: test 1 +String queue value: test 2 +String queue value: test 2 +String queue value: test 1 diff --git a/testing/btest/scripts/base/utils/queue.test b/testing/btest/scripts/base/utils/queue.test new file mode 100644 index 0000000000..50f541a25f --- /dev/null +++ b/testing/btest/scripts/base/utils/queue.test 
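Review bot: `merge` is declared to return a `Queue` but its body never returns `ret`, so callers (including `Metrics::merge_result_vals` later in this series) get no value back; add `return ret;` after the loop. The loop also runs once per element of `q1$vals`, so when `q2` holds more items than `q1` the tail of `q2` is silently dropped; iterate until both `i >= q1$top` and `j >= q2$top`. `pop` indexes `q$vals[q$bottom]` with no emptiness check, so popping an empty queue is a runtime index error, and the export comment should say callers must check `len(q)` first. The `size` field is documented as "the number of bytes in the queue" but nothing writes it, and the file header `##! A FIFO string queue.` no longer matches `push(q: Queue, val: any)`.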
@@ -0,0 +1,35 @@ +# @TEST-EXEC: bro -b %INPUT > output +# @TEST-EXEC: btest-diff output + +# This is loaded by default +@load base/utils/queue + +event bro_init() + { + local q = Queue::init([$max_len=2]); + Queue::push(q, 1); + Queue::push(q, 2); + Queue::push(q, 3); + Queue::push(q, 4); + local test1 = Queue::get_cnt_vector(q); + for ( i in test1 ) + print fmt("This is a get_cnt_vector test: %d", test1[i]); + + local test2 = Queue::get_str_vector(q); + for ( i in test2 ) + print fmt("This is a get_str_vector test: %s", test2[i]); + + local test_val = Queue::pop(q); + print fmt("Testing pop: %s", test_val); + print fmt("Length after pop: %d", Queue::len(q)); + + local q2 = Queue::init([]); + Queue::push(q2, "test 1"); + Queue::push(q2, "test 2"); + Queue::push(q2, "test 2"); + Queue::push(q2, "test 1"); + print fmt("Size of q2: %d", Queue::len(q2)); + local test3: vector of string = Queue::get_str_vector(q2); + for ( i in test3 ) + print fmt("String queue value: %s", test3[i]); + } \ No newline at end of file From 95b12262e44da0f5ccd3bb66872b0c818d8c01de Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 19 Nov 2012 23:43:15 -0500 Subject: [PATCH 017/134] More cleanup and fixed to the metrics framework. --- scripts/base/frameworks/metrics/main.bro | 113 ++++++++++++------ .../.stdout | 4 +- 2 files changed, 79 insertions(+), 38 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 8e40e76e02..ffb3a18354 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -1,5 +1,7 @@ ##! The metrics framework provides a way to count and measure data. +@load base/utils/queue + module Metrics; export { 
@@ -12,15 +14,23 @@ export { ## This is the interval for how often threshold based notices will happen ## after they have already fired. - const threshold_series_restart_interval = 1hr &redef; + const threshold_crossed_restart_interval = 1hr &redef; type Calculation: enum { + ## Sums the values given. For string values, + ## this will be the number of strings given. SUM, + ## Find the minimum value. MIN, + ## Find the maximum value. MAX, + ## Find the variance of the values. VARIANCE, + ## Find the standard deviation of the values. STD_DEV, + ## Calculate the average of the values. AVG, + ## Calculate the number of unique values. UNIQUE, }; @@ -45,9 +55,13 @@ export { } &log; ## Represents data being added for a single metric data point. + ## Only supply a single value here at a time. type DataPoint: record { + ## Count value. num: count &optional; + ## Double value. dbl: double &optional; + ## String value. str: string &optional; }; 
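Review bot: `threshold_crossed_restart_interval` is renamed here, but the only visible consumer of the old name, the `&create_expire` on the `threshold_series_index` table, is deleted in the `@@ -207` hunk of this patch, and the replacement `ResultVal` fields carry no expiry, so the constant now appears unused and its doc comment ("how often threshold based notices will happen after they have already fired") describes behaviour nothing implements. Either wire it back in as an expiry on the per-index result state, or drop the constant and state in the comment that a crossed threshold stays crossed until the result is reset. If something outside these hunks still reads it, a pointer to that code in the comment would settle the question.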
@@ -55,34 +69,34 @@ export { ## of the measurements collected for the metric. type ResultVal: record { ## The number of measurements received. - num: count &log &default=0; + num: count &log &default=0; ## For numeric data, this tracks the sum of all values. - sum: double &log &optional; + sum: double &log &optional; ## For numeric data, this tracks the minimum value given. - min: double &log &optional; + min: double &log &optional; ## For numeric data, this tracks the maximum value given. - max: double &log &optional; + max: double &log &optional; ## For numeric data, this calculates the average of all values. - avg: double &log &optional; + avg: double &log &optional; ## For numeric data, this calculates the variance. - variance: double &log &optional; + variance: double &log &optional; ## For numeric data, this calculates the standard deviation. - std_dev: double &log &optional; + std_dev: double &log &optional; ## If cardinality is being tracked, the number of unique ## items is tracked here. - unique: count &log &optional; + unique: count &log &optional; ## A sample of something being measured. This is helpful in ## some cases for collecting information to do further detection ## or better logging for forensic purposes. - sample: set[DataPoint] &optional; + samples: vector of string &optional; }; ## The record type that is used for logging metrics. @@ -145,7 +159,7 @@ export { threshold_func: function(index: Metrics::Index, val: Metrics::ResultVal): bool &optional; ## A function callback that is called when a threshold is crossed. threshold_crossed: function(index: Metrics::Index, val: Metrics::ResultVal) &optional; - ## A number of sample DataPoints to collect for the threshold + ## A number of sample DataPoint strings to collect for the threshold ## crossing callback. samples: count &optional; }; 
@@ -193,6 +207,17 @@ redef record ResultVal += { # since we will like move to a probalistic data structure in the future. # TODO: in the future this will optionally be a hyperloglog structure unique_vals: set[DataPoint] &optional; + + # Internal use only. This is the queue where samples + # are maintained since the queue is self managing for + # the number of samples requested. + sample_queue: Queue::Queue &optional; + + # Internal use only. Indicates if a simple threshold was already crossed. + is_threshold_crossed: bool &default=F; + + # Internal use only. Current index for threshold series. + threshold_series_index: count &default=0; }; # Type to store a table of metrics values. @@ -207,9 +232,6 @@ global filter_store: table[string, string] of Filter = table(); # This is indexed by metric id and filter name. global store: table[string, string] of MetricTable = table() &default=table(); -# This stores the current threshold index for filters using $threshold_series. -global threshold_series_index: table[string, string, Index] of count = {} &create_expire=threshold_series_restart_interval &default=0; - # This is hook for watching thresholds being crossed. It is called whenever # index values are updated and the new val is given as the `val` argument. # It's only prototyped here because cluster and non-cluster has separate @@ -311,6 +333,7 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal else if ( rv2?$var_s ) result$var_s = rv2$var_s; + # Merge $unique_vals if ( rv1?$unique_vals || rv2?$unique_vals ) { result$unique_vals = set(); 
@@ -321,7 +344,22 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal for ( val2 in rv2$unique_vals ) add result$unique_vals[val2]; } + + # Merge $sample_queue + if ( rv1?$sample_queue && rv2?$sample_queue ) + result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue); + else if ( rv1?$sample_queue ) + result$sample_queue = rv1$sample_queue; + else if ( rv2?$sample_queue ) + result$sample_queue = rv2$sample_queue; + # Merge $threshold_series_index + result$threshold_series_index = (rv1$threshold_series_index > rv2$threshold_series_index) ? rv1$threshold_series_index : rv2$threshold_series_index; + + # Merge $is_threshold_crossed + if ( rv1$is_threshold_crossed || rv2$is_threshold_crossed ) + result$is_threshold_crossed = T; + do_calculated_fields(result); return result; } @@ -412,6 +450,13 @@ function add_data(id: string, index: Index, data: DataPoint) ++result$num; + if ( filter?$samples && data?$str ) + { + if ( ! result?$sample_queue ) + result$sample_queue = Queue::init([$max_len=filter$samples]); + Queue::push(result$sample_queue, data$str); + } + if ( SUM in filter$measure ) { if ( ! result?$sum ) result$sum = 0; @@ -422,7 +467,7 @@ function add_data(id: string, index: Index, data: DataPoint) { if ( ! result?$min ) result$min = val; - else if (val < result$min) + else if ( val < result$min ) result$min = val; } @@ -430,7 +475,7 @@ function add_data(id: string, index: Index, data: DataPoint) { if ( ! result?$max ) result$max = val; - else if (val > result$max) + else if ( val > result$max ) result$max = val; } 
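Review bot: `result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue)` takes the value of a function that, as added earlier in this series, has no `return` statement, so the merged result will not carry the samples (and may fail at runtime) until `Queue::merge` is fixed. The `Queue::push(result$sample_queue, data$str)` in `add_data` stores the data point's string verbatim; since samples are later surfaced in notices, the comment on that line should say they are unsanitised input that consumers must escape, e.g. `# Samples are stored verbatim; escape them before rendering anywhere.`. Both `merge_result_vals` and `add_data` start outside these hunks.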
@@ -485,22 +530,24 @@ function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_p if ( modify_pct < 1.0 && modify_pct > 0.0 ) watch = watch/modify_pct; - if ( filter?$threshold && watch >= filter$threshold ) + if ( ! val$is_threshold_crossed && + filter?$threshold && watch >= filter$threshold ) { # A default threshold was given and the value crossed it. return T; } if ( filter?$threshold_series && - |filter$threshold_series| >= threshold_series_index[filter$id, filter$name, index] && - watch >= filter$threshold_series[threshold_series_index[filter$id, filter$name, index]] ) + |filter$threshold_series| >= val$threshold_series_index && + watch >= filter$threshold_series[val$threshold_series_index] ) { # A threshold series was given and the value crossed the next # value in the series. return T; } - if ( filter?$threshold_func && + if ( ! val$is_threshold_crossed && + filter?$threshold_func && filter$threshold_func(index, val) ) { # The threshold function indicated it was crossed. 
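Review bot: `|filter$threshold_series| >= val$threshold_series_index` admits an index equal to the vector length, so once the last series value has been crossed and `threshold_crossed` bumps the index, the next call reads `filter$threshold_series[val$threshold_series_index]` one past the end; the comparison should be `|filter$threshold_series| > val$threshold_series_index`. The same `>=` existed on the removed table-based line, so this is inherited, but the new per-result counter makes it reachable on every subsequent `add_data` for that index. `check_thresholds` starts outside this hunk.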
@@ -512,20 +559,16 @@ function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_p function threshold_crossed(filter: Filter, index: Index, val: ResultVal) { - if ( filter?$threshold_crossed ) - filter$threshold_crossed(index, val); + if ( ! filter?$threshold_crossed ) + return; - # If I don't reset here, the value just keeps - # retriggering once the threshold has been exceeded. - if ( !filter?$threshold_series ) - { - reset(filter); - } - else - { - # This just needs set to some value so that it doesn't refire the - # notice until it expires from the table or it crosses the next - # threshold in the case of vectors of thresholds. - ++threshold_series_index[filter$id, filter$name, index]; - } + if ( val?$sample_queue ) + val$samples = Queue::get_str_vector(val$sample_queue); + + filter$threshold_crossed(index, val); + val$is_threshold_crossed = T; + + # Bump up to the next threshold series index if a threshold series is being used. + if ( filter?$threshold_series ) + ++val$threshold_series_index; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout index fc881ba68e..da692f2fe2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout 
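Review bot: The early `return` when `filter?$threshold_crossed` is false also skips `val$is_threshold_crossed = T` and the `++val$threshold_series_index`, so a filter with `$threshold` but no callback has `check_thresholds` report a crossing on every later `add_data` for that index; drop the early return and guard only the call, `if ( filter?$threshold_crossed )` / `filter$threshold_crossed(index, val);`, leaving the state updates unconditional. The previous `reset(filter)` on a simple-threshold crossing is gone, so the result keeps accumulating after the crossing; that is consistent with the new `is_threshold_crossed` flag but is a behaviour change worth a sentence in the function's comment.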
@@ -4,7 +4,5 @@ THRESHOLD_FUNC: hit a threshold function value at 2 for metric_index(host=6.5.4.
 THRESHOLD_FUNC: hit a threshold function value at 1 for metric_index(host=7.2.1.5)
 THRESHOLD: hit a threshold value at 6 for metric_index(host=1.2.3.4)
 THRESHOLD_SERIES: hit a threshold series value at 6 for metric_index(host=1.2.3.4)
-THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 1000 for metric_index(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 1001 for metric_index(host=7.2.1.5)
 THRESHOLD_SERIES: hit a threshold series value at 1001 for metric_index(host=7.2.1.5)
-THRESHOLD_FUNC: hit a threshold function value at 1000 for metric_index(host=7.2.1.5)
From 47f5d256d80427aec26fb0ba8fe16a26bb44d200 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 20 Nov 2012 01:01:37 -0500
Subject: [PATCH 018/134] Added a script module for detecting hosts doing traceroutes.
---
 .../misc/detect-traceroute/__load__.bro | 1 +
 .../detect-traceroute/detect-low-ttls.sig | 9 ++
 .../policy/misc/detect-traceroute/main.bro | 87 +++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 scripts/policy/misc/detect-traceroute/__load__.bro
 create mode 100644 scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
 create mode 100644 scripts/policy/misc/detect-traceroute/main.bro
diff --git a/scripts/policy/misc/detect-traceroute/__load__.bro b/scripts/policy/misc/detect-traceroute/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig b/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
new file mode 100644
index 0000000000..c04a8905f7
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
@@ -0,0 +1,9 @@
+signature traceroute-detector-ipv4 {
+ header ip[8] < 10
+ event "match"
+}
+
+signature traceroute-detector-ipv6 {
+ header ip6[7] < 10
+ event "match"
+}
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro
new file mode 100644
index 0000000000..0709834cea
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/main.bro
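Review bot: Neither signature says which header field it tests; `ip[8]` is the IPv4 TTL byte and `ip6[7]` the IPv6 hop limit, and the `< 10` cut-off is the "TTL < 10" that main.bro's `require_low_ttl_packets` comment promises, so a comment above each, `# IPv4 TTL (header byte 8) below 10` and `# IPv6 hop limit (header byte 7) below 10`, would let readers verify the offsets without a packet reference. Since main.bro exposes no knob for the cut-off, the comment should also say that changing it means editing this file and the doc comment together.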
@@ -0,0 +1,87 @@ +##! This script detects large number of ICMP Time Exceeded messages heading +##! toward hosts that have sent low TTL packets. +##! It generates a notice when the number of ICMP Time Exceeded +##! messages for a source-destination pair exceeds threshold +@load base/frameworks/metrics +@load base/frameworks/signatures +@load-sigs ./detect-low-ttls.sig + +redef Signatures::ignored_ids += /traceroute-detector.*/; + +module Traceroute; + +export { + redef enum Log::ID += { LOG }; + + redef enum Notice::Type += { + ## Indicates that a host was seen running traceroutes. For more + ## detail about specific traceroutes that we run, refer to the + ## traceroute.log. + Detected + }; + + ## By default this script requires that any host detected running traceroutes + ## first send low TTL packets (TTL < 10) to the traceroute destination host. + ## Changing this this setting to `F` will relax the detection a bit by + ## solely relying on ICMP time-exceeded messages to detect traceroute. + const require_low_ttl_packets = T &redef; + + ## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. + ## This threshold only comes into play after a host is found to be + ## sending low ttl packets. + const icmp_time_exceeded_threshold = 2 &redef; + + ## Interval at which to watch for the + ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed. + ## At the end of each interval the counter is reset. + const icmp_time_exceeded_interval = 1min &redef; + + ## The log record for the traceroute log. + type Info: record { + ## Timestamp + ts: time &log; + ## Address initiaing the traceroute. + src: addr &log; + ## Destination address of the traceroute. + dst: addr &log; + }; + + global log_traceroute: event(rec: Traceroute::Info); +} + +# Track hosts that have sent low TTL packets. 
+global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized; + +event bro_init() &priority=3 + { + Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]); + + Metrics::add_filter("traceroute.time_exceeded", + [$log=F, + $every=icmp_time_exceeded_interval, + $measure=set(Metrics::UNIQUE), + $threshold=icmp_time_exceeded_threshold, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + local parts = split1(index$str, /-/); + local src = to_addr(parts[1]); + local dst = to_addr(parts[2]); + Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); + NOTICE([$note=Traceroute::Detected, + $msg=fmt("%s seems to be running traceroute", src), + $src=src, $dst=dst, + $identifier=parts[1]]); + }]); + } + +# Low TTL packets are detected with a signature. +event signature_match(state: signature_state, msg: string, data: string) + { + if ( state$sig_id == /traceroute-detector.*/ ) + add low_ttlers[state$conn$id$orig_h, state$conn$id$resp_h]; + } + +event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) + { + if ( ! require_low_ttl_packets || [context$id$orig_h, context$id$resp_h] in low_ttlers ) + Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]); + } From 20fdd36a44a3b0d10c3da342af1f771b3098897a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 20 Nov 2012 01:02:23 -0500 Subject: [PATCH 019/134] Updated the SQL injection detection script to make it include samples in notice emails. --- scripts/base/frameworks/metrics/main.bro | 7 +++-- scripts/policy/protocols/http/detect-sqli.bro | 26 ++++++++++++++----- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index ffb3a18354..6b587a0939 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro 
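Review bot: The doc comment on `icmp_time_exceeded_interval` cross-references `:bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold``, but the module is `Traceroute`, so the generated docs get a broken reference; it should read `:bro:id:`Traceroute::icmp_time_exceeded_threshold``. The same export block has `Changing this this setting` and the `Info` record has `Address initiaing the traceroute.`. The `$threshold_crossed` callback recovers `src`/`dst` by splitting `index$str` on `-`, and the producer is the `cat(context$id$orig_h,"-",context$id$resp_h)` index in `icmp_time_exceeded`; a comment at one of the two sites noting that they must agree on the separator would protect that coupling. `$identifier=parts[1]` keys notice suppression on the source alone, so a host probing several destinations yields one `Detected` notice per suppression window; if that is intended, the `Detected` doc should say so.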
@@ -68,6 +68,9 @@ export { ## Value supplied when a metric is finished. It contains all ## of the measurements collected for the metric. type ResultVal: record { + ## The time when this result was first started. + begin: time &log; + ## The number of measurements received. num: count &log &default=0; @@ -439,7 +442,7 @@ function add_data(id: string, index: Index, data: DataPoint) local metric_tbl = store[id, filter$name]; if ( index !in metric_tbl ) - metric_tbl[index] = []; + metric_tbl[index] = [$begin=network_time()]; local result = metric_tbl[index]; @@ -450,7 +453,7 @@ function add_data(id: string, index: Index, data: DataPoint) ++result$num; - if ( filter?$samples && data?$str ) + if ( filter?$samples && filter$samples > 0 && data?$str ) { if ( ! result?$sample_queue ) result$sample_queue = Queue::init([$max_len=filter$samples]); diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index 9dab73c43e..06f14219d1 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro @@ -35,6 +35,11 @@ export { ## At the end of each interval the counter is reset. const sqli_requests_interval = 5min &redef; + ## Collecting samples will add extra data to notice emails + ## by collecting some sample SQL injection url paths. Disable + ## sample collection by setting this value to 0. + const collect_SQLi_samples = 5 &redef; + ## Regular expression is used to match URI based SQL injections. const match_sql_injection_uri = /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/ 
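Review bot: `begin: time &log;` is added to `ResultVal` with neither `&default` nor `&optional`, so every place that constructs a `ResultVal` must now set `$begin`, and only the `add_data` site in the `@@ -439` hunk is updated here; `merge_result_vals` builds its own result outside these hunks, and if it does not copy `$begin` the merged result used on the cluster path is missing a required field when logged. Either copy `rv1$begin` in the merge (and say in the field's comment which side wins) or mark the field `&optional`.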
@@ -45,20 +50,28 @@ export { | /\/\*![[:digit:]]{5}.*?\*\// &redef; } +function format_sqli_samples(samples: vector of string): string + { + local ret = "SQL Injection samples\n---------------------"; + for ( i in samples ) + ret += "\n" + samples[i]; + return ret; + } + event bro_init() &priority=3 { # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when # thresholds are crossed. - - Metrics::add_filter("http.sqli.attacker", + Metrics::add_filter("http.sqli.attacker", [$every=sqli_requests_interval, $measure=set(Metrics::SUM), $threshold=sqli_requests_threshold, - $samples=10, + $samples=collect_SQLi_samples, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - NOTICE([$note=SQL_Injection_Attacker, + NOTICE([$note=SQL_Injection_Attacker, $msg="An SQL injection attacker was discovered!", + $email_body_sections=vector(format_sqli_samples(val$samples)), $src=index$host, $identifier=cat(index$host)]); }, $log=F]); @@ -67,10 +80,11 @@ event bro_init() &priority=3 [$every=sqli_requests_interval, $measure=set(Metrics::SUM), $threshold=sqli_requests_threshold, - $samples=10, + $samples=collect_SQLi_samples, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - NOTICE([$note=SQL_Injection_Victim, + NOTICE([$note=SQL_Injection_Victim, $msg="An SQL injection victim was discovered!", + $email_body_sections=vector(format_sqli_samples(val$samples)), $src=index$host, $identifier=cat(index$host)]); }, $log=F]); From 08538211e178846262251824c0f9c35917257c1b Mon Sep 17 00:00:00 2001 
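Review bot: `$email_body_sections=vector(format_sqli_samples(val$samples))` in the attacker handler reads `val$samples` unconditionally, yet the new `collect_SQLi_samples` constant documents 0 as disabling sample collection and add_data only creates the sample queue when `filter$samples > 0`; if `samples` is an optional ResultVal field it will be unset in that configuration and the handler fails exactly when an attack is detected. Guard it, e.g. `$email_body_sections = val?$samples ? vector(format_sqli_samples(val$samples)) : vector(),` or let format_sqli_samples take the ResultVal and return an empty section when no samples exist. The same applies to the `@@ -67,10 +80,11 @@` hunk for SQL_Injection_Victim. Separately, the samples are attacker-supplied URI strings placed verbatim into an email body; passing each through `escape_string` inside format_sqli_samples keeps control characters and embedded newlines out of the mail.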
From: Seth Hall Date: Tue, 20 Nov 2012 02:08:49 -0500 Subject: [PATCH 020/134] Some test updates. --- scripts/base/frameworks/metrics/main.bro | 2 +- .../frameworks/metrics/conn-example.bro | 4 +-- .../frameworks/metrics/http-example.bro | 17 +++--------- .../policy/frameworks/metrics/ssl-example.bro | 10 +++---- .../protocols/conn/conn-stats-per-host.bro | 3 +++ scripts/policy/protocols/conn/metrics.bro | 9 ++++--- scripts/policy/protocols/conn/scan.bro | 4 ++- scripts/policy/protocols/smtp/metrics.bro | 27 +++++++++++-------- .../canonified_loaded_scripts.log | 5 ++-- .../manager-1.metrics.log | 14 +++++----- .../manager-1.notice.log | 10 +++---- .../manager-1.notice.log | 10 +++---- .../notice.log | 10 +++---- 13 files changed, 62 insertions(+), 63 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 6b587a0939..48f11ef7f7 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -135,7 +135,7 @@ export { measure: set[Calculation] &optional; ## A predicate so that you can decide per index if you would like ## to accept the data being inserted. - pred: function(index: Metrics::Index, data: DataPoint): bool &optional; + pred: function(index: Metrics::Index, data: Metrics::DataPoint): bool &optional; ## A function to normalize the index. This can be used to aggregate or ## normalize the entire index. normalize_func: function(index: Metrics::Index): Index &optional; diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro index 00c82f840d..e5c604a5b2 100644 --- a/scripts/policy/frameworks/metrics/conn-example.bro +++ b/scripts/policy/frameworks/metrics/conn-example.bro 
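Review bot: The `pred` field now qualifies `Metrics::DataPoint`, but `normalize_func` two lines below still declares its return type as bare `Index` while its parameter is `Metrics::Index`; for consistency within the export block make it `normalize_func: function(index: Metrics::Index): Metrics::Index &optional;`. The Filter record definition continues outside the hunk.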
@@ -16,6 +16,6 @@ event bro_init() event connection_established(c: connection) { - Metrics::add_data("conns.originated", [$host=c$id$orig_h], 1); - Metrics::add_data("conns.responded", [$host=c$id$resp_h], 1); + Metrics::add_data("conns.originated", [$host=c$id$orig_h], [$num=1]); + Metrics::add_data("conns.responded", [$host=c$id$resp_h], [$num=1]); } diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro index 58ca4e6614..3c60f3c931 100644 --- a/scripts/policy/frameworks/metrics/http-example.bro +++ b/scripts/policy/frameworks/metrics/http-example.bro @@ -6,15 +6,6 @@ @load base/protocols/http @load base/utils/site -redef enum Metrics::ID += { - ## Measures HTTP requests indexed on both the request host and the response - ## code from the server. - HTTP_REQUESTS_BY_STATUS_CODE, - - ## Currently unfinished and not working. - HTTP_REQUESTS_BY_HOST_HEADER, -}; - event bro_init() { # TODO: these are waiting on a fix with table vals + records before they will work. @@ -24,14 +15,14 @@ event bro_init() # $break_interval=1min]); # Site::local_nets must be defined in order for this to actually do anything. - Metrics::add_filter(HTTP_REQUESTS_BY_STATUS_CODE, [$aggregation_table=Site::local_nets_table, - $break_interval=1min]); + Metrics::add_filter("http.request.by_status_code", [$aggregation_table=Site::local_nets_table, + $break_interval=1min]); } event HTTP::log_http(rec: HTTP::Info) { if ( rec?$host ) - Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1); + Metrics::add_data("http.request.by_host_header", [$str=rec$host], [$num=1]); if ( rec?$status_code ) - Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1); + Metrics::add_data("http.request.by_status_code", [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], [$num=1]); } 
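Review bot: In the `@@ -24,14 +15,14 @@` hunk the rewritten `Metrics::add_filter("http.request.by_status_code", [$aggregation_table=Site::local_nets_table, $break_interval=1min])` keeps the pre-refactor filter fields, while the conn/metrics.bro and smtp/metrics.bro hunks of this same commit replace `$break_interval` with `$every` and add `$measure=set(Metrics::SUM)`; if those fields were renamed in main.bro, this example no longer loads. The same leftover `$break_interval=10secs` is visible as context in the ssl-example hunk that follows. Also, `Metrics::add_data("http.request.by_host_header", ...)` feeds a metric for which this file adds no filter (the removed enum comment called it unfinished), so the data presumably goes nowhere; either add the filter or move the TODO next to that add_data call so readers know it is inert.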
diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro index 5ec675779a..64e63bc215 100644 --- a/scripts/policy/frameworks/metrics/ssl-example.bro +++ b/scripts/policy/frameworks/metrics/ssl-example.bro @@ -6,15 +6,11 @@ @load base/frameworks/metrics @load base/protocols/ssl -redef enum Metrics::ID += { - SSL_SERVERNAME, -}; - event bro_init() { - Metrics::add_filter(SSL_SERVERNAME, + Metrics::add_filter("ssl.by_servername", [$name="no-google-ssl-servers", - $pred(index: Metrics::Index) = { + $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return (/google\.com$/ !in index$str); }, $break_interval=10secs @@ -24,5 +20,5 @@ event bro_init() event SSL::log_ssl(rec: SSL::Info) { if ( rec?$server_name ) - Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1); + Metrics::add_data("ssl.by_servername", [$str=rec$server_name], [$num=1]); } diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro index 9e532b8590..df58081163 100644 --- a/scripts/policy/protocols/conn/conn-stats-per-host.bro +++ b/scripts/policy/protocols/conn/conn-stats-per-host.bro @@ -1,4 +1,7 @@ +@load base/protocols/conn +@load base/frameworks/metrics + event bro_init() &priority=5 { Metrics::add_filter("conn.orig.data", diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro index 910ae4aa6e..0fb5fa2134 100644 --- a/scripts/policy/protocols/conn/metrics.bro +++ b/scripts/policy/protocols/conn/metrics.bro 
@@ -1,9 +1,10 @@ @load base/frameworks/metrics +@load base/utils/site event bro_init() &priority=3 { - Metrics::add_filter("conns.country", [$break_interval=1hr]); - Metrics::add_filter("hosts.active", [$break_interval=1hr]); + Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM)]); + Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM)]); } event connection_established(c: connection) &priority=3 @@ -12,10 +13,10 @@ event connection_established(c: connection) &priority=3 { local loc = lookup_location(c$id$resp_h); if ( loc?$country_code ) - Metrics::add_data("conns.country", [$str=loc$country_code], 1); + Metrics::add_data("conns.country", [$str=loc$country_code], [$num=1]); } local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h; # There is no index for this. - Metrics::add_unique("hosts.active", [], cat(the_host)); + Metrics::add_data("hosts.active", [], [$str=cat(the_host)]); } diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index 8795cfda06..503b8c34b4 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro @@ -4,10 +4,12 @@ ##! Seth Hall ##! All the authors of the old scan.bro +@load base/frameworks/notice +@load base/frameworks/metrics + module Scan; export { - redef enum Notice::Type += { AddressScan, PortScan, diff --git a/scripts/policy/protocols/smtp/metrics.bro b/scripts/policy/protocols/smtp/metrics.bro index c3d1bb1e20..ac803ac621 100644 --- a/scripts/policy/protocols/smtp/metrics.bro +++ b/scripts/policy/protocols/smtp/metrics.bro 
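Review bot: `Metrics::add_data("hosts.active", [], [$str=cat(the_host)])` replaces an add_unique call, but the filter added in the first hunk is configured with `$measure=set(Metrics::SUM)`, which on a `$str`-only data point has no numeric value to sum; the intent (number of distinct active hosts) corresponds to `$measure=set(Metrics::UNIQUE)`, the measurement the detect-traceroute and scan filters use for the same purpose. The same mismatch is in the smtp/metrics.bro hunk on the next line, where `smtp.mailfrom` switches from add_unique to `[$str=rec$mailfrom]` under a SUM filter although the file header asks "How many unique 'MAIL FROM' addresses". Change those two filters to `$measure=set(Metrics::UNIQUE)`; `conns.country` and `smtp.messages`, which submit `[$num=1]`, are correct as SUM.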
@@ -2,31 +2,36 @@ ##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?" ##! "How much mail is being sent from each local mail server per hour?" +@load base/protocols/smtp @load base/frameworks/metrics +@load base/utils/site +@load base/utils/directions-and-hosts module SMTPMetrics; export { ## Define the break intervals for all of the metrics collected and logged by this script. - const breaks = 1hr &redef; + const breaks=1hr &redef; } event bro_init() &priority=5 { - Metrics::add_filter("smtp.mailfrom", [$pred(index: Metrics::Index) = { - return addr_matches_host(index$host, LOCAL_HOSTS); }, - $break_interval=breaks]); - Metrics::add_filter("smtp.messages", [$pred(index: Metrics::Index) = { - return addr_matches_host(index$host, LOCAL_HOSTS); }, - $break_interval=breaks]); + Metrics::add_filter("smtp.mailfrom", [$every=breaks, + $measure=set(Metrics::SUM), + $pred(index: Metrics::Index, data: Metrics::DataPoint) = { + return addr_matches_host(index$host, LOCAL_HOSTS); + }]); + Metrics::add_filter("smtp.messages", [$every=breaks, + $measure=set(Metrics::SUM), + $pred(index: Metrics::Index, data: Metrics::DataPoint) = { + return addr_matches_host(index$host, LOCAL_HOSTS); + }]); } event SMTP::log_smtp(rec: SMTP::Info) { - Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], 1); + Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], [$num=1]); if ( rec?$mailfrom ) - Metrics::add_unique("smtp.mailfrom", [$host=rec$id$orig_h], rec$mailfrom); + Metrics::add_data("smtp.mailfrom", [$host=rec$id$orig_h], [$str=rec$mailfrom]); } - - diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7fd3a1bdc8..02b7e51030 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
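Review bot: `const breaks=1hr &redef;` drops the spaces around `=` that the rest of this file and the other scripts in the commit use (`const collect_SQLi_samples = 5 &redef;`); the change is cosmetic only, so keep the original `const breaks = 1hr &redef;`. The `## Define the break intervals ...` doc comment above it still describes "break intervals" while the filters now pass the value as `$every`; rewording it to `## How often the metrics collected by this script are measured and logged.` keeps the generated docs aligned with the new API.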
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-11-05-23-29-45 +#open 2012-11-20-06-11-08 #fields name #types string scripts/base/init-bare.bro @@ -38,6 +38,7 @@ scripts/base/init-default.bro scripts/base/utils/files.bro scripts/base/utils/numbers.bro scripts/base/utils/paths.bro + scripts/base/utils/queue.bro scripts/base/utils/strings.bro scripts/base/utils/thresholds.bro scripts/base/utils/urls.bro @@ -118,4 +119,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-11-05-23-29-45 +#close 2012-11-20-06-11-08 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log index cb1bd5af01..e6c33719aa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-07-20-01-50-41 -#fields ts metric_id filter_name index.host index.str index.network value -#types time enum string addr string subnet count -1342749041.601712 TEST_METRIC foo-bar 6.5.4.3 - - 4 -1342749041.601712 TEST_METRIC foo-bar 7.2.1.5 - - 2 -1342749041.601712 TEST_METRIC foo-bar 1.2.3.4 - - 6 -#close 2012-07-20-01-50-49 +#open 2012-11-20-06-46-51 +#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string string addr subnet time count double double double double double double count +1353394011.192622 3.000000 default test.metric - 6.5.4.3 - - 2 6.0 1.0 5.0 3.0 4.0 2.0 - +1353394011.192622 3.000000 default test.metric - 1.2.3.4 - - 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 - +1353394011.192622 3.000000 default test.metric - 7.2.1.5 - - 2 145.0 54.0 91.0 72.5 342.25 18.5 - +#close 2012-11-20-06-46-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log index 6c93cb875e..a5e28de7f9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-51-18 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342749078.270791 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-07-20-01-51-27 +#open 2012-11-20-06-46-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double +1353393982.260495 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - +#close 2012-11-20-06-46-22 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log index 88f25b066f..d657cf0ce8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-51-36 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342749096.545663 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-07-20-01-51-45 +#open 2012-11-20-06-45-52 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double +1353393952.489496 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - +#close 2012-11-20-06-45-56 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index f9292344a8..92206c35ce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-10-05-21-45-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-10-05-21-45-15 +#open 2012-11-20-06-09-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double +1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - +#close 2012-11-20-06-09-07 From 5921a68e910787c9a12ea95d4038e5b0e555a93f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 20 Nov 2012 11:18:55 -0500 Subject: [PATCH 021/134] More test updates. --- doc/scripts/DocSourcesList.cmake | 7 +++++++ .../metrics.log | 14 +++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) 
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index b95464b6b3..88e5f51025 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -102,6 +102,7 @@ rest_target(${psd} base/utils/files.bro) rest_target(${psd} base/utils/numbers.bro) rest_target(${psd} base/utils/paths.bro) rest_target(${psd} base/utils/patterns.bro) +rest_target(${psd} base/utils/queue.bro) rest_target(${psd} base/utils/site.bro) rest_target(${psd} base/utils/strings.bro) rest_target(${psd} base/utils/thresholds.bro) @@ -129,13 +130,18 @@ rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) rest_target(${psd} policy/misc/analysis-groups.bro) +rest_target(${psd} policy/misc/app-metrics.bro) rest_target(${psd} policy/misc/capture-loss.bro) +rest_target(${psd} policy/misc/detect-traceroute/main.bro) rest_target(${psd} policy/misc/loaded-scripts.bro) rest_target(${psd} policy/misc/profiling.bro) rest_target(${psd} policy/misc/stats.bro) rest_target(${psd} policy/misc/trim-trace-file.bro) +rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro) rest_target(${psd} policy/protocols/conn/known-hosts.bro) rest_target(${psd} policy/protocols/conn/known-services.bro) +rest_target(${psd} policy/protocols/conn/metrics.bro) +rest_target(${psd} policy/protocols/conn/scan.bro) rest_target(${psd} policy/protocols/conn/weirds.bro) rest_target(${psd} policy/protocols/dns/auth-addl.bro) rest_target(${psd} policy/protocols/dns/detect-external-names.bro) 
@@ -153,6 +159,7 @@ rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro) rest_target(${psd} policy/protocols/modbus/track-memmap.bro) rest_target(${psd} policy/protocols/smtp/blocklists.bro) rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro) +rest_target(${psd} policy/protocols/smtp/metrics.bro) rest_target(${psd} policy/protocols/smtp/software.bro) rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro) rest_target(${psd} policy/protocols/ssh/geo-data.bro) diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log index fb6476ee88..784d6d7920 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-07-20-01-49-22 -#fields ts metric_id filter_name index.host index.str index.network value -#types time enum string addr string subnet count -1342748962.841548 TEST_METRIC foo-bar 6.5.4.3 - - 2 -1342748962.841548 TEST_METRIC foo-bar 7.2.1.5 - - 1 -1342748962.841548 TEST_METRIC foo-bar 1.2.3.4 - - 3 -#close 2012-07-20-01-49-22 +#open 2012-11-20-15-05-07 +#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string string addr subnet time count double double double double double double count +1353423907.236002 3.000000 foo-bar test.metric - 6.5.4.3 - 1353423907.236002 1 2.0 2.0 2.0 2.0 0.0 0.0 - +1353423907.236002 3.000000 foo-bar test.metric - 1.2.3.4 - 1353423907.236002 5 221.0 5.0 94.0 44.2 915.36 30.254917 - +1353423907.236002 3.000000 foo-bar test.metric - 7.2.1.5 - 1353423907.236002 1 1.0 1.0 1.0 1.0 0.0 0.0 - +#close 2012-11-20-15-05-07 
From ebacb80d1ca104715c30e95db22cf700acd605d6 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 21 Nov 2012 11:56:39 -0500 Subject: [PATCH 022/134] Add intel detection for apparently successful logins. --- .../protocols/ssh/detect-bruteforcing.bro | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index d0f1b63d70..edf6379bec 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -19,6 +19,11 @@ export { ## currently implemented. Login_By_Password_Guesser, }; + + redef enum Intel::Where += { + ## An indicator of the login for the intel framework. + SSH::SUCCESSFUL_LOGIN, + }; ## The number of failed SSH connections before a host is designated as ## guessing passwords. @@ -33,10 +38,6 @@ export { ## heuristic fails and this acts as the whitelist. The index represents ## client subnets and the yield value represents server subnets. const ignore_guessers: table[subnet] of subnet &redef; - - ## Tracks hosts identified as guessing passwords. - global password_guessers: set[addr] - &read_expire=guessing_timeout+1hr &synchronized &redef; } event bro_init() @@ -46,10 +47,15 @@ event bro_init() $measure=set(Metrics::SUM), $threshold=password_guesses_limit, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + # Generate the notice. NOTICE([$note=Password_Guessing, $msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum), $src=index$host, $identifier=cat(index$host)]); + # Insert the guesser into the intel framework. + Intel::insert([$host=index$host, + $meta=[$source="local", + $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]); }]); } 
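Review bot: The new Intel::insert in the `@@ -46,10 +47,15 @@` hunk formats `val$sum` with `fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)`, whereas the NOTICE message a few lines above uses `%.0f`; write both as `%.0f` so the two strings render identically. More importantly, this commit removes `password_guessers` together with its `&read_expire=guessing_timeout+1hr`, and the Intel item that replaces it carries no expiry in the visible metadata, so a host that once guessed passwords presumably remains an indicator until restart unless the Intel framework ages entries on its own; that should be confirmed and stated in a comment on the `$source="local"` line, which is also where to note that this entry is derived from observed traffic rather than a curated feed.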
@@ -57,14 +63,9 @@ event SSH::heuristic_successful_login(c: connection) { local id = c$id; - # TODO: This is out for the moment pending some more additions to the - # metrics framework. - #if ( id$orig_h in password_guessers ) - # { - # NOTICE([$note=Login_By_Password_Guesser, - # $conn=c, - # $msg=fmt("Successful SSH login by password guesser %s", id$orig_h)]); - # } + Intel::seen([$host=id$orig_h, + $conn=c, + $where=SSH::SUCCESSFUL_LOGIN]); } event SSH::heuristic_failed_login(c: connection) From 6bdcdcecf909439814eaa6d07fd400df4a14c744 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 26 Nov 2012 16:17:35 -0500 Subject: [PATCH 023/134] Fixed a problem with metrics aggregation on clusters (thanks Jon!). --- scripts/base/frameworks/metrics/cluster.bro | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 9650b80554..d20dd733b8 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro 
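Review bot: `Intel::seen([$host=id$orig_h, $conn=c, $where=SSH::SUCCESSFUL_LOGIN])` replaces the commented-out direct check, so a successful login by a known guesser now only surfaces if something downstream reacts to an Intel match at `SSH::SUCCESSFUL_LOGIN`; the `Login_By_Password_Guesser` notice type kept in the export block (whose comment, cut at the earlier hunk edge, appears to say it is not currently implemented) is no longer raised anywhere in this file. Either raise it from an Intel match handler or document on the enum that detection has moved, e.g. `## Reported through the intel framework: a host previously inserted as a password guesser is seen at SSH::SUCCESSFUL_LOGIN.` The event body is fully inside the hunk; the heuristic_failed_login line that follows is context only.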
@@ -189,15 +189,16 @@ function data_added(filter: Filter, index: Index, val: ResultVal) event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) { #print fmt("%0.6f MANAGER: receiving index data from %s - %s=%s", network_time(), get_event_peer()$descr, index2str(index), val); - - local merged_val = merge_result_vals(index_requests[uid, id, filter_name, index], val); - index_requests[uid, id, filter_name, index] = merged_val; + if ( [uid, id, filter_name, index] in index_requests ) + index_requests[uid, id, filter_name, index] = merge_result_vals(index_requests[uid, id, filter_name, index], val); + else + index_requests[uid, id, filter_name, index] = val; + local ir = index_requests[uid, id, filter_name, index]; # Mark that this worker is done. ++done_with[uid]; - #print ir; #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); if ( Cluster::worker_count == done_with[uid] ) From 2add60b4b140f99d246c03c5e344a1eb2ba8e1fb Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 28 Nov 2012 15:22:45 -0500 Subject: [PATCH 024/134] A function wasn't returning a value like it should be. --- scripts/base/utils/queue.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro index c5e3bcf906..438529f579 100644 --- a/scripts/base/utils/queue.bro +++ b/scripts/base/utils/queue.bro @@ -126,6 +126,7 @@ function merge(q1: Queue, q2: Queue): Queue ++i; ++j; } + return ret; } function len(q: Queue): count From 92285a97114aa6dfb830598bbb05687ab2f2b762 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 28 Nov 2012 15:52:41 -0500 Subject: [PATCH 025/134] Fix a race condition when multiple workers report intermediate indexes simultaneously. --- scripts/base/frameworks/metrics/cluster.bro | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
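Review bot: `local ir = index_requests[uid, id, filter_name, index];` survives while the `#print ir` that used it is removed; if nothing in the rest of the event body (which continues past the hunk) reads `ir`, drop the local and read the merged value from the table where it is consumed. The membership check correctly lets the first worker's response seed the entry instead of merging into a missing one, but `++done_with[uid]` still counts responses whose `uid` matches no outstanding request (e.g. a late reply after the entry aged out of `index_requests`), which would re-run the completion branch on a partial value; a guard such as `if ( uid !in done_with ) return;` at the top keeps stale replies out, assuming done_with is populated when the request is issued (its declaration is not in view).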
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index d20dd733b8..4f2de5577e 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -81,7 +81,7 @@ global index_requests: table[string, string, string, Index] of ResultVal &create # an intermediate result has been received. The manager may optionally request # the index again before data expires from here if too many workers are crossing # the percentage threshold (not implemented yet!). -global recent_global_view_indexes: table[string, string, Index] of count &create_expire=5mins &default=0; +global recent_global_view_indexes: table[string, string, Index] of count &create_expire=1min &default=0; # Add events to the cluster framework to make this work. redef Cluster::manager2worker_events += /Metrics::cluster_(filter_request|index_request)/; @@ -217,10 +217,12 @@ event Metrics::cluster_index_intermediate_response(id: string, filter_name: stri { #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting index data for %s", index2str(index)); - + ++recent_global_view_indexes[id, filter_name, index]; + if ( [id, filter_name, index] in recent_global_view_indexes ) + return; + local uid = unique_id(""); event Metrics::cluster_index_request(uid, id, filter_name, index); - ++recent_global_view_indexes[id, filter_name, index]; } event Metrics::cluster_filter_response(uid: string, id: string, filter_name: string, data: MetricTable, done: bool) From f1b7ca62eef5deb03a043227b374ac8424824b12 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 28 Nov 2012 15:58:29 -0500 Subject: [PATCH 026/134] Actually fix the problem I just tried to fix a minute ago. --- scripts/base/frameworks/metrics/cluster.bro | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 4f2de5577e..64c7a2d7ee 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -217,10 +217,13 @@ event Metrics::cluster_index_intermediate_response(id: string, filter_name: stri { #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting index data for %s", index2str(index)); - ++recent_global_view_indexes[id, filter_name, index]; + + # If a worker recently sent this as an intermediate update, don't request it. if ( [id, filter_name, index] in recent_global_view_indexes ) return; + ++recent_global_view_indexes[id, filter_name, index]; + local uid = unique_id(""); event Metrics::cluster_index_request(uid, id, filter_name, index); } From 2b72275d7e321b356b0a7b5f7b13944428543f78 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 28 Nov 2012 17:07:30 -0500 Subject: [PATCH 027/134] More updates to clean up scan.bro --- scripts/policy/protocols/conn/scan.bro | 326 ++++++++++--------------- 1 file changed, 128 insertions(+), 198 deletions(-) diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index 503b8c34b4..c35e768912 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro 
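Review bot: `++recent_global_view_indexes[id, filter_name, index];` now increments a counter whose value is never read; the guard above it tests membership only, and combined with the `&create_expire=1min` set in the previous commit the effect is one global-view request per index per minute regardless of how many workers cross the percentage. That matches the "not implemented yet" remark on the table declaration, but the comment at the guard should say so, e.g. `# One global view per index per expiry window of recent_global_view_indexes; the count is kept for the not-yet-implemented re-request logic.` If the count is not going to be used, a set with `add recent_global_view_indexes[id, filter_name, index];` states the intent more clearly.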
@@ -27,18 +27,79 @@ export { const default_addr_scan_threshold = 25 &redef; const default_port_scan_threshold = 15 &redef; - # For address scan - const suppress_UDP_scan_checks = T &redef; - const suppress_TCP_scan_checks = F &redef; - const suppress_ICMP_scan_checks = T &redef; - - global addr_scan_thresh_series: vector of count = vector(100, 200, 300); - global port_scan_thresh_series: vector of count = vector(10, 20, 30); - # Custom threholds based on service for address scan const addr_scan_custom_thresholds: table[port] of count &redef; } + +function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVal): bool + { + local service = to_port(index$str); + + return ( service in addr_scan_custom_thresholds && + val$sum > addr_scan_custom_thresholds[service] ); + } + +function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) + { + local side = Site::is_local_addr(index$host) ? "local" : "remote"; + local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str); + + NOTICE([$note=AddressScan, + $src=index$host, + $p=to_port(index$str), + $sub=side, + $msg=message, + $identifier=message]); + } + +function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) + { + local side = Site::is_local_addr(index$host) ? "local" : "remote"; + local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str); + + NOTICE([$note=PortScan, + $src=index$host, + $dst=to_addr(index$str), + $sub=side, + $msg=message, + $identifier=message]); + } + +event bro_init() &priority=5 + { + # Add local networks here to determine scan direction + # i.e. 
inbound scan / outbound scan + #add Site::local_nets[0.0.0.0/16]; + + if ( analyze_addr_scan ) + { + # note=> Addr scan: table [src_ip, port] of set(dst); + # Add filters to the metrics so that the metrics framework knows how to + # determine when it looks like an actual attack and how to respond when + # thresholds are crossed. + Metrics::add_filter("scan.addr.fail", [$log=F, + $every=conn_failed_addr_interval, + $measure=set(Metrics::UNIQUE), + $threshold_func=check_addr_scan_threshold, + $threshold=default_addr_scan_threshold, + $threshold_crossed=addr_scan_threshold_crossed]); + } + + if ( analyze_port_scan ) + { + # note=> Port Sweep: table[src_ip, dst_ip] of set(port); + # Add filters to the metrics so that the metrics framework knows how to + # determine when it looks like an actual attack and how to respond when + # thresholds are crossed. + Metrics::add_filter("scan.port.fail", [$log=F, + $every=conn_failed_port_interval, + $measure=set(Metrics::UNIQUE), + $threshold=default_port_scan_threshold, + $threshold_crossed=port_scan_threshold_crossed]); + } + } + function is_failed_conn(c: connection): bool { # Sr || ( (hR || ShR) && (data not sent in any direction) ) 
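Review bot: `check_addr_scan_threshold` compares `val$sum` against the custom threshold, but the `scan.addr.fail` filter it is attached to measures only `Metrics::UNIQUE`, and `addr_scan_threshold_crossed` reports `val$unique`; with no SUM measurement `val$sum` is presumably never populated, so the per-service custom thresholds cannot fire — compare `val$unique` instead. If the framework consults `$threshold_func` instead of `$threshold` when both are given (not visible here), the function also needs a fallback for services without a custom entry, `return val$unique > default_addr_scan_threshold;`, otherwise no address scan is ever reported. Separately, both notices use `$identifier=message`, and the message embeds the changing `val$unique` count, so notice suppression will not collapse repeated crossings for the same scanner; `$identifier=cat(index$host, index$str)` keys suppression on the scanning host and target instead. The three functions and bro_init are fully inside the hunk; is_failed_conn is cut at the hunk's end.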
@@ -68,181 +129,56 @@ function is_reverse_failed_conn(c: connection): bool return F; } -function addr_scan_predicate(index: Metrics::Index, data: Metrics::DataPoint): bool - { - local service = to_port(index$str); - local host = index$host; - - local transport_layer_proto = get_port_transport_proto(service); - if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) ) - return F; - else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) ) - return F; - else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) ) - return F; - - # TODO: all of this whitelist/blacklist will be done - # through the upcoming hook mechanism - # Blacklisting/whitelisting services - #if ( |analyze_services| > 0 ) - # { - # if ( service !in analyze_services ) - # return F; - # } - #else if ( service in skip_services ) - # return F; - # - ## Blacklisting/whitelisting subnets - #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) - # return F; - - return T; - } - -function port_scan_predicate(index: Metrics::Index, data: Metrics::DataPoint): bool - { - local service = to_port(data$str); - local host = index$host; - - local transport_layer_proto = get_port_transport_proto(service); - if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) ) - return F; - else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) ) - return F; - else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) ) - return F; - - # TODO: all of this whitelist/blacklist will be done - # through the upcoming hook mechanism - # Blacklisting/whitelisting services - #if ( |analyze_services| > 0 ) - # { - # if ( service !in analyze_services ) - # return F; - # } - #else if ( service in skip_services ) - # return F; - # - ## Blacklisting/whitelisting subnets - #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) - # return F; - - return T; - } - -function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVal): bool - { - local service = 
to_port(index$str); - - return ( service in addr_scan_custom_thresholds && - val$sum > addr_scan_custom_thresholds[service] ); - } - -function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) - { - local direction = Site::is_local_addr(index$host) ? "OutboundScan" : "InboundScan"; - local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str); - - NOTICE([$note=AddressScan, - $src=index$host, - $p=to_port(index$str), - $sub=direction, - $msg=message, - $identifier=message]); - } - -function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) - { - local direction = Site::is_local_addr(index$host) ? "OutboundScan" : "InboundScan"; - local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str); - - NOTICE([$note=PortScan, - $src=index$host, - $dst=to_addr(index$str), - $sub=direction, - $msg=message, - $identifier=message]); - } - -event bro_init() &priority=5 - { - # Add local networks here to determine scan direction - # i.e. inbound scan / outbound scan - #add Site::local_nets[0.0.0.0/16]; - - if ( analyze_addr_scan ) - { - # note=> Addr scan: table [src_ip, port] of set(dst); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. - Metrics::add_filter("scan.addr.fail", [$log=F, - $every=conn_failed_addr_interval, - $measure=set(Metrics::UNIQUE), - $pred=addr_scan_predicate, - $threshold_func=check_addr_scan_threshold, - $threshold=default_addr_scan_threshold, - $threshold_crossed=addr_scan_threshold_crossed]); - } - - if ( analyze_port_scan ) - { - # note=> Port Sweep: table[src_ip, dst_ip] of set(port); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. 
- Metrics::add_filter("scan.port.fail", [$log=F, - $every=conn_failed_port_interval, - $measure=set(Metrics::UNIQUE), - $pred=port_scan_predicate, - $threshold=default_port_scan_threshold, - $threshold_crossed=port_scan_threshold_crossed]); - } - } - -## Generated when a SYN-ACK packet is seen in response to a SYN -## packet during a TCP handshake. The final ACK of the handshake -## in response to SYN-ACK may or may not occur later, one way to -## tell is to check the history field of connection to see if the -## originator sent an ACK, indicated by ‘A’ in the history string. -#event connection_established(c: connection) -# { - # Not useful for scan (too early) -# } - -## Generated when one endpoint of a TCP connection attempted -## to gracefully close the connection, but the other endpoint -## is in the TCP_INACTIVE state. This can happen due to split -## routing, in which Bro only sees one side of a connection. -#event connection_half_finished(c: connection) -# { - # Half connections never were "established", so do scan-checking here. - # I am not taking *f cases of c$history into account. Ask Seth if I should -# } - function add_metrics(id: conn_id, reverse: bool) { local scanner: addr; - local victim: string; - local scanned_port: string; + local victim: addr; + local scanned_port: port; if ( reverse ) { scanner = id$resp_h; - victim = cat(id$orig_h); - scanned_port = fmt("%s", id$orig_p); + victim = id$orig_h; + scanned_port = id$orig_p; } else { scanner = id$orig_h; - victim = cat(id$resp_h); - scanned_port = fmt("%s", id$resp_p); + victim = id$resp_h; + scanned_port = id$resp_p; } + # Defaults to be implemented with a hook... 
+ #local transport_layer_proto = get_port_transport_proto(service); + #if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) ) + # return F; + #else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) ) + # return F; + #else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) ) + # return F; + + # TODO: all of this whitelist/blacklist will be done + # through the upcoming hook mechanism + # Blacklisting/whitelisting services + #if ( |analyze_services| > 0 ) + # { + # if ( service !in analyze_services ) + # return F; + # } + #else if ( service in skip_services ) + # return F; + # + ## Blacklisting/whitelisting subnets + #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) + # return F; + + # Probably do a hook point here? if ( analyze_addr_scan ) - Metrics::add_data("scan.addr.fail", [$host=scanner, $str=scanned_port], [$str=victim]); + Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); + + # Probably do a hook point here? if ( analyze_port_scan ) - Metrics::add_data("scan.port.fail", [$host=scanner, $str=victim], [$str=scanned_port]); + Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } ## Generated for an unsuccessful connection attempt. This 
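Review bot: The commented-out suppression block kept inside `add_metrics` refers to `service`, `host` and the `suppress_*_scan_checks` constants, none of which exist any more once this commit removes them from the export block and deletes the two predicate functions, so it cannot be re-enabled as written; a single `# TODO: transport/service/subnet filtering to be provided via the hook mechanism` would carry the intent without the stale code. Dropping `$pred=addr_scan_predicate` and `$pred=port_scan_predicate` from the filters is also a silent behaviour change: the removed defaults suppressed UDP and ICMP scan checks, and with the predicates gone every failed connection that reaches `add_metrics` is counted regardless of transport. Whether that matters depends on which protocols the calling events deliver, which is outside this hunk and deserves a sentence in the commit message.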
@@ -278,43 +214,37 @@ event connection_rejected(c: connection) ## TCP connection aborted by sending a RST packet. event connection_reset(c: connection) { - local is_reverse_scan = F; - local is_scan = F; - if ( is_failed_conn(c) ) - { - is_scan = T; - } + add_metrics(c$id, F); else if ( is_reverse_failed_conn(c) ) - { - is_scan = T; - is_reverse_scan = T; - } - - if ( is_scan ) - { - add_metrics(c$id, is_reverse_scan); - } + add_metrics(c$id, T); } ## Generated for each still-open connection when Bro terminates. event connection_pending(c: connection) { - local is_reverse_scan = F; - local is_scan = F; - if ( is_failed_conn(c) ) - { - is_scan = T; - } + add_metrics(c$id, F); else if ( is_reverse_failed_conn(c) ) - { - is_scan = T; - is_reverse_scan = T; - } + add_metrics(c$id, T); + } - if ( is_scan ) - { - add_metrics(c$id, is_reverse_scan); - } - } \ No newline at end of file +## Generated when a SYN-ACK packet is seen in response to a SYN +## packet during a TCP handshake. The final ACK of the handshake +## in response to SYN-ACK may or may not occur later, one way to +## tell is to check the history field of connection to see if the +## originator sent an ACK, indicated by ‘A’ in the history string. +#event connection_established(c: connection) +# { + # Not useful for scan (too early) +# } + +## Generated when one endpoint of a TCP connection attempted +## to gracefully close the connection, but the other endpoint +## is in the TCP_INACTIVE state. This can happen due to split +## routing, in which Bro only sees one side of a connection. +#event connection_half_finished(c: connection) +# { + # Half connections never were "established", so do scan-checking here. + # I am not taking *f cases of c$history into account. Ask Seth if I should +# } From 2484295db3ad1a93879f19019111cb40db27b3e5 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 30 Nov 2012 09:48:52 -0500 Subject: [PATCH 028/134] scan.bro updates. --- scripts/policy/protocols/conn/scan.bro | 132 +++++++++++-------------- 1 file changed, 59 insertions(+), 73 deletions(-) diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index c35e768912..dde96bf939 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro 
@@ -11,31 +11,39 @@ module Scan; export { redef enum Notice::Type += { - AddressScan, - PortScan, + ## Address scans detect that a host appears to be scanning + ## some number of other hosts on a single port. + Address_Scan, + ## Port scans detect that a host appears to be scanning a + ## single other host on numerous ports. + Port_Scan, }; - const analyze_addr_scan = T &redef; - const analyze_port_scan = T &redef; + ## Interval at which to watch for an address scan detection threshold to be crossed. + const addr_scan_interval = 5min &redef; + ## Interval at which to watch for a port scan detection threshold to be crossed. + const port_scan_interval = 5min &redef; - ## Interval at which to watch for the - ## :bro:id:`Scan::conn_failed_(port|addr)_threshold` variable to be crossed. - ## At the end of each interval the counter is reset. - const conn_failed_addr_interval = 5min &redef; - const conn_failed_port_interval = 5min &redef; + ## The threshold of a unique number of hosts a scanning host has to have failed + ## connections with on a single port. + const addr_scan_threshold = 25 &redef; + ## The threshold of a number of unique ports a scanning host has to have failed + ## connections with on a single victim host. + const port_scan_threshold = 15 &redef; - const default_addr_scan_threshold = 25 &redef; - const default_port_scan_threshold = 15 &redef; - - # Custom threholds based on service for address scan + ## Custom threholds based on service for address scan. This is primarily + ## useful for setting reduced thresholds for specific ports. const addr_scan_custom_thresholds: table[port] of count &redef; } function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVal): bool { - local service = to_port(index$str); + # We don't need to do this if no custom thresholds are defined. 
+ if ( |addr_scan_custom_thresholds| == 0 ) + return F; + local service = to_port(index$str); return ( service in addr_scan_custom_thresholds && val$sum > addr_scan_custom_thresholds[service] ); } @@ -45,12 +53,12 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result local side = Site::is_local_addr(index$host) ? "local" : "remote"; local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str); - NOTICE([$note=AddressScan, + NOTICE([$note=Address_Scan, $src=index$host, $p=to_port(index$str), $sub=side, $msg=message, - $identifier=message]); + $identifier=cat(index)]); } function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) 
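Review bot: Removing `analyze_addr_scan` and `analyze_port_scan` from the export block leaves no way to run only one of the two detectors short of not loading the script; the filter registration in `bro_init` and the `Metrics::add_data` calls in `add_metrics` (later hunks of this commit) now run unconditionally. Renaming the notice types to `Address_Scan` and `Port_Scan` likewise breaks any site `Notice::policy` entry or `redef` that referenced `AddressScan`/`PortScan`, so the commit message or a NEWS entry should call both changes out. The retained doc comment on `addr_scan_custom_thresholds` also carries a typo: `threholds` should read `thresholds`.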
@@ -58,58 +66,46 @@ function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result local side = Site::is_local_addr(index$host) ? "local" : "remote"; local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str); - NOTICE([$note=PortScan, + NOTICE([$note=Port_Scan, $src=index$host, $dst=to_addr(index$str), $sub=side, $msg=message, - $identifier=message]); + $identifier=cat(index)]); } event bro_init() &priority=5 { - # Add local networks here to determine scan direction - # i.e. inbound scan / outbound scan - #add Site::local_nets[0.0.0.0/16]; + # note=> Addr scan: table [src_ip, port] of set(dst); + # Add filters to the metrics so that the metrics framework knows how to + # determine when it looks like an actual attack and how to respond when + # thresholds are crossed. + Metrics::add_filter("scan.addr.fail", [$log=F, + $every=addr_scan_interval, + $measure=set(Metrics::UNIQUE), + $threshold_func=check_addr_scan_threshold, + $threshold=addr_scan_threshold, + $threshold_crossed=addr_scan_threshold_crossed]); - if ( analyze_addr_scan ) - { - # note=> Addr scan: table [src_ip, port] of set(dst); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. - Metrics::add_filter("scan.addr.fail", [$log=F, - $every=conn_failed_addr_interval, - $measure=set(Metrics::UNIQUE), - $threshold_func=check_addr_scan_threshold, - $threshold=default_addr_scan_threshold, - $threshold_crossed=addr_scan_threshold_crossed]); - } - - if ( analyze_port_scan ) - { - # note=> Port Sweep: table[src_ip, dst_ip] of set(port); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. 
- Metrics::add_filter("scan.port.fail", [$log=F, - $every=conn_failed_port_interval, - $measure=set(Metrics::UNIQUE), - $threshold=default_port_scan_threshold, - $threshold_crossed=port_scan_threshold_crossed]); - } + # note=> Port Sweep: table[src_ip, dst_ip] of set(port); + # Add filters to the metrics so that the metrics framework knows how to + # determine when it looks like an actual attack and how to respond when + # thresholds are crossed. + Metrics::add_filter("scan.port.fail", [$log=F, + $every=port_scan_interval, + $measure=set(Metrics::UNIQUE), + $threshold=port_scan_threshold, + $threshold_crossed=port_scan_threshold_crossed]); } function is_failed_conn(c: connection): bool { # Sr || ( (hR || ShR) && (data not sent in any direction) ) if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) || - ( - ((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || + (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history ) - ) && - !("D" in c$history || "d" in c$history) - ) ) + ) && /[Dd]/ !in c$history ) + ) return T; return F; } @@ -119,21 +115,19 @@ function is_reverse_failed_conn(c: connection): bool # reverse scan i.e. conn dest is the scanner # sR || ( (Hr || sHr) && (data not sent in any direction) ) if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) || - ( - ((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || + (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history ) - ) && - !("D" in c$history || "d" in c$history) - ) ) + ) && /[Dd]/ !in c$history ) + ) return T; return F; } function add_metrics(id: conn_id, reverse: bool) { - local scanner: addr; - local victim: addr; - local scanned_port: port; + local scanner = id$orig_h; + local victim = id$resp_h; + local scanned_port = id$resp_p; if ( reverse ) { 
@@ -141,12 +135,6 @@ function add_metrics(id: conn_id, reverse: bool) victim = id$orig_h; scanned_port = id$orig_p; } - else - { - scanner = id$orig_h; - victim = id$resp_h; - scanned_port = id$resp_p; - } # Defaults to be implemented with a hook... #local transport_layer_proto = get_port_transport_proto(service); @@ -173,12 +161,10 @@ function add_metrics(id: conn_id, reverse: bool) # return F; # Probably do a hook point here? - if ( analyze_addr_scan ) - Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); + Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); # Probably do a hook point here? - if ( analyze_port_scan ) - Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); + Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } ## Generated for an unsuccessful connection attempt. This @@ -236,7 +222,7 @@ event connection_pending(c: connection) ## originator sent an ACK, indicated by ‘A’ in the history string. #event connection_established(c: connection) # { - # Not useful for scan (too early) +# # Not useful for scan (too early) # } ## Generated when one endpoint of a TCP connection attempted @@ -245,6 +231,6 @@ event connection_pending(c: connection) ## routing, in which Bro only sees one side of a connection. #event connection_half_finished(c: connection) # { - # Half connections never were "established", so do scan-checking here. - # I am not taking *f cases of c$history into account. Ask Seth if I should +# # Half connections never were "established", so do scan-checking here. +# # I am not taking *f cases of c$history into account. Ask Seth if I should # } From 96f850ca4e922a665d9d67414d65a6f7a76ea1f6 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 30 Nov 2012 09:49:16 -0500 Subject: [PATCH 029/134] Moving scan.bro to a more appropriate place. --- scripts/policy/{protocols/conn => misc}/scan.bro | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scripts/policy/{protocols/conn => misc}/scan.bro (100%) diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/misc/scan.bro similarity index 100% rename from scripts/policy/protocols/conn/scan.bro rename to scripts/policy/misc/scan.bro From bb7db648417983f4288eaf86e2ae8e45cec29ef8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 30 Nov 2012 09:51:20 -0500 Subject: [PATCH 030/134] Fixed Sheharbano's name. --- scripts/policy/misc/scan.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index dde96bf939..dbafb51bea 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -1,6 +1,6 @@ ##! Scan detection ##! -##! ..Authors: Sheharbano Kattack +##! ..Authors: Sheharbano Khattak ##! Seth Hall ##! All the authors of the old scan.bro From 1542b3696ee3ceb0054861ae0aacad4bc3842336 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 30 Nov 2012 11:27:09 -0500 Subject: [PATCH 031/134] Changed how traceroute detection works by having it check for low ttl packets after detecting time exceeded messages. --- .../policy/misc/detect-traceroute/main.bro | 34 +++++++++++++------ 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index 0709834cea..fd19e7fef1 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro 
@@ -29,7 +29,7 @@ export { ## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. ## This threshold only comes into play after a host is found to be ## sending low ttl packets. - const icmp_time_exceeded_threshold = 2 &redef; + const icmp_time_exceeded_threshold = 3 &redef; ## Interval at which to watch for the ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed. @@ -49,10 +49,21 @@ export { global log_traceroute: event(rec: Traceroute::Info); } -# Track hosts that have sent low TTL packets. +# Track hosts that have sent low TTL packets and which hosts they +# sent them to. global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized; -event bro_init() &priority=3 +function traceroute_detected(src: addr, dst: addr) + { + Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); + NOTICE([$note=Traceroute::Detected, + $msg=fmt("%s seems to be running traceroute", src), + $src=src, $dst=dst, + $identifier=cat(src)]); + } + + +event bro_init() &priority=5 { Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]); @@ -65,11 +76,15 @@ event bro_init() &priority=3 local parts = split1(index$str, /-/); local src = to_addr(parts[1]); local dst = to_addr(parts[2]); - Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); - NOTICE([$note=Traceroute::Detected, - $msg=fmt("%s seems to be running traceroute", src), - $src=src, $dst=dst, - $identifier=parts[1]]); + if ( require_low_ttl_packets ) + { + when ( [src, dst] in low_ttlers ) + { + traceroute_detected(src, dst); + } + } + else + traceroute_detected(src, dst); }]); } 
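Review bot: The `when ( [src, dst] in low_ttlers )` trigger added in the threshold callback has no `timeout` clause, so if a low-TTL packet for that pair never shows up the trigger is polled for the lifetime of the process; because the next hunk removes the `require_low_ttl_packets` gate from `icmp_time_exceeded`, every src-dst pair that reaches `icmp_time_exceeded_threshold` now spawns one of these, and a burst of ICMP Time Exceeded messages turns into an unbounded set of pending triggers. `low_ttlers` entries expire after two minutes (`&create_expire=2min`), so a matching bound is the natural fix: `when ( [src, dst] in low_ttlers ) { traceroute_detected(src, dst); } timeout 2min { }`, or an interval constant declared alongside the other export constants. A short comment that the threshold now fires for pairs that may never be confirmed would also help, since that is a behaviour change from the removed condition.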
@@ -82,6 +97,5 @@ event signature_match(state: signature_state, msg: string, data: string)
 
 event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
 {
- if ( ! require_low_ttl_packets || [context$id$orig_h, context$id$resp_h] in low_ttlers )
- Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
+ Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
 }
From 4bb8babb4556b9d0bd30538e91c60d592845fcfa Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 3 Dec 2012 14:58:11 -0500
Subject: [PATCH 032/134] Small change to load the correct scan file in local.bro.

---
 scripts/policy/misc/scan.bro | 50 ++++++++++++++++++------------------
 scripts/site/local.bro | 2 +-
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro
index dbafb51bea..a8ed6e8359 100644
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
@@ -98,31 +98,6 @@ event bro_init() &priority=5 $threshold_crossed=port_scan_threshold_crossed]); } -function is_failed_conn(c: connection): bool - { - # Sr || ( (hR || ShR) && (data not sent in any direction) ) - if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) || - (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || - (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history ) - ) && /[Dd]/ !in c$history ) - ) - return T; - return F; - } - -function is_reverse_failed_conn(c: connection): bool - { - # reverse scan i.e. conn dest is the scanner - # sR || ( (Hr || sHr) && (data not sent in any direction) ) - if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) || - (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || - (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history ) - ) && /[Dd]/ !in c$history ) - ) - return T; - return F; - } - function add_metrics(id: conn_id, reverse: bool) { local scanner = id$orig_h; 
@@ -167,6 +142,31 @@ function add_metrics(id: conn_id, reverse: bool) Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } +function is_failed_conn(c: connection): bool + { + # Sr || ( (hR || ShR) && (data not sent in any direction) ) + if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) || + (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || + (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history ) + ) && /[Dd]/ !in c$history ) + ) + return T; + return F; + } + +function is_reverse_failed_conn(c: connection): bool + { + # reverse scan i.e. conn dest is the scanner + # sR || ( (Hr || sHr) && (data not sent in any direction) ) + if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) || + (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || + (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history ) + ) && /[Dd]/ !in c$history ) + ) + return T; + return F; + } + ## Generated for an unsuccessful connection attempt. This ## event is raised when an originator unsuccessfully attempted ## to establish a connection. “Unsuccessful” is defined as at least diff --git a/scripts/site/local.bro b/scripts/site/local.bro index acbef96721..918bc0f462 100644 --- a/scripts/site/local.bro +++ b/scripts/site/local.bro @@ -9,7 +9,7 @@ @load tuning/defaults # Load the scan detection script. -@load protocols/conn/scan +@load misc/scan # Generate notices when vulnerable versions of software are discovered. # The default is to only monitor software found in the address space defined From 70a532e898cc035c52005605bfdd6529f5b38ad0 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 3 Dec 2012 13:46:48 -0800 Subject: [PATCH 033/134] make it compile --- src/input/readers/SQLite.cc | 1 - src/logging/writers/SQLite.cc | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc
index 53a3609e24..955e821a53 100644
--- a/src/input/readers/SQLite.cc
+++ b/src/input/readers/SQLite.cc
@@ -149,7 +149,6 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 
 case TYPE_INT:
 val->val.int_val = sqlite3_column_int64(st, pos);
- printf("Value: %d\n", val->val.int_val);
 break;
 
 case TYPE_DOUBLE:
diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc
index 1028710fc0..56e8a23d4e 100644
--- a/src/logging/writers/SQLite.cc
+++ b/src/logging/writers/SQLite.cc
@@ -294,7 +294,7 @@ void SQLite::ValToAscii(ODesc* desc, Value* val)
 case TYPE_VECTOR:
 assert(false);
 // this would mean that we have a table/vector inside a table/vector.
- // that is not possible and shoulr have been caught way earlier.
+ // that is not possible and should have been caught way earlier.
 
 default:
 // there may not be any types that we do not know here.
From 9c09dee294f17bccee9f693d9cdc98029d1a1775 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Mon, 3 Dec 2012 14:14:40 -0800
Subject: [PATCH 034/134] and adapt to AsciiInputOutput - seems to work...

---
 .../frameworks/logging/writers/sqlite.bro | 5 +-
 src/AsciiInputOutput.cc | 2 +
 src/input/readers/SQLite.cc | 8 +-
 src/input/readers/SQLite.h | 5 +
 src/logging.bif | 1 +
 src/logging/writers/SQLite.cc | 121 +++++------------
 src/logging/writers/SQLite.h | 9 +-
 7 files changed, 51 insertions(+), 100 deletions(-)

diff --git a/scripts/base/frameworks/logging/writers/sqlite.bro b/scripts/base/frameworks/logging/writers/sqlite.bro
index 1b19c84ff3..654af93c96 100644
--- a/scripts/base/frameworks/logging/writers/sqlite.bro
+++ b/scripts/base/frameworks/logging/writers/sqlite.bro
@@ -5,6 +5,9 @@ module LogSQLite; export { ## Separator between set elements. - const set_separator = "," &redef; + const set_separator = Log::set_separator &redef; + + ## String to use for an unset &optional field. + const unset_field = Log::unset_field &redef; } diff --git a/src/AsciiInputOutput.cc b/src/AsciiInputOutput.cc index 28736b9a77..74cabecb1d 100644 --- a/src/AsciiInputOutput.cc +++ b/src/AsciiInputOutput.cc @@ -134,6 +134,7 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre if ( j > 0 ) desc->AddRaw(set_separator); + assert(field != 0); if ( ! ValToODesc(desc, val->val.set_val.vals[j], field) ) { desc->RemoveEscapeSequence(set_separator); @@ -159,6 +160,7 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre if ( j > 0 ) desc->AddRaw(set_separator); + assert(field != 0); if ( ! ValToODesc(desc, val->val.vector_val.vals[j], field) ) { desc->RemoveEscapeSequence(set_separator); diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index 955e821a53..20559f5664 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc @@ -23,13 +23,13 @@ using threading::Field; SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend) { - + io = new AsciiInputOutput(this); } SQLite::~SQLite() { DoClose(); - + delete io; } void SQLite::DoClose() @@ -174,7 +174,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p int width = atoi(s.substr(pos+1).c_str()); string addr = s.substr(0, pos); - val->val.subnet_val.prefix = StringToAddr(addr); + val->val.subnet_val.prefix = io->StringToAddr(addr); val->val.subnet_val.length = width; break; @@ -183,7 +183,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p { const char *text = (const char*) sqlite3_column_text(st, pos); string s(text, sqlite3_column_bytes(st, pos)); - val->val.addr_val = StringToAddr(s); + val->val.addr_val = io->StringToAddr(s); break; } 
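Review bot: The new `assert(field != 0)` in `AsciiInputOutput::ValToODesc` is compiled out in NDEBUG builds, so it documents the invariant but does not enforce it at runtime, and the SQLite writer updated later in this same commit deliberately passes `NULL` as `field` for set and vector elements. That is only safe if none of the scalar branches of `ValToODesc` read `field`, which this hunk does not show; if any do, a null dereference is reachable in a release build. A runtime guard in front of the recursive calls, `if ( ! field ) return false;`, or making the scalar path independent of `field`, would let the contract hold without relying on the assert. The enclosing function starts before and ends after this hunk.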
diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 5ed24ce393..1ba528643b 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -12,8 +12,11 @@ #include #include "../ReaderBackend.h" +#include "../../AsciiInputOutput.h" + #include "sqlite3.h" + namespace input { namespace reader { class SQLite : public ReaderBackend { @@ -48,6 +51,8 @@ private: sqlite3 *db; sqlite3_stmt *st; + AsciiInputOutput* io; + }; diff --git a/src/logging.bif b/src/logging.bif index 487d54a19a..93317e242d 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -87,6 +87,7 @@ const num_threads: count; module LogSQLite; const set_separator: string; +const unset_field: string; # Options for the ElasticSearch writer. diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index 56e8a23d4e..3157c3f0fc 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -24,12 +24,22 @@ using threading::Field; SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) { - set_separator_len = BifConst::LogSQLite::set_separator->Len(); - set_separator = new char[set_separator_len]; - memcpy(set_separator, BifConst::LogSQLite::set_separator->Bytes(), - set_separator_len); + + set_separator.assign( + (const char*) BifConst::LogSQLite::set_separator->Bytes(), + BifConst::LogAscii::set_separator->Len() + ); + + + unset_field.assign( + (const char*) BifConst::LogSQLite::unset_field->Bytes(), + BifConst::LogAscii::unset_field->Len() + ); + db = 0; + + io = new AsciiInputOutput(this, set_separator, unset_field); } SQLite::~SQLite() @@ -39,6 +49,8 @@ SQLite::~SQLite() sqlite3_close(db); db = 0; } + + delete io; } string SQLite::GetTableType(int arg_type, int arg_subtype) { 
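Review bot: Both `assign()` calls in the `SQLite::SQLite` writer constructor take their byte pointer from `BifConst::LogSQLite::*` but their length from `BifConst::LogAscii::*`: `set_separator.assign((const char*) BifConst::LogSQLite::set_separator->Bytes(), BifConst::LogAscii::set_separator->Len())`, and the same for `unset_field`. The defaults presumably coincide, but as soon as a site redefs one writer's separator and not the other's the copy is either truncated or reads past the end of the LogSQLite string. The lengths should come from the same constants as the bytes: `BifConst::LogSQLite::set_separator->Len()` and `BifConst::LogSQLite::unset_field->Len()`. The `separator` member declared in this commit's header hunk is also never assigned in this constructor.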
@@ -226,84 +238,6 @@ char* SQLite::FS(const char* format, ...) { return buf; } -// this one is mainly ripped from Ascii.cc - with some adaptions. -void SQLite::ValToAscii(ODesc* desc, Value* val) - { - if ( ! val->present ) - { - assert(false); - } - - switch ( val->type ) { - - case TYPE_BOOL: - desc->Add(val->val.int_val ? "T" : "F"); - break; - - case TYPE_INT: - desc->Add(val->val.int_val); - break; - - case TYPE_COUNT: - case TYPE_COUNTER: - desc->Add(val->val.uint_val); - break; - - case TYPE_PORT: - desc->Add(val->val.port_val.port); - break; - - case TYPE_SUBNET: - desc->Add(Render(val->val.subnet_val)); - break; - - case TYPE_ADDR: - desc->Add(Render(val->val.addr_val)); - break; - - case TYPE_DOUBLE: - // Rendering via Add() truncates trailing 0s after the - // decimal point. The difference with TIME/INTERVAL is mainly - // to keep the log format consistent. - desc->Add(val->val.double_val); - break; - - case TYPE_INTERVAL: - case TYPE_TIME: - // Rendering via Render() keeps trailing 0s after the decimal - // point. The difference with DOUBLEis mainly to keep the log - // format consistent. - desc->Add(Render(val->val.double_val)); - break; - - case TYPE_ENUM: - case TYPE_STRING: - case TYPE_FILE: - case TYPE_FUNC: - { - int size = val->val.string_val.length; - const char* data = val->val.string_val.data; - - if ( size ) - desc->AddN(data, size); - - break; - } - - case TYPE_TABLE: - case TYPE_VECTOR: - assert(false); - // this would mean that we have a table/vector inside a table/vector. - // that is not possible and should have been caught way earlier. - - default: - // there may not be any types that we do not know here. - assert(false); - } - - } - - int SQLite::AddParams(Value* val, int pos) { 
@@ -329,13 +263,13 @@ int SQLite::AddParams(Value* val, int pos) case TYPE_SUBNET: { - string out = Render(val->val.subnet_val).c_str(); + string out = io->Render(val->val.subnet_val).c_str(); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } case TYPE_ADDR: { - string out = Render(val->val.addr_val).c_str(); + string out = io->Render(val->val.addr_val).c_str(); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } @@ -359,17 +293,19 @@ int SQLite::AddParams(Value* val, int pos) { ODesc desc; desc.Clear(); - desc.AddEscapeSequence(set_separator, set_separator_len); + desc.AddEscapeSequence(set_separator); for ( int j = 0; j < val->val.set_val.size; j++ ) { if ( j > 0 ) - desc.AddRaw(set_separator, set_separator_len); + desc.AddRaw(set_separator); - ValToAscii(&desc, val->val.set_val.vals[j]); + io->ValToODesc(&desc, val->val.set_val.vals[j], NULL); + // yes, giving NULL here is not really really pretty.... + // it works however, because tables cannot contain tables... + // or vectors. } - - + desc.RemoveEscapeSequence(set_separator); return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); } @@ -377,16 +313,17 @@ int SQLite::AddParams(Value* val, int pos) { ODesc desc; desc.Clear(); - desc.AddEscapeSequence(set_separator, set_separator_len); + desc.AddEscapeSequence(set_separator); for ( int j = 0; j < val->val.vector_val.size; j++ ) { if ( j > 0 ) - desc.AddRaw(set_separator, set_separator_len); + desc.AddRaw(set_separator); - ValToAscii(&desc, val->val.vector_val.vals[j]); + io->ValToODesc(&desc, val->val.vector_val.vals[j], NULL); } + desc.RemoveEscapeSequence(set_separator); return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); } diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index 0c8addc9da..f74c2259a5 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h 
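Review bot: In the TYPE_SUBNET and TYPE_ADDR cases, `string out = io->Render(val->val.subnet_val).c_str();` converts the rendered string to a C string and back, which copies twice and would drop anything after an embedded NUL; assuming `Render` returns a `std::string` (its declaration is not in this diff), the direct form `string out = io->Render(val->val.subnet_val);` (and likewise for `addr_val`) is both simpler and exact. The enclosing AddParams starts outside this hunk.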
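Review bot: In the TYPE_TABLE and TYPE_VECTOR cases the removed `ValToAscii` asserted `val->present` for every element, and the replacement call `io->ValToODesc(&desc, val->val.set_val.vals[j], NULL)` ignores whatever that function returns, so how a non-present element or a rendering failure inside a set is handled is no longer visible here; if `ValToODesc` reports failure via its return value, it should be checked and propagated the same way the `sqlite3_bind_text` results are. The three informal comment lines after the call would read better as one statement of the contract: `// Set/vector elements are scalars (nested containers are not allowed), so no nested separator is needed.` The enclosing AddParams starts outside this hunk.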
@@ -12,6 +12,7 @@ #include "../WriterBackend.h" #include "sqlite3.h" +#include "../../AsciiInputOutput.h" namespace logging { namespace writer { @@ -37,7 +38,6 @@ protected: private: bool checkError(int code); - void ValToAscii(ODesc* desc, threading::Value* val); int AddParams(threading::Value* val, int pos); string GetTableType(int, int); @@ -46,8 +46,11 @@ private: sqlite3 *db; sqlite3_stmt *st; - char* set_separator; - int set_separator_len; + string separator; + string set_separator; + string unset_field; + + AsciiInputOutput* io; }; } From 3ca0333294dcaafff68a10cc44ce17a005a0df69 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 4 Dec 2012 00:15:19 -0500 Subject: [PATCH 035/134] Fix to checking metrics thresholds at the end of the break interval ($every field). --- scripts/base/frameworks/metrics/cluster.bro | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 64c7a2d7ee..6a536efb85 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -143,7 +143,7 @@ event Metrics::cluster_filter_request(uid: string, id: string, filter_name: stri event Metrics::send_data(uid, id, filter_name, store[id, filter_name]); # Lookup the actual filter and reset it, the reference to the data - # currently stored will be maintained interally by the send_data event. + # currently stored will be maintained internally by the send_data event. reset(filter_store[id, filter_name]); } @@ -232,6 +232,10 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str { #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr); + # Mark another worker as being "done" for this uid. + if ( done ) + ++done_with[uid]; + local local_data = filter_results[uid, id, filter_name]; for ( index in data ) { 
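Review bot: The header hunk adds a `string separator;` member that has no initializer in the constructor and no use anywhere in this diff, alongside the `set_separator`/`unset_field` members that are initialized; if it is a leftover it should be dropped, otherwise it needs to be set in the constructor next to the others. A one-line comment on `io` would also help readers of the header: `// Shared value renderer for set/vector elements; created in the constructor, deleted in the destructor.`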
@@ -239,12 +243,19 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str local_data[index] = merge_result_vals(local_data[index], data[index]); else local_data[index] = data[index]; + + # If a filter is done being collected, thresholds for each index + # need to checked so we're doing it here to avoid doubly iterating + # over each index. + if ( Cluster::worker_count == done_with[uid] ) + { + if ( check_thresholds(filter_store[id, filter_name], index, local_data[index], 1.0) ) + { + threshold_crossed(filter_store[id, filter_name], index, local_data[index]); + } + } } - # Mark another worker as being "done" for this uid. - if ( done ) - ++done_with[uid]; - # If the data has been collected from all peers, we are done and ready to log. if ( Cluster::worker_count == done_with[uid] ) { From e769ab469f400c7f1d11a35709b52bc3ca66cb86 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 4 Dec 2012 00:15:49 -0500 Subject: [PATCH 036/134] Comment and indentation cleanup. --- .../policy/misc/detect-traceroute/main.bro | 8 ++++---- scripts/policy/misc/scan.bro | 20 ++----------------- 2 files changed, 6 insertions(+), 22 deletions(-) diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index fd19e7fef1..051d81c5c7 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -81,10 +81,10 @@ event bro_init() &priority=5 when ( [src, dst] in low_ttlers ) { traceroute_detected(src, dst); - } - } - else - traceroute_detected(src, dst); + } + } + else + traceroute_detected(src, dst); }]); } diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index a8ed6e8359..decc34c894 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
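Review bot: The threshold check added inside `for ( index in data )` only examines the indexes carried by the particular response that makes `done_with[uid]` reach `Cluster::worker_count`; any index that was reported only by an earlier worker, or in an earlier chunk of the same worker (the `done` flag suggests responses arrive in chunks), has been merged into `local_data` but is never checked, so a crossing can be missed. Since the completion block below already tests `Cluster::worker_count == done_with[uid]`, the check belongs there as a pass over the merged table: `for ( index in local_data ) if ( check_thresholds(filter_store[id, filter_name], index, local_data[index], 1.0) ) threshold_crossed(filter_store[id, filter_name], index, local_data[index]);`. The enclosing `cluster_filter_response` handler starts outside this hunk.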
@@ -76,10 +76,7 @@ function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result event bro_init() &priority=5 { - # note=> Addr scan: table [src_ip, port] of set(dst); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. + # Note: addr scans are trcked similar to: table[src_ip, port] of set(dst); Metrics::add_filter("scan.addr.fail", [$log=F, $every=addr_scan_interval, $measure=set(Metrics::UNIQUE), @@ -87,10 +84,7 @@ event bro_init() &priority=5 $threshold=addr_scan_threshold, $threshold_crossed=addr_scan_threshold_crossed]); - # note=> Port Sweep: table[src_ip, dst_ip] of set(port); - # Add filters to the metrics so that the metrics framework knows how to - # determine when it looks like an actual attack and how to respond when - # thresholds are crossed. + # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port); Metrics::add_filter("scan.port.fail", [$log=F, $every=port_scan_interval, $measure=set(Metrics::UNIQUE), @@ -224,13 +218,3 @@ event connection_pending(c: connection) # { # # Not useful for scan (too early) # } - -## Generated when one endpoint of a TCP connection attempted -## to gracefully close the connection, but the other endpoint -## is in the TCP_INACTIVE state. This can happen due to split -## routing, in which Bro only sees one side of a connection. -#event connection_half_finished(c: connection) -# { -# # Half connections never were "established", so do scan-checking here. -# # I am not taking *f cases of c$history into account. Ask Seth if I should -# } From 3af4517e2a92efc657f65121cdbf5e54b4e1b999 Mon Sep 17 00:00:00 2001 
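Review bot: The new comment in the first hunk has a typo, `trcked`; it should read `# Note: addr scans are tracked similar to: table[src_ip, port] of set(dst);`. The `bro_init` body continues past the end of the hunk.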
From: Seth Hall Date: Tue, 4 Dec 2012 11:04:01 -0500 Subject: [PATCH 037/134] Adding an $end time for result values to measure the length of time a measurement took. --- scripts/base/frameworks/metrics/main.bro | 13 ++++++++++++- scripts/policy/misc/scan.bro | 4 ++-- .../manager-1.metrics.log | 14 +++++++------- .../metrics.log | 14 +++++++------- 4 files changed, 28 insertions(+), 17 deletions(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 48f11ef7f7..8d7ea26bc7 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -71,6 +71,9 @@ export { ## The time when this result was first started. begin: time &log; + ## The time when the last value was added to this result. + end: time &log; + ## The number of measurements received. num: count &log &default=0; @@ -277,6 +280,12 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal { local result: ResultVal; + # Merge $begin (take the earliest one) + result$begin = rv1$begin < rv2$begin ? rv1$begin : rv2$begin; + + # Merge $end (take the latest one) + result$end = rv1$end > rv2$end ? rv1$end : rv2$end; + # Merge $num result$num = rv1$num + rv2$num; @@ -442,7 +451,7 @@ function add_data(id: string, index: Index, data: DataPoint) local metric_tbl = store[id, filter$name]; if ( index !in metric_tbl ) - metric_tbl[index] = [$begin=network_time()]; + metric_tbl[index] = [$begin=network_time(), $end=network_time()]; local result = metric_tbl[index]; @@ -452,6 +461,8 @@ function add_data(id: string, index: Index, data: DataPoint) val = data?$dbl ? data$dbl : data$num; ++result$num; + # Continually update the $end field. + result$end=network_time(); if ( filter?$samples && filter$samples > 0 && data?$str ) { diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index decc34c894..42350bbe77 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
@@ -51,7 +51,7 @@ function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVa function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) { local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str); + local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, val$end-val$begin); NOTICE([$note=Address_Scan, $src=index$host, @@ -64,7 +64,7 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) { local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str); + local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, val$end-val$begin); NOTICE([$note=Port_Scan, $src=index$host, diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log index e6c33719aa..98794673f1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-11-20-06-46-51 -#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string string addr subnet time count double double double double double double count -1353394011.192622 3.000000 default test.metric - 6.5.4.3 - - 2 6.0 1.0 5.0 3.0 4.0 2.0 - -1353394011.192622 3.000000 default test.metric - 1.2.3.4 - - 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 - -1353394011.192622 3.000000 default test.metric - 7.2.1.5 - - 2 145.0 54.0 91.0 72.5 342.25 18.5 - -#close 2012-11-20-06-46-51 +#open 2012-12-04-15-53-23 +#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string string addr subnet time time count double double double double double double count +1354636403.682565 3.000000 default test.metric - 6.5.4.3 - 1354636401.774655 1354636401.782720 2 6.0 1.0 5.0 3.0 4.0 2.0 - +1354636403.682565 3.000000 default test.metric - 1.2.3.4 - 1354636401.774655 1354636401.782720 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 - +1354636403.682565 3.000000 default test.metric - 7.2.1.5 - 1354636401.774655 1354636401.782720 2 145.0 54.0 91.0 72.5 342.25 18.5 - +#close 2012-12-04-15-53-23 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log index 784d6d7920..63bf7c95fb 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-11-20-15-05-07 -#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string string addr subnet time count double double double double double double count -1353423907.236002 3.000000 foo-bar test.metric - 6.5.4.3 - 1353423907.236002 1 2.0 2.0 2.0 2.0 0.0 0.0 - -1353423907.236002 3.000000 foo-bar test.metric - 1.2.3.4 - 1353423907.236002 5 221.0 5.0 94.0 44.2 915.36 30.254917 - -1353423907.236002 3.000000 foo-bar test.metric - 7.2.1.5 - 1353423907.236002 1 1.0 1.0 1.0 1.0 0.0 0.0 - -#close 2012-11-20-15-05-07 +#open 2012-12-04-15-55-13 +#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string string addr subnet time time count double double double double double double count +1354636513.492214 3.000000 foo-bar test.metric - 6.5.4.3 - 1354636513.492214 1354636513.492214 1 2.0 2.0 2.0 2.0 0.0 0.0 - +1354636513.492214 3.000000 foo-bar test.metric - 1.2.3.4 - 1354636513.492214 1354636513.492214 5 221.0 5.0 94.0 44.2 915.36 30.254917 - +1354636513.492214 3.000000 foo-bar test.metric - 7.2.1.5 - 1354636513.492214 1354636513.492214 1 1.0 1.0 1.0 1.0 0.0 0.0 - +#close 2012-12-04-15-55-13 From d0e8a6eef3a8da10480fbe18ebd3d1622de3e93b Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 4 Dec 2012 11:54:39 -0500 Subject: [PATCH 038/134] Comment updates and revised scan detection duration logging. - Detection duration tracking is now logged in notices as 2m43s and only goes down to seconds. Previously is was proceeding to milli- and micro seconds which aren't particularly useful. - Inline docu-comment updates from Vlad Grigorescu. --- scripts/policy/misc/scan.bro | 43 +++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 42350bbe77..5a8e3f7830 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
@@ -11,17 +11,26 @@ module Scan; export { redef enum Notice::Type += { - ## Address scans detect that a host appears to be scanning - ## some number of other hosts on a single port. + ## Address scans detect that a host appears to be scanning some number + ## of hosts on a single port. This notice is generated when more than + ## :bro:id:`addr_scan_threshold` unique hosts are seen over the + ## previous :bro:id:`addr_scan_interval` time range. Address_Scan, - ## Port scans detect that a host appears to be scanning a - ## single other host on numerous ports. + ## Port scans detect that an attacking host appears to be scanning a + ## single victim host on several ports. This notice is generated when + ## an attacking host attempts to connect to :bro:id:`port_scan_threshold` + ## unique ports on a single host over the previous + ## :bro:id:`port_scan_interval` time range. Port_Scan, }; - ## Interval at which to watch for an address scan detection threshold to be crossed. + ## Failed connection attempts are tracked over this time interval for the address + ## scan detection. A higher interval will detect slower scanners, but may + ## also yield more false positives. const addr_scan_interval = 5min &redef; - ## Interval at which to watch for a port scan detection threshold to be crossed. + ## Failed connection attempts are tracked over this time interval for the port + ## scan detection. A higher interval will detect slower scanners, but may + ## also yield more false positives. const port_scan_interval = 5min &redef; ## The threshold of a unique number of hosts a scanning host has to have failed 
@@ -48,10 +57,17 @@ function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVa val$sum > addr_scan_custom_thresholds[service] ); } +function duration_to_mins_secs(dur: interval): string + { + local dur_count = double_to_count(interval_to_double(dur)); + return fmt("%dm%ds", dur_count/60, dur_count%60); + } + function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) { local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, val$end-val$begin); + local dur = duration_to_mins_secs(val$end-val$begin); + local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, dur); NOTICE([$note=Address_Scan, $src=index$host, @@ -64,7 +80,8 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) { local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, val$end-val$begin); + local dur = duration_to_mins_secs(val$end-val$begin); + local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, dur); NOTICE([$note=Port_Scan, $src=index$host, @@ -208,13 +225,3 @@ event connection_pending(c: connection) else if ( is_reverse_failed_conn(c) ) add_metrics(c$id, T); } - -## Generated when a SYN-ACK packet is seen in response to a SYN -## packet during a TCP handshake. The final ACK of the handshake -## in response to SYN-ACK may or may not occur later, one way to -## tell is to check the history field of connection to see if the -## originator sent an ACK, indicated by ‘A’ in the history string. -#event connection_established(c: connection) -# { -# # Not useful for scan (too early) -# } 
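Review bot: `duration_to_mins_secs` has no doc comment, and its two non-obvious properties are worth stating: `double_to_count` truncates so sub-second precision is dropped, and there is no hour field so anything of an hour or more renders as minutes only (e.g. 125m3s). Suggested header: `## Render an interval as "XmYs". Fractions of a second are truncated and hours are not folded out, so long durations show as large minute counts.` The two `_threshold_crossed` functions in this hunk continue past its end.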
From 69b7ce12d2085b343768705b6225abc68e3fd8e7 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Dec 2012 01:08:59 -0500 Subject: [PATCH 039/134] API updates for metrics framework. - Removed default logging. Now a function is available for the new $period_finished filter field to get the same behavior for logging named Metrics::write_log. - Added index rollups for getting multiple metrics result values as the same time. --- scripts/base/frameworks/metrics/cluster.bro | 45 +++- scripts/base/frameworks/metrics/main.bro | 210 ++++++++++++------ .../base/frameworks/metrics/non-cluster.bro | 26 ++- .../frameworks/metrics/conn-example.bro | 9 +- .../frameworks/metrics/http-example.bro | 15 +- .../policy/frameworks/metrics/ssl-example.bro | 5 +- scripts/policy/misc/app-metrics.bro | 55 ++++- scripts/policy/misc/capture-loss.bro | 1 - scripts/policy/misc/scan.bro | 18 +- .../protocols/conn/conn-stats-per-host.bro | 6 +- scripts/policy/protocols/conn/metrics.bro | 6 +- .../manager-1.metrics.log | 14 +- .../metrics.log | 14 +- .../base/frameworks/metrics/basic-cluster.bro | 26 +-- .../scripts/base/frameworks/metrics/basic.bro | 4 +- .../metrics/cluster-intermediate-update.bro | 3 +- .../base/frameworks/metrics/thresholding.bro | 9 +- 17 files changed, 304 insertions(+), 162 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 6a536efb85..60342b327f 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro 
@@ -60,18 +60,18 @@ global requested_results: table[string] of time = table() &create_expire=5mins; # This variable is maintained by manager nodes as they collect and aggregate # results. -global filter_results: table[string, string, string] of MetricTable &create_expire=5mins; +global filter_results: table[string, string, string] of MetricTable &read_expire=1min; # This variable is maintained by manager nodes to track how many "dones" they # collected per collection unique id. Once the number of results for a uid # matches the number of peer nodes that results should be coming from, the # result is written out and deleted from here. # TODO: add an &expire_func in case not all results are received. -global done_with: table[string] of count &create_expire=5mins &default=0; +global done_with: table[string] of count &read_expire=1min &default=0; # This variable is maintained by managers to track intermediate responses as # they are getting a global view for a certain index. -global index_requests: table[string, string, string, Index] of ResultVal &create_expire=5mins &default=[]; +global index_requests: table[string, string, string, Index] of ResultVal &read_expire=1min; # This variable is maintained by all hosts for different purposes. Non-managers # maintain it to know what indexes they have recently sent as intermediate @@ -163,7 +163,7 @@ event Metrics::cluster_index_request(uid: string, id: string, filter_name: strin @if ( Cluster::local_node_type() == Cluster::MANAGER ) # Manager's handle logging. -event Metrics::log_it(filter: Filter) +event Metrics::finish_period(filter: Filter) { #print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id); local uid = unique_id(""); 
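Review bot: Changing `filter_results` and `done_with` from `&create_expire=5mins` to `&read_expire=1min` means that if any worker's response arrives more than a minute after the last access, the partially merged state is gone: `done_with[uid]` restarts from its `&default=0` and can never reach `Cluster::worker_count`, and the unguarded lookup `filter_results[uid, id, filter_name]` in the response handler would then fail at runtime, assuming no `in` check exists outside this diff. The TODO in the hunk about an `&expire_func` is the right remedy; at minimum the expiry should be derived from the filter's `$every` rather than a fixed minute. Note also that `index_requests` lost its `&default=[]`, so every lookup into it must now be preceded by an `in` test.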
@@ -174,8 +174,8 @@ event Metrics::log_it(filter: Filter) # Request data from peers. event Metrics::cluster_filter_request(uid, filter$id, filter$name); - # Schedule the log_it event for the next break period. - schedule filter$every { Metrics::log_it(filter) }; + # Schedule the next finish_period event. + schedule filter$every { Metrics::finish_period(filter) }; } # This is unlikely to be called often, but it's here in case there are metrics @@ -237,6 +237,8 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str ++done_with[uid]; local local_data = filter_results[uid, id, filter_name]; + local filter = filter_store[id, filter_name]; + for ( index in data ) { if ( index in local_data ) @@ -245,18 +247,18 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str local_data[index] = data[index]; # If a filter is done being collected, thresholds for each index - # need to checked so we're doing it here to avoid doubly iterating + # need to be checked so we're doing it here to avoid doubly iterating # over each index. if ( Cluster::worker_count == done_with[uid] ) { - if ( check_thresholds(filter_store[id, filter_name], index, local_data[index], 1.0) ) + if ( check_thresholds(filter, index, local_data[index], 1.0) ) { - threshold_crossed(filter_store[id, filter_name], index, local_data[index]); + threshold_crossed(filter, index, local_data[index]); } } } - # If the data has been collected from all peers, we are done and ready to log. + # If the data has been collected from all peers, we are done and ready to finish. if ( Cluster::worker_count == done_with[uid] ) { local ts = network_time(); 
@@ -267,11 +269,30 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str delete requested_results[uid]; } - write_log(ts, filter_store[id, filter_name], local_data); - + if ( filter?$rollup ) + { + for ( index in local_data ) + { + if ( index !in rollup_store ) + rollup_store[index] = table(); + rollup_store[index][id, filter_name] = local_data[index]; + + # If all of the result vals are stored then the rollup callback can be executed. + if ( |rollup_store[index]| == |rollups[filter$rollup]$filters| ) + { + rollups[filter$rollup]$callback(index, rollup_store[index]); + } + } + } + + if ( filter?$period_finished ) + filter$period_finished(ts, filter$id, filter$name, local_data); + # Clean up delete filter_results[uid, id, filter_name]; delete done_with[uid]; + # Not sure I need to reset the filter on the manager. + reset(filter); } } diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 8d7ea26bc7..534529e020 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -8,10 +8,6 @@ export { ## The metrics logging stream identifier. redef enum Log::ID += { LOG }; - ## The default interval used for "breaking" metrics and writing the - ## current value to the logging stream. - const default_break_interval = 15mins &redef; - ## This is the interval for how often threshold based notices will happen ## after they have already fired. const threshold_crossed_restart_interval = 1hr &redef; 
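Review bot: After `rollups[filter$rollup]$callback(index, rollup_store[index]);` nothing removes `rollup_store[index]`, so the entry persists and, because the same `[id, filter_name]` keys are simply overwritten next period, `|rollup_store[index]|` already equals the filter count as soon as the first filter reports, making the callback fire once per filter with stale values from the others and leaving the table to grow by one entry per index forever. Add `delete rollup_store[index];` immediately after the callback. `Rollup$filters` is declared `&optional` in main.bro, so `|rollups[filter$rollup]$filters|` would also error if a rollup was created without any filter registered, presumably a case `add_filter` should guard. The enclosing `cluster_filter_response` handler starts outside this hunk.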
@@ -108,63 +104,74 @@ export { ## The record type that is used for logging metrics. type Info: record { ## Timestamp at which the metric was "broken". - ts: time &log; + ts: time &log; ## Interval between logging of this filter and the last time it was logged. - ts_delta: interval &log; - ## The name of the filter being logged. Values - ## can have multiple filters which represent different perspectives on - ## the data so this is necessary to understand the value. - filter_name: string &log; + ts_delta: interval &log; ## What measurement the metric represents. - metric: string &log; + metric: string &log; ## What the metric value applies to. - index: Index &log; + index: Index &log; ## The simple numeric value of the metric. - result: ResultVal &log; + result: ResultVal &log; }; + ## Type to store a table of metrics result values. + type MetricTable: table[Index] of ResultVal; + ## Filters define how the data from a metric is aggregated and handled. ## Filters can be used to set how often the measurements are cut ## and logged or how the data within them is aggregated. It's also ## possible to disable logging and use filters solely for thresholding. type Filter: record { - ## The name for this filter so that multiple filters can be - ## applied to a single metrics to get a different view of the same - ## metric data being collected (different aggregation, break, etc). + ## A name for the filter in case multiple filters are being + ## applied to the same metric. In most cases the default + ## filter name is fine and this field does not need to be set. name: string &default="default"; - ## The metric that this filter applies to. - id: string &optional; - ## The measurements to perform on the data. - measure: set[Calculation] &optional; - ## A predicate so that you can decide per index if you would like - ## to accept the data being inserted. - pred: function(index: Metrics::Index, data: Metrics::DataPoint): bool &optional; - ## A function to normalize the index. 
This can be used to aggregate or - ## normalize the entire index. - normalize_func: function(index: Metrics::Index): Index &optional; - ## Global mask by to aggregate traffic measuring an attribute of hosts. - ## This is a special case of the normalize_func. - aggregation_mask: count &optional; + ## The interval at which this filter should be "broken" and written ## to the logging stream. The counters are also reset to zero at ## this time so any threshold based detection needs to be set to a ## number that should be expected to happen within this period. - every: interval &default=default_break_interval; - ## This determines if the result of this filter is sent to the metrics - ## logging stream. One use for the logging framework is as an internal - ## thresholding and statistics gathering utility that is meant to - ## never log but rather to generate notices and derive data. - log: bool &default=T; + every: interval; + + ## The measurements to perform on the data. + measure: set[Calculation] &optional; + + ## A predicate so that you can decide per index if you would like + ## to accept the data being inserted. + pred: function(index: Metrics::Index, data: Metrics::DataPoint): bool &optional; + + ## A function to normalize the index. This can be used to aggregate or + ## normalize the entire index. + normalize_func: function(index: Metrics::Index): Index &optional; + + ## Global mask by to aggregate traffic measuring an attribute of hosts. + ## This is a special case of the normalize_func. + aggregation_mask: count &optional; + ## A direct threshold for calling the $threshold_crossed function when ## the SUM is greater than or equal to this value. threshold: count &optional; + ## A series of thresholds for calling the $threshold_crossed function. threshold_series: vector of count &optional; + ## A predicate so that you can decide when to flexibly declare when ## a threshold crossed, and do extra work. 
threshold_func: function(index: Metrics::Index, val: Metrics::ResultVal): bool &optional; - ## A function callback that is called when a threshold is crossed. + + ## A callback with the full collection of ResultVals for this filter. This + ## is defined as a redef because the function includes a :bro:type:`Filter` + ## record which is self referential before the Filter type has been fully + ## defined and doesn't work. + period_finished: function(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) &optional; + + ## A callback that is called when a threshold is crossed. threshold_crossed: function(index: Metrics::Index, val: Metrics::ResultVal) &optional; + + ## A rollup to register this filter with. + rollup: string &optional; + ## A number of sample DataPoint strings to collect for the threshold ## crossing callback. samples: count &optional; @@ -187,7 +194,19 @@ export { ## ## increment: How much to increment the counter by. global add_data: function(id: string, index: Metrics::Index, data: Metrics::DataPoint); - + + ## The callback definition for rollup functions. + type RollupCallback: function(index: Metrics::Index, vals: table[string, string] of Metrics::ResultVal); + + ## Add a rollup function for merging multiple filters with matching + ## indexes. If the metrics filters being merged don't have equivalent times + ## in the $every field, an error will be generated. + ## + ## name: An arbitrary name for this filter rollup. + ## + ## vals: Each ResultVal record indexed by the appropriate metric name and filter name. + global create_index_rollup: function(name: string, rollup: RollupCallback); + ## Helper function to represent a :bro:type:`Metrics::Index` value as ## a simple string. ## 
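Review bot: The doc comment on the new `period_finished` field says it "is defined as a redef because the function includes a Filter record", but the field is declared inline here and its signature takes `metric_name`/`filter_name` strings rather than a Filter, so the comment contradicts the code. Suggested replacement: `## A callback invoked when each $every period ends, receiving the full table of ResultVals collected for this filter. The metric and filter are passed by name so the callback can look up the Filter without the record type referencing itself.` Since `every: interval;` also lost its default in this hunk, its comment should say it is now required, e.g. `## Required. The interval at which this filter is "broken"...`.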
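Review bot: The doc block for `create_index_rollup` documents a parameter `vals:` that the function does not have; its second parameter is `rollup: RollupCallback`. Suggested wording: `## rollup: Callback invoked once every filter registered with this rollup has a ResultVal for an index; it receives the index and the ResultVals keyed by [metric name, filter name].` The sentence promising an error when the filters' `$every` values differ describes a check whose implementation is not in this diff; if it is not enforced in the function body, drop that sentence rather than document behavior that does not exist.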
@@ -195,12 +214,23 @@ export { ## ## Returns: A string reprentation of the metric index. global index2str: function(index: Metrics::Index): string; - + + ## A helper function to use with the `period_finished` field in filters. Using + ## this function is not recommended however since each metric likely has + ## different data and different semantics which would be better served by writing + ## a custom function that logs in more domain specific fashion. + global write_log: function(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable); + ## Event to access metrics records as they are passed to the logging framework. global log_metrics: event(rec: Metrics::Info); } +redef record Filter += { + # The metric that this filter applies to. The value is automatically set. + id: string &optional; +}; + redef record ResultVal += { # Internal use only. Used for incrementally calculating variance. prev_avg: double &optional; @@ -226,9 +256,6 @@ redef record ResultVal += { threshold_series_index: count &default=0; }; -# Type to store a table of metrics values. -type MetricTable: table[Index] of ResultVal; - # Store the filters indexed on the metric identifier. global metric_filters: table[string] of vector of Filter = table(); 
@@ -238,16 +265,23 @@ global filter_store: table[string, string] of Filter = table(); # This is indexed by metric id and filter name. global store: table[string, string] of MetricTable = table() &default=table(); -# This is hook for watching thresholds being crossed. It is called whenever +# This is a hook for watching thresholds being crossed. It is called whenever # index values are updated and the new val is given as the `val` argument. -# It's only prototyped here because cluster and non-cluster has separate +# It's only prototyped here because cluster and non-cluster have separate # implementations. global data_added: function(filter: Filter, index: Index, val: ResultVal); +type Rollup: record { + callback: RollupCallback; + filters: set[Filter] &optional; +}; +global rollups: table[string] of Rollup; +global rollup_store: table[Index] of table[string, string] of ResultVal = {}; + + ## Event that is used to "finish" metrics and adapt the metrics ## framework for clustered or non-clustered usage. -global log_it: event(filter: Metrics::Filter); - +global finish_period: event(filter: Metrics::Filter); event bro_init() &priority=5 { @@ -279,22 +313,21 @@ function do_calculated_fields(val: ResultVal) function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal { local result: ResultVal; - + # Merge $begin (take the earliest one) - result$begin = rv1$begin < rv2$begin ? rv1$begin : rv2$begin; + result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; # Merge $end (take the latest one) - result$end = rv1$end > rv2$end ? rv1$end : rv2$end; + result$end = (rv1$end > rv2$end) ? rv1$end : rv2$end; # Merge $num result$num = rv1$num + rv2$num; # Merge $sum + result$sum = rv1$sum + rv2$sum; if ( rv1?$sum || rv2?$sum ) { - result$sum = 0; - if ( rv1?$sum ) - result$sum += rv1$sum; + result$sum = rv1?$sum ? rv1$sum : 0; if ( rv2?$sum ) result$sum += rv2$sum; } 
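Review bot: `rollup_store` is keyed by `Index` alone, while the completeness check that consumes it (in non-cluster.bro's `finish_period`, later in this diff) compares the inner table's size against the filter count of one particular rollup; two rollups whose filters share index values would therefore write into the same inner table and satisfy the count early, or never, for the other rollup. Key it by rollup name as well, `global rollup_store: table[string, Index] of table[string, string] of ResultVal = {};`, and give it an expiry on the order of the filters' `$every` (e.g. `&create_expire`) so indexes that stop appearing are not retained forever. `Rollup$filters` is declared `&optional` although `create_index_rollup` always initialises it; making it non-optional lets `|rollups[...]$filters|` never hit an unset field.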
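Review bot: The added `result$sum = rv1$sum + rv2$sum;` runs before the `rv1?$sum || rv2?$sum` guard and dereferences `$sum` unconditionally, so merging results from a filter that does not measure SUM (the UNIQUE-only scan filters elsewhere in this diff, for instance) hits an unset optional field at runtime. The guarded block right below it already computes the sum correctly, so the line should simply be deleted. A why-comment on the guard would help the next reader: `# $sum is only present when SUM is among the filter's measurements.`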
@@ -348,13 +381,15 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal # Merge $unique_vals if ( rv1?$unique_vals || rv2?$unique_vals ) { - result$unique_vals = set(); if ( rv1?$unique_vals ) - for ( val1 in rv1$unique_vals ) - add result$unique_vals[val1]; + result$unique_vals = rv1$unique_vals; + if ( rv2?$unique_vals ) - for ( val2 in rv2$unique_vals ) - add result$unique_vals[val2]; + if ( ! result?$unique_vals ) + result$unique_vals = rv2$unique_vals; + else + for ( val2 in rv2$unique_vals ) + add result$unique_vals[val2]; } # Merge $sample_queue @@ -376,8 +411,9 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal return result; } -function write_log(ts: time, filter: Filter, data: MetricTable) +function write_log(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) { + local filter = filter_store[metric_name, filter_name]; for ( index in data ) { local m: Info = [$ts=ts, @@ -386,9 +422,7 @@ function write_log(ts: time, filter: Filter, data: MetricTable) $filter_name=filter$name, $index=index, $result=data[index]]; - - if ( filter$log ) - Log::write(Metrics::LOG, m); + Log::write(LOG, m); } } @@ -401,7 +435,7 @@ function add_filter(id: string, filter: Filter) { if ( filter?$normalize_func && filter?$aggregation_mask ) { - Reporter::warning(fmt("invalid Metric filter (%s): Defined $normalize_func and $aggregation_mask.", filter$name)); + Reporter::warning(fmt("invalid Metric filter (%s): Defined both $normalize_func and $aggregation_mask.", filter$name)); return; } if ( [id, filter$name] in store ) 
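Review bot: `result$unique_vals = rv1$unique_vals;` followed by `add result$unique_vals[val2]` mutates rv1's own set, because Bro assigns aggregates such as sets by reference rather than by value; the code being replaced built a fresh set precisely to keep the merge non-destructive. If rv1 is a retained intermediate (this merge serves cluster aggregation), its uniqueness count is silently inflated on every merge. Use `result$unique_vals = copy(rv1$unique_vals);` and `result$unique_vals = copy(rv2$unique_vals);` so neither input is modified.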
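Review bot: `write_log` now indexes `filter_store[metric_name, filter_name]` without a membership check, so a `period_finished` invocation for a name that was never registered produces a runtime error instead of a diagnostic. Guard it: `if ( [metric_name, filter_name] !in filter_store ) { Reporter::warning(fmt("write_log: unknown metric filter %s/%s", metric_name, filter_name)); return; }`. Since the function is exported as a reusable callback, its definition also deserves a `##` comment stating that it writes one `Metrics::Info` record per index in `data` to `Metrics::LOG`; the body of `write_log` continues past the end of this hunk.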
@@ -409,7 +443,33 @@ function add_filter(id: string, filter: Filter) Reporter::warning(fmt("invalid Metric filter (%s): Filter with same name already exists.", filter$name)); return; } - + if ( filter?$rollup ) + { + if ( filter$rollup !in rollups ) + { + Reporter::warning(fmt("invalid Metric filter (%s): %s rollup doesn't exist.", filter$name, filter$rollup)); + return; + } + else + { + local every_field = 0secs; + for ( filt in rollups ) + { + if ( [id, filt] !in filter_store ) + next; + + if ( every_field == 0secs ) + every_field = filter_store[id, filt]$every; + else if ( every_field == filter_store[id, filt]$every ) + { + Reporter::warning(fmt("invalid Metric rollup for %s: Filters with differing $every fields applied to %s.", filter$name, filter$rollup)); + return; + } + } + } + add rollups[filter$rollup]$filters[filter]; + } + if ( ! filter?$id ) filter$id = id; @@ -419,8 +479,8 @@ function add_filter(id: string, filter: Filter) filter_store[id, filter$name] = filter; store[id, filter$name] = table(); - - schedule filter$every { Metrics::log_it(filter) }; + + schedule filter$every { Metrics::finish_period(filter) }; } function add_data(id: string, index: Index, data: DataPoint) @@ -513,11 +573,11 @@ function add_data(id: string, index: Index, data: DataPoint) result$var_s += (val - result$prev_avg)*(val - result$avg); } - if ( STD_DEV in filter$measure ) - { - #if ( result?$variance ) - # result$std_dev = sqrt(result$variance); - } + #if ( STD_DEV in filter$measure ) + # { + # #if ( result?$variance ) + # # result$std_dev = sqrt(result$variance); + # } if ( UNIQUE in filter$measure ) { 
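Review bot: The `$every` consistency check in `add_filter` cannot work as written: `for ( filt in rollups )` iterates over rollup names and then uses each name as a filter name in `filter_store[id, filt]`, and the comparison is inverted — it warns when two intervals are equal (`==`) and stays silent when they differ. It also never compares against the new filter's own `$every`, which is the value that matters, so the API doc's promise of an error for mismatched periods is not kept. Compare the incoming filter with each filter already registered to the rollup instead; the rewrite below replaces the whole `if ( filter?$rollup )` branch and leaves the rest of `add_filter` unchanged.
```bro
	if ( filter?$rollup )
		{
		if ( filter$rollup !in rollups )
			{
			Reporter::warning(fmt("invalid Metric filter (%s): %s rollup doesn't exist.", filter$name, filter$rollup));
			return;
			}

		# Every filter in a rollup must share one period, otherwise the
		# rollup callback would combine results from different windows.
		for ( other in rollups[filter$rollup]$filters )
			{
			if ( other$every != filter$every )
				{
				Reporter::warning(fmt("invalid Metric rollup for %s: Filters with differing $every fields applied to %s.", filter$name, filter$rollup));
				return;
				}
			}

		add rollups[filter$rollup]$filters[filter];
		}
	# … unchanged: filter$id default, filter_store/store registration, schedule …
```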
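Review bot: Commenting out the `STD_DEV` block leaves a doubly-commented dead fragment in `add_data` with no hint of where standard deviation is now produced. The test baselines in this same diff still show `result.std_dev` populated, so it is presumably derived from `$variance` in `do_calculated_fields`; if that is the case, delete the fragment and leave a single line, `# STD_DEV is derived from $variance in do_calculated_fields at period end, not here.` `add_data` starts and ends outside this hunk.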
@@ -530,8 +590,7 @@ function add_data(id: string, index: Index, data: DataPoint) } } -# This function checks if a threshold has been crossed and generates a -# notice if it has. It is also used as a method to implement +# This function checks if a threshold has been crossed. It is also used as a method to implement # mid-break-interval threshold crossing detection for cluster deployments. function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_pct: double): bool { @@ -570,7 +629,7 @@ function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_p return F; } - + function threshold_crossed(filter: Filter, index: Index, val: ResultVal) { if ( ! filter?$threshold_crossed ) @@ -586,3 +645,10 @@ function threshold_crossed(filter: Filter, index: Index, val: ResultVal) if ( filter?$threshold_series ) ++val$threshold_series_index; } + +function create_index_rollup(name: string, rollup: RollupCallback) + { + local r: Rollup = [$callback=rollup]; + r$filters=set(); + rollups[name] = r; + } diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro index a94370d776..b76ca3ea48 100644 --- a/scripts/base/frameworks/metrics/non-cluster.bro +++ b/scripts/base/frameworks/metrics/non-cluster.bro 
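Review bot: `create_index_rollup` silently overwrites an existing entry in `rollups`, discarding any filters already registered under that name, whereas `add_filter` rejects duplicate filter names with a warning. Mirror that check: `if ( name in rollups ) { Reporter::warning(fmt("Metric rollup %s already exists.", name)); return; }`. The two-step initialisation can be a single constructor, `rollups[name] = [$callback=rollup, $filters=set()];`, and the definition should carry a `##` comment matching the exported prototype.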
@@ -2,15 +2,31 @@ module Metrics; -event Metrics::log_it(filter: Filter) +event Metrics::finish_period(filter: Filter) { - local id = filter$id; - local name = filter$name; + local data = store[filter$id, filter$name]; + if ( filter?$rollup ) + { + for ( index in data ) + { + if ( index !in rollup_store ) + rollup_store[index] = table(); + rollup_store[index][filter$id, filter$name] = data[index]; + + # If all of the result vals are stored then the rollup callback can be executed. + if ( |rollup_store[index]| == |rollups[filter$rollup]$filters| ) + { + rollups[filter$rollup]$callback(index, rollup_store[index]); + } + } + } + + if ( filter?$period_finished ) + filter$period_finished(network_time(), filter$id, filter$name, data); - write_log(network_time(), filter, store[id, name]); reset(filter); - schedule filter$every { Metrics::log_it(filter) }; + schedule filter$every { Metrics::finish_period(filter) }; } diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro index e5c604a5b2..1271d6eb32 100644 --- a/scripts/policy/frameworks/metrics/conn-example.bro +++ b/scripts/policy/frameworks/metrics/conn-example.bro 
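Review bot: `rollup_store[index]` is never cleared after the rollup callback fires, so from the second period on the inner table already holds one entry per filter from the previous period: the `|rollup_store[index]| == |rollups[filter$rollup]$filters|` test is then satisfied on the first filter's `finish_period`, and the callback runs with that filter's fresh value paired with the other filters' stale ones, then again for each remaining filter. Indexes that stop appearing are also retained indefinitely. Add `delete rollup_store[index];` directly after the callback invocation, and consider `&create_expire` on `rollup_store` for indexes that never complete.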
@@ -7,11 +7,16 @@ event bro_init() { #Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]); - Metrics::add_filter("conns.originated", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]); + Metrics::add_filter("conns.originated", [$every=1mins, $measure=set(Metrics::SUM), + $aggregation_table=Site::local_nets_table, + $period_finished=Metrics::write_log]); # Site::local_nets must be defined in order for this to actually do anything. - Metrics::add_filter("conns.responded", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]); + Metrics::add_filter("conns.responded", [$every=1mins, $measure=set(Metrics::SUM), + $aggregation_table=Site::local_nets_table, + $period_finished=Metrics::write_log]); + } event connection_established(c: connection) diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro index 3c60f3c931..b3284580e8 100644 --- a/scripts/policy/frameworks/metrics/http-example.bro +++ b/scripts/policy/frameworks/metrics/http-example.bro 
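Review bot: The commented-out alternative on the first line of the hunk still uses `$break_interval`, the field this commit replaces with `$every`, so the example breaks as soon as someone uncomments it. Update it to `#Metrics::add_filter("conns.originated", [$every=1mins, $measure=set(Metrics::SUM), $aggregation_mask=24, $period_finished=Metrics::write_log]);`. The "Site::local_nets must be defined" comment applies to both filters but only precedes the second; move it above the first.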
@@ -8,15 +8,16 @@ event bro_init() { - # TODO: these are waiting on a fix with table vals + records before they will work. - #Metrics::add_filter(HTTP_REQUESTS_BY_HOST_HEADER, - # [$pred(index: Metrics::Index) = { return Site::is_local_addr(index$host); }, - # $aggregation_mask=24, - # $break_interval=1min]); + Metrics::add_filter("http.request.by_host_header", + [$every=1min, $measure=set(Metrics::SUM), + $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return T; return Site::is_local_addr(index$host); }, + $aggregation_mask=24, + $period_finished=Metrics::write_log]); # Site::local_nets must be defined in order for this to actually do anything. - Metrics::add_filter("http.request.by_status_code", [$aggregation_table=Site::local_nets_table, - $break_interval=1min]); + Metrics::add_filter("http.request.by_status_code", [$every=1min, $measure=set(Metrics::SUM), + $aggregation_table=Site::local_nets_table, + $period_finished=Metrics::write_log]); } event HTTP::log_http(rec: HTTP::Info) diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro index 64e63bc215..3b9b848edb 100644 --- a/scripts/policy/frameworks/metrics/ssl-example.bro +++ b/scripts/policy/frameworks/metrics/ssl-example.bro @@ -10,11 +10,10 @@ event bro_init() { Metrics::add_filter("ssl.by_servername", [$name="no-google-ssl-servers", + $every=10secs, $measure=set(Metrics::SUM), $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return (/google\.com$/ !in index$str); - }, - $break_interval=10secs - ]); + }]); } event SSL::log_ssl(rec: SSL::Info) diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index a89d0d8eb3..d88eb8fe6e 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro 
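Review bot: The predicate `{ return T; return Site::is_local_addr(index$host); }` returns on its first statement, so the locality test is unreachable and every Host header is counted, which contradicts the comment that `Site::local_nets` must be defined for the filter to do anything. If the early `return T;` is a debugging leftover, drop it: `$pred(index: Metrics::Index, data: Metrics::DataPoint) = { return Site::is_local_addr(index$host); },`. If unconditional counting is intended, remove the dead statement and the misleading comment instead.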
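Review bot: The exclusion pattern `/google\.com$/` is anchored only at the end, so any server name merely ending in `google.com` (e.g. `notgoogle.com`) is excluded as well. This same commit tightens the app-metrics patterns with a leading `\.`; the example should match, while still accepting the bare apex: `return (/(^|\.)google\.com$/ !in index$str);`. The filter would also benefit from a `##` line saying what `index$str` carries, since the `add_data` call that fills it is outside this hunk.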
@@ -1,49 +1,80 @@ @load base/protocols/http @load base/protocols/ssl - @load base/frameworks/metrics module AppMetrics; export { - ## The metric break interval for the default stats collected by this script. - const break_interval = 1hr &redef; + redef enum Log::ID += { LOG }; + + type Info: record { + ts: time &log; + app: string &log; + uniq_hosts: count &log; + hits: count &log; + bytes: count &log; + }; + + ## The frequency of logging the stats collected by this script. + const break_interval = 1min &redef; } +function app_metrics_rollup(index: Metrics::Index, vals: table[string, string] of Metrics::ResultVal) + { + local l: Info; + l$ts = network_time(); + for ( [metric_name, filter_name] in vals ) + { + local val = vals[metric_name, filter_name]; + l$app = index$str; + if ( metric_name == "apps.bytes" ) + l$bytes = double_to_count(floor(val$sum)); + else if ( metric_name == "apps.hits" ) + { + l$hits = val$num; + l$uniq_hosts = val$unique; + } + } + Log::write(LOG, l); + } + event bro_init() &priority=3 { - Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM)]); - Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::SUM, Metrics::UNIQUE)]); + Log::create_stream(AppMetrics::LOG, [$columns=Info]); + + Metrics::create_index_rollup("AppMetrics", app_metrics_rollup); + Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM), $period_finished=Metrics::write_log, $rollup="AppMetrics"]); + Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::UNIQUE), $rollup="AppMetrics"]); } function do_metric(id: conn_id, hostname: string, size: count) { - if ( /youtube/ in hostname && size > 512*1024 ) + if ( /youtube\.com$/ in hostname && size > 512*1024 ) { Metrics::add_data("apps.bytes", [$str="youtube"], [$num=size]); Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); } - else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 ) + else if ( 
/(\.facebook\.com|\.fbcdn\.net)$/ in hostname && size > 20 ) { Metrics::add_data("apps.bytes", [$str="facebook"], [$num=size]); Metrics::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); } - else if ( /google.com/ in hostname && size > 20 ) + else if ( /\.google\.com$/ in hostname && size > 20 ) { Metrics::add_data("apps.bytes", [$str="google"], [$num=size]); Metrics::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); } - else if ( /nflximg.com/ in hostname && size > 200*1024 ) + else if ( /nflximg\.com$/ in hostname && size > 200*1024 ) { Metrics::add_data("apps.bytes", [$str="netflix"], [$num=size]); Metrics::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); } - else if ( /pandora.com/ in hostname && size > 512*1024 ) + else if ( /\.(pandora|p-cdn)\.com$/ in hostname && size > 512*1024 ) { Metrics::add_data("apps.bytes", [$str="pandora"], [$num=size]); Metrics::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); } - else if ( /gmail.com/ in hostname && size > 20 ) + else if ( /gmail\.com$/ in hostname && size > 20 ) { Metrics::add_data("apps.bytes", [$str="gmail"], [$num=size]); Metrics::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); @@ -63,7 +94,7 @@ event ssl_established(c: connection) event connection_finished(c: connection) { if ( c?$resp_hostname ) - do_metric(c$id, c$resp_hostname, c$resp$num_bytes_ip); + do_metric(c$id, c$resp_hostname, c$resp$size); } event HTTP::log_http(rec: HTTP::Info) diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.bro index b2d23020f8..1f0726299d 100644 --- a/scripts/policy/misc/capture-loss.bro +++ b/scripts/policy/misc/capture-loss.bro @@ -8,7 +8,6 @@ ##! for a sequence number that's above a gap). @load base/frameworks/notice -@load base/frameworks/metrics module CaptureLoss; diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 5a8e3f7830..a0228a7955 100644 --- a/scripts/policy/misc/scan.bro 
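Review bot: The host classification in `do_metric` is inconsistent about anchoring: `facebook`, `google` and `pandora` now require a leading `\.`, but `/youtube\.com$/`, `/nflximg\.com$/` and `/gmail\.com$/` still match any hostname that merely ends in those strings (e.g. `myyoutube.com`), so traffic to an unrelated domain can be attributed to those apps. Anchor them the same way and allow the bare apex too: `/(^|\.)youtube\.com$/`, `/(^|\.)nflximg\.com$/`, `/(^|\.)gmail\.com$/` (the `(^|\.)` form also fixes `/\.google\.com$/`, which excludes `google.com` itself). `app_metrics_rollup` deserves a `##` comment stating that it expects the `apps.bytes` and `apps.hits` ResultVals for an index and writes one `AppMetrics::Info` per index, with fields for a missing metric left unset.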
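Review bot: Switching `connection_finished` from `c$resp$num_bytes_ip` to `c$resp$size` changes what `apps.bytes` measures for non-HTTP/SSL connections from IP-level bytes to responder payload bytes, but neither the `Info.bytes` field nor the commit message states the unit, and the `size >` thresholds in `do_metric` were presumably chosen against the old value. Add a `##` comment on `Info.bytes` naming the unit, and confirm the thresholds still make sense.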
+++ b/scripts/policy/misc/scan.bro @@ -43,6 +43,10 @@ export { ## Custom threholds based on service for address scan. This is primarily ## useful for setting reduced thresholds for specific ports. const addr_scan_custom_thresholds: table[port] of count &redef; + + global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); + + global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); } @@ -94,16 +98,14 @@ function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result event bro_init() &priority=5 { # Note: addr scans are trcked similar to: table[src_ip, port] of set(dst); - Metrics::add_filter("scan.addr.fail", [$log=F, - $every=addr_scan_interval, + Metrics::add_filter("scan.addr.fail", [$every=addr_scan_interval, $measure=set(Metrics::UNIQUE), $threshold_func=check_addr_scan_threshold, $threshold=addr_scan_threshold, $threshold_crossed=addr_scan_threshold_crossed]); # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port); - Metrics::add_filter("scan.port.fail", [$log=F, - $every=port_scan_interval, + Metrics::add_filter("scan.port.fail", [$every=port_scan_interval, $measure=set(Metrics::UNIQUE), $threshold=port_scan_threshold, $threshold_crossed=port_scan_threshold_crossed]); 
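Review bot: The two exported hooks have no `##` doc comments, and `global Scan::addr_scan_policy` inside `module Scan`'s export block carries a redundant module prefix. Document the contract a handler relies on: `## Hook to control whether a failed connection counts toward address-scan detection; a handler that calls break excludes it.` (and the equivalent for `port_scan_policy`), and declare them as `global addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);`.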
@@ -146,11 +148,11 @@ function add_metrics(id: conn_id, reverse: bool) #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) # return F; - # Probably do a hook point here? - Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); + if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) + Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); - # Probably do a hook point here? - Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); + if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) + Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } function is_failed_conn(c: connection): bool diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro index df58081163..fad2331f44 100644 --- a/scripts/policy/protocols/conn/conn-stats-per-host.bro +++ b/scripts/policy/protocols/conn/conn-stats-per-host.bro @@ -6,10 +6,12 @@ event bro_init() &priority=5 { Metrics::add_filter("conn.orig.data", [$every=5mins, - $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]); + $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), + $period_finished=Metrics::write_log]); Metrics::add_filter("conn.resp.data", [$every=5mins, - $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]); + $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), + $period_finished=Metrics::write_log]); } diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro index 0fb5fa2134..057e23e088 100644 --- a/scripts/policy/protocols/conn/metrics.bro +++ b/scripts/policy/protocols/conn/metrics.bro 
@@ -3,8 +3,10 @@ event bro_init() &priority=3 { - Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM)]); - Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM)]); + Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM), + $period_finished=Metrics::write_log]); + Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM), + $period_finished=Metrics::write_log]); } event connection_established(c: connection) &priority=3 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log index 98794673f1..bdc86c68bb 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-12-04-15-53-23 -#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string string addr subnet time time count double double double double double double count -1354636403.682565 3.000000 default test.metric - 6.5.4.3 - 1354636401.774655 1354636401.782720 2 6.0 1.0 5.0 3.0 4.0 2.0 - -1354636403.682565 3.000000 default test.metric - 1.2.3.4 - 1354636401.774655 1354636401.782720 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 - -1354636403.682565 3.000000 default test.metric - 7.2.1.5 - 1354636401.774655 1354636401.782720 2 145.0 54.0 91.0 72.5 342.25 18.5 - -#close 2012-12-04-15-53-23 +#open 2012-12-17-18-43-15 +#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string addr subnet time time count double double double double double double count +1355769795.365325 3.000000 test.metric - 6.5.4.3 - 1355769793.449322 1355769793.458467 2 6.0 1.0 5.0 3.0 4.0 2.0 2 +1355769795.365325 3.000000 test.metric - 1.2.3.4 - 1355769793.449322 1355769793.458467 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 8 +1355769795.365325 3.000000 test.metric - 7.2.1.5 - 1355769793.449322 1355769793.458467 2 145.0 54.0 91.0 72.5 342.25 18.5 2 +#close 2012-12-17-18-43-21 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log index 63bf7c95fb..51d892e8d5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path metrics -#open 2012-12-04-15-55-13 -#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string string addr subnet time time count double double double double double double count -1354636513.492214 3.000000 foo-bar test.metric - 6.5.4.3 - 1354636513.492214 1354636513.492214 1 2.0 2.0 2.0 2.0 0.0 0.0 - -1354636513.492214 3.000000 foo-bar test.metric - 1.2.3.4 - 1354636513.492214 1354636513.492214 5 221.0 5.0 94.0 44.2 915.36 30.254917 - -1354636513.492214 3.000000 foo-bar test.metric - 7.2.1.5 - 1354636513.492214 1354636513.492214 1 1.0 1.0 1.0 1.0 0.0 0.0 - -#close 2012-12-04-15-55-13 +#open 2012-12-17-18-43-45 +#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique +#types time interval string string addr subnet time time count double double double double double double count +1355769825.947161 3.000000 test.metric - 6.5.4.3 - 1355769825.947161 1355769825.947161 1 2.0 2.0 2.0 2.0 0.0 0.0 - +1355769825.947161 3.000000 test.metric - 1.2.3.4 - 1355769825.947161 1355769825.947161 5 221.0 5.0 94.0 44.2 915.36 30.254917 - +1355769825.947161 3.000000 test.metric - 7.2.1.5 - 1355769825.947161 1355769825.947161 1 1.0 1.0 1.0 1.0 0.0 0.0 - +#close 2012-12-17-18-43-45 diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro index 41ef9b57dc..c68a4f7beb 100644 --- a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro 
@@ -19,11 +19,23 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs; +global n = 0; + event bro_init() &priority=5 { Metrics::add_filter("test.metric", [$every=3secs, - $measure=set(Metrics::SUM, Metrics::MIN, Metrics::MAX, Metrics::AVG, Metrics::STD_DEV, Metrics::VARIANCE)]); + $measure=set(Metrics::SUM, Metrics::MIN, Metrics::MAX, Metrics::AVG, Metrics::STD_DEV, Metrics::VARIANCE, Metrics::UNIQUE), + $period_finished(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) = + { + Metrics::write_log(ts, metric_name, filter_name, data); + if ( ++n == 3 ) + { + terminate_communication(); + terminate(); + } + } + ]); } event remote_connection_closed(p: event_peer) @@ -64,22 +76,10 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) -global n = 0; global peer_count = 0; -event Metrics::log_metrics(rec: Metrics::Info) - { - ++n; - if ( n == 3 ) - { - terminate_communication(); - terminate(); - } - } - event remote_connection_handshake_done(p: event_peer) { - print p; ++peer_count; if ( peer_count == 3 ) event ready_for_data(); diff --git a/testing/btest/scripts/base/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro index 12163ed689..e665f2ea5c 100644 --- a/testing/btest/scripts/base/frameworks/metrics/basic.bro +++ b/testing/btest/scripts/base/frameworks/metrics/basic.bro @@ -6,7 +6,9 @@ event bro_init() &priority=5 Metrics::add_filter("test.metric", [$name="foo-bar", $every=3secs, - $measure=set(Metrics::SUM, Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV)]); + $measure=set(Metrics::SUM, Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), + $period_finished=Metrics::write_log]); + Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=5]); Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=22]); Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=94]); 
diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro index 3341fa1887..b16645dbe6 100644 --- a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro @@ -26,8 +26,7 @@ event bro_init() &priority=5 $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { print "A test metric threshold was crossed!"; terminate(); - } - ]); + }]); } event remote_connection_closed(p: event_peer) diff --git a/testing/btest/scripts/base/frameworks/metrics/thresholding.bro b/testing/btest/scripts/base/frameworks/metrics/thresholding.bro index bd0cd6faae..f39443fc2a 100644 --- a/testing/btest/scripts/base/frameworks/metrics/thresholding.bro +++ b/testing/btest/scripts/base/frameworks/metrics/thresholding.bro @@ -15,8 +15,7 @@ event bro_init() &priority=5 $threshold=5, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { print fmt("THRESHOLD: hit a threshold value at %.0f for %s", val$sum, Metrics::index2str(index)); - }, - $log=F]); + }]); Metrics::add_filter("test.metric", [$name="foobar2", @@ -25,8 +24,7 @@ event bro_init() &priority=5 $threshold_series=vector(3,6,800), $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", val$sum, Metrics::index2str(index)); - }, - $log=F]); + }]); Metrics::add_filter("test.metric", [$every=3secs, $measure=set(Metrics::SUM), @@ -36,8 +34,7 @@ event bro_init() &priority=5 }, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { print fmt("THRESHOLD_FUNC: hit a threshold function value at %.0f for %s", val$sum, Metrics::index2str(index)); - }, - $log=F]); + }]); Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=2]); 
From 7edef1f2c4d2e36008c3caa2f09d9ee3aa9a17ca Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Dec 2012 01:31:52 -0500 Subject: [PATCH 040/134] Disable the hook execution in the scan.bro script. It's not working like I expected. --- scripts/policy/misc/scan.bro | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index a0228a7955..1def14d07e 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -148,10 +148,12 @@ function add_metrics(id: conn_id, reverse: bool) #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) # return F; - if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) + # Hooks don't seem to be working like I expected. They'll have to wait a bit longer. + + #if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); - if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) + #if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } From f31de38c9b2a73dfb1200761626c4585eb15c688 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Dec 2012 01:44:46 -0500 Subject: [PATCH 041/134] Bug fix. --- scripts/base/frameworks/metrics/main.bro | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 534529e020..4803a521c7 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -324,7 +324,6 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal result$num = rv1$num + rv2$num; # Merge $sum - result$sum = rv1$sum + rv2$sum; if ( rv1?$sum || rv2?$sum ) { result$sum = rv1?$sum ? rv1$sum : 0; From ed36f376439a3f0e29b4e3ce0aa08c42293a4a91 Mon Sep 17 00:00:00 2001 
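Review bot: With the `if ( hook ... )` guards commented out, `Scan::addr_scan_policy` and `Scan::port_scan_policy` remain declared in the export block but are never invoked, so a user handler that `break`s to exclude traffic has no effect and nothing tells the operator. Either remove the hook declarations until they work, or mark them: `## NOTE: not yet honored; every failed connection is currently counted.` The leftover `# Hooks don't seem to be working like I expected.` is better replaced with a TODO naming what was observed, so the next person can reproduce it.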
From: Seth Hall Date: Tue, 18 Dec 2012 02:23:56 -0500 Subject: [PATCH 042/134] A few more small fixes. --- scripts/policy/misc/app-metrics.bro | 2 +- scripts/policy/misc/detect-traceroute/main.bro | 2 +- scripts/policy/protocols/http/detect-sqli.bro | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index d88eb8fe6e..f8e4ae2491 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro @@ -16,7 +16,7 @@ export { }; ## The frequency of logging the stats collected by this script. - const break_interval = 1min &redef; + const break_interval = 15mins &redef; } function app_metrics_rollup(index: Metrics::Index, vals: table[string, string] of Metrics::ResultVal) diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index 051d81c5c7..e62d370e45 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -34,7 +34,7 @@ export { ## Interval at which to watch for the ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed. ## At the end of each interval the counter is reset. - const icmp_time_exceeded_interval = 1min &redef; + const icmp_time_exceeded_interval = 3min &redef; ## The log record for the traceroute log. type Info: record { diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index 06f14219d1..21164bc126 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro @@ -74,7 +74,7 @@ event bro_init() &priority=3 $email_body_sections=vector(format_sqli_samples(val$samples)), $src=index$host, $identifier=cat(index$host)]); - }, $log=F]); + }]); Metrics::add_filter("http.sqli.victim", [$every=sqli_requests_interval, 
@@ -87,7 +87,7 @@ event bro_init() &priority=3 $email_body_sections=vector(format_sqli_samples(val$samples)), $src=index$host, $identifier=cat(index$host)]); - }, $log=F]); + }]); } event http_request(c: connection, method: string, original_URI: string, From 6e9e3a5e8860b6bf36ceb19a4b06e4a3447169e3 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Dec 2012 10:31:38 -0500 Subject: [PATCH 043/134] Small fixes. - Slight wording change in scan notices. - AppMetrics no longer writes to metrics.log. --- scripts/policy/misc/app-metrics.bro | 2 +- scripts/policy/misc/scan.bro | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index f8e4ae2491..0a4fc8b39f 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro @@ -43,7 +43,7 @@ event bro_init() &priority=3 Log::create_stream(AppMetrics::LOG, [$columns=Info]); Metrics::create_index_rollup("AppMetrics", app_metrics_rollup); - Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM), $period_finished=Metrics::write_log, $rollup="AppMetrics"]); + Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM), $rollup="AppMetrics"]); Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::UNIQUE), $rollup="AppMetrics"]); } diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 1def14d07e..1c13f8224b 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
@@ -71,7 +71,7 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result { local side = Site::is_local_addr(index$host) ? "local" : "remote"; local dur = duration_to_mins_secs(val$end-val$begin); - local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, dur); + local message=fmt("%s scanned at least %d unique hosts on port %s in %s", index$host, val$unique, index$str, dur); NOTICE([$note=Address_Scan, $src=index$host, @@ -85,7 +85,7 @@ function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result { local side = Site::is_local_addr(index$host) ? "local" : "remote"; local dur = duration_to_mins_secs(val$end-val$begin); - local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, dur); + local message = fmt("%s scanned at least %d unique ports of host %s in %s", index$host, val$unique, index$str, dur); NOTICE([$note=Port_Scan, $src=index$host, From 9c00ef3ccd7cba2721b888e229800a23eb82faa0 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Dec 2012 12:22:28 -0500 Subject: [PATCH 044/134] Doing some code reorganization and small changes to hopefully fix a memory issue. --- scripts/base/frameworks/metrics/cluster.bro | 45 ++++++++++----------- scripts/base/frameworks/metrics/main.bro | 7 +++- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 60342b327f..59abd1a606 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro 
@@ -49,29 +49,6 @@ export { global send_data: event(uid: string, id: string, filter_name: string, data: MetricTable); } -# This is maintained by managers so they can know what data they requested and -# when they requested it. -global requested_results: table[string] of time = table() &create_expire=5mins; - -# TODO: The next 4 variables make the assumption that a value never -# takes longer than 5 minutes to transmit from workers to manager. This needs to -# be tunable or self-tuning. These should also be restructured to be -# maintained within a single variable. - -# This variable is maintained by manager nodes as they collect and aggregate -# results. -global filter_results: table[string, string, string] of MetricTable &read_expire=1min; - -# This variable is maintained by manager nodes to track how many "dones" they -# collected per collection unique id. Once the number of results for a uid -# matches the number of peer nodes that results should be coming from, the -# result is written out and deleted from here. -# TODO: add an &expire_func in case not all results are received. -global done_with: table[string] of count &read_expire=1min &default=0; - -# This variable is maintained by managers to track intermediate responses as -# they are getting a global view for a certain index. -global index_requests: table[string, string, string, Index] of ResultVal &read_expire=1min; # This variable is maintained by all hosts for different purposes. Non-managers # maintain it to know what indexes they have recently sent as intermediate 
@@ -162,6 +139,26 @@ event Metrics::cluster_index_request(uid: string, id: string, filter_name: strin @if ( Cluster::local_node_type() == Cluster::MANAGER ) +# This variable is maintained by manager nodes as they collect and aggregate +# results. +global filter_results: table[string, string, string] of MetricTable &read_expire=1min; + +# This is maintained by managers so they can know what data they requested and +# when they requested it. +global requested_results: table[string] of time = table() &create_expire=5mins; + +# This variable is maintained by manager nodes to track how many "dones" they +# collected per collection unique id. Once the number of results for a uid +# matches the number of peer nodes that results should be coming from, the +# result is written out and deleted from here. +# TODO: add an &expire_func in case not all results are received. +global done_with: table[string] of count &read_expire=1min &default=0; + +# This variable is maintained by managers to track intermediate responses as +# they are getting a global view for a certain index. +global index_requests: table[string, string, string, Index] of ResultVal &read_expire=1min; + + # Manager's handle logging. event Metrics::finish_period(filter: Filter) { @@ -170,6 +167,8 @@ event Metrics::finish_period(filter: Filter) # Set some tracking variables. requested_results[uid] = network_time(); + if ( [uid, filter$id, filter$name] in filter_results ) + delete filter_results[uid, filter$id, filter$name]; filter_results[uid, filter$id, filter$name] = table(); # Request data from peers. diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 4803a521c7..0cfe96dfc6 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro 
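Review bot: The `# TODO: The next 4 variables make the assumption that a value never takes longer than 5 minutes to transmit from workers to manager...` paragraph is dropped when `requested_results`, `filter_results`, `done_with` and `index_requests` move under the `Cluster::MANAGER` section, yet the `&create_expire=5mins` and `&read_expire=1min` attributes it qualifies are re-added unchanged; keep that TODO above the moved declarations so the tunable-timeout caveat survives. The new `if ( [uid, filter$id, filter$name] in filter_results ) delete filter_results[uid, filter$id, filter$name];` in `Metrics::finish_period` precedes an assignment that overwrites the same entry, so its purpose is not evident from the code; a one-line comment recording why the explicit delete is needed (the commit message only says it hopefully addresses a memory issue) would stop a later cleanup from removing it. The same unexplained delete-then-assign is added to `reset()` in main.bro in this commit. `finish_period`'s body continues outside the hunk.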
@@ -227,7 +227,7 @@ export { } redef record Filter += { - # The metric that this filter applies to. The value is automatically set. + # Internal use only. The metric that this filter applies to. The value is automatically set. id: string &optional; }; @@ -263,7 +263,7 @@ global metric_filters: table[string] of vector of Filter = table(); global filter_store: table[string, string] of Filter = table(); # This is indexed by metric id and filter name. -global store: table[string, string] of MetricTable = table() &default=table(); +global store: table[string, string] of MetricTable = table(); # This is a hook for watching thresholds being crossed. It is called whenever # index values are updated and the new val is given as the `val` argument. @@ -427,6 +427,9 @@ function write_log(ts: time, metric_name: string, filter_name: string, data: Met function reset(filter: Filter) { + if ( [filter$id, filter$name] in store ) + delete store[filter$id, filter$name]; + store[filter$id, filter$name] = table(); } From 50827d8df0e6e34eda1e1465a7e4c535bc5c047e Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Dec 2012 23:17:27 -0500 Subject: [PATCH 045/134] Implement an option to disable intermediate updates for the metrics framework. - There are some large sites having trouble and I'm thinking it might be overload from intermediate updates. --- scripts/base/frameworks/metrics/cluster.bro | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 59abd1a606..f14f3b1518 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro 
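Review bot: Removing `&default=table()` from `store` turns a lookup of an absent `[id, name]` key from an empty-table result into a runtime error, so every read of `store[...]` now needs a preceding `[id, filter_name] in store` test; none of those readers are in this hunk, so please check them, and a comment on the declaration such as `# No &default: callers must test membership before indexing.` would make the new contract explicit. The `if ( [filter$id, filter$name] in store ) delete store[filter$id, filter$name];` added to `reset()` immediately precedes an assignment to the same key; if the explicit delete is what addresses the memory issue named in the commit message, say so in a comment, otherwise it reads as redundant.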
@@ -22,6 +22,11 @@ export { ## recently. const cluster_request_global_view_percent = 0.1 &redef; + ## Intermediate updates can cause overload situations on very large clusters. + ## This option may help reduce load and correct intermittent problems. + ## The goal for this option is also meant to be temporary. + const enable_intermediate_updates = T &redef; + # Event sent by the manager in a cluster to initiate the # collection of metrics values for a filter. global cluster_filter_request: event(uid: string, id: string, filter_name: string); @@ -77,7 +82,8 @@ function data_added(filter: Filter, index: Index, val: ResultVal) # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that # crosses the full threshold then it's a candidate to send as an # intermediate update. - if ( check_thresholds(filter, index, val, cluster_request_global_view_percent) ) + if ( enable_intermediate_updates && + check_thresholds(filter, index, val, cluster_request_global_view_percent) ) { # kick off intermediate update event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index); From c3a6916572436cffd4fc0e63bbdb8bcea584cd69 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 4 Jan 2013 16:54:13 -0500 Subject: [PATCH 046/134] More cluster tuning for the metrics framework. - Fixed several state maintenance issues for intermediate updates. - Added a new tuning variable Metrics::max_outstanding_global_views which limits the number of in-flight intermediate updates per metric filter. - Changed the default global view threshold percent to 20% (up from 10%) --- scripts/base/frameworks/metrics/cluster.bro | 60 +++++++++++++-------- 1 file changed, 39 insertions(+), 21 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index f14f3b1518..01e127e4bf 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro 
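Review bot: The doc comment on `enable_intermediate_updates` should state the operational consequence of setting it to F: with intermediate updates off, a worker's threshold crossing is only examined when the filter's break interval ends, so detection latency grows to up to one `$every` period. Suggest replacing the last two `##` sentences with `## Disabling this reduces manager/worker load but delays threshold detection until the next break interval; it is intended as a temporary workaround.`. The `if ( enable_intermediate_updates && check_thresholds(filter, index, val, cluster_request_global_view_percent) )` change in `data_added` is fine as is; that function's body continues outside the hunk.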
@@ -20,7 +20,13 @@ export { ## requirement that the manager requests a global view for the index ## since it may opt not to if it requested a global view for the index ## recently. - const cluster_request_global_view_percent = 0.1 &redef; + const cluster_request_global_view_percent = 0.2 &redef; + + ## This is to deal with intermediate update overload. A manager will only allow + ## this many intermediate update requests to the workers to be inflight at + ## any given time. Requested intermediate updates are currently thrown out + ## and not performed. In practice this should hopefully have a minimal effect. + const max_outstanding_global_views = 10 &redef; ## Intermediate updates can cause overload situations on very large clusters. ## This option may help reduce load and correct intermittent problems. 
@@ -55,21 +61,17 @@ export { } -# This variable is maintained by all hosts for different purposes. Non-managers -# maintain it to know what indexes they have recently sent as intermediate -# updates so they don't overwhelm their manager. Managers maintain it so they -# don't overwhelm workers with intermediate index requests. The count that is -# yielded is the number of times the percentage threshold has been crossed and -# an intermediate result has been received. The manager may optionally request -# the index again before data expires from here if too many workers are crossing -# the percentage threshold (not implemented yet!). -global recent_global_view_indexes: table[string, string, Index] of count &create_expire=1min &default=0; - # Add events to the cluster framework to make this work. redef Cluster::manager2worker_events += /Metrics::cluster_(filter_request|index_request)/; redef Cluster::worker2manager_events += /Metrics::cluster_(filter_response|index_response|index_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) +# This variable is maintained to know what indexes they have recently sent as +# intermediate updates so they don't overwhelm their manager. The count that is +# yielded is the number of times the percentage threshold has been crossed and +# an intermediate result has been received. +global recent_global_view_indexes: table[string, string, Index] of count &create_expire=1min &default=0; + # This is done on all non-manager node types in the event that a metric is # being collected somewhere other than a worker. function data_added(filter: Filter, index: Index, val: ResultVal) 
@@ -134,9 +136,14 @@ event Metrics::cluster_index_request(uid: string, id: string, filter_name: strin { if ( [id, filter_name] in store && index in store[id, filter_name] ) { - local data = store[id, filter_name][index]; #print fmt("WORKER %s: received the cluster_index_request event for %s=%s.", Cluster::node, index2str(index), data); - event Metrics::cluster_index_response(uid, id, filter_name, index, data); + event Metrics::cluster_index_response(uid, id, filter_name, index, store[id, filter_name][index]); + } + else + { + # We need to send an empty response if we don't have the data so that the manager + # can know that it heard back from all of the workers. + event Metrics::cluster_index_response(uid, id, filter_name, index, [$begin=network_time(), $end=network_time()]); } } @@ -164,8 +171,12 @@ global done_with: table[string] of count &read_expire=1min &default=0; # they are getting a global view for a certain index. global index_requests: table[string, string, string, Index] of ResultVal &read_expire=1min; +# This variable is maintained by managers to prevent overwhelming communication due +# to too many intermediate updates. Each metric filter is tracked separately so that +# one metric won't overwhelm and degrade other quieter metrics. +global outstanding_global_views: table[string, string] of count; -# Manager's handle logging. +# Managers handle logging. event Metrics::finish_period(filter: Filter) { #print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id); 
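Review bot: The commented-out debug line `#print fmt("WORKER %s: received the cluster_index_request event for %s=%s.", Cluster::node, index2str(index), data);` still references `data`, the local this hunk removes, so it no longer matches the code; drop it or rewrite it against `store[id, filter_name][index]`. The new `else` branch sends `[$begin=network_time(), $end=network_time()]` so the manager can count the worker as done, and the manager side distinguishes it by `val$num > 0`; that presumes `ResultVal$num` defaults to 0, which is not visible in this diff, so the comment should state it, e.g. `# num stays at its default of 0 so the manager treats this as "no data" and only counts the reply.`. The enclosing `cluster_index_request` handler begins outside the hunk.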
@@ -194,26 +205,28 @@ function data_added(filter: Filter, index: Index, val: ResultVal) event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) { #print fmt("%0.6f MANAGER: receiving index data from %s - %s=%s", network_time(), get_event_peer()$descr, index2str(index), val); - if ( [uid, id, filter_name, index] in index_requests ) + + # We only want to try and do a value merge if there are actually measured datapoints + # in the ResultVal. + if ( val$num > 0 && [uid, id, filter_name, index] in index_requests ) index_requests[uid, id, filter_name, index] = merge_result_vals(index_requests[uid, id, filter_name, index], val); else index_requests[uid, id, filter_name, index] = val; - local ir = index_requests[uid, id, filter_name, index]; - # Mark that this worker is done. ++done_with[uid]; #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); - if ( Cluster::worker_count == done_with[uid] ) { + local ir = index_requests[uid, id, filter_name, index]; if ( check_thresholds(filter_store[id, filter_name], index, ir, 1.0) ) { threshold_crossed(filter_store[id, filter_name], index, ir); } delete done_with[uid]; delete index_requests[uid, id, filter_name, index]; + --outstanding_global_views[id, filter_name]; } } 
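Review bot: In `Metrics::cluster_index_response`, a reply with `val$num == 0` (the empty ResultVal a worker now sends when it has no data, assuming `num` defaults to 0) takes the `else` branch and overwrites `index_requests[uid, id, filter_name, index]`, discarding what was already merged from other workers whenever such a reply arrives after a real one; only the first reply for a uid should be assigned and later empty ones ignored. This matters for detection, because the global view that `check_thresholds(filter_store[id, filter_name], index, ir, 1.0)` evaluates once `done_with[uid]` reaches `Cluster::worker_count` is then missing data and a genuine crossing can be missed. Suggested branch structure:
```bro
	# Keep whatever has already been merged for this uid; an empty worker
	# reply (num == 0) must not replace it.
	if ( [uid, id, filter_name, index] !in index_requests )
		index_requests[uid, id, filter_name, index] = val;
	else if ( val$num > 0 )
		index_requests[uid, id, filter_name, index] = merge_result_vals(index_requests[uid, id, filter_name, index], val);
	# … unchanged: done_with accounting and threshold check …
```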
@@ -223,11 +236,16 @@ event Metrics::cluster_index_intermediate_response(id: string, filter_name: stri #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting index data for %s", index2str(index)); - # If a worker recently sent this as an intermediate update, don't request it. - if ( [id, filter_name, index] in recent_global_view_indexes ) + if ( [id, filter_name] in outstanding_global_views && + |outstanding_global_views[id, filter_name]| > max_outstanding_global_views ) + { + # Don't do this intermediate update. Perhaps at some point in the future + # we will queue and randomly select from these ignored intermediate + # update requests. return; + } - ++recent_global_view_indexes[id, filter_name, index]; + ++outstanding_global_views[id, filter_name]; local uid = unique_id(""); event Metrics::cluster_index_request(uid, id, filter_name, index); From ab7087f95337d5b072a0998aff770137cec5dfc2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 4 Jan 2013 21:01:49 -0500 Subject: [PATCH 047/134] Hooks work now, enabling the hooks in the scan.bro script. --- scripts/policy/misc/scan.bro | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 1c13f8224b..4f19f29eb8 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
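Review bot: The gate `|outstanding_global_views[id, filter_name]| > max_outstanding_global_views` admits one more in-flight request than the cap the `##` doc promises (`A manager will only allow this many ... to be inflight`): with the `++outstanding_global_views[id, filter_name]` that follows, the count reaches max+1 before requests are refused, so the comparison should be `>=`. The `| |` around a `count` is a no-op and reads as if the table held a container; `outstanding_global_views[id, filter_name] >= max_outstanding_global_views` says what is meant. Refused requests are silent, and each one means a possible threshold crossing is not examined until the break interval, so a throttled `Reporter::warning` or a counter operators can inspect would make that degradation visible. The handler's body continues outside the hunk.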
@@ -147,13 +147,11 @@ function add_metrics(id: conn_id, reverse: bool) ## Blacklisting/whitelisting subnets #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) # return F; - - # Hooks don't seem to be working like I expected. They'll have to wait a bit longer. - #if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) + if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); - #if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) + if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); } From 9e1d5d87de38a847afb4cf7885378d5df80ce3e2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 4 Jan 2013 23:34:57 -0500 Subject: [PATCH 048/134] New script to detect FTP bruteforcing. - Created a new time utils library. --- scripts/base/init-default.bro | 1 + scripts/base/utils/time.bro | 9 ++++ scripts/policy/misc/scan.bro | 8 +-- .../protocols/ftp/detect-bruteforcing.bro | 53 +++++++++++++++++++ 4 files changed, 65 insertions(+), 6 deletions(-) create mode 100644 scripts/base/utils/time.bro create mode 100644 scripts/policy/protocols/ftp/detect-bruteforcing.bro diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 563f8af0bc..35e78531fc 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -15,6 +15,7 @@ @load base/utils/queue @load base/utils/strings @load base/utils/thresholds +@load base/utils/time @load base/utils/urls # This has some deep interplay between types and BiFs so it's diff --git a/scripts/base/utils/time.bro b/scripts/base/utils/time.bro new file mode 100644 index 0000000000..abae46c144 --- /dev/null +++ b/scripts/base/utils/time.bro 
@@ -0,0 +1,9 @@ + +## Given an interval, returns a string of the form 3m34s to +## give a minimalized human readable string for the minutes +## and seconds represented by the interval. +function duration_to_mins_secs(dur: interval): string + { + local dur_count = double_to_count(interval_to_double(dur)); + return fmt("%dm%ds", dur_count/60, dur_count%60); + } diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 4f19f29eb8..7f5f43dbd9 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -7,6 +7,8 @@ @load base/frameworks/notice @load base/frameworks/metrics +@load base/utils/time + module Scan; export { @@ -61,12 +63,6 @@ function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVa val$sum > addr_scan_custom_thresholds[service] ); } -function duration_to_mins_secs(dur: interval): string - { - local dur_count = double_to_count(interval_to_double(dur)); - return fmt("%dm%ds", dur_count/60, dur_count%60); - } - function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) { local side = Site::is_local_addr(index$host) ? "local" : "remote"; diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro new file mode 100644 index 0000000000..9206882071 --- /dev/null +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro 
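Review bot: `duration_to_mins_secs` converts its argument with `double_to_count(interval_to_double(dur))` and nothing rejects a negative interval; its callers pass `val$end-val$begin`, and what `double_to_count` does with a negative double is not established here, so either clamp with `if ( dur < 0secs ) dur = 0secs;` before the conversion or add a `##` line stating that the argument must be non-negative. The doc could also say that hours are not folded out (a two-hour interval renders as `120m0s`), which is what `dur_count/60` produces and is fine as long as it is stated.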
@@ -0,0 +1,53 @@ + +@load base/protocols/ftp +@load base/frameworks/metrics + +@load base/utils/time + +module FTP; + +export { + redef enum Notice::Type += { + ## Indicates a host bruteforcing FTP logins by watching for too many + ## rejected usernames or failed passwords. + Bruteforcing + }; + + ## How many rejected usernames or passwords are required before being + ## considered to be bruteforcing. + const bruteforce_threshold = 2 &redef; +} + + +event bro_init() + { + Metrics::add_filter("ftp.failed_auth", [$every=15min, + $measure=set(Metrics::SUM, Metrics::UNIQUE), + $threshold_func(index: Metrics::Index, val: Metrics::ResultVal) = + { + return val$num >= bruteforce_threshold; + }, + $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = + { + print "booyah"; + local dur = duration_to_mins_secs(val$end-val$begin); + local message = fmt("%s had %d failed logins on %d FTP servers in %s", index$host, val$num, val$unique, dur); + NOTICE([$note=FTP::Bruteforcing, + $src=index$host, + $msg=message, + $identifier=cat(index$host)]); + }]); + } + +event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) + { + local cmd = c$ftp$cmdarg$cmd; + if ( cmd == "USER" || cmd == "PASS" ) + { + if ( FTP::parse_ftp_reply_code(code)$x == 5 ) + { + print "yep"; + Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$host=c$id$resp_h]); + } + } + } \ No newline at end of file From 283f7840b358cc78ea7254bc9001f380dd3fe014 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 4 Jan 2013 23:38:10 -0500 Subject: [PATCH 049/134] Removing some debugging print statements I accidently left behind. --- scripts/policy/protocols/ftp/detect-bruteforcing.bro | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index 9206882071..69ef4d9c65 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro 
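Review bot: `ftp_reply` reads `c$ftp$cmdarg$cmd` unconditionally; if `cmdarg` is an `&optional` field of the FTP `Info` record (its definition is not in this diff), a reply with no pending command, such as the initial banner, raises a runtime error on that access, so guard it with `if ( ! c?$ftp || ! c$ftp?$cmdarg ) return;` at the top of the handler. The handler also ignores `cont_resp`; if that flag marks continuation lines of a multi-line reply, every line of a multi-line 5yz reply to USER or PASS is counted as a separate failure and inflates `val$num` toward `bruteforce_threshold`, so `if ( cont_resp ) return;` is worth adding next to that guard. A comment on the `FTP::parse_ftp_reply_code(code)$x == 5` test saying that any 5yz reply to USER/PASS is treated as an authentication failure would document the detection rule for whoever tunes it.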
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro @@ -29,7 +29,6 @@ event bro_init() }, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - print "booyah"; local dur = duration_to_mins_secs(val$end-val$begin); local message = fmt("%s had %d failed logins on %d FTP servers in %s", index$host, val$num, val$unique, dur); NOTICE([$note=FTP::Bruteforcing, @@ -45,9 +44,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) if ( cmd == "USER" || cmd == "PASS" ) { if ( FTP::parse_ftp_reply_code(code)$x == 5 ) - { - print "yep"; Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$host=c$id$resp_h]); - } } } \ No newline at end of file From 9366411cf407dfe5b769565c677e36dfc1f7f493 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 4 Jan 2013 23:49:09 -0500 Subject: [PATCH 050/134] Fix the FTP bruteforce threshold to what it's really supposed to be. --- scripts/policy/protocols/ftp/detect-bruteforcing.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index 69ef4d9c65..76053f7f5c 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro @@ -15,7 +15,7 @@ export { ## How many rejected usernames or passwords are required before being ## considered to be bruteforcing. - const bruteforce_threshold = 2 &redef; + const bruteforce_threshold = 20 &redef; } From bcd7fe114d9e22007b0f2bc3eab9fdc5efa4f066 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 5 Jan 2013 22:27:17 -0500 Subject: [PATCH 051/134] Fixed an issue causing reporter messages from the metrics framework. --- scripts/base/frameworks/metrics/cluster.bro | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 01e127e4bf..721f2a212e 100644 
--- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -174,7 +174,7 @@ global index_requests: table[string, string, string, Index] of ResultVal &read_e # This variable is maintained by managers to prevent overwhelming communication due # to too many intermediate updates. Each metric filter is tracked separately so that # one metric won't overwhelm and degrade other quieter metrics. -global outstanding_global_views: table[string, string] of count; +global outstanding_global_views: table[string, string] of count &default=0; # Managers handle logging. event Metrics::finish_period(filter: Filter) @@ -226,7 +226,9 @@ event Metrics::cluster_index_response(uid: string, id: string, filter_name: stri } delete done_with[uid]; delete index_requests[uid, id, filter_name, index]; - --outstanding_global_views[id, filter_name]; + # Check that there is an outstanding view before subtracting. + if ( outstanding_global_views[id, filter_name] > 0 ) + --outstanding_global_views[id, filter_name]; } } From 720089c03f2ce058e426ac1ee8c4f1b65c31ac48 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 5 Jan 2013 22:37:19 -0500 Subject: [PATCH 052/134] Add a feature to better select the value threshold will apply to in the metrics framework. - The feature was primarily added to allow the value to be modified for cluster based intermediate threshold checks without requiring the user to write the metrics filter differently for cluster consideration. It's also a nice way to calculate some related information to the metric without accidently applying thresholds to that value. - Fixed a few small bugs in ftp detect-bruteforcing script and adapted it to the new threshold value selection feature. --- scripts/base/frameworks/metrics/main.bro | 9 +++++++++ .../policy/protocols/ftp/detect-bruteforcing.bro | 16 +++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) 
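Review bot: The new `if ( outstanding_global_views[id, filter_name] > 0 )` guard stops the counter from going below zero but not the opposite drift: the decrement only runs inside the `Cluster::worker_count == done_with[uid]` branch of `cluster_index_response`, while `done_with` and `index_requests` are `&read_expire=1min`, so a request for which one worker never answers leaves `outstanding_global_views[id, filter_name]` permanently one higher, and the table itself has no expiry. Once `max_outstanding_global_views` such losses accumulate for a filter, the gate in `cluster_index_intermediate_response` refuses every further intermediate update for it and threshold detection for that metric silently falls back to the break interval. An `&expire_func` on `index_requests` (or `done_with`) that decrements the counter for the expiring uid would close this; failing that, a comment such as `# NOTE: decremented only on completion; lost worker replies leave this elevated.` should record the asymmetry. The handler's body begins outside the hunk.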
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 0cfe96dfc6..9b167d200f 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -149,6 +149,12 @@ export { ## This is a special case of the normalize_func. aggregation_mask: count &optional; + ## Optionally provide a function to calculate a value from the ResultVal + ## structure which will be used for thresholding. If no function is + ## provided, then in the following order of preference either the + ## $unique or the $sum fields will be used. + threshold_val_func: function(val: Metrics::ResultVal): count &optional; + ## A direct threshold for calling the $threshold_crossed function when ## the SUM is greater than or equal to this value. threshold: count &optional; @@ -602,6 +608,9 @@ function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_p else if ( val?$sum ) watch = val$sum; + if ( filter?$threshold_val_func ) + watch = filter$threshold_val_func(val); + if ( modify_pct < 1.0 && modify_pct > 0.0 ) watch = watch/modify_pct; diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index 76053f7f5c..11d6ec71a1 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro 
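Review bot: In `check_thresholds`, the `threshold_val_func` override is applied after `watch` has already been derived from the `$unique`/`$sum` chain, so that selection is computed and then discarded; placing `if ( filter?$threshold_val_func ) watch = filter$threshold_val_func(val);` first and making the unique/sum chain its `else` branch expresses the precedence the field doc describes. Only the `else if ( val?$sum )` arm is visible here; the `$unique` arm and the rest of `check_thresholds` lie outside the hunk. The `##` doc on `threshold_val_func` should also mention that the returned value is subsequently scaled by `watch = watch/modify_pct` for cluster intermediate checks, since authors of such functions need to know their result is compared against the threshold after that adjustment.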
@@ -16,17 +16,19 @@ export { ## How many rejected usernames or passwords are required before being ## considered to be bruteforcing. const bruteforce_threshold = 20 &redef; + + ## The time period in which the threshold needs to be crossed before + ## being reset. + const bruteforce_measurement_interval = 15mins; } event bro_init() { - Metrics::add_filter("ftp.failed_auth", [$every=15min, - $measure=set(Metrics::SUM, Metrics::UNIQUE), - $threshold_func(index: Metrics::Index, val: Metrics::ResultVal) = - { - return val$num >= bruteforce_threshold; - }, + Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval, + $measure=set(Metrics::UNIQUE), + $threshold_val_func(val: Metrics::ResultVal) = { return val$num; }, + $threshold=bruteforce_threshold, $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { local dur = duration_to_mins_secs(val$end-val$begin); @@ -44,6 +46,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) if ( cmd == "USER" || cmd == "PASS" ) { if ( FTP::parse_ftp_reply_code(code)$x == 5 ) - Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$host=c$id$resp_h]); + Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); } } \ No newline at end of file From 96aa8776d3b4a5127831c8b2270671864759b52d Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sun, 13 Jan 2013 19:32:12 -0800 Subject: [PATCH 053/134] make it compile with new version of AsciiInputOutput --- src/input/readers/SQLite.cc | 2 +- src/input/readers/SQLite.h | 2 +- src/logging/writers/SQLite.cc | 2 +- src/logging/writers/SQLite.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index 20559f5664..e6192645e1 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc 
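Review bot: `bruteforce_measurement_interval = 15mins;` is declared without `&redef`, unlike `bruteforce_threshold` directly above it, so sites cannot tune the window the `##` comment describes; use `const bruteforce_measurement_interval = 15mins &redef;`. The `$threshold_val_func` returns `val$num` while `$measure` is now `set(Metrics::UNIQUE)` without `Metrics::SUM`; whether `num` is still maintained when only UNIQUE is measured is not visible here, so a short comment on the filter stating that `num` counts `add_data` calls independent of `$measure` (if that is the contract) would keep a future reader from "fixing" the measure set. The `$threshold_crossed` body continues outside the hunk.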
@@ -23,7 +23,7 @@ using threading::Field; SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend) { - io = new AsciiInputOutput(this); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo()); } SQLite::~SQLite() diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 1ba528643b..38fdddf3aa 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -12,7 +12,7 @@ #include #include "../ReaderBackend.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" #include "sqlite3.h" diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index 3157c3f0fc..dca1d851b5 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -39,7 +39,7 @@ SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) db = 0; - io = new AsciiInputOutput(this, set_separator, unset_field); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field)); } SQLite::~SQLite() diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index f74c2259a5..2300144063 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -12,7 +12,7 @@ #include "../WriterBackend.h" #include "sqlite3.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" namespace logging { namespace writer { From d843297a97b048419510d3c497e549dfa4ea7ced Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 15 Jan 2013 11:48:47 -0800 Subject: [PATCH 054/134] make sqlite-writer more stable. This actually looks quite good... --- src/logging/writers/SQLite.cc | 69 +++++++++++++++-------------------- 1 file changed, 30 insertions(+), 39 deletions(-) diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index dca1d851b5..fd8900851b 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc 
@@ -1,20 +1,16 @@ // See the file "COPYING" in the main distribution directory for copyright. - - #include "config.h" #ifdef USE_SQLITE #include #include +#include #include "../../NetVar.h" - #include "../../threading/SerialTypes.h" -#include - #include "SQLite.h" using namespace logging; @@ -24,19 +20,16 @@ using threading::Field; SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) { - set_separator.assign( (const char*) BifConst::LogSQLite::set_separator->Bytes(), BifConst::LogAscii::set_separator->Len() ); - unset_field.assign( (const char*) BifConst::LogSQLite::unset_field->Bytes(), BifConst::LogAscii::unset_field->Len() ); - db = 0; io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field)); @@ -54,11 +47,9 @@ SQLite::~SQLite() } string SQLite::GetTableType(int arg_type, int arg_subtype) { - string type; switch ( arg_type ) { - case TYPE_BOOL: type = "boolean"; break; @@ -66,16 +57,10 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { case TYPE_INT: case TYPE_COUNT: case TYPE_COUNTER: - case TYPE_PORT: + case TYPE_PORT: // note that we do not save the protocol at the moment. Just like in the case of the ascii-writer type = "integer"; break; - /* - case TYPE_PORT: - type = "VARCHAR(10)"; - break; -*/ - case TYPE_SUBNET: case TYPE_ADDR: type = "text"; // sqlite3 does not have a type for internet addresses 
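Review bot: The `default:` arm of `GetTableType` returns `""` after `Error(...)`, and the new comment `// not the cleanest way to abort. But sqlite will complain on create table...` assumes an empty type string makes the CREATE TABLE fail; SQLite accepts a column definition with no type name, so unless `Error()` itself disables the writer the statement is likely to succeed and the unsupported field is written into an untyped column. `DoInit` should treat an empty result as a failure, e.g. `if ( type.empty() ) return false;` right after the `GetTableType(field->type, field->subtype)` call, rather than relying on the database to reject it. The constructor hunk appears to remove the `set_separator.assign(...)` and `unset_field.assign(...)` lines while the retained `io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field));` still passes both members; if nothing else initializes them (not visible here), sets are rendered with an empty separator and unset fields as an empty string, indistinguishable from a genuine empty value. The collapsed rendering makes it hard to be certain which of those lines are removed, so please confirm.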
@@ -96,19 +81,18 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { case TYPE_TABLE: case TYPE_VECTOR: - type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string I guess. - //type = GetTableType(arg_subtype, 0) + "[]"; + type = "text"; // dirty - but sqlite does not directly support arrays. so - we just roll it into a ","-separated string. break; default: Error(Fmt("unsupported field format %d ", arg_type)); - return ""; + return ""; // not the cleanest way to abort. But sqlite will complain on create table... } return type; } - +// returns true true in case of error bool SQLite::checkError( int code ) { if ( code != SQLITE_OK && code != SQLITE_DONE ) @@ -123,7 +107,11 @@ bool SQLite::checkError( int code ) bool SQLite::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) { - + if ( sqlite3_threadsafe() == 0 ) { + Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); + return false; + } + string fullpath(info.path); fullpath.append(".sqlite"); string dbname; @@ -157,9 +145,15 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, if ( i != 0 ) create += ",\n"; - string fieldname = fields[i]->name; - replace( fieldname.begin(), fieldname.end(), '.', '_' ); // sqlite does not like "." in row names. + // sadly sqlite3 has no other method for escaping stuff. That I know of. + char* fieldname = sqlite3_mprintf("%Q", fields[i]->name); + if ( fieldname == 0 ) + { + InternalError("Could not malloc memory"); + return false; + } create += fieldname; + sqlite3_free(fieldname); string type = GetTableType(field->type, field->subtype); 
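Review bot: `sqlite3_mprintf("%Q", fields[i]->name)` yields a single-quoted SQL string literal (`'name'`), which SQLite tolerates in a column-definition position only through its compatibility rule for quoted tokens; the documented form for an identifier is `%w` inside double quotes, i.e. `sqlite3_mprintf("\"%w\"", fields[i]->name)`, and the same applies to the INSERT column list built in the next hunk. The comment `// sadly sqlite3 has no other method for escaping stuff. That I know of.` can then become `// Quote the column name as an identifier so dots and reserved words in field names are safe.`. The `sqlite3_threadsafe() == 0` check is a good addition; it reports the library's compile-time mutex support, which the error text could say so operators know a rebuild rather than a configuration change is needed. `DoInit`'s body continues outside the hunk.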
@@ -167,19 +161,15 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, /* if ( !field->optional ) { create += " NOT NULL"; } */ - } create += "\n);"; - //printf("Create: %s\n", create.c_str()); - { char *errorMsg = 0; int res = sqlite3_exec(db, create.c_str(), NULL, NULL, &errorMsg); if ( res != SQLITE_OK ) { - //printf("Error executing table creation statement: %s", errorMsg); Error(Fmt("Error executing table creation statement: %s", errorMsg)); sqlite3_free(errorMsg); return false; @@ -206,16 +196,20 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, insert += "?"; - string fieldname = fields[i]->name; - replace( fieldname.begin(), fieldname.end(), '.', '_' ); // sqlite does not like "." in row names. - names += fieldname; - + char* fieldname = sqlite3_mprintf("%Q", fields[i]->name); + printf("Fieldname: %s\n", fieldname); + if ( fieldname == 0 ) + { + InternalError("Could not malloc memory"); + return false; + } + names.append(fieldname); + sqlite3_free(fieldname); } insert += ");"; names += ") "; insert = names + insert; - //printf("Prepared insert: %s\n\n", insert.c_str()); if ( checkError(sqlite3_prepare_v2( db, insert.c_str(), insert.size()+1, &st, NULL )) ) return false; @@ -242,12 +236,9 @@ int SQLite::AddParams(Value* val, int pos) { if ( ! val->present ) - { - return sqlite3_bind_null(st, pos); - } + return sqlite3_bind_null(st, pos); switch ( val->type ) { - case TYPE_BOOL: return sqlite3_bind_int(st, pos, val->val.int_val ? 1 : 0 ); @@ -263,13 +254,13 @@ int SQLite::AddParams(Value* val, int pos) case TYPE_SUBNET: { - string out = io->Render(val->val.subnet_val).c_str(); + string out = io->Render(val->val.subnet_val); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } case TYPE_ADDR: { - string out = io->Render(val->val.addr_val).c_str(); + string out = io->Render(val->val.addr_val); return sqlite3_bind_text(st, pos, out.data(), out.size(), SQLITE_TRANSIENT); } 
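Review bot: In the `@@ -206,16 +196,20 @@` hunk the added `printf("Fieldname: %s\n", fieldname);` runs before the `fieldname == 0` check, so on allocation failure it passes a null pointer to `%s` before the guard fires, and it writes debug output to stdout from a writer backend unconditionally. A later patch in this series appears to drop this line; if this commit is reviewed on its own, the line should be removed or at least moved below the null check. The DoInit body continues outside the hunk.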
From 3415b5fcbe36e37443ce93a159e5ade299ad9f6b Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 15 Jan 2013 16:01:30 -0800 Subject: [PATCH 055/134] make sqlite support more or less work for logging and input * add support for &type_column for reading * add basic tests for logging & input * clean up a bit * add support for tables for reading (untested) --- src/input/readers/SQLite.cc | 158 +++++++----------- src/input/readers/SQLite.h | 12 +- src/logging/writers/SQLite.cc | 24 +-- src/main.cc | 12 ++ .../out | 35 ++++ .../out | 3 + .../conn.select | 34 ++++ .../http.select | 14 ++ .../base/frameworks/input/sqlite/basic.bro | 98 +++++++++++ .../base/frameworks/input/sqlite/port.bro | 48 ++++++ .../frameworks/logging/sqlite/wikipedia.bro | 8 + 11 files changed, 325 insertions(+), 121 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select create mode 100644 testing/btest/scripts/base/frameworks/input/sqlite/basic.bro create mode 100644 testing/btest/scripts/base/frameworks/input/sqlite/port.bro create mode 100644 testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index e6192645e1..8821d1a8a2 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc @@ -9,13 +9,12 @@ #include #include - -#include "../../threading/SerialTypes.h" - #include #include #include +#include "../../threading/SerialTypes.h" + using namespace input::reader; using threading::Value; using threading::Field; 
@@ -54,6 +53,12 @@ bool SQLite::checkError( int code ) bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) { + if ( sqlite3_threadsafe() == 0 ) + { + Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); + return false; + } + started = false; string fullpath(info.source); @@ -64,7 +69,6 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: if ( it == info.config.end() ) { MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); - Error(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); dbname = info.source; } else @@ -105,9 +109,10 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: return true; } -Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos) +// pos = field position +// subpos = subfield position, only used for port-field +Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos) { - if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) return new Value(field->type, false); @@ -130,10 +135,11 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p case TYPE_BOOL: { - if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) { + if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) + { Error("Invalid data type for boolean - expected Integer"); return 0; - } + } int res = sqlite3_column_int(st, pos); 
@@ -163,11 +169,23 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; case TYPE_PORT: + { val->val.port_val.port = sqlite3_column_int(st, pos); val->val.port_val.proto = TRANSPORT_UNKNOWN; + if ( subpos != -1 ) + { + const char *text = (const char*) sqlite3_column_text(st, subpos); + string s(text, sqlite3_column_bytes(st, subpos)); + if ( text == 0 ) + Error("Port protocol definition did not contain text"); + else + val->val.port_val.proto = io->StringToProto(s); + } break; + } - case TYPE_SUBNET: { + case TYPE_SUBNET: + { const char *text = (const char*) sqlite3_column_text(st, pos); string s(text, sqlite3_column_bytes(st, pos)); int pos = s.find("/"); @@ -177,8 +195,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p val->val.subnet_val.prefix = io->StringToAddr(addr); val->val.subnet_val.length = width; break; - } + case TYPE_ADDR: { const char *text = (const char*) sqlite3_column_text(st, pos); 
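Review bot: In the new `TYPE_PORT` block `string s(text, sqlite3_column_bytes(st, subpos));` is constructed before `text` is checked for null, so the null check on the following line comes too late to protect the `std::string` constructor; the `TYPE_SUBNET` case right below has the same `text`/`string s` pair with no null check at all (those lines are context, so the gap predates this commit). Move the string construction into the `else` branch so the column is only read once it is known to hold text; the `TYPE_SUBNET` case deserves the same guard. EntryToVal's body continues outside the hunk.

```cpp
			if ( subpos != -1 )
				{
				const char *text = (const char*) sqlite3_column_text(st, subpos);
				if ( text == 0 )
					Error("Port protocol definition did not contain text");
				else
					{
					string s(text, sqlite3_column_bytes(st, subpos));
					val->val.port_val.proto = io->StringToProto(s);
					}
				}
```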
@@ -189,81 +207,12 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p case TYPE_TABLE: case TYPE_VECTOR: - assert(false); - /* - // First - common initialization - // Then - initialization for table. - // Then - initialization for vector. - // Then - common stuff { - // how many entries do we have... - unsigned int length = 1; - for ( unsigned int i = 0; i < s.size(); i++ ) - if ( s[i] == ',') length++; - - unsigned int pos = 0; - - if ( s.compare(empty_field) == 0 ) - length = 0; - - - Value** lvals = new Value* [length]; - - if ( field->type == TYPE_TABLE ) - { - val->val.set_val.vals = lvals; - val->val.set_val.size = length; - } - else if ( field->type == TYPE_VECTOR ) - { - val->val.vector_val.vals = lvals; - val->val.vector_val.size = length; - else - assert(false); - - if ( length == 0 ) - break; //empty - - istringstream splitstream(s); - while ( splitstream ) - { - string element; - - if ( !getline(splitstream, element, ',') ) - break; - - if ( pos >= length ) - { - Error(Fmt("Internal error while parsing set. pos %d >= length %d. Element: %s", pos, length, element.c_str())); - break; - } - - Field* newfield = new Field(*field); - newfield->type = field->subtype; - Value* newval = EntryToVal(element, newfield); - delete(newfield); - if ( newval == 0 ) - { - Error("Error while reading set"); - return 0; - } - lvals[pos] = newval; - - pos++; - - } - - - if ( pos != length ) - { - Error("Internal error while parsing set: did not find all elements"); - return 0; - } - + const char *text = (const char*) sqlite3_column_text(st, pos); + string s(text, sqlite3_column_bytes(st, pos)); + val = io->StringToVal(s, "", field->type, field->subtype); break; } - */ - default: Error(Fmt("unsupported field format %d", field->type)); 
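Review bot: The new `TYPE_TABLE`/`TYPE_VECTOR` branch assigns `val = io->StringToVal(...)`, which overwrites the `Value` that the other cases (e.g. `val->val.port_val.port = ...`) show was already allocated before the `switch`, so that object is leaked on every set/vector row; the allocation itself is outside the hunk, so this is inferred from the sibling cases. The branch also constructs `string s` from `text` without a null check, and if `StringToVal` can return 0 on a parse failure that 0 flows into whatever follows the switch without the `return 0` the other error paths use. The sketch below frees the earlier object and guards both conditions; whether `delete val` is the right release depends on how `val` is created above the hunk.

```cpp
		case TYPE_TABLE:
		case TYPE_VECTOR:
			{
			const char *text = (const char*) sqlite3_column_text(st, pos);
			if ( text == 0 )
				{
				Error("Set/vector column did not contain text");
				delete val;
				return 0;
				}
			string s(text, sqlite3_column_bytes(st, pos));
			delete val;  // StringToVal returns a fresh Value; release the one created above the switch
			val = io->StringToVal(s, "", field->type, field->subtype);
			if ( val == 0 )
				return 0;
			break;
			}
```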
@@ -276,29 +225,26 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p bool SQLite::DoUpdate() { - int numcolumns = sqlite3_column_count(st); - /* This can happen legitimately I think... - if ( numcolumns != num_fields ) - { - Error(Fmt("SQLite query returned %d results, but input framework expected %d. Aborting", numcolumns, num_fields)); - return false; - } - */ - int *mapping = new int [num_fields]; + int *submapping = new int [num_fields]; // first set them all to -1 for ( unsigned int i = 0; i < num_fields; ++i ) { mapping[i] = -1; + submapping[i] = -1; } + + for ( unsigned int i = 0; i < numcolumns; ++i ) { const char *name = sqlite3_column_name(st, i); - for ( unsigned j = 0; j < num_fields; j++ ) { - if ( strcmp(fields[j]->name, name) == 0 ) { + for ( unsigned j = 0; j < num_fields; j++ ) + { + if ( strcmp(fields[j]->name, name) == 0 ) + { if ( mapping[j] != -1 ) { Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); @@ -306,10 +252,20 @@ bool SQLite::DoUpdate() } mapping[j] = i; - break; - } - } + } + if ( fields[j]->secondary_name != 0 && strcmp(fields[j]->secondary_name, name) == 0 ) + { + assert(fields[j]->type == TYPE_PORT); + if ( submapping[j] != -1 ) + { + Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); + return false; + } + + submapping[j] = i; + } + } } for ( unsigned int i = 0; i < num_fields; ++i ) { @@ -327,12 +283,9 @@ bool SQLite::DoUpdate() for ( unsigned int j = 0; j < num_fields; ++j) { - - ofields[j] = EntryToVal(st, fields[j], mapping[j]); - if ( ofields[j] == 0 ) { + ofields[j] = EntryToVal(st, fields[j], mapping[j], submapping[j]); + if ( ofields[j] == 0 ) return false; - } - } SendEntry(ofields); @@ -344,7 +297,8 @@ bool SQLite::DoUpdate() EndCurrentSend(); - delete (mapping); + delete [] mapping; + delete [] submapping; if ( checkError(sqlite3_reset(st)) ) return false; 
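Review bot: `mapping` and the new `submapping` are raw `new int[]` arrays that are only released at the end of DoUpdate, so every early `return false` leaks them: the duplicate-column error in this hunk, the new duplicate-`secondary_name` error in `@@ -306,10 +252,20 @@`, and the `ofields[j] == 0` path in `@@ -327,12 +283,9 @@` (which also leaks the `ofields` filled so far). Declaring them as `std::vector<int> mapping(num_fields, -1), submapping(num_fields, -1);` removes the initialisation loop and the two `delete []` lines and makes every return path safe. Separately, `assert(fields[j]->type == TYPE_PORT)` in the `@@ -306` hunk guards a property of the caller-supplied field list; in an NDEBUG build it vanishes, so an `Error(...)` plus `return false` would be the more robust check. DoUpdate's body continues outside the hunk.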
diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 38fdddf3aa..6ab6bb9c58 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -37,22 +37,16 @@ protected: private: bool checkError(int code); - unsigned int num_fields; - + threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos); + const threading::Field* const * fields; // raw mapping - - threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos); - + unsigned int num_fields; int mode; - bool started; string query; - sqlite3 *db; sqlite3_stmt *st; - AsciiInputOutput* io; - }; diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index fd8900851b..dc58688994 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -76,7 +76,7 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { case TYPE_STRING: case TYPE_FILE: case TYPE_FUNC: - type = "TEXT"; + type = "text"; break; case TYPE_TABLE: @@ -107,22 +107,26 @@ bool SQLite::checkError( int code ) bool SQLite::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) { - if ( sqlite3_threadsafe() == 0 ) { + if ( sqlite3_threadsafe() == 0 ) + { Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); return false; - } + } string fullpath(info.path); fullpath.append(".sqlite"); string dbname; map::const_iterator it = info.config.find("dbname"); - if ( it == info.config.end() ) { + if ( it == info.config.end() ) + { MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to path %s", info.path)); dbname = info.path; - } else { + } + else + { dbname = it->second; - } + } if ( checkError(sqlite3_open_v2( 
@@ -135,7 +139,7 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, NULL)) ) return false; - string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; // yes. using path here is stupid. open for better ideas. + string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; //"id SERIAL UNIQUE NOT NULL"; // SQLite has rowids, we do not need a counter here. for ( int i = 0; i < num_fields; ++i ) @@ -197,7 +201,6 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, insert += "?"; char* fieldname = sqlite3_mprintf("%Q", fields[i]->name); - printf("Fieldname: %s\n", fieldname); if ( fieldname == 0 ) { InternalError("Could not malloc memory"); @@ -219,7 +222,8 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, } // Format String -char* SQLite::FS(const char* format, ...) { +char* SQLite::FS(const char* format, ...) + { char * buf; va_list al; @@ -230,7 +234,7 @@ char* SQLite::FS(const char* format, ...) { assert(n >= 0); return buf; -} + } int SQLite::AddParams(Value* val, int pos) { diff --git a/src/main.cc b/src/main.cc index 5999186240..2c96104a8e 100644 --- a/src/main.cc +++ b/src/main.cc @@ -16,6 +16,10 @@ #include #endif +#ifdef USE_SQLITE +#include "sqlite3.h" +#endif + #ifdef USE_IDMEF extern "C" { #include @@ -724,6 +728,10 @@ int main(int argc, char** argv) curl_global_init(CURL_GLOBAL_ALL); #endif +#ifdef USE_SQLITE + sqlite3_initialize(); +#endif + // FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't // seed the PRNG. We should do this here (but at least Linux, FreeBSD // and Solaris provide /dev/urandom). @@ -1078,6 +1086,10 @@ int main(int argc, char** argv) curl_global_cleanup(); #endif +#ifdef USE_SQLITE + sqlite3_shutdown(); +#endif + terminate_bro(); // Close files after net_delete(), because net_delete() 
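Review bot: `"CREATE TABLE IF NOT EXISTS "+dbname+" (\n"` still splices `dbname` into the statement unquoted; the removed comment acknowledged the problem, but the new line only drops the comment. `dbname` comes from the `dbname` config option or defaults to the log path, so a name containing spaces, a dot or a quote will break the statement, and the INSERT statement presumably built later in DoInit has the same exposure. Quote it the way SQLite expects for identifiers: `char* tname = sqlite3_mprintf("\"%w\"", dbname.c_str());`, build the statement from `tname`, and `sqlite3_free(tname)` afterwards (with the same null check used for `fieldname`). The DoInit body continues outside the hunk.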
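Review bot: In the `src/main.cc` `@@ -1078,6 +1086,10 @@` hunk `sqlite3_shutdown()` is called before `terminate_bro()`, but SQLite requires every connection to be closed and every prepared statement finalized before shutdown, and the SQLite reader/writer threads that own `db` and `st` are presumably torn down by `terminate_bro()` (that function is outside the hunk, so this is inferred). If so, the call should move after `terminate_bro()`; either way a comment such as `// Must run after all SQLite writer/reader threads have closed their handles.` would make the ordering constraint explicit.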
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out new file mode 100644 index 0000000000..f227bb5d8e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out 
@@ -0,0 +1,35 @@ +[ts=1300475167.096535, uid=dnGM1AdIVyh, id=[orig_h=141.142.220.202, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=73, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475167.097012, uid=fv9q7WjEgp1, id=[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/unknown, resp_h=ff02::fb, resp_p=5353/unknown], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=199, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475167.099816, uid=0Ox0H56yl88, id=[orig_h=141.142.220.50, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=179, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475168.853899, uid=rvmSc7rDQub, id=[orig_h=141.142.220.118, orig_p=43927/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000435, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.854378, uid=ogkztouSArh, id=[orig_h=141.142.220.118, orig_p=37676/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.00042, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.854837, uid=0UIDdXFt7Tb, id=[orig_h=141.142.220.118, orig_p=40526/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000392, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, 
tunnel_parents=] +[ts=1300475168.857956, uid=WqFYV51UIq7, id=[orig_h=141.142.220.118, orig_p=32902/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.858306, uid=ylcqZpbz6K2, id=[orig_h=141.142.220.118, orig_p=59816/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000343, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.858713, uid=blhldTzA7Y6, id=[orig_h=141.142.220.118, orig_p=59714/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000375, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.891644, uid=Sc34cGJo3Kg, id=[orig_h=141.142.220.118, orig_p=58206/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000339, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.892037, uid=RzvFrfXSRfk, id=[orig_h=141.142.220.118, orig_p=38911/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000335, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.892414, uid=GaaFI58mpbe, id=[orig_h=141.142.220.118, orig_p=59746/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000421, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, 
orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.893988, uid=tr7M6tvAIQa, id=[orig_h=141.142.220.118, orig_p=45000/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000384, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.894422, uid=gV0TcSc2pb4, id=[orig_h=141.142.220.118, orig_p=48479/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.894787, uid=MOG0z4PYOhk, id=[orig_h=141.142.220.118, orig_p=48128/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000423, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.901749, uid=PlehgEduUyj, id=[orig_h=141.142.220.118, orig_p=56056/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000402, orig_bytes=36, resp_bytes=131, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=159, tunnel_parents=] +[ts=1300475168.902195, uid=4eZgk09f2Re, id=[orig_h=141.142.220.118, orig_p=55092/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000374, orig_bytes=36, resp_bytes=198, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=226, tunnel_parents=] +[ts=1300475169.899438, uid=3xwJPc7mQ9a, id=[orig_h=141.142.220.44, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, 
missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=85, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475170.862384, uid=yxTcvvTKWQ4, id=[orig_h=141.142.220.226, orig_p=137/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=2.613017, orig_bytes=350, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=7, orig_ip_bytes=546, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475171.675372, uid=8bLW3XNfhCj, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100096, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475171.677081, uid=rqjhiiRPjEe, id=[orig_h=141.142.220.226, orig_p=55131/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100021, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.116749, uid=hTPyfL3QSGa, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099801, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.117362, uid=EruUQ9AJRj4, id=[orig_h=141.142.220.226, orig_p=55671/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099849, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.153679, uid=sw1bKJOMjuk, id=[orig_h=141.142.220.238, orig_p=56641/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=, 
orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=78, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475168.724007, uid=NPHCuyWykE7, id=[orig_h=141.142.220.118, orig_p=48649/unknown, resp_h=208.80.152.118, resp_p=80/unknown], proto=tcp, service=http, duration=0.119905, orig_bytes=525, resp_bytes=232, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=741, resp_pkts=3, resp_ip_bytes=396, tunnel_parents=] +[ts=1300475168.892936, uid=VapPqRhPgJ4, id=[orig_h=141.142.220.118, orig_p=50000/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.229603, orig_bytes=1148, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1468, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.859163, uid=3607hh8C3bc, id=[orig_h=141.142.220.118, orig_p=49998/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.215893, orig_bytes=1130, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1450, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.855305, uid=tgYMrIvzDSg, id=[orig_h=141.142.220.118, orig_p=49996/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.218501, orig_bytes=1171, resp_bytes=733, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1491, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=] +[ts=1300475168.895267, uid=xQsjPwNBrXd, id=[orig_h=141.142.220.118, orig_p=50001/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.227284, orig_bytes=1178, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1498, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.902635, uid=Ap3GzMI1vM9, id=[orig_h=141.142.220.118, 
orig_p=35642/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=http, duration=0.120041, orig_bytes=534, resp_bytes=412, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=750, resp_pkts=3, resp_ip_bytes=576, tunnel_parents=] +[ts=1300475168.85533, uid=FTVcgrmNy52, id=[orig_h=141.142.220.118, orig_p=49997/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.21972, orig_bytes=1125, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1445, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475169.780331, uid=1xFx4PGdeq5, id=[orig_h=141.142.220.235, orig_p=6705/unknown, resp_h=173.192.163.128, resp_p=80/unknown], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=OTH, local_orig=, missed_bytes=0, history=h, orig_pkts=0, orig_ip_bytes=0, resp_pkts=1, resp_ip_bytes=48, tunnel_parents=] +[ts=1300475168.652003, uid=WIG1ud65z22, id=[orig_h=141.142.220.118, orig_p=35634/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=, duration=0.061329, orig_bytes=463, resp_bytes=350, conn_state=OTH, local_orig=, missed_bytes=0, history=DdA, orig_pkts=2, orig_ip_bytes=567, resp_pkts=1, resp_ip_bytes=402, tunnel_parents=] +[ts=1300475168.892913, uid=o2gAkl4V7sa, id=[orig_h=141.142.220.118, orig_p=49999/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.220961, orig_bytes=1137, resp_bytes=733, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1457, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=] +End of data diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out new file mode 100644 index 0000000000..a2cc947fbc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out 
@@ -0,0 +1,3 @@ +5353/udp +6162/tcp +End of data diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select new file mode 100644 index 0000000000..0e93dc54e1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select 
@@ -0,0 +1,34 @@ +1300475167.09653|UWkUyAuUGXf|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0| +1300475167.09701|arKYeMETxOg|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0| +1300475167.09982|k6kgXLOoSKl|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0| +1300475168.652|nQcgTWjvg4c|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402| +1300475168.72401|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396| +1300475168.8539|TEfuqmmG4bh|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117| +1300475168.85438|FrJExwHcSal|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF||0|Dd|1|80|1|127| +1300475168.85484|5OKnoww6xl4|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF||0|Dd|1|66|1|211| +1300475168.85533|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1||0|ShADad|6|1445|4|950| +1300475168.8553|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1||0|ShADad|6|1491|4|949| +1300475168.85796|fRFu0wcOle6|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF||0|Dd|1|66|1|117| +1300475168.85831|qSsw6ESzHV4|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF||0|Dd|1|80|1|127| +1300475168.85871|iE6yhOq3SF|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF||0|Dd|1|66|1|211| +1300475168.85916|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1||0|ShADad|6|1450|4|950| +1300475168.89164|qCaWGmzFtM5|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF||0|Dd|1|66|1|117| +1300475168.89204|70MGiRM1Qf4|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF||0|Dd|1|80|1|127| 
+1300475168.89241|h5DsfNtYzi1|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF||0|Dd|1|66|1|211| +1300475168.89291|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1||0|ShADad|6|1457|4|949| +1300475168.89294|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1||0|ShADad|6|1468|4|950| +1300475168.89399|c4Zw9TmAE05|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF||0|Dd|1|66|1|117| +1300475168.89442|EAr0uf4mhq|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF||0|Dd|1|80|1|127| +1300475168.89479|GvmoxJFXdTa|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF||0|Dd|1|66|1|211| +1300475168.89527|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1||0|ShADad|6|1498|4|950| +1300475168.90175|slFea8xwSmb|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF||0|Dd|1|64|1|159| +1300475168.90219|UfGkYA2HI2g|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF||0|Dd|1|64|1|226| +1300475168.90264|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1||0|ShADad|4|750|3|576| +1300475169.78033|2cx26uAvUPl|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH||0|h|0|0|1|48| +1300475169.89944|BWaU4aSuwkc|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|85|0|0| +1300475170.86238|10XodEwRycf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0||0|D|7|546|0|0| +1300475171.67537|zno26fFZkrh|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0||0|D|2|162|0|0| +1300475171.67708|v5rgkJBig5l|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0||0|D|2|122|0|0| +1300475173.11675|eWZCH7OONC1|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0||0|D|2|162|0|0| 
+1300475173.11736|0Pwk3ntf8O3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0||0|D|2|122|0|0| +1300475173.15368|0HKorjr8Zp7|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0||0|D|1|78|0|0| diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select new file mode 100644 index 0000000000..774a93408a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select 
@@ -0,0 +1,14 @@ +1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| 
+1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| 
+1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro new file mode 100644 index 0000000000..39ff448b7d --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro 
@@ -0,0 +1,98 @@ +# @TEST-EXEC: cat conn.sql | sqlite3 conn.sqlite +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +@TEST-START-FILE conn.sql +PRAGMA foreign_keys=OFF; +BEGIN TRANSACTION; +CREATE TABLE conn ( +'ts' double precision, +'uid' text, +'id.orig_h' text, +'id.orig_p' integer, +'id.resp_h' text, +'id.resp_p' integer, +'proto' text, +'service' text, +'duration' double precision, +'orig_bytes' integer, +'resp_bytes' integer, +'conn_state' text, +'local_orig' boolean, +'missed_bytes' integer, +'history' text, +'orig_pkts' integer, +'orig_ip_bytes' integer, +'resp_pkts' integer, +'resp_ip_bytes' integer, +'tunnel_parents' text +); +INSERT INTO "conn" VALUES(1.30047516709653496744e+09,'dnGM1AdIVyh','141.142.220.202',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,73,0,0,''); +INSERT INTO "conn" VALUES(1.30047516709701204296e+09,'fv9q7WjEgp1','fe80::217:f2ff:fed7:cf65',5353,'ff02::fb',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,199,0,0,''); +INSERT INTO "conn" VALUES(1.30047516709981608392e+09,'0Ox0H56yl88','141.142.220.50',5353,'224.0.0.251',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,179,0,0,''); +INSERT INTO "conn" VALUES(1.30047516885389900212e+09,'rvmSc7rDQub','141.142.220.118',43927,'141.142.2.2',53,'udp','dns',4.351139068603515625e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516885437798497e+09,'ogkztouSArh','141.142.220.118',37676,'141.142.2.2',53,'udp','dns',4.20093536376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516885483694076e+09,'0UIDdXFt7Tb','141.142.220.118',40526,'141.142.2.2',53,'udp','dns',3.9196014404296875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516885795593258e+09,'WqFYV51UIq7','141.142.220.118',32902,'141.142.2.2',53,'udp','dns',3.17096710205078125e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT 
INTO "conn" VALUES(1.30047516885830593104e+09,'ylcqZpbz6K2','141.142.220.118',59816,'141.142.2.2',53,'udp','dns',3.430843353271484375e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516885871291159e+09,'blhldTzA7Y6','141.142.220.118',59714,'141.142.2.2',53,'udp','dns',3.750324249267578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516889164400098e+09,'Sc34cGJo3Kg','141.142.220.118',58206,'141.142.2.2',53,'udp','dns',3.39031219482421875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516889203691487e+09,'RzvFrfXSRfk','141.142.220.118',38911,'141.142.2.2',53,'udp','dns',3.349781036376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516889241409298e+09,'GaaFI58mpbe','141.142.220.118',59746,'141.142.2.2',53,'udp','dns',4.208087921142578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516889398789407e+09,'tr7M6tvAIQa','141.142.220.118',45000,'141.142.2.2',53,'udp','dns',3.840923309326171875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516889442205426e+09,'gV0TcSc2pb4','141.142.220.118',48479,'141.142.2.2',53,'udp','dns',3.168582916259765625e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516889478707315e+09,'MOG0z4PYOhk','141.142.220.118',48128,'141.142.2.2',53,'udp','dns',4.22954559326171875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516890174889565e+09,'PlehgEduUyj','141.142.220.118',56056,'141.142.2.2',53,'udp','dns',4.022121429443359375e-04,36,131,'SF',NULL,0,'Dd',1,64,1,159,''); +INSERT INTO "conn" VALUES(1.30047516890219497676e+09,'4eZgk09f2Re','141.142.220.118',55092,'141.142.2.2',53,'udp','dns',3.740787506103515625e-04,36,198,'SF',NULL,0,'Dd',1,64,1,226,''); +INSERT INTO "conn" 
VALUES(1.30047516989943790432e+09,'3xwJPc7mQ9a','141.142.220.44',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,85,0,0,''); +INSERT INTO "conn" VALUES(1.30047517086238408089e+09,'yxTcvvTKWQ4','141.142.220.226',137,'141.142.220.255',137,'udp','dns',2.61301684379577636718e+00,350,0,'S0',NULL,0,'D',7,546,0,0,''); +INSERT INTO "conn" VALUES(1.30047517167537188525e+09,'8bLW3XNfhCj','fe80::3074:17d5:2052:c324',65373,'ff02::1:3',5355,'udp','dns',1.00096225738525390625e-01,66,0,'S0',NULL,0,'D',2,162,0,0,''); +INSERT INTO "conn" VALUES(1.30047517167708110807e+09,'rqjhiiRPjEe','141.142.220.226',55131,'224.0.0.252',5355,'udp','dns',1.00020885467529296875e-01,66,0,'S0',NULL,0,'D',2,122,0,0,''); +INSERT INTO "conn" VALUES(1.30047517311674904827e+09,'hTPyfL3QSGa','fe80::3074:17d5:2052:c324',54213,'ff02::1:3',5355,'udp','dns',9.980106353759765625e-02,66,0,'S0',NULL,0,'D',2,162,0,0,''); +INSERT INTO "conn" VALUES(1.30047517311736202235e+09,'EruUQ9AJRj4','141.142.220.226',55671,'224.0.0.252',5355,'udp','dns',9.98489856719970703125e-02,66,0,'S0',NULL,0,'D',2,122,0,0,''); +INSERT INTO "conn" VALUES(1.30047517315367889406e+09,'sw1bKJOMjuk','141.142.220.238',56641,'141.142.220.255',137,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,78,0,0,''); +INSERT INTO "conn" VALUES(1.30047516872400689127e+09,'NPHCuyWykE7','141.142.220.118',48649,'208.80.152.118',80,'tcp','http',1.19904994964599609375e-01,525,232,'S1',NULL,0,'ShADad',4,741,3,396,''); +INSERT INTO "conn" VALUES(1.30047516889293599126e+09,'VapPqRhPgJ4','141.142.220.118',50000,'208.80.152.3',80,'tcp','http',2.29603052139282226562e-01,1148,734,'S1',NULL,0,'ShADad',6,1468,4,950,''); +INSERT INTO "conn" VALUES(1.30047516885916304588e+09,'3607hh8C3bc','141.142.220.118',49998,'208.80.152.3',80,'tcp','http',2.15893030166625976562e-01,1130,734,'S1',NULL,0,'ShADad',6,1450,4,950,''); +INSERT INTO "conn" 
VALUES(1.30047516885530495647e+09,'tgYMrIvzDSg','141.142.220.118',49996,'208.80.152.3',80,'tcp','http',2.1850109100341796875e-01,1171,733,'S1',NULL,0,'ShADad',6,1491,4,949,''); +INSERT INTO "conn" VALUES(1.30047516889526700977e+09,'xQsjPwNBrXd','141.142.220.118',50001,'208.80.152.3',80,'tcp','http',2.27283954620361328125e-01,1178,734,'S1',NULL,0,'ShADad',6,1498,4,950,''); +INSERT INTO "conn" VALUES(1.30047516890263509747e+09,'Ap3GzMI1vM9','141.142.220.118',35642,'208.80.152.2',80,'tcp','http',1.200408935546875e-01,534,412,'S1',NULL,0,'ShADad',4,750,3,576,''); +INSERT INTO "conn" VALUES(1300475168.85533,'FTVcgrmNy52','141.142.220.118',49997,'208.80.152.3',80,'tcp','http',2.19720125198364257812e-01,1125,734,'S1',NULL,0,'ShADad',6,1445,4,950,''); +INSERT INTO "conn" VALUES(1.30047516978033089643e+09,'1xFx4PGdeq5','141.142.220.235',6705,'173.192.163.128',80,'tcp',NULL,NULL,NULL,NULL,'OTH',NULL,0,'h',0,0,1,48,''); +INSERT INTO "conn" VALUES(1.3004751686520030498e+09,'WIG1ud65z22','141.142.220.118',35634,'208.80.152.2',80,'tcp',NULL,6.1328887939453125e-02,463,350,'OTH',NULL,0,'DdA',2,567,1,402,''); +INSERT INTO "conn" VALUES(1.3004751688929131031e+09,'o2gAkl4V7sa','141.142.220.118',49999,'208.80.152.3',80,'tcp','http',2.20960855484008789062e-01,1137,733,'S1',NULL,0,'ShADad',6,1457,4,949,''); +COMMIT; +@TEST-END-FILE + +@load base/protocols/conn + +redef Input::accept_unsupported_types = T; + +global outfile: file; + +module A; + +event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Info) + { + print outfile, r; + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["query"] = "select * from conn;", + ["dbname"] = "conn" + }; + + outfile = open("../out"); + # first read in the old stuff into the table... 
+ Input::add_event([$source="../conn", $name="conn", $fields=Conn::Info, $ev=line, $want_record=T, $reader=Input::READER_SQLITE, $config=config_strings]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of data"; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro new file mode 100644 index 0000000000..5cdc9a9d76 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro @@ -0,0 +1,48 @@ +# @TEST-EXEC: cat port.sql | sqlite3 port.sqlite +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +@TEST-START-FILE port.sql +PRAGMA foreign_keys=OFF; +BEGIN TRANSACTION; +CREATE TABLE port ( +'port' integer, +'proto' text +); +INSERT INTO "port" VALUES(5353,'udp'); +INSERT INTO "port" VALUES(6162,'tcp'); +COMMIT; +@TEST-END-FILE + +global outfile: file; + +module A; + +type Val: record { + p: port &type_column="proto"; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, p: port) + { + print outfile, p; + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["query"] = "select port as p, proto from port;", + ["dbname"] = "port" + }; + + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_event([$source="../port", $name="port", $fields=Val, $ev=line, $reader=Input::READER_SQLITE, $want_record=F, $config=config_strings]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of data"; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro new file mode 100644 index 0000000000..14134d5427 --- /dev/null 
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro @@ -0,0 +1,8 @@ +# +# @TEST-GROUP: dataseries +# +# @TEST-EXEC: bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE +# @TEST-EXEC: sqlite3 conn.sqlite 'select * from conn' | sort > conn.select +# @TEST-EXEC: sqlite3 http.sqlite 'select * from http' | sort > http.select +# @TEST-EXEC: btest-diff conn.select +# @TEST-EXEC: btest-diff http.select From 8f71186bf7ab752a46c160a9b76c02a4fa9e96c4 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 15 Jan 2013 16:23:48 -0800 Subject: [PATCH 056/134] no, you will never guess from where I copied this file... --- .../btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro index 14134d5427..d4af793788 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro @@ -1,5 +1,5 @@ # -# @TEST-GROUP: dataseries +# @TEST-GROUP: sqlite # # @TEST-EXEC: bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE # @TEST-EXEC: sqlite3 conn.sqlite 'select * from conn' | sort > conn.select From 0fcc3db9a0a5b493cfbf699f74abb779e5dada26 Mon Sep 17 00:00:00 2001 
From: Bernhard Amann Date: Wed, 16 Jan 2013 18:13:39 -0800 Subject: [PATCH 057/134] start adding a different text for empty records for the sqlite writer. Sadly there also seems to be another deadlock issue which I am currently not really able to figure out - on shutdown sometimes (too often) the main thread + all sqlite threads wait for semaphores or mutexes. --- scripts/base/frameworks/input/__load__.bro | 2 +- scripts/base/frameworks/logging/writers/sqlite.bro | 4 ++++ src/input.bif | 5 +++++ src/input/readers/SQLite.cc | 12 +++++++++++- src/input/readers/SQLite.h | 3 +++ src/logging.bif | 1 + src/logging/writers/SQLite.cc | 9 +++++++-- src/logging/writers/SQLite.h | 2 +- .../scripts/base/frameworks/input/sqlite/basic.bro | 1 - .../scripts/base/frameworks/input/sqlite/port.bro | 1 - 10 files changed, 33 insertions(+), 7 deletions(-) diff --git a/scripts/base/frameworks/input/__load__.bro b/scripts/base/frameworks/input/__load__.bro index 0e7d8ffb73..ab7c289fcf 100644 --- a/scripts/base/frameworks/input/__load__.bro +++ b/scripts/base/frameworks/input/__load__.bro @@ -2,4 +2,4 @@ @load ./readers/ascii @load ./readers/raw @load ./readers/benchmark - +@load ./readers/sqlite diff --git a/scripts/base/frameworks/logging/writers/sqlite.bro b/scripts/base/frameworks/logging/writers/sqlite.bro index 654af93c96..d835d10151 100644 --- a/scripts/base/frameworks/logging/writers/sqlite.bro +++ b/scripts/base/frameworks/logging/writers/sqlite.bro @@ -9,5 +9,9 @@ export { ## String to use for an unset &optional field. const unset_field = Log::unset_field &redef; + + ## String to use for empty fields. This should be different from + ## *unset_field* to make the output non-ambigious. + const empty_field = Log::empty_field &redef; } diff --git a/src/input.bif b/src/input.bif index 199b665fa6..bb2ee9a58b 100644 --- a/src/input.bif +++ b/src/input.bif 
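Review bot: The new `@load ./readers/sqlite` line refers to a script that is not in this commit's diffstat (the ten files listed do not include `scripts/base/frameworks/input/readers/sqlite.bro`), yet `src/input.bif` in the same commit declares `InputSQLite::set_separator`, `unset_field` and `empty_field` as BifConsts that need script-level definitions. If that reader script does not already exist from an earlier commit, the load fails and the constants the C++ reader reads are undefined; if it does exist, a sentence in the commit message pointing at it would save the next reviewer the same check. Worth confirming before merge.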
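Review bot: The doc comment on the new `empty_field` constant misspells "ambiguous" (`non-ambigious`); suggest `## *unset_field* to make the output unambiguous.`. It would also help to state in that comment that the value must match `InputSQLite::empty_field` when the same database is read back with the SQLite input reader, since both sides are configured independently (inferred from the paired constants this commit adds to input.bif and logging.bif — confirm that the reader really parses the writer's marker).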
@@ -57,3 +57,8 @@ const autospread: double; const addfactor: count; const stopspreadat: count; const timedspread: double; + +module InputSQLite; +const set_separator: string; +const unset_field: string; +const empty_field: string; diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index 8821d1a8a2..f843accced 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc @@ -22,7 +22,17 @@ using threading::Field; SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend) { - io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo()); + set_separator.assign( + (const char*) BifConst::LogSQLite::set_separator->Bytes(), + BifConst::InputSQLite::set_separator->Len() + ); + + unset_field.assign( + (const char*) BifConst::LogSQLite::unset_field->Bytes(), + BifConst::InputSQLite::unset_field->Len() + ); + + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field)); } SQLite::~SQLite() diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 6ab6bb9c58..aa7f9686c7 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -47,6 +47,9 @@ private: sqlite3 *db; sqlite3_stmt *st; AsciiInputOutput* io; + + string set_separator; + string unset_field; }; diff --git a/src/logging.bif b/src/logging.bif index 93317e242d..f7684b7216 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -87,6 +87,7 @@ const num_threads: count; module LogSQLite; const set_separator: string; +const empty_field: string; const unset_field: string; # Options for the ElasticSearch writer. diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index dc58688994..eaa20da466 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc 
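Review bot: In the new reader constructor the byte pointer and the length of each separator come from different constants: `set_separator` is built from `BifConst::LogSQLite::set_separator->Bytes()` paired with `BifConst::InputSQLite::set_separator->Len()`, and `unset_field` mixes `LogSQLite`/`InputSQLite` the same way. Whenever the two script-level values differ in length, `assign` either truncates the separator or reads past the end of the shorter BroString, so the reader silently uses a wrong marker or touches memory beyond the constant. Both arguments should name the reader's own module, e.g. `(const char*) BifConst::InputSQLite::set_separator->Bytes(), BifConst::InputSQLite::set_separator->Len()`, and likewise for `unset_field`. The input.bif hunk in this commit declares the `InputSQLite` constants, so they are available here.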
@@ -30,9 +30,14 @@ SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) BifConst::LogAscii::unset_field->Len() ); + empty_field.assign( + (const char*) BifConst::LogAscii::empty_field->Bytes(), + BifConst::LogAscii::empty_field->Len() + ); + db = 0; - io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field)); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field, empty_field)); } SQLite::~SQLite() @@ -134,7 +139,7 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | - SQLITE_OPEN_FULLMUTEX // perhaps change to nomutex + SQLITE_OPEN_NOMUTEX // perhaps change to nomutex , NULL)) ) return false; diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index 2300144063..f430057ed8 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -46,9 +46,9 @@ private: sqlite3 *db; sqlite3_stmt *st; - string separator; string set_separator; string unset_field; + string empty_field; AsciiInputOutput* io; }; diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro index 39ff448b7d..06b121be51 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro @@ -86,7 +86,6 @@ event bro_init() }; outfile = open("../out"); - # first read in the old stuff into the table... Input::add_event([$source="../conn", $name="conn", $fields=Conn::Info, $ev=line, $want_record=T, $reader=Input::READER_SQLITE, $config=config_strings]); } diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro index 5cdc9a9d76..4501f28b2b 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro 
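Review bot: The added `empty_field.assign(...)` reads `BifConst::LogAscii::empty_field` for both `Bytes()` and `Len()`, even though this commit introduces `LogSQLite::empty_field` in logging.bif and `writers/sqlite.bro` for exactly this writer; a user who redefines `LogSQLite::empty_field` will see no effect. Both arguments should be `BifConst::LogSQLite::empty_field`. The context line above (`BifConst::LogAscii::unset_field->Len()`) suggests the existing `set_separator`/`unset_field` assignments have the same mix-up and are worth correcting in the same pass.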
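Review bot: The open flag changes to `SQLITE_OPEN_NOMUTEX` but the trailing comment `// perhaps change to nomutex` is left in place and now reads as if the change were still pending. In NOMUTEX mode SQLite stops serializing calls on this connection, so the change is only safe if `db` and `st` are used exclusively from this writer's thread; that invariant should replace the stale comment, e.g. `// NOMUTEX: this connection is only ever used from the writer's own thread, so SQLite's per-connection mutex is unnecessary.` Given the commit message reports shutdown deadlocks that are not yet understood, confirming the single-thread assumption before dropping the mutex seems prudent. The enclosing DoInit body continues outside the hunk.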
@@ -36,7 +36,6 @@ event bro_init() }; outfile = open("../out"); - # first read in the old stuff into the table... Input::add_event([$source="../port", $name="port", $fields=Val, $ev=line, $reader=Input::READER_SQLITE, $want_record=F, $config=config_strings]); } From e3856d76813ef6a8cc85d895855853727798a29d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 27 Feb 2013 11:25:01 -0500 Subject: [PATCH 058/134] Removing a field that is no longer logged through the standard metrics log. --- scripts/base/frameworks/metrics/main.bro | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 9b167d200f..6101d1cf4a 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -424,7 +424,6 @@ function write_log(ts: time, metric_name: string, filter_name: string, data: Met local m: Info = [$ts=ts, $ts_delta=filter$every, $metric=filter$id, - $filter_name=filter$name, $index=index, $result=data[index]]; Log::write(LOG, m); From 5d12765886b032469a51180ba26396e20e9eb9b4 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 11 Mar 2013 12:01:49 -0700 Subject: [PATCH 059/134] make work with newer AsciiFormatter. --- src/input/readers/SQLite.cc | 15 ++++++++++----- src/input/readers/SQLite.h | 5 +++-- src/logging/writers/SQLite.cc | 8 ++++---- src/logging/writers/SQLite.h | 4 ++-- 4 files changed, 19 insertions(+), 13 deletions(-) diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index f843accced..962f0926db 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc 
@@ -31,8 +31,13 @@ SQLite::SQLite(ReaderFrontend *frontend) : ReaderBackend(frontend) (const char*) BifConst::LogSQLite::unset_field->Bytes(), BifConst::InputSQLite::unset_field->Len() ); + + empty_field.assign( + (const char*) BifConst::LogAscii::empty_field->Bytes(), + BifConst::InputSQLite::empty_field->Len() + ); - io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field)); + io = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field)); } SQLite::~SQLite() @@ -189,7 +194,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p if ( text == 0 ) Error("Port protocol definition did not contain text"); else - val->val.port_val.proto = io->StringToProto(s); + val->val.port_val.proto = io->ParseProto(s); } break; } @@ -202,7 +207,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p int width = atoi(s.substr(pos+1).c_str()); string addr = s.substr(0, pos); - val->val.subnet_val.prefix = io->StringToAddr(addr); + val->val.subnet_val.prefix = io->ParseAddr(addr); val->val.subnet_val.length = width; break; } @@ -211,7 +216,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p { const char *text = (const char*) sqlite3_column_text(st, pos); string s(text, sqlite3_column_bytes(st, pos)); - val->val.addr_val = io->StringToAddr(s); + val->val.addr_val = io->ParseAddr(s); break; } @@ -220,7 +225,7 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p { const char *text = (const char*) sqlite3_column_text(st, pos); string s(text, sqlite3_column_bytes(st, pos)); - val = io->StringToVal(s, "", field->type, field->subtype); + val = io->ParseValue(s, "", field->type, field->subtype); break; } diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index aa7f9686c7..0705ba2df0 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h 
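Review bot: The new `empty_field.assign(...)` pairs `BifConst::LogAscii::empty_field->Bytes()` with `BifConst::InputSQLite::empty_field->Len()`, so the pointer and the length describe two different strings; when their lengths differ the reader either truncates the marker or reads past the end of the `LogAscii` constant. The context lines just above show the same pattern for `unset_field` (`LogSQLite` bytes, `InputSQLite` length). All three separators should take both arguments from the reader's own module, e.g. `(const char*) BifConst::InputSQLite::empty_field->Bytes(), BifConst::InputSQLite::empty_field->Len()`.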
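Review bot: The subnet prefix length is taken with `atoi(s.substr(pos+1).c_str())` and stored straight into `val->val.subnet_val.length` without any range check, so a malformed or hostile database value such as `10.0.0.0/999` or `10.0.0.0/abc` yields a subnet with an out-of-range or zero prefix instead of an error. Since the address half now goes through `io->ParseAddr(addr)`, the width deserves the same care: reject values above 32 for IPv4 / 128 for IPv6 (and non-numeric text) via `Error(...)`, as the port branch in this file already does for a missing protocol. The `find('/')` that sets `pos` and the rest of EntryToVal are outside the hunk, so I cannot tell whether a missing slash is already handled.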
@@ -12,7 +12,7 @@ #include #include "../ReaderBackend.h" -#include "../../threading/AsciiInputOutput.h" +#include "../../threading/AsciiFormatter.h" #include "sqlite3.h" @@ -46,10 +46,11 @@ private: string query; sqlite3 *db; sqlite3_stmt *st; - AsciiInputOutput* io; + AsciiFormatter* io; string set_separator; string unset_field; + string empty_field; }; diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index eaa20da466..cf4be92e14 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -31,13 +31,13 @@ SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) ); empty_field.assign( - (const char*) BifConst::LogAscii::empty_field->Bytes(), + (const char*) BifConst::LogSQLite::empty_field->Bytes(), BifConst::LogAscii::empty_field->Len() ); db = 0; - io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field, empty_field)); + io = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field)); } SQLite::~SQLite() @@ -300,7 +300,7 @@ int SQLite::AddParams(Value* val, int pos) if ( j > 0 ) desc.AddRaw(set_separator); - io->ValToODesc(&desc, val->val.set_val.vals[j], NULL); + io->Describe(&desc, val->val.set_val.vals[j], NULL); // yes, giving NULL here is not really really pretty.... // it works however, because tables cannot contain tables... // or vectors. @@ -320,7 +320,7 @@ int SQLite::AddParams(Value* val, int pos) if ( j > 0 ) desc.AddRaw(set_separator); - io->ValToODesc(&desc, val->val.vector_val.vals[j], NULL); + io->Describe(&desc, val->val.vector_val.vals[j], NULL); } desc.RemoveEscapeSequence(set_separator); diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index f430057ed8..8c04c52c41 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h 
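Review bot: The writer-constructor fix switches the `Bytes()` source to `BifConst::LogSQLite::empty_field` but keeps `BifConst::LogAscii::empty_field->Len()` as the length, so the pair still describes two different constants and will truncate or over-read whenever `LogAscii::empty_field` and `LogSQLite::empty_field` differ in length. The second argument should be `BifConst::LogSQLite::empty_field->Len()`. The `set_separator`/`unset_field` assignments immediately above this hunk likely need the same check.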
@@ -12,7 +12,7 @@ #include "../WriterBackend.h" #include "sqlite3.h" -#include "../../threading/AsciiInputOutput.h" +#include "../../threading/AsciiFormatter.h" namespace logging { namespace writer { @@ -50,7 +50,7 @@ private: string unset_field; string empty_field; - AsciiInputOutput* io; + AsciiFormatter* io; }; } From a251a1c39afd334aaf399c85548c30c1b89a6a44 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 11 Mar 2013 13:10:56 -0700 Subject: [PATCH 060/134] fix small bug with vectors and sets. On a first glance - this kind of seems to work. On mac-os you need a newer than the system-installed sqlite - the hanging problem only occurs with that one... --- src/input/readers/SQLite.h | 2 +- src/logging/writers/SQLite.cc | 11 +++++++---- src/logging/writers/SQLite.h | 7 +++++-- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 0705ba2df0..c00f1197bf 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -27,7 +27,7 @@ public: static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new SQLite(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields); virtual void DoClose(); diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index cf4be92e14..c529fbfe3c 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc 
@@ -109,14 +109,17 @@ bool SQLite::checkError( int code ) return false; } -bool SQLite::DoInit(const WriterInfo& info, int num_fields, - const Field* const * fields) +bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields, + const Field* const * arg_fields) { if ( sqlite3_threadsafe() == 0 ) { Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); return false; } + + num_fields = arg_num_fields; + fields = arg_fields; string fullpath(info.path); fullpath.append(".sqlite"); @@ -300,7 +303,7 @@ int SQLite::AddParams(Value* val, int pos) if ( j > 0 ) desc.AddRaw(set_separator); - io->Describe(&desc, val->val.set_val.vals[j], NULL); + io->Describe(&desc, val->val.set_val.vals[j], fields[pos]->name); // yes, giving NULL here is not really really pretty.... // it works however, because tables cannot contain tables... // or vectors. @@ -320,7 +323,7 @@ int SQLite::AddParams(Value* val, int pos) if ( j > 0 ) desc.AddRaw(set_separator); - io->Describe(&desc, val->val.vector_val.vals[j], NULL); + io->Describe(&desc, val->val.vector_val.vals[j], fields[pos]->name); } desc.RemoveEscapeSequence(set_separator); diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index 8c04c52c41..e5444a89b9 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -25,8 +25,8 @@ public: { return new SQLite(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const* fields); + virtual bool DoInit(const WriterInfo& info, int arg_num_fields, + const threading::Field* const* arg_fields); virtual bool DoWrite(int num_fields, const threading::Field* const* fields, threading::Value** vals); virtual bool DoSetBuf(bool enabled) { return true; } 
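Review bot: `fields = arg_fields;` keeps a raw pointer to the array the frontend passed to DoInit, and `AddParams` now dereferences it on every write; unless the frontend guarantees that array outlives the writer (not visible here), this is a dangling pointer waiting to happen. `DoWrite` already receives its own `fields` argument (context line in the header hunk: `virtual bool DoWrite(int num_fields, const threading::Field* const* fields, threading::Value** vals);`), so threading that through to `AddParams`, or copying the field names into a `std::vector<std::string>` in DoInit, removes the stored pointer entirely. Separately, the header declares `num_fields` as `unsigned int` while `arg_num_fields` is `int`, so a negative value would wrap silently; either align the types or reject `arg_num_fields < 0` before the assignment.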
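Review bot: `fields[pos]->name` indexes the field array with the same `pos` that this function hands to `sqlite3_bind_null(st, pos)` and `sqlite3_bind_text(st, pos, ...)`, and SQLite bind-parameter positions are 1-based while the array is 0-based. If DoWrite passes the bind index here (its body is outside the hunk), the name lookup is shifted by one column and reads one element past the array for the last field. Either use `fields[pos-1]->name` or have the caller supply the zero-based field index explicitly; the vector branch below has the same lookup.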
@@ -43,6 +43,9 @@ private: string GetTableType(int, int); char* FS(const char* format, ...); + const threading::Field* const * fields; // raw mapping + unsigned int num_fields; + sqlite3 *db; sqlite3_stmt *st; From fdc8de7596578c00872d8926c7076e847cbb6a53 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 11 Mar 2013 14:22:35 -0700 Subject: [PATCH 061/134] add sqlite tests and fix small vector/set escaping bugs --- src/logging/writers/SQLite.cc | 49 +++++++---- .../out | 15 ++++ .../ssh.select | 8 ++ .../base/frameworks/input/sqlite/types.bro | 87 +++++++++++++++++++ .../base/frameworks/logging/sqlite/types.bro | 77 ++++++++++++++++ 5 files changed, 218 insertions(+), 18 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.sqlite.types/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.types/ssh.select create mode 100644 testing/btest/scripts/base/frameworks/input/sqlite/types.bro create mode 100644 testing/btest/scripts/base/frameworks/logging/sqlite/types.bro diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index c529fbfe3c..23d7799b1e 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -22,17 +22,17 @@ SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend) { set_separator.assign( (const char*) BifConst::LogSQLite::set_separator->Bytes(), - BifConst::LogAscii::set_separator->Len() + BifConst::LogSQLite::set_separator->Len() ); unset_field.assign( (const char*) BifConst::LogSQLite::unset_field->Bytes(), - BifConst::LogAscii::unset_field->Len() + BifConst::LogSQLite::unset_field->Len() ); empty_field.assign( (const char*) BifConst::LogSQLite::empty_field->Bytes(), - BifConst::LogAscii::empty_field->Len() + BifConst::LogSQLite::empty_field->Len() ); db = 0; 
@@ -247,7 +247,7 @@ char* SQLite::FS(const char* format, ...) int SQLite::AddParams(Value* val, int pos) { - if ( ! val->present ) + if ( ! val->present ) return sqlite3_bind_null(st, pos); switch ( val->type ) { @@ -296,18 +296,25 @@ int SQLite::AddParams(Value* val, int pos) { ODesc desc; desc.Clear(); + desc.EnableEscaping(); desc.AddEscapeSequence(set_separator); - for ( int j = 0; j < val->val.set_val.size; j++ ) + if ( ! val->val.set_val.size ) { - if ( j > 0 ) - desc.AddRaw(set_separator); - - io->Describe(&desc, val->val.set_val.vals[j], fields[pos]->name); - // yes, giving NULL here is not really really pretty.... - // it works however, because tables cannot contain tables... - // or vectors. + desc.Add(empty_field); } + else + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + if ( j > 0 ) + desc.AddRaw(set_separator); + + io->Describe(&desc, val->val.set_val.vals[j], fields[pos]->name); + // yes, giving NULL here is not really really pretty.... + // it works however, because tables cannot contain tables... + // or vectors. + } + desc.RemoveEscapeSequence(set_separator); return sqlite3_bind_text(st, pos, (const char*) desc.Bytes(), desc.Len(), SQLITE_TRANSIENT); } @@ -316,15 +323,21 @@ int SQLite::AddParams(Value* val, int pos) { ODesc desc; desc.Clear(); + desc.EnableEscaping(); desc.AddEscapeSequence(set_separator); - - for ( int j = 0; j < val->val.vector_val.size; j++ ) + + if ( ! val->val.vector_val.size ) { - if ( j > 0 ) - desc.AddRaw(set_separator); - - io->Describe(&desc, val->val.vector_val.vals[j], fields[pos]->name); + desc.Add(empty_field); } + else + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + if ( j > 0 ) + desc.AddRaw(set_separator); + + io->Describe(&desc, val->val.vector_val.vals[j], fields[pos]->name); + } desc.RemoveEscapeSequence(set_separator); 
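Review bot: The comment kept inside the loop, `// yes, giving NULL here is not really really pretty....`, no longer matches the code, which now passes `fields[pos]->name` rather than NULL; it should be removed or reworded to describe the current call, e.g. `// The owning column's name is passed to Describe; sets cannot contain sets or vectors, so this does not recurse further.`. The new `else` governs a multi-line `for` body with no braces on the `else` branch while the empty-set branch above it is braced; bracing both branches the same way makes the structure easier to follow, and the @@ -316 hunk has the same shape. The body of AddParams continues outside the hunk.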
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.types/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.types/out new file mode 100644 index 0000000000..9b4aa6e207 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.types/out @@ -0,0 +1,15 @@ +[b=T, i=-42, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1358376849.393854, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], vs=[], vn=] +0 +1 +End of data diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.types/ssh.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.types/ssh.select new file mode 100644 index 0000000000..7b92f10d65 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.types/ssh.select @@ -0,0 +1,8 @@ +1|-42|SSH::LOG|21|123|10.0.0.0/24|1.2.3.4|3.14|1363036624.07106|100.0|hurz|2,4,1,3|CC,AA,BB|(empty)|10,20,30|(empty)|SSH::foo +{ +if (0 < SSH::i) + return (Foo); +else + return (Bar); + +} diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro b/testing/btest/scripts/base/frameworks/input/sqlite/types.bro new file mode 100644 index 0000000000..a325100964 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/sqlite/types.bro 
@@ -0,0 +1,87 @@ +# @TEST-EXEC: cat ssh.sql | sqlite3 ssh.sqlite +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +@TEST-START-FILE ssh.sql +PRAGMA foreign_keys=OFF; +BEGIN TRANSACTION; +CREATE TABLE ssh ( +'b' boolean, +'i' integer, +'e' text, +'c' integer, +'p' integer, +'sn' text, +'a' text, +'d' double precision, +'t' double precision, +'iv' double precision, +'s' text, +'sc' text, +'ss' text, +'se' text, +'vc' text, +'vs' text, +'vn' text +); +INSERT INTO "ssh" VALUES(1,-42,'SSH::LOG',21,123,'10.0.0.0/24','1.2.3.4',3.14,1.35837684939385390286e+09,100.0,'hurz','2,4,1,3','CC,AA,BB','(empty)','10,20,30','', null); +COMMIT; +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + vs: vector of string; + vn: vector of string &optional; + } &log; +} + + +global outfile: file; + +event line(description: Input::EventDescription, tpe: Input::Event, p: SSH::Log) + { + print outfile, p; + + print outfile, |p$se|; + print outfile, |p$vs|; + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["query"] = "select * from ssh;", + ["dbname"] = "ssh" + }; + + outfile = open("../out"); + Input::add_event([$source="../ssh", $name="ssh", $fields=SSH::Log, $ev=line, $reader=Input::READER_SQLITE, $want_record=T, $config=config_strings]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of data"; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro new file mode 100644 index 0000000000..24fcf7362b --- /dev/null 
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro @@ -0,0 +1,77 @@ +# +# @TEST-GROUP: sqlite +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: sqlite3 ssh.sqlite 'select * from ssh' > ssh.select +# @TEST-EXEC: btest-diff ssh.select +# +# Testing all possible types. + +redef LogSQLite::unset_field = "(unset)"; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; +} + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + Log::remove_filter(SSH::LOG, "default"); + + local filter: Log::Filter = [$name="sqlite", $path="ssh", $writer=Log::WRITER_SQLITE]; + Log::add_filter(SSH::LOG, filter); + + local empty_set: set[string]; + local empty_vector: vector of string; + + Log::write(SSH::LOG, [ + $b=T, + $i=-42, + $e=SSH::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=network_time(), + $iv=100secs, + $s="hurz", + $sc=set(1,2,3,4), + $ss=set("AA", "BB", "CC"), + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); +} + From 8778761c07e3d9009dd1e619a9e82bd525285d4a Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Wed, 13 Mar 2013 22:55:03 -0400 Subject: [PATCH 062/134] Checkpoint --- doc/scripts/DocSourcesList.cmake | 6 +- .../{metrics => measurement}/__load__.bro | 2 + .../{metrics => measurement}/cluster.bro | 60 +- scripts/base/frameworks/measurement/main.bro | 367 ++++++++++ .../frameworks/measurement/non-cluster.bro | 21 + .../measurement/plugins/__load__.bro | 7 + .../measurement/plugins/average.bro | 35 + .../frameworks/measurement/plugins/max.bro | 37 + .../frameworks/measurement/plugins/min.bro | 35 + .../measurement/plugins/std-dev.bro | 36 + .../frameworks/measurement/plugins/sum.bro | 35 + .../frameworks/measurement/plugins/unique.bro | 51 ++ .../measurement/plugins/variance.bro | 65 ++ .../base/frameworks/measurement/simple.bro | 6 + scripts/base/frameworks/metrics/main.bro | 664 ------------------ .../base/frameworks/metrics/non-cluster.bro | 37 - scripts/base/init-default.bro | 2 +- scripts/base/protocols/ssh/main.bro | 108 ++- .../frameworks/metrics/conn-example.bro | 2 +- .../frameworks/metrics/http-example.bro | 2 +- .../policy/frameworks/metrics/ssl-example.bro | 2 +- scripts/policy/misc/app-metrics.bro | 68 +- .../policy/misc/detect-traceroute/main.bro | 2 +- scripts/policy/misc/scan.bro | 10 +- .../protocols/conn/conn-stats-per-host.bro | 2 +- scripts/policy/protocols/conn/metrics.bro | 2 +- .../protocols/ftp/detect-bruteforcing.bro | 7 +- scripts/policy/protocols/http/detect-sqli.bro | 2 +- scripts/policy/protocols/smtp/metrics.bro | 2 +- .../protocols/ssh/detect-bruteforcing.bro | 6 +- 30 files changed, 833 insertions(+), 848 deletions(-) rename scripts/base/frameworks/{metrics => measurement}/__load__.bro (93%) rename scripts/base/frameworks/{metrics => measurement}/cluster.bro (83%) create mode 100644 scripts/base/frameworks/measurement/main.bro create mode 100644 scripts/base/frameworks/measurement/non-cluster.bro create mode 100644 scripts/base/frameworks/measurement/plugins/__load__.bro create mode 100644 
scripts/base/frameworks/measurement/plugins/average.bro create mode 100644 scripts/base/frameworks/measurement/plugins/max.bro create mode 100644 scripts/base/frameworks/measurement/plugins/min.bro create mode 100644 scripts/base/frameworks/measurement/plugins/std-dev.bro create mode 100644 scripts/base/frameworks/measurement/plugins/sum.bro create mode 100644 scripts/base/frameworks/measurement/plugins/unique.bro create mode 100644 scripts/base/frameworks/measurement/plugins/variance.bro create mode 100644 scripts/base/frameworks/measurement/simple.bro delete mode 100644 scripts/base/frameworks/metrics/main.bro delete mode 100644 scripts/base/frameworks/metrics/non-cluster.bro diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 5ce7221909..4e957d03a0 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -46,9 +46,9 @@ rest_target(${psd} base/frameworks/logging/writers/ascii.bro) rest_target(${psd} base/frameworks/logging/writers/dataseries.bro) rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro) rest_target(${psd} base/frameworks/logging/writers/none.bro) -rest_target(${psd} base/frameworks/metrics/cluster.bro) -rest_target(${psd} base/frameworks/metrics/main.bro) -rest_target(${psd} base/frameworks/metrics/non-cluster.bro) +rest_target(${psd} base/frameworks/measurement/cluster.bro) +rest_target(${psd} base/frameworks/measurement/main.bro) +rest_target(${psd} base/frameworks/measurement/non-cluster.bro) rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro) rest_target(${psd} base/frameworks/notice/actions/drop.bro) rest_target(${psd} base/frameworks/notice/actions/email_admin.bro) diff --git a/scripts/base/frameworks/metrics/__load__.bro b/scripts/base/frameworks/measurement/__load__.bro similarity index 93% rename from scripts/base/frameworks/metrics/__load__.bro rename to scripts/base/frameworks/measurement/__load__.bro index 35f6b30fb5..fc784e1632 100644 
--- a/scripts/base/frameworks/metrics/__load__.bro +++ b/scripts/base/frameworks/measurement/__load__.bro @@ -1,5 +1,7 @@ @load ./main +@load ./plugins + # The cluster framework must be loaded first. @load base/frameworks/cluster diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/measurement/cluster.bro similarity index 83% rename from scripts/base/frameworks/metrics/cluster.bro rename to scripts/base/frameworks/measurement/cluster.bro index 721f2a212e..6ccf5bb2f9 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/measurement/cluster.bro @@ -7,7 +7,7 @@ @load base/frameworks/cluster @load ./main -module Metrics; +module Measurement; export { ## Allows a user to decide how large of result groups the @@ -48,13 +48,13 @@ export { global cluster_index_request: event(uid: string, id: string, filter_name: string, index: Index); # This event is sent by nodes in response to a - # :bro:id:`Metrics::cluster_index_request` event. + # :bro:id:`Measurement::cluster_index_request` event. global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, val: ResultVal); # This is sent by workers to indicate that they crossed the percent of the # current threshold by the percentage defined globally in - # :bro:id:`Metrics::cluster_request_global_view_percent` - global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Metrics::Index); + # :bro:id:`Measurement::cluster_request_global_view_percent` + global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Measurement::Index); # This event is scheduled internally on workers to send result chunks. global send_data: event(uid: string, id: string, filter_name: string, data: MetricTable); 
@@ -62,8 +62,8 @@ export { # Add events to the cluster framework to make this work. -redef Cluster::manager2worker_events += /Metrics::cluster_(filter_request|index_request)/; -redef Cluster::worker2manager_events += /Metrics::cluster_(filter_response|index_response|index_intermediate_response)/; +redef Cluster::manager2worker_events += /Measurement::cluster_(filter_request|index_request)/; +redef Cluster::worker2manager_events += /Measurement::cluster_(filter_response|index_response|index_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) # This variable is maintained to know what indexes they have recently sent as @@ -88,12 +88,12 @@ function data_added(filter: Filter, index: Index, val: ResultVal) check_thresholds(filter, index, val, cluster_request_global_view_percent) ) { # kick off intermediate update - event Metrics::cluster_index_intermediate_response(filter$id, filter$name, index); + event Measurement::cluster_index_intermediate_response(filter$id, filter$name, index); ++recent_global_view_indexes[filter$id, filter$name, index]; } } -event Metrics::send_data(uid: string, id: string, filter_name: string, data: MetricTable) +event Measurement::send_data(uid: string, id: string, filter_name: string, data: MetricTable) { #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid); 
@@ -115,35 +115,35 @@ event Metrics::send_data(uid: string, id: string, filter_name: string, data: Met if ( |data| == 0 ) done = T; - event Metrics::cluster_filter_response(uid, id, filter_name, local_data, done); + event Measurement::cluster_filter_response(uid, id, filter_name, local_data, done); if ( ! done ) - event Metrics::send_data(uid, id, filter_name, data); + event Measurement::send_data(uid, id, filter_name, data); } -event Metrics::cluster_filter_request(uid: string, id: string, filter_name: string) +event Measurement::cluster_filter_request(uid: string, id: string, filter_name: string) { #print fmt("WORKER %s: received the cluster_filter_request event for %s.", Cluster::node, id); # Initiate sending all of the data for the requested filter. - event Metrics::send_data(uid, id, filter_name, store[id, filter_name]); + event Measurement::send_data(uid, id, filter_name, store[id, filter_name]); # Lookup the actual filter and reset it, the reference to the data # currently stored will be maintained internally by the send_data event. reset(filter_store[id, filter_name]); } -event Metrics::cluster_index_request(uid: string, id: string, filter_name: string, index: Index) +event Measurement::cluster_index_request(uid: string, id: string, filter_name: string, index: Index) { if ( [id, filter_name] in store && index in store[id, filter_name] ) { #print fmt("WORKER %s: received the cluster_index_request event for %s=%s.", Cluster::node, index2str(index), data); - event Metrics::cluster_index_response(uid, id, filter_name, index, store[id, filter_name][index]); + event Measurement::cluster_index_response(uid, id, filter_name, index, store[id, filter_name][index]); } else { # We need to send an empty response if we don't have the data so that the manager # can know that it heard back from all of the workers. 
- event Metrics::cluster_index_response(uid, id, filter_name, index, [$begin=network_time(), $end=network_time()]); + event Measurement::cluster_index_response(uid, id, filter_name, index, [$begin=network_time(), $end=network_time()]); } } @@ -177,7 +177,7 @@ global index_requests: table[string, string, string, Index] of ResultVal &read_e global outstanding_global_views: table[string, string] of count &default=0; # Managers handle logging. -event Metrics::finish_period(filter: Filter) +event Measurement::finish_period(filter: Filter) { #print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id); local uid = unique_id(""); @@ -189,9 +189,9 @@ event Metrics::finish_period(filter: Filter) filter_results[uid, filter$id, filter$name] = table(); # Request data from peers. - event Metrics::cluster_filter_request(uid, filter$id, filter$name); + event Measurement::cluster_filter_request(uid, filter$id, filter$name); # Schedule the next finish_period event. - schedule filter$every { Metrics::finish_period(filter) }; + schedule filter$every { Measurement::finish_period(filter) }; } # This is unlikely to be called often, but it's here in case there are metrics @@ -202,7 +202,7 @@ function data_added(filter: Filter, index: Index, val: ResultVal) threshold_crossed(filter, index, val); } -event Metrics::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) +event Measurement::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) { #print fmt("%0.6f MANAGER: receiving index data from %s - %s=%s", network_time(), get_event_peer()$descr, index2str(index), val); 
@@ -233,7 +233,7 @@ event Metrics::cluster_index_response(uid: string, id: string, filter_name: stri } # Managers handle intermediate updates here. -event Metrics::cluster_index_intermediate_response(id: string, filter_name: string, index: Index) +event Measurement::cluster_index_intermediate_response(id: string, filter_name: string, index: Index) { #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting index data for %s", index2str(index)); @@ -250,10 +250,10 @@ event Metrics::cluster_index_intermediate_response(id: string, filter_name: stri ++outstanding_global_views[id, filter_name]; local uid = unique_id(""); - event Metrics::cluster_index_request(uid, id, filter_name, index); + event Measurement::cluster_index_request(uid, id, filter_name, index); } -event Metrics::cluster_filter_response(uid: string, id: string, filter_name: string, data: MetricTable, done: bool) +event Measurement::cluster_filter_response(uid: string, id: string, filter_name: string, data: MetricTable, done: bool) { #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr); @@ -294,22 +294,6 @@ event Metrics::cluster_filter_response(uid: string, id: string, filter_name: str delete requested_results[uid]; } - if ( filter?$rollup ) - { - for ( index in local_data ) - { - if ( index !in rollup_store ) - rollup_store[index] = table(); - rollup_store[index][id, filter_name] = local_data[index]; - - # If all of the result vals are stored then the rollup callback can be executed. - if ( |rollup_store[index]| == |rollups[filter$rollup]$filters| ) - { - rollups[filter$rollup]$callback(index, rollup_store[index]); - } - } - } - if ( filter?$period_finished ) filter$period_finished(ts, filter$id, filter$name, local_data); diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro new file mode 100644 index 0000000000..3809fb16cc --- /dev/null 
+++ b/scripts/base/frameworks/measurement/main.bro 
@@ -0,0 +1,367 @@ +##! The metrics framework provides a way to count and measure data. + +@load base/utils/queue + +module Measurement; + +export { + ## The metrics logging stream identifier. + redef enum Log::ID += { LOG }; + + ## This is the interval for how often threshold based notices will happen + ## after they have already fired. + const threshold_crossed_restart_interval = 1hr &redef; + + ## The various calculations are all defined as plugins. + type Calculation: enum { + PLACEHOLDER + }; + + ## Represents a thing which is having metrics collected for it. An instance + ## of this record type and an id together represent a single measurement. + type Index: record { + ## A non-address related metric or a sub-key for an address based metric. + ## An example might be successful SSH connections by client IP address + ## where the client string would be the index value. + ## Another example might be number of HTTP requests to a particular + ## value in a Host header. This is an example of a non-host based + ## metric since multiple IP addresses could respond for the same Host + ## header value. + str: string &optional; + + ## Host is the value to which this metric applies. + host: addr &optional; + } &log; + + ## Represents data being added for a single metric data point. + ## Only supply a single value here at a time. + type DataPoint: record { + ## Count value. + num: count &optional; + ## Double value. + dbl: double &optional; + ## String value. + str: string &optional; + }; + + ## Value supplied when a metric is finished. It contains all + ## of the measurements collected for the metric. Most of the + ## fields are added by calculation plugins. + type ResultVal: record { + ## The time when this result was first started. + begin: time &log; + + ## The time when the last value was added to this result. + end: time &log; + + ## The number of measurements received. + num: count &log &default=0; + + ## A sample of something being measured. 
This is helpful in + ## some cases for collecting information to do further detection + ## or better logging for forensic purposes. + samples: vector of string &optional; + }; + + type Measurement: record { + ## The calculations to perform on the data. + apply: set[Calculation]; + + ## A predicate so that you can decide per index if you would like + ## to accept the data being inserted. + pred: function(index: Measurement::Index, data: Measurement::DataPoint): bool &optional; + + ## A function to normalize the index. This can be used to aggregate or + ## normalize the entire index. + normalize_func: function(index: Measurement::Index): Index &optional; + + ## A number of sample DataPoints to collect. + samples: count &optional; + }; + + + type Results: record { + begin: time; + end: time; + result + }; + + ## Type to store a table of metrics result values. + type ResultTable: table[Index] of Results; + + ## Filters define how the data from a metric is aggregated and handled. + ## Filters can be used to set how often the measurements are cut + ## and logged or how the data within them is aggregated. + type Filter: record { + ## A name for the filter in case multiple filters are being + ## applied to the same metric. In most cases the default + ## filter name is fine and this field does not need to be set. + id: string; + + ## The interval at which this filter should be "broken" and written + ## to the logging stream. The counters are also reset to zero at + ## this time so any threshold based detection needs to be set to a + ## number that should be expected to happen within this period. + every: interval; + + ## Optionally provide a function to calculate a value from the ResultVal + ## structure which will be used for thresholding. If no function is + ## provided, then in the following order of preference either the + ## $unique or the $sum fields will be used. 
+ threshold_val_func: function(val: Measurement::ResultVal): count &optional; + + ## The threshold value for calling the $threshold_crossed callback. + threshold: count &optional; + + ## A series of thresholds for calling the $threshold_crossed callback. + threshold_series: vector of count &optional; + + ## A callback with the full collection of ResultVals for this filter. + ## It's best to not access any global state outside of the variables + ## given to the callback because there is no assurance provided as to + ## where the callback will be executed on clusters. + period_finished: function(data: Measurement::ResultTable) &optional; + + ## A callback that is called when a threshold is crossed. + threshold_crossed: function(index: Measurement::Index, val: Measurement::ResultVal) &optional; + }; + + ## Function to associate a metric filter with a metric ID. + ## + ## id: The metric ID that the filter should be associated with. + ## + ## filter: The record representing the filter configuration. + global add_filter: function(id: string, filter: Measurement::Filter); + + ## Add data into a metric. This should be called when + ## a script has measured some point value and is ready to increment the + ## counters. + ## + ## id: The metric identifier that the data represents. + ## + ## index: The metric index that the value is to be added to. + ## + ## increment: How much to increment the counter by. + global add_data: function(id: string, index: Measurement::Index, data: Measurement::DataPoint); + + ## Helper function to represent a :bro:type:`Measurement::Index` value as + ## a simple string. + ## + ## index: The metric index that is to be converted into a string. + ## + ## Returns: A string reprentation of the metric index. + global index2str: function(index: Measurement::Index): string; + + ## Event to access metrics records as they are passed to the logging framework. 
+ global log_metrics: event(rec: Measurement::Info); + +} + +redef record Filter += { + # Internal use only. The metric that this filter applies to. The value is automatically set. + id: string &optional; +}; + +redef record ResultVal += { + # Internal use only. This is the queue where samples + # are maintained since the queue is self managing for + # the number of samples requested. + sample_queue: Queue::Queue &optional; + + # Internal use only. Indicates if a simple threshold was already crossed. + is_threshold_crossed: bool &default=F; + + # Internal use only. Current index for threshold series. + threshold_series_index: count &default=0; +}; + +# Store the filters indexed on the metric identifier and filter name. +global filter_store: table[string, string] of Filter = table(); + +# This is indexed by metric id and filter name. +global store: table[string, string] of ResultTable = table(); + +# This is a hook for watching thresholds being crossed. It is called whenever +# index values are updated and the new val is given as the `val` argument. +# It's only prototyped here because cluster and non-cluster have separate +# implementations. +global data_added: function(filter: Filter, index: Index, val: ResultVal); + +# Prototype the hook point for plugins to do calculations. +global add_to_calculation: hook(filter: Filter, val: double, data: DataPoint, result: ResultVal); +# Prototype the hook point for plugins to merge Measurements. +global plugin_merge_measurements: hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal); + +# Event that is used to "finish" metrics and adapt the metrics +# framework for clustered or non-clustered usage. 
+global finish_period: event(filter: Measurement::Filter); + +event bro_init() &priority=5 + { + Log::create_stream(Measurement::LOG, [$columns=Info, $ev=log_metrics]); + } + +function index2str(index: Index): string + { + local out = ""; + if ( index?$host ) + out = fmt("%shost=%s", out, index$host); + if ( index?$str ) + out = fmt("%s%sstr=%s", out, |out|==0 ? "" : ", ", index$str); + return fmt("metric_index(%s)", out); + } + +function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal + { + local result: ResultVal; + + # Merge $begin (take the earliest one) + result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; + + # Merge $end (take the latest one) + result$end = (rv1$end > rv2$end) ? rv1$end : rv2$end; + + # Merge $num + result$num = rv1$num + rv2$num; + + hook plugin_merge_measurements(result, rv1, rv2); + + # Merge $sample_queue + if ( rv1?$sample_queue && rv2?$sample_queue ) + result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue); + else if ( rv1?$sample_queue ) + result$sample_queue = rv1$sample_queue; + else if ( rv2?$sample_queue ) + result$sample_queue = rv2$sample_queue; + + # Merge $threshold_series_index + result$threshold_series_index = (rv1$threshold_series_index > rv2$threshold_series_index) ? rv1$threshold_series_index : rv2$threshold_series_index; + + # Merge $is_threshold_crossed + if ( rv1$is_threshold_crossed || rv2$is_threshold_crossed ) + result$is_threshold_crossed = T; + + return result; + } + +function reset(filter: Filter) + { + if ( [filter$id, filter$name] in store ) + delete store[filter$id, filter$name]; + + store[filter$id, filter$name] = table(); + } + +function add_filter(id: string, filter: Filter) + { + if ( [id, filter$name] in store ) + { + Reporter::warning(fmt("invalid Metric filter (%s): Filter with same name already exists.", filter$name)); + return; + } + + if ( ! 
filter?$id ) + filter$id = id; + + filter_store[id, filter$name] = filter; + store[id, filter$name] = table(); + + schedule filter$every { Measurement::finish_period(filter) }; + } + +function add_data(id: string, index: Index, data: DataPoint) + { + # Try to add the data to all of the defined filters for the metric. + for ( [metric_id, filter_id] in filter_store ) + { + local filter = filter_store[metric_id, filter_id]; + + # If this filter has a predicate, run the predicate and skip this + # index if the predicate return false. + if ( filter?$pred && ! filter$pred(index, data) ) + next; + + #if ( filter?$normalize_func ) + # index = filter$normalize_func(copy(index)); + + local metric_tbl = store[id, filter$name]; + if ( index !in metric_tbl ) + metric_tbl[index] = [$begin=network_time(), $end=network_time()]; + + local result = metric_tbl[index]; + + # If a string was given, fall back to 1.0 as the value. + local val = 1.0; + if ( data?$num || data?$dbl ) + val = data?$dbl ? data$dbl : data$num; + + ++result$num; + # Continually update the $end field. + result$end=network_time(); + + #if ( filter?$samples && filter$samples > 0 && data?$str ) + # { + # if ( ! result?$sample_queue ) + # result$sample_queue = Queue::init([$max_len=filter$samples]); + # Queue::push(result$sample_queue, data$str); + # } + + hook add_to_calculation(filter, val, data, result); + data_added(filter, index, result); + } + } + +# This function checks if a threshold has been crossed. It is also used as a method to implement +# mid-break-interval threshold crossing detection for cluster deployments. +function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_pct: double): bool + { + if ( ! 
(filter?$threshold || filter?$threshold_series) ) + return; + + local watch = 0.0; + if ( val?$unique ) + watch = val$unique; + else if ( val?$sum ) + watch = val$sum; + + if ( filter?$threshold_val_func ) + watch = filter$threshold_val_func(val); + + if ( modify_pct < 1.0 && modify_pct > 0.0 ) + watch = watch/modify_pct; + + if ( ! val$is_threshold_crossed && + filter?$threshold && watch >= filter$threshold ) + { + # A default threshold was given and the value crossed it. + return T; + } + + if ( filter?$threshold_series && + |filter$threshold_series| >= val$threshold_series_index && + watch >= filter$threshold_series[val$threshold_series_index] ) + { + # A threshold series was given and the value crossed the next + # value in the series. + return T; + } + + return F; + } + +function threshold_crossed(filter: Filter, index: Index, val: ResultVal) + { + if ( ! filter?$threshold_crossed ) + return; + + if ( val?$sample_queue ) + val$samples = Queue::get_str_vector(val$sample_queue); + + filter$threshold_crossed(index, val); + val$is_threshold_crossed = T; + + # Bump up to the next threshold series index if a threshold series is being used. + if ( filter?$threshold_series ) + ++val$threshold_series_index; + } + diff --git a/scripts/base/frameworks/measurement/non-cluster.bro b/scripts/base/frameworks/measurement/non-cluster.bro new file mode 100644 index 0000000000..11bb7f16dc --- /dev/null +++ b/scripts/base/frameworks/measurement/non-cluster.bro @@ -0,0 +1,21 @@ +@load ./main + +module Measurement; + +event Measurement::finish_period(filter: Filter) + { + local data = store[filter$id, filter$name]; + if ( filter?$period_finished ) + filter$period_finished(network_time(), filter$id, filter$name, data); + + reset(filter); + + schedule filter$every { Measurement::finish_period(filter) }; + } + + +function data_added(filter: Filter, index: Index, val: ResultVal) + { + if ( check_thresholds(filter, index, val, 1.0) ) + threshold_crossed(filter, index, val); + } 
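Review bot: `check_thresholds` is declared to return `bool` but its first guard is a bare `return;`, and the series check lets `val$threshold_series_index` equal `|filter$threshold_series|`, which then indexes one past the end of the vector; change the guard to `return F;` and the bound to `|filter$threshold_series| > val$threshold_series_index`. In `add_data` the loop visits every entry of `filter_store` regardless of the `id` argument and then reads `store[id, filter$name]`, so a filter registered for another metric is applied to this metric's data and the lookup can miss; `if ( metric_id != id ) next;` at the top of the loop restricts it to the intended filters. `Filter$period_finished` is declared as `function(data: Measurement::ResultTable)` while both callers on this page, in `non-cluster.bro` and in the @@ -294 hunk of `cluster.bro`, pass four arguments (`ts, filter$id, filter$name, data`), so one side has to change. The `Results` record with its bare `result` field, the `Filter` record that declares `id` and is then redef'd with `id` again while the code reads `filter$name`, and the `Info` type used by `Log::create_stream` but not defined here look like checkpoint leftovers that block this file from loading.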
diff --git a/scripts/base/frameworks/measurement/plugins/__load__.bro b/scripts/base/frameworks/measurement/plugins/__load__.bro new file mode 100644 index 0000000000..b708f917d1 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/__load__.bro @@ -0,0 +1,7 @@ +@load ./average +@load ./max +@load ./min +@load ./std-dev +@load ./sum +@load ./unique +@load ./variance \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/measurement/plugins/average.bro new file mode 100644 index 0000000000..d3e1bef4d5 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/average.bro @@ -0,0 +1,35 @@ + +module Metrics; + +export { + redef enum Calculation += { + ## Calculate the average of the values. + AVERAGE + }; + + redef record ResultVal += { + ## For numeric data, this calculates the average of all values. + average: double &log &optional; + }; +} + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) + { + if ( AVERAGE in filter$measure ) + { + if ( ! result?$average ) + result$average = val; + else + result$average += (val - result$average) / result$num; + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) + { + if ( rv1?$average && rv2?$average ) + result$average = ((rv1$average*rv1$num) + (rv2$average*rv2$num))/(rv1$num+rv2$num); + else if ( rv1?$average ) + result$average = rv1$average; + else if ( rv2?$average ) + result$average = rv2$average; + } \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/measurement/plugins/max.bro new file mode 100644 index 0000000000..806713dbd4 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/max.bro 
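Review bot: `module Metrics;` places this plugin in the old namespace while everything it extends now lives in `module Measurement;` (the `Calculation` enum, `ResultVal` and the `add_to_calculation`/`plugin_merge_measurements` hooks are all declared there on this page), and `filter$measure` is not a field of the new `Filter` record, whose calculations live in the separate `Measurement` record's `apply` set; as written the handlers will not resolve against the new framework. Changing the header to `module Measurement;` and the membership test to `AVERAGE in ...$apply` (once the framework settles on how the hook reaches that set) would align it. The same two issues are in the max, min, std-dev and sum plugins added by this commit.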
@@ -0,0 +1,37 @@ + +module Metrics; + +export { + redef enum Calculation += { + ## Find the maximum value. + MAX + }; + + redef record ResultVal += { + ## For numeric data, this tracks the maximum value given. + max: double &log &optional; + }; +} + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) + { + if ( MAX in filter$measure ) + { + if ( ! result?$max ) + result$max = val; + else if ( val > result$max ) + result$max = val; + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) + { + if ( rv1?$max && rv2?$max ) + result$max = (rv1$max > rv2$max) ? rv1$max : rv2$max; + else if ( rv1?$max ) + result$max = rv1$max; + else if ( rv2?$max ) + result$max = rv2$max; + } + + diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/measurement/plugins/min.bro new file mode 100644 index 0000000000..e0d4003b31 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/min.bro @@ -0,0 +1,35 @@ + +module Metrics; + +export { + redef enum Calculation += { + ## Find the minimum value. + MIN + }; + + redef record ResultVal += { + ## For numeric data, this tracks the minimum value given. + min: double &log &optional; + }; +} + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) + { + if ( MIN in filter$measure ) + { + if ( ! result?$min ) + result$min = val; + else if ( val < result$min ) + result$min = val; + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) + { + if ( rv1?$min && rv2?$min ) + result$min = (rv1$min < rv2$min) ? rv1$min : rv2$min; + else if ( rv1?$min ) + result$min = rv1$min; + else if ( rv2?$min ) + result$min = rv2$min; + } \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro new file mode 100644 index 0000000000..cbd0db3416 --- /dev/null 
+++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro @@ -0,0 +1,36 @@ +@load ./sum +@load ./variance + +module Metrics; + +export { + redef enum Calculation += { + ## Find the standard deviation of the values. + STD_DEV + }; + + redef record ResultVal += { + ## For numeric data, this calculates the standard deviation. + std_dev: double &log &optional; + }; +} + +# This depends on the variance plugin which uses priority -5 +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=-10 + { + if ( STD_DEV in filter$measure ) + { + if ( result?$variance ) + result$std_dev = sqrt(result$variance); + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-10 + { + if ( rv1?$sum || rv2?$sum ) + { + result$sum = rv1?$sum ? rv1$sum : 0; + if ( rv2?$sum ) + result$sum += rv2$sum; + } + } \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro new file mode 100644 index 0000000000..2f615ffb6c --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/sum.bro @@ -0,0 +1,35 @@ + +module Metrics; + +export { + redef enum Calculation += { + ## Sums the values given. For string values, + ## this will be the number of strings given. + SUM + }; + + redef record ResultVal += { + ## For numeric data, this tracks the sum of all values. + sum: double &log &optional; + }; +} + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) + { + if ( SUM in filter$measure ) + { + if ( ! result?$sum ) + result$sum = 0; + result$sum += val; + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) + { + if ( rv1?$sum || rv2?$sum ) + { + result$sum = rv1?$sum ? rv1$sum : 0; + if ( rv2?$sum ) + result$sum += rv2$sum; + } + } \ No newline at end of file 
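Review bot: The `plugin_merge_measurements` hook in std-dev.bro is a copy of the one in sum.bro: it recomputes `result$sum` and never sets `result$std_dev`, so a merged result (the cluster path) carries a variance but no standard deviation. Its body should mirror the add hook, `if ( result?$variance ) result$std_dev = sqrt(result$variance);`, and with that change the `@load ./sum` at the top is no longer needed. The -10 priority is right only if variance.bro's merge hook at -5 actually sets `result$variance`; as written in this patch it only merges `var_s`, so that hook needs fixing too for this one to have anything to read.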
diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro new file mode 100644 index 0000000000..66cab47897 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/unique.bro @@ -0,0 +1,51 @@ + +module Metrics; + +export { + redef enum Calculation += { + ## Calculate the number of unique values. + UNIQUE + }; + + redef record ResultVal += { + ## If cardinality is being tracked, the number of unique + ## items is tracked here. + unique: count &log &optional; + }; +} + +redef record ResultVal += { + # Internal use only. This is not meant to be publically available + # because we don't want to trust that we can inspect the values + # since we will like move to a probalistic data structure in the future. + # TODO: in the future this will optionally be a hyperloglog structure + unique_vals: set[DataPoint] &optional; +}; + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) + { + if ( UNIQUE in filter$measure ) + { + if ( ! result?$unique_vals ) + result$unique_vals=set(); + add result$unique_vals[data]; + } + } + +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) + { + if ( rv1?$unique_vals || rv2?$unique_vals ) + { + if ( rv1?$unique_vals ) + result$unique_vals = rv1$unique_vals; + + if ( rv2?$unique_vals ) + if ( ! result?$unique_vals ) + result$unique_vals = rv2$unique_vals; + else + for ( val2 in rv2$unique_vals ) + add result$unique_vals[val2]; + + result$unique = |result$unique_vals|; + } + } \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro new file mode 100644 index 0000000000..df83361c35 --- /dev/null +++ b/scripts/base/frameworks/measurement/plugins/variance.bro 
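Review bot: `add_to_calculation` in unique.bro updates `result$unique_vals` but never sets `result$unique`; only the merge hook computes it, so on a single node the logged `unique` field stays empty and the threshold check earlier in this patch, which prefers `val$unique`, never sees the cardinality. Add `result$unique = |result$unique_vals|;` directly after the `add result$unique_vals[data];` line. The merge hook also assigns `result$unique_vals = rv1$unique_vals;` and then inserts rv2's values into it, which mutates rv1's set through the shared reference; use `copy(rv1$unique_vals)` if rv1 must stay intact. Finally, the set grows by one entry per distinct value per index with no bound, and in most deployments those values are chosen by remote hosts, so until the probabilistic structure mentioned in the comment lands, the `UNIQUE` doc comment should say so: `## Note: every distinct value is retained in memory until the period ends.`.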
@@ -0,0 +1,65 @@ +@load ./average + +module Metrics; + +export { + redef enum Calculation += { + ## Find the variance of the values. + VARIANCE + }; + + redef record ResultVal += { + ## For numeric data, this calculates the variance. + variance: double &log &optional; + }; +} + +redef record ResultVal += { + # Internal use only. Used for incrementally calculating variance. + prev_avg: double &optional; + + # Internal use only. For calculating incremental variance. + var_s: double &optional; +}; + +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=5 + { + if ( VARIANCE in filter$measure ) + result$prev_avg = result$average; + } + +# Reduced priority since this depends on the average +hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=-5 + { + if ( VARIANCE in filter$measure ) + { + if ( ! result?$var_s ) + result$var_s = 0.0; + result$var_s += (val - result$prev_avg) * (val - result$average); + result$variance = (val > 0) ? result$var_s/val : 0.0; + } + } + +# Reduced priority since this depends on the average +hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-5 + { + if ( rv1?$var_s && rv2?$var_s ) + { + local rv1_avg_sq = (rv1$average - result$average); + rv1_avg_sq = rv1_avg_sq*rv1_avg_sq; + local rv2_avg_sq = (rv2$average - result$average); + rv2_avg_sq = rv2_avg_sq*rv2_avg_sq; + result$var_s = rv1$num*(rv1$var_s/rv1$num + rv1_avg_sq) + rv2$num*(rv2$var_s/rv2$num + rv2_avg_sq); + } + else if ( rv1?$var_s ) + result$var_s = rv1$var_s; + else if ( rv2?$var_s ) + result$var_s = rv2$var_s; + + if ( rv1?$prev_avg && rv2?$prev_avg ) + result$prev_avg = ((rv1$prev_avg*rv1$num) + (rv2$prev_avg*rv2$num))/(rv1$num+rv2$num); + else if ( rv1?$prev_avg ) + result$prev_avg = rv1$prev_avg; + else if ( rv2?$prev_avg ) + result$prev_avg = rv2$prev_avg; + } \ No newline at end of file 
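Review bot: `result$variance = (val > 0) ? result$var_s/val : 0.0;` divides the running sum of squares by the data value instead of by the sample count, so the logged variance is wrong for every input; the deleted main.bro used the count, and this line should read `result$variance = (result$num > 1) ? result$var_s/result$num : 0.0;`. The +5 hook reads `result$average` unconditionally, but on the first data point average.bro has not set it yet, so the access fails on an unset optional field; `result$prev_avg = result?$average ? result$average : val;` keeps the old first-sample behaviour of a zero contribution. The merge hook merges `var_s` and `prev_avg` but leaves `result$variance` unset, so after a merge no variance (and hence no std_dev) is reported; recompute it from `result$var_s` and `result$num` at the end of that hook.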
diff --git a/scripts/base/frameworks/measurement/simple.bro b/scripts/base/frameworks/measurement/simple.bro new file mode 100644 index 0000000000..51bf7e8c44 --- /dev/null +++ b/scripts/base/frameworks/measurement/simple.bro @@ -0,0 +1,6 @@ + +module Metrics; + +export { + +} \ No newline at end of file diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro deleted file mode 100644 index 6101d1cf4a..0000000000 --- a/scripts/base/frameworks/metrics/main.bro +++ /dev/null 
@@ -1,664 +0,0 @@ -##! The metrics framework provides a way to count and measure data. - -@load base/utils/queue - -module Metrics; - -export { - ## The metrics logging stream identifier. - redef enum Log::ID += { LOG }; - - ## This is the interval for how often threshold based notices will happen - ## after they have already fired. - const threshold_crossed_restart_interval = 1hr &redef; - - type Calculation: enum { - ## Sums the values given. For string values, - ## this will be the number of strings given. - SUM, - ## Find the minimum value. - MIN, - ## Find the maximum value. - MAX, - ## Find the variance of the values. - VARIANCE, - ## Find the standard deviation of the values. - STD_DEV, - ## Calculate the average of the values. - AVG, - ## Calculate the number of unique values. - UNIQUE, - }; - - ## Represents a thing which is having metrics collected for it. An instance - ## of this record type and an id together represent a single measurement. - type Index: record { - ## A non-address related metric or a sub-key for an address based metric. - ## An example might be successful SSH connections by client IP address - ## where the client string would be the index value. - ## Another example might be number of HTTP requests to a particular - ## value in a Host header. This is an example of a non-host based - ## metric since multiple IP addresses could respond for the same Host - ## header value. - str: string &optional; - - ## Host is the value to which this metric applies. - host: addr &optional; - - ## The CIDR block that this metric applies to. This is typically - ## only used internally for host based aggregation. - network: subnet &optional; - } &log; - - ## Represents data being added for a single metric data point. - ## Only supply a single value here at a time. - type DataPoint: record { - ## Count value. - num: count &optional; - ## Double value. - dbl: double &optional; - ## String value. 
- str: string &optional; - }; - - ## Value supplied when a metric is finished. It contains all - ## of the measurements collected for the metric. - type ResultVal: record { - ## The time when this result was first started. - begin: time &log; - - ## The time when the last value was added to this result. - end: time &log; - - ## The number of measurements received. - num: count &log &default=0; - - ## For numeric data, this tracks the sum of all values. - sum: double &log &optional; - - ## For numeric data, this tracks the minimum value given. - min: double &log &optional; - - ## For numeric data, this tracks the maximum value given. - max: double &log &optional; - - ## For numeric data, this calculates the average of all values. - avg: double &log &optional; - - ## For numeric data, this calculates the variance. - variance: double &log &optional; - - ## For numeric data, this calculates the standard deviation. - std_dev: double &log &optional; - - ## If cardinality is being tracked, the number of unique - ## items is tracked here. - unique: count &log &optional; - - ## A sample of something being measured. This is helpful in - ## some cases for collecting information to do further detection - ## or better logging for forensic purposes. - samples: vector of string &optional; - }; - - ## The record type that is used for logging metrics. - type Info: record { - ## Timestamp at which the metric was "broken". - ts: time &log; - ## Interval between logging of this filter and the last time it was logged. - ts_delta: interval &log; - ## What measurement the metric represents. - metric: string &log; - ## What the metric value applies to. - index: Index &log; - ## The simple numeric value of the metric. - result: ResultVal &log; - }; - - ## Type to store a table of metrics result values. - type MetricTable: table[Index] of ResultVal; - - ## Filters define how the data from a metric is aggregated and handled. 
- ## Filters can be used to set how often the measurements are cut - ## and logged or how the data within them is aggregated. It's also - ## possible to disable logging and use filters solely for thresholding. - type Filter: record { - ## A name for the filter in case multiple filters are being - ## applied to the same metric. In most cases the default - ## filter name is fine and this field does not need to be set. - name: string &default="default"; - - ## The interval at which this filter should be "broken" and written - ## to the logging stream. The counters are also reset to zero at - ## this time so any threshold based detection needs to be set to a - ## number that should be expected to happen within this period. - every: interval; - - ## The measurements to perform on the data. - measure: set[Calculation] &optional; - - ## A predicate so that you can decide per index if you would like - ## to accept the data being inserted. - pred: function(index: Metrics::Index, data: Metrics::DataPoint): bool &optional; - - ## A function to normalize the index. This can be used to aggregate or - ## normalize the entire index. - normalize_func: function(index: Metrics::Index): Index &optional; - - ## Global mask by to aggregate traffic measuring an attribute of hosts. - ## This is a special case of the normalize_func. - aggregation_mask: count &optional; - - ## Optionally provide a function to calculate a value from the ResultVal - ## structure which will be used for thresholding. If no function is - ## provided, then in the following order of preference either the - ## $unique or the $sum fields will be used. - threshold_val_func: function(val: Metrics::ResultVal): count &optional; - - ## A direct threshold for calling the $threshold_crossed function when - ## the SUM is greater than or equal to this value. - threshold: count &optional; - - ## A series of thresholds for calling the $threshold_crossed function. 
- threshold_series: vector of count &optional; - - ## A predicate so that you can decide when to flexibly declare when - ## a threshold crossed, and do extra work. - threshold_func: function(index: Metrics::Index, val: Metrics::ResultVal): bool &optional; - - ## A callback with the full collection of ResultVals for this filter. This - ## is defined as a redef because the function includes a :bro:type:`Filter` - ## record which is self referential before the Filter type has been fully - ## defined and doesn't work. - period_finished: function(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) &optional; - - ## A callback that is called when a threshold is crossed. - threshold_crossed: function(index: Metrics::Index, val: Metrics::ResultVal) &optional; - - ## A rollup to register this filter with. - rollup: string &optional; - - ## A number of sample DataPoint strings to collect for the threshold - ## crossing callback. - samples: count &optional; - }; - - ## Function to associate a metric filter with a metric ID. - ## - ## id: The metric ID that the filter should be associated with. - ## - ## filter: The record representing the filter configuration. - global add_filter: function(id: string, filter: Metrics::Filter); - - ## Add data into a metric. This should be called when - ## a script has measured some point value and is ready to increment the - ## counters. - ## - ## id: The metric identifier that the data represents. - ## - ## index: The metric index that the value is to be added to. - ## - ## increment: How much to increment the counter by. - global add_data: function(id: string, index: Metrics::Index, data: Metrics::DataPoint); - - ## The callback definition for rollup functions. - type RollupCallback: function(index: Metrics::Index, vals: table[string, string] of Metrics::ResultVal); - - ## Add a rollup function for merging multiple filters with matching - ## indexes. 
If the metrics filters being merged don't have equivalent times - ## in the $every field, an error will be generated. - ## - ## name: An arbitrary name for this filter rollup. - ## - ## vals: Each ResultVal record indexed by the appropriate metric name and filter name. - global create_index_rollup: function(name: string, rollup: RollupCallback); - - ## Helper function to represent a :bro:type:`Metrics::Index` value as - ## a simple string. - ## - ## index: The metric index that is to be converted into a string. - ## - ## Returns: A string reprentation of the metric index. - global index2str: function(index: Metrics::Index): string; - - ## A helper function to use with the `period_finished` field in filters. Using - ## this function is not recommended however since each metric likely has - ## different data and different semantics which would be better served by writing - ## a custom function that logs in more domain specific fashion. - global write_log: function(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable); - - ## Event to access metrics records as they are passed to the logging framework. - global log_metrics: event(rec: Metrics::Info); - -} - -redef record Filter += { - # Internal use only. The metric that this filter applies to. The value is automatically set. - id: string &optional; -}; - -redef record ResultVal += { - # Internal use only. Used for incrementally calculating variance. - prev_avg: double &optional; - - # Internal use only. For calculating variance. - var_s: double &optional; - - # Internal use only. This is not meant to be publically available - # because we don't want to trust that we can inspect the values - # since we will like move to a probalistic data structure in the future. - # TODO: in the future this will optionally be a hyperloglog structure - unique_vals: set[DataPoint] &optional; - - # Internal use only. 
This is the queue where samples - # are maintained since the queue is self managing for - # the number of samples requested. - sample_queue: Queue::Queue &optional; - - # Internal use only. Indicates if a simple threshold was already crossed. - is_threshold_crossed: bool &default=F; - - # Internal use only. Current index for threshold series. - threshold_series_index: count &default=0; -}; - -# Store the filters indexed on the metric identifier. -global metric_filters: table[string] of vector of Filter = table(); - -# Store the filters indexed on the metric identifier and filter name. -global filter_store: table[string, string] of Filter = table(); - -# This is indexed by metric id and filter name. -global store: table[string, string] of MetricTable = table(); - -# This is a hook for watching thresholds being crossed. It is called whenever -# index values are updated and the new val is given as the `val` argument. -# It's only prototyped here because cluster and non-cluster have separate -# implementations. -global data_added: function(filter: Filter, index: Index, val: ResultVal); - -type Rollup: record { - callback: RollupCallback; - filters: set[Filter] &optional; -}; -global rollups: table[string] of Rollup; -global rollup_store: table[Index] of table[string, string] of ResultVal = {}; - - -## Event that is used to "finish" metrics and adapt the metrics -## framework for clustered or non-clustered usage. -global finish_period: event(filter: Metrics::Filter); - -event bro_init() &priority=5 - { - Log::create_stream(Metrics::LOG, [$columns=Info, $ev=log_metrics]); - } - -function index2str(index: Index): string - { - local out = ""; - if ( index?$host ) - out = fmt("%shost=%s", out, index$host); - if ( index?$network ) - out = fmt("%s%snetwork=%s", out, |out|==0 ? "" : ", ", index$network); - if ( index?$str ) - out = fmt("%s%sstr=%s", out, |out|==0 ? 
"" : ", ", index$str); - return fmt("metric_index(%s)", out); - } - -function do_calculated_fields(val: ResultVal) - { - if ( val?$unique_vals ) - val$unique = |val$unique_vals|; - if ( val?$var_s ) - val$variance = (val$num > 1) ? val$var_s/val$num : 0.0; - if ( val?$variance ) - val$std_dev = sqrt(val$variance); - } - -function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal - { - local result: ResultVal; - - # Merge $begin (take the earliest one) - result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; - - # Merge $end (take the latest one) - result$end = (rv1$end > rv2$end) ? rv1$end : rv2$end; - - # Merge $num - result$num = rv1$num + rv2$num; - - # Merge $sum - if ( rv1?$sum || rv2?$sum ) - { - result$sum = rv1?$sum ? rv1$sum : 0; - if ( rv2?$sum ) - result$sum += rv2$sum; - } - - # Merge $max - if ( rv1?$max && rv2?$max ) - result$max = (rv1$max > rv2$max) ? rv1$max : rv2$max; - else if ( rv1?$max ) - result$max = rv1$max; - else if ( rv2?$max ) - result$max = rv2$max; - - # Merge $min - if ( rv1?$min && rv2?$min ) - result$min = (rv1$min < rv2$min) ? 
rv1$min : rv2$min; - else if ( rv1?$min ) - result$min = rv1$min; - else if ( rv2?$min ) - result$min = rv2$min; - - # Merge $avg - if ( rv1?$avg && rv2?$avg ) - result$avg = ((rv1$avg*rv1$num) + (rv2$avg*rv2$num))/(rv1$num+rv2$num); - else if ( rv1?$avg ) - result$avg = rv1$avg; - else if ( rv2?$avg ) - result$avg = rv2$avg; - - # Merge $prev_avg - if ( rv1?$prev_avg && rv2?$prev_avg ) - result$prev_avg = ((rv1$prev_avg*rv1$num) + (rv2$prev_avg*rv2$num))/(rv1$num+rv2$num); - else if ( rv1?$prev_avg ) - result$prev_avg = rv1$prev_avg; - else if ( rv2?$prev_avg ) - result$prev_avg = rv2$prev_avg; - - # Merge $var_s - if ( rv1?$var_s && rv2?$var_s ) - { - local rv1_avg_sq = (rv1$avg - result$avg); - rv1_avg_sq = rv1_avg_sq*rv1_avg_sq; - local rv2_avg_sq = (rv2$avg - result$avg); - rv2_avg_sq = rv2_avg_sq*rv2_avg_sq; - result$var_s = rv1$num*(rv1$var_s/rv1$num + rv1_avg_sq) + rv2$num*(rv2$var_s/rv2$num + rv2_avg_sq); - } - else if ( rv1?$var_s ) - result$var_s = rv1$var_s; - else if ( rv2?$var_s ) - result$var_s = rv2$var_s; - - # Merge $unique_vals - if ( rv1?$unique_vals || rv2?$unique_vals ) - { - if ( rv1?$unique_vals ) - result$unique_vals = rv1$unique_vals; - - if ( rv2?$unique_vals ) - if ( ! result?$unique_vals ) - result$unique_vals = rv2$unique_vals; - else - for ( val2 in rv2$unique_vals ) - add result$unique_vals[val2]; - } - - # Merge $sample_queue - if ( rv1?$sample_queue && rv2?$sample_queue ) - result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue); - else if ( rv1?$sample_queue ) - result$sample_queue = rv1$sample_queue; - else if ( rv2?$sample_queue ) - result$sample_queue = rv2$sample_queue; - - # Merge $threshold_series_index - result$threshold_series_index = (rv1$threshold_series_index > rv2$threshold_series_index) ? 
rv1$threshold_series_index : rv2$threshold_series_index; - - # Merge $is_threshold_crossed - if ( rv1$is_threshold_crossed || rv2$is_threshold_crossed ) - result$is_threshold_crossed = T; - - do_calculated_fields(result); - return result; - } - -function write_log(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) - { - local filter = filter_store[metric_name, filter_name]; - for ( index in data ) - { - local m: Info = [$ts=ts, - $ts_delta=filter$every, - $metric=filter$id, - $index=index, - $result=data[index]]; - Log::write(LOG, m); - } - } - -function reset(filter: Filter) - { - if ( [filter$id, filter$name] in store ) - delete store[filter$id, filter$name]; - - store[filter$id, filter$name] = table(); - } - -function add_filter(id: string, filter: Filter) - { - if ( filter?$normalize_func && filter?$aggregation_mask ) - { - Reporter::warning(fmt("invalid Metric filter (%s): Defined both $normalize_func and $aggregation_mask.", filter$name)); - return; - } - if ( [id, filter$name] in store ) - { - Reporter::warning(fmt("invalid Metric filter (%s): Filter with same name already exists.", filter$name)); - return; - } - if ( filter?$rollup ) - { - if ( filter$rollup !in rollups ) - { - Reporter::warning(fmt("invalid Metric filter (%s): %s rollup doesn't exist.", filter$name, filter$rollup)); - return; - } - else - { - local every_field = 0secs; - for ( filt in rollups ) - { - if ( [id, filt] !in filter_store ) - next; - - if ( every_field == 0secs ) - every_field = filter_store[id, filt]$every; - else if ( every_field == filter_store[id, filt]$every ) - { - Reporter::warning(fmt("invalid Metric rollup for %s: Filters with differing $every fields applied to %s.", filter$name, filter$rollup)); - return; - } - } - } - add rollups[filter$rollup]$filters[filter]; - } - - if ( ! 
filter?$id ) - filter$id = id; - - if ( id !in metric_filters ) - metric_filters[id] = vector(); - metric_filters[id][|metric_filters[id]|] = filter; - - filter_store[id, filter$name] = filter; - store[id, filter$name] = table(); - - schedule filter$every { Metrics::finish_period(filter) }; - } - -function add_data(id: string, index: Index, data: DataPoint) - { - if ( id !in metric_filters ) - return; - - local filters = metric_filters[id]; - - # Try to add the data to all of the defined filters for the metric. - for ( filter_id in filters ) - { - local filter = filters[filter_id]; - - # If this filter has a predicate, run the predicate and skip this - # index if the predicate return false. - if ( filter?$pred && ! filter$pred(index, data) ) - next; - - if ( filter?$normalize_func ) - index = filter$normalize_func(copy(index)); - - if ( index?$host && filter?$aggregation_mask ) - { - index$network = mask_addr(index$host, filter$aggregation_mask); - delete index$host; - } - - local metric_tbl = store[id, filter$name]; - if ( index !in metric_tbl ) - metric_tbl[index] = [$begin=network_time(), $end=network_time()]; - - local result = metric_tbl[index]; - - # If a string was given, fall back to 1.0 as the value. - local val = 1.0; - if ( data?$num || data?$dbl ) - val = data?$dbl ? data$dbl : data$num; - - ++result$num; - # Continually update the $end field. - result$end=network_time(); - - if ( filter?$samples && filter$samples > 0 && data?$str ) - { - if ( ! result?$sample_queue ) - result$sample_queue = Queue::init([$max_len=filter$samples]); - Queue::push(result$sample_queue, data$str); - } - - if ( SUM in filter$measure ) - { - if ( ! result?$sum ) result$sum = 0; - result$sum += val; - } - - if ( MIN in filter$measure ) - { - if ( ! result?$min ) - result$min = val; - else if ( val < result$min ) - result$min = val; - } - - if ( MAX in filter$measure ) - { - if ( ! 
result?$max ) - result$max = val; - else if ( val > result$max ) - result$max = val; - } - - if ( AVG in filter$measure || VARIANCE in filter$measure ) - { - if ( ! result?$avg ) - { - result$avg = val; - result$prev_avg = val; - } - else - { - result$prev_avg = result$avg; - result$avg += (val - result$avg) / result$num; - } - } - - if ( VARIANCE in filter$measure ) - { - if ( ! result?$var_s ) result$var_s = 0.0; - result$var_s += (val - result$prev_avg)*(val - result$avg); - } - - #if ( STD_DEV in filter$measure ) - # { - # #if ( result?$variance ) - # # result$std_dev = sqrt(result$variance); - # } - - if ( UNIQUE in filter$measure ) - { - if ( ! result?$unique_vals ) result$unique_vals=set(); - add result$unique_vals[data]; - } - - do_calculated_fields(result); - data_added(filter, index, result); - } - } - -# This function checks if a threshold has been crossed. It is also used as a method to implement -# mid-break-interval threshold crossing detection for cluster deployments. -function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_pct: double): bool - { - local watch = 0.0; - if ( val?$unique ) - watch = val$unique; - else if ( val?$sum ) - watch = val$sum; - - if ( filter?$threshold_val_func ) - watch = filter$threshold_val_func(val); - - if ( modify_pct < 1.0 && modify_pct > 0.0 ) - watch = watch/modify_pct; - - if ( ! val$is_threshold_crossed && - filter?$threshold && watch >= filter$threshold ) - { - # A default threshold was given and the value crossed it. - return T; - } - - if ( filter?$threshold_series && - |filter$threshold_series| >= val$threshold_series_index && - watch >= filter$threshold_series[val$threshold_series_index] ) - { - # A threshold series was given and the value crossed the next - # value in the series. - return T; - } - - if ( ! val$is_threshold_crossed && - filter?$threshold_func && - filter$threshold_func(index, val) ) - { - # The threshold function indicated it was crossed. 
- return T; - } - - return F; - } - -function threshold_crossed(filter: Filter, index: Index, val: ResultVal) - { - if ( ! filter?$threshold_crossed ) - return; - - if ( val?$sample_queue ) - val$samples = Queue::get_str_vector(val$sample_queue); - - filter$threshold_crossed(index, val); - val$is_threshold_crossed = T; - - # Bump up to the next threshold series index if a threshold series is being used. - if ( filter?$threshold_series ) - ++val$threshold_series_index; - } - -function create_index_rollup(name: string, rollup: RollupCallback) - { - local r: Rollup = [$callback=rollup]; - r$filters=set(); - rollups[name] = r; - } diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro deleted file mode 100644 index b76ca3ea48..0000000000 --- a/scripts/base/frameworks/metrics/non-cluster.bro +++ /dev/null @@ -1,37 +0,0 @@ -@load ./main - -module Metrics; - -event Metrics::finish_period(filter: Filter) - { - local data = store[filter$id, filter$name]; - if ( filter?$rollup ) - { - for ( index in data ) - { - if ( index !in rollup_store ) - rollup_store[index] = table(); - rollup_store[index][filter$id, filter$name] = data[index]; - - # If all of the result vals are stored then the rollup callback can be executed. - if ( |rollup_store[index]| == |rollups[filter$rollup]$filters| ) - { - rollups[filter$rollup]$callback(index, rollup_store[index]); - } - } - } - - if ( filter?$period_finished ) - filter$period_finished(network_time(), filter$id, filter$name, data); - - reset(filter); - - schedule filter$every { Metrics::finish_period(filter) }; - } - - -function data_added(filter: Filter, index: Index, val: ResultVal) - { - if ( check_thresholds(filter, index, val, 1.0) ) - threshold_crossed(filter, index, val); - } diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 35e78531fc..bb64accaea 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro 
@@ -29,7 +29,7 @@ @load base/frameworks/communication @load base/frameworks/control @load base/frameworks/cluster -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/frameworks/intel @load base/frameworks/reporter @load base/frameworks/tunnels diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index cd20f4e913..d782c4fa37 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -17,12 +17,6 @@ export { ## The SSH protocol logging stream identifier. redef enum Log::ID += { LOG }; - redef enum Notice::Type += { - ## Indicates that a heuristically detected "successful" SSH - ## authentication occurred. - Login - }; - type Info: record { ## Time when the SSH connection began. ts: time &log; @@ -30,9 +24,9 @@ export { uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. id: conn_id &log; - ## Indicates if the login was heuristically guessed to be "success" - ## or "failure". - status: string &log &optional; + ## Indicates if the login was heuristically guessed to be "success", + ## "failure", or "undetermined". + status: string &log &default="undetermined"; ## Direction of the connection. If the client was a local host ## logging into an external host, this would be OUTBOUND. INBOUND ## would be set for the opposite situation. @@ -54,12 +48,12 @@ export { ## The size in bytes of data sent by the server at which the SSH ## connection is presumed to be successful. - const authentication_data_size = 5500 &redef; + const authentication_data_size = 4000 &redef; ## If true, we tell the event engine to not look at further data ## packets after the initial SSH handshake. Helps with performance ## (especially with large file transfers) but precludes some - ## kinds of analyses (e.g., tracking connection size). + ## kinds of analyses. const skip_processing_after_detection = F &redef; ## Event that is generated when the heuristic thinks that a login 
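Review bot: The first ssh/main.bro hunk removes the `Login` entry from `Notice::Type`, so any local notice policy or script that references `SSH::Login` will stop loading, and operators who watched that notice lose the signal without an error pointing at this change; that deserves a line in the commit description and in NEWS, since nothing in the patch's stated scope hints at an SSH change. The third hunk lowers `authentication_data_size` from 5500 to 4000 with no recorded reason; a short comment on the constant, e.g. `## Lowered from 5500 after observing successful logins below that size.` (adjusted to the real rationale), would keep the next person from reverting it.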
@@ -104,54 +98,60 @@ function set_session(c: connection) function check_ssh_connection(c: connection, done: bool) { - # If done watching this connection, just return. + # If already done watching this connection, just return. if ( c$ssh$done ) return; - # Make sure conn_size_analyzer is active by checking - # resp$num_bytes_ip. In general it should always be active though. - if ( ! c$resp?$num_bytes_ip ) - return; - - # Remove the IP and TCP header length from the total size. - # TODO: Fix for IPv6. This whole approach also seems to break in some - # cases where there are more header bytes than num_bytes_ip. - local header_bytes = c$resp$num_pkts*32 + c$resp$num_pkts*20; - local server_bytes = c$resp$num_bytes_ip; - if ( server_bytes >= header_bytes ) - server_bytes = server_bytes - header_bytes; - else - server_bytes = c$resp$size; - - # If this is still a live connection and the byte count has not crossed - # the threshold, just return and let the rescheduled check happen later. - if ( ! done && server_bytes < authentication_data_size ) - return; - - # Make sure the server has sent back more than 50 bytes to filter out - # hosts that are just port scanning. Nothing is ever logged if the server - # doesn't send back at least 50 bytes. - if ( server_bytes < 50 ) - return; - - c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND; - c$ssh$resp_size = server_bytes; - - if ( server_bytes < authentication_data_size ) + if ( done ) { - c$ssh$status = "failure"; - event SSH::heuristic_failed_login(c); + # If this connection is done, then we can look to see if + # this matches the conditions for a failed login. Failed + # logins are only detected at connection state removal. + + if ( # Require originators to have sent at least 50 bytes. + c$orig$size > 50 && + # Responders must be below 4000 bytes. + c$resp$size < 4000 && + # Responder must have sent fewer than 40 packets. 
+ c$resp$num_pkts < 40 && + # If there was a content gap we can't reliably do this heuristic. + c$conn$missed_bytes == 0)# && + # Only "normal" connections can count. + #c$conn?$conn_state && c$conn$conn_state in valid_states ) + { + c$ssh$status = "failure"; + event SSH::heuristic_failed_login(c); + } + + if ( c$resp$size > authentication_data_size ) + { + c$ssh$status = "success"; + event SSH::heuristic_successful_login(c); + } } else - { - # presumed successful login - c$ssh$status = "success"; - event SSH::heuristic_successful_login(c); + { + # If this connection is still being tracked, then it's possible + # to watch for it to be a successful connection. + if ( c$resp$size > authentication_data_size ) + { + c$ssh$status = "success"; + event SSH::heuristic_successful_login(c); + } + else + # This connection must be tracked longer. Let the scheduled + # check happen again. + return; } + + # Set the direction for the log. + c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND; # Set the "done" flag to prevent the watching event from rescheduling # after detection is done. c$ssh$done=T; + + Log::write(SSH::LOG, c$ssh); if ( skip_processing_after_detection ) { @@ -161,18 +161,6 @@ function check_ssh_connection(c: connection, done: bool) } } -event SSH::heuristic_successful_login(c: connection) &priority=-5 - { - NOTICE([$note=Login, - $msg="Heuristically detected successful SSH login.", - $conn=c]); - - Log::write(SSH::LOG, c$ssh); - } -event SSH::heuristic_failed_login(c: connection) &priority=-5 - { - Log::write(SSH::LOG, c$ssh); - } event connection_state_remove(c: connection) &priority=-5 { diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro index 1271d6eb32..3f87ecb283 100644 --- a/scripts/policy/frameworks/metrics/conn-example.bro +++ b/scripts/policy/frameworks/metrics/conn-example.bro 
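Review bot: The failure branch of `check_ssh_connection` hard-codes `c$resp$size < 4000` while the success branch a few lines below compares against the redef-able `authentication_data_size`; a site that raises the constant gets a band of responder sizes that is neither failure nor success, and a site that lowers it below 4000 lets one connection fire both `SSH::heuristic_failed_login` and `SSH::heuristic_successful_login`, with the row logged as "success". The bound should be the same constant: `c$resp$size < authentication_data_size &&`, and the comment `# Responders must be below authentication_data_size bytes.`. The commented-out `valid_states` clause is left dangling as `)# &&` followed by a commented line; either finish it or delete it, because a half-written condition inside a brute-force heuristic is easy to misread later. The function's closing brace and the `skip_processing_after_detection` block continue outside this hunk.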
@@ -1,7 +1,7 @@ ##! An example of using the metrics framework to collect connection metrics ##! aggregated into /24 CIDR ranges. -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/utils/site event bro_init() diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro index b3284580e8..d7aa304754 100644 --- a/scripts/policy/frameworks/metrics/http-example.bro +++ b/scripts/policy/frameworks/metrics/http-example.bro @@ -2,7 +2,7 @@ ##! only local networks. Additionally, the status code for the response from ##! the request is added into the metric. -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/protocols/http @load base/utils/site diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro index 3b9b848edb..400373c06c 100644 --- a/scripts/policy/frameworks/metrics/ssl-example.bro +++ b/scripts/policy/frameworks/metrics/ssl-example.bro @@ -3,7 +3,7 @@ ##! establishments. Names ending in google.com are being filtered out as an ##! example of the predicate based filtering in metrics filters. -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/protocols/ssl event bro_init() diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index 0a4fc8b39f..68deddaa29 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro @@ -1,8 +1,8 @@ @load base/protocols/http @load base/protocols/ssl -@load base/frameworks/metrics +@load base/frameworks/measurement -module AppMetrics; +module AppMeasurement; export { redef enum Log::ID += { LOG }; 
@@ -19,7 +19,11 @@ export { const break_interval = 15mins &redef; } -function app_metrics_rollup(index: Metrics::Index, vals: table[string, string] of Metrics::ResultVal) +redef record connection += { + resp_hostname: string &optional; +}; + +function app_metrics_rollup(index: Measurement::Index, vals: table[string, string] of Measurement::ResultVal) { local l: Info; l$ts = network_time(); 
@@ -35,55 +39,67 @@ function app_metrics_rollup(index: Metrics::Index, vals: table[string, string] o l$uniq_hosts = val$unique; } } - Log::write(LOG, l); } event bro_init() &priority=3 { - Log::create_stream(AppMetrics::LOG, [$columns=Info]); + Log::create_stream(AppMeasurement::LOG, [$columns=Info]); - Metrics::create_index_rollup("AppMetrics", app_metrics_rollup); - Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM), $rollup="AppMetrics"]); - Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::UNIQUE), $rollup="AppMetrics"]); + #Measurement::create_index_rollup("AppMeasurement", app_metrics_rollup); + #Measurement::add_filter("apps.bytes", [$every=break_interval, $measure=set(Measurement::SUM), $rollup="AppMeasurement"]); + #Measurement::add_filter("apps.hits", [$every=break_interval, $measure=set(Measurement::UNIQUE), $rollup="AppMeasurement"]); + + Measurement::create([$epoch=break_interval, + $measurements=table(["apps.bytes"] = [$apply=set(Measurement::SUM)], + ["apps.hits"] = [$apply=set(Measurement::UNIQUE)]), + $period_finished(result: Measurement::Results) = + { + local l: Info; + l$ts = network_time(); + for ( index in result ) + { + l$bytes = double_to_count(floor(result[index]["apps.bytes"]$sum)); + l$hits = result[index]["apps.hits"]$num; + l$uniq_hosts = result[index]["apps.hits"]$unique; + Log::write(LOG, l); + } + }]); } function do_metric(id: conn_id, hostname: string, size: count) { - if ( /youtube\.com$/ in hostname && size > 512*1024 ) + if ( /\.youtube\.com$/ in hostname && size > 512*1024 ) { - Metrics::add_data("apps.bytes", [$str="youtube"], [$num=size]); - Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="youtube"], [$num=size]); + Measurement::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); } else if ( /(\.facebook\.com|\.fbcdn\.net)$/ in hostname && size > 20 ) { - 
Metrics::add_data("apps.bytes", [$str="facebook"], [$num=size]); - Metrics::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="facebook"], [$num=size]); + Measurement::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); } else if ( /\.google\.com$/ in hostname && size > 20 ) { - Metrics::add_data("apps.bytes", [$str="google"], [$num=size]); - Metrics::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="google"], [$num=size]); + Measurement::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); } - else if ( /nflximg\.com$/ in hostname && size > 200*1024 ) + else if ( /\.nflximg\.com$/ in hostname && size > 200*1024 ) { - Metrics::add_data("apps.bytes", [$str="netflix"], [$num=size]); - Metrics::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="netflix"], [$num=size]); + Measurement::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); } else if ( /\.(pandora|p-cdn)\.com$/ in hostname && size > 512*1024 ) { - Metrics::add_data("apps.bytes", [$str="pandora"], [$num=size]); - Metrics::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="pandora"], [$num=size]); + Measurement::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); } - else if ( /gmail\.com$/ in hostname && size > 20 ) + else if ( /\.gmail\.com$/ in hostname && size > 20 ) { - Metrics::add_data("apps.bytes", [$str="gmail"], [$num=size]); - Metrics::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); + Measurement::add_data("apps.bytes", [$str="gmail"], [$num=size]); + Measurement::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); } } -redef record connection += { - resp_hostname: string &optional; -}; event ssl_established(c: connection) { 
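Review bot: Anchoring the hostname patterns in `do_metric` with a leading `\.` (`/\.youtube\.com$/`, `/\.nflximg\.com$/`, `/\.gmail\.com$/`) correctly stops a name like `evilyoutube.com` from being counted as YouTube, but it also stops matching the apex names `youtube.com`, `nflximg.com` and `gmail.com`, which the old unanchored patterns did match, so traffic to exactly those hosts now silently vanishes from the stats. Accept a label boundary or the start of the string instead, e.g. `/(^|\.)youtube\.com$/`, and likewise for the other two. The three commented-out `#Measurement::create_index_rollup` / `#Measurement::add_filter` lines in `bro_init` are dead code beside the replacement `Measurement::create` call and should be removed rather than kept. The `period_finished` callback indexes `result[index]["apps.bytes"]` and `result[index]["apps.hits"]` unconditionally; that holds because every branch of `do_metric` feeds both measurements, which deserves a one-line comment so the next branch added keeps the invariant.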
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index e62d370e45..7656ed8d03 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -2,7 +2,7 @@ ##! toward hosts that have sent low TTL packets. ##! It generates a notice when the number of ICMP Time Exceeded ##! messages for a source-destination pair exceeds threshold -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/frameworks/signatures @load-sigs ./detect-low-ttls.sig diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 7f5f43dbd9..570dbfe6b0 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -5,7 +5,7 @@ ##! All the authors of the old scan.bro @load base/frameworks/notice -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/utils/time @@ -24,7 +24,7 @@ export { ## unique ports on a single host over the previous ## :bro:id:`port_scan_interval` time range. Port_Scan, - }; + }; ## Failed connection attempts are tracked over this time interval for the address ## scan detection. A higher interval will detect slower scanners, but may @@ -42,7 +42,7 @@ export { ## connections with on a single victim host. const port_scan_threshold = 15 &redef; - ## Custom threholds based on service for address scan. This is primarily + ## Custom thresholds based on service for address scan. This is primarily ## useful for setting reduced thresholds for specific ports. const addr_scan_custom_thresholds: table[port] of count &redef; @@ -74,7 +74,7 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result $p=to_port(index$str), $sub=side, $msg=message, - $identifier=cat(index)]); + $identifier=cat(index$host)]); } function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) 
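Review bot: In `addr_scan_threshold_crossed` the notice identifier is narrowed from `cat(index)` to `cat(index$host)`, dropping the port held in `index$str` (the same value used for `$p=to_port(index$str)` two lines above); assuming Notice suppression is keyed on note type plus identifier as elsewhere in the framework, a scanner that sweeps port 22 and then port 3389 within the suppression interval is reported once, and `addr_scan_custom_thresholds` crossings on other ports are hidden. If one notice per scanning host is the intent, say so: `# Suppress per scanning host, not per (host, port), so a multi-port sweep yields a single notice.`; otherwise keep the port in the key, e.g. `$identifier=cat(index$host, index$str)`. Separately, scan.bro now `@load`s `base/frameworks/measurement` while its signatures still use `Metrics::Index` / `Metrics::ResultVal`; unless the measurement framework still exports a `Metrics` module, the script will not load (the app-metrics.bro hunk in this same patch renamed those types to `Measurement::`).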
@@ -88,7 +88,7 @@ function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result $dst=to_addr(index$str), $sub=side, $msg=message, - $identifier=cat(index)]); + $identifier=cat(index$host)]); } event bro_init() &priority=5 diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro index fad2331f44..d537d13b72 100644 --- a/scripts/policy/protocols/conn/conn-stats-per-host.bro +++ b/scripts/policy/protocols/conn/conn-stats-per-host.bro @@ -1,6 +1,6 @@ @load base/protocols/conn -@load base/frameworks/metrics +@load base/frameworks/measurement event bro_init() &priority=5 { diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro index 057e23e088..62ca96ea0a 100644 --- a/scripts/policy/protocols/conn/metrics.bro +++ b/scripts/policy/protocols/conn/metrics.bro @@ -1,4 +1,4 @@ -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/utils/site event bro_init() &priority=3 diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index 11d6ec71a1..59c8525c7e 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro @@ -1,6 +1,6 @@ @load base/protocols/ftp -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/utils/time @@ -19,7 +19,7 @@ export { ## The time period in which the threshold needs to be crossed before ## being reset. - const bruteforce_measurement_interval = 15mins; + const bruteforce_measurement_interval = 15mins &redef; } 
@@ -32,7 +32,8 @@ event bro_init() $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { local dur = duration_to_mins_secs(val$end-val$begin); - local message = fmt("%s had %d failed logins on %d FTP servers in %s", index$host, val$num, val$unique, dur); + local plural = val$unique>1 ? "s" : ""; + local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur); NOTICE([$note=FTP::Bruteforcing, $src=index$host, $msg=message, diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index 21164bc126..410d3fde31 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro @@ -1,7 +1,7 @@ ##! SQL injection attack detection in HTTP. @load base/frameworks/notice -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/protocols/http module HTTP; diff --git a/scripts/policy/protocols/smtp/metrics.bro b/scripts/policy/protocols/smtp/metrics.bro index ac803ac621..19a3220805 100644 --- a/scripts/policy/protocols/smtp/metrics.bro +++ b/scripts/policy/protocols/smtp/metrics.bro @@ -3,7 +3,7 @@ ##! "How much mail is being sent from each local mail server per hour?" @load base/protocols/smtp -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/utils/site @load base/utils/directions-and-hosts diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index edf6379bec..44e94eb361 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -2,7 +2,7 @@ ##! bruteforcing over SSH. @load base/protocols/ssh -@load base/frameworks/metrics +@load base/frameworks/measurement @load base/frameworks/notice @load base/frameworks/intel 
@@ -54,8 +54,8 @@ event bro_init() $identifier=cat(index$host)]); # Insert the guesser into the intel framework. Intel::insert([$host=index$host, - $meta=[$source="local", - $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]); + $meta=[$source="local", + $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]); }]); } From 38e1dc9ca47d97508276a2f7192c5353bb8e6837 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 14 Mar 2013 14:51:10 -0700 Subject: [PATCH 063/134] Support for cleaning up threads that have terminated. Once a BasicThread leaves its run() method, a thread is now marked for cleaning up, and the ThreadMgr will soon join it to release the OS resources. Also, adding a function Log::remove_stream() that remove a logging stream, stopping all writer threads that are associated with it. Note, however, that removing a *filter* from a stream still doesn't clean up any threads. The problem is that because of the output paths potentially being created dynamically it's unclear if the writer thread will still be needed in the future. We could add clean writers up with timeouts, but that doesn't sound great either. So for now, the only way to sure clean up logging threads is to remove the entire stream. Also note that cleanup doesn't work with input threads yet, which don't seem to terminate (at least in the case I tried). --- scripts/base/frameworks/logging/main.bro | 16 ++++++++++++ src/logging.bif | 6 +++++ src/logging/Manager.cc | 32 ++++++++++++++++++++++++ src/logging/Manager.h | 10 ++++++++ src/logging/WriterFrontend.cc | 7 ++++++ src/logging/WriterFrontend.h | 3 ++- src/threading/BasicThread.cc | 7 +++--- src/threading/Manager.cc | 27 ++++++++++++++++++++ 8 files changed, 104 insertions(+), 4 deletions(-) diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 054ad4a30b..1126686c13 100644 --- a/scripts/base/frameworks/logging/main.bro 
+++ b/scripts/base/frameworks/logging/main.bro @@ -189,6 +189,15 @@ export { ## .. bro:see:: Log::add_default_filter Log::remove_default_filter global create_stream: function(id: ID, stream: Stream) : bool; + ## Removes a logging stream completely, stopping all the threads. + ## + ## id: The ID enum to be associated with the new logging stream. + ## + ## Returns: True if a new stream was successfully removed. + ## + ## .. bro:see:: Log:create_stream + global remove_stream: function(id: ID) : bool; + ## Enables a previously disabled logging stream. Disabled streams ## will not be written to until they are enabled again. New streams ## are enabled by default. @@ -442,6 +451,13 @@ function create_stream(id: ID, stream: Stream) : bool return add_default_filter(id); } +function remove_stream(id: ID) : bool + { + delete active_streams[id]; + + return __remove_stream(id); + } + function disable_stream(id: ID) : bool { delete active_streams[id]; diff --git a/src/logging.bif b/src/logging.bif index f5d3e8e3e6..cf97c59cd3 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -18,6 +18,12 @@ function Log::__create_stream%(id: Log::ID, stream: Log::Stream%) : bool return new Val(result, TYPE_BOOL); %} +function Log::__remove_stream%(id: Log::ID%) : bool + %{ + bool result = log_mgr->RemoveStream(id->AsEnumVal()); + return new Val(result, TYPE_BOOL); + %} + function Log::__enable_stream%(id: Log::ID%) : bool %{ bool result = log_mgr->EnableStream(id->AsEnumVal()); diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 1ab83d84ba..67e7d998ed 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc 
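Review bot: The doc block for the new `remove_stream` in logging/main.bro was copied from `create_stream` and says the opposite of what the function does: `id: The ID enum to be associated with the new logging stream.` and `Returns: True if a new stream was successfully removed.`, and the cross-reference `Log:create_stream` is missing a colon so the `bro:see` role will not resolve. Suggested text: `## id: The ID enum of the stream to remove.`, `## Returns: True if the stream existed and was removed.`, `## .. bro:see:: Log::create_stream`. It would also help callers to state here what the commit message only says in prose: removing the stream is currently the only way to stop its writer threads, because removing a filter does not.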
@@ -374,6 +374,38 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval) return true; } +bool Manager::RemoveStream(EnumVal* id) + { + unsigned int idx = id->AsEnum(); + + if ( idx >= streams.size() || ! streams[idx] ) + return false; + + Stream* stream = streams[idx]; + + if ( ! stream ) + return false; + + for ( Stream::WriterMap::iterator i = stream->writers.begin(); i != stream->writers.end(); i++ ) + { + WriterInfo* winfo = i->second; + + DBG_LOG(DBG_LOGGING, "Removed writer '%s' from stream '%s'", + winfo->writer->Name(), stream->name.c_str()); + + winfo->writer->Stop(); + delete winfo->writer; + delete winfo; + } + + stream->writers.clear(); + delete stream; + streams[idx] = 0; + + DBG_LOG(DBG_LOGGING, "Removed logging stream '%s'", stream->name.c_str()); + return true; + } + bool Manager::EnableStream(EnumVal* id) { Stream* stream = FindStream(id); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 90ad944bc6..5b5f8014e3 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -47,6 +47,16 @@ public: */ bool CreateStream(EnumVal* id, RecordVal* stream); + /** + * Remove a log stream, stopping all threads. + * + * @param id The enum value corresponding the log stream. + * + * This methods corresponds directly to the internal BiF defined in + * logging.bif, which just forwards here. + */ + bool RemoveStream(EnumVal* id); + /** * Enables a log log stream. * diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index a97f48c1ed..9ed9f802d3 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -138,6 +138,13 @@ void WriterFrontend::Stop() { FlushWriteBuffer(); SetDisable(); + + if ( backend ) + { + backend->PrepareStop(); + backend->Stop(); + backend = 0; // Thread manager will clean it up once it finishes. + } } void WriterFrontend::Init(int arg_num_fields, const Field* const * arg_fields) 
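Review bot: `Manager::RemoveStream` reads `stream->name.c_str()` in the final `DBG_LOG` after `delete stream;`, a use-after-free that is presumably only hidden in builds where `DBG_LOG` compiles out; log before freeing: `DBG_LOG(DBG_LOGGING, "Removed logging stream '%s'", stream->name.c_str());` then `delete stream;` then `streams[idx] = 0;`. The second `if ( ! stream ) return false;` repeats the `! streams[idx]` test just above and can go. In the `WriterFrontend::Stop` hunk on the same line, `backend = 0` with the comment that the thread manager will clean it up matches the new `Manager::Process` sweep, but a reader of `WriterFrontend` alone cannot see that ownership hand-off; a sentence in the `Stop()` docs in WriterFrontend.h saying the backend thread belongs to the threading manager from this point on would make it explicit.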
diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index a4a8dcd415..5bcde21a5e 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -54,7 +54,8 @@ public: /** * Stops all output to this writer. Calling this methods disables all - * message forwarding to the backend. + * message forwarding to the backend and will eventually remove the + * backend thread. * * This method must only be called from the main thread. */ diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index c708bb79ef..b7ec094309 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -150,11 +150,12 @@ void BasicThread::Join() if ( ! started ) return; + if ( ! pthread ) + return; + assert(terminating); - DBG_LOG(DBG_THREADING, "Joining thread %s ...", name); - - if ( pthread && pthread_join(pthread, 0) != 0 ) + if ( pthread_join(pthread, 0) != 0 ) reporter->FatalError("Failure joining thread %s", name); DBG_LOG(DBG_THREADING, "Joined with thread %s", name); diff --git a/src/threading/Manager.cc b/src/threading/Manager.cc index cfc44596e1..59eff4fd99 100644 --- a/src/threading/Manager.cc +++ b/src/threading/Manager.cc @@ -148,6 +148,33 @@ void Manager::Process() } } + all_thread_list to_delete; + + for ( all_thread_list::iterator i = all_threads.begin(); i != all_threads.end(); i++ ) + { + BasicThread* t = *i; + + if ( ! t->Killed() ) + continue; + + to_delete.push_back(t); + } + + for ( all_thread_list::iterator i = to_delete.begin(); i != to_delete.end(); i++ ) + { + BasicThread* t = *i; + + all_threads.remove(t); + + MsgThread* mt = dynamic_cast(t); + + if ( mt ) + msg_threads.remove(mt); + + t->Join(); + delete t; + } + // fprintf(stderr, "P %.6f %.6f do_beat=%d did_process=%d next_next=%.6f\n", network_time, timer_mgr->Time(), do_beat, (int)did_process, next_beat); } From d11bd56b5d809460327cfc06b52b8c44b5a56f4b Mon Sep 17 00:00:00 2001 
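Review bot: The new sweep in `Manager::Process` reads `t->Killed()` on Bro's main thread for every thread, while, per the commit message, the flag is set by the worker itself when it leaves `Run()`; unless the flag is atomic or written under a lock (its definition is not in this patch), that is a cross-thread read of a plain bool with no visibility guarantee, so a finished thread may go unnoticed for an arbitrary number of passes. Please confirm how `Killed()` is published and state the guarantee at the top of the loop, e.g. `// Killed() is set by the worker at the end of Run(); it must be published with release/acquire semantics for this sweep to observe it reliably.` Copying candidates into `to_delete` before mutating `all_threads` is the right shape; note that `all_threads.remove(t)` is a linear scan per thread, fine for today's thread counts but worth a remark if many writers are ever created and removed dynamically.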
From: Robin Sommer Date: Fri, 15 Mar 2013 17:54:20 -0700 Subject: [PATCH 064/134] Changing semantics of thread stop methods. PrepareStop() is now SignalStop() and just signals a thread that it should terminate. After that's called, WaitForStop() (formerly Stop()) wait for it to actually finish processing. When stopping writers during operation, we now no longer wait for them to finish. --- src/logging/WriterFrontend.cc | 3 +-- src/threading/BasicThread.cc | 30 +++++++++++++------------- src/threading/BasicThread.h | 40 ++++++++++++++++++----------------- src/threading/Manager.cc | 6 +++--- src/threading/MsgThread.cc | 6 +++--- src/threading/MsgThread.h | 4 ++-- 6 files changed, 45 insertions(+), 44 deletions(-) diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 9ed9f802d3..73cba2ff3a 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -141,8 +141,7 @@ void WriterFrontend::Stop() if ( backend ) { - backend->PrepareStop(); - backend->Stop(); + backend->SignalStop(); backend = 0; // Thread manager will clean it up once it finishes. } } diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index b7ec094309..09b6e95d7a 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -117,20 +117,7 @@ void BasicThread::Start() OnStart(); } -void BasicThread::PrepareStop() - { - if ( ! started ) - return; - - if ( terminating ) - return; - - DBG_LOG(DBG_THREADING, "Preparing thread %s to terminate ...", name); - - OnPrepareStop(); - } - -void BasicThread::Stop() +void BasicThread::SignalStop() { if ( ! started ) return; 
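Review bot: After this change `WriterFrontend::Stop` only calls `backend->SignalStop()` and drops the pointer, but `BasicThread::Join` (unchanged, visible in the previous patch) still does `assert(terminating)`, and in this patch `terminating = true` happens only at the end of `WaitForStop()`; nothing visible in `SignalStop()` sets it. A writer stopped during operation is never `WaitForStop()`'d, so when the `Manager::Process` sweep later joins it the assertion fires in debug builds, and in release builds `Terminating()` stays false for a thread that has in fact been told to stop. Either have `SignalStop()` set the flag that `Join` asserts on, or relax `Join` to check something the signal-only path guarantees. The `backend = 0` comment should also say that `WaitForStop()` is intentionally skipped on this path.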
@@ -140,7 +127,20 @@ void BasicThread::Stop() DBG_LOG(DBG_THREADING, "Signaling thread %s to terminate ...", name); - OnStop(); + OnSignalStop(); + } + +void BasicThread::WaitForStop() + { + if ( ! started ) + return; + + if ( terminating ) + return; + + DBG_LOG(DBG_THREADING, "Waiting for thread %s to terminate ...", name); + + OnWaitForStop(); terminating = true; } diff --git a/src/threading/BasicThread.h b/src/threading/BasicThread.h index 100efe8851..cb0108219c 100644 --- a/src/threading/BasicThread.h +++ b/src/threading/BasicThread.h @@ -71,32 +71,33 @@ public: void Start(); /** - * Signals the thread to prepare for stopping. This must be called - * before Stop() and allows the thread to trigger shutting down - * without yet blocking for doing so. + * Signals the thread to prepare for stopping, but doesn't block to + * wait for that to happen. Use WaitForStop() for that. * + * The method lets Terminating() now return true, it does however not + * force the thread to terminate. It's up to the Run() method to to + * query Terminating() and exit eventually. + * * Calling this method has no effect if Start() hasn't been executed * yet. * * Only Bro's main thread must call this method. */ - void PrepareStop(); + void SignalStop(); /** - * Signals the thread to stop. The method lets Terminating() now - * return true. It does however not force the thread to terminate. - * It's up to the Run() method to to query Terminating() and exit - * eventually. + * Waits until a thread has stopped after receiving SignalStop(). * * Calling this method has no effect if Start() hasn't been executed - * yet. + * yet. If this is executed without calling SignalStop() first, + * results are undefined. * * Only Bro's main thread must call this method. */ - void Stop(); + void WaitForStop(); /** - * Returns true if Stop() has been called. + * Returns true if WaitForStop() has been called and finished. * * This method is safe to call from any thread. */ 
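Review bot: The BasicThread.h hunk documents `SignalStop()` with `The method lets Terminating() now return true`, but the BasicThread.cc hunk on the same line sets `terminating = true` only at the end of `WaitForStop()`, and the `Terminating()` doc a few lines below says `Returns true if WaitForStop() has been called and finished.`; the two comments contradict each other and the `SignalStop()` one is stale. Suggested replacement for that sentence: `* Calling this does not make Terminating() return true; that happens only once WaitForStop() has completed. It is up to the OnSignalStop() hook and the Run() method to make the thread exit eventually.` Also fix the doubled word in `It's up to the Run() method to to query`. Since `WaitForStop()` returns early when `terminating` is already set, a repeated call is harmless, which is worth saying next to the "results are undefined" warning.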
@@ -145,18 +146,19 @@ protected: virtual void OnStart() {} /** - * Executed with PrepareStop() (and before OnStop()). This is a hook - * into preparing the thread for stopping. It will be called from - * Bro's main thread before the thread has been signaled to stop. + * Executed with SignalStop(). This is a hook into preparing the + * thread for stopping. It will be called from Bro's main thread + * before the thread has been signaled to stop. */ - virtual void OnPrepareStop() {} + virtual void OnSignalStop() {} /** - * Executed with Stop() (and after OnPrepareStop()). This is a hook - * into stopping the thread. It will be called from Bro's main thread - * after the thread has been signaled to stop. + * Executed with WaitForStop(). This is a hook into waiting for the + * thread to stop. It must be overridden by derived classes and only + * return once the thread has indeed finished processing. The method + * will be called from Bro's main thread. */ - virtual void OnStop() {} + virtual void OnWaitForStop() = 0; /** * Executed with Kill(). This is a hook into killing the thread. diff --git a/src/threading/Manager.cc b/src/threading/Manager.cc index 59eff4fd99..39a6bdce7d 100644 --- a/src/threading/Manager.cc +++ b/src/threading/Manager.cc @@ -32,10 +32,10 @@ void Manager::Terminate() // Signal all to stop. for ( all_thread_list::iterator i = all_threads.begin(); i != all_threads.end(); i++ ) - (*i)->PrepareStop(); + (*i)->SignalStop(); for ( all_thread_list::iterator i = all_threads.begin(); i != all_threads.end(); i++ ) - (*i)->Stop(); + (*i)->WaitForStop(); // Then join them all. for ( all_thread_list::iterator i = all_threads.begin(); i != all_threads.end(); i++ ) @@ -141,7 +141,7 @@ void Manager::Process() else { reporter->Error("%s failed, terminating thread", msg->Name()); - t->Stop(); + t->SignalStop(); } delete msg; diff --git a/src/threading/MsgThread.cc b/src/threading/MsgThread.cc index 6c63c5a287..902ea36410 100644 --- a/src/threading/MsgThread.cc 
+++ b/src/threading/MsgThread.cc @@ -161,16 +161,16 @@ MsgThread::MsgThread() : BasicThread(), queue_in(this, 0), queue_out(0, this) // Set by Bro's main signal handler. extern int signal_val; -void MsgThread::OnPrepareStop() +void MsgThread::OnSignalStop() { if ( finished || Killed() ) return; - // Signal thread to terminate and wait until it has acknowledged. + // Signal thread to terminate. SendIn(new FinishMessage(this, network_time), true); } -void MsgThread::OnStop() +void MsgThread::OnWaitForStop() { int signal_count = 0; int old_signal_val = signal_val; diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h index d5e223d48f..4492320541 100644 --- a/src/threading/MsgThread.h +++ b/src/threading/MsgThread.h @@ -228,8 +228,8 @@ protected: * */ virtual void Run(); - virtual void OnStop(); - virtual void OnPrepareStop(); + virtual void OnWaitForStop(); + virtual void OnSignalStop(); virtual void OnKill(); private: From 6dc204b385e37fbf89a425df8cba9c95d2c20a6a Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 19 Mar 2013 11:39:58 -0400 Subject: [PATCH 065/134] Checkpoint, don't try running this. It's broken all over the place. --- .../base/frameworks/measurement/__load__.bro | 1 - .../base/frameworks/measurement/cluster.bro | 206 +++++------ scripts/base/frameworks/measurement/main.bro | 338 ++++++++---------- .../frameworks/measurement/non-cluster.bro | 21 +- .../measurement/plugins/__load__.bro | 1 + .../measurement/plugins/average.bro | 10 +- .../frameworks/measurement/plugins/max.bro | 10 +- .../frameworks/measurement/plugins/min.bro | 10 +- .../frameworks/measurement/plugins/sample.bro | 45 +++ .../measurement/plugins/std-dev.bro | 10 +- .../frameworks/measurement/plugins/sum.bro | 10 +- .../frameworks/measurement/plugins/unique.bro | 13 +- .../measurement/plugins/variance.bro | 16 +- scripts/policy/misc/app-metrics.bro | 40 +-- 14 files changed, 352 insertions(+), 379 deletions(-) create mode 100644 scripts/base/frameworks/measurement/plugins/sample.bro diff --git a/scripts/base/frameworks/measurement/__load__.bro b/scripts/base/frameworks/measurement/__load__.bro index fc784e1632..c2b77e706a 100644 --- a/scripts/base/frameworks/measurement/__load__.bro +++ b/scripts/base/frameworks/measurement/__load__.bro @@ -1,5 +1,4 @@ @load ./main - @load ./plugins # The cluster framework must be loaded first. diff --git a/scripts/base/frameworks/measurement/cluster.bro b/scripts/base/frameworks/measurement/cluster.bro index 6ccf5bb2f9..9c35b85b32 100644 --- a/scripts/base/frameworks/measurement/cluster.bro +++ b/scripts/base/frameworks/measurement/cluster.bro 
@@ -17,8 +17,8 @@ export { ## The percent of the full threshold value that needs to be met ## on a single worker for that worker to send the value to its manager in ## order for it to request a global view for that value. There is no - ## requirement that the manager requests a global view for the index - ## since it may opt not to if it requested a global view for the index + ## requirement that the manager requests a global view for the key + ## since it may opt not to if it requested a global view for the key ## recently. const cluster_request_global_view_percent = 0.2 &redef; 
@@ -34,75 +34,74 @@ export { const enable_intermediate_updates = T &redef; # Event sent by the manager in a cluster to initiate the - # collection of metrics values for a filter. - global cluster_filter_request: event(uid: string, id: string, filter_name: string); + # collection of metrics values for a measurement. + global cluster_measurement_request: event(uid: string, mid: string); # Event sent by nodes that are collecting metrics after receiving - # a request for the metric filter from the manager. - global cluster_filter_response: event(uid: string, id: string, filter_name: string, data: MetricTable, done: bool); + # a request for the metric measurement from the manager. + global cluster_measurement_response: event(uid: string, mid: string, data: ResultTable, done: bool); # This event is sent by the manager in a cluster to initiate the - # collection of a single index value from a filter. It's typically + # collection of a single key value from a measurement. It's typically # used to get intermediate updates before the break interval triggers # to speed detection of a value crossing a threshold. - global cluster_index_request: event(uid: string, id: string, filter_name: string, index: Index); + global cluster_key_request: event(uid: string, mid: string, key: Key); # This event is sent by nodes in response to a - # :bro:id:`Measurement::cluster_index_request` event. - global cluster_index_response: event(uid: string, id: string, filter_name: string, index: Index, val: ResultVal); + # :bro:id:`Measurement::cluster_key_request` event. 
+ global cluster_key_response: event(uid: string, mid: string, key: Key, result: ResultTable); # This is sent by workers to indicate that they crossed the percent of the # current threshold by the percentage defined globally in # :bro:id:`Measurement::cluster_request_global_view_percent` - global cluster_index_intermediate_response: event(id: string, filter_name: string, index: Measurement::Index); + global cluster_key_intermediate_response: event(mid: string, key: Measurement::Key); # This event is scheduled internally on workers to send result chunks. - global send_data: event(uid: string, id: string, filter_name: string, data: MetricTable); + global send_data: event(uid: string, id: string, measurement_name: string, data: ResultTable); } - # Add events to the cluster framework to make this work. -redef Cluster::manager2worker_events += /Measurement::cluster_(filter_request|index_request)/; -redef Cluster::worker2manager_events += /Measurement::cluster_(filter_response|index_response|index_intermediate_response)/; +redef Cluster::manager2worker_events += /Measurement::cluster_(measurement_request|key_request)/; +redef Cluster::worker2manager_events += /Measurement::cluster_(measurement_response|key_response|key_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -# This variable is maintained to know what indexes they have recently sent as +# This variable is maintained to know what keysthey have recently sent as # intermediate updates so they don't overwhelm their manager. The count that is # yielded is the number of times the percentage threshold has been crossed and # an intermediate result has been received. 
-global recent_global_view_indexes: table[string, string, Index] of count &create_expire=1min &default=0; +global recent_global_view_keys: table[string, string, Key] of count &create_expire=1min &default=0; # This is done on all non-manager node types in the event that a metric is # being collected somewhere other than a worker. -function data_added(filter: Filter, index: Index, val: ResultVal) +function data_added(measurement: Filter, key: Key, val: Result) { # If an intermediate update for this value was sent recently, don't send # it again. - if ( [filter$id, filter$name, index] in recent_global_view_indexes ) + if ( [measurement$id, measurement$name, key] in recent_global_view_keys ) return; # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that # crosses the full threshold then it's a candidate to send as an # intermediate update. if ( enable_intermediate_updates && - check_thresholds(filter, index, val, cluster_request_global_view_percent) ) + check_thresholds(measurement, key, val, cluster_request_global_view_percent) ) { # kick off intermediate update - event Measurement::cluster_index_intermediate_response(filter$id, filter$name, index); - ++recent_global_view_indexes[filter$id, filter$name, index]; + event Measurement::cluster_key_intermediate_response(measurement$id, measurement$name, key); + ++recent_global_view_keys[measurement$id, measurement$name, key]; } } -event Measurement::send_data(uid: string, id: string, filter_name: string, data: MetricTable) +event Measurement::send_data(uid: string, id: string, data: ResultTable) { #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid); - local local_data: MetricTable; + local local_data: ResultTable; local num_added = 0; - for ( index in data ) + for ( key in data ) { - local_data[index] = data[index]; - delete data[index]; + local_data[key] = data[key]; + delete data[key]; # Only send cluster_send_in_groups_of at a time. Queue another # event to send the next group. 
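Review bot: The `send_data` declaration and its handler no longer agree: the export block declares `event(uid: string, id: string, measurement_name: string, data: ResultTable)` while the handler below is `event Measurement::send_data(uid: string, id: string, data: ResultTable)`, so one of the two will fail to load. The same hunk raises `cluster_key_intermediate_response(measurement$id, measurement$name, key)` with three arguments against the two-parameter declaration `(mid: string, key: Measurement::Key)`, and `data_added` still takes a `Filter` (a type this commit removes from main.bro) and reads `measurement$name`, a field the new `Measurement` record does not have. Dropping the name component consistently would resolve all three: `global send_data: event(uid: string, mid: string, data: ResultTable);`, `function data_added(m: Measurement, key: Key, result: Result)`, and a `recent_global_view_keys` table indexed on `[string, Key]`. The comment typo `keysthey` should read `keys they`. The `send_data` handler continues into the next hunk.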
@@ -115,35 +114,35 @@ event Measurement::send_data(uid: string, id: string, filter_name: string, data: if ( |data| == 0 ) done = T; - event Measurement::cluster_filter_response(uid, id, filter_name, local_data, done); + event Measurement::cluster_measurement_response(uid, local_data, done); if ( ! done ) - event Measurement::send_data(uid, id, filter_name, data); + event Measurement::send_data(uid, mid, data); } -event Measurement::cluster_filter_request(uid: string, id: string, filter_name: string) +event Measurement::cluster_measurement_request(uid: string, mid: string) { - #print fmt("WORKER %s: received the cluster_filter_request event for %s.", Cluster::node, id); + #print fmt("WORKER %s: received the cluster_measurement_request event for %s.", Cluster::node, id); - # Initiate sending all of the data for the requested filter. - event Measurement::send_data(uid, id, filter_name, store[id, filter_name]); + # Initiate sending all of the data for the requested measurement. + event Measurement::send_data(uid, mid, result_store[mid]); - # Lookup the actual filter and reset it, the reference to the data + # Lookup the actual measurement and reset it, the reference to the data # currently stored will be maintained internally by the send_data event. 
- reset(filter_store[id, filter_name]); + reset(measurement_store[mid]); } -event Measurement::cluster_index_request(uid: string, id: string, filter_name: string, index: Index) +event Measurement::cluster_key_request(uid: string, mid: string, key: Key) { - if ( [id, filter_name] in store && index in store[id, filter_name] ) + if ( [mid] in result_store && key in result_store[mid] ) { - #print fmt("WORKER %s: received the cluster_index_request event for %s=%s.", Cluster::node, index2str(index), data); - event Measurement::cluster_index_response(uid, id, filter_name, index, store[id, filter_name][index]); + #print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data); + event Measurement::cluster_key_response(uid, mid, key, result_store[mid][key]); } else { # We need to send an empty response if we don't have the data so that the manager # can know that it heard back from all of the workers. - event Measurement::cluster_index_response(uid, id, filter_name, index, [$begin=network_time(), $end=network_time()]); + event Measurement::cluster_key_response(uid, mid, key, [$begin=network_time(), $end=network_time()]); } } @@ -153,12 +152,8 @@ event Measurement::cluster_index_request(uid: string, id: string, filter_name: s @if ( Cluster::local_node_type() == Cluster::MANAGER ) # This variable is maintained by manager nodes as they collect and aggregate -# results. -global filter_results: table[string, string, string] of MetricTable &read_expire=1min; - -# This is maintained by managers so they can know what data they requested and -# when they requested it. -global requested_results: table[string] of time = table() &create_expire=5mins; +# results. It's index on a uid. +global measurement_results: table[string] of ResultTable &read_expire=1min; # This variable is maintained by manager nodes to track how many "dones" they # collected per collection unique id. Once the number of results for a uid 
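Review bot: `event Measurement::cluster_measurement_response(uid, local_data, done)` omits the measurement id that the declaration `(uid, mid, data, done)` requires, and the re-scheduling call `event Measurement::send_data(uid, mid, data)` names `mid`, which is not a parameter of this handler (its second parameter is `id`). Both should forward the handler's own id: `event Measurement::cluster_measurement_response(uid, id, local_data, done);` and `event Measurement::send_data(uid, id, data);`. In `cluster_key_request`, `result_store[mid][key]` is a `table[string] of Result` under the new `ResultTable` definition while the empty-response branch sends a bare `Result` literal, so the two branches cannot both match whatever parameter type `cluster_key_response` settles on; if the manager is meant to merge per-data-id tables, the empty response should be `table()`. The `send_data` handler starts in the previous hunk.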
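Review bot: The new comment on `measurement_results` reads `It's index on a uid.` and should be `It's indexed on a uid.` Since this table carries `&read_expire=1min` and `requested_results` (which recorded when each uid was requested) is removed here, a worker response that arrives after the entry expires has nothing to fall back on; a one-line comment stating what is expected to happen to such a late response would make the expiry an explicit design choice rather than an accident.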
@@ -168,50 +163,49 @@ global requested_results: table[string] of time = table() &create_expire=5mins; global done_with: table[string] of count &read_expire=1min &default=0; # This variable is maintained by managers to track intermediate responses as -# they are getting a global view for a certain index. -global index_requests: table[string, string, string, Index] of ResultVal &read_expire=1min; +# they are getting a global view for a certain key. Indexed on a uid. +global key_requests: table[string] of Result &read_expire=1min; # This variable is maintained by managers to prevent overwhelming communication due -# to too many intermediate updates. Each metric filter is tracked separately so that -# one metric won't overwhelm and degrade other quieter metrics. -global outstanding_global_views: table[string, string] of count &default=0; +# to too many intermediate updates. Each measurement is tracked separately so that +# one metric won't overwhelm and degrade other quieter metrics. Indexed on a +# measurement id. +global outstanding_global_views: table[string] of count &default=0; # Managers handle logging. -event Measurement::finish_period(filter: Filter) +event Measurement::finish_period(m: Measurement) { - #print fmt("%.6f MANAGER: breaking %s filter for %s metric", network_time(), filter$name, filter$id); + #print fmt("%.6f MANAGER: breaking %s measurement for %s metric", network_time(), measurement$name, measurement$id); local uid = unique_id(""); - # Set some tracking variables. - requested_results[uid] = network_time(); - if ( [uid, filter$id, filter$name] in filter_results ) - delete filter_results[uid, filter$id, filter$name]; - filter_results[uid, filter$id, filter$name] = table(); + if ( uid in measurement_results ) + delete measurement_results[uid]; + measurement_results[uid] = table(); # Request data from peers. 
- event Measurement::cluster_filter_request(uid, filter$id, filter$name); + event Measurement::cluster_measurement_request(uid, m$id); # Schedule the next finish_period event. - schedule filter$every { Measurement::finish_period(filter) }; + schedule m$epoch { Measurement::finish_period(m) }; } -# This is unlikely to be called often, but it's here in case there are metrics +# This is unlikely to be called often, but it's here in case there are measurements # being collected by managers. -function data_added(filter: Filter, index: Index, val: ResultVal) +function data_added(m: Measurement, key: Key, result: Result) { - if ( check_thresholds(filter, index, val, 1.0) ) - threshold_crossed(filter, index, val); + #if ( check_thresholds(m, key, val, 1.0) ) + # threshold_crossed(m, key, val); } -event Measurement::cluster_index_response(uid: string, id: string, filter_name: string, index: Index, val: ResultVal) +event Measurement::cluster_key_response(uid: string, mid: string, key: Key, result: Result) { - #print fmt("%0.6f MANAGER: receiving index data from %s - %s=%s", network_time(), get_event_peer()$descr, index2str(index), val); + #print fmt("%0.6f MANAGER: receiving key data from %s - %s=%s", network_time(), get_event_peer()$descr, key2str(key), val); # We only want to try and do a value merge if there are actually measured datapoints - # in the ResultVal. - if ( val$num > 0 && [uid, id, filter_name, index] in index_requests ) - index_requests[uid, id, filter_name, index] = merge_result_vals(index_requests[uid, id, filter_name, index], val); + # in the Result. + if ( result$num > 0 && uid in key_requests ) + key_requests[uid] = compose_resultvals(key_requests[uid], result); else - index_requests[uid, id, filter_name, index] = val; + key_requests[uid] = result; # Mark that this worker is done. ++done_with[uid]; 
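Review bot: The manager-side `data_added` now has its threshold check commented out, so a data point added on the manager itself can never trigger `threshold_crossed`, a silent regression from the removed `check_thresholds(filter, index, val, 1.0)` call. The commented lines only fail because they use `val` while the parameter is named `result`; `if ( check_thresholds(m, key, result, 1.0) ) threshold_crossed(m, key, result);` restores the behaviour. The `cluster_key_response` handler declares `result: Result` while the export block in the first hunk declares `result: ResultTable`; the two must match. The `if ( uid in measurement_results ) delete measurement_results[uid];` test in `finish_period` is dead since `uid` comes straight from `unique_id("")`.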
@@ -219,27 +213,27 @@ event Measurement::cluster_index_response(uid: string, id: string, filter_name: #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); if ( Cluster::worker_count == done_with[uid] ) { - local ir = index_requests[uid, id, filter_name, index]; - if ( check_thresholds(filter_store[id, filter_name], index, ir, 1.0) ) - { - threshold_crossed(filter_store[id, filter_name], index, ir); - } + local m = measurement_store[mid]; + local ir = key_requests[uid]; + if ( check_thresholds(m, key, ir, 1.0) ) + threshold_crossed(m, key, ir); + delete done_with[uid]; - delete index_requests[uid, id, filter_name, index]; + delete key_requests[uid]; # Check that there is an outstanding view before subtracting. - if ( outstanding_global_views[id, filter_name] > 0 ) - --outstanding_global_views[id, filter_name]; + if ( outstanding_global_views[mid] > 0 ) + --outstanding_global_views[mid]; } } # Managers handle intermediate updates here. -event Measurement::cluster_index_intermediate_response(id: string, filter_name: string, index: Index) +event Measurement::cluster_key_intermediate_response(mid: string, key: Key) { - #print fmt("MANAGER: receiving intermediate index data from %s", get_event_peer()$descr); - #print fmt("MANAGER: requesting index data for %s", index2str(index)); + #print fmt("MANAGER: receiving intermediate key data from %s", get_event_peer()$descr); + #print fmt("MANAGER: requesting key data for %s", key2str(key)); - if ( [id, filter_name] in outstanding_global_views && - |outstanding_global_views[id, filter_name]| > max_outstanding_global_views ) + if ( [mid] in outstanding_global_views && + |outstanding_global_views[mid]| > max_outstanding_global_views ) { # Don't do this intermediate update. Perhaps at some point in the future # we will queue and randomly select from these ignored intermediate 
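Review bot: `local m = measurement_store[mid];` indexes the store with an id taken from a worker event without checking membership; a stale or unknown id (for instance a response for a measurement the manager no longer knows about) would, as far as I can tell from Bro table semantics, abort the handler on the missing index after `done_with[uid]` has already been incremented. A guard before the lookup, `if ( mid !in measurement_store ) return;`, keeps a single bad message from wedging that uid's bookkeeping. Separately, `|outstanding_global_views[mid]| > max_outstanding_global_views` takes the size of a `count`; because the table has `&default=0`, the plain `outstanding_global_views[mid] > max_outstanding_global_views` without the preceding `[mid] in` test is enough. The `cluster_key_response` handler begins in the previous hunk.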
@@ -247,38 +241,38 @@ event Measurement::cluster_index_intermediate_response(id: string, filter_name: return; } - ++outstanding_global_views[id, filter_name]; + ++outstanding_global_views[mid]; local uid = unique_id(""); - event Measurement::cluster_index_request(uid, id, filter_name, index); + event Measurement::cluster_key_request(uid, mid, key); } -event Measurement::cluster_filter_response(uid: string, id: string, filter_name: string, data: MetricTable, done: bool) +event Measurement::cluster_measurement_response(uid: string, mid: string, data: ResultTable, done: bool) { #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr); - + # Mark another worker as being "done" for this uid. if ( done ) ++done_with[uid]; - local local_data = filter_results[uid, id, filter_name]; - local filter = filter_store[id, filter_name]; + local local_data = measurement_results[uid]; + local m = measurement_store[mid]; - for ( index in data ) + for ( key in data ) { - if ( index in local_data ) - local_data[index] = merge_result_vals(local_data[index], data[index]); + if ( key in local_data ) + local_data[key] = compose_resultvals(local_data[key], data[key]); else - local_data[index] = data[index]; + local_data[key] = data[key]; - # If a filter is done being collected, thresholds for each index + # If a measurement is done being collected, thresholds for each key # need to be checked so we're doing it here to avoid doubly iterating - # over each index. + # over each key. if ( Cluster::worker_count == done_with[uid] ) { - if ( check_thresholds(filter, index, local_data[index], 1.0) ) + if ( check_thresholds(m, key, local_data[key], 1.0) ) { - threshold_crossed(filter, index, local_data[index]); + threshold_crossed(m, key, local_data[key]); } } } 
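Review bot: `compose_resultvals(local_data[key], data[key])` and `check_thresholds(m, key, local_data[key], 1.0)` pass `local_data[key]`, which under the new `ResultTable` (`table[Key] of table[string] of Result`) is a table of per-data-id results, to functions that take a single `Result`. The merge needs to descend one level and combine per data id, and the threshold check then has to decide which data id's `Result` it evaluates; with several reducers on one measurement the current code gives no answer, and checking each one is the conservative choice. The lookups `measurement_results[uid]` and `measurement_store[mid]` are also unguarded against a response for an expired uid or an unknown measurement, so a membership check before them is worth adding. The handler continues into the next hunk.
```bro
	if ( uid !in measurement_results || mid !in measurement_store )
		return;
	local local_data = measurement_results[uid];
	local m = measurement_store[mid];

	for ( key in data )
		{
		if ( key !in local_data )
			local_data[key] = table();
		for ( data_id in data[key] )
			{
			if ( data_id in local_data[key] )
				local_data[key][data_id] = compose_resultvals(local_data[key][data_id], data[key][data_id]);
			else
				local_data[key][data_id] = data[key][data_id];

			# Thresholds are only meaningful once every worker has reported.
			if ( Cluster::worker_count == done_with[uid] &&
			     check_thresholds(m, key, local_data[key][data_id], 1.0) )
				threshold_crossed(m, key, local_data[key][data_id]);
			}
		}
	# … unchanged: done_with bookkeeping and finish-up once all workers are done …
```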
@@ -286,22 +280,14 @@ event Measurement::cluster_filter_response(uid: string, id: string, filter_name: # If the data has been collected from all peers, we are done and ready to finish. if ( Cluster::worker_count == done_with[uid] ) { - local ts = network_time(); - # Log the time this was initially requested if it's available. - if ( uid in requested_results ) - { - ts = requested_results[uid]; - delete requested_results[uid]; - } - - if ( filter?$period_finished ) - filter$period_finished(ts, filter$id, filter$name, local_data); + if ( m?$period_finished ) + m$period_finished(local_data); # Clean up - delete filter_results[uid, id, filter_name]; + delete measurement_results[uid]; delete done_with[uid]; - # Not sure I need to reset the filter on the manager. - reset(filter); + # Not sure I need to reset the measurement on the manager. + reset(m); } } diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro index 3809fb16cc..a7f22ed3b7 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/measurement/main.bro 
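Review bot: The comment `# Not sure I need to reset the measurement on the manager.` leaves an open question in the code; from the `reset` definition in main.bro, `reset(m)` only clears `result_store[m$id]`, which on the manager holds data points the manager itself fed through `add_data`, so the call matters exactly when the manager is also a data source. Replacing the comment with `# Clear results the manager collected locally so the next epoch starts clean.` records that reasoning. Dropping `requested_results` also means `period_finished(local_data)` no longer learns when the period was requested, and the `period_finished` field doc in main.bro does not say that on a cluster the callback runs only after every worker has answered; that is worth stating there. The handler begins in the previous hunk.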
@@ -5,24 +5,16 @@ module Measurement; export { - ## The metrics logging stream identifier. - redef enum Log::ID += { LOG }; - - ## This is the interval for how often threshold based notices will happen - ## after they have already fired. - const threshold_crossed_restart_interval = 1hr &redef; - ## The various calculations are all defined as plugins. type Calculation: enum { PLACEHOLDER }; - ## Represents a thing which is having metrics collected for it. An instance - ## of this record type and an id together represent a single measurement. - type Index: record { + ## Represents a thing which is having measurement results collected for it. + type Key: record { ## A non-address related metric or a sub-key for an address based metric. ## An example might be successful SSH connections by client IP address - ## where the client string would be the index value. + ## where the client string would be the key value. ## Another example might be number of HTTP requests to a particular ## value in a Host header. This is an example of a non-host based ## metric since multiple IP addresses could respond for the same Host 
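Review bot: Removing `redef enum Log::ID += { LOG }` and the `&redef` constant `threshold_crossed_restart_interval` from the export block drops two public names, and nothing in the hunk records the removal; any site policy that redefs `Measurement::threshold_crossed_restart_interval` or filters `Measurement::LOG` would stop loading. If the logging stream is gone for good (a later hunk also removes `log_metrics` and the `bro_init` that created the stream), a sentence in the commit message saying so, and naming `period_finished` as the replacement if that is the intent, would help downstream scripts.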
@@ -44,176 +36,152 @@ export { str: string &optional; }; - ## Value supplied when a metric is finished. It contains all - ## of the measurements collected for the metric. Most of the - ## fields are added by calculation plugins. - type ResultVal: record { - ## The time when this result was first started. + type Reducer: record { + ## Data stream identifier for the reducer to attach to. + stream: string; + + ## The calculations to perform on the data points. + apply: set[Calculation]; + + ## A predicate so that you can decide per key if you would like + ## to accept the data being inserted. + pred: function(key: Measurement::Key, data: Measurement::DataPoint): bool &optional; + + ## A function to normalize the key. This can be used to aggregate or + ## normalize the entire key. + normalize_key: function(key: Measurement::Key): Key &optional; + }; + + ## Value calculated for a data point stream fed into a reducer. + ## Most of the fields are added by plugins. + type Result: record { + ## The time when the first data point was added to this result value. begin: time &log; - ## The time when the last value was added to this result. + ## The time when the last data point was added to this result value. end: time &log; ## The number of measurements received. num: count &log &default=0; - - ## A sample of something being measured. This is helpful in - ## some cases for collecting information to do further detection - ## or better logging for forensic purposes. - samples: vector of string &optional; - }; - - type Measurement: record { - ## The calculations to perform on the data. - apply: set[Calculation]; - - ## A predicate so that you can decide per index if you would like - ## to accept the data being inserted. - pred: function(index: Measurement::Index, data: Measurement::DataPoint): bool &optional; - - ## A function to normalize the index. This can be used to aggregate or - ## normalize the entire index. 
- normalize_func: function(index: Measurement::Index): Index &optional; - - ## A number of sample DataPoints to collect. - samples: count &optional; }; - - type Results: record { - begin: time; - end: time; - result - }; - - ## Type to store a table of metrics result values. - type ResultTable: table[Index] of Results; + ## Type to store a table of measurement results. First table is + ## indexed on the measurement Key and the enclosed table is + ## indexed on the data id that the Key was relevant for. + type ResultTable: table[Key] of table[string] of Result; ## Filters define how the data from a metric is aggregated and handled. ## Filters can be used to set how often the measurements are cut ## and logged or how the data within them is aggregated. - type Filter: record { - ## A name for the filter in case multiple filters are being - ## applied to the same metric. In most cases the default - ## filter name is fine and this field does not need to be set. - id: string; - - ## The interval at which this filter should be "broken" and written - ## to the logging stream. The counters are also reset to zero at + type Measurement: record { + ## The interval at which this filter should be "broken" and the + ## callback called. The counters are also reset to zero at ## this time so any threshold based detection needs to be set to a ## number that should be expected to happen within this period. - every: interval; + epoch: interval; - ## Optionally provide a function to calculate a value from the ResultVal - ## structure which will be used for thresholding. If no function is - ## provided, then in the following order of preference either the - ## $unique or the $sum fields will be used. - threshold_val_func: function(val: Measurement::ResultVal): count &optional; + ## The reducers for the measurement indexed by data id. + reducers: set[Reducer]; + + ## Optionally provide a function to calculate a value from the Result + ## structure which will be used for thresholding. 
+ threshold_val: function(result: Measurement::Result): count &optional; ## The threshold value for calling the $threshold_crossed callback. threshold: count &optional; ## A series of thresholds for calling the $threshold_crossed callback. threshold_series: vector of count &optional; + + ## A callback that is called when a threshold is crossed. + threshold_crossed: function(key: Measurement::Key, result: Measurement::Result) &optional; - ## A callback with the full collection of ResultVals for this filter. + ## A callback with the full collection of Results for this filter. ## It's best to not access any global state outside of the variables ## given to the callback because there is no assurance provided as to ## where the callback will be executed on clusters. period_finished: function(data: Measurement::ResultTable) &optional; - - ## A callback that is called when a threshold is crossed. - threshold_crossed: function(index: Measurement::Index, val: Measurement::ResultVal) &optional; }; - ## Function to associate a metric filter with a metric ID. - ## - ## id: The metric ID that the filter should be associated with. - ## - ## filter: The record representing the filter configuration. - global add_filter: function(id: string, filter: Measurement::Filter); - + ## Create a measurement. + global create: function(m: Measurement::Measurement); + ## Add data into a metric. This should be called when ## a script has measured some point value and is ready to increment the ## counters. ## ## id: The metric identifier that the data represents. ## - ## index: The metric index that the value is to be added to. + ## key: The metric key that the value is to be added to. ## - ## increment: How much to increment the counter by. - global add_data: function(id: string, index: Measurement::Index, data: Measurement::DataPoint); + ## data: The data point to send into the stream. 
+ global add_data: function(id: string, key: Measurement::Key, data: Measurement::DataPoint); - ## Helper function to represent a :bro:type:`Measurement::Index` value as + ## Helper function to represent a :bro:type:`Measurement::Key` value as ## a simple string. ## - ## index: The metric index that is to be converted into a string. + ## key: The metric key that is to be converted into a string. ## - ## Returns: A string reprentation of the metric index. - global index2str: function(index: Measurement::Index): string; - - ## Event to access metrics records as they are passed to the logging framework. - global log_metrics: event(rec: Measurement::Info); + ## Returns: A string representation of the metric key. + global key2str: function(key: Measurement::Key): string; } -redef record Filter += { - # Internal use only. The metric that this filter applies to. The value is automatically set. - id: string &optional; +redef record Reducer += { + # Internal use only. Measurement ID. + mid: string &optional; }; -redef record ResultVal += { - # Internal use only. This is the queue where samples - # are maintained since the queue is self managing for - # the number of samples requested. - sample_queue: Queue::Queue &optional; - +redef record Result += { # Internal use only. Indicates if a simple threshold was already crossed. is_threshold_crossed: bool &default=F; - # Internal use only. Current index for threshold series. + # Internal use only. Current key for threshold series. threshold_series_index: count &default=0; }; -# Store the filters indexed on the metric identifier and filter name. -global filter_store: table[string, string] of Filter = table(); +redef record Measurement += { + # Internal use only (mostly for cluster coherency). + id: string &optional; +}; -# This is indexed by metric id and filter name. -global store: table[string, string] of ResultTable = table(); +# Store of reducers indexed on the data id. 
+global reducer_store: table[string] of set[Reducer] = table(); -# This is a hook for watching thresholds being crossed. It is called whenever -# index values are updated and the new val is given as the `val` argument. +# Store of results indexed on the measurement id. +global result_store: table[string] of ResultTable = table(); + +# Store of measurements indexed on the measurement id. +global measurement_store: table[string] of Measurement = table(); + +# This is called whenever +# key values are updated and the new val is given as the `val` argument. # It's only prototyped here because cluster and non-cluster have separate # implementations. -global data_added: function(filter: Filter, index: Index, val: ResultVal); +global data_added: function(m: Measurement, key: Key, result: Result); # Prototype the hook point for plugins to do calculations. -global add_to_calculation: hook(filter: Filter, val: double, data: DataPoint, result: ResultVal); -# Prototype the hook point for plugins to merge Measurements. -global plugin_merge_measurements: hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal); +global add_to_reducer: hook(r: Reducer, val: double, data: DataPoint, result: Result); +# Prototype the hook point for plugins to merge Results. +global compose_resultvals_hook: hook(result: Result, rv1: Result, rv2: Result); -# Event that is used to "finish" metrics and adapt the metrics +# Event that is used to "finish" measurements and adapt the measurement # framework for clustered or non-clustered usage. -global finish_period: event(filter: Measurement::Filter); +global finish_period: event(m: Measurement); -event bro_init() &priority=5 - { - Log::create_stream(Measurement::LOG, [$columns=Info, $ev=log_metrics]); - } - -function index2str(index: Index): string +function key2str(key: Key): string { local out = ""; - if ( index?$host ) - out = fmt("%shost=%s", out, index$host); - if ( index?$str ) - out = fmt("%s%sstr=%s", out, |out|==0 ? 
"" : ", ", index$str); - return fmt("metric_index(%s)", out); + if ( key?$host ) + out = fmt("%shost=%s", out, key$host); + if ( key?$str ) + out = fmt("%s%sstr=%s", out, |out|==0 ? "" : ", ", key$str); + return fmt("metric_key(%s)", out); } -function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal +function compose_resultvals(rv1: Result, rv2: Result): Result { - local result: ResultVal; + local result: Result; # Merge $begin (take the earliest one) result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; @@ -224,16 +192,6 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal # Merge $num result$num = rv1$num + rv2$num; - hook plugin_merge_measurements(result, rv1, rv2); - - # Merge $sample_queue - if ( rv1?$sample_queue && rv2?$sample_queue ) - result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue); - else if ( rv1?$sample_queue ) - result$sample_queue = rv1$sample_queue; - else if ( rv2?$sample_queue ) - result$sample_queue = rv2$sample_queue; - # Merge $threshold_series_index result$threshold_series_index = (rv1$threshold_series_index > rv2$threshold_series_index) ? rv1$threshold_series_index : rv2$threshold_series_index; 
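Review bot: Several doc comments in this hunk still describe the removed `Filter` API: the block above `type Measurement` begins `## Filters define how the data from a metric is aggregated and handled.`, `epoch` is documented as `The interval at which this filter should be "broken"`, `period_finished` as `the full collection of Results for this filter`, and `reducers` as `indexed by data id` although its type is `set[Reducer]`. The `add_data` doc likewise keeps `## id: The metric identifier that the data represents.` while the definition names the parameter `data_id` and uses it to look up `reducer_store`, which `create` keys on `Reducer$stream`; `## data_id: The data stream identifier the point belongs to (matched against Reducer$stream).` would match the code. The comment on the `data_added` prototype still says the new value is given as the `val` argument although the parameter is `result`. `compose_resultvals` starts in this hunk and runs through the following two.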
@@ -241,105 +199,103 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal if ( rv1$is_threshold_crossed || rv2$is_threshold_crossed ) result$is_threshold_crossed = T; + hook compose_resultvals_hook(result, rv1, rv2); + return result; } -function reset(filter: Filter) +function reset(m: Measurement) { - if ( [filter$id, filter$name] in store ) - delete store[filter$id, filter$name]; + if ( m$id in result_store ) + delete result_store[m$id]; - store[filter$id, filter$name] = table(); + result_store[m$id] = table(); } -function add_filter(id: string, filter: Filter) +function create(m: Measurement) { - if ( [id, filter$name] in store ) + m$id=unique_id(""); + measurement_store[m$id] = m; + + for ( reducer in m$reducers ) { - Reporter::warning(fmt("invalid Metric filter (%s): Filter with same name already exists.", filter$name)); - return; + reducer$mid = m$id; + if ( reducer$stream !in reducer_store ) + reducer_store[reducer$stream] = set(); + add reducer_store[reducer$stream][reducer]; } - if ( ! filter?$id ) - filter$id = id; - - filter_store[id, filter$name] = filter; - store[id, filter$name] = table(); - - schedule filter$every { Measurement::finish_period(filter) }; + reset(m); + schedule m$epoch { Measurement::finish_period(m) }; } -function add_data(id: string, index: Index, data: DataPoint) +function add_data(data_id: string, key: Key, data: DataPoint) { - # Try to add the data to all of the defined filters for the metric. - for ( [metric_id, filter_id] in filter_store ) + # Try to add the data to all of the defined reducers. + if ( data_id !in reducer_store ) + return; + + for ( r in reducer_store[data_id] ) { - local filter = filter_store[metric_id, filter_id]; - - # If this filter has a predicate, run the predicate and skip this - # index if the predicate return false. - if ( filter?$pred && ! filter$pred(index, data) ) + # If this reducer has a predicate, run the predicate + # and skip this key if the predicate return false. 
+ if ( r?$pred && ! r$pred(key, data) ) next; - #if ( filter?$normalize_func ) - # index = filter$normalize_func(copy(index)); + if ( r?$normalize_key ) + key = r$normalize_key(copy(key)); - local metric_tbl = store[id, filter$name]; - if ( index !in metric_tbl ) - metric_tbl[index] = [$begin=network_time(), $end=network_time()]; + local m = measurement_store[r$mid]; + local results = result_store[m$id]; + if ( key !in results ) + results[key] = table(); + if ( data_id !in results[key] ) + results[key][data_id] = [$begin=network_time(), $end=network_time()]; - local result = metric_tbl[index]; + local result = results[key][data_id]; + ++result$num; + # Continually update the $end field. + result$end=network_time(); # If a string was given, fall back to 1.0 as the value. local val = 1.0; if ( data?$num || data?$dbl ) val = data?$dbl ? data$dbl : data$num; - ++result$num; - # Continually update the $end field. - result$end=network_time(); - - #if ( filter?$samples && filter$samples > 0 && data?$str ) - # { - # if ( ! result?$sample_queue ) - # result$sample_queue = Queue::init([$max_len=filter$samples]); - # Queue::push(result$sample_queue, data$str); - # } - - hook add_to_calculation(filter, val, data, result); - data_added(filter, index, result); + hook add_to_reducer(r, val, data, result); + data_added(m, key, result); } } # This function checks if a threshold has been crossed. It is also used as a method to implement # mid-break-interval threshold crossing detection for cluster deployments. -function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_pct: double): bool +function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: double): bool { - if ( ! (filter?$threshold || filter?$threshold_series) ) - return; + if ( ! 
(m?$threshold || m?$threshold_series) ) + return F; local watch = 0.0; - if ( val?$unique ) - watch = val$unique; - else if ( val?$sum ) - watch = val$sum; + #if ( val?$unique ) + # watch = val$unique; + #else if ( val?$sum ) + # watch = val$sum; - if ( filter?$threshold_val_func ) - watch = filter$threshold_val_func(val); + if ( m?$threshold_val ) + watch = m$threshold_val(result); if ( modify_pct < 1.0 && modify_pct > 0.0 ) watch = watch/modify_pct; - if ( ! val$is_threshold_crossed && - filter?$threshold && watch >= filter$threshold ) + if ( ! result$is_threshold_crossed && + m?$threshold && watch >= m$threshold ) { # A default threshold was given and the value crossed it. return T; } - if ( filter?$threshold_series && - |filter$threshold_series| >= val$threshold_series_index && - watch >= filter$threshold_series[val$threshold_series_index] ) + if ( m?$threshold_series && + |m$threshold_series| >= result$threshold_series_index && + watch >= m$threshold_series[result$threshold_series_index] ) { # A threshold series was given and the value crossed the next # value in the series. @@ -349,19 +305,19 @@ function check_thresholds(filter: Filter, index: Index, val: ResultVal, modify_p return F; } -function threshold_crossed(filter: Filter, index: Index, val: ResultVal) +function threshold_crossed(m: Measurement, key: Key, result: Result) { - if ( ! filter?$threshold_crossed ) + if ( ! m?$threshold_crossed ) return; - if ( val?$sample_queue ) - val$samples = Queue::get_str_vector(val$sample_queue); + #if ( val?$sample_queue ) + # val$samples = Queue::get_str_vector(val$sample_queue); - filter$threshold_crossed(index, val); - val$is_threshold_crossed = T; + m$threshold_crossed(key, result); + result$is_threshold_crossed = T; # Bump up to the next threshold series index if a threshold series is being used. - if ( filter?$threshold_series ) - ++val$threshold_series_index; + if ( m?$threshold_series ) + ++result$threshold_series_index; } 
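Review bot: In add_data the normalized key is written back into the `key` parameter (`key = r$normalize_key(copy(key));`) inside the loop over `reducer_store[data_id]`, so a key rewritten by one reducer is what the next reducer's `pred` and `normalize_key` see, and the stored key ends up depending on set iteration order. Keep the parameter untouched and use a per-reducer local, e.g. `local k = r?$normalize_key ? r$normalize_key(copy(key)) : key;`, then index `results[k]` and call `data_added(m, k, result)`. In check_thresholds the `val$unique`/`val$sum` fallback is commented out, so `watch` stays at 0.0 unless `$threshold_val` is supplied and a Measurement configured with only `$threshold` never fires; either restore a default or document that `$threshold_val` is required for thresholds to work. The series check `|m$threshold_series| >= result$threshold_series_index` still admits an index equal to the vector length, which is out of range if the index is 0-based; `>` is the safe bound.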
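Review bot: threshold_crossed keeps the old `val?$sample_queue` / `Queue::get_str_vector` lines as commented-out code even though sampling now lives in the sample plugin; dead commented code in this path ages badly, so drop it or replace it with a single pointer, `# Sample export moved to plugins/sample.bro.`. It would also help to document on the function that `result$is_threshold_crossed` only gates the scalar `$threshold` check in check_thresholds, while a `$threshold_series` keeps advancing via `++result$threshold_series_index` after every crossing.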
diff --git a/scripts/base/frameworks/measurement/non-cluster.bro b/scripts/base/frameworks/measurement/non-cluster.bro
index 11bb7f16dc..7a0a2a2c3e 100644
--- a/scripts/base/frameworks/measurement/non-cluster.bro
+++ b/scripts/base/frameworks/measurement/non-cluster.bro
@@ -2,20 +2,23 @@ module Measurement;
-event Measurement::finish_period(filter: Filter)
+event Measurement::finish_period(m: Measurement)
 {
- local data = store[filter$id, filter$name];
- if ( filter?$period_finished )
- filter$period_finished(network_time(), filter$id, filter$name, data);
+ if ( m$id in result_store )
+ {
+ local data = result_store[m$id];
+ if ( m?$period_finished )
+ m$period_finished(data);
- reset(filter);
+ reset(m);
+ }
- schedule filter$every { Measurement::finish_period(filter) };
+ schedule m$epoch { Measurement::finish_period(m) };
 }
-function data_added(filter: Filter, index: Index, val: ResultVal)
+function data_added(m: Measurement, key: Key, result: Result)
 {
- if ( check_thresholds(filter, index, val, 1.0) )
- threshold_crossed(filter, index, val);
+ if ( check_thresholds(m, key, result, 1.0) )
+ threshold_crossed(m, key, result);
 }
diff --git a/scripts/base/frameworks/measurement/plugins/__load__.bro b/scripts/base/frameworks/measurement/plugins/__load__.bro
index b708f917d1..0d4c2ed302 100644
--- a/scripts/base/frameworks/measurement/plugins/__load__.bro
+++ b/scripts/base/frameworks/measurement/plugins/__load__.bro
@@ -1,6 +1,7 @@
 @load ./average
 @load ./max
 @load ./min
+@load ./sample
 @load ./std-dev
 @load ./sum
 @load ./unique
diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/measurement/plugins/average.bro
index d3e1bef4d5..629cb2fc7b 100644
--- a/scripts/base/frameworks/measurement/plugins/average.bro
+++ b/scripts/base/frameworks/measurement/plugins/average.bro
@@ -1,5 +1,5 @@
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
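Review bot: finish_period reschedules itself unconditionally, so once `m$id` is no longer in `result_store` the epoch timer keeps firing forever and does nothing each time; if the new guard is only meant to cover the window before `create()` has called `reset()`, say so with `# result_store[m$id] is created by reset() from create().`, otherwise move the `schedule` inside the `if`. Also worth a comment on `local data = result_store[m$id];`: the callback receives the epoch's table by reference and `reset(m)` then replaces rather than clears it, so `period_finished` may keep `data` as a frozen snapshot.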
@@ -7,15 +7,15 @@ export {
 AVERAGE
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this calculates the average of all values.
 average: double &log &optional;
 };
 }
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal)
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( AVERAGE in filter$measure )
+ if ( AVERAGE in r$apply )
 {
 if ( ! result?$average )
 result$average = val;
@@ -24,7 +24,7 @@ hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: Re
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
 {
 if ( rv1?$average && rv2?$average )
 result$average = ((rv1$average*rv1$num) + (rv2$average*rv2$num))/(rv1$num+rv2$num);
diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/measurement/plugins/max.bro
index 806713dbd4..5138e3f684 100644
--- a/scripts/base/frameworks/measurement/plugins/max.bro
+++ b/scripts/base/frameworks/measurement/plugins/max.bro
@@ -1,5 +1,5 @@
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
@@ -7,15 +7,15 @@ export {
 MAX
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this tracks the maximum value given.
 max: double &log &optional;
 };
 }
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal)
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( MAX in filter$measure )
+ if ( MAX in r$apply )
 {
 if ( ! result?$max )
 result$max = val;
@@ -24,7 +24,7 @@ hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: Re
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
 {
 if ( rv1?$max && rv2?$max )
 result$max = (rv1$max > rv2$max) ? rv1$max : rv2$max;
diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/measurement/plugins/min.bro
index e0d4003b31..ebdbb39373 100644
--- a/scripts/base/frameworks/measurement/plugins/min.bro
+++ b/scripts/base/frameworks/measurement/plugins/min.bro
@@ -1,5 +1,5 @@
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
@@ -7,15 +7,15 @@ export {
 MIN
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this tracks the minimum value given.
 min: double &log &optional;
 };
 }
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal)
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( MIN in filter$measure )
+ if ( MIN in r$apply )
 {
 if ( ! result?$min )
 result$min = val;
@@ -24,7 +24,7 @@ hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: Re
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
 {
 if ( rv1?$min && rv2?$min )
 result$min = (rv1$min < rv2$min) ? rv1$min : rv2$min;
diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro
new file mode 100644
index 0000000000..3edd92ce13
--- /dev/null
+++ b/scripts/base/frameworks/measurement/plugins/sample.bro
@@ -0,0 +1,45 @@
+
+module Measurement;
+
+export {
+
+ redef record Reducer += {
+ ## A number of sample DataPoints to collect.
+ samples: count &default=0;
+ };
+
+ redef record Result += {
+ ## A sample of something being measured. This is helpful in
+ ## some cases for collecting information to do further detection
+ ## or better logging for forensic purposes.
+ samples: vector of Measurement::DataPoint &optional;
+ };
+}
+
+redef record Result += {
+ # Internal use only. This is the queue where samples
+ # are maintained since the queue is self managing for
+ # the number of samples requested.
+ sample_queue: Queue::Queue &optional;
+};
+
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
+ {
+ if ( r$samples > 0 )
+ {
+ if ( ! result?$sample_queue )
+ result$sample_queue = Queue::init([$max_len=r$samples]);
+ Queue::push(result$sample_queue, data$str);
+ }
+ }
+
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
+ {
+ # Merge $sample_queue
+ if ( rv1?$sample_queue && rv2?$sample_queue )
+ result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue);
+ else if ( rv1?$sample_queue )
+ result$sample_queue = rv1$sample_queue;
+ else if ( rv2?$sample_queue )
+ result$sample_queue = rv2$sample_queue;
+ }
\ No newline at end of file
diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro
index cbd0db3416..6d13d7fc51 100644
--- a/scripts/base/frameworks/measurement/plugins/std-dev.bro
+++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro
@@ -1,7 +1,7 @@
 @load ./sum
 @load ./variance
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
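Review bot: `Queue::push(result$sample_queue, data$str)` reads `$str` unconditionally, but `DataPoint` declares `str` as `&optional`, so a numeric data point arriving on a reducer with `$samples > 0` hits a missing-field runtime error; guard it with `if ( data?$str )`, or queue the whole `data` record, which is what the `samples: vector of Measurement::DataPoint` field implies. That `samples` field is declared here but never assigned anywhere in this file, and the old `Queue::get_str_vector` call in main.bro's threshold_crossed is commented out in this same commit, so consumers get an internal queue of strings and an always-absent vector; a comment on the field stating who is expected to fill it would avoid that surprise. The file also ends without a trailing newline.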
@@ -9,23 +9,23 @@ export {
 STD_DEV
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this calculates the standard deviation.
 std_dev: double &log &optional;
 };
 }
 # This depends on the variance plugin which uses priority -5
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=-10
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( STD_DEV in filter$measure )
+ if ( STD_DEV in r$apply )
 {
 if ( result?$variance )
 result$std_dev = sqrt(result$variance);
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-10
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) &priority=-10
 {
 if ( rv1?$sum || rv2?$sum )
 {
diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro
index 2f615ffb6c..7e8b6ff692 100644
--- a/scripts/base/frameworks/measurement/plugins/sum.bro
+++ b/scripts/base/frameworks/measurement/plugins/sum.bro
@@ -1,5 +1,5 @@
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
@@ -8,15 +8,15 @@ export {
 SUM
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this tracks the sum of all values.
 sum: double &log &optional;
 };
 }
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal)
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( SUM in filter$measure )
+ if ( SUM in r$apply )
 {
 if ( ! result?$sum )
 result$sum = 0;
@@ -24,7 +24,7 @@ hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: Re
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
 {
 if ( rv1?$sum || rv2?$sum )
 {
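Review bot: The STD_DEV `add_to_reducer` hook drops the `&priority=-10` that the old `add_to_calculation` hook carried, while the comment directly above it still says it depends on the variance plugin's `&priority=-5` hook; at default priority it runs before variance is updated, so `std_dev` is computed from the previous data point's variance. Restore it: `hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) &priority=-10`. The same priority loss appears in variance.bro, where the first `add_to_reducer` hook (the one saving `result$prev_avg = result$average`) lost its `&priority=5` and so no longer reliably runs before the average plugin updates `$average`; the merge hooks in both files keep their priorities, so only the reducer hooks are affected.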
diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro
index 66cab47897..4f30206a4e 100644
--- a/scripts/base/frameworks/measurement/plugins/unique.bro
+++ b/scripts/base/frameworks/measurement/plugins/unique.bro
@@ -1,5 +1,5 @@
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
@@ -7,14 +7,14 @@ export {
 UNIQUE
 };
- redef record ResultVal += {
+ redef record Result += {
 ## If cardinality is being tracked, the number of unique
 ## items is tracked here.
 unique: count &log &optional;
 };
 }
-redef record ResultVal += {
+redef record Result += {
 # Internal use only. This is not meant to be publically available
 # because we don't want to trust that we can inspect the values
 # since we will like move to a probalistic data structure in the future.
@@ -22,17 +22,18 @@ redef record ResultVal += {
 unique_vals: set[DataPoint] &optional;
 };
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal)
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( UNIQUE in filter$measure )
+ if ( UNIQUE in r$apply )
 {
 if ( ! result?$unique_vals )
 result$unique_vals=set();
 add result$unique_vals[data];
+ result$unique = |result$unique_vals|;
 }
 }
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result)
 {
 if ( rv1?$unique_vals || rv2?$unique_vals )
 {
diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro
index df83361c35..07a7293539 100644
--- a/scripts/base/frameworks/measurement/plugins/variance.bro
+++ b/scripts/base/frameworks/measurement/plugins/variance.bro
@@ -1,6 +1,6 @@
 @load ./average
-module Metrics;
+module Measurement;
 export {
 redef enum Calculation += {
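Review bot: `result$unique = |result$unique_vals|;` keeps the logged count in step on every insert, but the merge side (`compose_resultvals_hook`, whose body continues past the hunk) has to assign `result$unique` after it unions the two sets as well, otherwise a cluster-merged Result reports whichever side's count was copied last; I cannot see that code here, so please confirm. A comment on `unique_vals` is also due: it grows with every distinct DataPoint per key until the epoch resets it, and for a stream keyed on values chosen by remote hosts (Host headers, addresses) that is a per-key memory cost bounded only by the epoch length, which is exactly the motivation the existing comment gives for moving to a probabilistic structure.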
@@ -8,13 +8,13 @@ export {
 VARIANCE
 };
- redef record ResultVal += {
+ redef record Result += {
 ## For numeric data, this calculates the variance.
 variance: double &log &optional;
 };
 }
-redef record ResultVal += {
+redef record Result += {
 # Internal use only. Used for incrementally calculating variance.
 prev_avg: double &optional;
@@ -22,16 +22,16 @@ redef record ResultVal += {
 var_s: double &optional;
 };
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=5
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result)
 {
- if ( VARIANCE in filter$measure )
+ if ( VARIANCE in r$apply )
 result$prev_avg = result$average;
 }
 # Reduced priority since this depends on the average
-hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: ResultVal) &priority=-5
+hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) &priority=-5
 {
- if ( VARIANCE in filter$measure )
+ if ( VARIANCE in r$apply )
 {
 if ( ! result?$var_s )
 result$var_s = 0.0;
@@ -41,7 +41,7 @@ hook add_to_calculation(filter: Filter, val: double, data: DataPoint, result: Re
 }
 # Reduced priority since this depends on the average
-hook plugin_merge_measurements(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-5
+hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) &priority=-5
 {
 if ( rv1?$var_s && rv2?$var_s )
 {
diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro
index 68deddaa29..d76511fe98 100644
--- a/scripts/policy/misc/app-metrics.bro
+++ b/scripts/policy/misc/app-metrics.bro
@@ -16,51 +16,33 @@ export {
 };
 ## The frequency of logging the stats collected by this script.
- const break_interval = 15mins &redef;
+ const break_interval = 1min &redef;
 }
 redef record connection += {
 resp_hostname: string &optional;
 };
-function app_metrics_rollup(index: Measurement::Index, vals: table[string, string] of Measurement::ResultVal)
- {
- local l: Info;
- l$ts = network_time();
- for ( [metric_name, filter_name] in vals )
- {
- local val = vals[metric_name, filter_name];
- l$app = index$str;
- if ( metric_name == "apps.bytes" )
- l$bytes = double_to_count(floor(val$sum));
- else if ( metric_name == "apps.hits" )
- {
- l$hits = val$num;
- l$uniq_hosts = val$unique;
- }
- }
- }
 event bro_init() &priority=3
 {
 Log::create_stream(AppMeasurement::LOG, [$columns=Info]);
- #Measurement::create_index_rollup("AppMeasurement", app_metrics_rollup);
- #Measurement::add_filter("apps.bytes", [$every=break_interval, $measure=set(Measurement::SUM), $rollup="AppMeasurement"]);
- #Measurement::add_filter("apps.hits", [$every=break_interval, $measure=set(Measurement::UNIQUE), $rollup="AppMeasurement"]);
-
+ local r1: Measurement::Reducer = [$stream="apps.bytes", $apply=set(Measurement::SUM)];
+ local r2: Measurement::Reducer = [$stream="apps.hits", $apply=set(Measurement::UNIQUE)];
 Measurement::create([$epoch=break_interval,
- $measurements=table(["apps.bytes"] = [$apply=set(Measurement::SUM)],
- ["apps.hits"] = [$apply=set(Measurement::UNIQUE)]),
- $period_finished(result: Measurement::Results) =
+ $reducers=set(r1, r2),
+ $period_finished(data: Measurement::ResultTable) =
 {
 local l: Info;
 l$ts = network_time();
- for ( index in result )
+ for ( key in data )
 {
- l$bytes = double_to_count(floor(result[index]["apps.bytes"]$sum));
- l$hits = result[index]["apps.hits"]$num;
- l$uniq_hosts = result[index]["apps.hits"]$unique;
+ local result = data[key];
+ l$app = key$str;
+ l$bytes = double_to_count(floor(result["apps.bytes"]$sum));
+ l$hits = result["apps.hits"]$num;
+ l$uniq_hosts = result["apps.hits"]$unique;
 Log::write(LOG, l);
 }
 }]);
From 53f9948b02a0ff53f8bd94c4c79f10db603d9c3a Mon Sep 17 00:00:00 2001
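Review bot: Inside `$period_finished`, `result["apps.bytes"]$sum` and `result["apps.hits"]$num` index the per-key table without checking membership, so a key seen on only one stream during the epoch (hits recorded with no byte count, or vice versa) raises a missing-index error inside the logging callback; guard each read with `if ( "apps.bytes" in result )` and likewise for `"apps.hits"`. `local l: Info;` is declared once outside the `for` loop and reused across keys, so any field not rewritten on a later iteration carries over from the previous key; declaring it inside the loop avoids that. `break_interval` also drops from 15mins to 1min, which reads like a debugging value rather than an intended default and deserves a word in the commit message if it is deliberate.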
From: Seth Hall Date: Mon, 1 Apr 2013 14:16:37 -0400 Subject: [PATCH 066/134] Measurement framework tests all pass now. --- .../base/frameworks/measurement/cluster.bro | 136 ++++++----- scripts/base/frameworks/measurement/main.bro | 228 +++++++++++------- .../frameworks/measurement/non-cluster.bro | 10 +- .../measurement/plugins/average.bro | 14 +- .../frameworks/measurement/plugins/max.bro | 16 +- .../frameworks/measurement/plugins/min.bro | 16 +- .../frameworks/measurement/plugins/sample.bro | 14 +- .../measurement/plugins/std-dev.bro | 29 ++- .../frameworks/measurement/plugins/sum.bro | 27 ++- .../frameworks/measurement/plugins/unique.bro | 18 +- .../measurement/plugins/variance.bro | 28 ++- .../manager-1..stdout | 4 + .../.stdout | 3 + .../manager-1..stdout | 1 + .../.stdout | 6 + .../frameworks/measurement/basic-cluster.bro | 83 +++++++ .../base/frameworks/measurement/basic.bro | 34 +++ .../cluster-intermediate-update.bro | 33 ++- .../frameworks/measurement/thresholding.bro | 73 ++++++ .../base/frameworks/metrics/basic-cluster.bro | 88 ------- .../scripts/base/frameworks/metrics/basic.bro | 20 -- .../base/frameworks/metrics/thresholding.bro | 44 ---- 22 files changed, 544 insertions(+), 381 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout create mode 100644 testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro create mode 100644 testing/btest/scripts/base/frameworks/measurement/basic.bro rename testing/btest/scripts/base/frameworks/{metrics => measurement}/cluster-intermediate-update.bro (56%) create mode 100644 
testing/btest/scripts/base/frameworks/measurement/thresholding.bro delete mode 100644 testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro delete mode 100644 testing/btest/scripts/base/frameworks/metrics/basic.bro delete mode 100644 testing/btest/scripts/base/frameworks/metrics/thresholding.bro diff --git a/scripts/base/frameworks/measurement/cluster.bro b/scripts/base/frameworks/measurement/cluster.bro index 9c35b85b32..481b306417 100644 --- a/scripts/base/frameworks/measurement/cluster.bro +++ b/scripts/base/frameworks/measurement/cluster.bro 
@@ -33,70 +33,78 @@ export { ## The goal for this option is also meant to be temporary. const enable_intermediate_updates = T &redef; - # Event sent by the manager in a cluster to initiate the - # collection of metrics values for a measurement. + ## Event sent by the manager in a cluster to initiate the + ## collection of metrics values for a measurement. global cluster_measurement_request: event(uid: string, mid: string); - # Event sent by nodes that are collecting metrics after receiving - # a request for the metric measurement from the manager. + ## Event sent by nodes that are collecting metrics after receiving + ## a request for the metric measurement from the manager. global cluster_measurement_response: event(uid: string, mid: string, data: ResultTable, done: bool); - # This event is sent by the manager in a cluster to initiate the - # collection of a single key value from a measurement. It's typically - # used to get intermediate updates before the break interval triggers - # to speed detection of a value crossing a threshold. + ## This event is sent by the manager in a cluster to initiate the + ## collection of a single key value from a measurement. It's typically + ## used to get intermediate updates before the break interval triggers + ## to speed detection of a value crossing a threshold. global cluster_key_request: event(uid: string, mid: string, key: Key); - # This event is sent by nodes in response to a - # :bro:id:`Measurement::cluster_key_request` event. - global cluster_key_response: event(uid: string, mid: string, key: Key, result: ResultTable); + ## This event is sent by nodes in response to a + ## :bro:id:`Measurement::cluster_key_request` event. 
+ global cluster_key_response: event(uid: string, mid: string, key: Key, result: Result); - # This is sent by workers to indicate that they crossed the percent of the - # current threshold by the percentage defined globally in - # :bro:id:`Measurement::cluster_request_global_view_percent` + ## This is sent by workers to indicate that they crossed the percent of the + ## current threshold by the percentage defined globally in + ## :bro:id:`Measurement::cluster_request_global_view_percent` global cluster_key_intermediate_response: event(mid: string, key: Measurement::Key); - # This event is scheduled internally on workers to send result chunks. - global send_data: event(uid: string, id: string, measurement_name: string, data: ResultTable); + ## This event is scheduled internally on workers to send result chunks. + global send_data: event(uid: string, mid: string, data: ResultTable); } # Add events to the cluster framework to make this work. redef Cluster::manager2worker_events += /Measurement::cluster_(measurement_request|key_request)/; +redef Cluster::manager2worker_events += /Measurement::new_measurement/; redef Cluster::worker2manager_events += /Measurement::cluster_(measurement_response|key_response|key_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -# This variable is maintained to know what keysthey have recently sent as +# This variable is maintained to know what keys have recently sent as # intermediate updates so they don't overwhelm their manager. The count that is # yielded is the number of times the percentage threshold has been crossed and # an intermediate result has been received. -global recent_global_view_keys: table[string, string, Key] of count &create_expire=1min &default=0; +global recent_global_view_keys: table[string, Key] of count &create_expire=1min &default=0; + +event bro_init() &priority=-100 + { + # The manager is the only host allowed to track these. 
+ measurement_store = table(); + reducer_store = table(); + } # This is done on all non-manager node types in the event that a metric is # being collected somewhere other than a worker. -function data_added(measurement: Filter, key: Key, val: Result) +function data_added(m: Measurement, key: Key, result: Result) { # If an intermediate update for this value was sent recently, don't send # it again. - if ( [measurement$id, measurement$name, key] in recent_global_view_keys ) + if ( [m$id, key] in recent_global_view_keys ) return; # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that # crosses the full threshold then it's a candidate to send as an # intermediate update. if ( enable_intermediate_updates && - check_thresholds(measurement, key, val, cluster_request_global_view_percent) ) + check_thresholds(m, key, result, cluster_request_global_view_percent) ) { # kick off intermediate update - event Measurement::cluster_key_intermediate_response(measurement$id, measurement$name, key); - ++recent_global_view_keys[measurement$id, measurement$name, key]; + event Measurement::cluster_key_intermediate_response(m$id, key); + ++recent_global_view_keys[m$id, key]; } } -event Measurement::send_data(uid: string, id: string, data: ResultTable) +event Measurement::send_data(uid: string, mid: string, data: ResultTable) { #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid); - - local local_data: ResultTable; + + local local_data: ResultTable = table(); local num_added = 0; for ( key in data ) { 
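Review bot: The new `bro_init() &priority=-100` on non-manager nodes empties `measurement_store` and `reducer_store`, but its comment `# The manager is the only host allowed to track these.` does not say why a node's own `create()` calls are thrown away or where the tables come back from; suggest `# Discard locally created measurements: the manager's copies (with its ids) arrive via send_id() once the handshake completes.` Until that push lands, `add_data` on a worker finds `reducer_store` empty and, at least as of the earlier patch's `if ( data_id !in reducer_store ) return;`, drops data silently; a Reporter message or a note in this block about that startup window would help whoever debugs missing early results.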
@@ -114,9 +122,9 @@ event Measurement::send_data(uid: string, id: string, data: ResultTable)
 if ( |data| == 0 )
 done = T;
- event Measurement::cluster_measurement_response(uid, local_data, done);
+ event Measurement::cluster_measurement_response(uid, mid, local_data, done);
 if ( ! done )
- event Measurement::send_data(uid, mid, data);
+ schedule 0.01 sec { Measurement::send_data(uid, mid, data) };
 }
 event Measurement::cluster_measurement_request(uid: string, mid: string)
@@ -128,12 +136,13 @@ event Measurement::cluster_measurement_request(uid: string, mid: string)
 # Lookup the actual measurement and reset it, the reference to the data
 # currently stored will be maintained internally by the send_data event.
- reset(measurement_store[mid]);
+ if ( mid in measurement_store )
+ reset(measurement_store[mid]);
 }
 event Measurement::cluster_key_request(uid: string, mid: string, key: Key)
 {
- if ( [mid] in result_store && key in result_store[mid] )
+ if ( mid in result_store && key in result_store[mid] )
 {
 #print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data);
 event Measurement::cluster_key_response(uid, mid, key, result_store[mid][key]);
@@ -142,7 +151,7 @@ event Measurement::cluster_key_request(uid: string, mid: string, key: Key)
 {
 # We need to send an empty response if we don't have the data so that the manager
 # can know that it heard back from all of the workers.
- event Measurement::cluster_key_response(uid, mid, key, [$begin=network_time(), $end=network_time()]);
+ event Measurement::cluster_key_response(uid, mid, key, table());
 }
 }
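Review bot: `cluster_measurement_request` now ignores an unknown `mid` instead of failing on `measurement_store[mid]`, but nothing tells the manager; if the `send_data` kick-off above this hunk is skipped for the same reason, `done_with[uid]` never reaches `Cluster::worker_count` and that epoch's `measurement_results[uid]` sits until `&read_expire` discards it. Replying with an empty table and `done=T` in that case, the way `cluster_key_request` already answers a missing key, keeps the manager's accounting correct; the enclosing event starts outside the hunk, so I cannot confirm what precedes the `reset`. In the hunk above, `schedule 0.01 sec` is an unexplained literal; a named `const` with a one-line comment on why chunk sends are deferred rather than raised inline would document the intent.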
@@ -152,62 +161,70 @@ event Measurement::cluster_key_request(uid: string, mid: string, key: Key) @if ( Cluster::local_node_type() == Cluster::MANAGER ) # This variable is maintained by manager nodes as they collect and aggregate -# results. It's index on a uid. +# results. +# Index on a uid. global measurement_results: table[string] of ResultTable &read_expire=1min; # This variable is maintained by manager nodes to track how many "dones" they # collected per collection unique id. Once the number of results for a uid # matches the number of peer nodes that results should be coming from, the # result is written out and deleted from here. +# Indexed on a uid. # TODO: add an &expire_func in case not all results are received. global done_with: table[string] of count &read_expire=1min &default=0; # This variable is maintained by managers to track intermediate responses as -# they are getting a global view for a certain key. Indexed on a uid. +# they are getting a global view for a certain key. +# Indexed on a uid. global key_requests: table[string] of Result &read_expire=1min; # This variable is maintained by managers to prevent overwhelming communication due # to too many intermediate updates. Each measurement is tracked separately so that -# one metric won't overwhelm and degrade other quieter metrics. Indexed on a -# measurement id. +# one won't overwhelm and degrade other quieter measurements. +# Indexed on a measurement id. global outstanding_global_views: table[string] of count &default=0; +const zero_time = double_to_time(0.0); # Managers handle logging. -event Measurement::finish_period(m: Measurement) +event Measurement::finish_epoch(m: Measurement) { - #print fmt("%.6f MANAGER: breaking %s measurement for %s metric", network_time(), measurement$name, measurement$id); - local uid = unique_id(""); - - if ( uid in measurement_results ) - delete measurement_results[uid]; - measurement_results[uid] = table(); - - # Request data from peers. 
- event Measurement::cluster_measurement_request(uid, m$id); - # Schedule the next finish_period event. - schedule m$epoch { Measurement::finish_period(m) }; + if ( network_time() > zero_time ) + { + #print fmt("%.6f MANAGER: breaking %s measurement for %s metric", network_time(), measurement$name, measurement$id); + local uid = unique_id(""); + + if ( uid in measurement_results ) + delete measurement_results[uid]; + measurement_results[uid] = table(); + + # Request data from peers. + event Measurement::cluster_measurement_request(uid, m$id); + } + + # Schedule the next finish_epoch event. + schedule m$epoch { Measurement::finish_epoch(m) }; } # This is unlikely to be called often, but it's here in case there are measurements # being collected by managers. function data_added(m: Measurement, key: Key, result: Result) { - #if ( check_thresholds(m, key, val, 1.0) ) - # threshold_crossed(m, key, val); + if ( check_thresholds(m, key, result, 1.0) ) + threshold_crossed(m, key, result); } event Measurement::cluster_key_response(uid: string, mid: string, key: Key, result: Result) { - #print fmt("%0.6f MANAGER: receiving key data from %s - %s=%s", network_time(), get_event_peer()$descr, key2str(key), val); + #print fmt("%0.6f MANAGER: receiving key data from %s - %s=%s", network_time(), get_event_peer()$descr, key2str(key), result); # We only want to try and do a value merge if there are actually measured datapoints # in the Result. - if ( result$num > 0 && uid in key_requests ) - key_requests[uid] = compose_resultvals(key_requests[uid], result); + if ( uid in key_requests ) + key_requests[uid] = compose_results(key_requests[uid], result); else key_requests[uid] = result; - # Mark that this worker is done. + # Mark that a worker is done. ++done_with[uid]; #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); 
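Review bot: `finish_epoch` skips the data request while `network_time() > zero_time` is false but gives no reason; a comment such as `# Before the first packet network_time() is 0, so there is nothing to collect yet; just re-arm the timer.` would explain the `zero_time` guard (that reading is my inference from the condition, so adjust if the motive differs). With the `result$num > 0` test removed from `cluster_key_response`, the empty `table()` a worker sends for a missing key is now fed straight into `compose_results`, which is fine only if that function tolerates an empty table; a comment there saying the empty-response case is expected would spare the next reader the same check. The existing TODO on `done_with` still applies: a worker that never answers leaves `measurement_results[uid]` to expire unlogged.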
@@ -232,7 +249,7 @@ event Measurement::cluster_key_intermediate_response(mid: string, key: Key) #print fmt("MANAGER: receiving intermediate key data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting key data for %s", key2str(key)); - if ( [mid] in outstanding_global_views && + if ( mid in outstanding_global_views && |outstanding_global_views[mid]| > max_outstanding_global_views ) { # Don't do this intermediate update. Perhaps at some point in the future @@ -261,7 +278,7 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: for ( key in data ) { if ( key in local_data ) - local_data[key] = compose_resultvals(local_data[key], data[key]); + local_data[key] = compose_results(local_data[key], data[key]); else local_data[key] = data[key]; @@ -280,8 +297,8 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: # If the data has been collected from all peers, we are done and ready to finish. if ( Cluster::worker_count == done_with[uid] ) { - if ( m?$period_finished ) - m$period_finished(local_data); + if ( m?$epoch_finished ) + m$epoch_finished(local_data); # Clean up delete measurement_results[uid]; @@ -291,4 +308,9 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: } } +event remote_connection_handshake_done(p: event_peer) &priority=5 + { + send_id(p, "Measurement::measurement_store"); + send_id(p, "Measurement::reducer_store"); + } @endif diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro index a7f22ed3b7..a8e2950f5a 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/measurement/main.bro 
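Review bot: The new `remote_connection_handshake_done` handler in the last hunk pushes `Measurement::measurement_store` and `Measurement::reducer_store` to every peer that completes a handshake, with no check on what kind of node `p` is. These tables carry the full Measurement records, including the `threshold_crossed` and `epoch_finished` callbacks, so if the manager also connects to proxy or other non-worker peers they receive state they never use. Consider limiting the sends to worker peers, or at least add a comment such as `# Workers need the manager's measurement and reducer definitions so add_data can resolve stream ids.` so the next reader knows the broadcast is deliberate.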
@@ -19,21 +19,21 @@ export { ## value in a Host header. This is an example of a non-host based ## metric since multiple IP addresses could respond for the same Host ## header value. - str: string &optional; + str: string &optional; ## Host is the value to which this metric applies. - host: addr &optional; - } &log; + host: addr &optional; + }; ## Represents data being added for a single metric data point. ## Only supply a single value here at a time. type DataPoint: record { ## Count value. - num: count &optional; + num: count &optional; ## Double value. - dbl: double &optional; + dbl: double &optional; ## String value. - str: string &optional; + str: string &optional; }; type Reducer: record { @@ -45,7 +45,7 @@ export { ## A predicate so that you can decide per key if you would like ## to accept the data being inserted. - pred: function(key: Measurement::Key, data: Measurement::DataPoint): bool &optional; + pred: function(key: Measurement::Key, point: Measurement::DataPoint): bool &optional; ## A function to normalize the key. This can be used to aggregate or ## normalize the entire key. 
@@ -54,44 +54,45 @@ export { ## Value calculated for a data point stream fed into a reducer. ## Most of the fields are added by plugins. - type Result: record { + type ResultVal: record { ## The time when the first data point was added to this result value. - begin: time &log; + begin: time; ## The time when the last data point was added to this result value. - end: time &log; + end: time; ## The number of measurements received. - num: count &log &default=0; + num: count &default=0; }; - ## Type to store a table of measurement results. First table is - ## indexed on the measurement Key and the enclosed table is - ## indexed on the data id that the Key was relevant for. - type ResultTable: table[Key] of table[string] of Result; + ## Type to store results for multiple reducers. + type Result: table[string] of ResultVal; - ## Filters define how the data from a metric is aggregated and handled. - ## Filters can be used to set how often the measurements are cut - ## and logged or how the data within them is aggregated. + ## Type to store a table of measurement results indexed by the measurement key. + type ResultTable: table[Key] of Result; + + ## Measurements represent an aggregation of reducers along with + ## mechanisms to handle various situations like the epoch ending + ## or thresholds being crossed. type Measurement: record { ## The interval at which this filter should be "broken" and the - ## callback called. The counters are also reset to zero at - ## this time so any threshold based detection needs to be set to a - ## number that should be expected to happen within this period. + ## '$epoch_finished' callback called. The results are also reset + ## at this time so any threshold based detection needs to be set to a + ## number that should be expected to happen within this epoch. epoch: interval; ## The reducers for the measurement indexed by data id. 
reducers: set[Reducer]; - ## Optionally provide a function to calculate a value from the Result + ## Provide a function to calculate a value from the :bro:see:`Result` ## structure which will be used for thresholding. - threshold_val: function(result: Measurement::Result): count &optional; + threshold_val: function(key: Measurement::Key, result: Measurement::Result): count &optional; ## The threshold value for calling the $threshold_crossed callback. - threshold: count &optional; + threshold: count &optional; ## A series of thresholds for calling the $threshold_crossed callback. - threshold_series: vector of count &optional; + threshold_series: vector of count &optional; ## A callback that is called when a threshold is crossed. threshold_crossed: function(key: Measurement::Key, result: Measurement::Result) &optional; 
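Review bot: `threshold_val` is still declared `&optional`, yet the check_thresholds hunk (`@@ -274,28 +319,37 @@`) now calls `m$threshold_val(key, result)` unconditionally after the old `if ( m?$threshold_val )` guard was removed, so a Measurement that sets `$threshold` without `$threshold_val` fails at its first data point with a missing-field error instead of at create time. Either validate the combination in `create` or state the requirement in the field doc: `## Required whenever $threshold or $threshold_series is set; the count it returns is compared against them.` The `Measurement` record continues past this hunk.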
@@ -100,22 +101,21 @@ export { ## It's best to not access any global state outside of the variables ## given to the callback because there is no assurance provided as to ## where the callback will be executed on clusters. - period_finished: function(data: Measurement::ResultTable) &optional; + epoch_finished: function(rt: Measurement::ResultTable) &optional; }; ## Create a measurement. global create: function(m: Measurement::Measurement); - ## Add data into a metric. This should be called when - ## a script has measured some point value and is ready to increment the - ## counters. + ## Add data into a data point stream. This should be called when + ## a script has measured some point value. ## - ## id: The metric identifier that the data represents. + ## id: The stream identifier that the data point represents. ## - ## key: The metric key that the value is to be added to. + ## key: The measurement key that the value is to be added to. ## - ## data: The data point to send into the stream. - global add_data: function(id: string, key: Measurement::Key, data: Measurement::DataPoint); + ## point: The data point to send into the stream. + global add_data: function(id: string, key: Measurement::Key, point: Measurement::DataPoint); ## Helper function to represent a :bro:type:`Measurement::Key` value as ## a simple string. 
@@ -124,15 +124,19 @@ export { ## ## Returns: A string representation of the metric key. global key2str: function(key: Measurement::Key): string; - + + ## This event is generated for each new measurement that is created. + ## + ## m: The record which describes a measurement. + global new_measurement: event(m: Measurement); } redef record Reducer += { - # Internal use only. Measurement ID. + # Internal use only. Provides a reference back to the related Measurement by it's ID. mid: string &optional; }; -redef record Result += { +type Thresholding: record { # Internal use only. Indicates if a simple threshold was already crossed. is_threshold_crossed: bool &default=F; @@ -143,16 +147,22 @@ redef record Result += { redef record Measurement += { # Internal use only (mostly for cluster coherency). id: string &optional; + + # Internal use only. For tracking tresholds per key. + threshold_tracker: table[Key] of Thresholding &optional; }; -# Store of reducers indexed on the data id. +# Store of measurements indexed on the measurement id. +global measurement_store: table[string] of Measurement = table(); + +# Store of reducers indexed on the data point stream id. global reducer_store: table[string] of set[Reducer] = table(); # Store of results indexed on the measurement id. global result_store: table[string] of ResultTable = table(); -# Store of measurements indexed on the measurement id. -global measurement_store: table[string] of Measurement = table(); +# Store of threshold information. +global thresholds_store: table[string, Key] of bool = table(); # This is called whenever # key values are updated and the new val is given as the `val` argument. 
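Review bot: The new global `thresholds_store: table[string, Key] of bool` is not referenced by any other hunk in this patch, while the per-key threshold state actually used lives in `Measurement$threshold_tracker`; if it is dead, drop it so there are not two things that look like the threshold store. Two comment typos in the same hunk: `tresholds` should be `thresholds` and `by it's ID` should be `by its ID`. The `Thresholding` record body continues outside the hunk.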
@@ -161,13 +171,15 @@ global measurement_store: table[string] of Measurement = table(); global data_added: function(m: Measurement, key: Key, result: Result); # Prototype the hook point for plugins to do calculations. -global add_to_reducer: hook(r: Reducer, val: double, data: DataPoint, result: Result); +global add_to_reducer_hook: hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal); +# Prototype the hook point for plugins to initialize any result values. +global init_resultval_hook: hook(r: Reducer, rv: ResultVal); # Prototype the hook point for plugins to merge Results. -global compose_resultvals_hook: hook(result: Result, rv1: Result, rv2: Result); +global compose_resultvals_hook: hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal); # Event that is used to "finish" measurements and adapt the measurement # framework for clustered or non-clustered usage. -global finish_period: event(m: Measurement); +global finish_epoch: event(m: Measurement); function key2str(key: Key): string { @@ -176,12 +188,19 @@ function key2str(key: Key): string out = fmt("%shost=%s", out, key$host); if ( key?$str ) out = fmt("%s%sstr=%s", out, |out|==0 ? "" : ", ", key$str); - return fmt("metric_key(%s)", out); + return fmt("measurement_key(%s)", out); } -function compose_resultvals(rv1: Result, rv2: Result): Result +function init_resultval(r: Reducer): ResultVal { - local result: Result; + local rv: ResultVal = [$begin=network_time(), $end=network_time()]; + hook init_resultval_hook(r, rv); + return rv; + } + +function compose_resultvals(rv1: ResultVal, rv2: ResultVal): ResultVal + { + local result: ResultVal; # Merge $begin (take the earliest one) result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; 
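Review bot: The hook prototypes keep the DataPoint parameter named `data` (`add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal)`) while `add_data` and `Reducer$pred` were renamed to `point` in this same commit, and the plugin files follow the prototype, so the rename is only half done; settling on one name now is cheaper than after more plugins appear. `init_resultval` would also benefit from a one-line comment, e.g. `# Build a fresh ResultVal stamped with the current network time and let plugins initialize their own fields.` The body of `compose_resultvals` continues outside the hunk.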
@@ -192,18 +211,40 @@ function compose_resultvals(rv1: Result, rv2: Result): Result # Merge $num result$num = rv1$num + rv2$num; - # Merge $threshold_series_index - result$threshold_series_index = (rv1$threshold_series_index > rv2$threshold_series_index) ? rv1$threshold_series_index : rv2$threshold_series_index; - - # Merge $is_threshold_crossed - if ( rv1$is_threshold_crossed || rv2$is_threshold_crossed ) - result$is_threshold_crossed = T; - hook compose_resultvals_hook(result, rv1, rv2); return result; } + +function compose_results(r1: Result, r2: Result): Result + { + local result: Result = table(); + + if ( |r1| > |r2| ) + { + for ( data_id in r1 ) + { + if ( data_id in r2 ) + result[data_id] = compose_resultvals(r1[data_id], r2[data_id]); + else + result[data_id] = r1[data_id]; + } + } + else + { + for ( data_id in r2 ) + { + if ( data_id in r1 ) + result[data_id] = compose_resultvals(r1[data_id], r2[data_id]); + else + result[data_id] = r2[data_id]; + } + } + return result; + } + + function reset(m: Measurement) { if ( m$id in result_store ) @@ -214,7 +255,10 @@ function reset(m: Measurement) function create(m: Measurement) { - m$id=unique_id(""); + if ( ! m?$id ) + m$id=unique_id(""); + local tmp: table[Key] of Thresholding = table(); + m$threshold_tracker = tmp; measurement_store[m$id] = m; for ( reducer in m$reducers ) 
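Review bot: `compose_results` silently drops reducer results: each branch iterates only the larger of `r1`/`r2`, so a `data_id` present only in the smaller table never reaches `result` (with equal sizes the `else` branch iterates `r2`, losing any id that is only in `r1`). Merging should take the union of both key sets; the rewrite below does that without the size comparison, and carries a ResultVal present on one side over unchanged. A regression test with two Result tables holding different stream ids would pin this down.
```bro
function compose_results(r1: Result, r2: Result): Result
	{
	local result: Result = table();

	# Union of both reducer ids: merge where both sides have a value,
	# otherwise carry the single ResultVal over unchanged.
	for ( data_id in r1 )
		{
		if ( data_id in r2 )
			result[data_id] = compose_resultvals(r1[data_id], r2[data_id]);
		else
			result[data_id] = r1[data_id];
		}

	for ( data_id in r2 )
		{
		if ( data_id !in result )
			result[data_id] = r2[data_id];
		}

	return result;
	}
```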
@@ -226,20 +270,20 @@ function create(m: Measurement) } reset(m); - schedule m$epoch { Measurement::finish_period(m) }; + schedule m$epoch { Measurement::finish_epoch(m) }; } -function add_data(data_id: string, key: Key, data: DataPoint) +function add_data(id: string, key: Key, point: DataPoint) { # Try to add the data to all of the defined reducers. - if ( data_id !in reducer_store ) + if ( id !in reducer_store ) return; - for ( r in reducer_store[data_id] ) + for ( r in reducer_store[id] ) { # If this reducer has a predicate, run the predicate # and skip this key if the predicate return false. - if ( r?$pred && ! r$pred(key, data) ) + if ( r?$pred && ! r$pred(key, point) ) next; if ( r?$normalize_key ) @@ -249,20 +293,21 @@ function add_data(data_id: string, key: Key, data: DataPoint) local results = result_store[m$id]; if ( key !in results ) results[key] = table(); - if ( data_id !in results[key] ) - results[key][data_id] = [$begin=network_time(), $end=network_time()]; + if ( id !in results[key] ) + results[key][id] = init_resultval(r); - local result = results[key][data_id]; - ++result$num; + local result = results[key]; + local result_val = result[id]; + ++result_val$num; # Continually update the $end field. - result$end=network_time(); + result_val$end=network_time(); # If a string was given, fall back to 1.0 as the value. local val = 1.0; - if ( data?$num || data?$dbl ) - val = data?$dbl ? data$dbl : data$num; + if ( point?$num || point?$dbl ) + val = point?$dbl ? point$dbl : point$num; - hook add_to_reducer(r, val, data, result); + hook add_to_reducer_hook(r, val, point, result_val); data_added(m, key, result); } } 
@@ -274,28 +319,37 @@ function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: if ( ! (m?$threshold || m?$threshold_series) ) return F; - local watch = 0.0; - #if ( val?$unique ) - # watch = val$unique; - #else if ( val?$sum ) - # watch = val$sum; + if ( key !in m$threshold_tracker ) + { + local tmp: Thresholding; + m$threshold_tracker[key] = tmp; + } - if ( m?$threshold_val ) - watch = m$threshold_val(result); + # Add in the extra ResultVals to make threshold_vals easier to write. + if ( |m$reducers| != |result| ) + { + for ( reducer in m$reducers ) + { + if ( reducer$stream !in result ) + result[reducer$stream] = init_resultval(reducer); + } + } + + local watch = m$threshold_val(key, result); if ( modify_pct < 1.0 && modify_pct > 0.0 ) - watch = watch/modify_pct; + watch = double_to_count(floor(watch/modify_pct)); - if ( ! result$is_threshold_crossed && - m?$threshold && watch >= m$threshold ) + local tt = m$threshold_tracker[key]; + if ( m?$threshold && ! tt$is_threshold_crossed && watch >= m$threshold ) { - # A default threshold was given and the value crossed it. + # Value crossed the threshold. return T; } if ( m?$threshold_series && - |m$threshold_series| >= result$threshold_series_index && - watch >= m$threshold_series[result$threshold_series_index] ) + |m$threshold_series| >= tt$threshold_series_index && + watch >= m$threshold_series[tt$threshold_series_index] ) { # A threshold series was given and the value crossed the next # value in the series. 
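Review bot: The threshold-series bound on the new `tt` lines is off by one: `|m$threshold_series| >= tt$threshold_series_index` still admits an index equal to the vector length, so once the last series value has been crossed and `threshold_crossed` has bumped the index, the next check reads `m$threshold_series[tt$threshold_series_index]` one past the end; it should be `|m$threshold_series| > tt$threshold_series_index`. Separately, the padding loop inserts `init_resultval(reducer)` entries into the caller's `result` table, which when reached via `data_added` is the table stored in `result_store`, so reducers that have seen no data end up persisted with `num=0` and `$begin`/`$end` equal to the check time; if that is not intended, pad a local copy instead. The function's tail (the series-crossed return and the final return) lies outside the hunk.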
@@ -307,17 +361,29 @@ function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: function threshold_crossed(m: Measurement, key: Key, result: Result) { + # If there is no callback, there is no point in any of this. if ( ! m?$threshold_crossed ) return; #if ( val?$sample_queue ) # val$samples = Queue::get_str_vector(val$sample_queue); + # Add in the extra ResultVals to make threshold_crossed callbacks easier to write. + if ( |m$reducers| != |result| ) + { + for ( reducer in m$reducers ) + { + if ( reducer$stream !in result ) + result[reducer$stream] = init_resultval(reducer); + } + } + m$threshold_crossed(key, result); - result$is_threshold_crossed = T; + local tt = m$threshold_tracker[key]; + tt$is_threshold_crossed = T; # Bump up to the next threshold series index if a threshold series is being used. if ( m?$threshold_series ) - ++result$threshold_series_index; + ++tt$threshold_series_index; } diff --git a/scripts/base/frameworks/measurement/non-cluster.bro b/scripts/base/frameworks/measurement/non-cluster.bro index 7a0a2a2c3e..35ff9dc935 100644 --- a/scripts/base/frameworks/measurement/non-cluster.bro +++ b/scripts/base/frameworks/measurement/non-cluster.bro @@ -2,18 +2,18 @@ module Measurement; -event Measurement::finish_period(m: Measurement) +event Measurement::finish_epoch(m: Measurement) { if ( m$id in result_store ) { local data = result_store[m$id]; - if ( m?$period_finished ) - m$period_finished(data); + if ( m?$epoch_finished ) + m$epoch_finished(data); reset(m); } - - schedule m$epoch { Measurement::finish_period(m) }; + + schedule m$epoch { Measurement::finish_epoch(m) }; } diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/measurement/plugins/average.bro index 629cb2fc7b..172e8c788d 100644 --- a/scripts/base/frameworks/measurement/plugins/average.bro +++ b/scripts/base/frameworks/measurement/plugins/average.bro 
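Review bot: `local tt = m$threshold_tracker[key];` in `threshold_crossed` assumes `check_thresholds` already inserted `key`; any caller that does not go through `check_thresholds` first gets a missing-index error instead of a recorded crossing. The same two-line guard used in check_thresholds (`if ( key !in m$threshold_tracker ) { local tmp: Thresholding; m$threshold_tracker[key] = tmp; }`) would make the function safe on its own. The commented-out `#if ( val?$sample_queue )` block refers to a `val` that no longer exists in this function and should be removed or finished, and the padding loop is duplicated verbatim from check_thresholds, so a small shared helper would keep the two in step.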
@@ -7,24 +7,24 @@ export { AVERAGE }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this calculates the average of all values. - average: double &log &optional; + average: double &optional; }; } -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) { if ( AVERAGE in r$apply ) { - if ( ! result?$average ) - result$average = val; + if ( ! rv?$average ) + rv$average = val; else - result$average += (val - result$average) / result$num; + rv$average += (val - rv$average) / rv$num; } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { if ( rv1?$average && rv2?$average ) result$average = ((rv1$average*rv1$num) + (rv2$average*rv2$num))/(rv1$num+rv2$num); diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/measurement/plugins/max.bro index 5138e3f684..02b536f849 100644 --- a/scripts/base/frameworks/measurement/plugins/max.bro +++ b/scripts/base/frameworks/measurement/plugins/max.bro @@ -7,24 +7,24 @@ export { MAX }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this tracks the maximum value given. - max: double &log &optional; + max: double &optional; }; } -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) { if ( MAX in r$apply ) { - if ( ! result?$max ) - result$max = val; - else if ( val > result$max ) - result$max = val; + if ( ! rv?$max ) + rv$max = val; + else if ( val > rv$max ) + rv$max = val; } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { if ( rv1?$max && rv2?$max ) result$max = (rv1$max > rv2$max) ? rv1$max : rv2$max; 
diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/measurement/plugins/min.bro index ebdbb39373..944ee9fcb4 100644 --- a/scripts/base/frameworks/measurement/plugins/min.bro +++ b/scripts/base/frameworks/measurement/plugins/min.bro @@ -7,24 +7,24 @@ export { MIN }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this tracks the minimum value given. - min: double &log &optional; + min: double &optional; }; } -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) { if ( MIN in r$apply ) { - if ( ! result?$min ) - result$min = val; - else if ( val < result$min ) - result$min = val; + if ( ! rv?$min ) + rv$min = val; + else if ( val < rv$min ) + rv$min = val; } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { if ( rv1?$min && rv2?$min ) result$min = (rv1$min < rv2$min) ? rv1$min : rv2$min; diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro index 3edd92ce13..e0084e88d1 100644 --- a/scripts/base/frameworks/measurement/plugins/sample.bro +++ b/scripts/base/frameworks/measurement/plugins/sample.bro @@ -8,7 +8,7 @@ export { samples: count &default=0; }; - redef record Result += { + redef record ResultVal += { ## A sample of something being measured. This is helpful in ## some cases for collecting information to do further detection ## or better logging for forensic purposes. 
@@ -16,24 +16,24 @@ export { }; } -redef record Result += { +redef record ResultVal += { # Internal use only. This is the queue where samples # are maintained since the queue is self managing for # the number of samples requested. sample_queue: Queue::Queue &optional; }; -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) { if ( r$samples > 0 ) { - if ( ! result?$sample_queue ) - result$sample_queue = Queue::init([$max_len=r$samples]); - Queue::push(result$sample_queue, data$str); + if ( ! rv?$sample_queue ) + rv$sample_queue = Queue::init([$max_len=r$samples]); + Queue::push(rv$sample_queue, data$str); } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { # Merge $sample_queue if ( rv1?$sample_queue && rv2?$sample_queue ) diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro index 6d13d7fc51..bcf2cdcb00 100644 --- a/scripts/base/frameworks/measurement/plugins/std-dev.bro +++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro 
@@ -9,28 +9,31 @@ export { STD_DEV }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this calculates the standard deviation. - std_dev: double &log &optional; + std_dev: double &optional; }; } +function calc_std_dev(rv: ResultVal) + { + if ( rv?$variance ) + rv$std_dev = sqrt(rv$variance); + } + # This depends on the variance plugin which uses priority -5 -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) &priority=-10 { if ( STD_DEV in r$apply ) { - if ( result?$variance ) - result$std_dev = sqrt(result$variance); + if ( rv?$variance ) + calc_std_dev(rv); + else + rv$std_dev = 0.0; } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) &priority=-10 +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-10 { - if ( rv1?$sum || rv2?$sum ) - { - result$sum = rv1?$sum ? rv1$sum : 0; - if ( rv2?$sum ) - result$sum += rv2$sum; - } - } \ No newline at end of file + calc_std_dev(result); + } diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro index 7e8b6ff692..8f989317d8 100644 --- a/scripts/base/frameworks/measurement/plugins/sum.bro +++ b/scripts/base/frameworks/measurement/plugins/sum.bro 
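Review bot: The new `else rv$std_dev = 0.0;` branch reports a standard deviation of zero whenever `rv$variance` is absent, which is precisely the case of STD_DEV being requested without VARIANCE in `r$apply`; a silent 0.0 is more misleading than leaving the field unset. Either drop the else branch or make the dependency explicit in the comment above the hook: `# Requires VARIANCE (and so AVERAGE) in r$apply; priority -10 so the variance plugin's -5 hook has already updated rv$variance.` The compose hook now calls `calc_std_dev(result)` on every merge regardless of whether STD_DEV was applied, which is harmless since it checks `rv?$variance`, but a one-line comment saying so would help.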
@@ -8,23 +8,32 @@ export { SUM }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this tracks the sum of all values. - sum: double &log &optional; + sum: double &default=0.0; }; + + type threshold_function: function(key: Measurement::Key, result: Measurement::Result): count; + global sum_threshold: function(data_id: string): threshold_function; } -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +function sum_threshold(data_id: string): threshold_function { - if ( SUM in r$apply ) + return function(key: Measurement::Key, result: Measurement::Result): count { - if ( ! result?$sum ) - result$sum = 0; - result$sum += val; - } + print fmt("data_id: %s", data_id); + print result; + return double_to_count(result[data_id]$sum); + }; } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) + { + if ( SUM in r$apply ) + rv$sum += val; + } + +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { if ( rv1?$sum || rv2?$sum ) { diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro index 4f30206a4e..5160f0df91 100644 --- a/scripts/base/frameworks/measurement/plugins/unique.bro +++ b/scripts/base/frameworks/measurement/plugins/unique.bro @@ -7,14 +7,14 @@ export { UNIQUE }; - redef record Result += { + redef record ResultVal += { ## If cardinality is being tracked, the number of unique ## items is tracked here. - unique: count &log &optional; + unique: count &optional; }; } -redef record Result += { +redef record ResultVal += { # Internal use only. This is not meant to be publically available # because we don't want to trust that we can inspect the values # since we will like move to a probalistic data structure in the future. 
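Review bot: The closure returned by `sum_threshold` still contains two debug statements, `print fmt("data_id: %s", data_id);` and `print result;`, which would write the whole Result table to stdout on every threshold check in production; remove them before merge. The following `result[data_id]$sum` indexes without a membership test, and since `check_thresholds` only pads streams that appear in `m$reducers`, a `data_id` that is not one of the measurement's streams fails with a missing-index error; `return data_id in result ? double_to_count(result[data_id]$sum) : 0;` makes the helper total. Also, with `sum` now `&default=0.0`, the `rv1?$sum || rv2?$sum` test in the compose hook is always true (its body continues outside the hunk).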
@@ -22,18 +22,18 @@ redef record Result += { unique_vals: set[DataPoint] &optional; }; -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) { if ( UNIQUE in r$apply ) { - if ( ! result?$unique_vals ) - result$unique_vals=set(); - add result$unique_vals[data]; - result$unique = |result$unique_vals|; + if ( ! rv?$unique_vals ) + rv$unique_vals=set(); + add rv$unique_vals[data]; + rv$unique = |rv$unique_vals|; } } -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) { if ( rv1?$unique_vals || rv2?$unique_vals ) { diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro index 07a7293539..dc94f39840 100644 --- a/scripts/base/frameworks/measurement/plugins/variance.bro +++ b/scripts/base/frameworks/measurement/plugins/variance.bro 
@@ -8,40 +8,40 @@ export { VARIANCE }; - redef record Result += { + redef record ResultVal += { ## For numeric data, this calculates the variance. - variance: double &log &optional; + variance: double &optional; }; } -redef record Result += { +redef record ResultVal += { # Internal use only. Used for incrementally calculating variance. prev_avg: double &optional; # Internal use only. For calculating incremental variance. - var_s: double &optional; + var_s: double &default=0.0; }; -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) +function calc_variance(rv: ResultVal) { - if ( VARIANCE in r$apply ) - result$prev_avg = result$average; + rv$variance = (rv$num > 1) ? rv$var_s/(rv$num-1) : 0.0; } # Reduced priority since this depends on the average -hook add_to_reducer(r: Reducer, val: double, data: DataPoint, result: Result) &priority=-5 +hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) &priority=-5 { if ( VARIANCE in r$apply ) { - if ( ! result?$var_s ) - result$var_s = 0.0; - result$var_s += (val - result$prev_avg) * (val - result$average); - result$variance = (val > 0) ? result$var_s/val : 0.0; + if ( rv$num > 1 ) + rv$var_s += ((val - rv$prev_avg) * (val - rv$average)); + + calc_variance(rv); + rv$prev_avg = rv$average; } } # Reduced priority since this depends on the average -hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) &priority=-5 +hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-5 { if ( rv1?$var_s && rv2?$var_s ) { @@ -62,4 +62,6 @@ hook compose_resultvals_hook(result: Result, rv1: Result, rv2: Result) &priority result$prev_avg = rv1$prev_avg; else if ( rv2?$prev_avg ) result$prev_avg = rv2$prev_avg; + + calc_variance(result); } \ No newline at end of file 
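Review bot: The `&priority=-5` `add_to_reducer_hook` reads `rv$average` and `rv$prev_avg` without `?$` checks; `average` is only set by the average plugin, so VARIANCE in `r$apply` without AVERAGE produces a missing-field error on the second data point rather than a clear message. The comment `# Reduced priority since this depends on the average` should become an enforced precondition, e.g. `if ( VARIANCE in r$apply && rv?$average )`, or the dependency documented on the VARIANCE enum. `calc_variance` deserves a one-line doc such as `# Sample variance from the running sum of squared deviations (Welford-style); 0.0 until a second point arrives.`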
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout
new file mode 100644
index 0000000000..ea8904d2e6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout
@@ -0,0 +1,4 @@
+Host: 6.5.4.3 - num:2 - sum:6.0 - avg:3.0 - max:5.0 - min:1.0 - var:8.0 - std_dev:2.8 - unique:2
+Host: 10.10.10.10 - num:1 - sum:5.0 - avg:5.0 - max:5.0 - min:5.0 - var:0.0 - std_dev:0.0 - unique:1
+Host: 1.2.3.4 - num:9 - sum:437.0 - avg:48.6 - max:95.0 - min:3.0 - var:758.8 - std_dev:27.5 - unique:8
+Host: 7.2.1.5 - num:2 - sum:145.0 - avg:72.5 - max:91.0 - min:54.0 - var:684.5 - std_dev:26.2 - unique:2
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout
new file mode 100644
index 0000000000..208b6103b7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout
@@ -0,0 +1,3 @@
+Host: 6.5.4.3 - num:1 - sum:2.0 - var:0.0 - avg:2.0 - max:2.0 - min:2.0 - std_dev:0.0 - unique:1
+Host: 1.2.3.4 - num:5 - sum:221.0 - var:1144.2 - avg:44.2 - max:94.0 - min:5.0 - std_dev:33.8 - unique:4
+Host: 7.2.1.5 - num:1 - sum:1.0 - var:0.0 - avg:1.0 - max:1.0 - min:1.0 - std_dev:0.0 - unique:1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout
new file mode 100644
index 0000000000..2a53389dc3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout
@@ -0,0 +1 @@
+A test metric threshold was crossed with a value of: 100.0
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
new file mode 100644
index 0000000000..09c65c3864
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
@@ -0,0 +1,6 @@
+THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4)
+THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
+THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4)
+THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5)
diff --git a/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro b/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro
new file mode 100644
index 0000000000..e2f5e4e7d5
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro
@@ -0,0 +1,83 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 + +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +global n = 0; + +event bro_init() &priority=5 + { + local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM, Measurement::MIN, Measurement::MAX, Measurement::AVERAGE, Measurement::STD_DEV, Measurement::VARIANCE, Measurement::UNIQUE)]; + Measurement::create([$epoch=5secs, + $reducers=set(r1), + $epoch_finished(rt: Measurement::ResultTable) = + { + for ( key in rt ) + { + local r = rt[key]["test.metric"]; + print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique); + } + + terminate(); + } + ]); + } + +event remote_connection_closed(p: event_peer) + { + terminate(); + } + +global ready_for_data: event(); +redef Cluster::manager2worker_events += /^ready_for_data$/; + +event ready_for_data() + { + if ( Cluster::node == "worker-1" ) + { + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=34]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=30]); + Measurement::add_data("test.metric", 
[$host=6.5.4.3], [$num=1]); + Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=54]); + } + if ( Cluster::node == "worker-2" ) + { + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=75]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=30]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=57]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=52]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=61]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=95]); + Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=5]); + Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=91]); + Measurement::add_data("test.metric", [$host=10.10.10.10], [$num=5]); + } + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +global peer_count = 0; +event remote_connection_handshake_done(p: event_peer) &priority=-5 + { + ++peer_count; + if ( peer_count == 2 ) + event ready_for_data(); + } + +@endif diff --git a/testing/btest/scripts/base/frameworks/measurement/basic.bro b/testing/btest/scripts/base/frameworks/measurement/basic.bro new file mode 100644 index 0000000000..e9dd21e0ef --- /dev/null +++ b/testing/btest/scripts/base/frameworks/measurement/basic.bro 
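Review bot: `global n = 0;` in the new basic-cluster.bro is never read or written anywhere else in the file (the deleted metrics version of the test counted epochs with `++n == 3`), so it is dead state; delete the line. The `$epoch_finished` callback also calls `terminate()` after the first epoch, which matches the single-window baseline but deserves a one-line comment above `terminate();`, e.g. `# One epoch is enough for the baseline; stop the manager here.`, since the test it replaces ran three epochs.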
@@ -0,0 +1,34 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init() &priority=5
+ {
+ local r1: Measurement::Reducer = [$stream="test.metric",
+ $apply=set(Measurement::SUM,
+ Measurement::VARIANCE,
+ Measurement::AVERAGE,
+ Measurement::MAX,
+ Measurement::MIN,
+ Measurement::STD_DEV,
+ Measurement::UNIQUE)];
+ Measurement::create([$epoch=3secs,
+ $reducers=set(r1),
+ $epoch_finished(data: Measurement::ResultTable) =
+ {
+ for ( key in data )
+ {
+ local r = data[key]["test.metric"];
+ print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique);
+ }
+ }
+ ]);
+
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=5]);
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=22]);
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=94]);
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=50]);
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=50]);
+
+ Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=2]);
+ Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro
similarity index 56%
rename from testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
rename to testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro
index b16645dbe6..56f44db2eb 100644
--- a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
+++ b/testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro
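Review bot: The `print fmt(...)` line orders the statistics as num, sum, var, avg, max, min, std_dev, unique, while basic-cluster.bro in this same commit prints num, sum, avg, max, min, var, std_dev, unique, so the two baselines for the same reducer set cannot be compared side by side. Use one order in both, e.g. `print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);` here, and regenerate the baseline.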
@@ -19,14 +19,20 @@ redef Log::default_rotation_interval = 0secs;
event bro_init() &priority=5
{
- Metrics::add_filter("test.metric",
- [$every=1hr,
- $measure=set(Metrics::SUM),
+ local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)];
+ Measurement::create([$epoch=1hr,
+ $reducers=set(r1),
+ $threshold_val(key: Measurement::Key, result: Measurement::Result) =
+ {
+ return double_to_count(result["test.metric"]$sum);
+ },
$threshold=100,
- $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
- print "A test metric threshold was crossed!";
+ $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
+ {
+ print fmt("A test metric threshold was crossed with a value of: %.1f", result["test.metric"]$sum);
terminate();
- }]);
+ }
+ ]);
}
event remote_connection_closed(p: event_peer)
@@ -39,13 +45,16 @@ event do_metrics(i: count)
# Worker-1 will trigger an intermediate update and then if everything
# works correctly, the data from worker-2 will hit the threshold and
# should trigger the notice.
- Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=i]);
+ Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=i]);
}
-event bro_init()
+event remote_connection_handshake_done(p: event_peer)
{
- if ( Cluster::node == "worker-1" )
- schedule 2sec { do_metrics(99) };
- if ( Cluster::node == "worker-2" )
- event do_metrics(1);
+ if ( p$descr == "manager-1" )
+ {
+ if ( Cluster::node == "worker-1" )
+ schedule 0.1sec { do_metrics(1) };
+ if ( Cluster::node == "worker-2" )
+ schedule 0.5sec { do_metrics(99) };
+ }
}
diff --git a/testing/btest/scripts/base/frameworks/measurement/thresholding.bro b/testing/btest/scripts/base/frameworks/measurement/thresholding.bro
new file mode 100644
index 0000000000..d25350930e
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/measurement/thresholding.bro
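Review bot: The ordering the second hunk depends on — worker-1's `do_metrics(1)` reaching the manager before worker-2's `do_metrics(99)` — is enforced only by the 0.1sec/0.5sec gap between the two `schedule` lines in `remote_connection_handshake_done`, so under load the roles can swap and the intermediate-update path described in the comment inside `do_metrics` may go unexercised while the baseline still passes (the final sum is 100 either way). A comment above the schedule lines should say so, e.g. `# Timing-dependent: worker-1's value must arrive first so that worker-2's pushes the sum over the threshold.`. `do_metrics` itself starts before that hunk.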
@@ -0,0 +1,73 @@ +# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: btest-diff .stdout + +redef enum Notice::Type += { + Test_Notice, +}; + +event bro_init() &priority=5 + { + local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)]; + Measurement::create([$epoch=3secs, + $reducers=set(r1), + #$threshold_val = Measurement::sum_threshold("test.metric"), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["test.metric"]$sum); + }, + $threshold=5, + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["test.metric"]; + print fmt("THRESHOLD: hit a threshold value at %.0f for %s", r$sum, Measurement::key2str(key)); + } + ]); + + local r2: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)]; + Measurement::create([$epoch=3secs, + $reducers=set(r2), + #$threshold_val = Measurement::sum_threshold("test.metric"), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["test.metric"]$sum); + }, + $threshold_series=vector(3,6,800), + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["test.metric"]; + print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", r$sum, Measurement::key2str(key)); + } + ]); + + local r3: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)]; + local r4: Measurement::Reducer = [$stream="test.metric2", $apply=set(Measurement::SUM)]; + Measurement::create([$epoch=3secs, + $reducers=set(r3, r4), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + # Calculate a ratio between sums of two reducers. 
+ if ( "test.metric2" in result && "test.metric" in result && + result["test.metric"]$sum > 0 ) + return double_to_count(result["test.metric2"]$sum / result["test.metric"]$sum); + else + return 0; + }, + # Looking for metric2 sum to be 5 times the sum of metric + $threshold=5, + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local thold = result["test.metric2"]$sum / result["test.metric"]$sum; + print fmt("THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at %.0fx for %s", thold, Measurement::key2str(key)); + } + ]); + + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=2]); + Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1]); + Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]); + Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1000]); + Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=10]); + Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=1000]); + Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=54321]); + + } diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro deleted file mode 100644 index c68a4f7beb..0000000000 --- a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro +++ /dev/null 
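Review bot: The two `#$threshold_val = Measurement::sum_threshold("test.metric"),` lines are commented-out code left next to a hand-written `$threshold_val` whose three-line body is repeated in all three `Measurement::create` calls; either use the `sum_threshold` helper (the sum.bro plugin in this series defines it) or drop the stale comments. In the ratio measurement, `$threshold_crossed` divides by `result["test.metric"]$sum` without a guard and is safe only because `$threshold_val` returns 0 unless both streams are present and that sum is > 0; a comment on the `local thold = ...` line such as `# Safe: threshold_val only reports a non-zero value when both sums exist and test.metric's is > 0.` records that dependency.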
@@ -1,88 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT -# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT -# @TEST-EXEC: btest-bg-wait 15 -# @TEST-EXEC: btest-diff manager-1/metrics.log - -@TEST-START-FILE cluster-layout.bro -redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], -}; -@TEST-END-FILE - -redef Log::default_rotation_interval = 0secs; - -global n = 0; - -event bro_init() &priority=5 - { - Metrics::add_filter("test.metric", - [$every=3secs, - $measure=set(Metrics::SUM, Metrics::MIN, Metrics::MAX, Metrics::AVG, Metrics::STD_DEV, Metrics::VARIANCE, Metrics::UNIQUE), - $period_finished(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) = - { - Metrics::write_log(ts, metric_name, filter_name, data); - if ( ++n == 3 ) - { - terminate_communication(); - terminate(); - } - } - ]); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -global ready_for_data: event(); - -redef Cluster::manager2worker_events += /ready_for_data/; - -@if ( Cluster::local_node_type() == Cluster::WORKER ) - -event ready_for_data() - { - if ( Cluster::node == "worker-1" ) - { - Metrics::add_data("test.metric", [$host=1.2.3.4], 
[$num=34]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=30]); - Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=1]); - Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=54]); - } - if ( Cluster::node == "worker-2" ) - { - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=75]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=30]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=57]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=52]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=61]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=95]); - Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=5]); - Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=91]); - } - } - -@endif - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - -global peer_count = 0; - -event remote_connection_handshake_done(p: event_peer) - { - ++peer_count; - if ( peer_count == 3 ) - event ready_for_data(); - } - -@endif diff --git a/testing/btest/scripts/base/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro deleted file mode 100644 index e665f2ea5c..0000000000 --- a/testing/btest/scripts/base/frameworks/metrics/basic.bro +++ /dev/null 
@@ -1,20 +0,0 @@ -# @TEST-EXEC: bro %INPUT -# @TEST-EXEC: btest-diff metrics.log - -event bro_init() &priority=5 - { - Metrics::add_filter("test.metric", - [$name="foo-bar", - $every=3secs, - $measure=set(Metrics::SUM, Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), - $period_finished=Metrics::write_log]); - - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=5]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=22]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=94]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=50]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=50]); - - Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=2]); - Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1]); - } diff --git a/testing/btest/scripts/base/frameworks/metrics/thresholding.bro b/testing/btest/scripts/base/frameworks/metrics/thresholding.bro deleted file mode 100644 index f39443fc2a..0000000000 --- a/testing/btest/scripts/base/frameworks/metrics/thresholding.bro +++ /dev/null 
@@ -1,44 +0,0 @@ -# @TEST-EXEC: bro %INPUT -# @TEST-EXEC: btest-diff .stdout - - -redef enum Notice::Type += { - Test_Notice, -}; - -event bro_init() &priority=5 - { - Metrics::add_filter("test.metric", - [$name="foobar", - $every=3secs, - $measure=set(Metrics::SUM), - $threshold=5, - $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - print fmt("THRESHOLD: hit a threshold value at %.0f for %s", val$sum, Metrics::index2str(index)); - }]); - - Metrics::add_filter("test.metric", - [$name="foobar2", - $every=3secs, - $measure=set(Metrics::SUM), - $threshold_series=vector(3,6,800), - $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", val$sum, Metrics::index2str(index)); - }]); - Metrics::add_filter("test.metric", - [$every=3secs, - $measure=set(Metrics::SUM), - $threshold_func(index: Metrics::Index, val: Metrics::ResultVal) = { - # This causes any data added to be cross the threshold. - return T; - }, - $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { - print fmt("THRESHOLD_FUNC: hit a threshold function value at %.0f for %s", val$sum, Metrics::index2str(index)); - }]); - - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); - Metrics::add_data("test.metric", [$host=6.5.4.3], [$num=2]); - Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1]); - Metrics::add_data("test.metric", [$host=1.2.3.4], [$num=3]); - Metrics::add_data("test.metric", [$host=7.2.1.5], [$num=1000]); - } From b477d2b02d80e0d449724e4fb812c36b480f98ab Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Mon, 1 Apr 2013 17:04:15 -0400 Subject: [PATCH 067/134] Measurement framework is ready for testing. - New, expanded API. - Calculations moved into plugins. - Scripts using measurement framework ported. - Updated the script-land queue implementation to make it more generic. - --- scripts/base/frameworks/measurement/main.bro | 8 +- .../frameworks/measurement/plugins/sample.bro | 6 +- .../frameworks/measurement/plugins/sum.bro | 6 + .../frameworks/measurement/plugins/unique.bro | 2 +- scripts/base/utils/queue.bro | 71 +++--------- scripts/policy/misc/app-metrics.bro | 19 +++- .../policy/misc/detect-traceroute/main.bro | 56 ++++------ scripts/policy/misc/scan.bro | 105 +++++++++--------- .../protocols/ftp/detect-bruteforcing.bro | 4 +- scripts/policy/protocols/http/detect-sqli.bro | 54 +++++---- .../protocols/ssh/detect-bruteforcing.bro | 38 ++++--- 11 files changed, 183 insertions(+), 186 deletions(-)
diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro
index a8e2950f5a..f649dbe1f2 100644
--- a/scripts/base/frameworks/measurement/main.bro
+++ b/scripts/base/frameworks/measurement/main.bro
@@ -255,6 +255,11 @@ function reset(m: Measurement)
function create(m: Measurement)
{
+ if ( (m?$threshold || m?$threshold_series) && ! m?$threshold_val )
+ {
+ Reporter::error("Measurement given a threshold with no $threshold_val function");
+ }
+
if ( ! m?$id )
m$id=unique_id("");
local tmp: table[Key] of Thresholding = table();
@@ -365,9 +370,6 @@ function threshold_crossed(m: Measurement, key: Key, result: Result)
if ( ! m?$threshold_crossed )
return;
- #if ( val?$sample_queue )
- # val$samples = Queue::get_str_vector(val$sample_queue);
-
# Add in the extra ResultVals to make threshold_crossed callbacks easier to write.
if ( |m$reducers| != |result| )
{
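Review bot: `create()` reports a threshold configured without `$threshold_val` through `Reporter::error` and then falls through to register the measurement anyway, so the misconfiguration is only logged and the thresholding code presumably runs later against the missing function. Return after the report: `Reporter::error("Measurement given a threshold with no $threshold_val function"); return;` (the braces around the single statement can then go). The rest of `create()` continues past the hunk.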
diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro
index e0084e88d1..018b7c9652 100644
--- a/scripts/base/frameworks/measurement/plugins/sample.bro
+++ b/scripts/base/frameworks/measurement/plugins/sample.bro
@@ -1,3 +1,4 @@
+@load base/utils/queue
module Measurement;
@@ -29,7 +30,10 @@ hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal
{
if ( ! rv?$sample_queue )
rv$sample_queue = Queue::init([$max_len=r$samples]);
- Queue::push(rv$sample_queue, data$str);
+ if ( ! rv?$samples )
+ rv$samples = vector();
+ Queue::put(rv$sample_queue, data);
+ Queue::get_vector(rv$sample_queue, rv$samples);
}
}
diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro
index 8f989317d8..5a25573870 100644
--- a/scripts/base/frameworks/measurement/plugins/sum.bro
+++ b/scripts/base/frameworks/measurement/plugins/sum.bro
@@ -27,6 +27,12 @@ function sum_threshold(data_id: string): threshold_function
};
}
+hook init_resultval_hook(r: Reducer, rv: ResultVal)
+ {
+ if ( SUM in r$apply && ! rv?$sum )
+ rv$sum = 0;
+ }
+
hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal)
{
if ( SUM in r$apply )
diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro
index 5160f0df91..7664663d29 100644
--- a/scripts/base/frameworks/measurement/plugins/unique.bro
+++ b/scripts/base/frameworks/measurement/plugins/unique.bro
@@ -10,7 +10,7 @@ export {
redef record ResultVal += {
## If cardinality is being tracked, the number of unique
## items is tracked here.
- unique: count &optional;
+ unique: count &default=0;
};
}
diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro
index 438529f579..1e7a293e17 100644
--- a/scripts/base/utils/queue.bro
+++ b/scripts/base/utils/queue.bro
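Review bot: `add_to_reducer_hook` in sample.bro now calls `Queue::get_vector(rv$sample_queue, rv$samples)` after every `Queue::put`, so the whole sample vector is rebuilt on each data point — O(samples) work per observation on a path that per-connection scripts drive. Materializing the vector once when the result is consumed (where the old commented `val$samples = Queue::get_str_vector(val$sample_queue)` in `threshold_crossed` used to live) keeps the per-datapoint cost constant. The hook's body starts before the hunk.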
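Review bot: Changing `unique` from `&optional` to `&default=0` in unique.bro makes every ResultVal carry `unique`, including ones whose reducer never applied `Measurement::UNIQUE`, so `rv?$unique` checks elsewhere always succeed and a consumer cannot tell "not measured" from "zero distinct values". If that is intended, state it in the field comment: `## Defaults to 0 even when UNIQUE is not in the reducer's $apply set.`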
@@ -1,4 +1,4 @@ -##! A FIFO string queue. +##! A FIFO queue. module Queue; @@ -23,17 +23,17 @@ export { ## Push a string onto the top of a queue. ## - ## q: The queue to push the string into. + ## q: The queue to put the value into. ## - ## val: The string to push - global push: function(q: Queue, val: any); + ## val: The value to insert into the queue. + global put: function(q: Queue, val: any); ## Pop a string from the bottom of a queue. ## - ## q: The queue to pop the string from. + ## q: The queue to get the string from. ## - ## Returns: The string popped from the queue. - global pop: function(q: Queue): any; + ## Returns: The value gotten from the queue. + global get: function(q: Queue): any; ## Merge two queue's together. If any settings are applied ## to the queues, the settings from q1 are used for the new @@ -53,23 +53,14 @@ export { ## Returns: The length of the queue. global len: function(q: Queue): count; - ## Get the contents of the queue as a string vector. + ## Get the contents of the queue as a vector. ## ## q: The queue. ## - ## Returns: A :bro:type:`vector of string` containing the - ## current contents of q. - global get_str_vector: function(q: Queue): vector of string; + ## ret: A vector containing the + ## current contents of q as the type of ret. + global get_vector: function(q: Queue, ret: vector of any); - ## Get the contents of the queue as a count vector. Use care - ## with this function. If the data put into the queue wasn't - ## integers you will get conversion errors. - ## - ## q: The queue. - ## - ## Returns: A :bro:type:`vector of count` containing the - ## current contents of q. - global get_cnt_vector: function(q: Queue): vector of count; } redef record Queue += { 
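Review bot: The summary lines for `put` and `get` still read `## Push a string onto the top of a queue.` and `## Pop a string from the bottom of a queue.` although the parameter text below them was rewritten for the generic `any` queue, and `## Returns: The value gotten from the queue.` is awkward. Suggested: `## Put a value onto the top of a queue.`, `## Get a value from the bottom of a queue.` and `## Returns: The value taken from the bottom of the queue.`. The `get_vector` parameter text `current contents of q as the type of ret` would also read better as `## ret: The vector to fill with the current contents of q; its element type decides the type of the copies.`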
@@ -96,15 +87,15 @@ function init(s: Settings): Queue return q; } -function push(q: Queue, val: any) +function put(q: Queue, val: any) { if ( q$settings?$max_len && len(q) >= q$settings$max_len ) - pop(q); + get(q); q$vals[q$top] = val; ++q$top; } -function pop(q: Queue): any +function get(q: Queue): any { local ret = q$vals[q$bottom]; delete q$vals[q$bottom]; @@ -120,9 +111,9 @@ function merge(q1: Queue, q2: Queue): Queue for ( ignored_val in q1$vals ) { if ( i in q1$vals ) - push(ret, q1$vals[i]); + put(ret, q1$vals[i]); if ( j in q2$vals ) - push(ret, q2$vals[j]); + put(ret, q2$vals[j]); ++i; ++j; } @@ -134,9 +125,8 @@ function len(q: Queue): count return |q$vals|; } -function get_str_vector(q: Queue): vector of string +function get_vector(q: Queue, ret: vector of any) { - local ret: vector of string; local i = q$bottom; local j = 0; # Really dumb hack, this is only to provide @@ -147,32 +137,7 @@ function get_str_vector(q: Queue): vector of string if ( i >= q$top ) break; - ret[j] = cat(q$vals[i]); + ret[j] = q$vals[i]; ++j; ++i; } - return ret; } - -function get_cnt_vector(q: Queue): vector of count - { - local ret: vector of count; - local i = q$bottom; - local j = 0; - # Really dumb hack, this is only to provide - # the iteration for the correct number of - # values in q$vals. - for ( ignored_val in q$vals ) - { - if ( i >= q$top ) - break; - - # TODO: this is terrible and should be replaced by - # a more generic version of the various - # functions to get vectors of values. - # (the way "any" works right now makes this impossible though) - ret[j] = to_count(cat(q$vals[i])); - ++j; ++i; - } - return ret; - } - diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index d76511fe98..967d5eb88f 100644 --- a/scripts/policy/misc/app-metrics.bro +++ b/scripts/policy/misc/app-metrics.bro 
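Review bot: `get_vector` assigns `ret[j]` from index 0 but never shrinks `ret`, so a caller that passes a vector already holding more elements than `len(q)` keeps the tail entries as stale values; the one caller in this commit (sample.bro's `add_to_reducer_hook`) reuses `rv$samples` across calls and is only safe because a bounded queue never gets shorter. Document the contract on the parameter: `## ret: Vector to fill; must be empty or no longer than the queue, entries past len(q) are not cleared.`. `get` still reads `q$vals[q$bottom]` unconditionally, so calling it on an empty queue presumably fails on the missing index as `pop` did; its body continues past the hunk.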
@@ -8,22 +8,28 @@ export { redef enum Log::ID += { LOG }; type Info: record { + ## Timestamp when the log line was finished and written. ts: time &log; + ## Time interval that the log line covers. + ts_delta: interval &log; + ## The name of the "app", like "facebook" or "netflix". app: string &log; + ## The number of unique local hosts using the app. uniq_hosts: count &log; + ## The number of hits to the app in total. hits: count &log; + ## The total number of bytes received by users of the app. bytes: count &log; }; ## The frequency of logging the stats collected by this script. - const break_interval = 1min &redef; + const break_interval = 15mins &redef; } redef record connection += { resp_hostname: string &optional; }; - event bro_init() &priority=3 { Log::create_stream(AppMeasurement::LOG, [$columns=Info]); @@ -32,10 +38,11 @@ event bro_init() &priority=3 local r2: Measurement::Reducer = [$stream="apps.hits", $apply=set(Measurement::UNIQUE)]; Measurement::create([$epoch=break_interval, $reducers=set(r1, r2), - $period_finished(data: Measurement::ResultTable) = + $epoch_finished(data: Measurement::ResultTable) = { local l: Info; l$ts = network_time(); + l$ts_delta = break_interval; for ( key in data ) { local result = data[key]; @@ -48,7 +55,7 @@ event bro_init() &priority=3 }]); } -function do_metric(id: conn_id, hostname: string, size: count) +function do_measurement(id: conn_id, hostname: string, size: count) { if ( /\.youtube\.com$/ in hostname && size > 512*1024 ) { @@ -92,11 +99,11 @@ event ssl_established(c: connection) event connection_finished(c: connection) { if ( c?$resp_hostname ) - do_metric(c$id, c$resp_hostname, c$resp$size); + do_measurement(c$id, c$resp_hostname, c$resp$size); } event HTTP::log_http(rec: HTTP::Info) { if( rec?$host ) - do_metric(rec$id, rec$host, rec$response_body_len); + do_measurement(rec$id, rec$host, rec$response_body_len); } 
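Review bot: The default `break_interval` drops from `1min` to `15mins` in the same hunk that documents the `Info` fields, but neither the commit message nor the constant's comment mentions the change, so deployments that sized log retention or alerting on one-minute app lines silently get fifteen-times coarser data after upgrading. Call it out in the commit description and extend the comment: `## The frequency of logging the stats collected by this script (default 15 minutes).`. The `$epoch_finished` loop body that fills the remaining `Info` fields is outside the hunk.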
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index 7656ed8d03..1b9f369ca5 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro 
@@ -49,53 +49,45 @@ export {
global log_traceroute: event(rec: Traceroute::Info);
}
-# Track hosts that have sent low TTL packets and which hosts they
-# sent them to.
-global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized;
-
-function traceroute_detected(src: addr, dst: addr)
- {
- Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]);
- NOTICE([$note=Traceroute::Detected,
- $msg=fmt("%s seems to be running traceroute", src),
- $src=src, $dst=dst,
- $identifier=cat(src)]);
- }
-
-
event bro_init() &priority=5
{
Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]);
- Metrics::add_filter("traceroute.time_exceeded",
- [$log=F,
- $every=icmp_time_exceeded_interval,
- $measure=set(Metrics::UNIQUE),
+ local r1: Measurement::Reducer = [$stream="traceroute.time_exceeded", $apply=set(Measurement::UNIQUE)];
+ local r2: Measurement::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(Measurement::SUM)];
+ Measurement::create([$epoch=icmp_time_exceeded_interval,
+ $reducers=set(r1, r2),
+ $threshold_val(key: Measurement::Key, result: Measurement::Result) =
+ {
+ # Give a threshold value of zero depending on if the host
+ # sends a low ttl packet.
+ if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
+ return 0;
+ else
+ return result["traceroute.time_exceeded"]$unique;
+ },
$threshold=icmp_time_exceeded_threshold,
- $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
- local parts = split1(index$str, /-/);
+ $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
+ {
+ local parts = split1(key$str, /-/);
local src = to_addr(parts[1]);
local dst = to_addr(parts[2]);
- if ( require_low_ttl_packets )
- {
- when ( [src, dst] in low_ttlers )
- {
- traceroute_detected(src, dst);
- }
- }
- else
- traceroute_detected(src, dst);
- }]);
+ Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]);
+ NOTICE([$note=Traceroute::Detected,
+ $msg=fmt("%s seems to be running traceroute", src),
+ $src=src, $dst=dst,
+ $identifier=cat(src)]);
+ }]);
}
# Low TTL packets are detected with a signature.
event signature_match(state: signature_state, msg: string, data: string)
{
if ( state$sig_id == /traceroute-detector.*/ )
- add low_ttlers[state$conn$id$orig_h, state$conn$id$resp_h];
+ Measurement::add_data("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h)], [$num=1]);
}
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
{
- Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
+ Measurement::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
}
diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro
index 570dbfe6b0..2ea1e9c0fe 100644
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
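Review bot: `$threshold_val` indexes `result["traceroute.low_ttl_packet"]` and `result["traceroute.time_exceeded"]` unconditionally, but the fix-up that adds missing ResultVals (`if ( |m$reducers| != |result| )` in main.bro) sits in `threshold_crossed`, so a src-dst key that has only seen one of the two streams presumably reaches this callback with a one-entry `result` and fails on the missing index. Guard both lookups: `if ( "traceroute.time_exceeded" !in result || ( require_low_ttl_packets && ( "traceroute.low_ttl_packet" !in result || result["traceroute.low_ttl_packet"]$sum == 0 ) ) )` / `return 0;` / `return result["traceroute.time_exceeded"]$unique;`. The comment above the branch also reads oddly; `# When low-TTL packets are required, report 0 until one has been seen for this src-dst pair.` says what it does.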
@@ -52,59 +52,64 @@ export { } -function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVal): bool - { - # We don't need to do this if no custom thresholds are defined. - if ( |addr_scan_custom_thresholds| == 0 ) - return F; - - local service = to_port(index$str); - return ( service in addr_scan_custom_thresholds && - val$sum > addr_scan_custom_thresholds[service] ); - } - -function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) - { - local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local dur = duration_to_mins_secs(val$end-val$begin); - local message=fmt("%s scanned at least %d unique hosts on port %s in %s", index$host, val$unique, index$str, dur); - - NOTICE([$note=Address_Scan, - $src=index$host, - $p=to_port(index$str), - $sub=side, - $msg=message, - $identifier=cat(index$host)]); - } - -function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) - { - local side = Site::is_local_addr(index$host) ? "local" : "remote"; - local dur = duration_to_mins_secs(val$end-val$begin); - local message = fmt("%s scanned at least %d unique ports of host %s in %s", index$host, val$unique, index$str, dur); - - NOTICE([$note=Port_Scan, - $src=index$host, - $dst=to_addr(index$str), - $sub=side, - $msg=message, - $identifier=cat(index$host)]); - } +#function check_addr_scan_threshold(key: Measurement::Key, val: Measurement::Result): bool +# { +# # We don't need to do this if no custom thresholds are defined. 
+# if ( |addr_scan_custom_thresholds| == 0 ) +# return F; +# +# local service = to_port(key$str); +# return ( service in addr_scan_custom_thresholds && +# val$sum > addr_scan_custom_thresholds[service] ); +# } event bro_init() &priority=5 { - # Note: addr scans are trcked similar to: table[src_ip, port] of set(dst); - Metrics::add_filter("scan.addr.fail", [$every=addr_scan_interval, - $measure=set(Metrics::UNIQUE), - $threshold_func=check_addr_scan_threshold, - $threshold=addr_scan_threshold, - $threshold_crossed=addr_scan_threshold_crossed]); + local r1: Measurement::Reducer = [$stream="scan.addr.fail", $apply=set(Measurement::UNIQUE)]; + Measurement::create([$epoch=addr_scan_interval, + $reducers=set(r1), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["scan.addr.fail"]$unique); + }, + #$threshold_func=check_addr_scan_threshold, + $threshold=addr_scan_threshold, + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["scan.addr.fail"]; + local side = Site::is_local_addr(key$host) ? 
"local" : "remote"; + local dur = duration_to_mins_secs(r$end-r$begin); + local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur); + NOTICE([$note=Address_Scan, + $src=key$host, + $p=to_port(key$str), + $sub=side, + $msg=message, + $identifier=cat(key$host)]); + }]); # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port); - Metrics::add_filter("scan.port.fail", [$every=port_scan_interval, - $measure=set(Metrics::UNIQUE), - $threshold=port_scan_threshold, - $threshold_crossed=port_scan_threshold_crossed]); + local r2: Measurement::Reducer = [$stream="scan.port.fail", $apply=set(Measurement::UNIQUE)]; + Measurement::create([$epoch=port_scan_interval, + $reducers=set(r2), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["scan.port.fail"]$unique); + }, + $threshold=port_scan_threshold, + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["scan.port.fail"]; + local side = Site::is_local_addr(key$host) ? "local" : "remote"; + local dur = duration_to_mins_secs(r$end-r$begin); + local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur); + NOTICE([$note=Port_Scan, + $src=key$host, + $dst=to_addr(key$str), + $sub=side, + $msg=message, + $identifier=cat(key$host)]); + }]); } function add_metrics(id: conn_id, reverse: bool) 
@@ -145,10 +150,10 @@ function add_metrics(id: conn_id, reverse: bool)
 # return F;
 if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
- Metrics::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
+ Measurement::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
 if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) )
- Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
+ Measurement::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
 }
 function is_failed_conn(c: connection): bool
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
index 59c8525c7e..286cc95979 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@@ -27,9 +27,9 @@ event bro_init()
 {
 Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
 $measure=set(Metrics::UNIQUE),
- $threshold_val_func(val: Metrics::ResultVal) = { return val$num; },
+ $threshold_val_func(val: Metrics::Result) = { return val$num; },
 $threshold=bruteforce_threshold,
- $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) =
+ $threshold_crossed(index: Metrics::Index, val: Metrics::Result) =
 {
 local dur = duration_to_mins_secs(val$end-val$begin);
 local plural = val$unique>1 ? "s" : "";
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index 410d3fde31..bb47ec2f47 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
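Review bot: The FTP brute-force detector is left on the old `Metrics::add_filter` / `$measure` / `$threshold_val_func` API (only the result type is renamed to `Metrics::Result`), while scan.bro, detect-sqli.bro and ssh/detect-bruteforcing.bro in this same commit are moved to `Measurement::create` with a `Measurement::Reducer`. Unless a `Metrics` compatibility layer exists outside this diff, this script will fail to load once the old module is gone, and a brute-force detector that does not load is a silent detection gap. The enclosing `bro_init` body continues past the hunk; the remainder of the `$threshold_crossed` body would need `index$host` renamed to `key$host`, and the `Metrics::add_data("ftp.failed_auth", …)` call elsewhere in this file would need to become `Measurement::add_data`. Following the SSH script's pattern from this commit, I would rewrite the call as below (the data fed to `ftp.failed_auth` is not visible here, so the `$num` threshold mirrors the existing `val$num`):

```bro
local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
Measurement::create([$epoch=bruteforce_measurement_interval,
                     $reducers=set(r1),
                     $threshold_val(key: Measurement::Key, result: Measurement::Result) =
                         {
                         return result["ftp.failed_auth"]$num;
                         },
                     $threshold=bruteforce_threshold,
                     $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
                         {
                         local val = result["ftp.failed_auth"];
                         # … unchanged: dur/plural computation and the notice body, which read val$begin, val$end and val$unique …
```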
@@ -50,11 +50,11 @@ export {
 | /\/\*![[:digit:]]{5}.*?\*\// &redef;
 }
-function format_sqli_samples(samples: vector of string): string
+function format_sqli_samples(samples: vector of Measurement::DataPoint): string
 {
 local ret = "SQL Injection samples\n---------------------";
 for ( i in samples )
- ret += "\n" + samples[i];
+ ret += "\n" + samples[i]$str;
 return ret;
 }
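Review bot: `samples[i]$str` in `format_sqli_samples` is read without a `?$str` check, and now that the parameter is a generic `Measurement::DataPoint` rather than a string, a sample whose `$str` is unset would raise a missing-field runtime error and abort the notice being built. The data points this file feeds into the `http.sqli.*` streams carry `$str` only, so it holds today, but the formatter stays total with `ret += "\n" + (samples[i]?$str ? samples[i]$str : "<non-string sample>");`. Worth keeping in mind that these samples are raw, attacker-supplied request URIs that are placed into a notice e-mail body further down in this file; whatever renders that body should treat them as untrusted text.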
@@ -63,31 +63,41 @@ event bro_init() &priority=3 # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when # thresholds are crossed. - Metrics::add_filter("http.sqli.attacker", - [$every=sqli_requests_interval, - $measure=set(Metrics::SUM), + local r1: Measurement::Reducer = [$stream="http.sqli.attacker", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples]; + Measurement::create([$epoch=sqli_requests_interval, + $reducers=set(r1), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["http.sqli.attacker"]$sum); + }, $threshold=sqli_requests_threshold, - $samples=collect_SQLi_samples, - $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["http.sqli.attacker"]; NOTICE([$note=SQL_Injection_Attacker, $msg="An SQL injection attacker was discovered!", - $email_body_sections=vector(format_sqli_samples(val$samples)), - $src=index$host, - $identifier=cat(index$host)]); - }]); + $email_body_sections=vector(format_sqli_samples(r$samples)), + $src=key$host, + $identifier=cat(key$host)]); + }]); - Metrics::add_filter("http.sqli.victim", - [$every=sqli_requests_interval, - $measure=set(Metrics::SUM), + local r2: Measurement::Reducer = [$stream="http.sqli.victim", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples]; + Measurement::create([$epoch=sqli_requests_interval, + $reducers=set(r2), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return double_to_count(result["http.sqli.victim"]$sum); + }, $threshold=sqli_requests_threshold, - $samples=collect_SQLi_samples, - $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = { + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["http.sqli.victim"]; 
NOTICE([$note=SQL_Injection_Victim, $msg="An SQL injection victim was discovered!", - $email_body_sections=vector(format_sqli_samples(val$samples)), - $src=index$host, - $identifier=cat(index$host)]); - }]); + $email_body_sections=vector(format_sqli_samples(r$samples)), + $src=key$host, + $identifier=cat(key$host)]); + }]); } event http_request(c: connection, method: string, original_URI: string, @@ -97,7 +107,7 @@ event http_request(c: connection, method: string, original_URI: string, { add c$http$tags[URI_SQLI]; - Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]); - Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]); + Measurement::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]); + Measurement::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]); } } diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index 44e94eb361..cf2d4030fd 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro 
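Review bot: The `http.sqli.attacker` and `http.sqli.victim` streams are reduced with `Measurement::SUM` and thresholded on `$sum`, yet the data points added to them in the `http_request` handler carry only `$str`, whereas the SSH detector in this same commit feeds `[$num=1]` to its SUM reducer. If the framework does not treat a value-less data point as 1 (its `add_data` is not visible in this diff), `$sum` stays at 0 and the threshold is never crossed, which would be a silent loss of SQL-injection detection. Making the count explicit is harmless either way: `Measurement::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$num=1, $str=original_URI]);` and the same for the victim stream; alternatively threshold on `result["http.sqli.attacker"]$num`, as the FTP script does with `val$num`. The two `Measurement::create` calls also duplicate identical closures and could share a small helper, but that is cosmetic.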
@@ -42,21 +42,27 @@ export {
 event bro_init()
 {
- Metrics::add_filter("ssh.login.failure", [$name="detect-bruteforcing", $log=F,
- $every=guessing_timeout,
- $measure=set(Metrics::SUM),
- $threshold=password_guesses_limit,
- $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
- # Generate the notice.
- NOTICE([$note=Password_Guessing,
- $msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum),
- $src=index$host,
- $identifier=cat(index$host)]);
- # Insert the guesser into the intel framework.
- Intel::insert([$host=index$host,
- $meta=[$source="local",
- $desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]);
- }]);
+ local r1: Measurement::Reducer = [$stream="ssh.login.failure", $apply=set(Measurement::SUM)];
+ Measurement::create([$epoch=guessing_timeout,
+ $reducers=set(r1),
+ $threshold_val(key: Measurement::Key, result: Measurement::Result) =
+ {
+ return double_to_count(result["ssh.login.failure"]$sum);
+ },
+ $threshold=password_guesses_limit,
+ $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
+ {
+ local r = result["ssh.login.failure"];
+ # Generate the notice.
+ NOTICE([$note=Password_Guessing,
+ $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
+ $src=key$host,
+ $identifier=cat(key$host)]);
+ # Insert the guesser into the intel framework.
+ Intel::insert([$host=key$host,
+ $meta=[$source="local",
+ $desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
+ }]);
 }
 event SSH::heuristic_successful_login(c: connection)
@@ -76,5 +82,5 @@ event SSH::heuristic_failed_login(c: connection)
 # be ignored.
 if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) )
- Metrics::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]);
+ Measurement::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]);
 }
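Review bot: The threshold is evaluated on `result["ssh.login.failure"]$sum`, but the notice text and the intel description now report `r$num`; the two only coincide because every data point is added as `[$num=1]` lower in this file, and they diverge as soon as someone feeds a weighted count. What `$num` on a result actually counts is not visible in this diff, so reporting the thresholded quantity is the safe choice: `$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, double_to_count(r$sum)),` and `$desc=fmt("Bro observed %d apparently failed SSH connections.", double_to_count(r$sum))`. That also keeps the notice consistent with the old `%.0f`/`val$sum` wording it replaces.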
From d11a1dab73fc6c34585c478b08787951293fc582 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 2 Apr 2013 00:15:55 -0400 Subject: [PATCH 068/134] Removed the example metrics scripts. Better real world examples exist now. --- .../frameworks/metrics/conn-example.bro | 26 ----------------- .../frameworks/metrics/http-example.bro | 29 ------------------- .../policy/frameworks/metrics/ssl-example.bro | 23 --------------- 3 files changed, 78 deletions(-) delete mode 100644 scripts/policy/frameworks/metrics/conn-example.bro delete mode 100644 scripts/policy/frameworks/metrics/http-example.bro delete mode 100644 scripts/policy/frameworks/metrics/ssl-example.bro diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro deleted file mode 100644 index 3f87ecb283..0000000000 --- a/scripts/policy/frameworks/metrics/conn-example.bro +++ /dev/null @@ -1,26 +0,0 @@ -##! An example of using the metrics framework to collect connection metrics -##! aggregated into /24 CIDR ranges. - -@load base/frameworks/measurement -@load base/utils/site - -event bro_init() - { - #Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]); - Metrics::add_filter("conns.originated", [$every=1mins, $measure=set(Metrics::SUM), - $aggregation_table=Site::local_nets_table, - $period_finished=Metrics::write_log]); - - - # Site::local_nets must be defined in order for this to actually do anything. - Metrics::add_filter("conns.responded", [$every=1mins, $measure=set(Metrics::SUM), - $aggregation_table=Site::local_nets_table, - $period_finished=Metrics::write_log]); - - } - -event connection_established(c: connection) - { - Metrics::add_data("conns.originated", [$host=c$id$orig_h], [$num=1]); - Metrics::add_data("conns.responded", [$host=c$id$resp_h], [$num=1]); - } 
diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro deleted file mode 100644 index d7aa304754..0000000000 --- a/scripts/policy/frameworks/metrics/http-example.bro +++ /dev/null @@ -1,29 +0,0 @@ -##! Provides an example of aggregating and limiting collection down to -##! only local networks. Additionally, the status code for the response from -##! the request is added into the metric. - -@load base/frameworks/measurement -@load base/protocols/http -@load base/utils/site - -event bro_init() - { - Metrics::add_filter("http.request.by_host_header", - [$every=1min, $measure=set(Metrics::SUM), - $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return T; return Site::is_local_addr(index$host); }, - $aggregation_mask=24, - $period_finished=Metrics::write_log]); - - # Site::local_nets must be defined in order for this to actually do anything. - Metrics::add_filter("http.request.by_status_code", [$every=1min, $measure=set(Metrics::SUM), - $aggregation_table=Site::local_nets_table, - $period_finished=Metrics::write_log]); - } - -event HTTP::log_http(rec: HTTP::Info) - { - if ( rec?$host ) - Metrics::add_data("http.request.by_host_header", [$str=rec$host], [$num=1]); - if ( rec?$status_code ) - Metrics::add_data("http.request.by_status_code", [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], [$num=1]); - } diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro deleted file mode 100644 index 400373c06c..0000000000 --- a/scripts/policy/frameworks/metrics/ssl-example.bro +++ /dev/null 
@@ -1,23 +0,0 @@ -##! Provides an example of using the metrics framework to collect the number -##! of times a specific server name indicator value is seen in SSL session -##! establishments. Names ending in google.com are being filtered out as an -##! example of the predicate based filtering in metrics filters. - -@load base/frameworks/measurement -@load base/protocols/ssl - -event bro_init() - { - Metrics::add_filter("ssl.by_servername", - [$name="no-google-ssl-servers", - $every=10secs, $measure=set(Metrics::SUM), - $pred(index: Metrics::Index, data: Metrics::DataPoint) = { - return (/google\.com$/ !in index$str); - }]); - } - -event SSL::log_ssl(rec: SSL::Info) - { - if ( rec?$server_name ) - Metrics::add_data("ssl.by_servername", [$str=rec$server_name], [$num=1]); - } From f1d165956a7e3f61f54a9294d369d30e7e028ea8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 2 Apr 2013 00:16:56 -0400 Subject: [PATCH 069/134] Fix path compression to include removing "/./". - This involved a fix to the FTP scripts that relied on the old behavior. --- scripts/base/protocols/ftp/main.bro | 11 ++++++++--- scripts/base/utils/paths.bro | 4 ++-- scripts/policy/misc/loaded-scripts.bro | 3 ++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 3d7b1fe61a..69e7c331ae 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -56,10 +56,10 @@ export { tags: set[string] &log &default=set(); ## Current working directory that this session is in. By making - ## the default value '/.', we can indicate that unless something + ## the default value '.', we can indicate that unless something ## more concrete is discovered that the existing but unknown ## directory is ok to use. - cwd: string &default="/."; + cwd: string &default="."; ## Command that is currently waiting for a response. cmdarg: CmdArg &optional; 
@@ -172,7 +172,12 @@ function ftp_message(s: Info)
 local arg = s$cmdarg$arg;
 if ( s$cmdarg$cmd in file_cmds )
- arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), build_path_compressed(s$cwd, arg));
+ {
+ local comp_path = build_path_compressed(s$cwd, arg);
+ if ( s$cwd[0] != "/" )
+ comp_path = cat("/", comp_path);
+ arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
+ }
 s$ts=s$cmdarg$ts;
 s$command=s$cmdarg$cmd;
diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro
index aa083ddf5b..f8ad384ea7 100644
--- a/scripts/base/utils/paths.bro
+++ b/scripts/base/utils/paths.bro
@@ -19,7 +19,7 @@ function extract_path(input: string): string
 }
 ## Compresses a given path by removing '..'s and the parent directory it
-## references and also removing '/'s.
+## references and also removing dual '/'s and extraneous '/./'s.
 ## dir: a path string, either relative or absolute
 ## Returns: a compressed version of the input path
 function compress_path(dir: string): string
@@ -41,7 +41,7 @@ function compress_path(dir: string): string
 return compress_path(dir);
 }
- const multislash_sep = /(\/){2,}/;
+ const multislash_sep = /(\/\.?){2,}/;
 parts = split_all(dir, multislash_sep);
 for ( i in parts )
 if ( i % 2 == 0 )
diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro
index 468478e682..516826aa7e 100644
--- a/scripts/policy/misc/loaded-scripts.bro
+++ b/scripts/policy/misc/loaded-scripts.bro
@@ -1,4 +1,5 @@
 ##! Log the loaded scripts.
+@load base/utils/paths
 module LoadedScripts;
@@ -34,5 +35,5 @@ event bro_init() &priority=5
 event bro_script_loaded(path: string, level: count)
 {
- Log::write(LoadedScripts::LOG, [$name=cat(depth[level], path)]);
+ Log::write(LoadedScripts::LOG, [$name=cat(depth[level], compress_path(path))]);
 }
\ No newline at end of file
From 0e3c84e863b285e45e11c937f7b77ace76373c96 Mon Sep 17 00:00:00 2001
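Review bot: The new guard in `ftp_message` tests `s$cwd[0]`, not the path it is about to prefix, so if `build_path_compressed` returns an absolute path for an absolute `arg` while `cwd` still holds the relative default `"."` (its handling of absolute arguments is not visible here), the logged URL becomes `ftp://host//foo`. Testing the result itself avoids that and any out-of-range index on an empty string: `if ( /^\// !in comp_path )`. `ftp_message` starts and ends outside the hunk.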
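Review bot: `/(\/\.?){2,}/` in `compress_path` swallows the leading dot of a dot-file that follows a collapsible separator, because the optional `\.` is also allowed on the last repetition: `a//.ssh` matches `//.` and compresses to `a/ssh`, and `a/./.bash_history` becomes `a/bash_history`. Since this commit routes attacker-chosen FTP paths through `compress_path` into the logged URL, that misreports exactly the files an investigator cares about. Requiring the dot to be followed by a slash fixes it: `const multislash_sep = /\/(\.?\/)+/;` still matches `//`, `///`, `/./` and `/.//`, leaves `/../` to the existing `..` handling above, and like the current pattern does not touch a trailing `/.`. `compress_path` starts and ends outside the hunk, so the separator replacement on even-indexed parts that this relies on is inferred from the lines shown.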
From: Seth Hall Date: Tue, 2 Apr 2013 00:19:06 -0400 Subject: [PATCH 070/134] Fixed the measurement "sample" plugin. --- .../frameworks/measurement/plugins/sample.bro | 46 ++++++++++--------- scripts/policy/protocols/http/detect-sqli.bro | 4 +- .../Baseline/scripts.base.utils.queue/output | 10 ++-- testing/btest/scripts/base/utils/queue.test | 34 +++++++------- 4 files changed, 46 insertions(+), 48 deletions(-) diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro index 018b7c9652..399f572490 100644 --- a/scripts/base/frameworks/measurement/plugins/sample.bro +++ b/scripts/base/frameworks/measurement/plugins/sample.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement @load base/utils/queue module Measurement; 
@@ -10,40 +11,41 @@ export {
 };
 redef record ResultVal += {
- ## A sample of something being measured. This is helpful in
- ## some cases for collecting information to do further detection
- ## or better logging for forensic purposes.
- samples: vector of Measurement::DataPoint &optional;
+ # This is the queue where samples
+ # are maintained. Use the :bro:see:`Measurement::get_samples`
+ ## function to get a vector of the samples.
+ samples: Queue::Queue &optional;
 };
+
+ ## Get a vector of sample DataPoint values from a ResultVal.
+ global get_samples: function(rv: ResultVal): vector of DataPoint;
 }
-redef record ResultVal += {
- # Internal use only. This is the queue where samples
- # are maintained since the queue is self managing for
- # the number of samples requested.
- sample_queue: Queue::Queue &optional;
-};
+function get_samples(rv: ResultVal): vector of DataPoint
+ {
+ local s: vector of DataPoint = vector();
+ if ( rv?$samples )
+ Queue::get_vector(rv$samples, s);
+ return s;
+ }
 hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal)
 {
 if ( r$samples > 0 )
 {
- if ( ! rv?$sample_queue )
- rv$sample_queue = Queue::init([$max_len=r$samples]);
 if ( ! rv?$samples )
- rv$samples = vector();
- Queue::put(rv$sample_queue, data);
- Queue::get_vector(rv$sample_queue, rv$samples);
+ rv$samples = Queue::init([$max_len=r$samples]);
+ Queue::put(rv$samples, data);
 }
 }
 hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 {
- # Merge $sample_queue
- if ( rv1?$sample_queue && rv2?$sample_queue )
- result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue);
- else if ( rv1?$sample_queue )
- result$sample_queue = rv1$sample_queue;
- else if ( rv2?$sample_queue )
- result$sample_queue = rv2$sample_queue;
+ # Merge $samples
+ if ( rv1?$samples && rv2?$samples )
+ result$samples = Queue::merge(rv1$samples, rv2$samples);
+ else if ( rv1?$samples )
+ result$samples = rv1$samples;
+ else if ( rv2?$samples )
+ result$samples = rv2$samples;
 }
\ No newline at end of file
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index bb47ec2f47..f5e15c5505 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -76,7 +76,7 @@ event bro_init() &priority=3
 local r = result["http.sqli.attacker"];
 NOTICE([$note=SQL_Injection_Attacker,
 $msg="An SQL injection attacker was discovered!",
- $email_body_sections=vector(format_sqli_samples(r$samples)),
+ $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 $src=key$host,
 $identifier=cat(key$host)]);
 }]);
@@ -94,7 +94,7 @@ event bro_init() &priority=3
 local r = result["http.sqli.victim"];
 NOTICE([$note=SQL_Injection_Victim,
 $msg="An SQL injection victim was discovered!",
- $email_body_sections=vector(format_sqli_samples(r$samples)),
+ $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 $src=key$host,
 $identifier=cat(key$host)]);
 }]);
diff --git a/testing/btest/Baseline/scripts.base.utils.queue/output b/testing/btest/Baseline/scripts.base.utils.queue/output
index b878006310..e54dd89f7a 100644
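Review bot: The documentation for the new `samples` field in the exported `ResultVal` redef is split between two `#` lines and one `##` line, so the generated reference for `ResultVal$samples` will read only "function to get a vector of the samples."; the `##` block on `get_samples` right below shows the intended marker. I would replace the three lines with a two-line `##` comment saying that this is the queue in which samples are maintained and that :bro:see:`Measurement::get_samples` returns them as a vector. Separately, in `compose_resultvals_hook` the single-sided branches assign `result$samples = rv1$samples` (and `rv2$samples`), which hands the composed result the very same queue record rather than a copy; if composed results are ever mutated afterwards (not visible in this diff) that aliasing writes back into the input, and `copy(rv1$samples)` would be the defensive choice.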
--- a/testing/btest/Baseline/scripts.base.utils.queue/output +++ b/testing/btest/Baseline/scripts.base.utils.queue/output @@ -1,9 +1,7 @@ -This is a get_cnt_vector test: 3 -This is a get_cnt_vector test: 4 -This is a get_str_vector test: 3 -This is a get_str_vector test: 4 -Testing pop: 3 -Length after pop: 1 +This is a get_vector test: 3 +This is a get_vector test: 4 +Testing get: 3 +Length after get: 1 Size of q2: 4 String queue value: test 1 String queue value: test 2 diff --git a/testing/btest/scripts/base/utils/queue.test b/testing/btest/scripts/base/utils/queue.test index 50f541a25f..344ea73f45 100644 --- a/testing/btest/scripts/base/utils/queue.test +++ b/testing/btest/scripts/base/utils/queue.test 
@@ -7,29 +7,27 @@ event bro_init() { local q = Queue::init([$max_len=2]); - Queue::push(q, 1); - Queue::push(q, 2); - Queue::push(q, 3); - Queue::push(q, 4); - local test1 = Queue::get_cnt_vector(q); + Queue::put(q, 1); + Queue::put(q, 2); + Queue::put(q, 3); + Queue::put(q, 4); + local test1: vector of count = vector(); + Queue::get_vector(q, test1); for ( i in test1 ) - print fmt("This is a get_cnt_vector test: %d", test1[i]); + print fmt("This is a get_vector test: %d", test1[i]); - local test2 = Queue::get_str_vector(q); - for ( i in test2 ) - print fmt("This is a get_str_vector test: %s", test2[i]); - - local test_val = Queue::pop(q); - print fmt("Testing pop: %s", test_val); - print fmt("Length after pop: %d", Queue::len(q)); + local test_val = Queue::get(q); + print fmt("Testing get: %s", test_val); + print fmt("Length after get: %d", Queue::len(q)); local q2 = Queue::init([]); - Queue::push(q2, "test 1"); - Queue::push(q2, "test 2"); - Queue::push(q2, "test 2"); - Queue::push(q2, "test 1"); + Queue::put(q2, "test 1"); + Queue::put(q2, "test 2"); + Queue::put(q2, "test 2"); + Queue::put(q2, "test 1"); print fmt("Size of q2: %d", Queue::len(q2)); - local test3: vector of string = Queue::get_str_vector(q2); + local test3: vector of string = vector(); + Queue::get_vector(q2, test3); for ( i in test3 ) print fmt("String queue value: %s", test3[i]); } \ No newline at end of file From 423bf3b3bff4721f75424492c845c64c11403b91 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 2 Apr 2013 00:30:14 -0400 Subject: [PATCH 071/134] Test updates and cleanup. --- doc/scripts/DocSourcesList.cmake | 15 +- scripts/base/frameworks/measurement/main.bro | 6 +- .../measurement/plugins/average.bro | 1 + .../frameworks/measurement/plugins/max.bro | 1 + .../frameworks/measurement/plugins/min.bro | 1 + .../measurement/plugins/std-dev.bro | 2 +- .../frameworks/measurement/plugins/sum.bro | 1 + .../frameworks/measurement/plugins/unique.bro | 1 + .../measurement/plugins/variance.bro | 1 + scripts/test-all-policy.bro | 3 - .../canonified_loaded_scripts.log | 29 ++-- .../canonified_loaded_scripts.log | 148 ++++++++++-------- .../coverage.init-default/missing_loads | 2 +- .../manager-1.metrics.log | 12 -- .../metrics.log | 12 -- .../manager-1..stdout | 1 - .../manager-1.notice.log | 10 -- .../notice.log | 11 -- .../.stdout | 8 - .../manager-1.notice.log | 10 +- .../manager-1.notice.log | 10 +- .../notice.log | 10 +- 22 files changed, 130 insertions(+), 165 deletions(-) delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 4e957d03a0..d4498b2fe3 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -49,6 +49,14 @@ rest_target(${psd} base/frameworks/logging/writers/none.bro) rest_target(${psd} base/frameworks/measurement/cluster.bro) rest_target(${psd} base/frameworks/measurement/main.bro) rest_target(${psd} base/frameworks/measurement/non-cluster.bro) +rest_target(${psd} base/frameworks/measurement/plugins/average.bro) +rest_target(${psd} base/frameworks/measurement/plugins/max.bro) +rest_target(${psd} base/frameworks/measurement/plugins/min.bro) +rest_target(${psd} base/frameworks/measurement/plugins/sample.bro) +rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro) +rest_target(${psd} base/frameworks/measurement/plugins/sum.bro) +rest_target(${psd} base/frameworks/measurement/plugins/unique.bro) +rest_target(${psd} base/frameworks/measurement/plugins/variance.bro) rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro) rest_target(${psd} base/frameworks/notice/actions/drop.bro) rest_target(${psd} base/frameworks/notice/actions/email_admin.bro) @@ -107,6 +115,7 @@ rest_target(${psd} base/utils/queue.bro) rest_target(${psd} base/utils/site.bro) rest_target(${psd} base/utils/strings.bro) rest_target(${psd} base/utils/thresholds.bro) +rest_target(${psd} base/utils/time.bro) rest_target(${psd} base/utils/urls.bro) rest_target(${psd} policy/frameworks/communication/listen.bro) rest_target(${psd} policy/frameworks/control/controllee.bro) 
@@ -122,9 +131,6 @@ rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro) rest_target(${psd} policy/frameworks/intel/smtp.bro) rest_target(${psd} policy/frameworks/intel/ssl.bro) rest_target(${psd} policy/frameworks/intel/where-locations.bro) -rest_target(${psd} policy/frameworks/metrics/conn-example.bro) -rest_target(${psd} policy/frameworks/metrics/http-example.bro) -rest_target(${psd} policy/frameworks/metrics/ssl-example.bro) rest_target(${psd} policy/frameworks/software/version-changes.bro) rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) @@ -136,16 +142,17 @@ rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/detect-traceroute/main.bro) rest_target(${psd} policy/misc/loaded-scripts.bro) rest_target(${psd} policy/misc/profiling.bro) +rest_target(${psd} policy/misc/scan.bro) rest_target(${psd} policy/misc/stats.bro) rest_target(${psd} policy/misc/trim-trace-file.bro) rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro) rest_target(${psd} policy/protocols/conn/known-hosts.bro) rest_target(${psd} policy/protocols/conn/known-services.bro) rest_target(${psd} policy/protocols/conn/metrics.bro) -rest_target(${psd} policy/protocols/conn/scan.bro) rest_target(${psd} policy/protocols/conn/weirds.bro) rest_target(${psd} policy/protocols/dns/auth-addl.bro) rest_target(${psd} policy/protocols/dns/detect-external-names.bro) +rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro) rest_target(${psd} policy/protocols/ftp/detect.bro) rest_target(${psd} policy/protocols/ftp/software.bro) rest_target(${psd} policy/protocols/http/detect-MHR.bro) diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro index f649dbe1f2..5e33ff7a25 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/measurement/main.bro 
@@ -1,6 +1,4 @@ -##! The metrics framework provides a way to count and measure data. - -@load base/utils/queue +##! The measurement framework provides a way to count and measure data. module Measurement; @@ -12,7 +10,7 @@ export { ## Represents a thing which is having measurement results collected for it. type Key: record { - ## A non-address related metric or a sub-key for an address based metric. + ## A non-address related measurement or a sub-key for an address based measurement. ## An example might be successful SSH connections by client IP address ## where the client string would be the key value. ## Another example might be number of HTTP requests to a particular diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/measurement/plugins/average.bro index 172e8c788d..9a3938640e 100644 --- a/scripts/base/frameworks/measurement/plugins/average.bro +++ b/scripts/base/frameworks/measurement/plugins/average.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/measurement/plugins/max.bro index 02b536f849..816d249de3 100644 --- a/scripts/base/frameworks/measurement/plugins/max.bro +++ b/scripts/base/frameworks/measurement/plugins/max.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/measurement/plugins/min.bro index 944ee9fcb4..910d2c76d7 100644 --- a/scripts/base/frameworks/measurement/plugins/min.bro +++ b/scripts/base/frameworks/measurement/plugins/min.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro index bcf2cdcb00..bfcaa67910 100644 --- a/scripts/base/frameworks/measurement/plugins/std-dev.bro 
+++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro @@ -1,5 +1,5 @@ -@load ./sum @load ./variance +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro index 5a25573870..2ada26e1d0 100644 --- a/scripts/base/frameworks/measurement/plugins/sum.bro +++ b/scripts/base/frameworks/measurement/plugins/sum.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro index 7664663d29..f1027157a7 100644 --- a/scripts/base/frameworks/measurement/plugins/unique.bro +++ b/scripts/base/frameworks/measurement/plugins/unique.bro @@ -1,3 +1,4 @@ +@load base/frameworks/measurement module Measurement; diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro index dc94f39840..2868a8a3ad 100644 --- a/scripts/base/frameworks/measurement/plugins/variance.bro +++ b/scripts/base/frameworks/measurement/plugins/variance.bro @@ -1,4 +1,5 @@ @load ./average +@load base/frameworks/measurement module Measurement; diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a213031f4c..2fe32a4788 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -24,9 +24,6 @@ @load frameworks/intel/smtp.bro @load frameworks/intel/ssl.bro @load frameworks/intel/where-locations.bro -@load frameworks/metrics/conn-example.bro -@load frameworks/metrics/http-example.bro -@load frameworks/metrics/ssl-example.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro @load integration/barnyard2/__load__.bro 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 41209a4084..d521c151db 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-07-20-14-34-11 +#open 2013-04-02-04-24-03 #fields name #types string scripts/base/init-bare.bro 
@@ -14,20 +14,21 @@ scripts/base/init-bare.bro build/src/base/reporter.bif.bro build/src/base/event.bif.bro scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/./main.bro + scripts/base/frameworks/logging/main.bro build/src/base/logging.bif.bro - scripts/base/frameworks/logging/./postprocessors/__load__.bro - scripts/base/frameworks/logging/./postprocessors/./scp.bro - scripts/base/frameworks/logging/./postprocessors/./sftp.bro - scripts/base/frameworks/logging/./writers/ascii.bro - scripts/base/frameworks/logging/./writers/dataseries.bro - scripts/base/frameworks/logging/./writers/elasticsearch.bro - scripts/base/frameworks/logging/./writers/none.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/./main.bro + scripts/base/frameworks/input/main.bro build/src/base/input.bif.bro - scripts/base/frameworks/input/./readers/ascii.bro - scripts/base/frameworks/input/./readers/raw.bro - scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-07-20-14-34-11 + scripts/base/utils/paths.bro +#close 2013-04-02-04-24-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 097fc1f2ca..e691a906c2 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-02-11-18-44-43 +#open 2013-04-02-04-22-32 #fields name #types string scripts/base/init-bare.bro 
@@ -14,24 +14,24 @@ scripts/base/init-bare.bro build/src/base/reporter.bif.bro build/src/base/event.bif.bro scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/./main.bro + scripts/base/frameworks/logging/main.bro build/src/base/logging.bif.bro - scripts/base/frameworks/logging/./postprocessors/__load__.bro - scripts/base/frameworks/logging/./postprocessors/./scp.bro - scripts/base/frameworks/logging/./postprocessors/./sftp.bro - scripts/base/frameworks/logging/./writers/ascii.bro - scripts/base/frameworks/logging/./writers/dataseries.bro - scripts/base/frameworks/logging/./writers/elasticsearch.bro - scripts/base/frameworks/logging/./writers/none.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/./main.bro + scripts/base/frameworks/input/main.bro build/src/base/input.bif.bro - scripts/base/frameworks/input/./readers/ascii.bro - scripts/base/frameworks/input/./readers/raw.bro - scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro scripts/base/init-default.bro scripts/base/utils/site.bro - scripts/base/utils/./patterns.bro + scripts/base/utils/patterns.bro scripts/base/utils/addrs.bro scripts/base/utils/conn-ids.bro scripts/base/utils/directions-and-hosts.bro 
@@ -41,83 +41,93 @@ scripts/base/init-default.bro scripts/base/utils/queue.bro scripts/base/utils/strings.bro scripts/base/utils/thresholds.bro + scripts/base/utils/time.bro scripts/base/utils/urls.bro scripts/base/frameworks/notice/__load__.bro - scripts/base/frameworks/notice/./main.bro - scripts/base/frameworks/notice/./weird.bro - scripts/base/frameworks/notice/./actions/drop.bro - scripts/base/frameworks/notice/./actions/email_admin.bro - scripts/base/frameworks/notice/./actions/page.bro - scripts/base/frameworks/notice/./actions/add-geodata.bro - scripts/base/frameworks/notice/./extend-email/hostnames.bro + scripts/base/frameworks/notice/main.bro + scripts/base/frameworks/notice/weird.bro + scripts/base/frameworks/notice/actions/drop.bro + scripts/base/frameworks/notice/actions/email_admin.bro + scripts/base/frameworks/notice/actions/page.bro + scripts/base/frameworks/notice/actions/add-geodata.bro + scripts/base/frameworks/notice/extend-email/hostnames.bro scripts/base/frameworks/cluster/__load__.bro - scripts/base/frameworks/cluster/./main.bro + scripts/base/frameworks/cluster/main.bro scripts/base/frameworks/control/__load__.bro - scripts/base/frameworks/control/./main.bro - scripts/base/frameworks/notice/./non-cluster.bro - scripts/base/frameworks/notice/./actions/pp-alarms.bro + scripts/base/frameworks/control/main.bro + scripts/base/frameworks/notice/non-cluster.bro + scripts/base/frameworks/notice/actions/pp-alarms.bro scripts/base/frameworks/dpd/__load__.bro - scripts/base/frameworks/dpd/./main.bro + scripts/base/frameworks/dpd/main.bro scripts/base/frameworks/signatures/__load__.bro - scripts/base/frameworks/signatures/./main.bro + scripts/base/frameworks/signatures/main.bro scripts/base/frameworks/packet-filter/__load__.bro - scripts/base/frameworks/packet-filter/./main.bro - scripts/base/frameworks/packet-filter/./netstats.bro + scripts/base/frameworks/packet-filter/main.bro + scripts/base/frameworks/packet-filter/netstats.bro 
scripts/base/frameworks/software/__load__.bro - scripts/base/frameworks/software/./main.bro + scripts/base/frameworks/software/main.bro scripts/base/frameworks/communication/__load__.bro - scripts/base/frameworks/communication/./main.bro - scripts/base/frameworks/metrics/__load__.bro - scripts/base/frameworks/metrics/./main.bro - scripts/base/frameworks/metrics/./non-cluster.bro + scripts/base/frameworks/communication/main.bro + scripts/base/frameworks/measurement/__load__.bro + scripts/base/frameworks/measurement/main.bro + scripts/base/frameworks/measurement/plugins/__load__.bro + scripts/base/frameworks/measurement/plugins/average.bro + scripts/base/frameworks/measurement/plugins/max.bro + scripts/base/frameworks/measurement/plugins/min.bro + scripts/base/frameworks/measurement/plugins/sample.bro + scripts/base/frameworks/measurement/plugins/std-dev.bro + scripts/base/frameworks/measurement/plugins/variance.bro + scripts/base/frameworks/measurement/plugins/sum.bro + scripts/base/frameworks/measurement/plugins/unique.bro + scripts/base/frameworks/measurement/non-cluster.bro scripts/base/frameworks/intel/__load__.bro - scripts/base/frameworks/intel/./main.bro - scripts/base/frameworks/intel/./input.bro + scripts/base/frameworks/intel/main.bro + scripts/base/frameworks/intel/input.bro scripts/base/frameworks/reporter/__load__.bro - scripts/base/frameworks/reporter/./main.bro + scripts/base/frameworks/reporter/main.bro scripts/base/frameworks/tunnels/__load__.bro - scripts/base/frameworks/tunnels/./main.bro + scripts/base/frameworks/tunnels/main.bro scripts/base/protocols/conn/__load__.bro - scripts/base/protocols/conn/./main.bro - scripts/base/protocols/conn/./contents.bro - scripts/base/protocols/conn/./inactivity.bro - scripts/base/protocols/conn/./polling.bro + scripts/base/protocols/conn/main.bro + scripts/base/protocols/conn/contents.bro + scripts/base/protocols/conn/inactivity.bro + scripts/base/protocols/conn/polling.bro 
scripts/base/protocols/dns/__load__.bro - scripts/base/protocols/dns/./consts.bro - scripts/base/protocols/dns/./main.bro + scripts/base/protocols/dns/consts.bro + scripts/base/protocols/dns/main.bro scripts/base/protocols/ftp/__load__.bro - scripts/base/protocols/ftp/./utils-commands.bro - scripts/base/protocols/ftp/./main.bro - scripts/base/protocols/ftp/./file-extract.bro - scripts/base/protocols/ftp/./gridftp.bro + scripts/base/protocols/ftp/utils-commands.bro + scripts/base/protocols/ftp/main.bro + scripts/base/protocols/ftp/file-extract.bro + scripts/base/protocols/ftp/gridftp.bro scripts/base/protocols/ssl/__load__.bro - scripts/base/protocols/ssl/./consts.bro - scripts/base/protocols/ssl/./main.bro - scripts/base/protocols/ssl/./mozilla-ca-list.bro + scripts/base/protocols/ssl/consts.bro + scripts/base/protocols/ssl/main.bro + scripts/base/protocols/ssl/mozilla-ca-list.bro scripts/base/protocols/http/__load__.bro - scripts/base/protocols/http/./main.bro - scripts/base/protocols/http/./utils.bro - scripts/base/protocols/http/./file-ident.bro - scripts/base/protocols/http/./file-hash.bro - scripts/base/protocols/http/./file-extract.bro + scripts/base/protocols/http/main.bro + scripts/base/protocols/http/utils.bro + scripts/base/protocols/http/file-ident.bro + scripts/base/protocols/http/file-hash.bro + scripts/base/protocols/http/file-extract.bro scripts/base/protocols/irc/__load__.bro - scripts/base/protocols/irc/./main.bro - scripts/base/protocols/irc/./dcc-send.bro + scripts/base/protocols/irc/main.bro + scripts/base/protocols/irc/dcc-send.bro scripts/base/protocols/modbus/__load__.bro - scripts/base/protocols/modbus/./consts.bro - scripts/base/protocols/modbus/./main.bro + scripts/base/protocols/modbus/consts.bro + scripts/base/protocols/modbus/main.bro scripts/base/protocols/smtp/__load__.bro - scripts/base/protocols/smtp/./main.bro - scripts/base/protocols/smtp/./entities.bro - scripts/base/protocols/smtp/./entities-excerpt.bro + 
scripts/base/protocols/smtp/main.bro + scripts/base/protocols/smtp/entities.bro + scripts/base/protocols/smtp/entities-excerpt.bro scripts/base/protocols/socks/__load__.bro - scripts/base/protocols/socks/./consts.bro - scripts/base/protocols/socks/./main.bro + scripts/base/protocols/socks/consts.bro + scripts/base/protocols/socks/main.bro scripts/base/protocols/ssh/__load__.bro - scripts/base/protocols/ssh/./main.bro + scripts/base/protocols/ssh/main.bro scripts/base/protocols/syslog/__load__.bro - scripts/base/protocols/syslog/./consts.bro - scripts/base/protocols/syslog/./main.bro + scripts/base/protocols/syslog/consts.bro + scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-02-11-18-44-43 +#close 2013-04-02-04-22-32 diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 34ba654dec..554fcf012e 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads @@ -3,5 +3,5 @@ -./frameworks/cluster/nodes/worker.bro -./frameworks/cluster/setup-connections.bro -./frameworks/intel/cluster.bro --./frameworks/metrics/cluster.bro +-./frameworks/measurement/cluster.bro -./frameworks/notice/cluster.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log deleted file mode 100644 index bdc86c68bb..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ /dev/null 
@@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path metrics -#open 2012-12-17-18-43-15 -#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string addr subnet time time count double double double double double double count -1355769795.365325 3.000000 test.metric - 6.5.4.3 - 1355769793.449322 1355769793.458467 2 6.0 1.0 5.0 3.0 4.0 2.0 2 -1355769795.365325 3.000000 test.metric - 1.2.3.4 - 1355769793.449322 1355769793.458467 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 8 -1355769795.365325 3.000000 test.metric - 7.2.1.5 - 1355769793.449322 1355769793.458467 2 145.0 54.0 91.0 72.5 342.25 18.5 2 -#close 2012-12-17-18-43-21 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log deleted file mode 100644 index 51d892e8d5..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path metrics -#open 2012-12-17-18-43-45 -#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string addr subnet time time count double double double double double double count -1355769825.947161 3.000000 test.metric - 6.5.4.3 - 1355769825.947161 1355769825.947161 1 2.0 2.0 2.0 2.0 0.0 0.0 - -1355769825.947161 3.000000 test.metric - 1.2.3.4 - 1355769825.947161 1355769825.947161 5 221.0 5.0 94.0 44.2 915.36 30.254917 - -1355769825.947161 3.000000 test.metric - 7.2.1.5 - 1355769825.947161 1355769825.947161 1 1.0 1.0 1.0 1.0 0.0 0.0 - -#close 2012-12-17-18-43-45 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout deleted file mode 100644 index 2d0750ca18..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout +++ /dev/null @@ -1 +0,0 @@ -A test metric threshold was crossed! diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log deleted file mode 100644 index c87853e2b4..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path notice -#open 2013-02-11-18-41-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - - -#close 2013-02-11-18-41-03 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log deleted file mode 100644 index ba6c680e27..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log +++ /dev/null 
@@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path notice -#open 2012-07-20-01-49-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342748963.085888 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - - -1342748963.085888 - - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 6.5.4.3 - - -#close 2012-07-20-01-49-23 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout deleted file mode 100644 index da692f2fe2..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout +++ /dev/null @@ -1,8 +0,0 @@ -THRESHOLD_SERIES: hit a threshold series value at 3 for metric_index(host=1.2.3.4) -THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4) -THRESHOLD_FUNC: hit a threshold function value at 2 for metric_index(host=6.5.4.3) -THRESHOLD_FUNC: hit a threshold function value at 1 for metric_index(host=7.2.1.5) -THRESHOLD: hit a threshold value at 6 for metric_index(host=1.2.3.4) -THRESHOLD_SERIES: hit a threshold series value at 6 for metric_index(host=1.2.3.4) -THRESHOLD: hit a threshold value at 1001 for metric_index(host=7.2.1.5) -THRESHOLD_SERIES: hit a threshold series value at 1001 for metric_index(host=7.2.1.5) 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log index ddbb59c565..e17610d69e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-45-43 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-45-43 +#open 2013-04-02-02-21-00 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1364869260.950557 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-21-00 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log index 2f163a5491..c8b4306d22 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-45-14 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-45-17 +#open 2013-04-02-02-21-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1364869289.545369 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-21-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index da5489e0b7..051f1c6266 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-33-41 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-33-41 +#open 2013-04-02-02-19-21 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-19-21 From e8b60d1ba85a23696926f028eea030b31b0c0cb9 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 2 Apr 2013 00:55:25 -0400 Subject: [PATCH 072/134] Updated FTP bruteforce detection and a few other small changes. --- .../base/frameworks/measurement/simple.bro | 6 ---- .../protocols/conn/conn-stats-per-host.bro | 27 -------------- .../protocols/ftp/detect-bruteforcing.bro | 35 +++++++++++-------- .../.stdout | 4 +-- 4 files changed, 22 insertions(+), 50 deletions(-) delete mode 100644 scripts/base/frameworks/measurement/simple.bro delete mode 100644 scripts/policy/protocols/conn/conn-stats-per-host.bro diff --git a/scripts/base/frameworks/measurement/simple.bro b/scripts/base/frameworks/measurement/simple.bro deleted file mode 100644 index 51bf7e8c44..0000000000 --- a/scripts/base/frameworks/measurement/simple.bro +++ /dev/null @@ -1,6 +0,0 @@ - -module Metrics; - -export { - -} \ No newline at end of file diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro deleted file mode 100644 index d537d13b72..0000000000 --- a/scripts/policy/protocols/conn/conn-stats-per-host.bro +++ /dev/null 
@@ -1,27 +0,0 @@ - -@load base/protocols/conn -@load base/frameworks/measurement - -event bro_init() &priority=5 - { - Metrics::add_filter("conn.orig.data", - [$every=5mins, - $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), - $period_finished=Metrics::write_log]); - Metrics::add_filter("conn.resp.data", - [$every=5mins, - $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV), - $period_finished=Metrics::write_log]); - } - - -event connection_state_remove(c: connection) - { - if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) ) - return; - - if ( Site::is_local_addr(c$id$orig_h) ) - Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]); - if ( Site::is_local_addr(c$id$resp_h) ) - Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]); - } \ No newline at end of file diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro index 286cc95979..bcf7a59d06 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro 
@@ -25,20 +25,25 @@ export { event bro_init() { - Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval, - $measure=set(Metrics::UNIQUE), - $threshold_val_func(val: Metrics::Result) = { return val$num; }, - $threshold=bruteforce_threshold, - $threshold_crossed(index: Metrics::Index, val: Metrics::Result) = - { - local dur = duration_to_mins_secs(val$end-val$begin); - local plural = val$unique>1 ? "s" : ""; - local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur); - NOTICE([$note=FTP::Bruteforcing, - $src=index$host, - $msg=message, - $identifier=cat(index$host)]); - }]); + local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)]; + Measurement::create([$epoch=bruteforce_measurement_interval, + $reducers=set(r1), + $threshold_val(key: Measurement::Key, result: Measurement::Result) = + { + return result["ftp.failed_auth"]$num; + }, + $threshold=bruteforce_threshold, + $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = + { + local r = result["ftp.failed_auth"]; + local dur = duration_to_mins_secs(r$end-r$begin); + local plural = r$unique>1 ? "s" : ""; + local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur); + NOTICE([$note=FTP::Bruteforcing, + $src=key$host, + $msg=message, + $identifier=cat(key$host)]); + }]); } event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) @@ -47,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) if ( cmd == "USER" || cmd == "PASS" ) { if ( FTP::parse_ftp_reply_code(code)$x == 5 ) - Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); + Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); } } \ No newline at end of file 
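Review bot: Both callbacks index `result["ftp.failed_auth"]` unconditionally, and a Bro table lookup on a missing key is a runtime error, so unless `Measurement` guarantees every stream in `$reducers` is present in `result` when `$threshold_val` and `$threshold_crossed` run, guard it with `if ( "ftp.failed_auth" !in result ) return 0;` in `$threshold_val`. The message in `$threshold_crossed` also relies on `r$unique`, which is only populated because `r1` applies `Measurement::UNIQUE`; a comment such as `# $num counts every failed USER/PASS reply; $unique (set by the UNIQUE reducer in r1) is the number of distinct servers` would keep a later edit to `$apply` from leaving `r$unique` unset at runtime. It is also worth stating, in the export block that starts outside this hunk, that the value thresholded is `$num` (total failed replies across all servers) and that it presumably resets every `$epoch`, so attempts paced below `bruteforce_threshold` per `bruteforce_measurement_interval` are never reported.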
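Review bot: The guard `FTP::parse_ftp_reply_code(code)$x == 5` treats every 5xx reply to USER or PASS as a failed login, so 500/501/502/503 replies to a malformed or out-of-sequence command feed `ftp.failed_auth` alongside 530 (not logged in), and a misbehaving client can push an originator over `bruteforce_threshold` without sending a wrong password; consider `if ( code == 530 )` or add a comment stating that any 5xx is intentionally counted. The `cont_resp` argument is not consulted in the visible part of the handler; if `ftp_reply` is raised once per line of a multi-line reply, a multi-line 530 would be counted once per line unless the lines above this hunk already filter on it — the body of `ftp_reply` (where `cmd` is set) starts outside the hunk. Note too that `[$str=cat(c$id$resp_h)]` keys uniqueness on the server address alone, so one server on several ports counts as a single "FTP server" in the notice text.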
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout index 09c65c3864..ac8785d182 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout @@ -1,6 +1,6 @@ THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4) -THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4) -THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5) +THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5) +THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5) THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5) From 94f39fee2a67db955a90339129dba9725e692cd2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 2 Apr 2013 01:04:40 -0400 Subject: [PATCH 073/134] Updating DocSourcesList --- DocSourcesList.cmake | 59 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 7 deletions(-) diff --git a/DocSourcesList.cmake b/DocSourcesList.cmake index 1743b0258f..5ac87a6305 100644 --- a/DocSourcesList.cmake +++ b/DocSourcesList.cmake @@ -19,6 +19,7 @@ rest_target(${psd} base/init-bare.bro internal) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) 
@@ -31,15 +32,31 @@ rest_target(${psd} base/frameworks/cluster/setup-connections.bro) rest_target(${psd} base/frameworks/communication/main.bro) rest_target(${psd} base/frameworks/control/main.bro) rest_target(${psd} base/frameworks/dpd/main.bro) +rest_target(${psd} base/frameworks/input/main.bro) +rest_target(${psd} base/frameworks/input/readers/ascii.bro) +rest_target(${psd} base/frameworks/input/readers/benchmark.bro) +rest_target(${psd} base/frameworks/input/readers/raw.bro) +rest_target(${psd} base/frameworks/intel/cluster.bro) +rest_target(${psd} base/frameworks/intel/input.bro) rest_target(${psd} base/frameworks/intel/main.bro) rest_target(${psd} base/frameworks/logging/main.bro) rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro) rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro) rest_target(${psd} base/frameworks/logging/writers/ascii.bro) rest_target(${psd} base/frameworks/logging/writers/dataseries.bro) -rest_target(${psd} base/frameworks/metrics/cluster.bro) -rest_target(${psd} base/frameworks/metrics/main.bro) -rest_target(${psd} base/frameworks/metrics/non-cluster.bro) +rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro) +rest_target(${psd} base/frameworks/logging/writers/none.bro) +rest_target(${psd} base/frameworks/measurement/cluster.bro) +rest_target(${psd} base/frameworks/measurement/main.bro) +rest_target(${psd} base/frameworks/measurement/non-cluster.bro) +rest_target(${psd} base/frameworks/measurement/plugins/average.bro) +rest_target(${psd} base/frameworks/measurement/plugins/max.bro) +rest_target(${psd} base/frameworks/measurement/plugins/min.bro) +rest_target(${psd} base/frameworks/measurement/plugins/sample.bro) +rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro) +rest_target(${psd} base/frameworks/measurement/plugins/sum.bro) +rest_target(${psd} base/frameworks/measurement/plugins/unique.bro) +rest_target(${psd} base/frameworks/measurement/plugins/variance.bro) 
rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro) rest_target(${psd} base/frameworks/notice/actions/drop.bro) rest_target(${psd} base/frameworks/notice/actions/email_admin.bro) @@ -48,18 +65,23 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro) rest_target(${psd} base/frameworks/notice/cluster.bro) rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro) rest_target(${psd} base/frameworks/notice/main.bro) +rest_target(${psd} base/frameworks/notice/non-cluster.bro) rest_target(${psd} base/frameworks/notice/weird.bro) rest_target(${psd} base/frameworks/packet-filter/main.bro) rest_target(${psd} base/frameworks/packet-filter/netstats.bro) rest_target(${psd} base/frameworks/reporter/main.bro) rest_target(${psd} base/frameworks/signatures/main.bro) rest_target(${psd} base/frameworks/software/main.bro) +rest_target(${psd} base/frameworks/tunnels/main.bro) +rest_target(${psd} base/misc/find-checksum-offloading.bro) rest_target(${psd} base/protocols/conn/contents.bro) rest_target(${psd} base/protocols/conn/inactivity.bro) rest_target(${psd} base/protocols/conn/main.bro) +rest_target(${psd} base/protocols/conn/polling.bro) rest_target(${psd} base/protocols/dns/consts.bro) rest_target(${psd} base/protocols/dns/main.bro) rest_target(${psd} base/protocols/ftp/file-extract.bro) +rest_target(${psd} base/protocols/ftp/gridftp.bro) rest_target(${psd} base/protocols/ftp/main.bro) rest_target(${psd} base/protocols/ftp/utils-commands.bro) rest_target(${psd} base/protocols/http/file-extract.bro) 
@@ -69,9 +91,13 @@ rest_target(${psd} base/protocols/http/main.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
+rest_target(${psd} base/protocols/modbus/consts.bro)
+rest_target(${psd} base/protocols/modbus/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
+rest_target(${psd} base/protocols/socks/consts.bro)
+rest_target(${psd} base/protocols/socks/main.bro)
 rest_target(${psd} base/protocols/ssh/main.bro)
 rest_target(${psd} base/protocols/ssl/consts.bro)
 rest_target(${psd} base/protocols/ssl/main.bro)
@@ -85,36 +111,50 @@ rest_target(${psd} base/utils/files.bro)
 rest_target(${psd} base/utils/numbers.bro)
 rest_target(${psd} base/utils/paths.bro)
 rest_target(${psd} base/utils/patterns.bro)
+rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} base/utils/time.bro)
+rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
 rest_target(${psd} policy/frameworks/control/controller.bro)
 rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
-rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
-rest_target(${psd} policy/frameworks/metrics/http-example.bro)
-rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
+rest_target(${psd} policy/frameworks/intel/conn-established.bro)
+rest_target(${psd} policy/frameworks/intel/dns.bro)
+rest_target(${psd} policy/frameworks/intel/http-host-header.bro)
+rest_target(${psd} policy/frameworks/intel/http-url.bro)
+rest_target(${psd} policy/frameworks/intel/http-user-agents.bro)
+rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
+rest_target(${psd} policy/frameworks/intel/smtp.bro)
+rest_target(${psd} policy/frameworks/intel/ssl.bro)
+rest_target(${psd} policy/frameworks/intel/where-locations.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
+rest_target(${psd} policy/integration/collective-intel/main.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
+rest_target(${psd} policy/misc/app-metrics.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
+rest_target(${psd} policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
+rest_target(${psd} policy/protocols/conn/metrics.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
-rest_target(${psd} policy/protocols/http/detect-intel.bro)
 rest_target(${psd} policy/protocols/http/detect-sqli.bro)
 rest_target(${psd} policy/protocols/http/detect-webapps.bro)
 rest_target(${psd} policy/protocols/http/header-names.bro)
@@ -122,8 +162,11 @@ rest_target(${psd} policy/protocols/http/software-browser-plugins.bro)
 rest_target(${psd} policy/protocols/http/software.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-uri.bro)
+rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
+rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
+rest_target(${psd} policy/protocols/smtp/metrics.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
@@ -133,9 +176,11 @@ rest_target(${psd} policy/protocols/ssl/cert-hash.bro) rest_target(${psd} policy/protocols/ssl/expiring-certs.bro) rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro) rest_target(${psd} policy/protocols/ssl/known-certs.bro) +rest_target(${psd} policy/protocols/ssl/notary.bro) rest_target(${psd} policy/protocols/ssl/validate-certs.bro) rest_target(${psd} policy/tuning/defaults/packet-fragments.bro) rest_target(${psd} policy/tuning/defaults/warnings.bro) +rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro) rest_target(${psd} policy/tuning/track-all-assets.bro) rest_target(${psd} site/local-manager.bro) rest_target(${psd} site/local-proxy.bro) From a615601269dd2b1e3d7cdf1e65c5257afa8c2952 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 11 Apr 2013 09:42:46 -0400 Subject: [PATCH 074/134] Trying to fix a state maintenance issue. --- scripts/base/frameworks/measurement/main.bro | 30 +++++++++++--------- scripts/base/utils/queue.bro | 4 +-- 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro index 5e33ff7a25..7685099068 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/measurement/main.bro @@ -142,12 +142,12 @@ type Thresholding: record { threshold_series_index: count &default=0; }; +# Internal use only. For tracking thresholds per measurement and key. +global threshold_tracker: table[string] of table[Key] of Thresholding &optional; + redef record Measurement += { # Internal use only (mostly for cluster coherency). id: string &optional; - - # Internal use only. For tracking tresholds per key. - threshold_tracker: table[Key] of Thresholding &optional; }; # Store of measurements indexed on the measurement id. @@ -249,6 +249,7 @@ function reset(m: Measurement) delete result_store[m$id]; result_store[m$id] = table(); + threshold_tracker[m$id] = table(); } function create(m: Measurement) 
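Review bot: The new global `global threshold_tracker: table[string] of table[Key] of Thresholding &optional;` carries the `&optional` attribute over from the record field it replaces, but `&optional` describes a record field that may be unset and has no sensible meaning on a global table, so it should be dropped: `global threshold_tracker: table[string] of table[Key] of Thresholding;`. A short comment that `create` and `reset` are the only places that (re)initialize a measurement's inner table would also help readers of the guarded access later in `check_thresholds`. The `reset` change at `@@ -249,6 +249,7 @@` looks consistent with results being cleared per epoch.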
@@ -260,8 +261,7 @@ function create(m: Measurement) if ( ! m?$id ) m$id=unique_id(""); - local tmp: table[Key] of Thresholding = table(); - m$threshold_tracker = tmp; + threshold_tracker[m$id] = table(); measurement_store[m$id] = m; for ( reducer in m$reducers ) @@ -322,12 +322,6 @@ function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: if ( ! (m?$threshold || m?$threshold_series) ) return F; - if ( key !in m$threshold_tracker ) - { - local tmp: Thresholding; - m$threshold_tracker[key] = tmp; - } - # Add in the extra ResultVals to make threshold_vals easier to write. if ( |m$reducers| != |result| ) { @@ -343,7 +337,17 @@ function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: if ( modify_pct < 1.0 && modify_pct > 0.0 ) watch = double_to_count(floor(watch/modify_pct)); - local tt = m$threshold_tracker[key]; + if ( m$id !in threshold_tracker ) + threshold_tracker[m$id] = table(); + local t_tracker = threshold_tracker[m$id]; + + if ( key !in t_tracker ) + { + local ttmp: Thresholding; + t_tracker[key] = ttmp; + } + local tt = threshold_tracker[m$id][key]; + if ( m?$threshold && ! tt$is_threshold_crossed && watch >= m$threshold ) { # Value crossed the threshold. @@ -379,7 +383,7 @@ function threshold_crossed(m: Measurement, key: Key, result: Result) } m$threshold_crossed(key, result); - local tt = m$threshold_tracker[key]; + local tt = threshold_tracker[m$id][key]; tt$is_threshold_crossed = T; # Bump up to the next threshold series index if a threshold series is being used. diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro index 1e7a293e17..ed45b034f5 100644 --- a/scripts/base/utils/queue.bro +++ b/scripts/base/utils/queue.bro 
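Review bot: In `@@ -343,7 +337,17 @@` the final lookup `local tt = threshold_tracker[m$id][key];` re-indexes the outer table although `t_tracker` already refers to `threshold_tracker[m$id]`; `local tt = t_tracker[key];` is shorter and makes the aliasing explicit. The guard `if ( m$id !in threshold_tracker )` repeats the initialization that `create` and `reset` already perform, so if it is meant as a safety net for measurements that never went through `create`, a one-line comment saying so would keep it from being removed as dead code later. `check_thresholds` continues outside the hunk.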
@@ -21,14 +21,14 @@ export { ## Returns: An opaque queue record. global init: function(s: Settings): Queue; - ## Push a string onto the top of a queue. + ## Put a string onto the beginning of a queue. ## ## q: The queue to put the value into. ## ## val: The value to insert into the queue. global put: function(q: Queue, val: any); - ## Pop a string from the bottom of a queue. + ## Get a string from the end of a queue. ## ## q: The queue to get the string from. ## From e93fd69cf20c41a28b44c18796793ac93c0df6c2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 12 Apr 2013 09:28:38 -0400 Subject: [PATCH 075/134] Small updates to hopefully correct reporter errors leading to lost memory. --- scripts/base/frameworks/measurement/main.bro | 13 +++++++++---- .../base/frameworks/measurement/plugins/sample.bro | 8 ++++---- .../base/frameworks/measurement/plugins/std-dev.bro | 4 +--- .../frameworks/measurement/plugins/variance.bro | 3 ++- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro index 7685099068..db59a7ba85 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/measurement/main.bro @@ -293,14 +293,19 @@ function add_data(id: string, key: Key, point: DataPoint) key = r$normalize_key(copy(key)); local m = measurement_store[r$mid]; - local results = result_store[m$id]; + + if ( r$mid !in result_store ) + result_store[m$id] = table(); + local results = result_store[r$mid]; + if ( key !in results ) results[key] = table(); - if ( id !in results[key] ) - results[key][id] = init_resultval(r); - local result = results[key]; + + if ( id !in result ) + result[id] = init_resultval(r); local result_val = result[id]; + ++result_val$num; # Continually update the $end field. result_val$end=network_time(); 
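Review bot: The new guard in `add_data` tests `r$mid !in result_store` but initializes `result_store[m$id]` and then reads `result_store[r$mid]`; if `m$id` and `r$mid` ever differ, the missing-table reporter error this commit targets returns, and the mixed keys read as if two different measurements were involved. Use one key on all three lines, e.g. `if ( r$mid !in result_store ) result_store[r$mid] = table();`. The preceding context line `local m = measurement_store[r$mid];` is still unguarded, so if a reducer can reference a measurement that was never created the failure just moves one line up; `add_data` continues outside the hunk.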
diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro index 399f572490..0187946d61 100644 --- a/scripts/base/frameworks/measurement/plugins/sample.bro +++ b/scripts/base/frameworks/measurement/plugins/sample.bro @@ -4,16 +4,16 @@ module Measurement; export { - redef record Reducer += { ## A number of sample DataPoints to collect. samples: count &default=0; }; redef record ResultVal += { - # This is the queue where samples - # are maintained. Use the :bro:see:`Measurement::get_samples` - ## function to get a vector of the samples. + ## This is the queue where samples + ## are maintained. Use the + ## :bro:see:`Measurement::get_samples` function + ## to get a vector of the samples. samples: Queue::Queue &optional; }; diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro index bfcaa67910..63dcc62d4b 100644 --- a/scripts/base/frameworks/measurement/plugins/std-dev.bro +++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro @@ -11,7 +11,7 @@ export { redef record ResultVal += { ## For numeric data, this calculates the standard deviation. - std_dev: double &optional; + std_dev: double &default=0.0; }; } @@ -28,8 +28,6 @@ hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal { if ( rv?$variance ) calc_std_dev(rv); - else - rv$std_dev = 0.0; } } diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro index 2868a8a3ad..3c2223430d 100644 --- a/scripts/base/frameworks/measurement/plugins/variance.bro +++ b/scripts/base/frameworks/measurement/plugins/variance.bro 
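Review bot: Changing `std_dev` from `&optional` to `&default=0.0` means `rv?$std_dev` is now always true, so any consumer (none visible here) that used the field's presence to distinguish "computed" from "no variance yet" loses that signal and has to test `rv?$variance` instead. The removed `else rv$std_dev = 0.0;` in `@@ -28,8 +28,6 @@` is only equivalent to the default for a ResultVal that never had a variance, which appears to be the intended case. A note on the field such as `## Defaults to 0.0 until a variance is available.` would record that contract for callers.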
@@ -44,7 +44,8 @@ hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal # Reduced priority since this depends on the average hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-5 { - if ( rv1?$var_s && rv2?$var_s ) + if ( rv1?$var_s && rv1?$average && + rv2?$var_s && rv2?$average ) { local rv1_avg_sq = (rv1$average - result$average); rv1_avg_sq = rv1_avg_sq*rv1_avg_sq; From 8165d6077d4935ada81b9e57ce88f314eaea3ce8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 12 Apr 2013 11:20:45 -0400 Subject: [PATCH 076/134] Fix another occasional reporter error. --- scripts/base/frameworks/measurement/cluster.bro | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/measurement/cluster.bro b/scripts/base/frameworks/measurement/cluster.bro index 481b306417..fa5d58e5f6 100644 --- a/scripts/base/frameworks/measurement/cluster.bro +++ b/scripts/base/frameworks/measurement/cluster.bro @@ -132,8 +132,11 @@ event Measurement::cluster_measurement_request(uid: string, mid: string) #print fmt("WORKER %s: received the cluster_measurement_request event for %s.", Cluster::node, id); # Initiate sending all of the data for the requested measurement. - event Measurement::send_data(uid, mid, result_store[mid]); - + if ( mid in result_store ) + event Measurement::send_data(uid, mid, result_store[mid]); + else + event Measurement::send_data(uid, mid, table()); + # Lookup the actual measurement and reset it, the reference to the data # currently stored will be maintained internally by the send_data event. if ( mid in measurement_store ) From fbe967e16a473b7768e0608b164c674d4f9fdbb1 Mon Sep 17 00:00:00 2001 
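Review bot: The widened guard checks `rv1?$average` and `rv2?$average`, but the body also reads `result$average`, which is presumably filled by the average plugin's compose hook (the comment says this hook is deprioritized for that reason); if that hook can leave `result$average` unset, the subtraction still faults. Adding the third check is cheap: `if ( rv1?$var_s && rv1?$average && rv2?$var_s && rv2?$average && result?$average )`. The hook body continues outside the hunk.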
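Review bot: The two branches of the new `if ( mid in result_store )` differ only in the table argument, so selecting the data first reads more directly, e.g. `local data: ResultTable = (mid in result_store) ? result_store[mid] : table();` followed by a single `event Measurement::send_data(uid, mid, data);`. Either way, a one-line comment that an empty table is sent deliberately so the manager still receives a response and its completion count stays correct would document why the else branch exists; `cluster_key_request` in the same file spells out that reasoning and this handler should too.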
From: Seth Hall Date: Mon, 15 Apr 2013 15:12:28 -0400 Subject: [PATCH 077/134] Checkpoint for SumStats rename. --- .../{measurement => sumstats}/__load__.bro | 0 .../{measurement => sumstats}/cluster.bro | 111 ++++---- .../{measurement => sumstats}/main.bro | 236 +++++++++--------- .../{measurement => sumstats}/non-cluster.bro | 8 +- .../plugins/__load__.bro | 2 +- .../plugins/average.bro | 6 +- .../{measurement => sumstats}/plugins/max.bro | 6 +- .../{measurement => sumstats}/plugins/min.bro | 6 +- .../plugins/sample.bro | 18 +- .../plugins/std-dev.bro | 6 +- .../{measurement => sumstats}/plugins/sum.bro | 10 +- .../plugins/unique.bro | 8 +- .../plugins/variance.bro | 6 +- scripts/base/protocols/ssh/main.bro | 3 +- scripts/policy/misc/app-metrics.bro | 74 +++--- .../policy/misc/detect-traceroute/main.bro | 56 ++--- scripts/policy/misc/scan.bro | 108 ++++---- .../protocols/ftp/detect-bruteforcing.bro | 42 ++-- scripts/policy/protocols/http/detect-sqli.bro | 76 +++--- scripts/policy/protocols/smtp/metrics.bro | 4 +- .../protocols/ssh/detect-bruteforcing.bro | 46 ++-- .../manager-1..stdout | 0 .../.stdout | 0 .../manager-1..stdout | 0 .../.stdout | 0 .../frameworks/measurement/basic-cluster.bro | 83 ------ .../base/frameworks/measurement/basic.bro | 34 --- .../frameworks/measurement/thresholding.bro | 73 ------ .../frameworks/sumstats/basic-cluster.bro | 82 ++++++ .../base/frameworks/sumstats/basic.bro | 34 +++ .../cluster-intermediate-update.bro | 35 ++- .../base/frameworks/sumstats/thresholding.bro | 73 ++++++ 32 files changed, 626 insertions(+), 620 deletions(-) rename scripts/base/frameworks/{measurement => sumstats}/__load__.bro (100%) rename scripts/base/frameworks/{measurement => sumstats}/cluster.bro (74%) rename scripts/base/frameworks/{measurement => sumstats}/main.bro (52%) rename scripts/base/frameworks/{measurement => sumstats}/non-cluster.bro (58%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/__load__.bro (85%) rename 
scripts/base/frameworks/{measurement => sumstats}/plugins/average.bro (83%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/max.bro (81%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/min.bro (81%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/sample.bro (63%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/std-dev.bro (80%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/sum.bro (74%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/unique.bro (86%) rename scripts/base/frameworks/{measurement => sumstats}/plugins/variance.bro (91%) rename testing/btest/Baseline/{scripts.base.frameworks.measurement.basic-cluster => scripts.base.frameworks.sumstats.basic-cluster}/manager-1..stdout (100%) rename testing/btest/Baseline/{scripts.base.frameworks.measurement.basic => scripts.base.frameworks.sumstats.basic}/.stdout (100%) rename testing/btest/Baseline/{scripts.base.frameworks.measurement.cluster-intermediate-update => scripts.base.frameworks.sumstats.cluster-intermediate-update}/manager-1..stdout (100%) rename testing/btest/Baseline/{scripts.base.frameworks.measurement.thresholding => scripts.base.frameworks.sumstats.thresholding}/.stdout (100%) delete mode 100644 testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro delete mode 100644 testing/btest/scripts/base/frameworks/measurement/basic.bro delete mode 100644 testing/btest/scripts/base/frameworks/measurement/thresholding.bro create mode 100644 testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro create mode 100644 testing/btest/scripts/base/frameworks/sumstats/basic.bro rename testing/btest/scripts/base/frameworks/{measurement => sumstats}/cluster-intermediate-update.bro (59%) create mode 100644 testing/btest/scripts/base/frameworks/sumstats/thresholding.bro 
diff --git a/scripts/base/frameworks/measurement/__load__.bro b/scripts/base/frameworks/sumstats/__load__.bro similarity index 100% rename from scripts/base/frameworks/measurement/__load__.bro rename to scripts/base/frameworks/sumstats/__load__.bro diff --git a/scripts/base/frameworks/measurement/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro similarity index 74% rename from scripts/base/frameworks/measurement/cluster.bro rename to scripts/base/frameworks/sumstats/cluster.bro index fa5d58e5f6..098c047961 100644 --- a/scripts/base/frameworks/measurement/cluster.bro +++ b/scripts/base/frameworks/sumstats/cluster.bro @@ -7,7 +7,7 @@ @load base/frameworks/cluster @load ./main -module Measurement; +module SumStats; export { ## Allows a user to decide how large of result groups the 
@@ -48,22 +48,21 @@ export { global cluster_key_request: event(uid: string, mid: string, key: Key); ## This event is sent by nodes in response to a - ## :bro:id:`Measurement::cluster_key_request` event. + ## :bro:id:`SumStats::cluster_key_request` event. global cluster_key_response: event(uid: string, mid: string, key: Key, result: Result); ## This is sent by workers to indicate that they crossed the percent of the ## current threshold by the percentage defined globally in - ## :bro:id:`Measurement::cluster_request_global_view_percent` - global cluster_key_intermediate_response: event(mid: string, key: Measurement::Key); + ## :bro:id:`SumStats::cluster_request_global_view_percent` + global cluster_key_intermediate_response: event(mid: string, key: SumStats::Key); ## This event is scheduled internally on workers to send result chunks. global send_data: event(uid: string, mid: string, data: ResultTable); } # Add events to the cluster framework to make this work. -redef Cluster::manager2worker_events += /Measurement::cluster_(measurement_request|key_request)/; -redef Cluster::manager2worker_events += /Measurement::new_measurement/; -redef Cluster::worker2manager_events += /Measurement::cluster_(measurement_response|key_response|key_intermediate_response)/; +redef Cluster::manager2worker_events += /SumStats::cluster_(measurement_request|key_request)/; +redef Cluster::worker2manager_events += /SumStats::cluster_(measurement_response|key_response|key_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) # This variable is maintained to know what keys have recently sent as 
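Review bot: The registration `redef Cluster::manager2worker_events += /Measurement::new_measurement/;` is deleted without a `SumStats::` counterpart, while the other two redefs are renamed in place; if the `new_measurement` event (declared outside this hunk) still exists after the rename, the manager will no longer forward it to workers. If the event was removed deliberately, a sentence in the commit message saying so would distinguish this from a missed rename. Given the commit is described as a checkpoint this may be intentional, but the asymmetry is worth confirming before the rename lands.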
@@ -75,32 +74,32 @@ global recent_global_view_keys: table[string, Key] of count &create_expire=1min event bro_init() &priority=-100 { # The manager is the only host allowed to track these. - measurement_store = table(); + stats_store = table(); reducer_store = table(); } # This is done on all non-manager node types in the event that a metric is # being collected somewhere other than a worker. -function data_added(m: Measurement, key: Key, result: Result) +function data_added(ss: SumStat, key: Key, result: Result) { # If an intermediate update for this value was sent recently, don't send # it again. - if ( [m$id, key] in recent_global_view_keys ) + if ( [ss$id, key] in recent_global_view_keys ) return; # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that # crosses the full threshold then it's a candidate to send as an # intermediate update. if ( enable_intermediate_updates && - check_thresholds(m, key, result, cluster_request_global_view_percent) ) + check_thresholds(ss, key, result, cluster_request_global_view_percent) ) { # kick off intermediate update - event Measurement::cluster_key_intermediate_response(m$id, key); - ++recent_global_view_keys[m$id, key]; + event SumStats::cluster_key_intermediate_response(ss$id, key); + ++recent_global_view_keys[ss$id, key]; } } -event Measurement::send_data(uid: string, mid: string, data: ResultTable) +event SumStats::send_data(uid: string, mid: string, data: ResultTable) { #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid); 
@@ -122,39 +121,39 @@ event Measurement::send_data(uid: string, mid: string, data: ResultTable) if ( |data| == 0 ) done = T; - event Measurement::cluster_measurement_response(uid, mid, local_data, done); + event SumStats::cluster_measurement_response(uid, mid, local_data, done); if ( ! done ) - schedule 0.01 sec { Measurement::send_data(uid, mid, data) }; + schedule 0.01 sec { SumStats::send_data(uid, mid, data) }; } -event Measurement::cluster_measurement_request(uid: string, mid: string) +event SumStats::cluster_measurement_request(uid: string, mid: string) { #print fmt("WORKER %s: received the cluster_measurement_request event for %s.", Cluster::node, id); # Initiate sending all of the data for the requested measurement. if ( mid in result_store ) - event Measurement::send_data(uid, mid, result_store[mid]); + event SumStats::send_data(uid, mid, result_store[mid]); else - event Measurement::send_data(uid, mid, table()); + event SumStats::send_data(uid, mid, table()); # Lookup the actual measurement and reset it, the reference to the data # currently stored will be maintained internally by the send_data event. - if ( mid in measurement_store ) - reset(measurement_store[mid]); + if ( mid in stats_store ) + reset(stats_store[mid]); } -event Measurement::cluster_key_request(uid: string, mid: string, key: Key) +event SumStats::cluster_key_request(uid: string, mid: string, key: Key) { if ( mid in result_store && key in result_store[mid] ) { #print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data); - event Measurement::cluster_key_response(uid, mid, key, result_store[mid][key]); + event SumStats::cluster_key_response(uid, mid, key, result_store[mid][key]); } else { # We need to send an empty response if we don't have the data so that the manager # can know that it heard back from all of the workers. 
- event Measurement::cluster_key_response(uid, mid, key, table()); + event SumStats::cluster_key_response(uid, mid, key, table()); } } @@ -166,7 +165,7 @@ event Measurement::cluster_key_request(uid: string, mid: string, key: Key) # This variable is maintained by manager nodes as they collect and aggregate # results. # Index on a uid. -global measurement_results: table[string] of ResultTable &read_expire=1min; +global stats_results: table[string] of ResultTable &read_expire=1min; # This variable is maintained by manager nodes to track how many "dones" they # collected per collection unique id. Once the number of results for a uid @@ -189,7 +188,7 @@ global outstanding_global_views: table[string] of count &default=0; const zero_time = double_to_time(0.0); # Managers handle logging. -event Measurement::finish_epoch(m: Measurement) +event SumStats::finish_epoch(ss: SumStat) { if ( network_time() > zero_time ) { 
@@ -198,25 +197,25 @@ event Measurement::finish_epoch(m: Measurement) if ( uid in measurement_results ) delete measurement_results[uid]; - measurement_results[uid] = table(); + stats_results[uid] = table(); # Request data from peers. - event Measurement::cluster_measurement_request(uid, m$id); + event SumStats::cluster_measurement_request(uid, ss$id); } # Schedule the next finish_epoch event. - schedule m$epoch { Measurement::finish_epoch(m) }; + schedule m$epoch { SumStats::finish_epoch(m) }; } # This is unlikely to be called often, but it's here in case there are measurements # being collected by managers. -function data_added(m: Measurement, key: Key, result: Result) +function data_added(ss: SumStat, key: Key, result: Result) { - if ( check_thresholds(m, key, result, 1.0) ) - threshold_crossed(m, key, result); + if ( check_thresholds(ss, key, result, 1.0) ) + threshold_crossed(ss, key, result); } -event Measurement::cluster_key_response(uid: string, mid: string, key: Key, result: Result) +event SumStats::cluster_key_response(uid: string, ssid: string, key: Key, result: Result) { #print fmt("%0.6f MANAGER: receiving key data from %s - %s=%s", network_time(), get_event_peer()$descr, key2str(key), result); 
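Review bot: Two identifiers in `finish_epoch` are left over from the rename: the context lines `if ( uid in measurement_results ) delete measurement_results[uid];` still refer to the global renamed to `stats_results` in `@@ -166,7 +165,7 @@`, and the new line `schedule m$epoch { SumStats::finish_epoch(m) };` uses `m` although the parameter is now `ss`. They should read `if ( uid in stats_results ) delete stats_results[uid];` and `schedule ss$epoch { SumStats::finish_epoch(ss) };`. Because that schedule is what keeps the epoch loop running on the manager, an error there would stop cluster-wide collection and threshold checks after the first epoch. `finish_epoch` starts outside the hunk.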
@@ -233,26 +232,26 @@ event Measurement::cluster_key_response(uid: string, mid: string, key: Key, resu #print fmt("worker_count:%d :: done_with:%d", Cluster::worker_count, done_with[uid]); if ( Cluster::worker_count == done_with[uid] ) { - local m = measurement_store[mid]; + local ss = stats_store[ssid]; local ir = key_requests[uid]; - if ( check_thresholds(m, key, ir, 1.0) ) - threshold_crossed(m, key, ir); + if ( check_thresholds(ss, key, ir, 1.0) ) + threshold_crossed(ss, key, ir); delete done_with[uid]; delete key_requests[uid]; # Check that there is an outstanding view before subtracting. - if ( outstanding_global_views[mid] > 0 ) - --outstanding_global_views[mid]; + if ( outstanding_global_views[ssid] > 0 ) + --outstanding_global_views[ssid]; } } # Managers handle intermediate updates here. -event Measurement::cluster_key_intermediate_response(mid: string, key: Key) +event SumStats::cluster_key_intermediate_response(ssid: string, key: Key) { #print fmt("MANAGER: receiving intermediate key data from %s", get_event_peer()$descr); #print fmt("MANAGER: requesting key data for %s", key2str(key)); - if ( mid in outstanding_global_views && + if ( ssid in outstanding_global_views && |outstanding_global_views[mid]| > max_outstanding_global_views ) { # Don't do this intermediate update. Perhaps at some point in the future @@ -261,13 +260,13 @@ event Measurement::cluster_key_intermediate_response(mid: string, key: Key) return; } - ++outstanding_global_views[mid]; + ++outstanding_global_views[ssid]; local uid = unique_id(""); - event Measurement::cluster_key_request(uid, mid, key); + event SumStats::cluster_key_request(uid, ssid, key); } -event Measurement::cluster_measurement_response(uid: string, mid: string, data: ResultTable, done: bool) +event SumStats::cluster_measurement_response(uid: string, ssid: string, data: ResultTable, done: bool) { #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr); 
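Review bot: In `cluster_key_intermediate_response` the context line `|outstanding_global_views[mid]| > max_outstanding_global_views )` still uses `mid` after the parameter on the line above was renamed to `ssid`, so the condition now references an undefined name; it should be `|outstanding_global_views[ssid]| > max_outstanding_global_views )`. The same kind of leftover appears in `finish_epoch` at `@@ -198,25 +197,25 @@`. Since this check is the cap on intermediate global-view requests a worker can trigger, it is worth a regression test in the cluster btest that exercises the intermediate-update path.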
@@ -275,8 +274,8 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: if ( done ) ++done_with[uid]; - local local_data = measurement_results[uid]; - local m = measurement_store[mid]; + local local_data = stats_results[uid]; + local ss = stats_store[ssid]; for ( key in data ) { @@ -285,14 +284,14 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: else local_data[key] = data[key]; - # If a measurement is done being collected, thresholds for each key - # need to be checked so we're doing it here to avoid doubly iterating - # over each key. + # If a stat is done being collected, thresholds for each key + # need to be checked so we're doing it here to avoid doubly + # iterating over each key. if ( Cluster::worker_count == done_with[uid] ) { - if ( check_thresholds(m, key, local_data[key], 1.0) ) + if ( check_thresholds(ss, key, local_data[key], 1.0) ) { - threshold_crossed(m, key, local_data[key]); + threshold_crossed(ss, key, local_data[key]); } } } @@ -300,20 +299,20 @@ event Measurement::cluster_measurement_response(uid: string, mid: string, data: # If the data has been collected from all peers, we are done and ready to finish. if ( Cluster::worker_count == done_with[uid] ) { - if ( m?$epoch_finished ) - m$epoch_finished(local_data); + if ( ss?$epoch_finished ) + ss$epoch_finished(local_data); # Clean up - delete measurement_results[uid]; + delete stats_results[uid]; delete done_with[uid]; # Not sure I need to reset the measurement on the manager. - reset(m); + reset(ss); } } event remote_connection_handshake_done(p: event_peer) &priority=5 { - send_id(p, "Measurement::measurement_store"); - send_id(p, "Measurement::reducer_store"); + send_id(p, "SumStats::stats_store"); + send_id(p, "SumStats::reducer_store"); } @endif 
diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/sumstats/main.bro similarity index 52% rename from scripts/base/frameworks/measurement/main.bro rename to scripts/base/frameworks/sumstats/main.bro index db59a7ba85..a5c41ba1f3 100644 --- a/scripts/base/frameworks/measurement/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -1,6 +1,8 @@ -##! The measurement framework provides a way to count and measure data. +##! The summary statistics framework provides a way to +##! summarize large streams of data into simple reduced +##! measurements. -module Measurement; +module SumStats; export { ## The various calculations are all defined as plugins. @@ -8,14 +10,17 @@ export { PLACEHOLDER }; - ## Represents a thing which is having measurement results collected for it. + ## Represents a thing which is having summarization + ## results collected for it. type Key: record { - ## A non-address related measurement or a sub-key for an address based measurement. - ## An example might be successful SSH connections by client IP address + ## A non-address related summarization or a sub-key for + ## an address based summarization. An example might be + ## successful SSH connections by client IP address ## where the client string would be the key value. - ## Another example might be number of HTTP requests to a particular - ## value in a Host header. This is an example of a non-host based - ## metric since multiple IP addresses could respond for the same Host + ## Another example might be number of HTTP requests to + ## a particular value in a Host header. This is an + ## example of a non-host based metric since multiple + ## IP addresses could respond for the same Host ## header value. str: string &optional; 
@@ -23,9 +28,9 @@ export { host: addr &optional; }; - ## Represents data being added for a single metric data point. - ## Only supply a single value here at a time. - type DataPoint: record { + ## Represents data being added for a single observation. + ## Only supply a single field at a time! + type Observation: record { ## Count value. num: count &optional; ## Double value. 
@@ -35,102 +40,110 @@ export { }; type Reducer: record { - ## Data stream identifier for the reducer to attach to. + ## Observation stream identifier for the reducer + ## to attach to. stream: string; ## The calculations to perform on the data points. apply: set[Calculation]; - ## A predicate so that you can decide per key if you would like - ## to accept the data being inserted. - pred: function(key: Measurement::Key, point: Measurement::DataPoint): bool &optional; + ## A predicate so that you can decide per key if you + ## would like to accept the data being inserted. + pred: function(key: SumStats::Key, obs: SumStats::Observation): bool &optional; ## A function to normalize the key. This can be used to aggregate or ## normalize the entire key. - normalize_key: function(key: Measurement::Key): Key &optional; + normalize_key: function(key: SumStats::Key): Key &optional; }; - ## Value calculated for a data point stream fed into a reducer. + ## Value calculated for an observation stream fed into a reducer. ## Most of the fields are added by plugins. type ResultVal: record { - ## The time when the first data point was added to this result value. + ## The time when the first observation was added to + ## this result value. begin: time; - ## The time when the last data point was added to this result value. + ## The time when the last observation was added to + ## this result value. end: time; - ## The number of measurements received. + ## The number of observations received. num: count &default=0; }; ## Type to store results for multiple reducers. type Result: table[string] of ResultVal; - ## Type to store a table of measurement results indexed by the measurement key. + ## Type to store a table of sumstats results indexed + ## by keys. 
type ResultTable: table[Key] of Result; - ## Measurements represent an aggregation of reducers along with + ## SumStats represent an aggregation of reducers along with ## mechanisms to handle various situations like the epoch ending ## or thresholds being crossed. - type Measurement: record { - ## The interval at which this filter should be "broken" and the - ## '$epoch_finished' callback called. The results are also reset - ## at this time so any threshold based detection needs to be set to a - ## number that should be expected to happen within this epoch. + ## It's best to not access any global state outside + ## of the variables given to the callbacks because there + ## is no assurance provided as to where the callbacks + ## will be executed on clusters. + type SumStat: record { + ## The interval at which this filter should be "broken" + ## and the '$epoch_finished' callback called. The + ## results are also reset at this time so any threshold + ## based detection needs to be set to a + ## value that should be expected to happen within + ## this epoch. epoch: interval; - ## The reducers for the measurement indexed by data id. + ## The reducers for the SumStat reducers: set[Reducer]; - ## Provide a function to calculate a value from the :bro:see:`Result` - ## structure which will be used for thresholding. - threshold_val: function(key: Measurement::Key, result: Measurement::Result): count &optional; + ## Provide a function to calculate a value from the + ## :bro:see:`Result` structure which will be used + ## for thresholding. + ## This is required if a $threshold value is given. + threshold_val: function(key: SumStats::Key, result: SumStats::Result): count &optional; - ## The threshold value for calling the $threshold_crossed callback. + ## The threshold value for calling the + ## $threshold_crossed callback. threshold: count &optional; - ## A series of thresholds for calling the $threshold_crossed callback. 
+ ## A series of thresholds for calling the + ## $threshold_crossed callback. threshold_series: vector of count &optional; ## A callback that is called when a threshold is crossed. - threshold_crossed: function(key: Measurement::Key, result: Measurement::Result) &optional; + threshold_crossed: function(key: SumStats::Key, result: SumStats::Result) &optional; - ## A callback with the full collection of Results for this filter. - ## It's best to not access any global state outside of the variables - ## given to the callback because there is no assurance provided as to - ## where the callback will be executed on clusters. - epoch_finished: function(rt: Measurement::ResultTable) &optional; + ## A callback with the full collection of Results for + ## this SumStat. + epoch_finished: function(rt: SumStats::ResultTable) &optional; }; - ## Create a measurement. - global create: function(m: Measurement::Measurement); + ## Create a summary statistic. + global create: function(m: SumStats::SumStat); - ## Add data into a data point stream. This should be called when - ## a script has measured some point value. + ## Add data into an observation stream. This should be + ## called when a script has measured some point value. ## - ## id: The stream identifier that the data point represents. + ## id: The observation stream identifier that the data + ## point represents. ## - ## key: The measurement key that the value is to be added to. + ## key: The key that the value is related to. ## - ## point: The data point to send into the stream. - global add_data: function(id: string, key: Measurement::Key, point: Measurement::DataPoint); + ## obs: The data point to send into the stream. + global observe: function(id: string, key: SumStats::Key, obs: SumStats::Observation); - ## Helper function to represent a :bro:type:`Measurement::Key` value as + ## Helper function to represent a :bro:type:`SumStats::Key` value as ## a simple string. 
## ## key: The metric key that is to be converted into a string. ## ## Returns: A string representation of the metric key. - global key2str: function(key: Measurement::Key): string; - - ## This event is generated for each new measurement that is created. - ## - ## m: The record which describes a measurement. - global new_measurement: event(m: Measurement); + global key2str: function(key: SumStats::Key): string; } redef record Reducer += { - # Internal use only. Provides a reference back to the related Measurement by it's ID. + # Internal use only. Provides a reference back to the related SumStats by it's ID. mid: string &optional; }; @@ -142,16 +155,16 @@ type Thresholding: record { threshold_series_index: count &default=0; }; -# Internal use only. For tracking thresholds per measurement and key. +# Internal use only. For tracking thresholds per sumstat and key. global threshold_tracker: table[string] of table[Key] of Thresholding &optional; -redef record Measurement += { +redef record SumStats += { # Internal use only (mostly for cluster coherency). id: string &optional; }; -# Store of measurements indexed on the measurement id. -global measurement_store: table[string] of Measurement = table(); +# Store of sumstats indexed on the sumstat id. +global stats_store: table[string] of SumStats = table(); # Store of reducers indexed on the data point stream id. global reducer_store: table[string] of set[Reducer] = table(); 
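Review bot: The Reducer docs for `$pred` and `$normalize_key` do not say in which order they run, yet observe (a later hunk) evaluates the predicate on the caller's key and only then applies `$normalize_key`, so a predicate never sees the normalized key. Suggest adding to the `$pred` doc: `## The predicate sees the key as passed to observe, before $normalize_key is applied.` Two smaller wording points in the same hunk: the internal `mid` comment should read `its ID`, not `it's ID`, and the `obs:` parameter doc still says "data point" after the rename to observation.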
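Review bot: `redef record SumStats += {` and `global stats_store: table[string] of SumStats` name the module rather than a record type: the export block defines `type SumStat: record`, and `reset`, `create`, `check_thresholds` and `threshold_crossed` all take `ss: SumStat`. Unless a `SumStats` type is declared somewhere outside this patch, these lines will not resolve; the same spelling appears in the `data_added` and `finish_epoch` prototypes in the next hunk and in non-cluster.bro's `finish_epoch` and `data_added`. Change to `redef record SumStat += {` and `global stats_store: table[string] of SumStat = table();` and update the prototypes and non-cluster.bro to match.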
@@ -166,10 +179,10 @@ global thresholds_store: table[string, Key] of bool = table(); # key values are updated and the new val is given as the `val` argument. # It's only prototyped here because cluster and non-cluster have separate # implementations. -global data_added: function(m: Measurement, key: Key, result: Result); +global data_added: function(m: SumStats, key: Key, result: Result); # Prototype the hook point for plugins to do calculations. -global add_to_reducer_hook: hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal); +global add_to_reducer_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal); # Prototype the hook point for plugins to initialize any result values. global init_resultval_hook: hook(r: Reducer, rv: ResultVal); # Prototype the hook point for plugins to merge Results. @@ -177,7 +190,7 @@ global compose_resultvals_hook: hook(result: ResultVal, rv1: ResultVal, rv2: Res # Event that is used to "finish" measurements and adapt the measurement # framework for clustered or non-clustered usage. -global finish_epoch: event(m: Measurement); +global finish_epoch: event(m: SumStats); function key2str(key: Key): string { @@ -186,7 +199,7 @@ function key2str(key: Key): string out = fmt("%shost=%s", out, key$host); if ( key?$str ) out = fmt("%s%sstr=%s", out, |out|==0 ? "" : ", ", key$str); - return fmt("measurement_key(%s)", out); + return fmt("sumstats_key(%s)", out); } function init_resultval(r: Reducer): ResultVal @@ -200,17 +213,12 @@ function compose_resultvals(rv1: ResultVal, rv2: ResultVal): ResultVal { local result: ResultVal; - # Merge $begin (take the earliest one) result$begin = (rv1$begin < rv2$begin) ? rv1$begin : rv2$begin; - - # Merge $end (take the latest one) result$end = (rv1$end > rv2$end) ? rv1$end : rv2$end; - - # Merge $num result$num = rv1$num + rv2$num; + # Run the plugin composition hooks. hook compose_resultvals_hook(result, rv1, rv2); - return result; } 
@@ -243,59 +251,59 @@ function compose_results(r1: Result, r2: Result): Result } -function reset(m: Measurement) +function reset(ss: SumStat) { - if ( m$id in result_store ) - delete result_store[m$id]; + if ( ss$id in result_store ) + delete result_store[ss$id]; - result_store[m$id] = table(); - threshold_tracker[m$id] = table(); + result_store[ss$id] = table(); + threshold_tracker[ss$id] = table(); } -function create(m: Measurement) +function create(ss: SumStat) { - if ( (m?$threshold || m?$threshold_series) && ! m?$threshold_val ) + if ( (ss?$threshold || ss?$threshold_series) && ! ss?$threshold_val ) { - Reporter::error("Measurement given a threshold with no $threshold_val function"); + Reporter::error("SumStats given a threshold with no $threshold_val function"); } - if ( ! m?$id ) - m$id=unique_id(""); - threshold_tracker[m$id] = table(); - measurement_store[m$id] = m; + if ( ! ss?$id ) + ss$id=unique_id(""); + threshold_tracker[ss$id] = table(); + stats_store[ss$id] = ss; - for ( reducer in m$reducers ) + for ( reducer in ss$reducers ) { - reducer$mid = m$id; + reducer$mid = ss$id; if ( reducer$stream !in reducer_store ) reducer_store[reducer$stream] = set(); add reducer_store[reducer$stream][reducer]; } - reset(m); - schedule m$epoch { Measurement::finish_epoch(m) }; + reset(ss); + schedule ss$epoch { SumStats::finish_epoch(ss) }; } -function add_data(id: string, key: Key, point: DataPoint) +function observe(id: string, key: Key, obs: Observation) { - # Try to add the data to all of the defined reducers. if ( id !in reducer_store ) return; + # Try to add the data to all of the defined reducers. for ( r in reducer_store[id] ) { # If this reducer has a predicate, run the predicate # and skip this key if the predicate return false. - if ( r?$pred && ! r$pred(key, point) ) + if ( r?$pred && ! 
r$pred(key, obs) ) next; if ( r?$normalize_key ) key = r$normalize_key(copy(key)); - local m = measurement_store[r$mid]; + local ss = stats_store[r$mid]; if ( r$mid !in result_store ) - result_store[m$id] = table(); + result_store[ss$id] = table(); local results = result_store[r$mid]; if ( key !in results ) 
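Review bot: In create, `Reporter::error("SumStats given a threshold with no $threshold_val function");` reports the misconfiguration but the function then goes on to register the SumStat anyway; check_thresholds in the next hunk calls `ss$threshold_val(key, result)` whenever `$threshold` or `$threshold_series` is set, so the missing optional field will fail at runtime on the first observation instead of at creation time. Add `return;` directly after the Reporter::error call. Separately, in observe the assignment `key = r$normalize_key(copy(key));` overwrites the function parameter inside the `for ( r in reducer_store[id] )` loop, so a second reducer on the same stream receives the key already normalized by the first; keeping the normalized key in a loop-local variable and using that for the result lookup and the data_added call would keep reducers independent. observe continues in the following hunk.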
@@ -312,56 +320,56 @@ function add_data(id: string, key: Key, point: DataPoint) # If a string was given, fall back to 1.0 as the value. local val = 1.0; - if ( point?$num || point?$dbl ) - val = point?$dbl ? point$dbl : point$num; + if ( obs?$num || obs?$dbl ) + val = obs?$dbl ? obs$dbl : obs$num; - hook add_to_reducer_hook(r, val, point, result_val); - data_added(m, key, result); + hook add_to_reducer_hook(r, val, obs, result_val); + data_added(ss, key, result); } } # This function checks if a threshold has been crossed. It is also used as a method to implement # mid-break-interval threshold crossing detection for cluster deployments. -function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: double): bool +function check_thresholds(ss: SumStat, key: Key, result: Result, modify_pct: double): bool { - if ( ! (m?$threshold || m?$threshold_series) ) + if ( ! (ss?$threshold || ss?$threshold_series) ) return F; # Add in the extra ResultVals to make threshold_vals easier to write. - if ( |m$reducers| != |result| ) + if ( |ss$reducers| != |result| ) { - for ( reducer in m$reducers ) + for ( reducer in ss$reducers ) { if ( reducer$stream !in result ) result[reducer$stream] = init_resultval(reducer); } } - local watch = m$threshold_val(key, result); + local watch = ss$threshold_val(key, result); if ( modify_pct < 1.0 && modify_pct > 0.0 ) watch = double_to_count(floor(watch/modify_pct)); - if ( m$id !in threshold_tracker ) - threshold_tracker[m$id] = table(); - local t_tracker = threshold_tracker[m$id]; + if ( ss$id !in threshold_tracker ) + threshold_tracker[ss$id] = table(); + local t_tracker = threshold_tracker[ss$id]; if ( key !in t_tracker ) { local ttmp: Thresholding; t_tracker[key] = ttmp; } - local tt = threshold_tracker[m$id][key]; + local tt = t_tracker[key]; - if ( m?$threshold && ! tt$is_threshold_crossed && watch >= m$threshold ) + if ( ss?$threshold && ! tt$is_threshold_crossed && watch >= ss$threshold ) { # Value crossed the threshold. 
return T; } - if ( m?$threshold_series && - |m$threshold_series| >= tt$threshold_series_index && - watch >= m$threshold_series[tt$threshold_series_index] ) + if ( ss?$threshold_series && + |ss$threshold_series| >= tt$threshold_series_index && + watch >= ss$threshold_series[tt$threshold_series_index] ) { # A threshold series was given and the value crossed the next # value in the series. @@ -371,28 +379,28 @@ function check_thresholds(m: Measurement, key: Key, result: Result, modify_pct: return F; } -function threshold_crossed(m: Measurement, key: Key, result: Result) +function threshold_crossed(ss: SumStat, key: Key, result: Result) { # If there is no callback, there is no point in any of this. - if ( ! m?$threshold_crossed ) + if ( ! ss?$threshold_crossed ) return; # Add in the extra ResultVals to make threshold_crossed callbacks easier to write. - if ( |m$reducers| != |result| ) + if ( |ss$reducers| != |result| ) { - for ( reducer in m$reducers ) + for ( reducer in ss$reducers ) { if ( reducer$stream !in result ) result[reducer$stream] = init_resultval(reducer); } } - m$threshold_crossed(key, result); - local tt = threshold_tracker[m$id][key]; + ss$threshold_crossed(key, result); + local tt = threshold_tracker[ss$id][key]; tt$is_threshold_crossed = T; # Bump up to the next threshold series index if a threshold series is being used. - if ( m?$threshold_series ) + if ( ss?$threshold_series ) ++tt$threshold_series_index; } diff --git a/scripts/base/frameworks/measurement/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro similarity index 58% rename from scripts/base/frameworks/measurement/non-cluster.bro rename to scripts/base/frameworks/sumstats/non-cluster.bro index 35ff9dc935..6163548ec6 100644 --- a/scripts/base/frameworks/measurement/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.bro 
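Review bot: The threshold-series check in check_thresholds, `|ss$threshold_series| >= tt$threshold_series_index && watch >= ss$threshold_series[tt$threshold_series_index]`, indexes one past the end once the last series value has been crossed: threshold_crossed does `++tt$threshold_series_index`, so after the final element the index equals the vector size, the `>=` comparison still holds and the vector lookup is out of range. The comparison should be strict: `|ss$threshold_series| > tt$threshold_series_index &&`. The off-by-one predates the rename, but the line is touched here, so this is the place to fix it.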
@@ -1,8 +1,8 @@ @load ./main -module Measurement; +module SumStats; -event Measurement::finish_epoch(m: Measurement) +event SumStats::finish_epoch(m: SumStats) { if ( m$id in result_store ) { @@ -13,11 +13,11 @@ event Measurement::finish_epoch(m: Measurement) reset(m); } - schedule m$epoch { Measurement::finish_epoch(m) }; + schedule m$epoch { SumStats::finish_epoch(m) }; } -function data_added(m: Measurement, key: Key, result: Result) +function data_added(m: SumStats, key: Key, result: Result) { if ( check_thresholds(m, key, result, 1.0) ) threshold_crossed(m, key, result); diff --git a/scripts/base/frameworks/measurement/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.bro similarity index 85% rename from scripts/base/frameworks/measurement/plugins/__load__.bro rename to scripts/base/frameworks/sumstats/plugins/__load__.bro index 0d4c2ed302..d739af29a7 100644 --- a/scripts/base/frameworks/measurement/plugins/__load__.bro +++ b/scripts/base/frameworks/sumstats/plugins/__load__.bro @@ -2,7 +2,7 @@ @load ./max @load ./min @load ./sample +@load ./variance @load ./std-dev @load ./sum @load ./unique -@load ./variance \ No newline at end of file diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro similarity index 83% rename from scripts/base/frameworks/measurement/plugins/average.bro rename to scripts/base/frameworks/sumstats/plugins/average.bro index 9a3938640e..002a0147ff 100644 --- a/scripts/base/frameworks/measurement/plugins/average.bro +++ b/scripts/base/frameworks/sumstats/plugins/average.bro @@ -1,6 +1,6 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { 
@@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( AVERAGE in r$apply ) { diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro similarity index 81% rename from scripts/base/frameworks/measurement/plugins/max.bro rename to scripts/base/frameworks/sumstats/plugins/max.bro index 816d249de3..0e377ff320 100644 --- a/scripts/base/frameworks/measurement/plugins/max.bro +++ b/scripts/base/frameworks/sumstats/plugins/max.bro @@ -1,6 +1,6 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { @@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( MAX in r$apply ) { diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro similarity index 81% rename from scripts/base/frameworks/measurement/plugins/min.bro rename to scripts/base/frameworks/sumstats/plugins/min.bro index 910d2c76d7..5e1e3fbbb7 100644 --- a/scripts/base/frameworks/measurement/plugins/min.bro +++ b/scripts/base/frameworks/sumstats/plugins/min.bro @@ -1,6 +1,6 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { @@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( MIN in r$apply ) { 
diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro similarity index 63% rename from scripts/base/frameworks/measurement/plugins/sample.bro rename to scripts/base/frameworks/sumstats/plugins/sample.bro index 0187946d61..a694296727 100644 --- a/scripts/base/frameworks/measurement/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -1,35 +1,35 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats @load base/utils/queue -module Measurement; +module SumStats; export { redef record Reducer += { - ## A number of sample DataPoints to collect. + ## A number of sample Observations to collect. samples: count &default=0; }; redef record ResultVal += { ## This is the queue where samples ## are maintained. Use the - ## :bro:see:`Measurement::get_samples` function + ## :bro:see:`SumStats::get_samples` function ## to get a vector of the samples. samples: Queue::Queue &optional; }; - ## Get a vector of sample DataPoint values from a ResultVal. - global get_samples: function(rv: ResultVal): vector of DataPoint; + ## Get a vector of sample Observation values from a ResultVal. + global get_samples: function(rv: ResultVal): vector of Observation; } -function get_samples(rv: ResultVal): vector of DataPoint +function get_samples(rv: ResultVal): vector of Observation { - local s: vector of DataPoint = vector(); + local s: vector of Observation = vector(); if ( rv?$samples ) Queue::get_vector(rv$samples, s); return s; } -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( r$samples > 0 ) { 
diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro similarity index 80% rename from scripts/base/frameworks/measurement/plugins/std-dev.bro rename to scripts/base/frameworks/sumstats/plugins/std-dev.bro index 63dcc62d4b..af6eea8cdc 100644 --- a/scripts/base/frameworks/measurement/plugins/std-dev.bro +++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro @@ -1,7 +1,7 @@ @load ./variance -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { @@ -22,7 +22,7 @@ function calc_std_dev(rv: ResultVal) } # This depends on the variance plugin which uses priority -5 -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) &priority=-10 +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) &priority=-10 { if ( STD_DEV in r$apply ) { diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro similarity index 74% rename from scripts/base/frameworks/measurement/plugins/sum.bro rename to scripts/base/frameworks/sumstats/plugins/sum.bro index 2ada26e1d0..572402d6c5 100644 --- a/scripts/base/frameworks/measurement/plugins/sum.bro +++ b/scripts/base/frameworks/sumstats/plugins/sum.bro @@ -1,6 +1,6 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { 
@@ -14,13 +14,13 @@ export { sum: double &default=0.0; }; - type threshold_function: function(key: Measurement::Key, result: Measurement::Result): count; + type threshold_function: function(key: SumStats::Key, result: SumStats::Result): count; global sum_threshold: function(data_id: string): threshold_function; } function sum_threshold(data_id: string): threshold_function { - return function(key: Measurement::Key, result: Measurement::Result): count + return function(key: SumStats::Key, result: SumStats::Result): count { print fmt("data_id: %s", data_id); print result; @@ -34,7 +34,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal) rv$sum = 0; } -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( SUM in r$apply ) rv$sum += val; diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro similarity index 86% rename from scripts/base/frameworks/measurement/plugins/unique.bro rename to scripts/base/frameworks/sumstats/plugins/unique.bro index f1027157a7..f260148af4 100644 --- a/scripts/base/frameworks/measurement/plugins/unique.bro +++ b/scripts/base/frameworks/sumstats/plugins/unique.bro @@ -1,6 +1,6 @@ -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { @@ -20,10 +20,10 @@ redef record ResultVal += { # because we don't want to trust that we can inspect the values # since we will like move to a probalistic data structure in the future. # TODO: in the future this will optionally be a hyperloglog structure - unique_vals: set[DataPoint] &optional; + unique_vals: set[Observation] &optional; }; -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) { if ( UNIQUE in r$apply ) { 
diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro similarity index 91% rename from scripts/base/frameworks/measurement/plugins/variance.bro rename to scripts/base/frameworks/sumstats/plugins/variance.bro index 3c2223430d..a26a2d4095 100644 --- a/scripts/base/frameworks/measurement/plugins/variance.bro +++ b/scripts/base/frameworks/sumstats/plugins/variance.bro @@ -1,7 +1,7 @@ @load ./average -@load base/frameworks/measurement +@load base/frameworks/sumstats -module Measurement; +module SumStats; export { redef enum Calculation += { @@ -29,7 +29,7 @@ function calc_variance(rv: ResultVal) } # Reduced priority since this depends on the average -hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal) &priority=-5 +hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) &priority=-5 { if ( VARIANCE in r$apply ) { diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index d782c4fa37..f4112efde0 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -5,6 +5,7 @@ ##! Requires that :bro:id:`use_conn_size_analyzer` is set to T! The heuristic ##! is not attempted if the connection size analyzer isn't enabled. +@load base/protocols/conn @load base/frameworks/notice @load base/utils/site @load base/utils/thresholds @@ -115,7 +116,7 @@ function check_ssh_connection(c: connection, done: bool) # Responder must have sent fewer than 40 packets. c$resp$num_pkts < 40 && # If there was a content gap we can't reliably do this heuristic. - c$conn$missed_bytes == 0)# && + c?$conn && c$conn$missed_bytes == 0)# && # Only "normal" connections can count. #c$conn?$conn_state && c$conn$conn_state in valid_states ) { diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro index 967d5eb88f..53f210b46a 100644 --- a/scripts/policy/misc/app-metrics.bro 
+++ b/scripts/policy/misc/app-metrics.bro @@ -1,8 +1,8 @@ @load base/protocols/http @load base/protocols/ssl -@load base/frameworks/measurement +@load base/frameworks/sumstats -module AppMeasurement; +module AppStats; export { redef enum Log::ID += { LOG }; 
@@ -32,60 +32,60 @@ redef record connection += { event bro_init() &priority=3 { - Log::create_stream(AppMeasurement::LOG, [$columns=Info]); + Log::create_stream(AppSumStats::LOG, [$columns=Info]); - local r1: Measurement::Reducer = [$stream="apps.bytes", $apply=set(Measurement::SUM)]; - local r2: Measurement::Reducer = [$stream="apps.hits", $apply=set(Measurement::UNIQUE)]; - Measurement::create([$epoch=break_interval, - $reducers=set(r1, r2), - $epoch_finished(data: Measurement::ResultTable) = - { - local l: Info; - l$ts = network_time(); - l$ts_delta = break_interval; - for ( key in data ) - { - local result = data[key]; - l$app = key$str; - l$bytes = double_to_count(floor(result["apps.bytes"]$sum)); - l$hits = result["apps.hits"]$num; - l$uniq_hosts = result["apps.hits"]$unique; - Log::write(LOG, l); - } - }]); + local r1: SumStats::Reducer = [$stream="apps.bytes", $apply=set(SumStats::SUM)]; + local r2: SumStats::Reducer = [$stream="apps.hits", $apply=set(SumStats::UNIQUE)]; + SumStats::create([$epoch=break_interval, + $reducers=set(r1, r2), + $epoch_finished(data: SumStats::ResultTable) = + { + local l: Info; + l$ts = network_time(); + l$ts_delta = break_interval; + for ( key in data ) + { + local result = data[key]; + l$app = key$str; + l$bytes = double_to_count(floor(result["apps.bytes"]$sum)); + l$hits = result["apps.hits"]$num; + l$uniq_hosts = result["apps.hits"]$unique; + Log::write(LOG, l); + } + }]); } -function do_measurement(id: conn_id, hostname: string, size: count) +function add_sumstats(id: conn_id, hostname: string, size: count) { if ( /\.youtube\.com$/ in hostname && size > 512*1024 ) { - Measurement::add_data("apps.bytes", [$str="youtube"], [$num=size]); - Measurement::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="youtube"], [$num=size]); + SumStats::observe("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]); } else if ( /(\.facebook\.com|\.fbcdn\.net)$/ in hostname && size > 20 ) { 
- Measurement::add_data("apps.bytes", [$str="facebook"], [$num=size]); - Measurement::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="facebook"], [$num=size]); + SumStats::observe("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]); } else if ( /\.google\.com$/ in hostname && size > 20 ) { - Measurement::add_data("apps.bytes", [$str="google"], [$num=size]); - Measurement::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="google"], [$num=size]); + SumStats::observe("apps.hits", [$str="google"], [$str=cat(id$orig_h)]); } else if ( /\.nflximg\.com$/ in hostname && size > 200*1024 ) { - Measurement::add_data("apps.bytes", [$str="netflix"], [$num=size]); - Measurement::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="netflix"], [$num=size]); + SumStats::observe("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]); } else if ( /\.(pandora|p-cdn)\.com$/ in hostname && size > 512*1024 ) { - Measurement::add_data("apps.bytes", [$str="pandora"], [$num=size]); - Measurement::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="pandora"], [$num=size]); + SumStats::observe("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]); } else if ( /\.gmail\.com$/ in hostname && size > 20 ) { - Measurement::add_data("apps.bytes", [$str="gmail"], [$num=size]); - Measurement::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); + SumStats::observe("apps.bytes", [$str="gmail"], [$num=size]); + SumStats::observe("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]); } } 
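Review bot: `Log::create_stream(AppSumStats::LOG, [$columns=Info]);` refers to a module `AppSumStats`, but the module line in the previous hunk was renamed to `AppStats`, and `Log::write(LOG, l)` later in the same callback uses the unqualified name; unless an `AppSumStats` module exists elsewhere, this will not resolve. Change it to `Log::create_stream(AppStats::LOG, [$columns=Info]);`. In add_sumstats, a one-line comment above the chain explaining that the per-application size floors (`512*1024`, `200*1024`, `20`) are heuristics for filtering out trivial responses would help readers, since the values are otherwise unexplained.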
@@ -99,11 +99,11 @@ event ssl_established(c: connection) event connection_finished(c: connection) { if ( c?$resp_hostname ) - do_measurement(c$id, c$resp_hostname, c$resp$size); + add_sumstats(c$id, c$resp_hostname, c$resp$size); } event HTTP::log_http(rec: HTTP::Info) { if( rec?$host ) - do_measurement(rec$id, rec$host, rec$response_body_len); + add_sumstats(rec$id, rec$host, rec$response_body_len); } diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index 1b9f369ca5..9ac0f5c2f9 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -2,7 +2,7 @@ ##! toward hosts that have sent low TTL packets. ##! It generates a notice when the number of ICMP Time Exceeded ##! messages for a source-destination pair exceeds threshold -@load base/frameworks/measurement +@load base/frameworks/sumstats @load base/frameworks/signatures @load-sigs ./detect-low-ttls.sig 
@@ -53,41 +53,41 @@ event bro_init() &priority=5 { Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]); - local r1: Measurement::Reducer = [$stream="traceroute.time_exceeded", $apply=set(Measurement::UNIQUE)]; - local r2: Measurement::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(Measurement::SUM)]; - Measurement::create([$epoch=icmp_time_exceeded_interval, - $reducers=set(r1, r2), - $threshold_val(key: Measurement::Key, result: Measurement::Result) = - { - # Give a threshold value of zero depending on if the host - # sends a low ttl packet. - if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 ) - return 0; - else - return result["traceroute.time_exceeded"]$unique; - }, - $threshold=icmp_time_exceeded_threshold, - $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = - { - local parts = split1(key$str, /-/); - local src = to_addr(parts[1]); - local dst = to_addr(parts[2]); - Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); - NOTICE([$note=Traceroute::Detected, - $msg=fmt("%s seems to be running traceroute", src), - $src=src, $dst=dst, - $identifier=cat(src)]); - }]); + local r1: SumStats::Reducer = [$stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE)]; + local r2: SumStats::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM)]; + SumStats::create([$epoch=icmp_time_exceeded_interval, + $reducers=set(r1, r2), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + # Give a threshold value of zero depending on if the host + # sends a low ttl packet. 
+ if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 ) + return 0; + else + return result["traceroute.time_exceeded"]$unique; + }, + $threshold=icmp_time_exceeded_threshold, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local parts = split1(key$str, /-/); + local src = to_addr(parts[1]); + local dst = to_addr(parts[2]); + Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); + NOTICE([$note=Traceroute::Detected, + $msg=fmt("%s seems to be running traceroute", src), + $src=src, $dst=dst, + $identifier=cat(src)]); + }]); } # Low TTL packets are detected with a signature. event signature_match(state: signature_state, msg: string, data: string) { if ( state$sig_id == /traceroute-detector.*/ ) - Measurement::add_data("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h)], [$num=1]); + SumStats::observe("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h)], [$num=1]); } event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) { - Measurement::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]); + SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]); } diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 2ea1e9c0fe..9a95cf9917 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -5,7 +5,7 @@ ##! All the authors of the old scan.bro @load base/frameworks/notice -@load base/frameworks/measurement +@load base/frameworks/sumstats @load base/utils/time 
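Review bot: `$threshold_val` here returns `result["traceroute.time_exceeded"]$unique` directly as the `count` result, while the two `$threshold_val` callbacks in scan.bro in this same patch wrap the same plugin field as `double_to_count(result["scan.addr.fail"]$unique)`. Both cannot be type-correct for a single declaration of `$unique`; whichever is right, the other site should be changed to match so the callbacks agree on the field's type. The `$threshold_crossed` callback also reconstructs addresses by splitting the key on `-`, so a short comment such as `# key$str is "orig_h-resp_h", as built by the observe calls below.` would make the coupling explicit. The `event bro_init()` signature sits just outside this hunk.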
@@ -52,7 +52,7 @@ export {
 }
-#function check_addr_scan_threshold(key: Measurement::Key, val: Measurement::Result): bool
+#function check_addr_scan_threshold(key: SumStats::Key, val: SumStats::Result): bool
 # {
 # # We don't need to do this if no custom thresholds are defined.
 # if ( |addr_scan_custom_thresholds| == 0 )
@@ -65,54 +65,54 @@ export {
 event bro_init() &priority=5
 {
- local r1: Measurement::Reducer = [$stream="scan.addr.fail", $apply=set(Measurement::UNIQUE)];
- Measurement::create([$epoch=addr_scan_interval,
- $reducers=set(r1),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["scan.addr.fail"]$unique);
- },
- #$threshold_func=check_addr_scan_threshold,
- $threshold=addr_scan_threshold,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["scan.addr.fail"];
- local side = Site::is_local_addr(key$host) ? "local" : "remote";
- local dur = duration_to_mins_secs(r$end-r$begin);
- local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
- NOTICE([$note=Address_Scan,
- $src=key$host,
- $p=to_port(key$str),
- $sub=side,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
+ local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE)];
+ SumStats::create([$epoch=addr_scan_interval,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["scan.addr.fail"]$unique);
+ },
+ #$threshold_func=check_addr_scan_threshold,
+ $threshold=addr_scan_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["scan.addr.fail"];
+ local side = Site::is_local_addr(key$host) ? "local" : "remote";
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
+ NOTICE([$note=Address_Scan,
+ $src=key$host,
+ $p=to_port(key$str),
+ $sub=side,
+ $msg=message,
+ $identifier=cat(key$host)]);
+ }]);
 # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port);
- local r2: Measurement::Reducer = [$stream="scan.port.fail", $apply=set(Measurement::UNIQUE)];
- Measurement::create([$epoch=port_scan_interval,
- $reducers=set(r2),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["scan.port.fail"]$unique);
- },
- $threshold=port_scan_threshold,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["scan.port.fail"];
- local side = Site::is_local_addr(key$host) ? "local" : "remote";
- local dur = duration_to_mins_secs(r$end-r$begin);
- local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur);
- NOTICE([$note=Port_Scan,
- $src=key$host,
- $dst=to_addr(key$str),
- $sub=side,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
+ local r2: SumStats::Reducer = [$stream="scan.port.fail", $apply=set(SumStats::UNIQUE)];
+ SumStats::create([$epoch=port_scan_interval,
+ $reducers=set(r2),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["scan.port.fail"]$unique);
+ },
+ $threshold=port_scan_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["scan.port.fail"];
+ local side = Site::is_local_addr(key$host) ? "local" : "remote";
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur);
+ NOTICE([$note=Port_Scan,
+ $src=key$host,
+ $dst=to_addr(key$str),
+ $sub=side,
+ $msg=message,
+ $identifier=cat(key$host)]);
+ }]);
 }
-function add_metrics(id: conn_id, reverse: bool)
+function add_sumstats(id: conn_id, reverse: bool)
 {
 local scanner = id$orig_h;
 local victim = id$resp_h;
@@ -150,10 +150,10 @@ function add_metrics(id: conn_id, reverse: bool)
 # return F;
 if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
- Measurement::add_data("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
+ SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
 if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) )
- Measurement::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
+ SumStats::observe("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
 }
 function is_failed_conn(c: connection): bool
@@ -193,7 +193,7 @@ event connection_attempt(c: connection)
 if ( "H" in c$history )
 is_reverse_scan = T;
- add_metrics(c$id, is_reverse_scan);
+ add_sumstats(c$id, is_reverse_scan);
 }
 ## Generated for a rejected TCP connection. This event
@@ -206,7 +206,7 @@ event connection_rejected(c: connection)
 if ( "s" in c$history )
 is_reverse_scan = T;
- add_metrics(c$id, is_reverse_scan);
+ add_sumstats(c$id, is_reverse_scan);
 }
 ## Generated when an endpoint aborted a TCP connection.
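Review bot: Both `$threshold_val` bodies wrap `$unique` in `double_to_count()`, yet the traceroute script in this same diff returns `result[...]$unique` directly as the threshold value and the framework tests print it with `%d`, which suggests `$unique` is already a `count`; if so the conversion is at best a redundant coercion and `return result["scan.addr.fail"]$unique;` (and likewise for `scan.port.fail`) would match the other callers. Separately, both notices use `$identifier=cat(key$host)` although the port-scan key is `[$host=scanner, $str=victim]`, so every victim of one scanner collapses into a single suppression identity and only the first Port_Scan per scanner is raised; if one notice per scanner/victim pair is intended, `$identifier=cat(key$host, key$str)` would keep them distinct. The `bro_init` handler is covered in full; `add_sumstats` and the later handlers are cut by the hunk boundaries.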
@@ -215,16 +215,16 @@ event connection_rejected(c: connection)
 event connection_reset(c: connection)
 {
 if ( is_failed_conn(c) )
- add_metrics(c$id, F);
+ add_sumstats(c$id, F);
 else if ( is_reverse_failed_conn(c) )
- add_metrics(c$id, T);
+ add_sumstats(c$id, T);
 }
 ## Generated for each still-open connection when Bro terminates.
 event connection_pending(c: connection)
 {
 if ( is_failed_conn(c) )
- add_metrics(c$id, F);
+ add_sumstats(c$id, F);
 else if ( is_reverse_failed_conn(c) )
- add_metrics(c$id, T);
+ add_sumstats(c$id, T);
 }
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
index bcf7a59d06..e6c44ddb64 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@@ -1,6 +1,6 @@
 @load base/protocols/ftp
-@load base/frameworks/measurement
+@load base/frameworks/sumstats
 @load base/utils/time
@@ -25,25 +25,25 @@ export {
 event bro_init()
 {
- local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
- Measurement::create([$epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return result["ftp.failed_auth"]$num;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
+ local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE)];
+ SumStats::create([$epoch=bruteforce_measurement_interval,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return result["ftp.failed_auth"]$num;
+ },
+ $threshold=bruteforce_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["ftp.failed_auth"];
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local plural = r$unique>1 ? "s" : "";
+ local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
+ NOTICE([$note=FTP::Bruteforcing,
+ $src=key$host,
+ $msg=message,
+ $identifier=cat(key$host)]);
+ }]);
 }
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@@ -52,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 if ( cmd == "USER" || cmd == "PASS" )
 {
 if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
+ SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 }
 }
\ No newline at end of file
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index f5e15c5505..daec0b0fb0 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -1,7 +1,7 @@
 ##! SQL injection attack detection in HTTP.
 @load base/frameworks/notice
-@load base/frameworks/measurement
+@load base/frameworks/sumstats
 @load base/protocols/http
 module HTTP;
@@ -50,7 +50,7 @@ export {
 | /\/\*![[:digit:]]{5}.*?\*\// &redef;
 }
-function format_sqli_samples(samples: vector of Measurement::DataPoint): string
+function format_sqli_samples(samples: vector of SumStats::Observation): string
 {
 local ret = "SQL Injection samples\n---------------------";
 for ( i in samples )
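Review bot: The observation is recorded for every reply whose first digit is 5, with no check on `cont_resp`, so if `ftp_reply` is raised once per line of a multi-line reply (the parameter's presence suggests it is) a single multi-line 530 would be counted once per line and inflate the per-client failure count toward `bruteforce_threshold`. It also counts any 5xx to USER/PASS, including 500/501 syntax errors, as a failed login, which may be intended but is worth a comment. I would tighten the condition to `if ( ! cont_resp && FTP::parse_ftp_reply_code(code)$x == 5 )`. The enclosing `ftp_reply` handler and the definition of `cmd` start outside the hunk.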
@@ -63,41 +63,41 @@ event bro_init() &priority=3
 # Add filters to the metrics so that the metrics framework knows how to
 # determine when it looks like an actual attack and how to respond when
 # thresholds are crossed.
- local r1: Measurement::Reducer = [$stream="http.sqli.attacker", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples];
- Measurement::create([$epoch=sqli_requests_interval,
- $reducers=set(r1),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["http.sqli.attacker"]$sum);
- },
- $threshold=sqli_requests_threshold,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["http.sqli.attacker"];
- NOTICE([$note=SQL_Injection_Attacker,
- $msg="An SQL injection attacker was discovered!",
- $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
- $src=key$host,
- $identifier=cat(key$host)]);
- }]);
+ local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples];
+ SumStats::create([$epoch=sqli_requests_interval,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["http.sqli.attacker"]$sum);
+ },
+ $threshold=sqli_requests_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["http.sqli.attacker"];
+ NOTICE([$note=SQL_Injection_Attacker,
+ $msg="An SQL injection attacker was discovered!",
+ $email_body_sections=vector(format_sqli_samples(SumStats::get_samples(r))),
+ $src=key$host,
+ $identifier=cat(key$host)]);
+ }]);
- local r2: Measurement::Reducer = [$stream="http.sqli.victim", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples];
- Measurement::create([$epoch=sqli_requests_interval,
- $reducers=set(r2),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["http.sqli.victim"]$sum);
- },
- $threshold=sqli_requests_threshold,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["http.sqli.victim"];
- NOTICE([$note=SQL_Injection_Victim,
- $msg="An SQL injection victim was discovered!",
- $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
- $src=key$host,
- $identifier=cat(key$host)]);
- }]);
+ local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples];
+ SumStats::create([$epoch=sqli_requests_interval,
+ $reducers=set(r2),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["http.sqli.victim"]$sum);
+ },
+ $threshold=sqli_requests_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["http.sqli.victim"];
+ NOTICE([$note=SQL_Injection_Victim,
+ $msg="An SQL injection victim was discovered!",
+ $email_body_sections=vector(format_sqli_samples(SumStats::get_samples(r))),
+ $src=key$host,
+ $identifier=cat(key$host)]);
+ }]);
 }
 event http_request(c: connection, method: string, original_URI: string,
@@ -107,7 +107,7 @@ event http_request(c: connection, method: string, original_URI: string,
 {
 add c$http$tags[URI_SQLI];
- Measurement::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
- Measurement::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
+ SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
+ SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
 }
 }
diff --git a/scripts/policy/protocols/smtp/metrics.bro b/scripts/policy/protocols/smtp/metrics.bro
index 19a3220805..04e1185e25 100644
--- a/scripts/policy/protocols/smtp/metrics.bro
+++ b/scripts/policy/protocols/smtp/metrics.bro
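Review bot: The SQL_Injection_Victim notice sets `$src=key$host`, but for the `http.sqli.victim` stream `key$host` is `c$id$resp_h` (see the observe call in the `-107` hunk), so the victim's address is reported as the notice source; `Notice::Info` has a `$dst` field (scan.bro's Port_Scan uses `$dst=to_addr(key$str)`), so `$dst=key$host` would be the accurate field unless downstream consumers deliberately key on `$src` for both notices. Separately, `$email_body_sections` is built from the sampled `original_URI` strings, which are attacker-controlled and are placed verbatim into an outgoing e-mail; `format_sqli_samples` is outside this hunk, so I cannot see whether it strips control characters or bounds the sample length, and that is worth confirming. The `bro_init` handler is covered in full; `http_request` is cut by the hunk boundary.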
@@ -18,12 +18,12 @@ event bro_init() &priority=5
 {
 Metrics::add_filter("smtp.mailfrom", [$every=breaks, $measure=set(Metrics::SUM),
- $pred(index: Metrics::Index, data: Metrics::DataPoint) = {
+ $pred(index: Metrics::Index, data: Metrics::Observation) = {
 return addr_matches_host(index$host, LOCAL_HOSTS);
 }]);
 Metrics::add_filter("smtp.messages", [$every=breaks, $measure=set(Metrics::SUM),
- $pred(index: Metrics::Index, data: Metrics::DataPoint) = {
+ $pred(index: Metrics::Index, data: Metrics::Observation) = {
 return addr_matches_host(index$host, LOCAL_HOSTS);
 }]);
 }
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
index cf2d4030fd..82c0bb0f08 100644
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@@ -2,7 +2,7 @@
 ##! bruteforcing over SSH.
 @load base/protocols/ssh
-@load base/frameworks/measurement
+@load base/frameworks/sumstats
 @load base/frameworks/notice
 @load base/frameworks/intel
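Review bot: This script is only half-ported: the hunk renames the `$pred` parameter type to `Metrics::Observation` but leaves `Metrics::add_filter`, `Metrics::Index` and `Metrics::SUM` in place, while every other policy script in this diff moves to `SumStats::Reducer`/`SumStats::create`/`SumStats::observe` and `@load base/frameworks/sumstats`. I cannot see from here whether a `Metrics` module still exists alongside `SumStats`; if it does not, `smtp/metrics.bro` will fail to load and `Metrics::Observation` is a type that nothing defines. Either port the two filters to a `SumStats::Reducer` with `$apply=set(SumStats::SUM)` and an equivalent observe-side predicate, or add a comment stating that the legacy `Metrics` API is intentionally retained here. The `bro_init` handler is covered in full.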
@@ -42,27 +42,27 @@ export {
 event bro_init()
 {
- local r1: Measurement::Reducer = [$stream="ssh.login.failure", $apply=set(Measurement::SUM)];
- Measurement::create([$epoch=guessing_timeout,
- $reducers=set(r1),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["ssh.login.failure"]$sum);
- },
- $threshold=password_guesses_limit,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["ssh.login.failure"];
- # Generate the notice.
- NOTICE([$note=Password_Guessing,
- $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
- $src=key$host,
- $identifier=cat(key$host)]);
- # Insert the guesser into the intel framework.
- Intel::insert([$host=key$host,
- $meta=[$source="local",
- $desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
- }]);
+ local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM)];
+ SumStats::create([$epoch=guessing_timeout,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["ssh.login.failure"]$sum);
+ },
+ $threshold=password_guesses_limit,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["ssh.login.failure"];
+ # Generate the notice.
+ NOTICE([$note=Password_Guessing,
+ $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
+ $src=key$host,
+ $identifier=cat(key$host)]);
+ # Insert the guesser into the intel framework.
+ Intel::insert([$host=key$host,
+ $meta=[$source="local",
+ $desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
+ }]);
 }
 event SSH::heuristic_successful_login(c: connection)
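Review bot: `$threshold_val` thresholds on `double_to_count(result["ssh.login.failure"]$sum)` while both the notice text and the intel description report `r$num`; the two coincide today only because every observation is `[$num=1]` (visible in this file's `-82` hunk), so if the observed value ever carries a weight the alert will fire on one number and print another. Thresholding and reporting should use the same field: `return result["ssh.login.failure"]$num;` would let the reducer drop `SumStats::SUM` entirely, or keep SUM and report `r$sum` in both `fmt` calls. A short comment above `$threshold_val` stating which quantity `password_guesses_limit` is compared against would also help. The `bro_init` handler is covered in full.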
@@ -82,5 +82,5 @@ event SSH::heuristic_failed_login(c: connection)
 # be ignored.
 if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) )
- Measurement::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]);
+ SumStats::observe("ssh.login.failure", [$host=id$orig_h], [$num=1]);
 }
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic-cluster/manager-1..stdout
similarity index 100%
rename from testing/btest/Baseline/scripts.base.frameworks.measurement.basic-cluster/manager-1..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.sumstats.basic-cluster/manager-1..stdout
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/.stdout
similarity index 100%
rename from testing/btest/Baseline/scripts.base.frameworks.measurement.basic/.stdout
rename to testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/.stdout
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
similarity index 100%
rename from testing/btest/Baseline/scripts.base.frameworks.measurement.cluster-intermediate-update/manager-1..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout
similarity index 100%
rename from testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
rename to testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout
diff --git a/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro b/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro
deleted file mode 100644
index e2f5e4e7d5..0000000000
--- a/testing/btest/scripts/base/frameworks/measurement/basic-cluster.bro
+++ /dev/null
@@ -1,83 +0,0 @@
-# @TEST-SERIALIZE: comm
-#
-# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
-# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
-# @TEST-EXEC: btest-bg-wait 15
-
-# @TEST-EXEC: btest-diff manager-1/.stdout
-
-@TEST-START-FILE cluster-layout.bro
-redef Cluster::nodes = {
- ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
- ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
- ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"],
-};
-@TEST-END-FILE
-
-redef Log::default_rotation_interval = 0secs;
-
-global n = 0;
-
-event bro_init() &priority=5
- {
- local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM, Measurement::MIN, Measurement::MAX, Measurement::AVERAGE, Measurement::STD_DEV, Measurement::VARIANCE, Measurement::UNIQUE)];
- Measurement::create([$epoch=5secs,
- $reducers=set(r1),
- $epoch_finished(rt: Measurement::ResultTable) =
- {
- for ( key in rt )
- {
- local r = rt[key]["test.metric"];
- print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
- }
-
- terminate();
- }
- ]);
- }
-
-event remote_connection_closed(p: event_peer)
- {
- terminate();
- }
-
-global ready_for_data: event();
-redef Cluster::manager2worker_events += /^ready_for_data$/;
-
-event ready_for_data()
- {
- if ( Cluster::node == "worker-1" )
- {
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=34]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=30]);
- Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=1]);
- Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=54]);
- }
- if ( Cluster::node == "worker-2" )
- {
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=75]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=30]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=57]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=52]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=61]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=95]);
- Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=5]);
- Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=91]);
- Measurement::add_data("test.metric", [$host=10.10.10.10], [$num=5]);
- }
- }
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-event remote_connection_handshake_done(p: event_peer) &priority=-5
- {
- ++peer_count;
- if ( peer_count == 2 )
- event ready_for_data();
- }
-
-@endif
diff --git a/testing/btest/scripts/base/frameworks/measurement/basic.bro b/testing/btest/scripts/base/frameworks/measurement/basic.bro
deleted file mode 100644
index e9dd21e0ef..0000000000
--- a/testing/btest/scripts/base/frameworks/measurement/basic.bro
+++ /dev/null
@@ -1,34 +0,0 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
-event bro_init() &priority=5
- {
- local r1: Measurement::Reducer = [$stream="test.metric",
- $apply=set(Measurement::SUM,
- Measurement::VARIANCE,
- Measurement::AVERAGE,
- Measurement::MAX,
- Measurement::MIN,
- Measurement::STD_DEV,
- Measurement::UNIQUE)];
- Measurement::create([$epoch=3secs,
- $reducers=set(r1),
- $epoch_finished(data: Measurement::ResultTable) =
- {
- for ( key in data )
- {
- local r = data[key]["test.metric"];
- print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique);
- }
- }
- ]);
-
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=5]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=22]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=94]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=50]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=50]);
-
- Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=2]);
- Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1]);
- }
diff --git a/testing/btest/scripts/base/frameworks/measurement/thresholding.bro b/testing/btest/scripts/base/frameworks/measurement/thresholding.bro
deleted file mode 100644
index d25350930e..0000000000
--- a/testing/btest/scripts/base/frameworks/measurement/thresholding.bro
+++ /dev/null
@@ -1,73 +0,0 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
-redef enum Notice::Type += {
- Test_Notice,
-};
-
-event bro_init() &priority=5
- {
- local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)];
- Measurement::create([$epoch=3secs,
- $reducers=set(r1),
- #$threshold_val = Measurement::sum_threshold("test.metric"),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["test.metric"]$sum);
- },
- $threshold=5,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["test.metric"];
- print fmt("THRESHOLD: hit a threshold value at %.0f for %s", r$sum, Measurement::key2str(key));
- }
- ]);
-
- local r2: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)];
- Measurement::create([$epoch=3secs,
- $reducers=set(r2),
- #$threshold_val = Measurement::sum_threshold("test.metric"),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["test.metric"]$sum);
- },
- $threshold_series=vector(3,6,800),
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local r = result["test.metric"];
- print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", r$sum, Measurement::key2str(key));
- }
- ]);
-
- local r3: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)];
- local r4: Measurement::Reducer = [$stream="test.metric2", $apply=set(Measurement::SUM)];
- Measurement::create([$epoch=3secs,
- $reducers=set(r3, r4),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- # Calculate a ratio between sums of two reducers.
- if ( "test.metric2" in result && "test.metric" in result &&
- result["test.metric"]$sum > 0 )
- return double_to_count(result["test.metric2"]$sum / result["test.metric"]$sum);
- else
- return 0;
- },
- # Looking for metric2 sum to be 5 times the sum of metric
- $threshold=5,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- local thold = result["test.metric2"]$sum / result["test.metric"]$sum;
- print fmt("THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at %.0fx for %s", thold, Measurement::key2str(key));
- }
- ]);
-
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]);
- Measurement::add_data("test.metric", [$host=6.5.4.3], [$num=2]);
- Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1]);
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=3]);
- Measurement::add_data("test.metric", [$host=7.2.1.5], [$num=1000]);
- Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=10]);
- Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=1000]);
- Measurement::add_data("test.metric2", [$host=7.2.1.5], [$num=54321]);
-
- }
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
new file mode 100644
index 0000000000..9d4653d77e
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
@@ -0,0 +1,82 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait 15
+
+# @TEST-EXEC: btest-diff manager-1/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+ ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+ ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
+ ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+global n = 0;
+
+event bro_init() &priority=5
+ {
+ local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)];
+ SumStats::create([$epoch=5secs,
+ $reducers=set(r1),
+ $epoch_finished(rt: SumStats::ResultTable) =
+ {
+ for ( key in rt )
+ {
+ local r = rt[key]["test.metric"];
+ print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
+ }
+
+ terminate();
+ }]);
+ }
+
+event remote_connection_closed(p: event_peer)
+ {
+ terminate();
+ }
+
+global ready_for_data: event();
+redef Cluster::manager2worker_events += /^ready_for_data$/;
+
+event ready_for_data()
+ {
+ if ( Cluster::node == "worker-1" )
+ {
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=34]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=30]);
+ SumStats::observe("test.metric", [$host=6.5.4.3], [$num=1]);
+ SumStats::observe("test.metric", [$host=7.2.1.5], [$num=54]);
+ }
+ if ( Cluster::node == "worker-2" )
+ {
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=75]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=30]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=3]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=57]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=52]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=61]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=95]);
+ SumStats::observe("test.metric", [$host=6.5.4.3], [$num=5]);
+ SumStats::observe("test.metric", [$host=7.2.1.5], [$num=91]);
+ SumStats::observe("test.metric", [$host=10.10.10.10], [$num=5]);
+ }
+ }
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+
+global peer_count = 0;
+event remote_connection_handshake_done(p: event_peer) &priority=-5
+ {
+ ++peer_count;
+ if ( peer_count == 2 )
+ event ready_for_data();
+ }
+
+@endif
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
new file mode 100644
index 0000000000..0b2851bf10
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
@@ -0,0 +1,34 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init() &priority=5
+ {
+ local r1: SumStats::Reducer = [$stream="test.metric",
+ $apply=set(SumStats::SUM,
+ SumStats::VARIANCE,
+ SumStats::AVERAGE,
+ SumStats::MAX,
+ SumStats::MIN,
+ SumStats::STD_DEV,
+ SumStats::UNIQUE)];
+ SumStats::create([$epoch=3secs,
+ $reducers=set(r1),
+ $epoch_finished(data: SumStats::ResultTable) =
+ {
+ for ( key in data )
+ {
+ local r = data[key]["test.metric"];
+ print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique);
+ }
+ }
+ ]);
+
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=94]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]);
+
+ SumStats::observe("test.metric", [$host=6.5.4.3], [$num=2]);
+ SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
similarity index 59%
rename from testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro
rename to testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
index 56f44db2eb..303a0dc852 100644
--- a/testing/btest/scripts/base/frameworks/measurement/cluster-intermediate-update.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
@@ -19,20 +19,19 @@ redef Log::default_rotation_interval = 0secs;
 event bro_init() &priority=5
 {
- local r1: Measurement::Reducer = [$stream="test.metric", $apply=set(Measurement::SUM)];
- Measurement::create([$epoch=1hr,
- $reducers=set(r1),
- $threshold_val(key: Measurement::Key, result: Measurement::Result) =
- {
- return double_to_count(result["test.metric"]$sum);
- },
- $threshold=100,
- $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
- {
- print fmt("A test metric threshold was crossed with a value of: %.1f", result["test.metric"]$sum);
- terminate();
- }
- ]);
+ local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
+ SumStats::create([$epoch=1hr,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["test.metric"]$sum);
+ },
+ $threshold=100,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ print fmt("A test metric threshold was crossed with a value of: %.1f", result["test.metric"]$sum);
+ terminate();
+ }]);
 }
 event remote_connection_closed(p: event_peer)
@@ -40,12 +39,12 @@ event remote_connection_closed(p: event_peer)
 terminate();
 }
-event do_metrics(i: count)
+event do_stats(i: count)
 {
 # Worker-1 will trigger an intermediate update and then if everything
 # works correctly, the data from worker-2 will hit the threshold and
 # should trigger the notice.
- Measurement::add_data("test.metric", [$host=1.2.3.4], [$num=i]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=i]);
 }
 event remote_connection_handshake_done(p: event_peer)
@@ -53,8 +52,8 @@ event remote_connection_handshake_done(p: event_peer)
 if ( p$descr == "manager-1" )
 {
 if ( Cluster::node == "worker-1" )
- schedule 0.1sec { do_metrics(1) };
+ schedule 0.1sec { do_stats(1) };
 if ( Cluster::node == "worker-2" )
- schedule 0.5sec { do_metrics(99) };
+ schedule 0.5sec { do_stats(99) };
 }
 }
diff --git a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro b/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
new file mode 100644
index 0000000000..ddc053bd23
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
@@ -0,0 +1,73 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+redef enum Notice::Type += {
+ Test_Notice,
+};
+
+event bro_init() &priority=5
+ {
+ local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
+ SumStats::create([$epoch=3secs,
+ $reducers=set(r1),
+ #$threshold_val = SumStats::sum_threshold("test.metric"),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["test.metric"]$sum);
+ },
+ $threshold=5,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["test.metric"];
+ print fmt("THRESHOLD: hit a threshold value at %.0f for %s", r$sum, SumStats::key2str(key));
+ }
+ ]);
+
+ local r2: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
+ SumStats::create([$epoch=3secs,
+ $reducers=set(r2),
+ #$threshold_val = SumStats::sum_threshold("test.metric"),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return double_to_count(result["test.metric"]$sum);
+ },
+ $threshold_series=vector(3,6,800),
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["test.metric"];
+ print fmt("THRESHOLD_SERIES: hit a threshold series value at %.0f for %s", r$sum, SumStats::key2str(key));
+ }
+ ]);
+
+ local r3: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
+ local r4: SumStats::Reducer = [$stream="test.metric2", $apply=set(SumStats::SUM)];
+ SumStats::create([$epoch=3secs,
+ $reducers=set(r3, r4),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ # Calculate a ratio between sums of two reducers.
+ if ( "test.metric2" in result && "test.metric" in result &&
+ result["test.metric"]$sum > 0 )
+ return double_to_count(result["test.metric2"]$sum / result["test.metric"]$sum);
+ else
+ return 0;
+ },
+ # Looking for metric2 sum to be 5 times the sum of metric
+ $threshold=5,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local thold = result["test.metric2"]$sum / result["test.metric"]$sum;
+ print fmt("THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at %.0fx for %s", thold, SumStats::key2str(key));
+ }
+ ]);
+
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=3]);
+ SumStats::observe("test.metric", [$host=6.5.4.3], [$num=2]);
+ SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1]);
+ SumStats::observe("test.metric", [$host=1.2.3.4], [$num=3]);
+ SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1000]);
+ SumStats::observe("test.metric2", [$host=7.2.1.5], [$num=10]);
+ SumStats::observe("test.metric2", [$host=7.2.1.5], [$num=1000]);
+ SumStats::observe("test.metric2", [$host=7.2.1.5], [$num=54321]);
+
+ }
From 437815454d275392c91bcffd9e981e7baced0df6 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 15 Apr 2013 15:28:11 -0400
Subject: [PATCH 078/134] SumStats tests pass.
---
 scripts/base/frameworks/sumstats/cluster.bro | 56 +++++++++----------
 scripts/base/frameworks/sumstats/main.bro | 10 ++--
 .../base/frameworks/sumstats/non-cluster.bro | 20 +++----
 scripts/base/init-default.bro | 2 +-
 .../.stdout | 12 ++--
 .../frameworks/sumstats/basic-cluster.bro | 32 +++++------
 6 files changed, 66 insertions(+), 66 deletions(-)
diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index 098c047961..ee763c1d9d 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
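Review bot: In the third sumstat, `$threshold_crossed` recomputes `result["test.metric2"]$sum / result["test.metric"]$sum` without the membership and non-zero guards that `$threshold_val` applies a few lines earlier, so it only stays safe as long as the framework never invokes it except right after `$threshold_val` returned a value those guards admitted; adding `"test.metric" in result` and a positive-sum check (or reusing the ratio computed in `$threshold_val`) would make the callback correct on its own. The `redef enum Notice::Type += { Test_Notice }` at the top of the file is never referenced in the test and can be dropped. Since `double_to_count` truncates, a ratio of 4.9 does not cross `$threshold=5`; if that is intended, say so in the `# Looking for metric2 sum to be 5 times the sum of metric` comment.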
@@ -35,34 +35,34 @@ export {
 ## Event sent by the manager in a cluster to initiate the
 ## collection of metrics values for a measurement.
- global cluster_measurement_request: event(uid: string, mid: string);
+ global cluster_ss_request: event(uid: string, ssid: string);
 ## Event sent by nodes that are collecting metrics after receiving
 ## a request for the metric measurement from the manager.
- global cluster_measurement_response: event(uid: string, mid: string, data: ResultTable, done: bool);
+ global cluster_ss_response: event(uid: string, ssid: string, data: ResultTable, done: bool);
 ## This event is sent by the manager in a cluster to initiate the
 ## collection of a single key value from a measurement. It's typically
 ## used to get intermediate updates before the break interval triggers
 ## to speed detection of a value crossing a threshold.
- global cluster_key_request: event(uid: string, mid: string, key: Key);
+ global cluster_key_request: event(uid: string, ssid: string, key: Key);
 ## This event is sent by nodes in response to a
 ## :bro:id:`SumStats::cluster_key_request` event.
- global cluster_key_response: event(uid: string, mid: string, key: Key, result: Result);
+ global cluster_key_response: event(uid: string, ssid: string, key: Key, result: Result);
 ## This is sent by workers to indicate that they crossed the percent of the
 ## current threshold by the percentage defined globally in
 ## :bro:id:`SumStats::cluster_request_global_view_percent`
- global cluster_key_intermediate_response: event(mid: string, key: SumStats::Key);
+ global cluster_key_intermediate_response: event(ssid: string, key: SumStats::Key);
 ## This event is scheduled internally on workers to send result chunks.
- global send_data: event(uid: string, mid: string, data: ResultTable);
+ global send_data: event(uid: string, ssid: string, data: ResultTable);
 }
 # Add events to the cluster framework to make this work.
-redef Cluster::manager2worker_events += /SumStats::cluster_(measurement_request|key_request)/;
-redef Cluster::worker2manager_events += /SumStats::cluster_(measurement_response|key_response|key_intermediate_response)/;
+redef Cluster::manager2worker_events += /SumStats::cluster_(ss_request|key_request)/;
+redef Cluster::worker2manager_events += /SumStats::cluster_(ss_response|key_response|key_intermediate_response)/;
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
 # This variable is maintained to know what keys have recently sent as
@@ -99,7 +99,7 @@ function data_added(ss: SumStat, key: Key, result: Result)
 }
 }
-event SumStats::send_data(uid: string, mid: string, data: ResultTable)
+event SumStats::send_data(uid: string, ssid: string, data: ResultTable)
 {
 #print fmt("WORKER %s: sending data for uid %s...", Cluster::node, uid);
@@ -121,39 +121,39 @@ event SumStats::send_data(uid: string, mid: string, data: ResultTable)
 if ( |data| == 0 )
 done = T;
- event SumStats::cluster_measurement_response(uid, mid, local_data, done);
+ event SumStats::cluster_ss_response(uid, ssid, local_data, done);
 if ( ! done )
- schedule 0.01 sec { SumStats::send_data(uid, mid, data) };
+ schedule 0.01 sec { SumStats::send_data(uid, ssid, data) };
 }
-event SumStats::cluster_measurement_request(uid: string, mid: string)
+event SumStats::cluster_ss_request(uid: string, ssid: string)
 {
- #print fmt("WORKER %s: received the cluster_measurement_request event for %s.", Cluster::node, id);
+ #print fmt("WORKER %s: received the cluster_ss_request event for %s.", Cluster::node, id);
 # Initiate sending all of the data for the requested measurement.
- if ( mid in result_store )
- event SumStats::send_data(uid, mid, result_store[mid]);
+ if ( ssid in result_store )
+ event SumStats::send_data(uid, ssid, result_store[ssid]);
 else
- event SumStats::send_data(uid, mid, table());
+ event SumStats::send_data(uid, ssid, table());
 # Lookup the actual measurement and reset it, the reference to the data
 # currently stored will be maintained internally by the send_data event.
- if ( mid in stats_store )
- reset(stats_store[mid]);
+ if ( ssid in stats_store )
+ reset(stats_store[ssid]);
 }
-event SumStats::cluster_key_request(uid: string, mid: string, key: Key)
+event SumStats::cluster_key_request(uid: string, ssid: string, key: Key)
 {
- if ( mid in result_store && key in result_store[mid] )
+ if ( ssid in result_store && key in result_store[ssid] )
 {
 #print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data);
- event SumStats::cluster_key_response(uid, mid, key, result_store[mid][key]);
+ event SumStats::cluster_key_response(uid, ssid, key, result_store[ssid][key]);
 }
 else
 {
 # We need to send an empty response if we don't have the data so that the manager
 # can know that it heard back from all of the workers.
- event SumStats::cluster_key_response(uid, mid, key, table());
+ event SumStats::cluster_key_response(uid, ssid, key, table());
 }
 }
@@ -195,16 +195,16 @@ event SumStats::finish_epoch(ss: SumStat)
 #print fmt("%.6f MANAGER: breaking %s measurement for %s metric", network_time(), measurement$name, measurement$id);
 local uid = unique_id("");
- if ( uid in measurement_results )
- delete measurement_results[uid];
+ if ( uid in stats_results )
+ delete stats_results[uid];
 stats_results[uid] = table();
 # Request data from peers.
- event SumStats::cluster_measurement_request(uid, ss$id);
+ event SumStats::cluster_ss_request(uid, ss$id);
 }
 # Schedule the next finish_epoch event.
- schedule m$epoch { SumStats::finish_epoch(m) };
+ schedule ss$epoch { SumStats::finish_epoch(ss) };
 }
 # This is unlikely to be called often, but it's here in case there are measurements
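Review bot: The disabled debug line `#print fmt("WORKER %s: received the cluster_ss_request event for %s.", Cluster::node, id);` in the `@@ -121,39 +121,39 @@` hunk was updated for the event name but still passes `id`, which no longer exists now that the parameter is `ssid`; the same stale reference survives as context in the next commit's `@@ -130,13 +130,13 @@` hunk of the same file. Change it to `Cluster::node, ssid` (or remove the dead print) so it does not fail to compile the moment someone re-enables it. The `#print` in `finish_epoch` in the `@@ -195,16 +195,16 @@` hunk has the same problem with `measurement$name, measurement$id`, though that one is fixed in the following commit.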
@@ -252,7 +252,7 @@ event SumStats::cluster_key_intermediate_response(ssid: string, key: Key)
 #print fmt("MANAGER: requesting key data for %s", key2str(key));
 if ( ssid in outstanding_global_views &&
- |outstanding_global_views[mid]| > max_outstanding_global_views )
+ |outstanding_global_views[ssid]| > max_outstanding_global_views )
 {
 # Don't do this intermediate update. Perhaps at some point in the future
 # we will queue and randomly select from these ignored intermediate
@@ -266,7 +266,7 @@ event SumStats::cluster_key_intermediate_response(ssid: string, key: Key)
 event SumStats::cluster_key_request(uid, ssid, key);
 }
-event SumStats::cluster_measurement_response(uid: string, ssid: string, data: ResultTable, done: bool)
+event SumStats::cluster_ss_response(uid: string, ssid: string, data: ResultTable, done: bool)
 {
 #print fmt("MANAGER: receiving results from %s", get_event_peer()$descr);
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
index a5c41ba1f3..643502efb4 100644
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@@ -120,7 +120,7 @@ export {
 };
 ## Create a summary statistic.
- global create: function(m: SumStats::SumStat);
+ global create: function(ss: SumStats::SumStat);
 ## Add data into an observation stream. This should be
 ## called when a script has measured some point value.
@@ -158,13 +158,13 @@ type Thresholding: record {
 # Internal use only. For tracking thresholds per sumstat and key.
 global threshold_tracker: table[string] of table[Key] of Thresholding &optional;
-redef record SumStats += {
+redef record SumStat += {
 # Internal use only (mostly for cluster coherency).
 id: string &optional;
 };
 # Store of sumstats indexed on the sumstat id.
-global stats_store: table[string] of SumStats = table();
+global stats_store: table[string] of SumStat = table();
 # Store of reducers indexed on the data point stream id.
 global reducer_store: table[string] of set[Reducer] = table();
@@ -179,7 +179,7 @@ global thresholds_store: table[string, Key] of bool = table();
 # key values are updated and the new val is given as the `val` argument.
 # It's only prototyped here because cluster and non-cluster have separate
 # implementations.
-global data_added: function(m: SumStats, key: Key, result: Result);
+global data_added: function(ss: SumStat, key: Key, result: Result);
 # Prototype the hook point for plugins to do calculations.
 global add_to_reducer_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
@@ -190,7 +190,7 @@ global compose_resultvals_hook: hook(result: ResultVal, rv1: ResultVal, rv2: Res
 # Event that is used to "finish" measurements and adapt the measurement
 # framework for clustered or non-clustered usage.
-global finish_epoch: event(m: SumStats);
+global finish_epoch: event(ss: SumStat);
 function key2str(key: Key): string
 {
diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro
index 6163548ec6..21386a246e 100644
--- a/scripts/base/frameworks/sumstats/non-cluster.bro
+++ b/scripts/base/frameworks/sumstats/non-cluster.bro
@@ -2,23 +2,23 @@ module SumStats;
-event SumStats::finish_epoch(m: SumStats)
+event SumStats::finish_epoch(ss: SumStat)
 {
- if ( m$id in result_store )
+ if ( ss$id in result_store )
 {
- local data = result_store[m$id];
- if ( m?$epoch_finished )
- m$epoch_finished(data);
+ local data = result_store[ss$id];
+ if ( ss?$epoch_finished )
+ ss$epoch_finished(data);
- reset(m);
+ reset(ss);
 }
- schedule m$epoch { SumStats::finish_epoch(m) };
+ schedule ss$epoch { SumStats::finish_epoch(ss) };
 }
-function data_added(m: SumStats, key: Key, result: Result)
+function data_added(ss: SumStat, key: Key, result: Result)
 {
- if ( check_thresholds(m, key, result, 1.0) )
- threshold_crossed(m, key, result);
+ if ( check_thresholds(ss, key, result, 1.0) )
+ threshold_crossed(ss, key, result);
 }
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index bb64accaea..829a1b9982 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -29,9 +29,9 @@
 @load base/frameworks/communication
 @load base/frameworks/control
 @load base/frameworks/cluster
-@load base/frameworks/measurement
 @load base/frameworks/intel
 @load base/frameworks/reporter
+@load base/frameworks/sumstats
 @load base/frameworks/tunnels
 @load base/protocols/conn
diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout
index ac8785d182..132a1114fc 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.thresholding/.stdout
@@ -1,6 +1,6 @@
-THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4)
-THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
-THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5)
-THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
-THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5)
+THRESHOLD_SERIES: hit a threshold series value at 3 for sumstats_key(host=1.2.3.4)
+THRESHOLD_SERIES: hit a threshold series value at 6 for sumstats_key(host=1.2.3.4)
+THRESHOLD: hit a threshold value at 6 for sumstats_key(host=1.2.3.4)
+THRESHOLD_SERIES: hit a threshold series value at 1001 for sumstats_key(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 1001 for sumstats_key(host=7.2.1.5)
+THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for sumstats_key(host=7.2.1.5)
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
index 9d4653d77e..1b7903ca1a 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
@@ -22,14 +22,14 @@ global n = 0;
 event bro_init() &priority=5
 {
- local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)];
+ local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)];
 SumStats::create([$epoch=5secs,
 $reducers=set(r1),
 $epoch_finished(rt: SumStats::ResultTable) =
 {
 for ( key in rt )
 {
- local r = rt[key]["test.metric"];
+ local r = rt[key]["test"];
 print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
 }
@@ -49,23 +49,23 @@ event ready_for_data()
 {
 if ( Cluster::node == "worker-1" )
 {
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=34]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=30]);
- SumStats::observe("test.metric", [$host=6.5.4.3], [$num=1]);
- SumStats::observe("test.metric", [$host=7.2.1.5], [$num=54]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=34]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=30]);
+ SumStats::observe("test", [$host=6.5.4.3], [$num=1]);
+ SumStats::observe("test", [$host=7.2.1.5], [$num=54]);
 }
 if ( Cluster::node == "worker-2" )
 {
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=75]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=30]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=3]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=57]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=52]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=61]);
- SumStats::observe("test.metric", [$host=1.2.3.4], [$num=95]);
- SumStats::observe("test.metric", [$host=6.5.4.3], [$num=5]);
- SumStats::observe("test.metric", [$host=7.2.1.5], [$num=91]);
- SumStats::observe("test.metric", [$host=10.10.10.10], [$num=5]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=75]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=30]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=3]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=57]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=52]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=61]);
+ SumStats::observe("test", [$host=1.2.3.4], [$num=95]);
+ SumStats::observe("test", [$host=6.5.4.3], [$num=5]);
+ SumStats::observe("test", [$host=7.2.1.5], [$num=91]);
+ SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
 }
 }
From 1cac89e4f8bd0efe9e5ed9c4dbb4070448a74d47 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 16 Apr 2013 00:54:41 -0400
Subject: [PATCH 079/134] SumStats test checkpoint.
---
 DocSourcesList.cmake | 24 ++++++------
 scripts/base/frameworks/sumstats/cluster.bro | 24 ++++++------
 .../frameworks/sumstats/plugins/average.bro | 2 +-
 .../base/frameworks/sumstats/plugins/max.bro | 2 +-
 .../base/frameworks/sumstats/plugins/min.bro | 2 +-
 .../frameworks/sumstats/plugins/sample.bro | 4 +-
 .../frameworks/sumstats/plugins/std-dev.bro | 7 +---
 .../base/frameworks/sumstats/plugins/sum.bro | 2 +-
 .../frameworks/sumstats/plugins/unique.bro | 4 +-
 .../frameworks/sumstats/plugins/variance.bro | 2 +-
 scripts/policy/misc/app-metrics.bro | 2 +-
 scripts/policy/protocols/conn/metrics.bro | 24 ------------
 scripts/policy/protocols/smtp/metrics.bro | 37 -------------------
 scripts/test-all-policy.bro | 5 +++
 .../canonified_loaded_scripts.log | 28 +++++++-------
 .../coverage.init-default/missing_loads | 2 +-
 16 files changed, 55 insertions(+), 116 deletions(-)
 delete mode 100644 scripts/policy/protocols/conn/metrics.bro
 delete mode 100644 scripts/policy/protocols/smtp/metrics.bro
diff --git a/DocSourcesList.cmake b/DocSourcesList.cmake
index 5ac87a6305..a9ba4838db 100644
--- a/DocSourcesList.cmake
+++ b/DocSourcesList.cmake
@@ -46,17 +46,6 @@ rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
 rest_target(${psd} base/frameworks/logging/writers/dataseries.bro)
 rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro)
 rest_target(${psd} base/frameworks/logging/writers/none.bro)
-rest_target(${psd} base/frameworks/measurement/cluster.bro)
-rest_target(${psd} base/frameworks/measurement/main.bro)
-rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
-rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -72,6 +61,17 @@ rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
+rest_target(${psd} base/frameworks/sumstats/cluster.bro)
+rest_target(${psd} base/frameworks/sumstats/main.bro)
+rest_target(${psd} base/frameworks/sumstats/non-cluster.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/average.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/max.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/min.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/sample.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/std-dev.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/sum.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/unique.bro)
+rest_target(${psd} base/frameworks/sumstats/plugins/variance.bro)
 rest_target(${psd} base/frameworks/tunnels/main.bro)
 rest_target(${psd} base/misc/find-checksum-offloading.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
@@ -147,7 +147,6 @@ rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
-rest_target(${psd} policy/protocols/conn/metrics.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
@@ -166,7 +165,6 @@ rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
 rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
-rest_target(${psd} policy/protocols/smtp/metrics.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index ee763c1d9d..4f9743547b 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -34,15 +34,15 @@ export {
 const enable_intermediate_updates = T &redef;
 ## Event sent by the manager in a cluster to initiate the
- ## collection of metrics values for a measurement.
+ ## collection of metrics values for a sumstat.
 global cluster_ss_request: event(uid: string, ssid: string);
 ## Event sent by nodes that are collecting metrics after receiving
- ## a request for the metric measurement from the manager.
+ ## a request for the metric sumstat from the manager.
 global cluster_ss_response: event(uid: string, ssid: string, data: ResultTable, done: bool);
 ## This event is sent by the manager in a cluster to initiate the
- ## collection of a single key value from a measurement. It's typically
+ ## collection of a single key value from a sumstat. It's typically
 ## used to get intermediate updates before the break interval triggers
 ## to speed detection of a value crossing a threshold.
 global cluster_key_request: event(uid: string, ssid: string, key: Key);
@@ -130,13 +130,13 @@ event SumStats::cluster_ss_request(uid: string, ssid: string)
 {
 #print fmt("WORKER %s: received the cluster_ss_request event for %s.", Cluster::node, id);
- # Initiate sending all of the data for the requested measurement.
+ # Initiate sending all of the data for the requested stats.
 if ( ssid in result_store )
 event SumStats::send_data(uid, ssid, result_store[ssid]);
 else
 event SumStats::send_data(uid, ssid, table());
- # Lookup the actual measurement and reset it, the reference to the data
+ # Lookup the actual sumstats and reset it, the reference to the data
 # currently stored will be maintained internally by the send_data event.
 if ( ssid in stats_store )
 reset(stats_store[ssid]);
@@ -181,9 +181,9 @@ global done_with: table[string] of count &read_expire=1min &default=0;
 global key_requests: table[string] of Result &read_expire=1min;
 # This variable is maintained by managers to prevent overwhelming communication due
-# to too many intermediate updates. Each measurement is tracked separately so that
-# one won't overwhelm and degrade other quieter measurements.
-# Indexed on a measurement id.
+# to too many intermediate updates. Each sumstat is tracked separately so that
+# one won't overwhelm and degrade other quieter sumstats.
+# Indexed on a sumstat id.
 global outstanding_global_views: table[string] of count &default=0;
 const zero_time = double_to_time(0.0);
@@ -192,7 +192,7 @@ event SumStats::finish_epoch(ss: SumStat)
 {
 if ( network_time() > zero_time )
 {
- #print fmt("%.6f MANAGER: breaking %s measurement for %s metric", network_time(), measurement$name, measurement$id);
+ #print fmt("%.6f MANAGER: breaking %s sumstat for %s metric", network_time(), ss$name, ss$id);
 local uid = unique_id("");
 if ( uid in stats_results )
@@ -207,8 +207,8 @@ event SumStats::finish_epoch(ss: SumStat)
 schedule ss$epoch { SumStats::finish_epoch(ss) };
 }
-# This is unlikely to be called often, but it's here in case there are measurements
-# being collected by managers.
+# This is unlikely to be called often, but it's here in
+# case there are sumstats being collected by managers.
 function data_added(ss: SumStat, key: Key, result: Result)
 {
 if ( check_thresholds(ss, key, result, 1.0) )
@@ -305,7 +305,7 @@ event SumStats::cluster_ss_response(uid: string, ssid: string, data: ResultTable
 # Clean up
 delete stats_results[uid];
 delete done_with[uid];
- # Not sure I need to reset the measurement on the manager.
+ # Not sure I need to reset the sumstat on the manager.
 reset(ss);
 }
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro
index 002a0147ff..35228a28f5 100644
--- a/scripts/base/frameworks/sumstats/plugins/average.bro
+++ b/scripts/base/frameworks/sumstats/plugins/average.bro
@@ -14,7 +14,7 @@ export {
 };
 }
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( AVERAGE in r$apply )
 {
diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro
index 0e377ff320..0a959f2d09 100644
--- a/scripts/base/frameworks/sumstats/plugins/max.bro
+++ b/scripts/base/frameworks/sumstats/plugins/max.bro
@@ -14,7 +14,7 @@ export {
 };
 }
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( MAX in r$apply )
 {
diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro
index 5e1e3fbbb7..16c2dfc3d7 100644
--- a/scripts/base/frameworks/sumstats/plugins/min.bro
+++ b/scripts/base/frameworks/sumstats/plugins/min.bro
@@ -14,7 +14,7 @@ export {
 };
 }
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( MIN in r$apply )
 {
diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro
index a694296727..622b160cbe 100644
--- a/scripts/base/frameworks/sumstats/plugins/sample.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sample.bro
@@ -29,13 +29,13 @@ function get_samples(rv: ResultVal): vector of Observation
 return s;
 }
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( r$samples > 0 )
 {
 if ( ! rv?$samples )
 rv$samples = Queue::init([$max_len=r$samples]);
- Queue::put(rv$samples, data);
+ Queue::put(rv$samples, obs);
 }
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro
index af6eea8cdc..7c2754570a 100644
--- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro
+++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro
@@ -22,13 +22,10 @@ function calc_std_dev(rv: ResultVal)
 }
 # This depends on the variance plugin which uses priority -5
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) &priority=-10
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10
 {
 if ( STD_DEV in r$apply )
- {
- if ( rv?$variance )
- calc_std_dev(rv);
- }
+ calc_std_dev(rv);
 }
 hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal) &priority=-10
diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro
index 572402d6c5..8c8c65cd61 100644
--- a/scripts/base/frameworks/sumstats/plugins/sum.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sum.bro
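Review bot: The std-dev hook no longer checks `rv?$variance` before calling `calc_std_dev(rv)`, yet the variance plugin fills `rv$variance` only when `VARIANCE in r$apply` (see the variance.bro hunk that follows), so a reducer listing `STD_DEV` without `VARIANCE` now reaches `calc_std_dev` with that field unset, unless `calc_std_dev` (whose body starts above this hunk) guards it itself. Either keep the guard, `if ( STD_DEV in r$apply && rv?$variance )`, or make the variance plugin compute when `STD_DEV in r$apply` as well, so the dependency described in the comment above the hook holds for every reducer. The tests in this series always request both, so they would not catch the gap.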
@@ -34,7 +34,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal)
 rv$sum = 0;
 }
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( SUM in r$apply )
 rv$sum += val;
diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro
index f260148af4..d3a4464d0d 100644
--- a/scripts/base/frameworks/sumstats/plugins/unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/unique.bro
@@ -23,13 +23,13 @@ redef record ResultVal += {
 unique_vals: set[Observation] &optional;
 };
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal)
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( UNIQUE in r$apply )
 {
 if ( ! rv?$unique_vals )
 rv$unique_vals=set();
- add rv$unique_vals[data];
+ add rv$unique_vals[obs];
 rv$unique = |rv$unique_vals|;
 }
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro
index a26a2d4095..29118b284b 100644
--- a/scripts/base/frameworks/sumstats/plugins/variance.bro
+++ b/scripts/base/frameworks/sumstats/plugins/variance.bro
@@ -29,7 +29,7 @@ function calc_variance(rv: ResultVal)
 }
 # Reduced priority since this depends on the average
-hook add_to_reducer_hook(r: Reducer, val: double, data: Observation, rv: ResultVal) &priority=-5
+hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5
 {
 if ( VARIANCE in r$apply )
 {
diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro
index 53f210b46a..ec2e8f8d48 100644
--- a/scripts/policy/misc/app-metrics.bro
+++ b/scripts/policy/misc/app-metrics.bro
@@ -32,7 +32,7 @@ redef record connection += { event bro_init() &priority=3 { - Log::create_stream(AppSumStats::LOG, [$columns=Info]); + Log::create_stream(AppStats::LOG, [$columns=Info]); local r1: SumStats::Reducer = [$stream="apps.bytes", $apply=set(SumStats::SUM)]; local r2: SumStats::Reducer = [$stream="apps.hits", $apply=set(SumStats::UNIQUE)]; diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro deleted file mode 100644 index 62ca96ea0a..0000000000 --- a/scripts/policy/protocols/conn/metrics.bro +++ /dev/null @@ -1,24 +0,0 @@ -@load base/frameworks/measurement -@load base/utils/site - -event bro_init() &priority=3 - { - Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM), - $period_finished=Metrics::write_log]); - Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM), - $period_finished=Metrics::write_log]); - } - -event connection_established(c: connection) &priority=3 - { - if ( Site::is_local_addr(c$id$orig_h) ) - { - local loc = lookup_location(c$id$resp_h); - if ( loc?$country_code ) - Metrics::add_data("conns.country", [$str=loc$country_code], [$num=1]); - } - - local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h; - # There is no index for this. - Metrics::add_data("hosts.active", [], [$str=cat(the_host)]); - } diff --git a/scripts/policy/protocols/smtp/metrics.bro b/scripts/policy/protocols/smtp/metrics.bro deleted file mode 100644 index 04e1185e25..0000000000 --- a/scripts/policy/protocols/smtp/metrics.bro +++ /dev/null 
@@ -1,37 +0,0 @@ -##! This script is meant to answer the following questions... -##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?" -##! "How much mail is being sent from each local mail server per hour?" - -@load base/protocols/smtp -@load base/frameworks/measurement -@load base/utils/site -@load base/utils/directions-and-hosts - -module SMTPMetrics; - -export { - ## Define the break intervals for all of the metrics collected and logged by this script. - const breaks=1hr &redef; -} - -event bro_init() &priority=5 - { - Metrics::add_filter("smtp.mailfrom", [$every=breaks, - $measure=set(Metrics::SUM), - $pred(index: Metrics::Index, data: Metrics::Observation) = { - return addr_matches_host(index$host, LOCAL_HOSTS); - }]); - Metrics::add_filter("smtp.messages", [$every=breaks, - $measure=set(Metrics::SUM), - $pred(index: Metrics::Index, data: Metrics::Observation) = { - return addr_matches_host(index$host, LOCAL_HOSTS); - }]); - } - -event SMTP::log_smtp(rec: SMTP::Info) - { - Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], [$num=1]); - - if ( rec?$mailfrom ) - Metrics::add_data("smtp.mailfrom", [$host=rec$id$orig_h], [$str=rec$mailfrom]); - } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 2fe32a4788..35d9f89de9 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -32,9 +32,13 @@ @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro @load misc/analysis-groups.bro +@load misc/app-metrics.bro @load misc/capture-loss.bro +@load misc/detect-traceroute/__load__.bro +@load misc/detect-traceroute/main.bro @load misc/loaded-scripts.bro @load misc/profiling.bro +@load misc/scan.bro @load misc/stats.bro @load misc/trim-trace-file.bro @load protocols/conn/known-hosts.bro 
@@ -42,6 +46,7 @@
 @load protocols/conn/weirds.bro
 @load protocols/dns/auth-addl.bro
 @load protocols/dns/detect-external-names.bro
+@load protocols/ftp/detect-bruteforcing.bro
 @load protocols/ftp/detect.bro
 @load protocols/ftp/software.bro
 @load protocols/http/detect-MHR.bro
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index e691a906c2..a34f4dd3fc 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path loaded_scripts
-#open 2013-04-02-04-22-32
+#open 2013-04-16-03-43-22
 #fields name
 #types string
 scripts/base/init-bare.bro
@@ -68,23 +68,23 @@ scripts/base/init-default.bro scripts/base/frameworks/software/main.bro scripts/base/frameworks/communication/__load__.bro scripts/base/frameworks/communication/main.bro - scripts/base/frameworks/measurement/__load__.bro - scripts/base/frameworks/measurement/main.bro - scripts/base/frameworks/measurement/plugins/__load__.bro - scripts/base/frameworks/measurement/plugins/average.bro - scripts/base/frameworks/measurement/plugins/max.bro - scripts/base/frameworks/measurement/plugins/min.bro - scripts/base/frameworks/measurement/plugins/sample.bro - scripts/base/frameworks/measurement/plugins/std-dev.bro - scripts/base/frameworks/measurement/plugins/variance.bro - scripts/base/frameworks/measurement/plugins/sum.bro - scripts/base/frameworks/measurement/plugins/unique.bro - scripts/base/frameworks/measurement/non-cluster.bro scripts/base/frameworks/intel/__load__.bro scripts/base/frameworks/intel/main.bro scripts/base/frameworks/intel/input.bro scripts/base/frameworks/reporter/__load__.bro scripts/base/frameworks/reporter/main.bro + scripts/base/frameworks/sumstats/__load__.bro + scripts/base/frameworks/sumstats/main.bro + scripts/base/frameworks/sumstats/plugins/__load__.bro + scripts/base/frameworks/sumstats/plugins/average.bro + scripts/base/frameworks/sumstats/plugins/max.bro + scripts/base/frameworks/sumstats/plugins/min.bro + scripts/base/frameworks/sumstats/plugins/sample.bro + scripts/base/frameworks/sumstats/plugins/variance.bro + scripts/base/frameworks/sumstats/plugins/std-dev.bro + scripts/base/frameworks/sumstats/plugins/sum.bro + scripts/base/frameworks/sumstats/plugins/unique.bro + scripts/base/frameworks/sumstats/non-cluster.bro scripts/base/frameworks/tunnels/__load__.bro scripts/base/frameworks/tunnels/main.bro scripts/base/protocols/conn/__load__.bro 
@@ -130,4 +130,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-02-04-22-32 +#close 2013-04-16-03-43-22 diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 554fcf012e..23cae7b694 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads @@ -3,5 +3,5 @@ -./frameworks/cluster/nodes/worker.bro -./frameworks/cluster/setup-connections.bro -./frameworks/intel/cluster.bro --./frameworks/measurement/cluster.bro -./frameworks/notice/cluster.bro +-./frameworks/sumstats/cluster.bro From 60605412abe961f0844ca74db90fdb629ce20869 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 22 Apr 2013 14:14:50 -0400 Subject: [PATCH 080/134] Fix a few tests. --- DocSourcesList.cmake | 187 ------------------ doc/scripts/DocSourcesList.cmake | 25 ++- .../canonified_loaded_scripts.log | 6 +- 3 files changed, 14 insertions(+), 204 deletions(-) delete mode 100644 DocSourcesList.cmake diff --git a/DocSourcesList.cmake b/DocSourcesList.cmake deleted file mode 100644 index a9ba4838db..0000000000 --- a/DocSourcesList.cmake +++ /dev/null 
@@ -1,187 +0,0 @@ -# DO NOT EDIT -# This file is auto-generated from the genDocSourcesList.sh script. -# -# This is a list of Bro script sources for which to generate reST documentation. -# It will be included inline in the CMakeLists.txt found in the same directory -# in order to create Makefile targets that define how to generate reST from -# a given Bro script. -# -# Note: any path prefix of the script (2nd argument of rest_target macro) -# will be used to derive what path under scripts/ the generated documentation -# will be placed. - -set(psd ${PROJECT_SOURCE_DIR}/scripts) - -rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) -rest_target(${psd} base/init-default.bro internal) -rest_target(${psd} base/init-bare.bro internal) - -rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) -rest_target(${psd} base/frameworks/cluster/main.bro) -rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) -rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) -rest_target(${psd} base/frameworks/cluster/nodes/worker.bro) -rest_target(${psd} base/frameworks/cluster/setup-connections.bro) -rest_target(${psd} base/frameworks/communication/main.bro) -rest_target(${psd} base/frameworks/control/main.bro) -rest_target(${psd} base/frameworks/dpd/main.bro) -rest_target(${psd} base/frameworks/input/main.bro) -rest_target(${psd} base/frameworks/input/readers/ascii.bro) -rest_target(${psd} base/frameworks/input/readers/benchmark.bro) -rest_target(${psd} base/frameworks/input/readers/raw.bro) -rest_target(${psd} base/frameworks/intel/cluster.bro) -rest_target(${psd} 
base/frameworks/intel/input.bro) -rest_target(${psd} base/frameworks/intel/main.bro) -rest_target(${psd} base/frameworks/logging/main.bro) -rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro) -rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro) -rest_target(${psd} base/frameworks/logging/writers/ascii.bro) -rest_target(${psd} base/frameworks/logging/writers/dataseries.bro) -rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro) -rest_target(${psd} base/frameworks/logging/writers/none.bro) -rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro) -rest_target(${psd} base/frameworks/notice/actions/drop.bro) -rest_target(${psd} base/frameworks/notice/actions/email_admin.bro) -rest_target(${psd} base/frameworks/notice/actions/page.bro) -rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro) -rest_target(${psd} base/frameworks/notice/cluster.bro) -rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro) -rest_target(${psd} base/frameworks/notice/main.bro) -rest_target(${psd} base/frameworks/notice/non-cluster.bro) -rest_target(${psd} base/frameworks/notice/weird.bro) -rest_target(${psd} base/frameworks/packet-filter/main.bro) -rest_target(${psd} base/frameworks/packet-filter/netstats.bro) -rest_target(${psd} base/frameworks/reporter/main.bro) -rest_target(${psd} base/frameworks/signatures/main.bro) -rest_target(${psd} base/frameworks/software/main.bro) -rest_target(${psd} base/frameworks/sumstats/cluster.bro) -rest_target(${psd} base/frameworks/sumstats/main.bro) -rest_target(${psd} base/frameworks/sumstats/non-cluster.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/average.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/max.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/min.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/sample.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/std-dev.bro) -rest_target(${psd} 
base/frameworks/sumstats/plugins/sum.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/unique.bro) -rest_target(${psd} base/frameworks/sumstats/plugins/variance.bro) -rest_target(${psd} base/frameworks/tunnels/main.bro) -rest_target(${psd} base/misc/find-checksum-offloading.bro) -rest_target(${psd} base/protocols/conn/contents.bro) -rest_target(${psd} base/protocols/conn/inactivity.bro) -rest_target(${psd} base/protocols/conn/main.bro) -rest_target(${psd} base/protocols/conn/polling.bro) -rest_target(${psd} base/protocols/dns/consts.bro) -rest_target(${psd} base/protocols/dns/main.bro) -rest_target(${psd} base/protocols/ftp/file-extract.bro) -rest_target(${psd} base/protocols/ftp/gridftp.bro) -rest_target(${psd} base/protocols/ftp/main.bro) -rest_target(${psd} base/protocols/ftp/utils-commands.bro) -rest_target(${psd} base/protocols/http/file-extract.bro) -rest_target(${psd} base/protocols/http/file-hash.bro) -rest_target(${psd} base/protocols/http/file-ident.bro) -rest_target(${psd} base/protocols/http/main.bro) -rest_target(${psd} base/protocols/http/utils.bro) -rest_target(${psd} base/protocols/irc/dcc-send.bro) -rest_target(${psd} base/protocols/irc/main.bro) -rest_target(${psd} base/protocols/modbus/consts.bro) -rest_target(${psd} base/protocols/modbus/main.bro) -rest_target(${psd} base/protocols/smtp/entities-excerpt.bro) -rest_target(${psd} base/protocols/smtp/entities.bro) -rest_target(${psd} base/protocols/smtp/main.bro) -rest_target(${psd} base/protocols/socks/consts.bro) -rest_target(${psd} base/protocols/socks/main.bro) -rest_target(${psd} base/protocols/ssh/main.bro) -rest_target(${psd} base/protocols/ssl/consts.bro) -rest_target(${psd} base/protocols/ssl/main.bro) -rest_target(${psd} base/protocols/ssl/mozilla-ca-list.bro) -rest_target(${psd} base/protocols/syslog/consts.bro) -rest_target(${psd} base/protocols/syslog/main.bro) -rest_target(${psd} base/utils/addrs.bro) -rest_target(${psd} base/utils/conn-ids.bro) -rest_target(${psd} 
base/utils/directions-and-hosts.bro) -rest_target(${psd} base/utils/files.bro) -rest_target(${psd} base/utils/numbers.bro) -rest_target(${psd} base/utils/paths.bro) -rest_target(${psd} base/utils/patterns.bro) -rest_target(${psd} base/utils/queue.bro) -rest_target(${psd} base/utils/site.bro) -rest_target(${psd} base/utils/strings.bro) -rest_target(${psd} base/utils/thresholds.bro) -rest_target(${psd} base/utils/time.bro) -rest_target(${psd} base/utils/urls.bro) -rest_target(${psd} policy/frameworks/communication/listen.bro) -rest_target(${psd} policy/frameworks/control/controllee.bro) -rest_target(${psd} policy/frameworks/control/controller.bro) -rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro) -rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro) -rest_target(${psd} policy/frameworks/intel/conn-established.bro) -rest_target(${psd} policy/frameworks/intel/dns.bro) -rest_target(${psd} policy/frameworks/intel/http-host-header.bro) -rest_target(${psd} policy/frameworks/intel/http-url.bro) -rest_target(${psd} policy/frameworks/intel/http-user-agents.bro) -rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro) -rest_target(${psd} policy/frameworks/intel/smtp.bro) -rest_target(${psd} policy/frameworks/intel/ssl.bro) -rest_target(${psd} policy/frameworks/intel/where-locations.bro) -rest_target(${psd} policy/frameworks/software/version-changes.bro) -rest_target(${psd} policy/frameworks/software/vulnerable.bro) -rest_target(${psd} policy/integration/barnyard2/main.bro) -rest_target(${psd} policy/integration/barnyard2/types.bro) -rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) -rest_target(${psd} policy/misc/app-metrics.bro) -rest_target(${psd} policy/misc/capture-loss.bro) -rest_target(${psd} policy/misc/detect-traceroute/main.bro) -rest_target(${psd} policy/misc/loaded-scripts.bro) -rest_target(${psd} policy/misc/profiling.bro) -rest_target(${psd} 
policy/misc/scan.bro) -rest_target(${psd} policy/misc/stats.bro) -rest_target(${psd} policy/misc/trim-trace-file.bro) -rest_target(${psd} policy/protocols/conn/known-hosts.bro) -rest_target(${psd} policy/protocols/conn/known-services.bro) -rest_target(${psd} policy/protocols/conn/weirds.bro) -rest_target(${psd} policy/protocols/dns/auth-addl.bro) -rest_target(${psd} policy/protocols/dns/detect-external-names.bro) -rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro) -rest_target(${psd} policy/protocols/ftp/detect.bro) -rest_target(${psd} policy/protocols/ftp/software.bro) -rest_target(${psd} policy/protocols/http/detect-MHR.bro) -rest_target(${psd} policy/protocols/http/detect-sqli.bro) -rest_target(${psd} policy/protocols/http/detect-webapps.bro) -rest_target(${psd} policy/protocols/http/header-names.bro) -rest_target(${psd} policy/protocols/http/software-browser-plugins.bro) -rest_target(${psd} policy/protocols/http/software.bro) -rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro) -rest_target(${psd} policy/protocols/http/var-extraction-uri.bro) -rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro) -rest_target(${psd} policy/protocols/modbus/track-memmap.bro) -rest_target(${psd} policy/protocols/smtp/blocklists.bro) -rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro) -rest_target(${psd} policy/protocols/smtp/software.bro) -rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro) -rest_target(${psd} policy/protocols/ssh/geo-data.bro) -rest_target(${psd} policy/protocols/ssh/interesting-hostnames.bro) -rest_target(${psd} policy/protocols/ssh/software.bro) -rest_target(${psd} policy/protocols/ssl/cert-hash.bro) -rest_target(${psd} policy/protocols/ssl/expiring-certs.bro) -rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro) -rest_target(${psd} policy/protocols/ssl/known-certs.bro) -rest_target(${psd} policy/protocols/ssl/notary.bro) -rest_target(${psd} 
policy/protocols/ssl/validate-certs.bro) -rest_target(${psd} policy/tuning/defaults/packet-fragments.bro) -rest_target(${psd} policy/tuning/defaults/warnings.bro) -rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro) -rest_target(${psd} policy/tuning/track-all-assets.bro) -rest_target(${psd} site/local-manager.bro) -rest_target(${psd} site/local-proxy.bro) -rest_target(${psd} site/local-worker.bro) -rest_target(${psd} site/local.bro) -rest_target(${psd} test-all-policy.bro) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index d4498b2fe3..a9ba4838db 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -46,17 +46,6 @@ rest_target(${psd} base/frameworks/logging/writers/ascii.bro) rest_target(${psd} base/frameworks/logging/writers/dataseries.bro) rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro) rest_target(${psd} base/frameworks/logging/writers/none.bro) -rest_target(${psd} base/frameworks/measurement/cluster.bro) -rest_target(${psd} base/frameworks/measurement/main.bro) -rest_target(${psd} base/frameworks/measurement/non-cluster.bro) -rest_target(${psd} base/frameworks/measurement/plugins/average.bro) -rest_target(${psd} base/frameworks/measurement/plugins/max.bro) -rest_target(${psd} base/frameworks/measurement/plugins/min.bro) -rest_target(${psd} base/frameworks/measurement/plugins/sample.bro) -rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro) -rest_target(${psd} base/frameworks/measurement/plugins/sum.bro) -rest_target(${psd} base/frameworks/measurement/plugins/unique.bro) -rest_target(${psd} base/frameworks/measurement/plugins/variance.bro) rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro) rest_target(${psd} base/frameworks/notice/actions/drop.bro) rest_target(${psd} base/frameworks/notice/actions/email_admin.bro) 
@@ -72,6 +61,17 @@ rest_target(${psd} base/frameworks/packet-filter/netstats.bro) rest_target(${psd} base/frameworks/reporter/main.bro) rest_target(${psd} base/frameworks/signatures/main.bro) rest_target(${psd} base/frameworks/software/main.bro) +rest_target(${psd} base/frameworks/sumstats/cluster.bro) +rest_target(${psd} base/frameworks/sumstats/main.bro) +rest_target(${psd} base/frameworks/sumstats/non-cluster.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/average.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/max.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/min.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/sample.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/std-dev.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/sum.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/unique.bro) +rest_target(${psd} base/frameworks/sumstats/plugins/variance.bro) rest_target(${psd} base/frameworks/tunnels/main.bro) rest_target(${psd} base/misc/find-checksum-offloading.bro) rest_target(${psd} base/protocols/conn/contents.bro) @@ -145,10 +145,8 @@ rest_target(${psd} policy/misc/profiling.bro) rest_target(${psd} policy/misc/scan.bro) rest_target(${psd} policy/misc/stats.bro) rest_target(${psd} policy/misc/trim-trace-file.bro) -rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro) rest_target(${psd} policy/protocols/conn/known-hosts.bro) rest_target(${psd} policy/protocols/conn/known-services.bro) -rest_target(${psd} policy/protocols/conn/metrics.bro) rest_target(${psd} policy/protocols/conn/weirds.bro) rest_target(${psd} policy/protocols/dns/auth-addl.bro) rest_target(${psd} policy/protocols/dns/detect-external-names.bro) 
@@ -167,7 +165,6 @@ rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro) rest_target(${psd} policy/protocols/modbus/track-memmap.bro) rest_target(${psd} policy/protocols/smtp/blocklists.bro) rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro) -rest_target(${psd} policy/protocols/smtp/metrics.bro) rest_target(${psd} policy/protocols/smtp/software.bro) rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro) rest_target(${psd} policy/protocols/ssh/geo-data.bro) diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index a34f4dd3fc..221e9b7a4a 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-16-03-43-22 +#open 2013-04-22-18-02-50 #fields name #types string scripts/base/init-bare.bro @@ -80,8 +80,8 @@ scripts/base/init-default.bro scripts/base/frameworks/sumstats/plugins/max.bro scripts/base/frameworks/sumstats/plugins/min.bro scripts/base/frameworks/sumstats/plugins/sample.bro - scripts/base/frameworks/sumstats/plugins/variance.bro scripts/base/frameworks/sumstats/plugins/std-dev.bro + scripts/base/frameworks/sumstats/plugins/variance.bro scripts/base/frameworks/sumstats/plugins/sum.bro scripts/base/frameworks/sumstats/plugins/unique.bro scripts/base/frameworks/sumstats/non-cluster.bro @@ -130,4 +130,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-16-03-43-22 +#close 2013-04-22-18-02-50 From 8f987e5066c5214f809ce3e7a0d897bca97f7955 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Mon, 22 Apr 2013 14:15:20 -0400 Subject: [PATCH 081/134] Fix a bug with path building in FTP. Came up when changing the path utils. --- scripts/base/protocols/ftp/main.bro | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 69e7c331ae..b9709b6176 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -174,8 +174,9 @@ function ftp_message(s: Info) if ( s$cmdarg$cmd in file_cmds ) { local comp_path = build_path_compressed(s$cwd, arg); - if ( s$cwd[0] != "/" ) + if ( comp_path[0] != "/" ) comp_path = cat("/", comp_path); + arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path); } @@ -245,16 +246,13 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=5 { - # TODO: figure out what to do with continued FTP response (not used much) - #if ( cont_resp ) return; - - local id = c$id; set_ftp_session(c); - c$ftp$cmdarg = get_pending_cmd(c$ftp$pending_commands, code, msg); - c$ftp$reply_code = code; c$ftp$reply_msg = msg; + + # TODO: figure out what to do with continued FTP response (not used much) + if ( cont_resp ) return; # TODO: do some sort of generic clear text login processing here. local response_xyz = parse_ftp_reply_code(code); @@ -283,10 +281,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior c$ftp$passive=T; if ( code == 229 && data$h == [::] ) - data$h = id$resp_h; + data$h = c$id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); + expect_connection(c$id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); } else { From 95744993825f69d84d7e6fb64799246f33625bf7 Mon Sep 17 00:00:00 2001 
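Review bot: In the ftp_reply hunk the re-enabled `if ( cont_resp ) return;` is placed after the assignments to `c$ftp$cmdarg`, `c$ftp$reply_code` and `c$ftp$reply_msg`, so every continuation line of a multi-line reply still refreshes those fields and only the reply-code processing below is skipped; if the intent is that the logged reply reflects the final line, the TODO should say so, e.g. `# Continuation lines refresh reply_code/reply_msg but skip the processing below.`, otherwise the return belongs above those assignments. ftp_reply begins and ends outside the hunk, so how the fields are consumed later cannot be confirmed from the diff. The `comp_path[0] != "/"` fix in ftp_message looks right; a short comment that `build_path_compressed` may return a relative path would make the prepend self-explanatory.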
From: Seth Hall Date: Mon, 22 Apr 2013 14:15:37 -0400 Subject: [PATCH 082/134] Move loading variance back to where it should be alphabetically. --- scripts/base/frameworks/sumstats/plugins/__load__.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.bro
index d739af29a7..0d4c2ed302 100644
--- a/scripts/base/frameworks/sumstats/plugins/__load__.bro
+++ b/scripts/base/frameworks/sumstats/plugins/__load__.bro
@@ -2,7 +2,7 @@
 @load ./max
 @load ./min
 @load ./sample
-@load ./variance
 @load ./std-dev
 @load ./sum
 @load ./unique
+@load ./variance
\ No newline at end of file
From 91362717da2822e2af33d315c03fe4905036087c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 22 Apr 2013 15:27:03 -0400 Subject: [PATCH 083/134] Renamed a plugin hook in sumstats framework. --- scripts/base/frameworks/sumstats/main.bro | 4 ++-- scripts/base/frameworks/sumstats/plugins/average.bro | 2 +- scripts/base/frameworks/sumstats/plugins/max.bro | 2 +- scripts/base/frameworks/sumstats/plugins/min.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sample.bro | 2 +- scripts/base/frameworks/sumstats/plugins/std-dev.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sum.bro | 2 +- scripts/base/frameworks/sumstats/plugins/unique.bro | 2 +- scripts/base/frameworks/sumstats/plugins/variance.bro | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
index 643502efb4..f6bd9ebfac 100644
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@@ -182,7 +182,7 @@ global thresholds_store: table[string, Key] of bool = table(); global data_added: function(ss: SumStat, key: Key, result: Result); # Prototype the hook point for plugins to do calculations. -global add_to_reducer_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal); +global observe_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal); # Prototype the hook point for plugins to initialize any result values. global init_resultval_hook: hook(r: Reducer, rv: ResultVal); # Prototype the hook point for plugins to merge Results. @@ -323,7 +323,7 @@ function observe(id: string, key: Key, obs: Observation) if ( obs?$num || obs?$dbl ) val = obs?$dbl ? obs$dbl : obs$num; - hook add_to_reducer_hook(r, val, obs, result_val); + hook observe_hook(r, val, obs, result_val); data_added(ss, key, result); } } diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro index 35228a28f5..baabb8ca5e 100644 --- a/scripts/base/frameworks/sumstats/plugins/average.bro +++ b/scripts/base/frameworks/sumstats/plugins/average.bro @@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( AVERAGE in r$apply ) { diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro index 0a959f2d09..532883d46e 100644 --- a/scripts/base/frameworks/sumstats/plugins/max.bro +++ b/scripts/base/frameworks/sumstats/plugins/max.bro @@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( MAX in r$apply ) { diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro index 16c2dfc3d7..2940b34a9b 100644 
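Review bot: The renamed prototype in main.bro still names its third parameter `data` while every `observe_hook` implementation in this commit (average, max, min, sample, std-dev, sum, unique, variance) and the call site in `observe` use `obs`; align the declaration, `global observe_hook: hook(r: Reducer, val: double, obs: Observation, rv: ResultVal);`. The comment above it would also benefit from stating the contract the second hunk shows: the hook fires once per accepted observation, and `val` is only derived from the observation when it carries `num` or `dbl` (otherwise it presumably keeps whatever it was initialised to above the hunk, which plugins such as sum.bro then add blindly). Something like `# Called once per observation; val is obs$dbl or obs$num when present, plugins must check obs for string-only observations.` would save plugin authors a trip through the call site.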
--- a/scripts/base/frameworks/sumstats/plugins/min.bro +++ b/scripts/base/frameworks/sumstats/plugins/min.bro @@ -14,7 +14,7 @@ export { }; } -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( MIN in r$apply ) { diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro index 622b160cbe..91a295775d 100644 --- a/scripts/base/frameworks/sumstats/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -29,7 +29,7 @@ function get_samples(rv: ResultVal): vector of Observation return s; } -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( r$samples > 0 ) { diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro index 7c2754570a..cbe9197581 100644 --- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro +++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro @@ -22,7 +22,7 @@ function calc_std_dev(rv: ResultVal) } # This depends on the variance plugin which uses priority -5 -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10 +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10 { if ( STD_DEV in r$apply ) calc_std_dev(rv); diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro index 8c8c65cd61..18056d14fb 100644 --- a/scripts/base/frameworks/sumstats/plugins/sum.bro +++ b/scripts/base/frameworks/sumstats/plugins/sum.bro 
@@ -34,7 +34,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal) rv$sum = 0; } -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( SUM in r$apply ) rv$sum += val; diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro index d3a4464d0d..f44da07e07 100644 --- a/scripts/base/frameworks/sumstats/plugins/unique.bro +++ b/scripts/base/frameworks/sumstats/plugins/unique.bro @@ -23,7 +23,7 @@ redef record ResultVal += { unique_vals: set[Observation] &optional; }; -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) { if ( UNIQUE in r$apply ) { diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro index 29118b284b..9aadd58bdd 100644 --- a/scripts/base/frameworks/sumstats/plugins/variance.bro +++ b/scripts/base/frameworks/sumstats/plugins/variance.bro @@ -29,7 +29,7 @@ function calc_variance(rv: ResultVal) } # Reduced priority since this depends on the average -hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5 +hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5 { if ( VARIANCE in r$apply ) { From 2c689b7f4041670d687953ad56d38c84d4ce3da1 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 22 Apr 2013 15:27:14 -0400 Subject: [PATCH 084/134] Removed some dead code in scan.bro --- scripts/policy/misc/scan.bro | 39 +----------------------------------- 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index 9a95cf9917..508e9316a8 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro 
@@ -1,4 +1,4 @@ -##! Scan detection +##! TCP Scan detection ##! ##! ..Authors: Sheharbano Khattak ##! Seth Hall @@ -47,22 +47,9 @@ export { const addr_scan_custom_thresholds: table[port] of count &redef; global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); - global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); } - -#function check_addr_scan_threshold(key: SumStats::Key, val: SumStats::Result): bool -# { -# # We don't need to do this if no custom thresholds are defined. -# if ( |addr_scan_custom_thresholds| == 0 ) -# return F; -# -# local service = to_port(key$str); -# return ( service in addr_scan_custom_thresholds && -# val$sum > addr_scan_custom_thresholds[service] ); -# } - event bro_init() &priority=5 { local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE)]; @@ -124,30 +111,6 @@ function add_sumstats(id: conn_id, reverse: bool) victim = id$orig_h; scanned_port = id$orig_p; } - - # Defaults to be implemented with a hook... - #local transport_layer_proto = get_port_transport_proto(service); - #if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) ) - # return F; - #else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) ) - # return F; - #else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) ) - # return F; - - # TODO: all of this whitelist/blacklist will be done - # through the upcoming hook mechanism - # Blacklisting/whitelisting services - #if ( |analyze_services| > 0 ) - # { - # if ( service !in analyze_services ) - # return F; - # } - #else if ( service in skip_services ) - # return F; - # - ## Blacklisting/whitelisting subnets - #if ( |analyze_subnets| > 0 && host !in analyze_subnets ) - # return F; if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); 
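Review bot: The second hunk drops the exported `global Scan::port_scan_policy: hook(...)` declaration together with the commented-out code, which is an interface change rather than dead-code removal if any port-scan observation path outside this hunk still exists; the add_sumstats hunk only shows the `scan.addr.fail` observe call, and that function continues outside the hunk. If port-scan observations are still made they now have no per-observation gate comparable to `if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )`, and if the hook is dropped on purpose the commit message should say so. The surviving `addr_scan_policy` declaration would also benefit from a one-line comment such as `## Handlers that break out of this hook veto the observation for (scanner, victim, scanned_port).` so the role of the `if ( hook ... )` guard in add_sumstats is documented at the declaration.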
From 48cbb31747f39a8823260f6d86eab07b306125f9 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 25 Apr 2013 12:51:55 -0400 Subject: [PATCH 085/134] Added an automatic state limiter for threshold based SumStats. --- scripts/base/frameworks/sumstats/cluster.bro | 44 ++++++++++---- scripts/base/frameworks/sumstats/main.bro | 62 ++++++++++++++------ 2 files changed, 79 insertions(+), 27 deletions(-) diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro index 4f9743547b..405395a687 100644 --- a/scripts/base/frameworks/sumstats/cluster.bro +++ b/scripts/base/frameworks/sumstats/cluster.bro @@ -1,7 +1,7 @@ -##! This implements transparent cluster support for the metrics framework. +##! This implements transparent cluster support for the SumStats framework. ##! Do not load this file directly. It's only meant to be loaded automatically ##! and will be depending on if the cluster framework has been enabled. -##! The goal of this script is to make metric calculation completely and +##! The goal of this script is to make sumstats calculation completely and ##! transparently automated when running on a cluster. @load base/frameworks/cluster @@ -11,7 +11,7 @@ module SumStats; export { ## Allows a user to decide how large of result groups the - ## workers should transmit values for cluster metric aggregation. + ## workers should transmit values for cluster stats aggregation. const cluster_send_in_groups_of = 50 &redef; ## The percent of the full threshold value that needs to be met 
@@ -34,11 +34,11 @@ export { const enable_intermediate_updates = T &redef; ## Event sent by the manager in a cluster to initiate the - ## collection of metrics values for a sumstat. + ## collection of values for a sumstat. global cluster_ss_request: event(uid: string, ssid: string); - ## Event sent by nodes that are collecting metrics after receiving - ## a request for the metric sumstat from the manager. + ## Event sent by nodes that are collecting sumstats after receiving + ## a request for the sumstat from the manager. global cluster_ss_response: event(uid: string, ssid: string, data: ResultTable, done: bool); ## This event is sent by the manager in a cluster to initiate the @@ -58,10 +58,14 @@ export { ## This event is scheduled internally on workers to send result chunks. global send_data: event(uid: string, ssid: string, data: ResultTable); + + ## This event is generated when a threshold is crossed. + global cluster_threshold_crossed: event(ssid: string, key: SumStats::Key, thold: Thresholding); } # Add events to the cluster framework to make this work. -redef Cluster::manager2worker_events += /SumStats::cluster_(ss_request|key_request)/; +redef Cluster::manager2worker_events += /SumStats::cluster_(ss_request|key_request|threshold_crossed)/; +redef Cluster::manager2worker_events += /SumStats::thresholds_reset/; redef Cluster::worker2manager_events += /SumStats::cluster_(ss_response|key_response|key_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) @@ -78,7 +82,7 @@ event bro_init() &priority=-100 reducer_store = table(); } -# This is done on all non-manager node types in the event that a metric is +# This is done on all non-manager node types in the event that a sumstat is # being collected somewhere other than a worker. function data_added(ss: SumStat, key: Key, result: Result) { 
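Review bot: The doc comment on the new `cluster_threshold_crossed` event, `## This event is generated when a threshold is crossed.`, says nothing about direction or purpose, which matters because the event is added to `Cluster::manager2worker_events` right below and carries a `Thresholding` record that the worker-side handler copies into `threshold_tracker`. Something like `## Sent by the manager to all workers when it detects a threshold crossing so that the workers' threshold_tracker entry for the key matches the manager's and observe() can stop counting that key.` would tell a reader why a worker ever receives it. The same applies to the second redef line that adds `SumStats::thresholds_reset` to the manager-to-worker set: a short comment that it keeps worker threshold state in sync with the manager's reset() would help, since the event itself is declared in main.bro.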
@@ -117,7 +121,7 @@ event SumStats::send_data(uid: string, ssid: string, data: ResultTable) } local done = F; - # If data is empty, this metric is done. + # If data is empty, this sumstat is done. if ( |data| == 0 ) done = T; @@ -157,6 +161,19 @@ event SumStats::cluster_key_request(uid: string, ssid: string, key: Key) } } +event SumStats::cluster_threshold_crossed(ssid: string, key: SumStats::Key, thold: Thresholding) + { + if ( ssid !in threshold_tracker ) + threshold_tracker[ssid] = table(); + + threshold_tracker[ssid][key] = thold; + } + +event SumStats::thresholds_reset(ssid: string) + { + threshold_tracker[ssid] = table(); + } + @endif @@ -192,7 +209,7 @@ event SumStats::finish_epoch(ss: SumStat) { if ( network_time() > zero_time ) { - #print fmt("%.6f MANAGER: breaking %s sumstat for %s metric", network_time(), ss$name, ss$id); + #print fmt("%.6f MANAGER: breaking %s sumstat for %s sumstat", network_time(), ss$name, ss$id); local uid = unique_id(""); if ( uid in stats_results ) @@ -212,7 +229,10 @@ event SumStats::finish_epoch(ss: SumStat) function data_added(ss: SumStat, key: Key, result: Result) { if ( check_thresholds(ss, key, result, 1.0) ) + { threshold_crossed(ss, key, result); + event SumStats::cluster_threshold_crossed(ss$id, key, threshold_tracker[ss$id][key]); + } } event SumStats::cluster_key_response(uid: string, ssid: string, key: Key, result: Result) @@ -235,7 +255,10 @@ event SumStats::cluster_key_response(uid: string, ssid: string, key: Key, result local ss = stats_store[ssid]; local ir = key_requests[uid]; if ( check_thresholds(ss, key, ir, 1.0) ) + { threshold_crossed(ss, key, ir); + event SumStats::cluster_threshold_crossed(ss$id, key, threshold_tracker[ss$id][key]); + } delete done_with[uid]; delete key_requests[uid]; 
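Review bot: In the manager-side `data_added` and `cluster_key_response` hunks the new line `event SumStats::cluster_threshold_crossed(ss$id, key, threshold_tracker[ss$id][key]);` indexes `threshold_tracker[ss$id][key]` without a membership check, so it presumably relies on `check_thresholds()`/`threshold_crossed()` (both outside these hunks) having created that entry first; if that invariant holds it deserves a comment such as `# threshold_tracker[ss$id][key] is populated by check_thresholds() above.`, and if it does not, the access is a missing-index runtime error. The identical three-line block is repeated a third time in the `cluster_ss_response` hunk of the same commit, so a small manager-side helper that calls `threshold_crossed()` and then raises the cluster event would keep the three sites from drifting. `cluster_key_response` starts outside its hunk.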
@@ -292,6 +315,7 @@ event SumStats::cluster_ss_response(uid: string, ssid: string, data: ResultTable if ( check_thresholds(ss, key, local_data[key], 1.0) ) { threshold_crossed(ss, key, local_data[key]); + event SumStats::cluster_threshold_crossed(ss$id, key, threshold_tracker[ss$id][key]); } } } diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index f6bd9ebfac..ef7a34a4a4 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -133,6 +133,20 @@ export { ## obs: The data point to send into the stream. global observe: function(id: string, key: SumStats::Key, obs: SumStats::Observation); + ## This record is primarily used for internal threshold tracking. + type Thresholding: record { + # Internal use only. Indicates if a simple threshold was already crossed. + is_threshold_crossed: bool &default=F; + + # Internal use only. Current key for threshold series. + threshold_series_index: count &default=0; + }; + + ## This event is generated when thresholds are reset for a SumStat. + ## + ## ssid: SumStats ID that thresholds were reset for. + global thresholds_reset: event(ssid: string); + ## Helper function to represent a :bro:type:`SumStats::Key` value as ## a simple string. ## @@ -144,15 +158,7 @@ export { redef record Reducer += { # Internal use only. Provides a reference back to the related SumStats by it's ID. - mid: string &optional; -}; - -type Thresholding: record { - # Internal use only. Indicates if a simple threshold was already crossed. - is_threshold_crossed: bool &default=F; - - # Internal use only. Current key for threshold series. - threshold_series_index: count &default=0; + sid: string &optional; }; # Internal use only. For tracking thresholds per sumstat and key. 
@@ -257,7 +263,12 @@ function reset(ss: SumStat) delete result_store[ss$id]; result_store[ss$id] = table(); - threshold_tracker[ss$id] = table(); + + if ( ss?$threshold || ss?$threshold_series ) + { + threshold_tracker[ss$id] = table(); + event SumStats::thresholds_reset(ss$id); + } } function create(ss: SumStat) @@ -274,7 +285,7 @@ function create(ss: SumStat) for ( reducer in ss$reducers ) { - reducer$mid = ss$id; + reducer$sid = ss$id; if ( reducer$stream !in reducer_store ) reducer_store[reducer$stream] = set(); add reducer_store[reducer$stream][reducer]; @@ -292,19 +303,36 @@ function observe(id: string, key: Key, obs: Observation) # Try to add the data to all of the defined reducers. for ( r in reducer_store[id] ) { + if ( r?$normalize_key ) + key = r$normalize_key(copy(key)); + # If this reducer has a predicate, run the predicate # and skip this key if the predicate return false. if ( r?$pred && ! r$pred(key, obs) ) next; - if ( r?$normalize_key ) - key = r$normalize_key(copy(key)); + local ss = stats_store[r$sid]; - local ss = stats_store[r$mid]; - - if ( r$mid !in result_store ) + # If there is a threshold and no epoch_finished callback + # we don't need to continue counting since the data will + # never be accessed. This was leading + # to some state management issues when measuring + # uniqueness. + # NOTE: this optimization could need removed in the + # future if on demand access is provided to the + # SumStats results. + if ( ! ss?$epoch_finished && + r$sid in threshold_tracker && + key in threshold_tracker[r$sid] && + ( ss?$threshold && + threshold_tracker[r$sid][key]$is_threshold_crossed ) || + ( ss?$threshold_series && + threshold_tracker[r$sid][key]$threshold_series_index+1 == |ss$threshold_series| ) ) + next; + + if ( r$sid !in result_store ) result_store[ss$id] = table(); - local results = result_store[r$mid]; + local results = result_store[r$sid]; if ( key !in results ) results[key] = table(); 
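Review bot: The new skip condition in `observe()` is mis-parenthesised: `&&` binds tighter than `||`, so it parses as `( ! ss?$epoch_finished && r$sid in threshold_tracker && key in threshold_tracker[r$sid] && ( ss?$threshold && ... ) ) || ( ss?$threshold_series && threshold_tracker[r$sid][key]$threshold_series_index+1 == |ss$threshold_series| )`. For any SumStat with a `$threshold_series` the right-hand clause is therefore evaluated with none of the guards, which means observations are discarded even when `$epoch_finished` is set, and `threshold_tracker[r$sid][key]` is read when `key` (or `r$sid`) is not in the tracker, a missing-index error. The two alternatives need to be wrapped in one extra pair of parentheses, as below; separately, the `threshold_series_index+1 == |ss$threshold_series|` test looks as if it stops counting while the last threshold in the series is still pending, which is worth confirming against how `check_thresholds()` advances the index. `observe()` starts and ends outside this hunk.
```bro
		# … unchanged: normalize_key / pred handling, ss lookup …
		# Stop counting once the configured threshold(s) for this key can no
		# longer fire and nobody will read the result at epoch end.
		if ( ! ss?$epoch_finished &&
		     r$sid in threshold_tracker &&
		     key in threshold_tracker[r$sid] &&
		     ( ( ss?$threshold &&
		         threshold_tracker[r$sid][key]$is_threshold_crossed ) ||
		       ( ss?$threshold_series &&
		         threshold_tracker[r$sid][key]$threshold_series_index+1 == |ss$threshold_series| ) ) )
			next;
		# … unchanged: result_store bookkeeping …
```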
From 04410237c2b694c204e7713fee518ad9c1e96e98 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 26 Apr 2013 12:24:46 -0400 Subject: [PATCH 086/134] Added protocol to the traceroute detection script. --- .../policy/misc/detect-traceroute/main.bro | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index 9ac0f5c2f9..fd4190f8a6 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -39,11 +39,13 @@ export { ## The log record for the traceroute log. type Info: record { ## Timestamp - ts: time &log; + ts: time &log; ## Address initiaing the traceroute. - src: addr &log; + src: addr &log; ## Destination address of the traceroute. - dst: addr &log; + dst: addr &log; + ## Protocol used for the traceroute. + proto: string &log; }; global log_traceroute: event(rec: Traceroute::Info); @@ -69,14 +71,15 @@ event bro_init() &priority=5 $threshold=icmp_time_exceeded_threshold, $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { - local parts = split1(key$str, /-/); + local parts = split_n(key$str, /-/, F, 2); local src = to_addr(parts[1]); local dst = to_addr(parts[2]); - Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); + local proto = parts[3]; + Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]); NOTICE([$note=Traceroute::Detected, - $msg=fmt("%s seems to be running traceroute", src), - $src=src, $dst=dst, - $identifier=cat(src)]); + $msg=fmt("%s seems to be running traceroute using %s", src, proto), + $src=src, + $identifier=cat(src,proto)]); }]); } 
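Review bot: The rewritten NOTICE in the `$threshold_crossed` callback silently drops `$dst=dst`, so the Traceroute::Detected notice no longer records the destination even though `dst` is still parsed from the key and written to the log; this is not mentioned in the commit message and looks accidental, so either restore `$dst=dst,` after `$src=src,` or note why it was removed. The new `$identifier=cat(src,proto)` also changes suppression from per-source to per-source-and-protocol, which is a behavioural change worth a comment such as `# Suppress repeat notices per (source, transport protocol).`. The `split_n(key$str, /-/, F, 2)` parse assumes the key was built as `src-dst-proto` by the observe calls in the next hunk; a comment tying the two together would help. The enclosing `event bro_init()` starts outside this hunk.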
@@ -84,10 +87,12 @@ event bro_init() &priority=5 event signature_match(state: signature_state, msg: string, data: string) { if ( state$sig_id == /traceroute-detector.*/ ) - SumStats::observe("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h)], [$num=1]); + { + SumStats::observe("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h,"-",get_port_transport_proto(state$conn$id$resp_p))], [$num=1]); + } } event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) { - SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]); + SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h,"-",get_port_transport_proto(context$id$resp_p))], [$str=cat(c$id$orig_h)]); } From b9249ecf9d415b33771c4f56183db0c4e9e7b7fe Mon Sep 17 00:00:00 2001 
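Review bot: Both handlers now build the sumstats key with the same expression, `cat(orig_h,"-",resp_h,"-",get_port_transport_proto(resp_p))`, and the `$threshold_crossed` callback in the previous hunk parses that layout back with `split_n(key$str, /-/, F, 2)`; with the format duplicated in two producers and one consumer, a single helper that documents the `src-dst-proto` layout would keep them from drifting. A sketch is below; the braces added around the single `SumStats::observe` statement in `signature_match` are also unnecessary by the file's own style in `icmp_time_exceeded`.
```bro
# Key layout shared with the $threshold_crossed callback, which splits on "-":
# "<orig_h>-<resp_h>-<transport proto>".
function traceroute_key(id: conn_id): string
	{
	return cat(id$orig_h, "-", id$resp_h, "-", get_port_transport_proto(id$resp_p));
	}

# … unchanged: signature_match signature and sig_id check …
		SumStats::observe("traceroute.low_ttl_packet", [$str=traceroute_key(state$conn$id)], [$num=1]);

# … unchanged: icmp_time_exceeded signature …
	SumStats::observe("traceroute.time_exceeded", [$str=traceroute_key(context$id)], [$str=cat(c$id$orig_h)]);
```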
From: Robin Sommer Date: Sun, 28 Apr 2013 15:34:20 -0700 Subject: [PATCH 087/134] Layout tweaks for the sumstats code, and preliminary updates for NEWS. The layout changes are mostly whitespace and some comment rewrapping. No functional changes. --- NEWS | 24 ++++ scripts/base/frameworks/sumstats/cluster.bro | 99 ++++++++-------- scripts/base/frameworks/sumstats/main.bro | 106 +++++++++--------- .../base/frameworks/sumstats/non-cluster.bro | 4 +- .../frameworks/sumstats/plugins/average.bro | 4 +- .../base/frameworks/sumstats/plugins/max.bro | 4 +- .../base/frameworks/sumstats/plugins/min.bro | 6 +- .../frameworks/sumstats/plugins/sample.bro | 8 +- .../frameworks/sumstats/plugins/std-dev.bro | 2 +- .../base/frameworks/sumstats/plugins/sum.bro | 4 +- .../frameworks/sumstats/plugins/unique.bro | 12 +- .../frameworks/sumstats/plugins/variance.bro | 4 +- scripts/base/protocols/ssh/main.bro | 44 ++++---- scripts/base/utils/queue.bro | 26 ++--- scripts/base/utils/time.bro | 2 +- scripts/policy/misc/app-metrics.bro | 8 +- .../policy/misc/detect-traceroute/main.bro | 14 +-- scripts/policy/misc/scan.bro | 74 ++++++------ .../protocols/ftp/detect-bruteforcing.bro | 14 ++- scripts/policy/protocols/http/detect-sqli.bro | 24 ++-- .../protocols/ssh/detect-bruteforcing.bro | 22 ++-- 21 files changed, 265 insertions(+), 240 deletions(-) diff --git a/NEWS b/NEWS index 8605dcdbd4..4c0e2b45cc 100644 --- a/NEWS +++ b/NEWS @@ -126,6 +126,9 @@ Changed Functionality - Removed the byte_len() and length() bif functions. Use the "|...|" operator instead. +- The SSH::Login notice has been superseded by an corresponding + intelligence framework observation (SSH::SUCCESSFUL_LOGIN). + Bro 2.1 ------- 
@@ -209,6 +212,27 @@ New Functionality outputs. We do not yet recommend them for production (but welcome feedback!) +- Summary statistics framework. [Extend] + +- A number of new applications build on top of the summary statistics + framework: + + * Scan detection: Detectors for port and address scans return. See + policy/misc/scan.bro. + + * Tracerouter detector: policy/misc/detect-traceroute + + * Web application detection/measurement: policy/misc/app-metrics.bro + + * FTP brute-forcing detector: policy/protocols/ftp/detect-bruteforcing.bro + + * HTTP-based SQL injection detector: policy/protocols/http/detect-sqli.bro + (existed before, but now ported to the new framework) + + * SSH brute-forcing detector feeding the intelligence framework: + policy/protocols/ssh/detect-bruteforcing.bro + + Changed Functionality ~~~~~~~~~~~~~~~~~~~~~ diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro index 405395a687..9ee63a674e 100644 --- a/scripts/base/frameworks/sumstats/cluster.bro +++ b/scripts/base/frameworks/sumstats/cluster.bro 
@@ -10,49 +10,48 @@ module SumStats; export { - ## Allows a user to decide how large of result groups the - ## workers should transmit values for cluster stats aggregation. + ## Allows a user to decide how large of result groups the workers should transmit + ## values for cluster stats aggregation. const cluster_send_in_groups_of = 50 &redef; - - ## The percent of the full threshold value that needs to be met - ## on a single worker for that worker to send the value to its manager in - ## order for it to request a global view for that value. There is no - ## requirement that the manager requests a global view for the key - ## since it may opt not to if it requested a global view for the key - ## recently. + + ## The percent of the full threshold value that needs to be met on a single worker + ## for that worker to send the value to its manager in order for it to request a + ## global view for that value. There is no requirement that the manager requests + ## a global view for the key since it may opt not to if it requested a global view + ## for the key recently. const cluster_request_global_view_percent = 0.2 &redef; ## This is to deal with intermediate update overload. A manager will only allow - ## this many intermediate update requests to the workers to be inflight at - ## any given time. Requested intermediate updates are currently thrown out - ## and not performed. In practice this should hopefully have a minimal effect. + ## this many intermediate update requests to the workers to be inflight at any + ## given time. Requested intermediate updates are currently thrown out and not + ## performed. In practice this should hopefully have a minimal effect. const max_outstanding_global_views = 10 &redef; - ## Intermediate updates can cause overload situations on very large clusters. - ## This option may help reduce load and correct intermittent problems. - ## The goal for this option is also meant to be temporary. 
+ ## Intermediate updates can cause overload situations on very large clusters. This + ## option may help reduce load and correct intermittent problems. The goal for this + ## option is also meant to be temporary. const enable_intermediate_updates = T &redef; - ## Event sent by the manager in a cluster to initiate the - ## collection of values for a sumstat. + ## Event sent by the manager in a cluster to initiate the collection of values for + ## a sumstat. global cluster_ss_request: event(uid: string, ssid: string); - ## Event sent by nodes that are collecting sumstats after receiving - ## a request for the sumstat from the manager. + ## Event sent by nodes that are collecting sumstats after receiving a request for + ## the sumstat from the manager. global cluster_ss_response: event(uid: string, ssid: string, data: ResultTable, done: bool); - ## This event is sent by the manager in a cluster to initiate the - ## collection of a single key value from a sumstat. It's typically - ## used to get intermediate updates before the break interval triggers - ## to speed detection of a value crossing a threshold. + ## This event is sent by the manager in a cluster to initiate the collection of + ## a single key value from a sumstat. It's typically used to get intermediate + ## updates before the break interval triggers to speed detection of a value + ## crossing a threshold. global cluster_key_request: event(uid: string, ssid: string, key: Key); - ## This event is sent by nodes in response to a + ## This event is sent by nodes in response to a ## :bro:id:`SumStats::cluster_key_request` event. 
global cluster_key_response: event(uid: string, ssid: string, key: Key, result: Result); - ## This is sent by workers to indicate that they crossed the percent of the - ## current threshold by the percentage defined globally in + ## This is sent by workers to indicate that they crossed the percent + ## of the current threshold by the percentage defined globally in ## :bro:id:`SumStats::cluster_request_global_view_percent` global cluster_key_intermediate_response: event(ssid: string, key: SumStats::Key); @@ -69,7 +68,7 @@ redef Cluster::manager2worker_events += /SumStats::thresholds_reset/; redef Cluster::worker2manager_events += /SumStats::cluster_(ss_response|key_response|key_intermediate_response)/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -# This variable is maintained to know what keys have recently sent as +# This variable is maintained to know what keys have recently sent as # intermediate updates so they don't overwhelm their manager. The count that is # yielded is the number of times the percentage threshold has been crossed and # an intermediate result has been received. @@ -82,7 +81,7 @@ event bro_init() &priority=-100 reducer_store = table(); } -# This is done on all non-manager node types in the event that a sumstat is +# This is done on all non-manager node types in the event that a sumstat is # being collected somewhere other than a worker. function data_added(ss: SumStat, key: Key, result: Result) { @@ -92,9 +91,9 @@ function data_added(ss: SumStat, key: Key, result: Result) return; # If val is 5 and global view % is 0.1 (10%), pct_val will be 50. If that - # crosses the full threshold then it's a candidate to send as an + # crosses the full threshold then it's a candidate to send as an # intermediate update. - if ( enable_intermediate_updates && + if ( enable_intermediate_updates && check_thresholds(ss, key, result, cluster_request_global_view_percent) ) { # kick off intermediate update 
@@ -113,18 +112,18 @@ event SumStats::send_data(uid: string, ssid: string, data: ResultTable) { local_data[key] = data[key]; delete data[key]; - + # Only send cluster_send_in_groups_of at a time. Queue another # event to send the next group. if ( cluster_send_in_groups_of == ++num_added ) break; } - + local done = F; # If data is empty, this sumstat is done. if ( |data| == 0 ) done = T; - + event SumStats::cluster_ss_response(uid, ssid, local_data, done); if ( ! done ) schedule 0.01 sec { SumStats::send_data(uid, ssid, data) }; @@ -133,7 +132,7 @@ event SumStats::send_data(uid: string, ssid: string, data: ResultTable) event SumStats::cluster_ss_request(uid: string, ssid: string) { #print fmt("WORKER %s: received the cluster_ss_request event for %s.", Cluster::node, id); - + # Initiate sending all of the data for the requested stats. if ( ssid in result_store ) event SumStats::send_data(uid, ssid, result_store[ssid]); @@ -145,7 +144,7 @@ event SumStats::cluster_ss_request(uid: string, ssid: string) if ( ssid in stats_store ) reset(stats_store[ssid]); } - + event SumStats::cluster_key_request(uid: string, ssid: string, key: Key) { if ( ssid in result_store && key in result_store[ssid] ) 
@@ -179,27 +178,27 @@ event SumStats::thresholds_reset(ssid: string) @if ( Cluster::local_node_type() == Cluster::MANAGER ) -# This variable is maintained by manager nodes as they collect and aggregate -# results. +# This variable is maintained by manager nodes as they collect and aggregate +# results. # Index on a uid. global stats_results: table[string] of ResultTable &read_expire=1min; # This variable is maintained by manager nodes to track how many "dones" they -# collected per collection unique id. Once the number of results for a uid -# matches the number of peer nodes that results should be coming from, the +# collected per collection unique id. Once the number of results for a uid +# matches the number of peer nodes that results should be coming from, the # result is written out and deleted from here. # Indexed on a uid. # TODO: add an &expire_func in case not all results are received. global done_with: table[string] of count &read_expire=1min &default=0; -# This variable is maintained by managers to track intermediate responses as -# they are getting a global view for a certain key. +# This variable is maintained by managers to track intermediate responses as +# they are getting a global view for a certain key. # Indexed on a uid. global key_requests: table[string] of Result &read_expire=1min; # This variable is maintained by managers to prevent overwhelming communication due -# to too many intermediate updates. Each sumstat is tracked separately so that -# one won't overwhelm and degrade other quieter sumstats. +# to too many intermediate updates. Each sumstat is tracked separately so that +# one won't overwhelm and degrade other quieter sumstats. # Indexed on a sumstat id. global outstanding_global_views: table[string] of count &default=0; 
@@ -211,11 +210,11 @@ event SumStats::finish_epoch(ss: SumStat) { #print fmt("%.6f MANAGER: breaking %s sumstat for %s sumstat", network_time(), ss$name, ss$id); local uid = unique_id(""); - + if ( uid in stats_results ) delete stats_results[uid]; stats_results[uid] = table(); - + # Request data from peers. event SumStats::cluster_ss_request(uid, ss$id); } @@ -224,7 +223,7 @@ event SumStats::finish_epoch(ss: SumStat) schedule ss$epoch { SumStats::finish_epoch(ss) }; } -# This is unlikely to be called often, but it's here in +# This is unlikely to be called often, but it's here in # case there are sumstats being collected by managers. function data_added(ss: SumStat, key: Key, result: Result) { @@ -234,7 +233,7 @@ function data_added(ss: SumStat, key: Key, result: Result) event SumStats::cluster_threshold_crossed(ss$id, key, threshold_tracker[ss$id][key]); } } - + event SumStats::cluster_key_response(uid: string, ssid: string, key: Key, result: Result) { #print fmt("%0.6f MANAGER: receiving key data from %s - %s=%s", network_time(), get_event_peer()$descr, key2str(key), result); @@ -277,7 +276,7 @@ event SumStats::cluster_key_intermediate_response(ssid: string, key: Key) if ( ssid in outstanding_global_views && |outstanding_global_views[ssid]| > max_outstanding_global_views ) { - # Don't do this intermediate update. Perhaps at some point in the future + # Don't do this intermediate update. Perhaps at some point in the future # we will queue and randomly select from these ignored intermediate # update requests. return; @@ -308,7 +307,7 @@ event SumStats::cluster_ss_response(uid: string, ssid: string, data: ResultTable local_data[key] = data[key]; # If a stat is done being collected, thresholds for each key - # need to be checked so we're doing it here to avoid doubly + # need to be checked so we're doing it here to avoid doubly # iterating over each key. if ( Cluster::worker_count == done_with[uid] ) { 
@@ -319,7 +318,7 @@ event SumStats::cluster_ss_response(uid: string, ssid: string, data: ResultTable } } } - + # If the data has been collected from all peers, we are done and ready to finish. if ( Cluster::worker_count == done_with[uid] ) { diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index ef7a34a4a4..6864966766 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -1,5 +1,5 @@ -##! The summary statistics framework provides a way to -##! summarize large streams of data into simple reduced +##! The summary statistics framework provides a way to +##! summarize large streams of data into simple reduced ##! measurements. module SumStats; @@ -10,24 +10,24 @@ export { PLACEHOLDER }; - ## Represents a thing which is having summarization + ## Represents a thing which is having summarization ## results collected for it. type Key: record { - ## A non-address related summarization or a sub-key for - ## an address based summarization. An example might be + ## A non-address related summarization or a sub-key for + ## an address based summarization. An example might be ## successful SSH connections by client IP address ## where the client string would be the key value. - ## Another example might be number of HTTP requests to - ## a particular value in a Host header. This is an - ## example of a non-host based metric since multiple - ## IP addresses could respond for the same Host + ## Another example might be number of HTTP requests to + ## a particular value in a Host header. This is an + ## example of a non-host based metric since multiple + ## IP addresses could respond for the same Host ## header value. str: string &optional; - + ## Host is the value to which this metric applies. host: addr &optional; }; - + ## Represents data being added for a single observation. ## Only supply a single field at a time! type Observation: record { 
@@ -40,17 +40,17 @@ export { }; type Reducer: record { - ## Observation stream identifier for the reducer + ## Observation stream identifier for the reducer ## to attach to. stream: string; ## The calculations to perform on the data points. apply: set[Calculation]; - - ## A predicate so that you can decide per key if you + + ## A predicate so that you can decide per key if you ## would like to accept the data being inserted. pred: function(key: SumStats::Key, obs: SumStats::Observation): bool &optional; - + ## A function to normalize the key. This can be used to aggregate or ## normalize the entire key. normalize_key: function(key: SumStats::Key): Key &optional; @@ -59,11 +59,11 @@ export { ## Value calculated for an observation stream fed into a reducer. ## Most of the fields are added by plugins. type ResultVal: record { - ## The time when the first observation was added to + ## The time when the first observation was added to ## this result value. begin: time; - ## The time when the last observation was added to + ## The time when the last observation was added to ## this result value. end: time; 
@@ -74,55 +74,56 @@ export { ## Type to store results for multiple reducers. type Result: table[string] of ResultVal; - ## Type to store a table of sumstats results indexed + ## Type to store a table of sumstats results indexed ## by keys. type ResultTable: table[Key] of Result; - ## SumStats represent an aggregation of reducers along with + ## SumStats represent an aggregation of reducers along with ## mechanisms to handle various situations like the epoch ending ## or thresholds being crossed. - ## It's best to not access any global state outside - ## of the variables given to the callbacks because there - ## is no assurance provided as to where the callbacks + ## + ## It's best to not access any global state outside + ## of the variables given to the callbacks because there + ## is no assurance provided as to where the callbacks ## will be executed on clusters. type SumStat: record { - ## The interval at which this filter should be "broken" - ## and the '$epoch_finished' callback called. The + ## The interval at which this filter should be "broken" + ## and the '$epoch_finished' callback called. The ## results are also reset at this time so any threshold - ## based detection needs to be set to a - ## value that should be expected to happen within + ## based detection needs to be set to a + ## value that should be expected to happen within ## this epoch. epoch: interval; ## The reducers for the SumStat reducers: set[Reducer]; - ## Provide a function to calculate a value from the - ## :bro:see:`Result` structure which will be used - ## for thresholding. + ## Provide a function to calculate a value from the + ## :bro:see:`Result` structure which will be used + ## for thresholding. ## This is required if a $threshold value is given. threshold_val: function(key: SumStats::Key, result: SumStats::Result): count &optional; - ## The threshold value for calling the + ## The threshold value for calling the ## $threshold_crossed callback. 
threshold: count &optional; - - ## A series of thresholds for calling the + + ## A series of thresholds for calling the ## $threshold_crossed callback. threshold_series: vector of count &optional; ## A callback that is called when a threshold is crossed. threshold_crossed: function(key: SumStats::Key, result: SumStats::Result) &optional; - - ## A callback with the full collection of Results for + + ## A callback with the full collection of Results for ## this SumStat. epoch_finished: function(rt: SumStats::ResultTable) &optional; }; - + ## Create a summary statistic. global create: function(ss: SumStats::SumStat); - ## Add data into an observation stream. This should be + ## Add data into an observation stream. This should be ## called when a script has measured some point value. ## ## id: The observation stream identifier that the data @@ -143,13 +144,13 @@ export { }; ## This event is generated when thresholds are reset for a SumStat. - ## + ## ## ssid: SumStats ID that thresholds were reset for. global thresholds_reset: event(ssid: string); - ## Helper function to represent a :bro:type:`SumStats::Key` value as + ## Helper function to represent a :bro:type:`SumStats::Key` value as ## a simple string. - ## + ## ## key: The metric key that is to be converted into a string. ## ## Returns: A string representation of the metric key. 
@@ -181,16 +182,17 @@ global result_store: table[string] of ResultTable = table();
 # Store of threshold information.
 global thresholds_store: table[string, Key] of bool = table();
-# This is called whenever
-# key values are updated and the new val is given as the `val` argument.
-# It's only prototyped here because cluster and non-cluster have separate
-# implementations.
+# This is called whenever key values are updated and the new val is given as the
+# `val` argument. It's only prototyped here because cluster and non-cluster have
+# separate implementations.
 global data_added: function(ss: SumStat, key: Key, result: Result);
 # Prototype the hook point for plugins to do calculations.
 global observe_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
+
 # Prototype the hook point for plugins to initialize any result values.
 global init_resultval_hook: hook(r: Reducer, rv: ResultVal);
+
 # Prototype the hook point for plugins to merge Results.
 global compose_resultvals_hook: hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal);
@@ -252,7 +254,7 @@ function compose_results(r1: Result, r2: Result): Result
 result[data_id] = r2[data_id];
 }
 }
-
+
 return result;
 }
@@ -306,25 +308,25 @@ function observe(id: string, key: Key, obs: Observation)
 if ( r?$normalize_key ) key = r$normalize_key(copy(key));
- # If this reducer has a predicate, run the predicate
+ # If this reducer has a predicate, run the predicate
 # and skip this key if the predicate return false.
 if ( r?$pred && ! r$pred(key, obs) ) next;
-
+
 local ss = stats_store[r$sid];
-
+
 # If there is a threshold and no epoch_finished callback
 # we don't need to continue counting since the data will
 # never be accessed. This was leading
- # to some state management issues when measuring
+ # to some state management issues when measuring
 # uniqueness.
- # NOTE: this optimization could need removed in the
+ # NOTE: this optimization could need removed in the
 # future if on demand access is provided to the
 # SumStats results.
 if ( ! ss?$epoch_finished && r$sid in threshold_tracker && key in threshold_tracker[r$sid] &&
- ( ss?$threshold &&
+ ( ss?$threshold &&
 threshold_tracker[r$sid][key]$is_threshold_crossed ) || ( ss?$threshold_series && threshold_tracker[r$sid][key]$threshold_series_index+1 == |ss$threshold_series| ) )
@@ -356,7 +358,7 @@ function observe(id: string, key: Key, obs: Observation)
 }
 }
-# This function checks if a threshold has been crossed. It is also used as a method to implement
+# This function checks if a threshold has been crossed. It is also used as a method to implement
 # mid-break-interval threshold crossing detection for cluster deployments.
 function check_thresholds(ss: SumStat, key: Key, result: Result, modify_pct: double): bool
 {
@@ -399,7 +401,7 @@ function check_thresholds(ss: SumStat, key: Key, result: Result, modify_pct: dou
 |ss$threshold_series| >= tt$threshold_series_index &&
 watch >= ss$threshold_series[tt$threshold_series_index] )
 {
- # A threshold series was given and the value crossed the next
+ # A threshold series was given and the value crossed the next
 # value in the series.
 return T;
 }
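Review bot: In the optimization guard of observe(), `&&` binds tighter than `||`, so the `( ss?$threshold_series && ... )` alternative on the last lines of the hunk is evaluated on its own, without the `! ss?$epoch_finished`, `r$sid in threshold_tracker` and `key in threshold_tracker[r$sid]` conditions that precede it. When a threshold_series is configured that means the key is presumably skipped (the body following the condition is outside the hunk) once the last series value is reached even if an $epoch_finished callback exists, contradicting the comment above, and `threshold_tracker[r$sid][key]` is indexed without the membership guards that protect the `$threshold` alternative. Wrapping the two alternatives fixes both: `( ( ss?$threshold && threshold_tracker[r$sid][key]$is_threshold_crossed ) ||` followed by `( ss?$threshold_series && threshold_tracker[r$sid][key]$threshold_series_index+1 == |ss$threshold_series| ) ) )`. The enclosing loop and function start and end outside the hunk.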
diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro
index 21386a246e..f27d4b5cfb 100644
--- a/scripts/base/frameworks/sumstats/non-cluster.bro
+++ b/scripts/base/frameworks/sumstats/non-cluster.bro
@@ -15,8 +15,8 @@ event SumStats::finish_epoch(ss: SumStat)
 schedule ss$epoch { SumStats::finish_epoch(ss) };
 }
-
-
+
+
 function data_added(ss: SumStat, key: Key, result: Result)
 {
 if ( check_thresholds(ss, key, result, 1.0) )
diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro
index baabb8ca5e..a409bb9408 100644
--- a/scripts/base/frameworks/sumstats/plugins/average.bro
+++ b/scripts/base/frameworks/sumstats/plugins/average.bro
@@ -3,7 +3,7 @@ module SumStats;
 export {
- redef enum Calculation += {
+ redef enum Calculation += {
 ## Calculate the average of the values.
 AVERAGE
 };
@@ -33,4 +33,4 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 result$average = rv1$average;
 else if ( rv2?$average )
 result$average = rv2$average;
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro
index 532883d46e..6167d31f10 100644
--- a/scripts/base/frameworks/sumstats/plugins/max.bro
+++ b/scripts/base/frameworks/sumstats/plugins/max.bro
@@ -3,7 +3,7 @@ module SumStats;
 export {
- redef enum Calculation += {
+ redef enum Calculation += {
 ## Find the maximum value.
 MAX
 };
@@ -18,7 +18,7 @@ hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( MAX in r$apply )
 {
- if ( ! rv?$max )
+ if ( ! rv?$max )
 rv$max = val;
 else if ( val > rv$max )
 rv$max = val;
diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro
index 2940b34a9b..a15ed0e733 100644
--- a/scripts/base/frameworks/sumstats/plugins/min.bro
+++ b/scripts/base/frameworks/sumstats/plugins/min.bro
@@ -3,7 +3,7 @@ module S_PLACEHOLDER_NEVER_USED
diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro
index 18056d14fb..3e5b28e2be 100644
--- a/scripts/base/frameworks/sumstats/plugins/sum.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sum.bro
@@ -3,7 +3,7 @@ module SumStats;
 export {
- redef enum Calculation += {
+ redef enum Calculation += {
 ## Sums the values given. For string values,
 ## this will be the number of strings given.
 SUM
@@ -48,4 +48,4 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 if ( rv2?$sum )
 result$sum += rv2$sum;
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro
index f44da07e07..a407a487a2 100644
--- a/scripts/base/frameworks/sumstats/plugins/unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/unique.bro
@@ -3,7 +3,7 @@ module SumStats;
 export {
- redef enum Calculation += {
+ redef enum Calculation += {
 ## Calculate the number of unique values.
 UNIQUE
 };
@@ -16,8 +16,8 @@ export {
 }
 redef record ResultVal += {
- # Internal use only. This is not meant to be publically available
- # because we don't want to trust that we can inspect the values
+ # Internal use only. This is not meant to be publically available
+ # because we don't want to trust that we can inspect the values
 # since we will like move to a probalistic data structure in the future.
 # TODO: in the future this will optionally be a hyperloglog structure
 unique_vals: set[Observation] &optional;
@@ -27,7 +27,7 @@ hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 {
 if ( UNIQUE in r$apply )
 {
- if ( ! rv?$unique_vals )
+ if ( ! rv?$unique_vals )
 rv$unique_vals=set();
 add rv$unique_vals[obs];
 rv$unique = |rv$unique_vals|;
@@ -40,7 +40,7 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 {
 if ( rv1?$unique_vals )
 result$unique_vals = rv1$unique_vals;
-
+
 if ( rv2?$unique_vals )
 if ( ! result?$unique_vals )
 result$unique_vals = rv2$unique_vals;
@@ -50,4 +50,4 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 result$unique = |result$unique_vals|;
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro
index 9aadd58bdd..1e7a00ea97 100644
--- a/scripts/base/frameworks/sumstats/plugins/variance.bro
+++ b/scripts/base/frameworks/sumstats/plugins/variance.bro
@@ -4,7 +4,7 @@ module SumStats;
 export {
- redef enum Calculation += {
+ redef enum Calculation += {
 ## Find the variance of the values.
 VARIANCE
 };
@@ -66,4 +66,4 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 result$prev_avg = rv2$prev_avg;
 calc_variance(result);
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index f4112efde0..d069486e67 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -1,7 +1,7 @@
-##! Base SSH analysis script. The heuristic to blindly determine success or
+##! Base SSH analysis script. The heuristic to blindly determine success or
 ##! failure for SSH connections is implemented here. At this time, it only
 ##! uses the size of the data being returned from the server to make the
-##! heuristic determination about success of the connection.
+##! heuristic determination about success of the connection.
 ##! Requires that :bro:id:`use_conn_size_analyzer` is set to T! The heuristic
 ##! is not attempted if the connection size analyzer isn't enabled.
@@ -17,7 +17,7 @@ module SSH;
 export {
 ## The SSH protocol logging stream identifier.
 redef enum Log::ID += { LOG };
-
+
 type Info: record {
 ## Time when the SSH connection began.
 ts: time &log;
@@ -26,9 +26,9 @@ export {
 ## The connection's 4-tuple of endpoint addresses/ports.
 id: conn_id &log;
 ## Indicates if the login was heuristically guessed to be "success",
- ## "failure", or "undetermined".
+ ## "failure", or "undetermined".
 status: string &log &default="undetermined";
- ## Direction of the connection. If the client was a local host
+ ## Direction of the connection. If the client was a local host
 ## logging into an external host, this would be OUTBOUND. INBOUND
 ## would be set for the opposite situation.
 # TODO: handle local-local and remote-remote better.
@@ -38,33 +38,33 @@ export {
 ## Software string from the server.
 server: string &log &optional;
 ## Amount of data returned from the server. This is currently
- ## the only measure of the success heuristic and it is logged to
+ ## the only measure of the success heuristic and it is logged to
 ## assist analysts looking at the logs to make their own determination
 ## about the success on a case-by-case basis.
 resp_size: count &log &default=0;
-
+
 ## Indicate if the SSH session is done being watched.
 done: bool &default=F;
 };
-
- ## The size in bytes of data sent by the server at which the SSH
+
+ ## The size in bytes of data sent by the server at which the SSH
 ## connection is presumed to be successful.
 const authentication_data_size = 4000 &redef;
-
+
 ## If true, we tell the event engine to not look at further data
 ## packets after the initial SSH handshake. Helps with performance
 ## (especially with large file transfers) but precludes some
 ## kinds of analyses.
 const skip_processing_after_detection = F &redef;
-
+
 ## Event that is generated when the heuristic thinks that a login
 ## was successful.
 global heuristic_successful_login: event(c: connection);
-
+
 ## Event that is generated when the heuristic thinks that a login
 ## failed.
 global heuristic_failed_login: event(c: connection);
-
+
 ## Event that can be handled to access the :bro:type:`SSH::Info`
 ## record as it is sent on to the logging framework.
 global log_ssh: event(rec: Info);
@@ -102,21 +102,21 @@ function check_ssh_connection(c: connection, done: bool)
 # If already done watching this connection, just return.
 if ( c$ssh$done ) return;
-
+
 if ( done )
 {
- # If this connection is done, then we can look to see if
+ # If this connection is done, then we can look to see if
 # this matches the conditions for a failed login. Failed
 # logins are only detected at connection state removal.
- if ( # Require originators to have sent at least 50 bytes.
+ if ( # Require originators to have sent at least 50 bytes.
 c$orig$size > 50 &&
 # Responders must be below 4000 bytes.
- c$resp$size < 4000 &&
+ c$resp$size < 4000 &&
 # Responder must have sent fewer than 40 packets.
 c$resp$num_pkts < 40 &&
 # If there was a content gap we can't reliably do this heuristic.
- c?$conn && c$conn$missed_bytes == 0)# &&
+ c?$conn && c$conn$missed_bytes == 0)# &&
 # Only "normal" connections can count.
 #c$conn?$conn_state && c$conn$conn_state in valid_states )
 {
@@ -147,13 +147,13 @@ function check_ssh_connection(c: connection, done: bool)
 # Set the direction for the log.
 c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND;
-
+
 # Set the "done" flag to prevent the watching event from rescheduling
 # after detection is done.
 c$ssh$done=T;
 Log::write(SSH::LOG, c$ssh);
-
+
 if ( skip_processing_after_detection )
 {
 # Stop watching this connection, we don't care about it anymore.
@@ -186,12 +186,12 @@ event ssh_server_version(c: connection, version: string) &priority=5
 set_session(c);
 c$ssh$server = version;
 }
-
+
 event ssh_client_version(c: connection, version: string) &priority=5
 {
 set_session(c);
 c$ssh$client = version;
-
+
 # The heuristic detection for SSH relies on the ConnSize analyzer.
 # Don't do the heuristics if it's disabled.
 if ( use_conn_size_analyzer )
diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro
index ed45b034f5..11e85f229d 100644
--- a/scripts/base/utils/queue.bro
+++ b/scripts/base/utils/queue.bro
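Review bot: The failed-login branch of check_ssh_connection() hard-codes the responder limit as `c$resp$size < 4000 &&` on a line this commit touches, while the export block declares `const authentication_data_size = 4000 &redef;` as the documented, redefinable size at which a connection is presumed successful. A deployment that redefs authentication_data_size would then move only the success side (assuming the success branch, which lies outside the hunk, compares against the constant), leaving connections between the two values classified neither way; `c$resp$size < authentication_data_size &&` keeps both heuristics on one knob. The commented-out `#c$conn?$conn_state && c$conn$conn_state in valid_states )` tail and the `)# &&` splice on the line above it also deserve a short comment saying why the state check is disabled, since as written the closing parenthesis is easy to misread. The enclosing function continues past the hunk.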
@@ -6,7 +6,7 @@ export {
 ## Settings for initializing the queue.
 type Settings: record {
 ## If a maximum length is set for the queue
- ## it will maintain itself at that
+ ## it will maintain itself at that
 ## maximum length automatically.
 max_len: count &optional;
 };
@@ -15,17 +15,17 @@ export {
 type Queue: record {};
 ## Initialize a queue record structure.
- ##
+ ##
 ## s: A :bro:record:`Settings` record configuring the queue.
 ##
 ## Returns: An opaque queue record.
 global init: function(s: Settings): Queue;
 ## Put a string onto the beginning of a queue.
- ##
+ ##
 ## q: The queue to put the value into.
- ##
- ## val: The value to insert into the queue.
+ ##
+ ## val: The value to insert into the queue.
 global put: function(q: Queue, val: any);
 ## Get a string from the end of a queue.
@@ -35,29 +35,29 @@ export {
 ## Returns: The value gotten from the queue.
 global get: function(q: Queue): any;
- ## Merge two queue's together. If any settings are applied
+ ## Merge two queue's together. If any settings are applied
 ## to the queues, the settings from q1 are used for the new
 ## merged queue.
- ##
+ ##
 ## q1: The first queue. Settings are taken from here.
 ##
 ## q2: The second queue.
- ##
+ ##
 ## Returns: A new queue from merging the other two together.
 global merge: function(q1: Queue, q2: Queue): Queue;
 ## Get the number of items in a queue.
- ##
+ ##
 ## q: The queue.
 ##
 ## Returns: The length of the queue.
 global len: function(q: Queue): count;
-
+
 ## Get the contents of the queue as a vector.
- ##
+ ##
 ## q: The queue.
 ##
- ## ret: A vector containing the
+ ## ret: A vector containing the
 ## current contents of q as the type of ret.
 global get_vector: function(q: Queue, ret: vector of any);
@@ -130,7 +130,7 @@ function get_vector(q: Queue, ret: vector of any)
 local i = q$bottom;
 local j = 0;
 # Really dumb hack, this is only to provide
- # the iteration for the correct number of
+ # the iteration for the correct number of
 # values in q$vals.
 for ( ignored_val in q$vals )
 {
diff --git a/scripts/base/utils/time.bro b/scripts/base/utils/time.bro
index abae46c144..2e3788e681 100644
--- a/scripts/base/utils/time.bro
+++ b/scripts/base/utils/time.bro
@@ -1,6 +1,6 @@
 ## Given an interval, returns a string of the form 3m34s to
-## give a minimalized human readable string for the minutes
+## give a minimalized human readable string for the minutes
 ## and seconds represented by the interval.
 function duration_to_mins_secs(dur: interval): string
 {
diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro
index ec2e8f8d48..3df38ad8ad 100644
--- a/scripts/policy/misc/app-metrics.bro
+++ b/scripts/policy/misc/app-metrics.bro
@@ -36,9 +36,9 @@ event bro_init() &priority=3
 local r1: SumStats::Reducer = [$stream="apps.bytes", $apply=set(SumStats::SUM)];
 local r2: SumStats::Reducer = [$stream="apps.hits", $apply=set(SumStats::UNIQUE)];
- SumStats::create([$epoch=break_interval,
+ SumStats::create([$epoch=break_interval,
 $reducers=set(r1, r2),
- $epoch_finished(data: SumStats::ResultTable) =
+ $epoch_finished(data: SumStats::ResultTable) =
 {
 local l: Info;
 l$ts = network_time();
@@ -67,12 +67,12 @@ function add_sumstats(id: conn_id, hostname: string, size: count)
 SumStats::observe("apps.bytes", [$str="facebook"], [$num=size]);
 SumStats::observe("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]);
 }
- else if ( /\.google\.com$/ in hostname && size > 20 )
+ else if ( /\.google\.com$/ in hostname && size > 20 )
 {
 SumStats::observe("apps.bytes", [$str="google"], [$num=size]);
 SumStats::observe("apps.hits", [$str="google"], [$str=cat(id$orig_h)]);
 }
- else if ( /\.nflximg\.com$/ in hostname && size > 200*1024 )
+ else if ( /\.nflximg\.com$/ in hostname && size > 200*1024 )
 {
 SumStats::observe("apps.bytes", [$str="netflix"], [$num=size]);
 SumStats::observe("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]);
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro
index fd4190f8a6..c194d03e13 100644
--- a/scripts/policy/misc/detect-traceroute/main.bro
+++ b/scripts/policy/misc/detect-traceroute/main.bro
@@ -1,7 +1,7 @@
-##! This script detects large number of ICMP Time Exceeded messages heading
-##! toward hosts that have sent low TTL packets.
-##! It generates a notice when the number of ICMP Time Exceeded
-##! messages for a source-destination pair exceeds threshold
+##! This script detects a large number of ICMP Time Exceeded messages heading toward
+##! hosts that have sent low TTL packets. It generates a notice when the number of
+##! ICMP Time Exceeded messages for a source-destination pair exceeds a
+##! threshold.
 @load base/frameworks/sumstats
 @load base/frameworks/signatures
 @load-sigs ./detect-low-ttls.sig
@@ -22,10 +22,10 @@ export {
 ## By default this script requires that any host detected running traceroutes
 ## first send low TTL packets (TTL < 10) to the traceroute destination host.
- ## Changing this this setting to `F` will relax the detection a bit by
+ ## Changing this this setting to `F` will relax the detection a bit by
 ## solely relying on ICMP time-exceeded messages to detect traceroute.
 const require_low_ttl_packets = T &redef;
-
+
 ## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.
 ## This threshold only comes into play after a host is found to be
 ## sending low ttl packets.
@@ -61,7 +61,7 @@ event bro_init() &priority=5
 $reducers=set(r1, r2),
 $threshold_val(key: SumStats::Key, result: SumStats::Result) =
 {
- # Give a threshold value of zero depending on if the host
+ # Give a threshold value of zero depending on if the host
 # sends a low ttl packet.
 if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
 return 0;
diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro
index 508e9316a8..f3dcaf2291 100644
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
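Review bot: The doc line this commit re-emits for require_low_ttl_packets still carries a doubled word, `## Changing this this setting to `F` will relax the detection a bit by`; since the line is being rewritten anyway it should read `## Changing this setting to `F` will relax the detection a bit by`. The same hunk's description of the default could also say explicitly that with the setting at `T` a host is only reported after it has itself sent TTL < 10 packets, which is the behaviour the threshold_val callback in the later hunk implements by returning 0 otherwise.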
@@ -13,36 +13,39 @@ module Scan;
 export {
 redef enum Notice::Type += {
- ## Address scans detect that a host appears to be scanning some number
- ## of hosts on a single port. This notice is generated when more than
- ## :bro:id:`addr_scan_threshold` unique hosts are seen over the
- ## previous :bro:id:`addr_scan_interval` time range.
+ ## Address scans detect that a host appears to be scanning some number of
+ ## destinations on a single port. This notice is generated when more than
+ ## :bro:id:`addr_scan_threshold` unique hosts are seen over the previous
+ ## :bro:id:`addr_scan_interval` time range.
 Address_Scan,
- ## Port scans detect that an attacking host appears to be scanning a
- ## single victim host on several ports. This notice is generated when
- ## an attacking host attempts to connect to :bro:id:`port_scan_threshold`
- ## unique ports on a single host over the previous
+
+ ## Port scans detect that an attacking host appears to be scanning a
+ ## single victim host on several ports. This notice is generated when
+ ## an attacking host attempts to connect to :bro:id:`port_scan_threshold`
+ ## unique ports on a single host over the previous
 ## :bro:id:`port_scan_interval` time range.
 Port_Scan,
 };
- ## Failed connection attempts are tracked over this time interval for the address
- ## scan detection. A higher interval will detect slower scanners, but may
- ## also yield more false positives.
+ ## Failed connection attempts are tracked over this time interval for the address
+ ## scan detection. A higher interval will detect slower scanners, but may also
+ ## yield more false positives.
 const addr_scan_interval = 5min &redef;
- ## Failed connection attempts are tracked over this time interval for the port
- ## scan detection. A higher interval will detect slower scanners, but may
- ## also yield more false positives.
+
+ ## Failed connection attempts are tracked over this time interval for the port scan
+ ## detection.
A higher interval will detect slower scanners, but may also yield
+ ## more false positives.
 const port_scan_interval = 5min &redef;
- ## The threshold of a unique number of hosts a scanning host has to have failed
+ ## The threshold of a unique number of hosts a scanning host has to have failed
 ## connections with on a single port.
 const addr_scan_threshold = 25 &redef;
+
 ## The threshold of a number of unique ports a scanning host has to have failed
 ## connections with on a single victim host.
 const port_scan_threshold = 15 &redef;
- ## Custom thresholds based on service for address scan. This is primarily
+ ## Custom thresholds based on service for address scan. This is primarily
 ## useful for setting reduced thresholds for specific ports.
 const addr_scan_custom_thresholds: table[port] of count &redef;
@@ -73,14 +76,14 @@ event bro_init() &priority=5
 $sub=side,
 $msg=message,
 $identifier=cat(key$host)]);
- }]);
+ }]);
 # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port);
 local r2: SumStats::Reducer = [$stream="scan.port.fail", $apply=set(SumStats::UNIQUE)];
 SumStats::create([$epoch=port_scan_interval,
 $reducers=set(r2),
 $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
+ {
 return double_to_count(result["scan.port.fail"]$unique);
 },
 $threshold=port_scan_threshold,
@@ -90,13 +93,13 @@ event bro_init() &priority=5
 local side = Site::is_local_addr(key$host) ? "local" : "remote";
 local dur = duration_to_mins_secs(r$end-r$begin);
 local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur);
- NOTICE([$note=Port_Scan,
+ NOTICE([$note=Port_Scan,
 $src=key$host,
 $dst=to_addr(key$str),
 $sub=side,
 $msg=message,
 $identifier=cat(key$host)]);
- }]);
+ }]);
 }
 function add_sumstats(id: conn_id, reverse: bool)
@@ -111,7 +114,7 @@ function add_sumstats(id: conn_id, reverse: bool)
 victim = id$orig_h;
 scanned_port = id$orig_p;
 }
-
+
 if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
 SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
@@ -121,7 +124,7 @@ function add_sumstats(id: conn_id, reverse: bool)
 function is_failed_conn(c: connection): bool
 {
- # Sr || ( (hR || ShR) && (data not sent in any direction) )
+ # Sr || ( (hR || ShR) && (data not sent in any direction) )
 if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) || (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history )
@@ -134,7 +137,7 @@ function is_failed_conn(c: connection): bool
 function is_reverse_failed_conn(c: connection): bool
 {
 # reverse scan i.e. conn dest is the scanner
- # sR || ( (Hr || sHr) && (data not sent in any direction) )
+ # sR || ( (Hr || sHr) && (data not sent in any direction) )
 if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) || (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history )
@@ -144,37 +147,34 @@ function is_reverse_failed_conn(c: connection): bool
 return F;
 }
-## Generated for an unsuccessful connection attempt. This
-## event is raised when an originator unsuccessfully attempted
-## to establish a connection. “Unsuccessful” is defined as at least
-## tcp_attempt_delay seconds having elapsed since the originator
-## first sent a connection establishment packet to the destination
-## without seeing a reply.
+## Generated for an unsuccessful connection attempt. This
+## event is raised when an originator unsuccessfully attempted
+## to establish a connection. “Unsuccessful” is defined as at least
+## tcp_attempt_delay seconds having elapsed since the originator first sent a
+## connection establishment packet to the destination without seeing a reply.
 event connection_attempt(c: connection)
 {
 local is_reverse_scan = F;
 if ( "H" in c$history )
 is_reverse_scan = T;
-
+
 add_sumstats(c$id, is_reverse_scan);
 }
-## Generated for a rejected TCP connection. This event
-## is raised when an originator attempted to setup a TCP
-## connection but the responder replied with a RST packet
+## Generated for a rejected TCP connection. This event is raised when an originator
+## attempted to setup a TCP connection but the responder replied with a RST packet
 ## denying it.
 event connection_rejected(c: connection)
 {
 local is_reverse_scan = F;
 if ( "s" in c$history )
 is_reverse_scan = T;
-
+
 add_sumstats(c$id, is_reverse_scan);
 }
-## Generated when an endpoint aborted a TCP connection.
-## The event is raised when one endpoint of an *established*
-## TCP connection aborted by sending a RST packet.
+## Generated when an endpoint aborted a TCP connection. The event is raised when
+## one endpoint of an *established* TCP connection aborted by sending a RST packet.
 event connection_reset(c: connection)
 {
 if ( is_failed_conn(c) )
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
index e6c44ddb64..21c9c403c7 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@@ -1,3 +1,5 @@
+##! FTP brute-forcing detector, triggering when too many rejected usernames or
+##! failed passwords have occured from a single address.
 @load base/protocols/ftp
 @load base/frameworks/sumstats
@@ -7,13 +9,13 @@ module FTP;
 export {
- redef enum Notice::Type += {
+ redef enum Notice::Type += {
 ## Indicates a host bruteforcing FTP logins by watching for too many
 ## rejected usernames or failed passwords.
 Bruteforcing
 };
- ## How many rejected usernames or passwords are required before being
+ ## How many rejected usernames or passwords are required before being
 ## considered to be bruteforcing.
 const bruteforce_threshold = 20 &redef;
@@ -29,17 +31,17 @@ event bro_init()
 SumStats::create([$epoch=bruteforce_measurement_interval,
 $reducers=set(r1),
 $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
+ {
 return result["ftp.failed_auth"]$num;
 },
 $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 {
 local r = result["ftp.failed_auth"];
 local dur = duration_to_mins_secs(r$end-r$begin);
 local plural = r$unique>1 ? "s" : "";
 local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
+ NOTICE([$note=FTP::Bruteforcing,
 $src=key$host,
 $msg=message,
 $identifier=cat(key$host)]);
@@ -54,4 +56,4 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 if ( FTP::parse_ftp_reply_code(code)$x == 5 )
 SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 }
- }
\ No newline at end of file
+ }
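Review bot: The new file header added in the first hunk misspells "occurred": `##! failed passwords have occured from a single address.` should read `##! failed passwords have occurred from a single address.`. While touching it, the header could also name the tunable the detector keys on, since the @@ -7 hunk documents `bruteforce_threshold` right below; for example `##! failed passwords have occurred from a single address (see bruteforce_threshold).`.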
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index daec0b0fb0..11dba0dc46 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -14,22 +14,22 @@ export {
 ## it. This is tracked by IP address as opposed to hostname.
 SQL_Injection_Victim,
 };
-
+
 redef enum Tags += {
 ## Indicator of a URI based SQL injection attack.
 URI_SQLI,
- ## Indicator of client body based SQL injection attack. This is
+ ## Indicator of client body based SQL injection attack. This is
 ## typically the body content of a POST request. Not implemented yet.
 POST_SQLI,
 ## Indicator of a cookie based SQL injection attack. Not implemented yet.
 COOKIE_SQLI,
 };
-
+
 ## Defines the threshold that determines if an SQL injection attack
- ## is ongoing based on the number of requests that appear to be SQL
+ ## is ongoing based on the number of requests that appear to be SQL
 ## injection attacks.
 const sqli_requests_threshold = 50 &redef;
-
+
 ## Interval at which to watch for the
 ## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
 ## At the end of each interval the counter is reset.
@@ -41,7 +41,7 @@ export { const collect_SQLi_samples = 5 &redef; ## Regular expression is used to match URI based SQL injections. - const match_sql_injection_uri = + const match_sql_injection_uri = /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/ | /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ | /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ @@ -60,18 +60,18 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string event bro_init() &priority=3 { - # Add filters to the metrics so that the metrics framework knows how to + # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when # thresholds are crossed. local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples]; SumStats::create([$epoch=sqli_requests_interval, $reducers=set(r1), $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { + { return double_to_count(result["http.sqli.attacker"]$sum); }, $threshold=sqli_requests_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { local r = result["http.sqli.attacker"]; NOTICE([$note=SQL_Injection_Attacker, 
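Review bot: The comment reflowed at the top of bro_init() in the @@ -60 hunk, `# Add filters to the metrics so that the metrics framework knows how to`, still describes the previous metrics framework and its filters, while the code directly beneath it builds a SumStats::Reducer and calls SumStats::create with a $threshold_val and $threshold_crossed. Suggest `# Set up the SumStats reducers and thresholds so the framework knows how to`, keeping the two continuation lines as they are. The event handler continues past the hunk.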
@@ -85,11 +85,11 @@ event bro_init() &priority=3 SumStats::create([$epoch=sqli_requests_interval, $reducers=set(r2), $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { + { return double_to_count(result["http.sqli.victim"]$sum); }, $threshold=sqli_requests_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { local r = result["http.sqli.victim"]; NOTICE([$note=SQL_Injection_Victim, @@ -106,7 +106,7 @@ event http_request(c: connection, method: string, original_URI: string, if ( match_sql_injection_uri in unescaped_URI ) { add c$http$tags[URI_SQLI]; - + SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]); SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]); } diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index 82c0bb0f08..309905e939 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -10,7 +10,7 @@ module SSH; export { redef enum Notice::Type += { - ## Indicates that a host has been identified as crossing the + ## Indicates that a host has been identified as crossing the ## :bro:id:`SSH::password_guesses_limit` threshold with heuristically ## determined failed logins. Password_Guessing, @@ -24,7 +24,7 @@ export { ## An indicator of the login for the intel framework. SSH::SUCCESSFUL_LOGIN, }; - + ## The number of failed SSH connections before a host is designated as ## guessing passwords. const password_guesses_limit = 30 &redef; 
@@ -33,9 +33,9 @@ export { ## model of a password guesser. const guessing_timeout = 30 mins &redef; - ## This value can be used to exclude hosts or entire networks from being + ## This value can be used to exclude hosts or entire networks from being ## tracked as potential "guessers". There are cases where the success - ## heuristic fails and this acts as the whitelist. The index represents + ## heuristic fails and this acts as the whitelist. The index represents ## client subnets and the yield value represents server subnets. const ignore_guessers: table[subnet] of subnet &redef; } @@ -46,21 +46,21 @@ event bro_init() SumStats::create([$epoch=guessing_timeout, $reducers=set(r1), $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { + { return double_to_count(result["ssh.login.failure"]$sum); }, $threshold=password_guesses_limit, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { local r = result["ssh.login.failure"]; # Generate the notice. - NOTICE([$note=Password_Guessing, + NOTICE([$note=Password_Guessing, $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), $src=key$host, $identifier=cat(key$host)]); # Insert the guesser into the intel framework. Intel::insert([$host=key$host, - $meta=[$source="local", + $meta=[$source="local", $desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]); }]); } @@ -68,7 +68,7 @@ event bro_init() event SSH::heuristic_successful_login(c: connection) { local id = c$id; - + Intel::seen([$host=id$orig_h, $conn=c, $where=SSH::SUCCESSFUL_LOGIN]); 
@@ -77,8 +77,8 @@ event SSH::heuristic_successful_login(c: connection) event SSH::heuristic_failed_login(c: connection) { local id = c$id; - - # Add data to the FAILED_LOGIN metric unless this connection should + + # Add data to the FAILED_LOGIN metric unless this connection should # be ignored. if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) ) From c1f08cc435e934287eb0a9803e9373d8fdc60838 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 28 Apr 2013 15:36:49 -0700 Subject: [PATCH 088/134] Updating test for removed metric_* log fields. --- .../notice.log | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log index 21b5342a13..f2cf09cab6 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-04-25-18-55-26 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1366916126.685057 - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - -1366916126.685057 - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-04-25-18-55-26 +#open 2013-04-28-22-36-26 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1367188586.649122 - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - +1367188586.649122 - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-28-22-36-26 From 0141f5180171f42981bcce58c6fdc457b779f551 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 29 Apr 2013 11:34:27 -0500 Subject: [PATCH 089/134] FileAnalysis: load custom mime magic database just once. This works around a bug in libmagic since version 5.12 (current at time of writing is 5.14) -- second call to magic_load() w/ non-default database segfaults. --- src/FileAnalyzer.cc | 18 +++--------------- src/FileAnalyzer.h | 4 ---- src/bro.bif | 6 +----- src/file_analysis/File.cc | 6 +----- src/file_analysis/File.h | 3 --- src/main.cc | 7 +++++++ src/util.h | 3 +++ 7 files changed, 15 insertions(+), 32 deletions(-) diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 508ae23335..a43bba2246 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -5,16 +5,10 @@ #include "Reporter.h" #include "util.h" -magic_t File_Analyzer::magic = 0; -magic_t File_Analyzer::magic_mime = 0; - File_Analyzer::File_Analyzer(AnalyzerTag::Tag tag, Connection* conn) : TCP_ApplicationAnalyzer(tag, conn) { buffer_len = 0; - - bro_init_magic(&magic, MAGIC_NONE); - bro_init_magic(&magic_mime, MAGIC_MIME); } void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) @@ -49,19 +43,13 @@ void File_Analyzer::Done() void File_Analyzer::Identify() { - const char* descr = 0; - const char* mime = 0; - - if ( magic ) - descr = bro_magic_buffer(magic, buffer, buffer_len); - - if ( magic_mime ) - mime = bro_magic_buffer(magic_mime, buffer, buffer_len); + const char* desc = bro_magic_buffer(magic_desc_cookie, buffer, buffer_len); + const char* mime = bro_magic_buffer(magic_mime_cookie, buffer, buffer_len); val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(new StringVal(buffer_len, buffer)); - vl->append(new StringVal(descr ? descr : "")); + vl->append(new StringVal(desc ? desc : "")); vl->append(new StringVal(mime ? mime : "")); ConnectionEvent(file_transferred, vl); } diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index c4bd084cdc..59ec5cdb37 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h 
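Review bot: File_Analyzer::Identify() now passes `magic_desc_cookie` and `magic_mime_cookie` straight to bro_magic_buffer() and drops the `if ( magic )` / `if ( magic_mime )` guards the old code had, while the identify_data BIF in the same commit still refuses a null cookie (`if( ! *magic ) return new StringVal("")`), which suggests bro_init_magic() can leave a cookie at 0. Whether bro_magic_buffer() tolerates a null cookie is not visible in this chunk, so I would keep the guards: `const char* desc = magic_desc_cookie ? bro_magic_buffer(magic_desc_cookie, buffer, buffer_len) : 0;` and `const char* mime = magic_mime_cookie ? bro_magic_buffer(magic_mime_cookie, buffer, buffer_len) : 0;`, which preserves the previous behaviour of emitting the event with empty strings. A short comment on why the cookies are now process-wide globals (the second magic_load() crash from the commit message) would also help the next reader of this function.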
@@ -6,7 +6,6 @@ #include "TCP.h" #include -#include class File_Analyzer : public TCP_ApplicationAnalyzer { public: @@ -31,9 +30,6 @@ protected: static const int BUFFER_SIZE = 1024; char buffer[BUFFER_SIZE]; int buffer_len; - - static magic_t magic; - static magic_t magic_mime; }; class IRC_Data : public File_Analyzer { diff --git a/src/bro.bif b/src/bro.bif index ba300d1502..b46ae41d7d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -849,11 +849,7 @@ extern "C" { ## Returns: The MIME type of *data*, or "" if there was an error. function identify_data%(data: string, return_mime: bool%): string %{ - static magic_t magic_mime = 0; - static magic_t magic_descr = 0; - - magic_t* magic = return_mime ? &magic_mime : &magic_descr; - bro_init_magic(magic, return_mime ? MAGIC_MIME : MAGIC_NONE); + magic_t* magic = return_mime ? &magic_mime_cookie : &magic_desc_cookie; if( ! *magic ) return new StringVal(""); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index f70257a4af..70f7b174be 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -49,8 +49,6 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::mime_type_idx = -1; -magic_t File::magic_mime = 0; - string File::salt; void File::StaticInit() @@ -72,8 +70,6 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer"); mime_type_idx = Idx("mime_type"); - bro_init_magic(&magic_mime, MAGIC_MIME); - salt = BifConst::FileAnalysis::salt->CheckString(); } @@ -250,7 +246,7 @@ bool File::BufferBOF(const u_char* data, uint64 len) bool File::DetectMIME(const u_char* data, uint64 len) { - const char* mime = bro_magic_buffer(magic_mime, data, len); + const char* mime = bro_magic_buffer(magic_mime_cookie, data, len); if ( mime ) { diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 07d8d66825..e6438a9e64 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h 
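Review bot: identify_data() takes the address of a global just to read it (`magic_t* magic = return_mime ? &magic_mime_cookie : &magic_desc_cookie;`), a leftover from when the pointer selected which static to lazily initialise; with initialisation moved to main() a plain value is clearer: `magic_t magic = return_mime ? magic_mime_cookie : magic_desc_cookie;` followed by `if ( ! magic ) return new StringVal("");`. The rest of the BIF body, which presumably still dereferences `magic`, lies below the hunk and would need the matching one-token change. Note also that this BIF keeps its null-cookie check while File::DetectMIME() in the same commit calls `bro_magic_buffer(magic_mime_cookie, data, len)` unguarded; the two call sites should agree on whether a zero cookie is possible.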
@@ -3,7 +3,6 @@ #include #include -#include #include "AnalyzerTags.h" #include "Conn.h" @@ -207,8 +206,6 @@ protected: */ static void StaticInit(); - static magic_t magic_mime; - static string salt; static int id_idx; diff --git a/src/main.cc b/src/main.cc index 7318058038..fe445165fe 100644 --- a/src/main.cc +++ b/src/main.cc @@ -23,6 +23,7 @@ extern "C" { #endif #include +#include extern "C" void OPENSSL_add_all_algorithms_conf(void); @@ -64,6 +65,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); Brofiler brofiler; +magic_t magic_desc_cookie = 0; +magic_t magic_mime_cookie = 0; + #ifndef HAVE_STRSEP extern "C" { char* strsep(char**, const char*); @@ -730,6 +734,9 @@ int main(int argc, char** argv) curl_global_init(CURL_GLOBAL_ALL); #endif + bro_init_magic(&magic_desc_cookie, MAGIC_NONE); + bro_init_magic(&magic_mime_cookie, MAGIC_MIME); + // FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't // seed the PRNG. We should do this here (but at least Linux, FreeBSD // and Solaris provide /dev/urandom). diff --git a/src/util.h b/src/util.h index 4e352457b7..b0ac760117 100644 --- a/src/util.h +++ b/src/util.h @@ -370,6 +370,9 @@ struct CompareString } }; +extern magic_t magic_desc_cookie; +extern magic_t magic_mime_cookie; + void bro_init_magic(magic_t* cookie_ptr, int flags); const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length); From 7f0e25bdeff598d85dde9adf668e3875f0a4f591 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 20:47:44 -0700 Subject: [PATCH 090/134] Replacing cluster leak test. The former one used the old metrics framework, now switching to sumstats. --- testing/btest/core/leaks/basic-cluster.bro | 84 +++++++++++----------- 1 file changed, 43 insertions(+), 41 deletions(-) diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index 319368bc6e..d25af55b3f 100644 --- a/testing/btest/core/leaks/basic-cluster.bro 
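Review bot: The two new globals in main.cc are declared and initialised without any comment explaining why they must be process-wide and loaded exactly once, which is the whole reason for this commit and will not be obvious to someone later tempted to re-add per-analyzer cookies. I would put above the definitions: `// Shared libmagic cookies, loaded once in main(): calling magic_load() a second time with a non-default database crashes in libmagic >= 5.12. A value of 0 means initialisation failed.` The hunk also does not check or report the outcome of the two bro_init_magic() calls; if bro_init_magic() does not itself report failure (its body is not visible here), a zero cookie would only surface later as empty MIME results. If the process has a shutdown path, closing the cookies there would keep the heap checker used by the `-m` leak tests from attributing them as leaks, though I cannot see from this chunk whether such a path exists.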
+++ b/testing/btest/core/leaks/basic-cluster.bro 
@@ -6,33 +6,38 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # # @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT -# @TEST-EXEC: btest-bg-run proxy-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro -m %INPUT # @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m -r $TRACES/web.trace --pseudo-realtime %INPUT -# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m -r $TRACES/web.trace --pseudo-realtime %INPUT -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: btest-diff manager-1/metrics.log +# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m %INPUT +# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. 
CLUSTER_NODE=worker-2 bro -m %INPUT +# @TEST-EXEC: btest-bg-wait 15 @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE redef Log::default_rotation_interval = 0secs; -redef enum Metrics::ID += { - TEST_METRIC, -}; +global n = 0; event bro_init() &priority=5 { - Metrics::add_filter(TEST_METRIC, - [$name="foo-bar", - $break_interval=3secs]); + local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)]; + SumStats::create([$epoch=5secs, + $reducers=set(r1), + $epoch_finished(rt: SumStats::ResultTable) = + { + for ( key in rt ) + { + local r = rt[key]["test"]; + print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique); + } + + terminate(); + }]); } event remote_connection_closed(p: event_peer) 
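Review bot: The new `epoch_finished` callback prints the per-host statistics, but the replacement test no longer runs any `btest-diff` (the old `# @TEST-EXEC: btest-diff manager-1/metrics.log` was dropped and nothing took its place), so the computed sum/min/max/unique values are never compared against a baseline and a wrong result would pass as long as nothing leaks. If that is intentional for a leak test, a comment such as `# Output is not baselined; this test only checks for leaks under HEAPCHECK.` next to the @TEST-EXEC lines would make it explicit; otherwise add `# @TEST-EXEC: btest-diff manager-1/.stdout`. The added `global n = 0;` does not appear to be used anywhere in the new version of the test (its only former use was in the removed log_metrics handler) and can be deleted. Which node's `epoch_finished` fires, and therefore which node calls `terminate()`, is not visible from this hunk.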
@@ -41,43 +46,40 @@ event remote_connection_closed(p: event_peer) } global ready_for_data: event(); - -redef Cluster::manager2worker_events += /ready_for_data/; - -@if ( Cluster::local_node_type() == Cluster::WORKER ) +redef Cluster::manager2worker_events += /^ready_for_data$/; event ready_for_data() { - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); + if ( Cluster::node == "worker-1" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=34]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=6.5.4.3], [$num=1]); + SumStats::observe("test", [$host=7.2.1.5], [$num=54]); + } + if ( Cluster::node == "worker-2" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=75]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=1.2.3.4], [$num=3]); + SumStats::observe("test", [$host=1.2.3.4], [$num=57]); + SumStats::observe("test", [$host=1.2.3.4], [$num=52]); + SumStats::observe("test", [$host=1.2.3.4], [$num=61]); + SumStats::observe("test", [$host=1.2.3.4], [$num=95]); + SumStats::observe("test", [$host=6.5.4.3], [$num=5]); + SumStats::observe("test", [$host=7.2.1.5], [$num=91]); + SumStats::observe("test", [$host=10.10.10.10], [$num=5]); + } } -@endif - @if ( Cluster::local_node_type() == Cluster::MANAGER ) -global n = 0; global peer_count = 0; - -event Metrics::log_metrics(rec: Metrics::Info) +event remote_connection_handshake_done(p: event_peer) &priority=-5 { - n = n + 1; - if ( n == 3 ) - { - terminate_communication(); - terminate(); - } - } - -event remote_connection_handshake_done(p: event_peer) - { - print p; - peer_count = peer_count + 1; - if ( peer_count == 3 ) - { + ++peer_count; + if ( peer_count == 2 ) event ready_for_data(); - } } @endif From 95cf662ff59513f16949425675344e89bf4a8ee0 Mon Sep 17 00:00:00 2001 
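Review bot: The manager's `remote_connection_handshake_done` handler hard-codes `peer_count == 2` as the signal that all workers are connected; it matches the two-worker layout defined above but will silently stop firing `ready_for_data` if a node is added to or removed from the cluster-layout file, leaving the test to time out rather than fail clearly. Deriving the count from the layout, e.g. `if ( peer_count == |Cluster::nodes[Cluster::node]$workers| )`, keeps the two in sync, assuming `Cluster::node` holds the manager's own name as it does for the worker checks above. A one-line comment stating that the count is the number of workers expected to connect would help either way.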
From: Robin Sommer Date: Mon, 29 Apr 2013 20:37:26 -0700 Subject: [PATCH 091/134] Fixing memory leak in CompHash. Amazing what code still has memory leaks ... Closes #987. --- src/CompHash.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/CompHash.cc b/src/CompHash.cc index 05d3e515d2..202ddf6305 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -830,7 +830,10 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, } for ( int i = 0; i < n; ++i ) + { tv->Assign(keys[i], t->IsSet() ? 0 : values[i]); + Unref(keys[i]); + } pval = tv; } From e8c9c2ee0b59e594c4b093ce789bb6e79c63813a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 21:10:59 -0700 Subject: [PATCH 092/134] Fixing more memory leaks. --- src/CompHash.cc | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/CompHash.cc b/src/CompHash.cc index 202ddf6305..e793a104e0 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -77,7 +77,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, *kp = ( v ? 1 : 0); kp0 = reinterpret_cast(kp+1); - if ( ! v ) + if ( ! v ) return kp0; } @@ -181,16 +181,24 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, Val* key = lv->Index(i); if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key, false)) ) + { + Unref(lv); return 0; + } if ( ! v->Type()->IsSet() ) { Val* val = tv->Lookup(key); if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(), val, false)) ) + { + Unref(lv); return 0; + } } } + + Unref(lv); } break; 
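Review bot: The new `Unref(keys[i])` after `tv->Assign(keys[i], ...)` is correct only if TableVal::Assign() takes its own reference on the key, and the absence of a matching release for `values[i]` is correct only if Assign() takes ownership of the value; neither contract is visible in this hunk, and the asymmetry will look like a bug to the next reader. I would document the assumption at the loop: `// Assign() refs the key itself, so drop ours; ownership of values[i] passes to the table.` The enclosing RecoverOneVal(), including where `keys`, `values` and `n` come from, starts outside the hunk, so whether the arrays themselves are released is not something I can confirm here.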
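Review bot: The `Unref(lv); return 0;` pair now appears twice inside the loop plus a third `Unref(lv)` after it, and the same pattern is repeated in SingleTypeKeySize() below; any future early return added to these loops will reintroduce exactly the leak this commit fixes. A single exit would be safer: on failure do `kp1 = 0; break;` inside the loop and then `Unref(lv); if ( ! kp1 ) return 0;` once after it, assuming nothing between the loop and the `break` depends on `kp1` being non-null. Separately, `tv->Lookup(key)` is dereferenced without a check; since `key` comes from `lv`, which is built from the same table before this hunk begins, a miss is presumably impossible, but a comment saying so would spare the next reader the question.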
@@ -454,16 +462,27 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v, Val* key = lv->Index(i); sz = SingleTypeKeySize(key->Type(), key, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } + if ( ! bt->IsSet() ) { Val* val = tv->Lookup(key); sz = SingleTypeKeySize(val->Type(), val, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } } } + Unref(lv); + break; } From 1a41bfa0ef0bf2a8fc1829388a350609f98a6a42 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 20:37:26 -0700 Subject: [PATCH 093/134] Fixing memory leak in CompHash. Amazing what code still has memory leaks ... Closes #987. --- src/CompHash.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/CompHash.cc b/src/CompHash.cc index 05d3e515d2..202ddf6305 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -830,7 +830,10 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, } for ( int i = 0; i < n; ++i ) + { tv->Assign(keys[i], t->IsSet() ? 0 : values[i]); + Unref(keys[i]); + } pval = tv; } From a201d2e033646d6d77741270bd0bc952e221c840 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 21:10:59 -0700 Subject: [PATCH 094/134] Fixing more memory leaks. --- CHANGES | 5 +++++ VERSION | 2 +- src/CompHash.cc | 25 ++++++++++++++++++++++--- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 03dd47d3e9..e3d20b84b6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.1-397 | 2013-04-29 21:19:00 -0700 + + * Fixing memory leaks in CompHash implementation. Addresses #987. + (Robin Sommer) + 2.1-394 | 2013-04-27 15:02:31 -0700 * Fixed a bug in the vulnerable software script and added a test. diff --git a/VERSION b/VERSION index 962239ea7b..4809e9f2e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-394 +2.1-397 
diff --git a/src/CompHash.cc b/src/CompHash.cc index 202ddf6305..e793a104e0 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -77,7 +77,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, *kp = ( v ? 1 : 0); kp0 = reinterpret_cast(kp+1); - if ( ! v ) + if ( ! v ) return kp0; } @@ -181,16 +181,24 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, Val* key = lv->Index(i); if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key, false)) ) + { + Unref(lv); return 0; + } if ( ! v->Type()->IsSet() ) { Val* val = tv->Lookup(key); if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(), val, false)) ) + { + Unref(lv); return 0; + } } } + + Unref(lv); } break; @@ -454,16 +462,27 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v, Val* key = lv->Index(i); sz = SingleTypeKeySize(key->Type(), key, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } + if ( ! bt->IsSet() ) { Val* val = tv->Lookup(key); sz = SingleTypeKeySize(val->Type(), val, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } } } + Unref(lv); + break; } From 9ea5a470e65e7a29fb53a54beeb8fa21f1305cc8 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Wed, 1 May 2013 15:28:45 -0700 Subject: [PATCH 095/134] Fixing coverage.bare-mode-errors test. --- scripts/base/frameworks/sumstats/plugins/__load__.bro | 2 +- scripts/base/frameworks/sumstats/plugins/average.bro | 2 +- scripts/base/frameworks/sumstats/plugins/max.bro | 2 +- scripts/base/frameworks/sumstats/plugins/min.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sample.bro | 2 +- scripts/base/frameworks/sumstats/plugins/std-dev.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sum.bro | 2 +- scripts/base/frameworks/sumstats/plugins/unique.bro | 2 +- scripts/base/frameworks/sumstats/plugins/variance.bro | 2 +- testing/btest/coverage/bare-mode-errors.test | 7 ++++--- 10 files changed, 13 insertions(+), 12 deletions(-) diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.bro index 0d4c2ed302..3b2bb553e6 100644 --- a/scripts/base/frameworks/sumstats/plugins/__load__.bro +++ b/scripts/base/frameworks/sumstats/plugins/__load__.bro @@ -5,4 +5,4 @@ @load ./std-dev @load ./sum @load ./unique -@load ./variance \ No newline at end of file +@load ./variance diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro index a409bb9408..ad82a91d20 100644 --- a/scripts/base/frameworks/sumstats/plugins/average.bro +++ b/scripts/base/frameworks/sumstats/plugins/average.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro index 6167d31f10..f9ff9258ee 100644 --- a/scripts/base/frameworks/sumstats/plugins/max.bro +++ b/scripts/base/frameworks/sumstats/plugins/max.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; 
diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro index a15ed0e733..95d492f428 100644 --- a/scripts/base/frameworks/sumstats/plugins/min.bro +++ b/scripts/base/frameworks/sumstats/plugins/min.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro index d0587bde08..dc2f438c79 100644 --- a/scripts/base/frameworks/sumstats/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main @load base/utils/queue module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro index 6411fe4bce..0f32e25a68 100644 --- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro +++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro @@ -1,5 +1,5 @@ +@load base/frameworks/sumstats/main @load ./variance -@load base/frameworks/sumstats module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro index 3e5b28e2be..db2246742b 100644 --- a/scripts/base/frameworks/sumstats/plugins/sum.bro +++ b/scripts/base/frameworks/sumstats/plugins/sum.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro index a407a487a2..ef62caaffa 100644 --- a/scripts/base/frameworks/sumstats/plugins/unique.bro +++ b/scripts/base/frameworks/sumstats/plugins/unique.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; 
diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro index 1e7a00ea97..773c7d697c 100644 --- a/scripts/base/frameworks/sumstats/plugins/variance.bro +++ b/scripts/base/frameworks/sumstats/plugins/variance.bro @@ -1,5 +1,5 @@ +@load base/frameworks/sumstats/main @load ./average -@load base/frameworks/sumstats module SumStats; diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index 894c9e67f4..da968d5601 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
@@ -3,12 +3,13 @@ # scripts that block after loading, e.g. start listening on a socket. # # Commonly, this test may fail if one forgets to @load some base/ scripts -# when writing a new bro scripts. +# when writing a new bro scripts. Look into "allerrors" to find out +# which script had trouble. # # @TEST-SERIALIZE: comm # # @TEST-EXEC: test -d $DIST/scripts -# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo $script; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0 -# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors +# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo "=== $script" >>allerrors; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0 +# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | grep -v '===' | sort | uniq > unique_errors # @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then cp unique_errors unique_errors_no_elasticsearch; fi # @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then btest-diff unique_errors_no_elasticsearch; else btest-diff unique_errors; fi From 9d483b7e74a07a0e8cabfae0abe4564b80f6681c Mon Sep 17 00:00:00 2001 
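Review bot: The new `grep -v '==='` that strips the per-script markers from `unique_errors` also drops any genuine error line that happens to contain `===`, so a real failure could disappear from the diffed output. Anchoring the filter to the marker's exact form, `grep -v '^=== '`, removes only the lines this test writes. The loop also relies on unquoted `$script` expansion in the backtick list, so a path with whitespace under `$DIST/scripts` would be split; that is pre-existing and probably harmless here, but worth a comment if the layout is assumed.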
From: Robin Sommer Date: Wed, 1 May 2013 15:28:45 -0700 Subject: [PATCH 096/134] Fixing coverage.bare-mode-errors test. --- CHANGES | 7 +++++++ VERSION | 2 +- scripts/base/frameworks/sumstats/plugins/__load__.bro | 2 +- scripts/base/frameworks/sumstats/plugins/average.bro | 2 +- scripts/base/frameworks/sumstats/plugins/max.bro | 2 +- scripts/base/frameworks/sumstats/plugins/min.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sample.bro | 2 +- scripts/base/frameworks/sumstats/plugins/std-dev.bro | 2 +- scripts/base/frameworks/sumstats/plugins/sum.bro | 2 +- scripts/base/frameworks/sumstats/plugins/unique.bro | 2 +- scripts/base/frameworks/sumstats/plugins/variance.bro | 2 +- testing/btest/coverage/bare-mode-errors.test | 7 ++++--- 12 files changed, 21 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index e3d20b84b6..912be889e1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.1-486 | 2013-05-01 15:28:45 -0700 + + * New framework for computing summary statistics in + base/framework/sumstats. This replaces the metrics frameworks, and + comes with a number of applications build on top, see NEWS. More + documentation to follow. (Seth Hall) + 2.1-397 | 2013-04-29 21:19:00 -0700 * Fixing memory leaks in CompHash implementation. Addresses #987. diff --git a/VERSION b/VERSION index 4809e9f2e9..bcb469c27e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-397 +2.1-486 diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.bro index 0d4c2ed302..3b2bb553e6 100644 --- a/scripts/base/frameworks/sumstats/plugins/__load__.bro +++ b/scripts/base/frameworks/sumstats/plugins/__load__.bro @@ -5,4 +5,4 @@ @load ./std-dev @load ./sum @load ./unique -@load ./variance \ No newline at end of file +@load ./variance diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro index a409bb9408..ad82a91d20 100644 
--- a/scripts/base/frameworks/sumstats/plugins/average.bro +++ b/scripts/base/frameworks/sumstats/plugins/average.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro index 6167d31f10..f9ff9258ee 100644 --- a/scripts/base/frameworks/sumstats/plugins/max.bro +++ b/scripts/base/frameworks/sumstats/plugins/max.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro index a15ed0e733..95d492f428 100644 --- a/scripts/base/frameworks/sumstats/plugins/min.bro +++ b/scripts/base/frameworks/sumstats/plugins/min.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro index d0587bde08..dc2f438c79 100644 --- a/scripts/base/frameworks/sumstats/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main @load base/utils/queue module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro index 6411fe4bce..0f32e25a68 100644 --- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro +++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro @@ -1,5 +1,5 @@ +@load base/frameworks/sumstats/main @load ./variance -@load base/frameworks/sumstats module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro index 3e5b28e2be..db2246742b 100644 --- a/scripts/base/frameworks/sumstats/plugins/sum.bro +++ b/scripts/base/frameworks/sumstats/plugins/sum.bro 
@@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro index a407a487a2..ef62caaffa 100644 --- a/scripts/base/frameworks/sumstats/plugins/unique.bro +++ b/scripts/base/frameworks/sumstats/plugins/unique.bro @@ -1,4 +1,4 @@ -@load base/frameworks/sumstats +@load base/frameworks/sumstats/main module SumStats; diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro index 1e7a00ea97..773c7d697c 100644 --- a/scripts/base/frameworks/sumstats/plugins/variance.bro +++ b/scripts/base/frameworks/sumstats/plugins/variance.bro @@ -1,5 +1,5 @@ +@load base/frameworks/sumstats/main @load ./average -@load base/frameworks/sumstats module SumStats; diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index 894c9e67f4..da968d5601 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
@@ -3,12 +3,13 @@
 # scripts that block after loading, e.g. start listening on a socket.
 #
 # Commonly, this test may fail if one forgets to @load some base/ scripts
-# when writing a new bro scripts.
+# when writing a new bro scripts. Look into "allerrors" to find out
+# which script had trouble.
 #
 # @TEST-SERIALIZE: comm
 #
 # @TEST-EXEC: test -d $DIST/scripts
-# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo $script; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
-# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors
+# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo "=== $script" >>allerrors; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
+# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | grep -v '===' | sort | uniq > unique_errors
 # @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then cp unique_errors unique_errors_no_elasticsearch; fi
 # @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then btest-diff unique_errors_no_elasticsearch; else btest-diff unique_errors; fi
From 1603da5af35e2738264bd675f868e5eb43689bb3 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Sun, 28 Apr 2013 16:40:39 -0700
Subject: [PATCH 097/134] Always apply tcp_connection_attempt.

Before this change it was only applied when a connection_attempt() event handler was defined.
---
 CHANGES | 5 +++++
 VERSION | 2 +-
 src/TCP.cc | 21 ++-----------------
 .../socks.log | 6 +++---
 4 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/CHANGES b/CHANGES
index 912be889e1..50aa198652 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+2.1-487 | 2013-05-01 18:03:22 -0700
+
+  * Always apply tcp_connection_attempt timer, even if no
+    connection_attempt() event handler is defined. (Robin Sommer)
+
 2.1-486 | 2013-05-01 15:28:45 -0700
 
   * New framework for computing summary statistics in
diff --git a/VERSION b/VERSION
index bcb469c27e..655811d583 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1-486
+2.1-487
diff --git a/src/TCP.cc b/src/TCP.cc
index da977d8157..c291f8e76c 100644
--- a/src/TCP.cc
+++ b/src/TCP.cc
@@ -566,7 +566,7 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 	else
 		endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
 
-	if ( connection_attempt )
+	if ( tcp_attempt_delay )
 		ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
 				t + tcp_attempt_delay, 1,
 				TIMER_TCP_ATTEMPT);
@@ -1497,24 +1497,7 @@ void TCP_Analyzer::ExpireTimer(double t)
 	if ( resp->state == TCP_ENDPOINT_INACTIVE )
 		{
-		if ( (orig->state == TCP_ENDPOINT_SYN_SENT ||
-		      orig->state == TCP_ENDPOINT_SYN_ACK_SENT) )
-			{
-			if ( ! connection_attempt )
-				{
-				// Time out the connection attempt,
-				// since the AttemptTimer isn't going
-				// to do it for us, and we don't want
-				// to clog the data structures with
-				// old, failed attempts.
-				Event(connection_timeout);
-				is_active = 0;
-				sessions->Remove(Conn());
-				return;
-				}
-			}
-
-		else if ( orig->state == TCP_ENDPOINT_INACTIVE )
+		if ( orig->state == TCP_ENDPOINT_INACTIVE )
 			{
 			// Nothing ever happened on this connection.
 			// This can occur when we see a trashed
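Review bot: With the `! connection_attempt` fallback removed from ExpireTimer in the second hunk, a SYN-only attempt is reclaimed only by AttemptTimer, and the first hunk schedules that timer only when `tcp_attempt_delay` is non-zero; if that value can be redefined to 0, every half-open attempt then lingers until generic inactivity expiry, which under scan or SYN-flood load is a memory-growth concern for the monitor itself. Either keep a fallback for the zero case or state the assumption next to the new condition: `// tcp_attempt_delay == 0 disables attempt expiry; nothing else reclaims SYN-only connections`. Whether ExpireTimer's remaining branches cover this is not visible here, since the function continues outside the hunk.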
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log
index b2a8ef7d4c..8529e18186 100644
--- a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path socks
-#open 2012-06-20-17-23-38
+#open 2013-05-02-01-02-50
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p
 #types time string addr port addr port count string string addr string port addr string port
-1340213015.276495 UWkUyAuUGXf 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688
-#close 2012-06-20-17-28-10
+1340213015.276495 arKYeMETxOg 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688
+#close 2013-05-02-01-02-50
From d984243a772d39eeb93a53991ffa4497a3ebef00 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Thu, 2 May 2013 11:34:33 -0700
Subject: [PATCH 098/134] duct-tape fix of values not propagating after intermediate check in cluster environments.

---
 scripts/base/frameworks/sumstats/cluster.bro | 6 +++---
 .../manager-1..stdout | 4 +++-
 .../sumstats/cluster-intermediate-update.bro | 19 +++++++++++++++----
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index 9ee63a674e..ef2d818f2c 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -97,7 +97,7 @@ function data_added(ss: SumStat, key: Key, result: Result)
 	     check_thresholds(ss, key, result, cluster_request_global_view_percent) )
 		{
 		# kick off intermediate update
-		event SumStats::cluster_key_intermediate_response(ss$id, key);
+		event SumStats::cluster_key_intermediate_response(ss$id, copy(key));
 		++recent_global_view_keys[ss$id, key];
 		}
 	}
@@ -124,7 +124,7 @@ event SumStats::send_data(uid: string, ssid: string, data: ResultTable)
 	if ( |data| == 0 )
 		done = T;
 
-	event SumStats::cluster_ss_response(uid, ssid, local_data, done);
+	event SumStats::cluster_ss_response(uid, ssid, copy(local_data), done);
 	if ( ! done )
 		schedule 0.01 sec { SumStats::send_data(uid, ssid, data) };
 	}
@@ -150,7 +150,7 @@ event SumStats::cluster_key_request(uid: string, ssid: string, key: Key)
 	if ( ssid in result_store && key in result_store[ssid] )
 		{
 		#print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data);
-		event SumStats::cluster_key_response(uid, ssid, key, result_store[ssid][key]);
+		event SumStats::cluster_key_response(uid, ssid, key, copy(result_store[ssid][key]));
 		}
 	else
 		{
diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
index 2a53389dc3..a5428dd3b7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
@@ -1 +1,3 @@
-A test metric threshold was crossed with a value of: 100.0
+A test metric threshold was crossed with a value of: 101.0
+End of epoch handler was called
+101.0
diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
index 303a0dc852..bed1793721 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
@@ -4,7 +4,7 @@
 # @TEST-EXEC: sleep 3
 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
-# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
 @TEST-START-FILE cluster-layout.bro
@@ -20,8 +20,15 @@ redef Log::default_rotation_interval = 0secs;
 event bro_init() &priority=5
 	{
 	local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
-	SumStats::create([$epoch=1hr,
+	SumStats::create([$epoch=10secs,
 	                  $reducers=set(r1),
+	                  $epoch_finished(data: SumStats::ResultTable) =
+	                  	{
+	                  	print "End of epoch handler was called";
+	                  	for ( res in data )
+	                  		print data[res]["test.metric"]$sum;
+	                  	terminate();
+	                  	},
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	return double_to_count(result["test.metric"]$sum);
@@ -30,7 +37,6 @@ event bro_init() &priority=5
 	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	print fmt("A test metric threshold was crossed with a value of: %.1f", result["test.metric"]$sum);
-	                  	terminate();
 	                  	}]);
 	}
 
@@ -52,8 +58,13 @@ event remote_connection_handshake_done(p: event_peer)
 	if ( p$descr == "manager-1" )
 		{
 		if ( Cluster::node == "worker-1" )
+			{
 			schedule 0.1sec { do_stats(1) };
+			schedule 5secs { do_stats(60) };
+			}
 		if ( Cluster::node == "worker-2" )
-			schedule 0.5sec { do_stats(99) };
+			schedule 0.5sec { do_stats(40) };
 		}
 	}
+
+
From fe779575d59b50d58b5b27b72d14e6e98b1fc87c Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Thu, 2 May 2013 11:38:40 -0700
Subject: [PATCH 099/134] fix the fix (thanks seth)

---
 scripts/base/frameworks/sumstats/cluster.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index ef2d818f2c..65a4fa28bf 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -97,7 +97,7 @@ function data_added(ss: SumStat, key: Key, result: Result)
 	     check_thresholds(ss, key, result, cluster_request_global_view_percent) )
 		{
 		# kick off intermediate update
-		event SumStats::cluster_key_intermediate_response(ss$id, copy(key));
+		event SumStats::cluster_key_intermediate_response(ss$id, key);
 		++recent_global_view_keys[ss$id, key];
 		}
 	}
From 2cfef36116bb08ca15535fc0525f6faf68ee728b Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Thu, 2 May 2013 11:42:34 -0700
Subject: [PATCH 100/134] add comment for seth to make us not forget about the copy statements

---
 scripts/base/frameworks/sumstats/cluster.bro | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index 65a4fa28bf..b0633e812b 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -124,6 +124,7 @@ event SumStats::send_data(uid: string, ssid: string, data: ResultTable)
 	if ( |data| == 0 )
 		done = T;
 
+	# Note: copy is needed to compensate serialization caching issue. This should be changed to something else later.
 	event SumStats::cluster_ss_response(uid, ssid, copy(local_data), done);
 	if ( ! done )
 		schedule 0.01 sec { SumStats::send_data(uid, ssid, data) };
@@ -150,6 +151,8 @@ event SumStats::cluster_key_request(uid: string, ssid: string, key: Key)
 	if ( ssid in result_store && key in result_store[ssid] )
 		{
 		#print fmt("WORKER %s: received the cluster_key_request event for %s=%s.", Cluster::node, key2str(key), data);
+
+		# Note: copy is needed to compensate serialization caching issue. This should be changed to something else later.
 		event SumStats::cluster_key_response(uid, ssid, key, copy(result_store[ssid][key]));
 		}
 	else
From 6a7a242db93bc470d77026c894ad8d19a7f50010 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 3 May 2013 11:22:15 -0500
Subject: [PATCH 101/134] Table lookups return copy of non-const &default vals (addresses #981).

This prevents unintentional modifications to the &default value itself.
---
 src/Val.cc | 2 +-
 .../language.table-default-record/out | 7 ++++++
 .../btest/language/table-default-record.bro | 24 +++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/language.table-default-record/out
 create mode 100644 testing/btest/language/table-default-record.bro

diff --git a/src/Val.cc b/src/Val.cc
index dd86e71a9e..33b2d0eacd 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1749,7 +1749,7 @@ Val* TableVal::Default(Val* index)
 
 	if ( def_val->Type()->Tag() != TYPE_FUNC ||
 	     same_type(def_val->Type(), Type()->YieldType()) )
-		return def_val->Ref();
+		return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone();
 
 	const Func* f = def_val->AsFunc();
 	val_list* vl = new val_list();
diff --git a/testing/btest/Baseline/language.table-default-record/out b/testing/btest/Baseline/language.table-default-record/out
new file mode 100644
index 0000000000..aeb44cf221
--- /dev/null
+++ b/testing/btest/Baseline/language.table-default-record/out
@@ -0,0 +1,7 @@
+0
+0
+0
+0
+{
+
+}
diff --git a/testing/btest/language/table-default-record.bro b/testing/btest/language/table-default-record.bro
new file mode 100644
index 0000000000..3894f3ac09
--- /dev/null
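Review bot: The changed return in TableVal::Default encodes a non-obvious ownership rule without saying so: a const &default expression is handed out shared by reference, while a non-const one (a record or table constructor, as in the new test) is cloned on every lookup miss, so callers can no longer change the default by mutating a lookup result and each miss now pays a full Clone(). Suggest a comment above the line, e.g. `// Non-const defaults are cloned so that mutating a lookup result cannot alter the shared default (#981); const ones are shared by Ref.` The rest of Default() lies outside the hunk, so whether other return paths have the same exposure is not visible here.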
+++ b/testing/btest/language/table-default-record.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+type Foo: record {
+	x: count &default=0;
+};
+
+global foo: table[count] of Foo = {} &default=[];
+
+# returns the &default value as usual
+print(foo[0]$x);
+print(foo[1]$x);
+
+# these are essentially no-ops since a copy of the &default value is returned
+# by the lookup
+foo[0]$x = 0;
+foo[1]$x = 1;
+
+# the &default value isn't modified
+print(foo[0]$x);
+print(foo[1]$x);
+
+# table membership isn't modified
+print(foo);
From e78c20c0f87ec30c7cbeb76aa8e16b6afea1c655 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Fri, 3 May 2013 14:26:02 -0700
Subject: [PATCH 102/134] Fix memory-leak in OpaqueVal.

Addresses #986.
---
 src/Val.cc | 3 ++-
 src/Val.h | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Val.cc b/src/Val.cc
index dd86e71a9e..2aafc30ab2 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3125,12 +3125,13 @@ void VectorVal::ValDescribe(ODesc* d) const
 	d->Add("]");
 	}
 
-OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t)
+OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t), type(t)
 	{
 	}
 
 OpaqueVal::~OpaqueVal()
 	{
+	Unref(type);
 	}
 
 IMPLEMENT_SERIAL(OpaqueVal, SER_OPAQUE_VAL);
diff --git a/src/Val.h b/src/Val.h
index 4b2705c5b4..8544fbadfd 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1024,6 +1024,9 @@ protected:
 	OpaqueVal() { }
 
 	DECLARE_SERIAL(OpaqueVal);
+
+private:
+	OpaqueType* type;
 };
 
 // Checks the given value for consistency with the given type. If an
From 9ac00f8c79f49972923ac2db5b5fc56b8dac26c1 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Fri, 3 May 2013 15:48:06 -0700
Subject: [PATCH 103/134] Do not allocate one OpaqueType per OpaqueVal.

Instead, we now allocate type information globally in NetVar.cc.

Addresses #986.
---
 src/NetVar.cc | 10 ++++++++++
 src/NetVar.h | 6 ++++++
 src/OpaqueVal.cc | 8 ++++++++
 src/OpaqueVal.h | 8 ++++----
 src/Val.cc | 3 +--
 src/Val.h | 3 ---
 6 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/NetVar.cc b/src/NetVar.cc
index 248ae15e1a..4a98dc4a25 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -149,6 +149,11 @@ RecordType* OS_version;
 EnumType* OS_version_inference;
 TableVal* generate_OS_version_event;
 
+OpaqueType* md5_type;
+OpaqueType* sha1_type;
+OpaqueType* sha256_type;
+OpaqueType* entropy_type;
+
 double table_expire_interval;
 double table_expire_delay;
 int table_incremental_step;
@@ -253,6 +258,11 @@ void init_event_handlers()
 
 void init_general_global_var()
 	{
+	md5_type = new OpaqueType("md5");
+	sha1_type = new OpaqueType("sha1");
+	sha256_type = new OpaqueType("sha256");
+	entropy_type = new OpaqueType("entropy");
+
 	table_expire_interval = opt_internal_double("table_expire_interval");
 	table_expire_delay = opt_internal_double("table_expire_delay");
 	table_incremental_step = opt_internal_int("table_incremental_step");
diff --git a/src/NetVar.h b/src/NetVar.h
index 2561fa0ad9..bc0935f1ec 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -152,6 +152,12 @@ extern RecordType* OS_version;
 extern EnumType* OS_version_inference;
 extern TableVal* generate_OS_version_event;
 
+class OpaqueType;
+extern OpaqueType* md5_type;
+extern OpaqueType* sha1_type;
+extern OpaqueType* sha256_type;
+extern OpaqueType* entropy_type;
+
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;
diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 51f975edf8..23abc91721 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -1,4 +1,5 @@
 #include "OpaqueVal.h"
+#include "NetVar.h"
 #include "Reporter.h"
 #include "Serializer.h"
 
@@ -72,6 +73,8 @@ bool HashVal::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE(&valid);
 	}
 
+MD5Val::MD5Val() : HashVal(md5_type) { }
+
 void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
 	{
 	MD5_CTX h;
@@ -189,6 +192,8 @@ bool MD5Val::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+SHA1Val::SHA1Val() : HashVal(sha1_type) { }
+
 void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
 	{
 	SHA_CTX h;
@@ -297,6 +302,8 @@ bool SHA1Val::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+SHA256Val::SHA256Val() : HashVal(sha256_type) { }
+
 void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
 	{
 	SHA256_CTX h;
@@ -410,6 +417,7 @@ bool SHA256Val::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+EntropyVal::EntropyVal() : OpaqueVal(entropy_type) { }
 
 bool EntropyVal::Feed(const void* data, size_t size)
 	{
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index 0428e50bdb..78fa5da5e9 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -36,7 +36,7 @@ public:
 	            u_char key[MD5_DIGEST_LENGTH],
 	            u_char result[MD5_DIGEST_LENGTH]);
 
-	MD5Val() : HashVal(new OpaqueType("md5")) { }
+	MD5Val();
 
 protected:
 	friend class Val;
@@ -55,7 +55,7 @@ class SHA1Val : public HashVal {
 public:
 	static void digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH]);
 
-	SHA1Val() : HashVal(new OpaqueType("sha1")) { }
+	SHA1Val();
 
 protected:
 	friend class Val;
@@ -74,7 +74,7 @@ class SHA256Val : public HashVal {
 public:
 	static void digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH]);
 
-	SHA256Val() : HashVal(new OpaqueType("sha256")) { }
+	SHA256Val();
 
 protected:
 	friend class Val;
@@ -91,7 +91,7 @@ private:
 
 class EntropyVal : public OpaqueVal {
 public:
-	EntropyVal() : OpaqueVal(new OpaqueType("entropy")) { }
+	EntropyVal();
 
 	bool Feed(const void* data, size_t size);
 	bool Get(double *r_ent, double *r_chisq, double *r_mean,
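Review bot: The four new constructors in OpaqueVal.cc dereference `md5_type`, `sha1_type`, `sha256_type` and `entropy_type`, which are assigned only inside init_general_global_var() (NetVar.cc hunk on L605); any hash or entropy value constructed before that point, during static initialization or earlier startup, is built on a null type, and nothing in the hunk checks for it. With a single OpaqueType now shared by every value of a class, correctness also depends on Val's constructor taking a reference to `t` rather than ownership, which this diff does not show (the follow-up on L607 drops the per-value Unref, consistent with shared ownership, but that is inferred). Suggest a comment beside the extern declarations in NetVar.h: `// Shared OpaqueType instances for OpaqueVal subclasses; valid only after init_general_global_var().`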
diff --git a/src/Val.cc b/src/Val.cc
index 2aafc30ab2..dd86e71a9e 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3125,13 +3125,12 @@ void VectorVal::ValDescribe(ODesc* d) const
 	d->Add("]");
 	}
 
-OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t), type(t)
+OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t)
 	{
 	}
 
 OpaqueVal::~OpaqueVal()
 	{
-	Unref(type);
 	}
 
 IMPLEMENT_SERIAL(OpaqueVal, SER_OPAQUE_VAL);
diff --git a/src/Val.h b/src/Val.h
index 8544fbadfd..4b2705c5b4 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1024,9 +1024,6 @@ protected:
 	OpaqueVal() { }
 
 	DECLARE_SERIAL(OpaqueVal);
-
-private:
-	OpaqueType* type;
 };
 
 // Checks the given value for consistency with the given type. If an
From 663082e2d51ada8011cd64a27c54ee533ce18c5b Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Sun, 5 May 2013 11:18:19 -0700
Subject: [PATCH 104/134] reservoir sampler. untested.

---
 .../frameworks/sumstats/plugins/__load__.bro | 1 +
 .../base/frameworks/sumstats/plugins/last.bro | 49 ++++++++
 .../frameworks/sumstats/plugins/sample.bro | 116 ++++++++++++++----
 .../.stdout | 9 ++
 .../scripts/base/frameworks/sumstats/last.bro | 47 +++++++
 5 files changed, 198 insertions(+), 24 deletions(-)
 create mode 100644 scripts/base/frameworks/sumstats/plugins/last.bro
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.sumstats.last/.stdout
 create mode 100644 testing/btest/scripts/base/frameworks/sumstats/last.bro

diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.bro
index 3b2bb553e6..c0ee3a6767 100644
--- a/scripts/base/frameworks/sumstats/plugins/__load__.bro
+++ b/scripts/base/frameworks/sumstats/plugins/__load__.bro
@@ -1,4 +1,5 @@
 @load ./average
+@load ./last
 @load ./max
 @load ./min
 @load ./sample
diff --git a/scripts/base/frameworks/sumstats/plugins/last.bro b/scripts/base/frameworks/sumstats/plugins/last.bro
new file mode 100644
index 0000000000..d0587bde08
--- /dev/null
+++ b/scripts/base/frameworks/sumstats/plugins/last.bro
@@ -0,0 +1,49 @@
+@load base/frameworks/sumstats
+@load base/utils/queue
+
+module SumStats;
+
+export {
+	redef record Reducer += {
+		## A number of sample Observations to collect.
+		samples: count &default=0;
+	};
+
+	redef record ResultVal += {
+		## This is the queue where samples are maintained. Use the
+		## :bro:see:`SumStats::get_samples` function to get a vector of the samples.
+		samples: Queue::Queue &optional;
+	};
+
+	## Get a vector of sample Observation values from a ResultVal.
+	global get_samples: function(rv: ResultVal): vector of Observation;
+}
+
+function get_samples(rv: ResultVal): vector of Observation
+	{
+	local s: vector of Observation = vector();
+	if ( rv?$samples )
+		Queue::get_vector(rv$samples, s);
+	return s;
+	}
+
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+	{
+	if ( r$samples > 0 )
+		{
+		if ( ! rv?$samples )
+			rv$samples = Queue::init([$max_len=r$samples]);
+		Queue::put(rv$samples, obs);
+		}
+	}
+
+hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+	{
+	# Merge $samples
+	if ( rv1?$samples && rv2?$samples )
+		result$samples = Queue::merge(rv1$samples, rv2$samples);
+	else if ( rv1?$samples )
+		result$samples = rv1$samples;
+	else if ( rv2?$samples )
+		result$samples = rv2$samples;
+	}
diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro
index dc2f438c79..b04d2cf57c 100644
--- a/scripts/base/frameworks/sumstats/plugins/sample.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sample.bro
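Review bot: The new last.bro starts with `@load base/frameworks/sumstats`, the top-level load that the earlier hunks in this series (L595–L596) replaced with `@load base/frameworks/sumstats/main` in every other plugin, presumably so a plugin does not load the framework that in turn loads the plugins; this file reintroduces that cycle. Its blob id (d0587bde08) is the pre-rewrite sample.bro, and the test added as last.bro exercises SAMPLE rather than the `samples` reducer field defined here, so it is unclear whether this file is meant to remain; if it is, change line 1 to `@load base/frameworks/sumstats/main` and note in its header that it preserves the queue-based "keep the last N" behaviour now that sample.bro does random sampling.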
@@ -1,49 +1,117 @@
 @load base/frameworks/sumstats/main
-@load base/utils/queue
 
 module SumStats;
 
 export {
+	redef enum Calculation += {
+		## Get uniquely distributed random samples from the observation stream
+		SAMPLE
+	};
+
 	redef record Reducer += {
 		## A number of sample Observations to collect.
-		samples: count &default=0;
+		num_samples: count &default=0;
 	};
 
 	redef record ResultVal += {
-		## This is the queue where samples are maintained. Use the
-		## :bro:see:`SumStats::get_samples` function to get a vector of the samples.
-		samples: Queue::Queue &optional;
-	};
+		## This is the vector in which the samples are maintained.
+		sample_vector: vector of Observation &default=vector();
 
-	## Get a vector of sample Observation values from a ResultVal.
-	global get_samples: function(rv: ResultVal): vector of Observation;
+		## Number of total observed elements.
+		sample_elements: count &default=0;
+	};
 }
 
-function get_samples(rv: ResultVal): vector of Observation
+redef record ResultVal += {
+	# Internal use only. This is not meant to be publically available
+	# and just a copy of num_samples from the Reducer. Needed for availability
+	# in the compose hook.
+	num_samples: count &default=0;
+};
+
+hook init_resultval_hook(r: Reducer, rv: ResultVal)
 	{
-	local s: vector of Observation = vector();
-	if ( rv?$samples )
-		Queue::get_vector(rv$samples, s);
-	return s;
+	if ( SAMPLE in r$apply )
+		rv$num_samples = r$num_samples;
 	}
 
+function sample_add_sample(obs:Observation, rv: ResultVal)
+	{
+	++rv$sample_elements;
+
+	if ( |rv$sample_vector| < rv$num_samples )
+		rv$sample_vector[|rv$sample_vector|] = obs;
+	else
+		{
+		local ra = rand(rv$sample_elements);
+		if ( ra < rv$num_samples )
+			rv$sample_vector[ra] = obs;
+		}
+
+	}
+
 hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
-	if ( r$samples > 0 )
+	if ( SAMPLE in r$apply )
 		{
-		if ( ! 
rv?$samples )
-			rv$samples = Queue::init([$max_len=r$samples]);
-		Queue::put(rv$samples, obs);
+		sample_add_sample(obs, rv);
 		}
 	}
 
 hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 	{
-	# Merge $samples
-	if ( rv1?$samples && rv2?$samples )
-		result$samples = Queue::merge(rv1$samples, rv2$samples);
-	else if ( rv1?$samples )
-		result$samples = rv1$samples;
-	else if ( rv2?$samples )
-		result$samples = rv2$samples;
+	if ( rv1$num_samples != rv2$num_samples )
+		{
+		Reporter::error("Merging sample sets with differing sizes is not supported");
+		return;
+		}
+
+	local num_samples = rv1$num_samples;
+
+	if ( |rv1$sample_vector| > num_samples || |rv2$sample_vector| > num_samples )
+		{
+		Reporter::error("Sample vector with too many elements. Aborting.");
+		return;
+		}
+
+
+	if ( |rv1$sample_vector| != num_samples && |rv2$sample_vector| < num_samples )
+		{
+		if ( |rv1$sample_vector| != rv1$sample_elements || |rv2$sample_vector| < rv2$sample_elements )
+			{
+			Reporter::error("Mismatch in sample element size and tracking. Aborting merge");
+			return;
+			}
+
+		for ( i in rv1$sample_vector )
+			sample_add_sample(rv1$sample_vector[i], result);
+
+		for ( i in rv2$sample_vector)
+			sample_add_sample(rv2$sample_vector[i], result);
+		}
+	else
+		{
+		local other_vector: vector of Observation;
+		local othercount: count;
+		if ( rv1$sample_elements > rv2$sample_elements )
+			{
+			result$sample_vector = copy(rv1$sample_vector);
+			other_vector = rv2$sample_vector;
+			othercount = rv2$sample_elements;
+			}
+		else
+			{
+			result$sample_vector = copy(rv2$sample_vector);
+			other_vector = rv1$sample_vector;
+			othercount = rv1$sample_elements;
+			}
+
+		local totalcount = rv1$sample_elements + rv2$sample_elements;
+
+		for ( i in other_vector )
+			{
+			if ( rand(totalcount) <= othercount )
+				result$sample_vector[i] = other_vector[i];
+			}
+		}
 	}
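Review bot: The merge in compose_resultvals_hook tests `rand(totalcount) <= othercount` while sample_add_sample tests `ra < rv$num_samples`; if rand(n) yields values in [0, n) as the latter assumes, `<=` admits one extra outcome and over-weights the smaller reservoir, so the line should read `if ( rand(totalcount) < othercount )`. The first branch feeds sample_add_sample(…, result), which relies on `result$num_samples`, a field set only by init_resultval_hook; if the framework passes a fresh ResultVal here that field is 0, every element falls into the `ra < 0` test and is dropped, so `result$num_samples = num_samples;` belongs before the loops. The else branch never assigns `result$sample_elements = totalcount;`, so a merged result reports 0 observed elements through the field the new test prints. Each Reporter::error path also returns with `result` left empty, silently discarding both inputs, which deserves at least a comment given the commit is labelled untested. The hunk begins on L609.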
diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.last/.stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.last/.stdout
new file mode 100644
index 0000000000..35219765af
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.last/.stdout
@@ -0,0 +1,9 @@
+6.5.4.3
+[[num=2, dbl=, str=]]
+1
+1.2.3.4
+[[num=5, dbl=, str=], [num=51, dbl=, str=]]
+20
+7.2.1.5
+[[num=1, dbl=, str=]]
+1
diff --git a/testing/btest/scripts/base/frameworks/sumstats/last.bro b/testing/btest/scripts/base/frameworks/sumstats/last.bro
new file mode 100644
index 0000000000..e0cef0ec10
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/sumstats/last.bro
@@ -0,0 +1,47 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init() &priority=5
+	{
+	local r1: SumStats::Reducer = [$stream="test.metric",
+	                               $apply=set(SumStats::SAMPLE), $num_samples=2];
+	SumStats::create([$epoch=3secs,
+	                  $reducers=set(r1),
+	                  $epoch_finished(data: SumStats::ResultTable) =
+	                  	{
+	                  	for ( key in data )
+	                  		{
+	                  		print key$host;
+	                  		local r = data[key]["test.metric"];
+	                  		print r$sample_vector;
+	                  		print r$sample_elements;
+	                  		}
+	                  	}
+	                  ]);
+
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=94]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]);
+	# I checked the random numbers. seems legit.
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=51]);
+
+	SumStats::observe("test.metric", [$host=6.5.4.3], [$num=2]);
+	SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1]);
+	}
+
From 70f3f4343a00605d962cca71d69f032b8123c022 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Tue, 7 May 2013 11:16:59 -0700
Subject: [PATCH 105/134] prevent merge-hook of sumstats unique plugin from damaging source data.

---
 scripts/base/frameworks/sumstats/plugins/unique.bro | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro
index ef62caaffa..b8bfc6a4e2 100644
--- a/scripts/base/frameworks/sumstats/plugins/unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/unique.bro
@@ -39,14 +39,14 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 	if ( rv1?$unique_vals || rv2?$unique_vals )
 		{
 		if ( rv1?$unique_vals )
-			result$unique_vals = rv1$unique_vals;
+			result$unique_vals = copy(rv1$unique_vals);
 
 		if ( rv2?$unique_vals )
 			if ( ! result?$unique_vals )
-				result$unique_vals = rv2$unique_vals;
+				result$unique_vals = copy(rv2$unique_vals);
 			else
 				for ( val2 in rv2$unique_vals )
-					add result$unique_vals[val2];
+					add result$unique_vals[copy(val2)];
 
 		result$unique = |result$unique_vals|;
 		}
From e2a1d4a233f71fc74c10930a71568104207ca789 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 7 May 2013 14:32:22 -0500
Subject: [PATCH 106/134] Allow default function/hook/event parameters.

Addresses #972.

And changed the endianness parameter of bytestring_to_count() BIF to default to false (big endian), mostly just to prove that the BIF parser doesn't choke on default parameters.
---
 doc/scripts/builtins.rst | 33 ++++++++--
 src/Expr.cc | 44 +++++++++++++
 src/Expr.h | 3 +-
 src/Type.cc | 18 ++++-
 src/Var.cc | 28 ++++++++
 src/bif_arg.cc | 7 +-
 src/bif_arg.h | 6 +-
 src/bro.bif | 2 +-
 src/builtin-func.l | 9 ++-
 src/builtin-func.y | 33 +++++-----
 .../Baseline/bifs.bytestring_to_count/out | 1 +
 .../Baseline/language.default-params/out | 15 +++++
 testing/btest/bifs/bytestring_to_count.bro | 3 +
 testing/btest/language/default-params.bro | 65 +++++++++++++++++++
 14 files changed, 239 insertions(+), 28 deletions(-)
 create mode 100644 testing/btest/Baseline/language.default-params/out
 create mode 100644 testing/btest/language/default-params.bro

diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst
index b9febb176c..06d61232ad 100644
--- a/doc/scripts/builtins.rst
+++ b/doc/scripts/builtins.rst
@@ -459,6 +459,31 @@ The Bro scripting language supports the following built-in types.
 
         print greeting("Dave");
 
+    Function parameters may specify default values as long as they appear
+    last in the parameter list:
+
+    .. code:: bro
+
+        global foo: function(s: string, t: string &default="abc", u: count &default=0);
+
+    If a function was previously declared with default parameters, the
+    default expressions can be omitted when implementing the function
+    body and they will still be used for function calls that lack those
+    arguments.
+
+    .. code:: bro
+
+        function foo(s: string, t: string, u: count)
+            {
+            print s, t, u;
+            }
+
+    And calls to the function may omit the defaults from the argument list:
+
+    .. code:: bro
+
+        foo("test");
+
 .. bro:type:: event
 
     Event handlers are nearly identical in both syntax and semantics to
@@ -597,10 +622,10 @@ scripting language supports the following built-in attributes. .. bro:attr:: &default - Uses a default value for a record field or container elements. For - example, ``table[int] of string &default="foo" }`` would create a - table that returns the :bro:type:`string` ``"foo"`` for any - non-existing index. + Uses a default value for a record field, a function/hook/event + parameter, or container elements. For example, ``table[int] of + string &default="foo" }`` would create a table that returns the + :bro:type:`string` ``"foo"`` for any non-existing index. .. bro:attr:: &redef diff --git a/src/Expr.cc b/src/Expr.cc index 37e1770673..12d3d72304 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -5478,6 +5478,50 @@ int check_and_promote_exprs(ListExpr*& elements, TypeList* types) return 1; } +int check_and_promote_args(ListExpr*& args, RecordType* types) + { + expr_list& el = args->Exprs(); + int ntypes = types->NumFields(); + + // give variadic BIFs automatic pass + if ( ntypes == 1 && types->FieldDecl(0)->type->Tag() == TYPE_ANY ) + return 1; + + if ( el.length() < ntypes ) + { + expr_list def_elements; + + // Start from rightmost parameter, work backward to fill in missing + // arguments using &default expressions. + for ( int i = ntypes - 1; i >= el.length(); --i ) + { + TypeDecl* td = types->FieldDecl(i); + Attr* def_attr = td->attrs ? td->attrs->FindAttr(ATTR_DEFAULT) : 0; + + if ( ! def_attr ) + { + types->Error("parameter mismatch", args); + return 0; + } + + def_elements.insert(def_attr->AttrExpr()); + } + + loop_over_list(def_elements, i) + el.append(def_elements[i]->Ref()); + } + + TypeList* tl = new TypeList(); + + for ( int i = 0; i < types->NumFields(); ++i ) + tl->Append(types->FieldType(i)->Ref()); + + int rval = check_and_promote_exprs(args, tl); + Unref(tl); + + return rval; + } + int check_and_promote_exprs_to_type(ListExpr*& elements, BroType* type) { expr_list& el = elements->Exprs(); 
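Review bot: `types->Error("parameter mismatch", args);` in `check_and_promote_args` fires for every missing argument that has no `&default`, but tells the script author neither which parameter is missing nor that a `&default` would have filled it; `fmt()` and `td->id` are already used this way in the `FuncType` constructor, so `types->Error(fmt("missing argument for parameter '%s' (no &default)", td->id), args);` would give a usable diagnostic. The function also has no header comment; Expr.h only lists it as a fourth promotion form, so a few lines should state that missing trailing arguments are filled from the `&default` expressions, that those expressions are shared (`Ref()`'d) across call sites rather than copied, and that a single `any` parameter skips all checking for variadic BIFs. Whether that `ntypes == 1 && ... TYPE_ANY` bypass is new behaviour or mirrors what `check_and_promote_exprs` did for `arg_types` before is not visible here.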
diff --git a/src/Expr.h b/src/Expr.h index 1e07708d14..bb7526d502 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -1082,13 +1082,14 @@ Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init); // match, promote it as necessary (modifying the ref parameter accordingly) // and return 1. // -// The second and third forms are for promoting a list of +// The second, third, and fourth forms are for promoting a list of // expressions (which is updated in place) to either match a list of // types or a single type. // // Note, the type is not "const" because it can be ref'd. extern int check_and_promote_expr(Expr*& e, BroType* t); extern int check_and_promote_exprs(ListExpr*& elements, TypeList* types); +extern int check_and_promote_args(ListExpr*& args, RecordType* types); extern int check_and_promote_exprs_to_type(ListExpr*& elements, BroType* type); // Returns a fully simplified form of the expression. Note that passed diff --git a/src/Type.cc b/src/Type.cc index db6e940e87..6461bf2560 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -671,8 +671,24 @@ FuncType::FuncType(RecordType* arg_args, BroType* arg_yield, function_flavor arg arg_types = new TypeList(); + bool has_default_arg = false; + for ( int i = 0; i < args->NumFields(); ++i ) + { + const TypeDecl* td = args->FieldDecl(i); + + if ( td->attrs && td->attrs->FindAttr(ATTR_DEFAULT) ) + has_default_arg = true; + + else if ( has_default_arg ) + { + const char* err_str = fmt("required parameter '%s' must precede " + "default parameters", td->id); + args->Error(err_str); + } + arg_types->Append(args->FieldType(i)->Ref()); + } } string FuncType::FlavorString() const @@ -708,7 +724,7 @@ BroType* FuncType::YieldType() int FuncType::MatchesIndex(ListExpr*& index) const { - return check_and_promote_exprs(index, arg_types) ? + return check_and_promote_args(index, args) ? MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX; } diff --git a/src/Var.cc b/src/Var.cc index 0aadd93e92..cee231d26f 100644 --- a/src/Var.cc +++ b/src/Var.cc 
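Review bot: The ordering check in `FuncType::FuncType` reports `required parameter ... must precede default parameters` and then carries on building `arg_types`, but the reason the order matters is only discoverable by reading `check_and_promote_args`; a comment above the loop would tie the two together: `// &default parameters must be trailing: check_and_promote_args() fills missing arguments from the right, so a required parameter after a defaulted one could never be supplied.` If `fmt()` returns a rotating static buffer, `err_str` is only safe because it is consumed immediately by `args->Error()`, which is worth a word next to it. The rest of the constructor is outside the hunk.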
@@ -318,6 +318,29 @@ void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */) id->SetAttrs(new Attributes(attr, tnew, false)); } +static void transfer_arg_defaults(RecordType* args, RecordType* recv) + { + for ( int i = 0; i < args->NumFields(); ++i ) + { + TypeDecl* args_i = args->FieldDecl(i); + TypeDecl* recv_i = recv->FieldDecl(i); + + Attr* def = args_i->attrs ? args_i->attrs->FindAttr(ATTR_DEFAULT) : 0; + + if ( ! def ) continue; + + if ( ! recv_i->attrs ) + { + attr_list* a = new attr_list(); + a->append(def); + recv_i->attrs = new Attributes(a, recv_i->type, true); + } + + else if ( ! recv_i->attrs->FindAttr(ATTR_DEFAULT) ) + recv_i->attrs->AddAttr(def); + } + } + void begin_func(ID* id, const char* module_name, function_flavor flavor, int is_redef, FuncType* t) { @@ -335,6 +358,11 @@ void begin_func(ID* id, const char* module_name, function_flavor flavor, { if ( ! same_type(id->Type(), t) ) id->Type()->Error("incompatible types", t); + + // If a previous declaration of the function had &default params, + // automatically transfer any that are missing (convenience so that + // implementations don't need to specify the &default expression again). + transfer_arg_defaults(id->Type()->AsFuncType()->Args(), t->Args()); } else if ( is_redef ) diff --git a/src/bif_arg.cc b/src/bif_arg.cc index a4772e4d73..64b0cb131a 100644 --- a/src/bif_arg.cc +++ b/src/bif_arg.cc @@ -30,11 +30,13 @@ BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type) type_str = ""; } -BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str) +BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str, + const char* arg_attr_str) { name = arg_name; type = TYPE_OTHER; type_str = arg_type_str; + attr_str = arg_attr_str; for ( int i = 0; builtin_func_arg_type[i].bif_type[0] != '\0'; ++i ) if ( ! strcmp(builtin_func_arg_type[i].bif_type, arg_type_str) ) 
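Review bot: `transfer_arg_defaults(id->Type()->AsFuncType()->Args(), t->Args())` in the `begin_func` hunk runs even when the preceding `same_type()` check failed and only reported `incompatible types`; if `Error()` does not abort, a redeclaration with fewer parameters makes `recv->FieldDecl(i)` in `transfer_arg_defaults` index past the end of `recv`, and a non-function `id` makes `AsFuncType()` questionable. Making the transfer the `else` branch keeps the two in step: `if ( ! same_type(id->Type(), t) ) id->Type()->Error("incompatible types", t); else transfer_arg_defaults(id->Type()->AsFuncType()->Args(), t->Args());` (or bound the loop by the smaller field count). Separately, the `Attr* def` taken from `args_i->attrs` is put into a fresh `attr_list` / handed to `AddAttr()` without a `Ref()`; if `Attributes` unrefs its entries on destruction the same object is released twice, so please confirm the ownership convention. `begin_func` continues outside the hunk.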
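Review bot: `attr_str = arg_attr_str;` is assigned only in the `(const char*, const char*, const char*)` constructor; the `(const char*, int)` constructor whose tail is visible as context at the top of the hunk (`type_str = "";`) leaves the new `attr_str` member uninitialised, and `BuiltinFuncArg::PrintBro()` in the next hunk now passes it to `%s`, which is undefined behaviour for any argument built through the int-typed constructor. Add `attr_str = "";` beside `type_str = "";` there (the member is declared without an initialiser in the `bif_arg.h` hunk). The pointer is stored rather than copied, so it stays valid only as long as the caller's string does; fine for the `""` default, but the member deserves a comment saying so.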
@@ -46,7 +48,8 @@ BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str) void BuiltinFuncArg::PrintBro(FILE* fp) { - fprintf(fp, "%s: %s%s", name, builtin_func_arg_type[type].bro_type, type_str); + fprintf(fp, "%s: %s%s %s", name, builtin_func_arg_type[type].bro_type, + type_str, attr_str); } void BuiltinFuncArg::PrintCDef(FILE* fp, int n) diff --git a/src/bif_arg.h b/src/bif_arg.h index 4ba6fa0c4f..1d8b565241 100644 --- a/src/bif_arg.h +++ b/src/bif_arg.h @@ -25,7 +25,10 @@ extern const char* builtin_func_arg_type_bro_name[]; class BuiltinFuncArg { public: BuiltinFuncArg(const char* arg_name, int arg_type); - BuiltinFuncArg(const char* arg_name, const char* arg_type_str); + BuiltinFuncArg(const char* arg_name, const char* arg_type_str, + const char* arg_attr_str = ""); + + void SetAttrStr(const char* arg_attr_str) { attr_str = arg_attr_str; }; const char* Name() const { return name; } int Type() const { return type; } @@ -39,6 +42,7 @@ protected: const char* name; int type; const char* type_str; + const char* attr_str; }; #endif diff --git a/src/bro.bif b/src/bro.bif index bea8e343c0..9f32892e99 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2472,7 +2472,7 @@ function bytestring_to_double%(s: string%): double ## ## Returns: The value contained in *s*, or 0 if the conversion failed. ## -function bytestring_to_count%(s: string, is_le: bool%): count +function bytestring_to_count%(s: string, is_le: bool &default=F%): count %{ #ifdef HOST_BIGENDIAN static const bool host_bigendian = true; diff --git a/src/builtin-func.l b/src/builtin-func.l index 9baeb1a9f9..fa9915077f 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -26,6 +26,7 @@ int check_c_mode(int t) %} WS [ \t]+ +OWS [ \t]* /* Note, bifcl only accepts a single "::" in IDs while the policy layer acceptes multiple. (But the policy layer doesn't have a hierachy. */ 
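Review bot: `"%s: %s%s %s"` in `PrintBro` now emits a trailing space for every parameter that has no attributes, so the generated declarations carry whitespace before each `,` and `%)`; harmless to the parser, but `fprintf(fp, "%s: %s%s%s%s", name, builtin_func_arg_type[type].bro_type, type_str, attr_str[0] ? " " : "", attr_str);` keeps the output clean. That expression, like the current one, requires `attr_str` to be a valid string for both constructors.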
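Review bot: `is_le: bool &default=F` changes the BIF's contract, but the parameter documentation above the signature (outside the hunk; only the `## Returns:` line is visible) still needs to say that the argument is optional and which byte order is assumed when it is omitted, e.g. `## is_le: Whether *s* is little-endian; defaults to F (big-endian).` The doc generator reads these comments, so the published reference will otherwise show an optional parameter without explaining its default.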
@@ -101,7 +102,13 @@ HEX [0-9a-fA-F]+ return TOK_ID; } -&{ID} { + /* + Hacky way to pass along arbitrary attribute expressions since the BIF parser + has little understanding of valid Bro expressions. With this pattern, the + attribute expression should stop when it reaches another attribute, another + function argument, or the end of the function declaration. + */ +&{ID}({OWS}={OWS}[^&%;,]+)? { int t = check_c_mode(TOK_ATTR); if ( t == TOK_ATTR ) diff --git a/src/builtin-func.y b/src/builtin-func.y index 474f321ccd..54ec5a29f6 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -277,7 +277,7 @@ void print_event_c_body(FILE *fp) %left ',' ':' -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type +%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list %type TOK_ATOM TOK_BOOL %union { @@ -375,7 +375,8 @@ type_def_types: TOK_RECORD { set_definition_type(TYPE_DEF, "Table"); } ; -event_def: event_prefix opt_ws plain_head opt_attr end_of_head ';' +event_def: event_prefix opt_ws plain_head opt_attr_list + { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' { print_event_c_prototype(fp_func_h, true); print_event_c_prototype(fp_func_def, false); @@ -458,20 +459,17 @@ const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' accessor); } - -/* Currently support only boolean and string values */ -opt_attr_init: /* nothing */ - | '=' opt_ws TOK_BOOL opt_ws - { - fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4); - } - | '=' opt_ws TOK_CSTR opt_ws - { fprintf(fp_bro_init, "=%s%s%s", $2, $3, $4); } +attr_list: + attr_list TOK_ATTR + { $$ = concat($1, $2); } + | + TOK_ATTR ; -opt_attr: /* nothing */ - | opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); } - opt_ws opt_attr_init +opt_attr_list: + attr_list + | /* nothing */ + { $$ = ""; } ; func_prefix: TOK_FUNCTION 
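Review bot: The value part of `&{ID}({OWS}={OWS}[^&%;,]+)?` is a plain negated class, so a default string literal that itself contains `,`, `;`, `&` or `%` is cut off at that character and the remainder is lexed as the next argument; newline is not excluded either, so a default that is not terminated by one of those characters keeps consuming following lines. The comment already calls the approach hacky, but it should state the concrete limitation so nobody writes such a default: `Limitation: the expression must not contain ',', ';', '&' or '%' (not even inside a string literal) and must be terminated by one of them.` A later tightening could accept a quoted-string alternative (`\"[^\"]*\"`) ahead of the negated class.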
@@ -579,9 +577,10 @@ args: args_1 { /* empty, to avoid yacc complaint about type clash */ } ; -args_1: args_1 ',' opt_ws arg opt_ws - | opt_ws arg opt_ws - { /* empty */ } +args_1: args_1 ',' opt_ws arg opt_ws opt_attr_list + { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($6); } + | opt_ws arg opt_ws opt_attr_list + { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($4); } ; // TODO: Migrate all other compound types to this rule. Once the BiF language diff --git a/testing/btest/Baseline/bifs.bytestring_to_count/out b/testing/btest/Baseline/bifs.bytestring_to_count/out index e5f8c84f26..36e3526756 100644 --- a/testing/btest/Baseline/bifs.bytestring_to_count/out +++ b/testing/btest/Baseline/bifs.bytestring_to_count/out @@ -34,3 +34,4 @@ 65535 0 0 +65535 diff --git a/testing/btest/Baseline/language.default-params/out b/testing/btest/Baseline/language.default-params/out new file mode 100644 index 0000000000..0ae804cc6b --- /dev/null +++ b/testing/btest/Baseline/language.default-params/out @@ -0,0 +1,15 @@ +foo_func, test +foo_func, hello +bar_func, hmm, hi, 5 +bar_func, cool, beans, 5 +bar_func, cool, beans, 13 +foo_hook, test +foo_hook, hello +bar_hook, hmm, hi, 5 +bar_hook, cool, beans, 5 +bar_hook, cool, beans, 13 +foo_event, test +foo_event, hello +bar_event, hmm, hi, 5 +bar_event, cool, beans, 5 +bar_event, cool, beans, 13 diff --git a/testing/btest/bifs/bytestring_to_count.bro b/testing/btest/bifs/bytestring_to_count.bro index e26b201f26..db50929cb7 100644 --- a/testing/btest/bifs/bytestring_to_count.bro +++ b/testing/btest/bifs/bytestring_to_count.bro @@ -52,4 +52,7 @@ event bro_init() print bytestring_to_count("\x00\x00\x00\x00\x00\x00\x00\x00", T); # 0 print bytestring_to_count("\x00\x00\x00\x00\x00\x00\x00\x00", F); # 0 + # test the default endianness parameter + print bytestring_to_count("\x00\x00\x00\x00\x00\x00\xff\xff"); # 65535 + } 
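Review bot: `args[args.size()-1]->SetAttrStr($6)` (and `$4` in the second alternative) stores the semantic value of `opt_attr_list` by pointer; `SetAttrStr` in the `bif_arg.h` hunk keeps the `const char*` rather than copying it, so this is only safe if `TOK_ATTR`'s value is a heap copy of `yytext` and `concat()` returns fresh storage — if either points into the lexer buffer, the attribute text is overwritten before `PrintBro()` runs. Please confirm, or copy the string inside `SetAttrStr`. The `if ( ! args.empty() )` guard silently drops attributes when `arg` pushed nothing; if that can only happen after a syntax error, a comment saying so would stop the next reader from treating it as a bug.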
diff --git a/testing/btest/language/default-params.bro b/testing/btest/language/default-params.bro
new file mode 100644
index 0000000000..c11adbf3b5
--- /dev/null
+++ b/testing/btest/language/default-params.bro
@@ -0,0 +1,65 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+### functions
+
+global foo_func: function(a: string &default="hello");
+
+# &defaults transfer from the declaration automatically
+function foo_func(a: string)
+ {
+ print "foo_func", a;
+ }
+
+function bar_func(a: string, b: string &default="hi", c: count &default=5)
+ {
+ print "bar_func", a, b, c;
+ }
+
+### events
+
+global foo_event: event(a: string &default="hello");
+
+event foo_event(a: string)
+ {
+ print "foo_event", a;
+ }
+
+event bar_event(a: string, b: string &default="hi", c: count &default=5)
+ {
+ print "bar_event", a, b, c;
+ }
+
+### hooks
+
+global foo_hook: hook(a: string &default="hello");
+
+hook foo_hook(a: string)
+ {
+ print "foo_hook", a;
+ }
+
+hook bar_hook(a: string, b: string &default="hi", c: count &default=5)
+ {
+ print "bar_hook", a, b, c;
+ }
+
+{}
+
+foo_func("test");
+foo_func();
+bar_func("hmm");
+bar_func("cool", "beans");
+bar_func("cool", "beans", 13);
+
+event foo_event("test");
+event foo_event();
+event bar_event("hmm");
+event bar_event("cool", "beans");
+event bar_event("cool", "beans", 13);
+
+hook foo_hook("test");
+hook foo_hook();
+hook bar_hook("hmm");
+hook bar_hook("cool", "beans");
+hook bar_hook("cool", "beans", 13);
From 6392acecd2b6963fd8663a9b42774416f88561df Mon Sep 17 00:00:00 2001
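Review bot: The new test exercises only the success paths; none of the rules the C++ side now enforces has a negative case — a required parameter declared after a `&default` one (the `FuncType` constructor error), a call that omits a parameter without a `&default` (`parameter mismatch` in `check_and_promote_args`), or a `&default` given only in the implementation rather than the declaration. Each could be a small `@TEST-EXEC-FAIL` script so a regression in the diagnostics is caught. The stray `{}` between the declarations and the calls looks like leftover scaffolding; if it is intentional, a one-line comment would keep the next reader from deleting it.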
From: Bernhard Amann Date: Sun, 12 May 2013 20:48:17 -0700 Subject: [PATCH 107/134] fix warnings, update baselines, handle rotation --- .../base/frameworks/input/readers/sqlite.bro | 17 +++++ src/logging/writers/SQLite.cc | 18 ++++- src/logging/writers/SQLite.h | 2 +- .../conn.select | 68 +++++++++---------- .../http.select | 28 ++++---- .../base/frameworks/logging/sqlite/types.bro | 1 + .../frameworks/logging/sqlite/wikipedia.bro | 1 + 7 files changed, 83 insertions(+), 52 deletions(-) create mode 100644 scripts/base/frameworks/input/readers/sqlite.bro diff --git a/scripts/base/frameworks/input/readers/sqlite.bro b/scripts/base/frameworks/input/readers/sqlite.bro new file mode 100644 index 0000000000..67179f42e4 --- /dev/null +++ b/scripts/base/frameworks/input/readers/sqlite.bro @@ -0,0 +1,17 @@ +##! Interface for the SQLite input reader. +##! +##! The defaults are set to match Bro's ASCII output. + +module InputSQLite; + +export { + ## Separator between set elements. + ## Please note that the separator has to be exactly one character long + const set_separator = Input::set_separator &redef; + + ## String to use for an unset &optional field. + const unset_field = Input::unset_field &redef; + + ## String to use for empty fields. + const empty_field = Input::empty_field &redef; +} diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index 23d7799b1e..c11ad8dfa3 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -150,7 +150,7 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields, string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; //"id SERIAL UNIQUE NOT NULL"; // SQLite has rowids, we do not need a counter here. - for ( int i = 0; i < num_fields; ++i ) + for ( unsigned int i = 0; i < num_fields; ++i ) { const Field* field = fields[i]; 
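Review bot: Changing `i` to `unsigned int` silences the sign-compare warning, but the loop it indexes builds DDL by concatenation: `"CREATE TABLE IF NOT EXISTS "+dbname+" (\n"` and the column names appended inside the loop are spliced in unquoted. They appear to come from the writer's configured path (`WriterInfo`) and the field declarations rather than from traffic, so this is a robustness rather than an injection concern, but quoting the identifiers (`"` + name + `"`) would make names containing spaces or SQL keywords work, and a comment should state where the names originate either way. `DoInit` continues outside the hunk.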
@@ -195,7 +195,7 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields, string insert = "VALUES ("; string names = "INSERT INTO "+dbname+" ( "; - for ( int i = 0; i < num_fields; i++ ) + for ( unsigned int i = 0; i < num_fields; i++ ) { bool ac = true; @@ -252,7 +252,7 @@ int SQLite::AddParams(Value* val, int pos) switch ( val->type ) { case TYPE_BOOL: - return sqlite3_bind_int(st, pos, val->val.int_val ? 1 : 0 ); + return sqlite3_bind_int(st, pos, val->val.int_val != 0 ? 1 : 0 ); case TYPE_INT: return sqlite3_bind_int(st, pos, val->val.int_val); @@ -377,4 +377,16 @@ bool SQLite::DoWrite(int num_fields, const Field* const * fields, Value** vals) return true; } +bool SQLite::DoRotate(const char* rotated_path, double open, double close, bool terminating) + { + if ( ! FinishedRotation("/dev/null", Info().path, open, close, terminating)) + { + Error(Fmt("error rotating %s", Info().path)); + return false; + } + + return true; + } + #endif /* USE_SQLITE */ + diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h index e5444a89b9..fc86acbc2c 100644 --- a/src/logging/writers/SQLite.h +++ b/src/logging/writers/SQLite.h @@ -31,7 +31,7 @@ protected: threading::Value** vals); virtual bool DoSetBuf(bool enabled) { return true; } virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating) { return true; } + double close, bool terminating); virtual bool DoFlush(double network_time) { return true; } virtual bool DoFinish(double network_time) { return true; } virtual bool DoHeartbeat(double network_time, double current_time) { return true; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select index 0e93dc54e1..e284fc0882 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select 
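Review bot: `SQLite::DoRotate` acknowledges the rotation but never rotates: `rotated_path` is ignored, the database stays open, and `FinishedRotation()` is handed `"/dev/null"` as the rotated file, so any post-rotation processor configured for the stream receives that path instead of a log file. If that is the intended semantics (an SQLite database accumulates rather than rotates) the method needs a comment saying so, e.g. `// SQLite databases are not rotated; report a completed rotation so the logging manager's bookkeeping proceeds, passing "/dev/null" as the (non-existent) rotated file.`, and the declaration in `SQLite.h` could write the parameter as `/* rotated_path */` to signal it is unused. The blank line appended after `#endif` is trailing whitespace.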
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select 
@@ -1,34 +1,34 @@
-1300475167.09653|UWkUyAuUGXf|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0|
-1300475167.09701|arKYeMETxOg|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0|
-1300475167.09982|k6kgXLOoSKl|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0|
-1300475168.652|nQcgTWjvg4c|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402|
-1300475168.72401|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396|
-1300475168.8539|TEfuqmmG4bh|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117|
-1300475168.85438|FrJExwHcSal|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF||0|Dd|1|80|1|127|
-1300475168.85484|5OKnoww6xl4|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF||0|Dd|1|66|1|211|
-1300475168.85533|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1||0|ShADad|6|1445|4|950|
-1300475168.8553|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1||0|ShADad|6|1491|4|949|
-1300475168.85796|fRFu0wcOle6|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF||0|Dd|1|66|1|117|
-1300475168.85831|qSsw6ESzHV4|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF||0|Dd|1|80|1|127|
-1300475168.85871|iE6yhOq3SF|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF||0|Dd|1|66|1|211|
-1300475168.85916|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1||0|ShADad|6|1450|4|950|
-1300475168.89164|qCaWGmzFtM5|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF||0|Dd|1|66|1|117|
-1300475168.89204|70MGiRM1Qf4|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF||0|Dd|1|80|1|127|
-1300475168.89241|h5DsfNtYzi1|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF||0|Dd|1|66|1|211|
-1300475168.89291|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1||0|ShADad|6|1457|4|949|
-1300475168.89294|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1||0|ShADad|6|1468|4|950|
-1300475168.89399|c4Zw9TmAE05|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF||0|Dd|1|66|1|117|
-1300475168.89442|EAr0uf4mhq|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF||0|Dd|1|80|1|127|
-1300475168.89479|GvmoxJFXdTa|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF||0|Dd|1|66|1|211|
-1300475168.89527|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1||0|ShADad|6|1498|4|950|
-1300475168.90175|slFea8xwSmb|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF||0|Dd|1|64|1|159|
-1300475168.90219|UfGkYA2HI2g|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF||0|Dd|1|64|1|226|
-1300475168.90264|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1||0|ShADad|4|750|3|576|
-1300475169.78033|2cx26uAvUPl|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH||0|h|0|0|1|48|
-1300475169.89944|BWaU4aSuwkc|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|85|0|0|
-1300475170.86238|10XodEwRycf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0||0|D|7|546|0|0|
-1300475171.67537|zno26fFZkrh|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0||0|D|2|162|0|0|
-1300475171.67708|v5rgkJBig5l|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0||0|D|2|122|0|0|
-1300475173.11675|eWZCH7OONC1|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0||0|D|2|162|0|0|
-1300475173.11736|0Pwk3ntf8O3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0||0|D|2|122|0|0|
-1300475173.15368|0HKorjr8Zp7|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0||0|D|1|78|0|0|
+1300475167.09654|UWkUyAuUGXf|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0|(empty)
+1300475167.09701|arKYeMETxOg|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0|(empty)
+1300475167.09982|k6kgXLOoSKl|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0|(empty)
+1300475168.652|nQcgTWjvg4c|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402|(empty)
+1300475168.72401|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396|(empty)
+1300475168.8539|TEfuqmmG4bh|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117|(empty)
+1300475168.85438|FrJExwHcSal|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF||0|Dd|1|80|1|127|(empty)
+1300475168.85484|5OKnoww6xl4|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF||0|Dd|1|66|1|211|(empty)
+1300475168.85531|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1||0|ShADad|6|1491|4|949|(empty)
+1300475168.85533|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1||0|ShADad|6|1445|4|950|(empty)
+1300475168.85796|fRFu0wcOle6|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF||0|Dd|1|66|1|117|(empty)
+1300475168.85831|qSsw6ESzHV4|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF||0|Dd|1|80|1|127|(empty)
+1300475168.85871|iE6yhOq3SF|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF||0|Dd|1|66|1|211|(empty)
+1300475168.85916|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1||0|ShADad|6|1450|4|950|(empty)
+1300475168.89164|qCaWGmzFtM5|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF||0|Dd|1|66|1|117|(empty)
+1300475168.89204|70MGiRM1Qf4|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF||0|Dd|1|80|1|127|(empty)
+1300475168.89241|h5DsfNtYzi1|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF||0|Dd|1|66|1|211|(empty)
+1300475168.89291|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1||0|ShADad|6|1457|4|949|(empty)
+1300475168.89294|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1||0|ShADad|6|1468|4|950|(empty)
+1300475168.89399|c4Zw9TmAE05|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF||0|Dd|1|66|1|117|(empty)
+1300475168.89442|EAr0uf4mhq|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF||0|Dd|1|80|1|127|(empty)
+1300475168.89479|GvmoxJFXdTa|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF||0|Dd|1|66|1|211|(empty)
+1300475168.89527|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1||0|ShADad|6|1498|4|950|(empty)
+1300475168.90175|slFea8xwSmb|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF||0|Dd|1|64|1|159|(empty)
+1300475168.9022|UfGkYA2HI2g|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF||0|Dd|1|64|1|226|(empty)
+1300475168.90264|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1||0|ShADad|4|750|3|576|(empty)
+1300475169.78033|2cx26uAvUPl|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH||0|h|0|0|1|48|(empty)
+1300475169.89944|BWaU4aSuwkc|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|85|0|0|(empty)
+1300475170.86238|10XodEwRycf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0||0|D|7|546|0|0|(empty)
+1300475171.67537|zno26fFZkrh|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0||0|D|2|162|0|0|(empty)
+1300475171.67708|v5rgkJBig5l|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0||0|D|2|122|0|0|(empty)
+1300475173.11675|eWZCH7OONC1|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0||0|D|2|162|0|0|(empty)
+1300475173.11736|0Pwk3ntf8O3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0||0|D|2|122|0|0|(empty)
+1300475173.15368|0HKorjr8Zp7|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0||0|D|1|78|0|0|(empty)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
index 774a93408a..5d5ac10d45 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
@@ -1,14 +1,14 @@
-1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
-1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||
+1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| +1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| +1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| +1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro index 24fcf7362b..d27717aaaf 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro @@ -1,4 +1,5 @@ # +# @TEST-REQUIRES: has-writer SQLite && which sqlite3 # @TEST-GROUP: sqlite # # @TEST-EXEC: bro -b %INPUT 
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro index d4af793788..a431cd9cb6 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro @@ -1,4 +1,5 @@ # +# @TEST-REQUIRES: has-writer SQLite && which sqlite3 # @TEST-GROUP: sqlite # # @TEST-EXEC: bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE From 7610aa31b647ea3b73c0ca732998e019ab7dc691 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 10 May 2013 19:20:27 -0700 Subject: [PATCH 108/134] Various smalle tweaks in preparation for merging. --- NEWS | 30 ++++++++++++++ src/HTTP.cc | 6 +++ src/MIME.cc | 4 +- src/SMTP.cc | 1 + src/event.bif | 2 +- src/file_analysis.bif | 21 ++++++++++ src/file_analysis/Analyzer.h | 5 ++- src/file_analysis/AnalyzerSet.cc | 9 +++- src/file_analysis/AnalyzerSet.h | 5 ++- src/file_analysis/DataEvent.cc | 6 ++- src/file_analysis/DataEvent.h | 9 ++-- src/file_analysis/Extract.cc | 8 +++- src/file_analysis/Extract.h | 9 ++-- src/file_analysis/File.cc | 43 ++++++++++++------- src/file_analysis/File.h | 27 ++++++------ src/file_analysis/FileID.h | 2 + src/file_analysis/FileTimer.cc | 6 ++- src/file_analysis/FileTimer.h | 6 +-- src/file_analysis/Hash.cc | 10 +++-- src/file_analysis/Hash.h | 11 ++--- src/file_analysis/Manager.cc | 71 ++++++++++++++++++++++---------- src/file_analysis/Manager.h | 28 ++++++------- src/input/readers/Binary.cc | 10 +++-- src/input/readers/Binary.h | 3 +- src/types.bif | 25 ----------- src/util.cc | 8 +++- 26 files changed, 236 insertions(+), 129 deletions(-) diff --git a/NEWS b/NEWS index 4c0e2b45cc..6a64318748 100644 --- a/NEWS +++ b/NEWS 
@@ -51,6 +51,36 @@ New Functionality can take up to two indices for the start and end index of the substring to return (e.g. "mystring[1,3]"). +- The new file analysis framework moves most of the processing of file + content from script-land into the core, where it belongs. Much of + this is an internal change, the framework comes with the following + user-visibible functionality (some of that was already available + before, but done differently): + + [TODO: This will probably change with further script updates.] + + - A binary input reader interfaces the input framework with file + analysis, allowing to inject files on disk into Bro's + processing. + + - Supports for analyzing data transfereed via HTTP range + requests. + + - HTTP: + * Identify MIME type of message. + * Extract message to disk. + * Compute MD5 for messages. + + - SMTP: + * Identify MIME type of message. + * Extract message to disk. + * Compute MD5 for messages. + * Provide access to start of entity data. + + - FTP data transfers: Identify MIME type; record to disk. + + - IRC DCC transfers: Record to disk. + Changed Functionality ~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/HTTP.cc b/src/HTTP.cc index 3ae17714d6..07868555e1 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -299,10 +299,12 @@ void HTTP_Entity::SubmitData(int len, const char* buf) http_message->MyHTTP_Analyzer()->GetTag(), http_message->MyHTTP_Analyzer()->Conn(), http_message->IsOrig()); + file_mgr->DataIn(reinterpret_cast(buf), len, offset, http_message->MyHTTP_Analyzer()->GetTag(), http_message->MyHTTP_Analyzer()->Conn(), http_message->IsOrig()); + offset += len; } else @@ -312,6 +314,7 @@ void HTTP_Entity::SubmitData(int len, const char* buf) http_message->MyHTTP_Analyzer()->GetTag(), http_message->MyHTTP_Analyzer()->Conn(), http_message->IsOrig()); + file_mgr->DataIn(reinterpret_cast(buf), len, http_message->MyHTTP_Analyzer()->GetTag(), http_message->MyHTTP_Analyzer()->Conn(), 
@@ -407,6 +410,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) instance_length) ) instance_length = 0; } + is_partial_content = true; offset = f; content_length = len; @@ -642,6 +646,7 @@ void HTTP_Message::EndEntity(MIME_Entity* entity) // SubmitAllHeaders (through EndOfData). if ( entity == top_level ) Done(); + else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) file_mgr->EndOfFile(MyHTTP_Analyzer()->GetTag(), MyHTTP_Analyzer()->Conn(), is_orig); @@ -904,6 +909,7 @@ void HTTP_Analyzer::Done() } file_mgr->EndOfFile(GetTag(), Conn(), true); + /* TODO: this might be nice to have, but reply code is cleared by now. if ( HTTP_ReplyCode() != 206 ) // multipart/byteranges may span multiple connections diff --git a/src/MIME.cc b/src/MIME.cc index 12729f1a07..3104ed2e8e 100644 --- a/src/MIME.cc +++ b/src/MIME.cc @@ -1034,12 +1034,14 @@ MIME_Mail::~MIME_Mail() void MIME_Mail::BeginEntity(MIME_Entity* /* entity */) { cur_entity_len = 0; + if ( mime_begin_entity ) { val_list* vl = new val_list; vl->append(analyzer->BuildConnVal()); analyzer->ConnectionEvent(mime_begin_entity, vl); } + buffer_start = data_start = 0; ASSERT(entity_content.size() == 0); } @@ -1131,8 +1133,8 @@ void MIME_Mail::SubmitData(int len, const char* buf) // is_orig param not available, doesn't matter as long as it's consistent file_mgr->DataIn(reinterpret_cast(buf), len, analyzer->GetTag(), analyzer->Conn(), false); - cur_entity_len += len; + cur_entity_len += len; buffer_start = (buf + len) - (char*)data_buffer->Bytes(); } diff --git a/src/SMTP.cc b/src/SMTP.cc index 0f6dafedc4..33f65ed743 100644 --- a/src/SMTP.cc +++ b/src/SMTP.cc @@ -90,6 +90,7 @@ void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) // ongoing mail transaction. if ( mail ) mail->Undelivered(len); + EndData(); } diff --git a/src/event.bif b/src/event.bif index 638a7ce141..0fcbd1cb5d 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -7000,7 +7000,7 @@ event event_queue_flush_point%(%); ## .. bro:see:: set_file_handle event get_file_handle%(tag: count, c: connection, is_orig: bool%); -## Indicates that a analysis of a new file has begun. The analysis can be +## Indicates that an analysis of a new file has begun. The analysis can be ## augmented at this time via :bro:see:`FileAnalysis::add_analyzer`. ## ## f: The file. diff --git a/src/file_analysis.bif b/src/file_analysis.bif index a2ef2b3e9f..cdece0d350 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -6,6 +6,27 @@ module FileAnalysis; #include "file_analysis/Manager.h" %%} +type AnalyzerArgs: record; + +## An enumeration of various file analysis actions that can be taken. +enum Analyzer %{ + + ## Extract a file to local filesystem + ANALYZER_EXTRACT, + + ## Calculate an MD5 digest of the file's contents. + ANALYZER_MD5, + + ## Calculate an SHA1 digest of the file's contents. + ANALYZER_SHA1, + + ## Calculate an SHA256 digest of the file's contents. + ANALYZER_SHA256, + + ## Deliver the file contents to the script-layer in an event. + ANALYZER_DATA_EVENT, +%} + ## :bro:see:`FileAnalysis::postpone_timeout`. function FileAnalysis::__postpone_timeout%(file_id: string%): bool %{ diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index 77139f5547..6ba76317a7 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_ANALYZER_H #define FILE_ANALYSIS_ANALYZER_H @@ -15,7 +17,6 @@ class File; */ class Analyzer { public: - virtual ~Analyzer() { DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %d", tag); @@ -83,13 +84,13 @@ public: } protected: - Analyzer(RecordVal* arg_args, File* arg_file) : tag(file_analysis::Analyzer::ArgsTag(arg_args)), args(arg_args->Ref()->AsRecordVal()), file(arg_file) {} +private: FA_Tag tag; RecordVal* args; File* file; 
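Review bot: The moved enum's doc for ANALYZER_EXTRACT, `## Extract a file to local filesystem`, is the only entry without a terminating period and does not say where the destination path comes from, although Extract::Instantiate elsewhere in this commit reads it from the `extract_filename` field of AnalyzerArgs. `## Extract the file's contents to the local filesystem, at the path given by the extract_filename field of AnalyzerArgs.` would match the style of its siblings and tell script authors which value they control. The `AnalyzerArgs` record declaration and the `%{ %}` enum block are complete within this hunk.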
diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index bdf23c2446..83c60d9abe 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "AnalyzerSet.h" #include "File.h" #include "Analyzer.h" @@ -39,6 +41,7 @@ AnalyzerSet::~AnalyzerSet() delete mod; mod_queue.pop(); } + delete analyzer_hash; } @@ -108,6 +111,7 @@ bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key) { file_analysis::Analyzer* a = (file_analysis::Analyzer*) analyzer_map.Remove(key); + delete key; if ( ! a ) @@ -119,6 +123,7 @@ bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key) DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %d for file id %s", a->Tag(), file->GetID().c_str()); + delete a; return true; } @@ -143,6 +148,7 @@ HashKey* AnalyzerSet::GetKey(const RecordVal* args) const HashKey* key = analyzer_hash->ComputeHash(args, 1); if ( ! key ) reporter->InternalError("AnalyzerArgs type mismatch"); + return key; } @@ -172,7 +178,8 @@ void AnalyzerSet::Insert(file_analysis::Analyzer* a, HashKey* key) void AnalyzerSet::DrainModifications() { - if ( mod_queue.empty() ) return; + if ( mod_queue.empty() ) + return; DBG_LOG(DBG_FILE_ANALYSIS, "Start analyzer mod queue flush of file id %s", file->GetID().c_str()); diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 357ca8d9de..e982cc9f8f 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_ANALYZERSET_H #define FILE_ANALYSIS_ANALYZERSET_H @@ -20,7 +22,6 @@ declare(PDict,Analyzer); */ class AnalyzerSet { public: - AnalyzerSet(File* arg_file); ~AnalyzerSet(); 
@@ -57,12 +58,12 @@ public: { return analyzer_map.NextEntry(c); } protected: - HashKey* GetKey(const RecordVal* args) const; file_analysis::Analyzer* InstantiateAnalyzer(RecordVal* args) const; void Insert(file_analysis::Analyzer* a, HashKey* key); bool Remove(FA_Tag tag, HashKey* key); +private: File* file; CompositeHash* analyzer_hash; /**< AnalyzerArgs hashes. */ PDict(file_analysis::Analyzer) analyzer_map; /**< Indexed by AnalyzerArgs. */ diff --git a/src/file_analysis/DataEvent.cc b/src/file_analysis/DataEvent.cc index 39652c6a53..b1107fff16 100644 --- a/src/file_analysis/DataEvent.cc +++ b/src/file_analysis/DataEvent.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include #include "DataEvent.h" @@ -44,7 +46,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset) if ( ! chunk_event ) return true; val_list* args = new val_list; - args->append(file->GetVal()->Ref()); + args->append(GetFile()->GetVal()->Ref()); args->append(new StringVal(new BroString(data, len, 0))); args->append(new Val(offset, TYPE_COUNT)); @@ -58,7 +60,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len) if ( ! stream_event ) return true; val_list* args = new val_list; - args->append(file->GetVal()->Ref()); + args->append(GetFile()->GetVal()->Ref()); args->append(new StringVal(new BroString(data, len, 0))); mgr.QueueEvent(stream_event, args); diff --git a/src/file_analysis/DataEvent.h b/src/file_analysis/DataEvent.h index be6f03e178..40a7f5971f 100644 --- a/src/file_analysis/DataEvent.h +++ b/src/file_analysis/DataEvent.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_DATAEVENT_H #define FILE_ANALYSIS_DATAEVENT_H 
@@ -14,18 +16,17 @@ namespace file_analysis { */ class DataEvent : public file_analysis::Analyzer { public: - - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); - virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); virtual bool DeliverStream(const u_char* data, uint64 len); -protected: + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); +protected: DataEvent(RecordVal* args, File* file, EventHandlerPtr ce, EventHandlerPtr se); +private: EventHandlerPtr chunk_event; EventHandlerPtr stream_event; }; diff --git a/src/file_analysis/Extract.cc b/src/file_analysis/Extract.cc index 860f55bdea..ad212273c7 100644 --- a/src/file_analysis/Extract.cc +++ b/src/file_analysis/Extract.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include #include "Extract.h" @@ -31,14 +33,16 @@ file_analysis::Analyzer* Extract::Instantiate(RecordVal* args, File* file) const char* field = "extract_filename"; Val* v = args->Lookup(AnalyzerArgs->FieldOffset(field)); - if ( ! v ) return 0; + if ( ! v ) + return 0; return new Extract(args, file, v->AsString()->CheckString()); } bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset) { - if ( ! fd ) return false; + if ( ! fd ) + return false; safe_pwrite(fd, data, len, offset); return true; diff --git a/src/file_analysis/Extract.h b/src/file_analysis/Extract.h index 97d2436469..1f5ee3a185 100644 --- a/src/file_analysis/Extract.h +++ b/src/file_analysis/Extract.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_EXTRACT_H #define FILE_ANALYSIS_EXTRACT_H 
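Review bot: The guard `if ( ! fd ) return false;` in Extract::DeliverChunk only catches a zero descriptor; if the constructor (outside this hunk) stores the raw return value of open(), a failed open leaves fd at -1 and safe_pwrite() is still called on it. Either keep fd at 0 on open failure so the existing test holds, or initialize it to -1 and test `if ( fd < 0 ) return false;` so the check matches the failure value open() actually returns. Instantiate also hands the script-supplied `extract_filename` straight to the constructor without inspecting it; a comment such as `// extract_filename is taken verbatim from AnalyzerArgs; the script layer is expected to supply a safe, fully-qualified path.` above the Lookup call would make that contract explicit. Instantiate's signature and DeliverChunk's closing brace, as well as the constructor that opens the file, lie outside this hunk.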
@@ -14,17 +16,16 @@ namespace file_analysis { */ class Extract : public file_analysis::Analyzer { public: - - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); - virtual ~Extract(); virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); -protected: + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); +protected: Extract(RecordVal* args, File* file, const string& arg_filename); +private: string filename; int fd; }; diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 70f7b174be..17b01f6b39 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include #include @@ -53,7 +55,8 @@ string File::salt; void File::StaticInit() { - if ( id_idx != -1 ) return; + if ( id_idx != -1 ) + return; id_idx = Idx("id"); parent_id_idx = Idx("parent_id"); @@ -75,9 +78,9 @@ void File::StaticInit() File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag, bool is_orig) - : id(""), unique(unique), val(0), postpone_timeout(false), - first_chunk(true), missed_bof(false), need_reassembly(false), done(false), - analyzers(this) + : id(""), unique(unique), val(0), postpone_timeout(false), + first_chunk(true), missed_bof(false), need_reassembly(false), done(false), + analyzers(this) { StaticInit(); @@ -127,7 +130,8 @@ double File::GetLastActivityTime() const void File::UpdateConnectionFields(Connection* conn) { - if ( ! conn ) return; + if ( ! conn ) + return; Val* conns = val->Lookup(conns_idx); @@ -136,7 +140,8 @@ void File::UpdateConnectionFields(Connection* conn) if ( ! conns ) { is_first = true; - val->Assign(conns_idx, conns = empty_connection_table()); + conns = empty_connection_table(); + val->Assign(conns_idx, conns); } Val* idx = get_conn_id_val(conn); 
@@ -178,6 +183,7 @@ int File::Idx(const string& field) int rval = fa_file_type->FieldOffset(field.c_str()); if ( rval < 0 ) reporter->InternalError("Unknown fa_file field: %s", field.c_str()); + return rval; } @@ -205,9 +211,12 @@ void File::SetTotalBytes(uint64 size) bool File::IsComplete() const { Val* total = val->Lookup(total_bytes_idx); - if ( ! total ) return false; + if ( ! total ) + return false; + if ( LookupFieldDefaultCount(seen_bytes_idx) >= total->AsCount() ) return true; + return false; } @@ -228,7 +237,8 @@ bool File::RemoveAnalyzer(const RecordVal* args) bool File::BufferBOF(const u_char* data, uint64 len) { - if ( bof_buffer.full || bof_buffer.replayed ) return false; + if ( bof_buffer.full || bof_buffer.replayed ) + return false; uint64 desired_size = LookupFieldDefaultCount(bof_buffer_size_idx); @@ -264,7 +274,9 @@ bool File::DetectMIME(const u_char* data, uint64 len) void File::ReplayBOF() { - if ( bof_buffer.replayed ) return; + if ( bof_buffer.replayed ) + return; + bof_buffer.replayed = true; if ( bof_buffer.chunks.empty() ) @@ -310,9 +322,7 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset) // TODO: check reassembly requirement based on buffer size in record if ( need_reassembly ) - { - // TODO - } + reporter->InternalError("file_analyzer::File TODO: reassembly not yet supported"); // TODO: reassembly overflow stuff, increment overflow count, eval trigger @@ -323,7 +333,8 @@ void File::DataIn(const u_char* data, uint64 len) { analyzers.DrainModifications(); - if ( BufferBOF(data, len) ) return; + if ( BufferBOF(data, len) ) + return; if ( missed_bof ) { @@ -356,7 +367,8 @@ void File::DataIn(const u_char* data, uint64 len) void File::EndOfFile() { - if ( done ) return; + if ( done ) + return; analyzers.DrainModifications(); 
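Review bot: Replacing the empty `// TODO` block with `reporter->InternalError(...)` turns the unsupported-reassembly path in File::DataIn into a fatal abort; need_reassembly is initialized to false in the constructor hunk of this commit and the comment above says the check is still to be derived from the record's buffer size, so if it later becomes driven by out-of-order data arriving on the wire, a single remote peer could terminate the process rather than just lose that file's analysis. Until reassembly is implemented, a non-fatal report that drops the chunk — `reporter->Warning("file_analysis::File: reassembly not yet supported, dropping chunk"); return;` — keeps the failure local to one file. The message also names `file_analyzer::File` while the class lives in the file_analysis namespace. File::DataIn starts before and continues past this hunk.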
@@ -416,7 +428,8 @@ bool File::FileEventAvailable(EventHandlerPtr h) void File::FileEvent(EventHandlerPtr h) { - if ( ! FileEventAvailable(h) ) return; + if ( ! FileEventAvailable(h) ) + return; val_list* vl = new val_list(); vl->append(val->Ref()); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index e6438a9e64..a31f0bfa41 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_FILE_H #define FILE_ANALYSIS_FILE_H @@ -17,10 +19,7 @@ namespace file_analysis { * Wrapper class around \c fa_file record values from script layer. */ class File { -friend class Manager; - public: - ~File(); /** @@ -127,6 +126,7 @@ public: void FileEvent(EventHandlerPtr h, val_list* vl); protected: + friend class Manager; /** * Constructor; only file_analysis::Manager should be creating these. @@ -175,6 +175,17 @@ protected: */ bool DetectMIME(const u_char* data, uint64 len); + /** + * @return the field offset in #val record corresponding to \a field_name. + */ + static int Idx(const string& field_name); + + /** + * Initializes static member. + */ + static void StaticInit(); + +private: FileID id; /**< A pretty hash that likely identifies file */ string unique; /**< A string that uniquely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ @@ -196,16 +207,6 @@ protected: BroString::CVec chunks; } bof_buffer; /**< Beginning of file buffer. */ - /** - * @return the field offset in #val record corresponding to \a field_name. - */ - static int Idx(const string& field_name); - - /** - * Initializes static member. - */ - static void StaticInit(); - static string salt; static int id_idx; diff --git a/src/file_analysis/FileID.h b/src/file_analysis/FileID.h index 6d594d6b37..9816437214 100644 --- a/src/file_analysis/FileID.h +++ b/src/file_analysis/FileID.h 
@@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_FILEID_H #define FILE_ANALYSIS_FILEID_H diff --git a/src/file_analysis/FileTimer.cc b/src/file_analysis/FileTimer.cc index 349d8a9de4..84d4138616 100644 --- a/src/file_analysis/FileTimer.cc +++ b/src/file_analysis/FileTimer.cc @@ -1,9 +1,10 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "Manager.h" #include "File.h" using namespace file_analysis; - FileTimer::FileTimer(double t, const FileID& id, double interval) : Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id) { @@ -15,7 +16,8 @@ void FileTimer::Dispatch(double t, int is_expire) { File* file = file_mgr->Lookup(file_id); - if ( ! file ) return; + if ( ! file ) + return; double last_active = file->GetLastActivityTime(); double inactive_time = t > last_active ? t - last_active : 0.0; diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index 71a1274e8c..6ab2638e5f 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_FILETIMER_H #define FILE_ANALYSIS_FILETIMER_H @@ -12,7 +14,6 @@ namespace file_analysis { */ class FileTimer : public Timer { public: - FileTimer(double t, const FileID& id, double interval); /** @@ -21,8 +22,7 @@ public: */ void Dispatch(double t, int is_expire); -protected: - +private: FileID file_id; }; diff --git a/src/file_analysis/Hash.cc b/src/file_analysis/Hash.cc index 7b36eb007f..9835f343b6 100644 --- a/src/file_analysis/Hash.cc +++ b/src/file_analysis/Hash.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include #include "Hash.h" 
@@ -19,7 +21,8 @@ Hash::~Hash() bool Hash::DeliverStream(const u_char* data, uint64 len) { - if ( ! hash->IsValid() ) return false; + if ( ! hash->IsValid() ) + return false; if ( ! fed ) fed = len > 0; @@ -41,10 +44,11 @@ bool Hash::Undelivered(uint64 offset, uint64 len) void Hash::Finalize() { - if ( ! hash->IsValid() || ! fed ) return; + if ( ! hash->IsValid() || ! fed ) + return; val_list* vl = new val_list(); - vl->append(file->GetVal()->Ref()); + vl->append(GetFile()->GetVal()->Ref()); vl->append(new StringVal(kind)); vl->append(hash->Get()); diff --git a/src/file_analysis/Hash.h b/src/file_analysis/Hash.h index 2456777281..e4bc8f1747 100644 --- a/src/file_analysis/Hash.h +++ b/src/file_analysis/Hash.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_HASH_H #define FILE_ANALYSIS_HASH_H @@ -15,7 +17,6 @@ namespace file_analysis { */ class Hash : public file_analysis::Analyzer { public: - virtual ~Hash(); virtual bool DeliverStream(const u_char* data, uint64 len); @@ -25,11 +26,11 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); protected: - Hash(RecordVal* args, File* file, HashVal* hv, const char* kind); void Finalize(); +private: HashVal* hash; bool fed; const char* kind; @@ -37,12 +38,10 @@ protected: class MD5 : public Hash { public: - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new MD5(args, file) : 0; } protected: - MD5(RecordVal* args, File* file) : Hash(args, file, new MD5Val(), "md5") {} @@ -50,12 +49,10 @@ protected: class SHA1 : public Hash { public: - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new SHA1(args, file) : 0; } protected: - SHA1(RecordVal* args, File* file) : Hash(args, file, new SHA1Val(), "sha1") {} 
@@ -63,12 +60,10 @@ protected: class SHA256 : public Hash { public: - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new SHA256(args, file) : 0; } protected: - SHA256(RecordVal* args, File* file) : Hash(args, file, new SHA256Val(), "sha256") {} diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index e316fdc66a..9d55682264 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include #include @@ -25,6 +27,7 @@ void Manager::Terminate() vector keys; for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it ) keys.push_back(it->first); + for ( size_t i = 0; i < keys.size(); ++i ) Timeout(keys[i], true); } @@ -37,7 +40,8 @@ void Manager::SetHandle(const string& handle) void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) return; + if ( IsDisabled(tag) ) + return; GetFileHandle(tag, conn, is_orig); DataIn(data, len, offset, GetFile(current_handle, conn, tag, is_orig)); @@ -52,7 +56,8 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, File* file) { - if ( ! file ) return; + if ( ! file ) + return; file->DataIn(data, len, offset); @@ -63,8 +68,11 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) return; + if ( IsDisabled(tag) ) + return; + GetFileHandle(tag, conn, is_orig); + // Sequential data input shouldn't be going over multiple conns, so don't // do the check to update connection set. DataIn(data, len, GetFile(current_handle, conn, tag, is_orig, false)); 
@@ -77,7 +85,8 @@ void Manager::DataIn(const u_char* data, uint64 len, const string& unique) void Manager::DataIn(const u_char* data, uint64 len, File* file) { - if ( ! file ) return; + if ( ! file ) + return; file->DataIn(data, len); @@ -93,7 +102,8 @@ void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn) void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) return; + if ( IsDisabled(tag) ) + return; GetFileHandle(tag, conn, is_orig); EndOfFile(current_handle); @@ -107,7 +117,8 @@ void Manager::EndOfFile(const string& unique) void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) return; + if ( IsDisabled(tag) ) + return; GetFileHandle(tag, conn, is_orig); Gap(offset, len, GetFile(current_handle, conn, tag, is_orig)); @@ -120,7 +131,8 @@ void Manager::Gap(uint64 offset, uint64 len, const string& unique) void Manager::Gap(uint64 offset, uint64 len, File* file) { - if ( ! file ) return; + if ( ! file ) + return; file->Gap(offset, len); } @@ -128,7 +140,8 @@ void Manager::Gap(uint64 offset, uint64 len, File* file) void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) return; + if ( IsDisabled(tag) ) + return; GetFileHandle(tag, conn, is_orig); SetSize(size, GetFile(current_handle, conn, tag, is_orig)); @@ -141,7 +154,8 @@ void Manager::SetSize(uint64 size, const string& unique) void Manager::SetSize(uint64 size, File* file) { - if ( ! file ) return; + if ( ! file ) + return; file->SetTotalBytes(size); @@ -153,7 +167,8 @@ bool Manager::PostponeTimeout(const FileID& file_id) const { File* file = Lookup(file_id); - if ( ! file ) return false; + if ( ! file ) + return false; file->postpone_timeout = true; return true; 
@@ -163,7 +178,8 @@ bool Manager::SetTimeoutInterval(const FileID& file_id, double interval) const { File* file = Lookup(file_id); - if ( ! file ) return false; + if ( ! file ) + return false; file->SetTimeoutInterval(interval); return true; @@ -173,7 +189,8 @@ bool Manager::AddAnalyzer(const FileID& file_id, RecordVal* args) const { File* file = Lookup(file_id); - if ( ! file ) return false; + if ( ! file ) + return false; return file->AddAnalyzer(args); } @@ -182,7 +199,8 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const { File* file = Lookup(file_id); - if ( ! file ) return false; + if ( ! file ) + return false; return file->RemoveAnalyzer(args); } @@ -190,8 +208,11 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const File* Manager::GetFile(const string& unique, Connection* conn, AnalyzerTag::Tag tag, bool is_orig, bool update_conn) { - if ( unique.empty() ) return 0; - if ( IsIgnored(unique) ) return 0; + if ( unique.empty() ) + return 0; + + if ( IsIgnored(unique) ) + return 0; File* rval = str_map[unique]; @@ -208,11 +229,14 @@ File* Manager::GetFile(const string& unique, Connection* conn, id_map[id] = rval; rval->ScheduleInactivityTimer(); - if ( IsIgnored(unique) ) return 0; + + if ( IsIgnored(unique) ) + return 0; } else { rval->UpdateLastActivityTime(); + if ( update_conn ) rval->UpdateConnectionFields(conn); } @@ -224,7 +248,8 @@ File* Manager::Lookup(const FileID& file_id) const { IDMap::const_iterator it = id_map.find(file_id); - if ( it == id_map.end() ) return 0; + if ( it == id_map.end() ) + return 0; return it->second; } @@ -233,7 +258,8 @@ void Manager::Timeout(const FileID& file_id, bool is_terminating) { File* file = Lookup(file_id); - if ( ! file ) return; + if ( ! file ) + return; file->postpone_timeout = false; 
@@ -258,7 +284,8 @@ bool Manager::IgnoreFile(const FileID& file_id) { IDMap::iterator it = id_map.find(file_id); - if ( it == id_map.end() ) return false; + if ( it == id_map.end() ) + return false; DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str()); @@ -271,7 +298,8 @@ bool Manager::RemoveFile(const string& unique) { StrMap::iterator it = str_map.find(unique); - if ( it == str_map.end() ) return false; + if ( it == str_map.end() ) + return false; it->second->EndOfFile(); @@ -317,7 +345,8 @@ bool Manager::IsDisabled(AnalyzerTag::Tag tag) Val* yield = disabled->Lookup(index); Unref(index); - if ( ! yield ) return false; + if ( ! yield ) + return false; bool rval = yield->AsBool(); Unref(yield); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 16aec474cd..faa4fdaf33 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef FILE_ANALYSIS_MANAGER_H #define FILE_ANALYSIS_MANAGER_H @@ -24,12 +26,8 @@ namespace file_analysis { * Main entry point for interacting with file analysis. */ class Manager { -friend class FileTimer; - public: - Manager(); - ~Manager(); /** @@ -45,12 +43,12 @@ public: /** * Pass in non-sequential file data. */ - void DataIn(const u_char* data, uint64 len, uint64 offset, - AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void DataIn(const u_char* data, uint64 len, uint64 offset, - const string& unique); - void DataIn(const u_char* data, uint64 len, uint64 offset, - File* file); + void DataIn(const u_char* data, uint64 len, uint64 offset, + AnalyzerTag::Tag tag, Connection* conn, bool is_orig); + void DataIn(const u_char* data, uint64 len, uint64 offset, + const string& unique); + void DataIn(const u_char* data, uint64 len, uint64 offset, + File* file); /** * Pass in sequential file data. 
@@ -121,6 +119,7 @@ public: bool IsIgnored(const string& unique); protected: + friend class FileTimer; typedef map StrMap; typedef set StrSet; @@ -167,10 +166,11 @@ protected: */ static bool IsDisabled(AnalyzerTag::Tag tag); - StrMap str_map; /**< Map unique string to file_analysis::File. */ - IDMap id_map; /**< Map file ID to file_analysis::File records. */ - StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */ - string current_handle; /**< Last file handle set by get_file_handle event.*/ +private: + StrMap str_map; /**< Map unique string to file_analysis::File. */ + IDMap id_map; /**< Map file ID to file_analysis::File records. */ + StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */ + string current_handle; /**< Last file handle set by get_file_handle event.*/ static TableVal* disabled; /**< Table of disabled analyzers. */ }; diff --git a/src/input/readers/Binary.cc b/src/input/readers/Binary.cc index da86753303..43df6d7e6b 100644 --- a/src/input/readers/Binary.cc +++ b/src/input/readers/Binary.cc @@ -19,6 +19,7 @@ Binary::Binary(ReaderFrontend *frontend) if ( ! chunk_size ) { chunk_size = BifConst::InputBinary::chunk_size; + if ( ! chunk_size ) chunk_size = 1024; } @@ -99,12 +100,14 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, return false; } - // do Initialization + // do initialization fname = info.source; - if ( ! OpenInput() ) return false; + if ( ! OpenInput() ) + return false; - if ( UpdateModificationTime() == -1 ) return false; + if ( UpdateModificationTime() == -1 ) + return false; #ifdef DEBUG Debug(DBG_INPUT, "Binary reader created, will perform first update"); @@ -198,6 +201,7 @@ bool Binary::DoUpdate() } CloseInput(); + if ( ! OpenInput() ) return false; diff --git a/src/input/readers/Binary.h b/src/input/readers/Binary.h index 2705800ab8..a2283d1980 100644 --- a/src/input/readers/Binary.h +++ b/src/input/readers/Binary.h 
@@ -3,9 +3,10 @@ #ifndef INPUT_READERS_BINARY_H #define INPUT_READERS_BINARY_H -#include "../ReaderBackend.h" #include +#include "../ReaderBackend.h" + namespace input { namespace reader { /** diff --git a/src/types.bif b/src/types.bif index 954c33ce21..420908b76b 100644 --- a/src/types.bif +++ b/src/types.bif @@ -226,28 +226,3 @@ type gtp_rai: record; type gtp_qos_profile: record; type gtp_private_extension: record; type gtp_gsn_addr: record; - -module FileAnalysis; - -type AnalyzerArgs: record; - -## An enumeration of various file analysis actions that can be taken. -enum Analyzer %{ - - ## Extract a file to local filesystem - ANALYZER_EXTRACT, - - ## Calculate an MD5 digest of the file's contents. - ANALYZER_MD5, - - ## Calculate an SHA1 digest of the file's contents. - ANALYZER_SHA1, - - ## Calculate an SHA256 digest of the file's contents. - ANALYZER_SHA256, - - ## Deliver the file contents to the script-layer in an event. - ANALYZER_DATA_EVENT, -%} - -module GLOBAL; diff --git a/src/util.cc b/src/util.cc index 85d43020f6..a031f41ffe 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1577,14 +1577,18 @@ void bro_init_magic(magic_t* cookie_ptr, int flags) if ( ! *cookie_ptr ) { const char* err = magic_error(*cookie_ptr); - if ( ! err ) err = "unknown"; + if ( ! err ) + err = "unknown"; + reporter->InternalError("can't init libmagic: %s", err); } else if ( magic_load(*cookie_ptr, database) < 0 ) { const char* err = magic_error(*cookie_ptr); - if ( ! err ) err = "unknown"; + if ( ! err ) + err = "unknown"; + const char* db_name = database ? database : ""; reporter->InternalError("can't load magic file %s: %s", db_name, err); magic_close(*cookie_ptr); From 2aa2641844a72ba67259ea6dc8f78f4d4f5087e7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 13 May 2013 16:51:34 -0700 Subject: [PATCH 109/134] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/aux/broctl b/aux/broctl index 786b83664c..19eb25de24 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 786b83664c6a15faeb153d118310526b7790deae +Subproject commit 19eb25de240b533573891fe9c5bc5bc72a92d9f2 From 2b8c2f23160c42acbe8255a0be38b3e4269ae417 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 13 May 2013 18:41:04 -0700 Subject: [PATCH 110/134] add sqlite distribution. Note that tests currently still require an external sqlite3 for the command-line client. However, for that the version does not matter - so I guess while not completely nice it could be ok... --- src/CMakeLists.txt | 2 + src/external/sqlite3.c | 138114 ++++++++++++++++++++++++++++++++++ src/external/sqlite3.h | 7174 ++ src/input/readers/SQLite.h | 2 +- 4 files changed, 145291 insertions(+), 1 deletion(-) create mode 100644 src/external/sqlite3.c create mode 100644 src/external/sqlite3.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c721093ccf..9b11007e4a 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -448,6 +448,8 @@ set(bro_SRCS input/readers/Raw.cc input/readers/Benchmark.cc input/readers/SQLite.cc + + external/sqlite3.c nb_dns.c digest.h diff --git a/src/external/sqlite3.c b/src/external/sqlite3.c new file mode 100644 index 0000000000..51e54a1894 --- /dev/null +++ b/src/external/sqlite3.c 
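Review bot: The `@@ -448,6 +448,8 @@` hunk compiles `external/sqlite3.c` into bro_SRCS with no record of how the copy is to be refreshed, so future SQLite security fixes reach Bro only if someone remembers to re-vendor by hand. The file's own header identifies it as SQLite 3.7.16.2 and the embedded `SQLITE_SOURCE_ID` carries the upstream check-in hash, so a short README beside the file stating that version, the upstream URL and the update procedure would make the vendored copy auditable; a CMake option to prefer the system library when one is available would shorten the exposure window further. No `SQLITE_*` compile definitions are set here, so the amalgamation's defaults apply (the file itself defaults `SQLITE_THREADSAFE` to 1); if the input reader needs a different threading mode or wants unused features such as run-time extension loading omitted (`SQLITE_OMIT_LOAD_EXTENSION`), those belong in a `set_source_files_properties(external/sqlite3.c PROPERTIES COMPILE_DEFINITIONS ...)` line next to this addition rather than in the project-wide flags.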
@@ -0,0 +1,138114 @@ +/****************************************************************************** +** This file is an amalgamation of many separate C source files from SQLite +** version 3.7.16.2. By combining all the individual C code files into this +** single large file, the entire code can be compiled as a single translation +** unit. This allows many compilers to do optimizations that would not be +** possible if the files were compiled separately. Performance improvements +** of 5% or more are commonly seen when SQLite is compiled as a single +** translation unit. +** +** This file is all you need to compile SQLite. To use SQLite in other +** programs, you need this file and the "sqlite3.h" header file that defines +** the programming interface to the SQLite library. (If you do not have +** the "sqlite3.h" header file at hand, you will find a copy embedded within +** the text of this file. Search for "Begin file sqlite3.h" to find the start +** of the embedded sqlite3.h header file.) Additional code files may be needed +** if you want a wrapper to interface SQLite with your choice of programming +** language. The code for the "sqlite3" command-line shell is also in a +** separate file. This file contains only code for the core SQLite library. +*/ +#define SQLITE_CORE 1 +#define SQLITE_AMALGAMATION 1 +#ifndef SQLITE_PRIVATE +# define SQLITE_PRIVATE static +#endif +#ifndef SQLITE_API +# define SQLITE_API +#endif +/************** Begin file sqliteInt.h ***************************************/ +/* +** 2001 September 15 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** Internal interface definitions for SQLite. 
+** +*/ +#ifndef _SQLITEINT_H_ +#define _SQLITEINT_H_ + +/* +** These #defines should enable >2GB file support on POSIX if the +** underlying operating system supports it. If the OS lacks +** large file support, or if the OS is windows, these should be no-ops. +** +** Ticket #2739: The _LARGEFILE_SOURCE macro must appear before any +** system #includes. Hence, this block of code must be the very first +** code in all source files. +** +** Large file support can be disabled using the -DSQLITE_DISABLE_LFS switch +** on the compiler command line. This is necessary if you are compiling +** on a recent machine (ex: Red Hat 7.2) but you want your code to work +** on an older machine (ex: Red Hat 6.0). If you compile on Red Hat 7.2 +** without this option, LFS is enable. But LFS does not exist in the kernel +** in Red Hat 6.0, so the code won't work. Hence, for maximum binary +** portability you should omit LFS. +** +** Similar is true for Mac OS X. LFS is only supported on Mac OS X 9 and later. +*/ +#ifndef SQLITE_DISABLE_LFS +# define _LARGE_FILE 1 +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 +# endif +# define _LARGEFILE_SOURCE 1 +#endif + +/* +** Include the configuration header output by 'configure' if we're using the +** autoconf-based build +*/ +#ifdef _HAVE_SQLITE_CONFIG_H +#include "config.h" +#endif + +/************** Include sqliteLimit.h in the middle of sqliteInt.h ***********/ +/************** Begin file sqliteLimit.h *************************************/ +/* +** 2007 May 7 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** +** This file defines various limits of what SQLite can process. 
+*/ + +/* +** The maximum length of a TEXT or BLOB in bytes. This also +** limits the size of a row in a table or index. +** +** The hard limit is the ability of a 32-bit signed integer +** to count the size: 2^31-1 or 2147483647. +*/ +#ifndef SQLITE_MAX_LENGTH +# define SQLITE_MAX_LENGTH 1000000000 +#endif + +/* +** This is the maximum number of +** +** * Columns in a table +** * Columns in an index +** * Columns in a view +** * Terms in the SET clause of an UPDATE statement +** * Terms in the result set of a SELECT statement +** * Terms in the GROUP BY or ORDER BY clauses of a SELECT statement. +** * Terms in the VALUES clause of an INSERT statement +** +** The hard upper limit here is 32676. Most database people will +** tell you that in a well-normalized database, you usually should +** not have more than a dozen or so columns in any table. And if +** that is the case, there is no point in having more than a few +** dozen values in any of the other situations described above. +*/ +#ifndef SQLITE_MAX_COLUMN +# define SQLITE_MAX_COLUMN 2000 +#endif + +/* +** The maximum length of a single SQL statement in bytes. +** +** It used to be the case that setting this value to zero would +** turn the limit off. That is no longer true. It is not possible +** to turn this limit off. +*/ +#ifndef SQLITE_MAX_SQL_LENGTH +# define SQLITE_MAX_SQL_LENGTH 1000000000 +#endif + +/* +** The maximum depth of an expression tree. This is limited to +** some extent by SQLITE_MAX_SQL_LENGTH. But sometime you might +** want to place more severe limits on the complexity of an +** expression. +** +** A value of 0 used to mean that the limit was not enforced. +** But that is no longer true. The limit is now strictly enforced +** at all times. +*/ +#ifndef SQLITE_MAX_EXPR_DEPTH +# define SQLITE_MAX_EXPR_DEPTH 1000 +#endif + +/* +** The maximum number of terms in a compound SELECT statement. +** The code generator for compound SELECT statements does one +** level of recursion for each term. 
A stack overflow can result +** if the number of terms is too large. In practice, most SQL +** never has more than 3 or 4 terms. Use a value of 0 to disable +** any limit on the number of terms in a compount SELECT. +*/ +#ifndef SQLITE_MAX_COMPOUND_SELECT +# define SQLITE_MAX_COMPOUND_SELECT 500 +#endif + +/* +** The maximum number of opcodes in a VDBE program. +** Not currently enforced. +*/ +#ifndef SQLITE_MAX_VDBE_OP +# define SQLITE_MAX_VDBE_OP 25000 +#endif + +/* +** The maximum number of arguments to an SQL function. +*/ +#ifndef SQLITE_MAX_FUNCTION_ARG +# define SQLITE_MAX_FUNCTION_ARG 127 +#endif + +/* +** The maximum number of in-memory pages to use for the main database +** table and for temporary tables. The SQLITE_DEFAULT_CACHE_SIZE +*/ +#ifndef SQLITE_DEFAULT_CACHE_SIZE +# define SQLITE_DEFAULT_CACHE_SIZE 2000 +#endif +#ifndef SQLITE_DEFAULT_TEMP_CACHE_SIZE +# define SQLITE_DEFAULT_TEMP_CACHE_SIZE 500 +#endif + +/* +** The default number of frames to accumulate in the log file before +** checkpointing the database in WAL mode. +*/ +#ifndef SQLITE_DEFAULT_WAL_AUTOCHECKPOINT +# define SQLITE_DEFAULT_WAL_AUTOCHECKPOINT 1000 +#endif + +/* +** The maximum number of attached databases. This must be between 0 +** and 62. The upper bound on 62 is because a 64-bit integer bitmap +** is used internally to track attached databases. +*/ +#ifndef SQLITE_MAX_ATTACHED +# define SQLITE_MAX_ATTACHED 10 +#endif + + +/* +** The maximum value of a ?nnn wildcard that the parser will accept. +*/ +#ifndef SQLITE_MAX_VARIABLE_NUMBER +# define SQLITE_MAX_VARIABLE_NUMBER 999 +#endif + +/* Maximum page size. The upper bound on this value is 65536. This a limit +** imposed by the use of 16-bit offsets within each page. +** +** Earlier versions of SQLite allowed the user to change this value at +** compile time. This is no longer permitted, on the grounds that it creates +** a library that is technically incompatible with an SQLite library +** compiled with a different limit. 
If a process operating on a database +** with a page-size of 65536 bytes crashes, then an instance of SQLite +** compiled with the default page-size limit will not be able to rollback +** the aborted transaction. This could lead to database corruption. +*/ +#ifdef SQLITE_MAX_PAGE_SIZE +# undef SQLITE_MAX_PAGE_SIZE +#endif +#define SQLITE_MAX_PAGE_SIZE 65536 + + +/* +** The default size of a database page. +*/ +#ifndef SQLITE_DEFAULT_PAGE_SIZE +# define SQLITE_DEFAULT_PAGE_SIZE 1024 +#endif +#if SQLITE_DEFAULT_PAGE_SIZE>SQLITE_MAX_PAGE_SIZE +# undef SQLITE_DEFAULT_PAGE_SIZE +# define SQLITE_DEFAULT_PAGE_SIZE SQLITE_MAX_PAGE_SIZE +#endif + +/* +** Ordinarily, if no value is explicitly provided, SQLite creates databases +** with page size SQLITE_DEFAULT_PAGE_SIZE. However, based on certain +** device characteristics (sector-size and atomic write() support), +** SQLite may choose a larger value. This constant is the maximum value +** SQLite will choose on its own. +*/ +#ifndef SQLITE_MAX_DEFAULT_PAGE_SIZE +# define SQLITE_MAX_DEFAULT_PAGE_SIZE 8192 +#endif +#if SQLITE_MAX_DEFAULT_PAGE_SIZE>SQLITE_MAX_PAGE_SIZE +# undef SQLITE_MAX_DEFAULT_PAGE_SIZE +# define SQLITE_MAX_DEFAULT_PAGE_SIZE SQLITE_MAX_PAGE_SIZE +#endif + + +/* +** Maximum number of pages in one database file. +** +** This is really just the default value for the max_page_count pragma. +** This value can be lowered (or raised) at run-time using that the +** max_page_count macro. +*/ +#ifndef SQLITE_MAX_PAGE_COUNT +# define SQLITE_MAX_PAGE_COUNT 1073741823 +#endif + +/* +** Maximum length (in bytes) of the pattern in a LIKE or GLOB +** operator. +*/ +#ifndef SQLITE_MAX_LIKE_PATTERN_LENGTH +# define SQLITE_MAX_LIKE_PATTERN_LENGTH 50000 +#endif + +/* +** Maximum depth of recursion for triggers. +** +** A value of 1 means that a trigger program will not be able to itself +** fire any triggers. A value of 0 means that no trigger programs at all +** may be executed. 
+*/ +#ifndef SQLITE_MAX_TRIGGER_DEPTH +# define SQLITE_MAX_TRIGGER_DEPTH 1000 +#endif + +/************** End of sqliteLimit.h *****************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ + +/* Disable nuisance warnings on Borland compilers */ +#if defined(__BORLANDC__) +#pragma warn -rch /* unreachable code */ +#pragma warn -ccc /* Condition is always true or false */ +#pragma warn -aus /* Assigned value is never used */ +#pragma warn -csu /* Comparing signed and unsigned */ +#pragma warn -spa /* Suspicious pointer arithmetic */ +#endif + +/* Needed for various definitions... */ +#ifndef _GNU_SOURCE +# define _GNU_SOURCE +#endif + +#if defined(__OpenBSD__) && !defined(_BSD_SOURCE) +# define _BSD_SOURCE +#endif + +/* +** Include standard header files as necessary +*/ +#ifdef HAVE_STDINT_H +#include +#endif +#ifdef HAVE_INTTYPES_H +#include +#endif + +/* +** The following macros are used to cast pointers to integers and +** integers to pointers. The way you do this varies from one compiler +** to the next, so we have developed the following set of #if statements +** to generate appropriate macros for a wide range of compilers. +** +** The correct "ANSI" way to do this is to use the intptr_t type. +** Unfortunately, that typedef is not available on all compilers, or +** if it is available, it requires an #include of specific headers +** that vary from one machine to the next. +** +** Ticket #3860: The llvm-gcc-4.2 compiler from Apple chokes on +** the ((void*)&((char*)0)[X]) construct. But MSVC chokes on ((void*)(X)). +** So we have to define the macros in different ways depending on the +** compiler. 
+*/ +#if defined(__PTRDIFF_TYPE__) /* This case should work for GCC */ +# define SQLITE_INT_TO_PTR(X) ((void*)(__PTRDIFF_TYPE__)(X)) +# define SQLITE_PTR_TO_INT(X) ((int)(__PTRDIFF_TYPE__)(X)) +#elif !defined(__GNUC__) /* Works for compilers other than LLVM */ +# define SQLITE_INT_TO_PTR(X) ((void*)&((char*)0)[X]) +# define SQLITE_PTR_TO_INT(X) ((int)(((char*)X)-(char*)0)) +#elif defined(HAVE_STDINT_H) /* Use this case if we have ANSI headers */ +# define SQLITE_INT_TO_PTR(X) ((void*)(intptr_t)(X)) +# define SQLITE_PTR_TO_INT(X) ((int)(intptr_t)(X)) +#else /* Generates a warning - but it always works */ +# define SQLITE_INT_TO_PTR(X) ((void*)(X)) +# define SQLITE_PTR_TO_INT(X) ((int)(X)) +#endif + +/* +** The SQLITE_THREADSAFE macro must be defined as 0, 1, or 2. +** 0 means mutexes are permanently disable and the library is never +** threadsafe. 1 means the library is serialized which is the highest +** level of threadsafety. 2 means the libary is multithreaded - multiple +** threads can use SQLite as long as no two threads try to use the same +** database connection at the same time. +** +** Older versions of SQLite used an optional THREADSAFE macro. +** We support that for legacy. +*/ +#if !defined(SQLITE_THREADSAFE) +#if defined(THREADSAFE) +# define SQLITE_THREADSAFE THREADSAFE +#else +# define SQLITE_THREADSAFE 1 /* IMP: R-07272-22309 */ +#endif +#endif + +/* +** Powersafe overwrite is on by default. But can be turned off using +** the -DSQLITE_POWERSAFE_OVERWRITE=0 command-line option. +*/ +#ifndef SQLITE_POWERSAFE_OVERWRITE +# define SQLITE_POWERSAFE_OVERWRITE 1 +#endif + +/* +** The SQLITE_DEFAULT_MEMSTATUS macro must be defined as either 0 or 1. +** It determines whether or not the features related to +** SQLITE_CONFIG_MEMSTATUS are available by default or not. This value can +** be overridden at runtime using the sqlite3_config() API. 
+*/ +#if !defined(SQLITE_DEFAULT_MEMSTATUS) +# define SQLITE_DEFAULT_MEMSTATUS 1 +#endif + +/* +** Exactly one of the following macros must be defined in order to +** specify which memory allocation subsystem to use. +** +** SQLITE_SYSTEM_MALLOC // Use normal system malloc() +** SQLITE_WIN32_MALLOC // Use Win32 native heap API +** SQLITE_ZERO_MALLOC // Use a stub allocator that always fails +** SQLITE_MEMDEBUG // Debugging version of system malloc() +** +** On Windows, if the SQLITE_WIN32_MALLOC_VALIDATE macro is defined and the +** assert() macro is enabled, each call into the Win32 native heap subsystem +** will cause HeapValidate to be called. If heap validation should fail, an +** assertion will be triggered. +** +** (Historical note: There used to be several other options, but we've +** pared it down to just these three.) +** +** If none of the above are defined, then set SQLITE_SYSTEM_MALLOC as +** the default. +*/ +#if defined(SQLITE_SYSTEM_MALLOC) \ + + defined(SQLITE_WIN32_MALLOC) \ + + defined(SQLITE_ZERO_MALLOC) \ + + defined(SQLITE_MEMDEBUG)>1 +# error "Two or more of the following compile-time configuration options\ + are defined but at most one is allowed:\ + SQLITE_SYSTEM_MALLOC, SQLITE_WIN32_MALLOC, SQLITE_MEMDEBUG,\ + SQLITE_ZERO_MALLOC" +#endif +#if defined(SQLITE_SYSTEM_MALLOC) \ + + defined(SQLITE_WIN32_MALLOC) \ + + defined(SQLITE_ZERO_MALLOC) \ + + defined(SQLITE_MEMDEBUG)==0 +# define SQLITE_SYSTEM_MALLOC 1 +#endif + +/* +** If SQLITE_MALLOC_SOFT_LIMIT is not zero, then try to keep the +** sizes of memory allocations below this value where possible. +*/ +#if !defined(SQLITE_MALLOC_SOFT_LIMIT) +# define SQLITE_MALLOC_SOFT_LIMIT 1024 +#endif + +/* +** We need to define _XOPEN_SOURCE as follows in order to enable +** recursive mutexes on most Unix systems. But Mac OS X is different. +** The _XOPEN_SOURCE define causes problems for Mac OS X we are told, +** so it is omitted there. See ticket #2673. 
+** +** Later we learn that _XOPEN_SOURCE is poorly or incorrectly +** implemented on some systems. So we avoid defining it at all +** if it is already defined or if it is unneeded because we are +** not doing a threadsafe build. Ticket #2681. +** +** See also ticket #2741. +*/ +#if !defined(_XOPEN_SOURCE) && !defined(__DARWIN__) \ + && !defined(__APPLE__) && SQLITE_THREADSAFE +# define _XOPEN_SOURCE 500 /* Needed to enable pthread recursive mutexes */ +#endif + +/* +** The TCL headers are only needed when compiling the TCL bindings. +*/ +#if defined(SQLITE_TCL) || defined(TCLSH) +# include +#endif + +/* +** NDEBUG and SQLITE_DEBUG are opposites. It should always be true that +** defined(NDEBUG)==!defined(SQLITE_DEBUG). If this is not currently true, +** make it true by defining or undefining NDEBUG. +** +** Setting NDEBUG makes the code smaller and run faster by disabling the +** number assert() statements in the code. So we want the default action +** to be for NDEBUG to be set and NDEBUG to be undefined only if SQLITE_DEBUG +** is set. Thus NDEBUG becomes an opt-in rather than an opt-out +** feature. +*/ +#if !defined(NDEBUG) && !defined(SQLITE_DEBUG) +# define NDEBUG 1 +#endif +#if defined(NDEBUG) && defined(SQLITE_DEBUG) +# undef NDEBUG +#endif + +/* +** The testcase() macro is used to aid in coverage testing. When +** doing coverage testing, the condition inside the argument to +** testcase() must be evaluated both true and false in order to +** get full branch coverage. The testcase() macro is inserted +** to help ensure adequate test coverage in places where simple +** condition/decision coverage is inadequate. For example, testcase() +** can be used to make sure boundary values are tested. For +** bitmask tests, testcase() can be used to make sure each bit +** is significant and used at least once. On switch statements +** where multiple cases go to the same block of code, testcase() +** can insure that all cases are evaluated. 
+** +*/ +#ifdef SQLITE_COVERAGE_TEST +SQLITE_PRIVATE void sqlite3Coverage(int); +# define testcase(X) if( X ){ sqlite3Coverage(__LINE__); } +#else +# define testcase(X) +#endif + +/* +** The TESTONLY macro is used to enclose variable declarations or +** other bits of code that are needed to support the arguments +** within testcase() and assert() macros. +*/ +#if !defined(NDEBUG) || defined(SQLITE_COVERAGE_TEST) +# define TESTONLY(X) X +#else +# define TESTONLY(X) +#endif + +/* +** Sometimes we need a small amount of code such as a variable initialization +** to setup for a later assert() statement. We do not want this code to +** appear when assert() is disabled. The following macro is therefore +** used to contain that setup code. The "VVA" acronym stands for +** "Verification, Validation, and Accreditation". In other words, the +** code within VVA_ONLY() will only run during verification processes. +*/ +#ifndef NDEBUG +# define VVA_ONLY(X) X +#else +# define VVA_ONLY(X) +#endif + +/* +** The ALWAYS and NEVER macros surround boolean expressions which +** are intended to always be true or false, respectively. Such +** expressions could be omitted from the code completely. But they +** are included in a few cases in order to enhance the resilience +** of SQLite to unexpected behavior - to make the code "self-healing" +** or "ductile" rather than being "brittle" and crashing at the first +** hint of unplanned behavior. +** +** In other words, ALWAYS and NEVER are added for defensive code. +** +** When doing coverage testing ALWAYS and NEVER are hard-coded to +** be true and false so that the unreachable code then specify will +** not be counted as untested code. 
+*/ +#if defined(SQLITE_COVERAGE_TEST) +# define ALWAYS(X) (1) +# define NEVER(X) (0) +#elif !defined(NDEBUG) +# define ALWAYS(X) ((X)?1:(assert(0),0)) +# define NEVER(X) ((X)?(assert(0),1):0) +#else +# define ALWAYS(X) (X) +# define NEVER(X) (X) +#endif + +/* +** Return true (non-zero) if the input is a integer that is too large +** to fit in 32-bits. This macro is used inside of various testcase() +** macros to verify that we have tested SQLite for large-file support. +*/ +#define IS_BIG_INT(X) (((X)&~(i64)0xffffffff)!=0) + +/* +** The macro unlikely() is a hint that surrounds a boolean +** expression that is usually false. Macro likely() surrounds +** a boolean expression that is usually true. GCC is able to +** use these hints to generate better code, sometimes. +*/ +#if defined(__GNUC__) && 0 +# define likely(X) __builtin_expect((X),1) +# define unlikely(X) __builtin_expect((X),0) +#else +# define likely(X) !!(X) +# define unlikely(X) !!(X) +#endif + +/************** Include sqlite3.h in the middle of sqliteInt.h ***************/ +/************** Begin file sqlite3.h *****************************************/ +/* +** 2001 September 15 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** This header file defines the interface that the SQLite library +** presents to client programs. If a C-function, structure, datatype, +** or constant definition does not appear in this file, then it is +** not a published API of SQLite, is subject to change without +** notice, and should not be referenced by programs that use SQLite. +** +** Some of the definitions that are in this file are marked as +** "experimental". 
Experimental interfaces are normally new +** features recently added to SQLite. We do not anticipate changes +** to experimental interfaces but reserve the right to make minor changes +** if experience from use "in the wild" suggest such changes are prudent. +** +** The official C-language API documentation for SQLite is derived +** from comments in this file. This file is the authoritative source +** on how SQLite interfaces are suppose to operate. +** +** The name of this file under configuration management is "sqlite.h.in". +** The makefile makes some minor changes to this file (such as inserting +** the version number) and changes its name to "sqlite3.h" as +** part of the build process. +*/ +#ifndef _SQLITE3_H_ +#define _SQLITE3_H_ +#include /* Needed for the definition of va_list */ + +/* +** Make sure we can call this stuff from C++. +*/ +#if 0 +extern "C" { +#endif + + +/* +** Add the ability to override 'extern' +*/ +#ifndef SQLITE_EXTERN +# define SQLITE_EXTERN extern +#endif + +#ifndef SQLITE_API +# define SQLITE_API +#endif + + +/* +** These no-op macros are used in front of interfaces to mark those +** interfaces as either deprecated or experimental. New applications +** should not use deprecated interfaces - they are support for backwards +** compatibility only. Application writers should be aware that +** experimental interfaces are subject to change in point releases. +** +** These macros used to resolve to various kinds of compiler magic that +** would generate warning messages when they were used. But that +** compiler magic ended up generating such a flurry of bug reports +** that we have taken it all out and gone back to using simple +** noop macros. +*/ +#define SQLITE_DEPRECATED +#define SQLITE_EXPERIMENTAL + +/* +** Ensure these symbols were not defined by some previous header file. 
+*/ +#ifdef SQLITE_VERSION +# undef SQLITE_VERSION +#endif +#ifdef SQLITE_VERSION_NUMBER +# undef SQLITE_VERSION_NUMBER +#endif + +/* +** CAPI3REF: Compile-Time Library Version Numbers +** +** ^(The [SQLITE_VERSION] C preprocessor macro in the sqlite3.h header +** evaluates to a string literal that is the SQLite version in the +** format "X.Y.Z" where X is the major version number (always 3 for +** SQLite3) and Y is the minor version number and Z is the release number.)^ +** ^(The [SQLITE_VERSION_NUMBER] C preprocessor macro resolves to an integer +** with the value (X*1000000 + Y*1000 + Z) where X, Y, and Z are the same +** numbers used in [SQLITE_VERSION].)^ +** The SQLITE_VERSION_NUMBER for any given release of SQLite will also +** be larger than the release from which it is derived. Either Y will +** be held constant and Z will be incremented or else Y will be incremented +** and Z will be reset to zero. +** +** Since version 3.6.18, SQLite source code has been stored in the +** Fossil configuration management +** system. ^The SQLITE_SOURCE_ID macro evaluates to +** a string which identifies a particular check-in of SQLite +** within its configuration management system. ^The SQLITE_SOURCE_ID +** string contains the date and time of the check-in (UTC) and an SHA1 +** hash of the entire source tree. +** +** See also: [sqlite3_libversion()], +** [sqlite3_libversion_number()], [sqlite3_sourceid()], +** [sqlite_version()] and [sqlite_source_id()]. +*/ +#define SQLITE_VERSION "3.7.16.2" +#define SQLITE_VERSION_NUMBER 3007016 +#define SQLITE_SOURCE_ID "2013-04-12 11:52:43 cbea02d93865ce0e06789db95fd9168ebac970c7" + +/* +** CAPI3REF: Run-Time Library Version Numbers +** KEYWORDS: sqlite3_version, sqlite3_sourceid +** +** These interfaces provide the same information as the [SQLITE_VERSION], +** [SQLITE_VERSION_NUMBER], and [SQLITE_SOURCE_ID] C preprocessor macros +** but are associated with the library instead of the header file. 
^(Cautious +** programmers might include assert() statements in their application to +** verify that values returned by these interfaces match the macros in +** the header, and thus insure that the application is +** compiled with matching library and header files. +** +**
+** assert( sqlite3_libversion_number()==SQLITE_VERSION_NUMBER );
+** assert( strcmp(sqlite3_sourceid(),SQLITE_SOURCE_ID)==0 );
+** assert( strcmp(sqlite3_libversion(),SQLITE_VERSION)==0 );
+** 
)^ +** +** ^The sqlite3_version[] string constant contains the text of [SQLITE_VERSION] +** macro. ^The sqlite3_libversion() function returns a pointer to the +** to the sqlite3_version[] string constant. The sqlite3_libversion() +** function is provided for use in DLLs since DLL users usually do not have +** direct access to string constants within the DLL. ^The +** sqlite3_libversion_number() function returns an integer equal to +** [SQLITE_VERSION_NUMBER]. ^The sqlite3_sourceid() function returns +** a pointer to a string constant whose value is the same as the +** [SQLITE_SOURCE_ID] C preprocessor macro. +** +** See also: [sqlite_version()] and [sqlite_source_id()]. +*/ +SQLITE_API const char sqlite3_version[] = SQLITE_VERSION; +SQLITE_API const char *sqlite3_libversion(void); +SQLITE_API const char *sqlite3_sourceid(void); +SQLITE_API int sqlite3_libversion_number(void); + +/* +** CAPI3REF: Run-Time Library Compilation Options Diagnostics +** +** ^The sqlite3_compileoption_used() function returns 0 or 1 +** indicating whether the specified option was defined at +** compile time. ^The SQLITE_ prefix may be omitted from the +** option name passed to sqlite3_compileoption_used(). +** +** ^The sqlite3_compileoption_get() function allows iterating +** over the list of options that were defined at compile time by +** returning the N-th compile time option string. ^If N is out of range, +** sqlite3_compileoption_get() returns a NULL pointer. ^The SQLITE_ +** prefix is omitted from any strings returned by +** sqlite3_compileoption_get(). +** +** ^Support for the diagnostic functions sqlite3_compileoption_used() +** and sqlite3_compileoption_get() may be omitted by specifying the +** [SQLITE_OMIT_COMPILEOPTION_DIAGS] option at compile time. +** +** See also: SQL functions [sqlite_compileoption_used()] and +** [sqlite_compileoption_get()] and the [compile_options pragma]. 
+*/ +#ifndef SQLITE_OMIT_COMPILEOPTION_DIAGS +SQLITE_API int sqlite3_compileoption_used(const char *zOptName); +SQLITE_API const char *sqlite3_compileoption_get(int N); +#endif + +/* +** CAPI3REF: Test To See If The Library Is Threadsafe +** +** ^The sqlite3_threadsafe() function returns zero if and only if +** SQLite was compiled with mutexing code omitted due to the +** [SQLITE_THREADSAFE] compile-time option being set to 0. +** +** SQLite can be compiled with or without mutexes. When +** the [SQLITE_THREADSAFE] C preprocessor macro is 1 or 2, mutexes +** are enabled and SQLite is threadsafe. When the +** [SQLITE_THREADSAFE] macro is 0, +** the mutexes are omitted. Without the mutexes, it is not safe +** to use SQLite concurrently from more than one thread. +** +** Enabling mutexes incurs a measurable performance penalty. +** So if speed is of utmost importance, it makes sense to disable +** the mutexes. But for maximum safety, mutexes should be enabled. +** ^The default behavior is for mutexes to be enabled. +** +** This interface can be used by an application to make sure that the +** version of SQLite that it is linking against was compiled with +** the desired setting of the [SQLITE_THREADSAFE] macro. +** +** This interface only reports on the compile-time mutex setting +** of the [SQLITE_THREADSAFE] flag. If SQLite is compiled with +** SQLITE_THREADSAFE=1 or =2 then mutexes are enabled by default but +** can be fully or partially disabled using a call to [sqlite3_config()] +** with the verbs [SQLITE_CONFIG_SINGLETHREAD], [SQLITE_CONFIG_MULTITHREAD], +** or [SQLITE_CONFIG_MUTEX]. ^(The return value of the +** sqlite3_threadsafe() function shows only the compile-time setting of +** thread safety, not any run-time changes to that setting made by +** sqlite3_config(). In other words, the return value from sqlite3_threadsafe() +** is unchanged by calls to sqlite3_config().)^ +** +** See the [threading mode] documentation for additional information. 
+*/ +SQLITE_API int sqlite3_threadsafe(void); + +/* +** CAPI3REF: Database Connection Handle +** KEYWORDS: {database connection} {database connections} +** +** Each open SQLite database is represented by a pointer to an instance of +** the opaque structure named "sqlite3". It is useful to think of an sqlite3 +** pointer as an object. The [sqlite3_open()], [sqlite3_open16()], and +** [sqlite3_open_v2()] interfaces are its constructors, and [sqlite3_close()] +** and [sqlite3_close_v2()] are its destructors. There are many other +** interfaces (such as +** [sqlite3_prepare_v2()], [sqlite3_create_function()], and +** [sqlite3_busy_timeout()] to name but three) that are methods on an +** sqlite3 object. +*/ +typedef struct sqlite3 sqlite3; + +/* +** CAPI3REF: 64-Bit Integer Types +** KEYWORDS: sqlite_int64 sqlite_uint64 +** +** Because there is no cross-platform way to specify 64-bit integer types +** SQLite includes typedefs for 64-bit signed and unsigned integers. +** +** The sqlite3_int64 and sqlite3_uint64 are the preferred type definitions. +** The sqlite_int64 and sqlite_uint64 types are supported for backwards +** compatibility only. +** +** ^The sqlite3_int64 and sqlite_int64 types can store integer values +** between -9223372036854775808 and +9223372036854775807 inclusive. ^The +** sqlite3_uint64 and sqlite_uint64 types can store integer values +** between 0 and +18446744073709551615 inclusive. +*/ +#ifdef SQLITE_INT64_TYPE + typedef SQLITE_INT64_TYPE sqlite_int64; + typedef unsigned SQLITE_INT64_TYPE sqlite_uint64; +#elif defined(_MSC_VER) || defined(__BORLANDC__) + typedef __int64 sqlite_int64; + typedef unsigned __int64 sqlite_uint64; +#else + typedef long long int sqlite_int64; + typedef unsigned long long int sqlite_uint64; +#endif +typedef sqlite_int64 sqlite3_int64; +typedef sqlite_uint64 sqlite3_uint64; + +/* +** If compiling for a processor that lacks floating point support, +** substitute integer for floating-point. 
+*/ +#ifdef SQLITE_OMIT_FLOATING_POINT +# define double sqlite3_int64 +#endif + +/* +** CAPI3REF: Closing A Database Connection +** +** ^The sqlite3_close() and sqlite3_close_v2() routines are destructors +** for the [sqlite3] object. +** ^Calls to sqlite3_close() and sqlite3_close_v2() return SQLITE_OK if +** the [sqlite3] object is successfully destroyed and all associated +** resources are deallocated. +** +** ^If the database connection is associated with unfinalized prepared +** statements or unfinished sqlite3_backup objects then sqlite3_close() +** will leave the database connection open and return [SQLITE_BUSY]. +** ^If sqlite3_close_v2() is called with unfinalized prepared statements +** and unfinished sqlite3_backups, then the database connection becomes +** an unusable "zombie" which will automatically be deallocated when the +** last prepared statement is finalized or the last sqlite3_backup is +** finished. The sqlite3_close_v2() interface is intended for use with +** host languages that are garbage collected, and where the order in which +** destructors are called is arbitrary. +** +** Applications should [sqlite3_finalize | finalize] all [prepared statements], +** [sqlite3_blob_close | close] all [BLOB handles], and +** [sqlite3_backup_finish | finish] all [sqlite3_backup] objects associated +** with the [sqlite3] object prior to attempting to close the object. ^If +** sqlite3_close_v2() is called on a [database connection] that still has +** outstanding [prepared statements], [BLOB handles], and/or +** [sqlite3_backup] objects then it returns SQLITE_OK but the deallocation +** of resources is deferred until all [prepared statements], [BLOB handles], +** and [sqlite3_backup] objects are also destroyed. +** +** ^If an [sqlite3] object is destroyed while a transaction is open, +** the transaction is automatically rolled back. 
+** +** The C parameter to [sqlite3_close(C)] and [sqlite3_close_v2(C)] +** must be either a NULL +** pointer or an [sqlite3] object pointer obtained +** from [sqlite3_open()], [sqlite3_open16()], or +** [sqlite3_open_v2()], and not previously closed. +** ^Calling sqlite3_close() or sqlite3_close_v2() with a NULL pointer +** argument is a harmless no-op. +*/ +SQLITE_API int sqlite3_close(sqlite3*); +SQLITE_API int sqlite3_close_v2(sqlite3*); + +/* +** The type for a callback function. +** This is legacy and deprecated. It is included for historical +** compatibility and is not documented. +*/ +typedef int (*sqlite3_callback)(void*,int,char**, char**); + +/* +** CAPI3REF: One-Step Query Execution Interface +** +** The sqlite3_exec() interface is a convenience wrapper around +** [sqlite3_prepare_v2()], [sqlite3_step()], and [sqlite3_finalize()], +** that allows an application to run multiple statements of SQL +** without having to use a lot of C code. +** +** ^The sqlite3_exec() interface runs zero or more UTF-8 encoded, +** semicolon-separate SQL statements passed into its 2nd argument, +** in the context of the [database connection] passed in as its 1st +** argument. ^If the callback function of the 3rd argument to +** sqlite3_exec() is not NULL, then it is invoked for each result row +** coming out of the evaluated SQL statements. ^The 4th argument to +** sqlite3_exec() is relayed through to the 1st argument of each +** callback invocation. ^If the callback pointer to sqlite3_exec() +** is NULL, then no callback is ever invoked and result rows are +** ignored. +** +** ^If an error occurs while evaluating the SQL statements passed into +** sqlite3_exec(), then execution of the current statement stops and +** subsequent statements are skipped. ^If the 5th parameter to sqlite3_exec() +** is not NULL then any error message is written into memory obtained +** from [sqlite3_malloc()] and passed back through the 5th parameter. 
+** To avoid memory leaks, the application should invoke [sqlite3_free()] +** on error message strings returned through the 5th parameter of +** of sqlite3_exec() after the error message string is no longer needed. +** ^If the 5th parameter to sqlite3_exec() is not NULL and no errors +** occur, then sqlite3_exec() sets the pointer in its 5th parameter to +** NULL before returning. +** +** ^If an sqlite3_exec() callback returns non-zero, the sqlite3_exec() +** routine returns SQLITE_ABORT without invoking the callback again and +** without running any subsequent SQL statements. +** +** ^The 2nd argument to the sqlite3_exec() callback function is the +** number of columns in the result. ^The 3rd argument to the sqlite3_exec() +** callback is an array of pointers to strings obtained as if from +** [sqlite3_column_text()], one for each column. ^If an element of a +** result row is NULL then the corresponding string pointer for the +** sqlite3_exec() callback is a NULL pointer. ^The 4th argument to the +** sqlite3_exec() callback is an array of pointers to strings where each +** entry represents the name of corresponding result column as obtained +** from [sqlite3_column_name()]. +** +** ^If the 2nd parameter to sqlite3_exec() is a NULL pointer, a pointer +** to an empty string, or a pointer that contains only whitespace and/or +** SQL comments, then no SQL statements are evaluated and the database +** is not changed. +** +** Restrictions: +** +**
    +**
  • The application must insure that the 1st parameter to sqlite3_exec() +** is a valid and open [database connection]. +**
  • The application must not close [database connection] specified by +** the 1st parameter to sqlite3_exec() while sqlite3_exec() is running. +**
  • The application must not modify the SQL statement text passed into +** the 2nd parameter of sqlite3_exec() while sqlite3_exec() is running. +**
+*/ +SQLITE_API int sqlite3_exec( + sqlite3*, /* An open database */ + const char *sql, /* SQL to be evaluated */ + int (*callback)(void*,int,char**,char**), /* Callback function */ + void *, /* 1st argument to callback */ + char **errmsg /* Error msg written here */ +); + +/* +** CAPI3REF: Result Codes +** KEYWORDS: SQLITE_OK {error code} {error codes} +** KEYWORDS: {result code} {result codes} +** +** Many SQLite functions return an integer result code from the set shown +** here in order to indicate success or failure. +** +** New error codes may be added in future versions of SQLite. +** +** See also: [SQLITE_IOERR_READ | extended result codes], +** [sqlite3_vtab_on_conflict()] [SQLITE_ROLLBACK | result codes]. +*/ +#define SQLITE_OK 0 /* Successful result */ +/* beginning-of-error-codes */ +#define SQLITE_ERROR 1 /* SQL error or missing database */ +#define SQLITE_INTERNAL 2 /* Internal logic error in SQLite */ +#define SQLITE_PERM 3 /* Access permission denied */ +#define SQLITE_ABORT 4 /* Callback routine requested an abort */ +#define SQLITE_BUSY 5 /* The database file is locked */ +#define SQLITE_LOCKED 6 /* A table in the database is locked */ +#define SQLITE_NOMEM 7 /* A malloc() failed */ +#define SQLITE_READONLY 8 /* Attempt to write a readonly database */ +#define SQLITE_INTERRUPT 9 /* Operation terminated by sqlite3_interrupt()*/ +#define SQLITE_IOERR 10 /* Some kind of disk I/O error occurred */ +#define SQLITE_CORRUPT 11 /* The database disk image is malformed */ +#define SQLITE_NOTFOUND 12 /* Unknown opcode in sqlite3_file_control() */ +#define SQLITE_FULL 13 /* Insertion failed because database is full */ +#define SQLITE_CANTOPEN 14 /* Unable to open the database file */ +#define SQLITE_PROTOCOL 15 /* Database lock protocol error */ +#define SQLITE_EMPTY 16 /* Database is empty */ +#define SQLITE_SCHEMA 17 /* The database schema changed */ +#define SQLITE_TOOBIG 18 /* String or BLOB exceeds size limit */ +#define SQLITE_CONSTRAINT 19 /* Abort due 
to constraint violation */ +#define SQLITE_MISMATCH 20 /* Data type mismatch */ +#define SQLITE_MISUSE 21 /* Library used incorrectly */ +#define SQLITE_NOLFS 22 /* Uses OS features not supported on host */ +#define SQLITE_AUTH 23 /* Authorization denied */ +#define SQLITE_FORMAT 24 /* Auxiliary database format error */ +#define SQLITE_RANGE 25 /* 2nd parameter to sqlite3_bind out of range */ +#define SQLITE_NOTADB 26 /* File opened that is not a database file */ +#define SQLITE_ROW 100 /* sqlite3_step() has another row ready */ +#define SQLITE_DONE 101 /* sqlite3_step() has finished executing */ +/* end-of-error-codes */ + +/* +** CAPI3REF: Extended Result Codes +** KEYWORDS: {extended error code} {extended error codes} +** KEYWORDS: {extended result code} {extended result codes} +** +** In its default configuration, SQLite API routines return one of 26 integer +** [SQLITE_OK | result codes]. However, experience has shown that many of +** these result codes are too coarse-grained. They do not provide as +** much information about problems as programmers might like. In an effort to +** address this, newer versions of SQLite (version 3.3.8 and later) include +** support for additional result codes that provide more detailed information +** about errors. The extended result codes are enabled or disabled +** on a per database connection basis using the +** [sqlite3_extended_result_codes()] API. +** +** Some of the available extended result codes are listed here. +** One may expect the number of extended result codes will be expand +** over time. Software that uses extended result codes should expect +** to see new result codes in future releases of SQLite. +** +** The SQLITE_OK result code will never be extended. It will always +** be exactly zero. 
+*/ +#define SQLITE_IOERR_READ (SQLITE_IOERR | (1<<8)) +#define SQLITE_IOERR_SHORT_READ (SQLITE_IOERR | (2<<8)) +#define SQLITE_IOERR_WRITE (SQLITE_IOERR | (3<<8)) +#define SQLITE_IOERR_FSYNC (SQLITE_IOERR | (4<<8)) +#define SQLITE_IOERR_DIR_FSYNC (SQLITE_IOERR | (5<<8)) +#define SQLITE_IOERR_TRUNCATE (SQLITE_IOERR | (6<<8)) +#define SQLITE_IOERR_FSTAT (SQLITE_IOERR | (7<<8)) +#define SQLITE_IOERR_UNLOCK (SQLITE_IOERR | (8<<8)) +#define SQLITE_IOERR_RDLOCK (SQLITE_IOERR | (9<<8)) +#define SQLITE_IOERR_DELETE (SQLITE_IOERR | (10<<8)) +#define SQLITE_IOERR_BLOCKED (SQLITE_IOERR | (11<<8)) +#define SQLITE_IOERR_NOMEM (SQLITE_IOERR | (12<<8)) +#define SQLITE_IOERR_ACCESS (SQLITE_IOERR | (13<<8)) +#define SQLITE_IOERR_CHECKRESERVEDLOCK (SQLITE_IOERR | (14<<8)) +#define SQLITE_IOERR_LOCK (SQLITE_IOERR | (15<<8)) +#define SQLITE_IOERR_CLOSE (SQLITE_IOERR | (16<<8)) +#define SQLITE_IOERR_DIR_CLOSE (SQLITE_IOERR | (17<<8)) +#define SQLITE_IOERR_SHMOPEN (SQLITE_IOERR | (18<<8)) +#define SQLITE_IOERR_SHMSIZE (SQLITE_IOERR | (19<<8)) +#define SQLITE_IOERR_SHMLOCK (SQLITE_IOERR | (20<<8)) +#define SQLITE_IOERR_SHMMAP (SQLITE_IOERR | (21<<8)) +#define SQLITE_IOERR_SEEK (SQLITE_IOERR | (22<<8)) +#define SQLITE_IOERR_DELETE_NOENT (SQLITE_IOERR | (23<<8)) +#define SQLITE_LOCKED_SHAREDCACHE (SQLITE_LOCKED | (1<<8)) +#define SQLITE_BUSY_RECOVERY (SQLITE_BUSY | (1<<8)) +#define SQLITE_CANTOPEN_NOTEMPDIR (SQLITE_CANTOPEN | (1<<8)) +#define SQLITE_CANTOPEN_ISDIR (SQLITE_CANTOPEN | (2<<8)) +#define SQLITE_CANTOPEN_FULLPATH (SQLITE_CANTOPEN | (3<<8)) +#define SQLITE_CORRUPT_VTAB (SQLITE_CORRUPT | (1<<8)) +#define SQLITE_READONLY_RECOVERY (SQLITE_READONLY | (1<<8)) +#define SQLITE_READONLY_CANTLOCK (SQLITE_READONLY | (2<<8)) +#define SQLITE_READONLY_ROLLBACK (SQLITE_READONLY | (3<<8)) +#define SQLITE_ABORT_ROLLBACK (SQLITE_ABORT | (2<<8)) +#define SQLITE_CONSTRAINT_CHECK (SQLITE_CONSTRAINT | (1<<8)) +#define SQLITE_CONSTRAINT_COMMITHOOK (SQLITE_CONSTRAINT | (2<<8)) +#define 
SQLITE_CONSTRAINT_FOREIGNKEY (SQLITE_CONSTRAINT | (3<<8)) +#define SQLITE_CONSTRAINT_FUNCTION (SQLITE_CONSTRAINT | (4<<8)) +#define SQLITE_CONSTRAINT_NOTNULL (SQLITE_CONSTRAINT | (5<<8)) +#define SQLITE_CONSTRAINT_PRIMARYKEY (SQLITE_CONSTRAINT | (6<<8)) +#define SQLITE_CONSTRAINT_TRIGGER (SQLITE_CONSTRAINT | (7<<8)) +#define SQLITE_CONSTRAINT_UNIQUE (SQLITE_CONSTRAINT | (8<<8)) +#define SQLITE_CONSTRAINT_VTAB (SQLITE_CONSTRAINT | (9<<8)) + +/* +** CAPI3REF: Flags For File Open Operations +** +** These bit values are intended for use in the +** 3rd parameter to the [sqlite3_open_v2()] interface and +** in the 4th parameter to the [sqlite3_vfs.xOpen] method. +*/ +#define SQLITE_OPEN_READONLY 0x00000001 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_READWRITE 0x00000002 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_CREATE 0x00000004 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_DELETEONCLOSE 0x00000008 /* VFS only */ +#define SQLITE_OPEN_EXCLUSIVE 0x00000010 /* VFS only */ +#define SQLITE_OPEN_AUTOPROXY 0x00000020 /* VFS only */ +#define SQLITE_OPEN_URI 0x00000040 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_MEMORY 0x00000080 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_MAIN_DB 0x00000100 /* VFS only */ +#define SQLITE_OPEN_TEMP_DB 0x00000200 /* VFS only */ +#define SQLITE_OPEN_TRANSIENT_DB 0x00000400 /* VFS only */ +#define SQLITE_OPEN_MAIN_JOURNAL 0x00000800 /* VFS only */ +#define SQLITE_OPEN_TEMP_JOURNAL 0x00001000 /* VFS only */ +#define SQLITE_OPEN_SUBJOURNAL 0x00002000 /* VFS only */ +#define SQLITE_OPEN_MASTER_JOURNAL 0x00004000 /* VFS only */ +#define SQLITE_OPEN_NOMUTEX 0x00008000 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_FULLMUTEX 0x00010000 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_SHAREDCACHE 0x00020000 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_PRIVATECACHE 0x00040000 /* Ok for sqlite3_open_v2() */ +#define SQLITE_OPEN_WAL 0x00080000 /* VFS only */ + +/* Reserved: 0x00F00000 */ + +/* +** 
CAPI3REF: Device Characteristics +** +** The xDeviceCharacteristics method of the [sqlite3_io_methods] +** object returns an integer which is a vector of these +** bit values expressing I/O characteristics of the mass storage +** device that holds the file that the [sqlite3_io_methods] +** refers to. +** +** The SQLITE_IOCAP_ATOMIC property means that all writes of +** any size are atomic. The SQLITE_IOCAP_ATOMICnnn values +** mean that writes of blocks that are nnn bytes in size and +** are aligned to an address which is an integer multiple of +** nnn are atomic. The SQLITE_IOCAP_SAFE_APPEND value means +** that when data is appended to a file, the data is appended +** first then the size of the file is extended, never the other +** way around. The SQLITE_IOCAP_SEQUENTIAL property means that +** information is written to disk in the same order as calls +** to xWrite(). The SQLITE_IOCAP_POWERSAFE_OVERWRITE property means that +** after reboot following a crash or power loss, the only bytes in a +** file that were written at the application level might have changed +** and that adjacent bytes, even bytes within the same sector are +** guaranteed to be unchanged. +*/ +#define SQLITE_IOCAP_ATOMIC 0x00000001 +#define SQLITE_IOCAP_ATOMIC512 0x00000002 +#define SQLITE_IOCAP_ATOMIC1K 0x00000004 +#define SQLITE_IOCAP_ATOMIC2K 0x00000008 +#define SQLITE_IOCAP_ATOMIC4K 0x00000010 +#define SQLITE_IOCAP_ATOMIC8K 0x00000020 +#define SQLITE_IOCAP_ATOMIC16K 0x00000040 +#define SQLITE_IOCAP_ATOMIC32K 0x00000080 +#define SQLITE_IOCAP_ATOMIC64K 0x00000100 +#define SQLITE_IOCAP_SAFE_APPEND 0x00000200 +#define SQLITE_IOCAP_SEQUENTIAL 0x00000400 +#define SQLITE_IOCAP_UNDELETABLE_WHEN_OPEN 0x00000800 +#define SQLITE_IOCAP_POWERSAFE_OVERWRITE 0x00001000 + +/* +** CAPI3REF: File Locking Levels +** +** SQLite uses one of these integer values as the second +** argument to calls it makes to the xLock() and xUnlock() methods +** of an [sqlite3_io_methods] object. 
+*/ +#define SQLITE_LOCK_NONE 0 +#define SQLITE_LOCK_SHARED 1 +#define SQLITE_LOCK_RESERVED 2 +#define SQLITE_LOCK_PENDING 3 +#define SQLITE_LOCK_EXCLUSIVE 4 + +/* +** CAPI3REF: Synchronization Type Flags +** +** When SQLite invokes the xSync() method of an +** [sqlite3_io_methods] object it uses a combination of +** these integer values as the second argument. +** +** When the SQLITE_SYNC_DATAONLY flag is used, it means that the +** sync operation only needs to flush data to mass storage. Inode +** information need not be flushed. If the lower four bits of the flag +** equal SQLITE_SYNC_NORMAL, that means to use normal fsync() semantics. +** If the lower four bits equal SQLITE_SYNC_FULL, that means +** to use Mac OS X style fullsync instead of fsync(). +** +** Do not confuse the SQLITE_SYNC_NORMAL and SQLITE_SYNC_FULL flags +** with the [PRAGMA synchronous]=NORMAL and [PRAGMA synchronous]=FULL +** settings. The [synchronous pragma] determines when calls to the +** xSync VFS method occur and applies uniformly across all platforms. +** The SQLITE_SYNC_NORMAL and SQLITE_SYNC_FULL flags determine how +** energetic or rigorous or forceful the sync operations are and +** only make a difference on Mac OSX for the default SQLite code. +** (Third-party VFS implementations might also make the distinction +** between SQLITE_SYNC_NORMAL and SQLITE_SYNC_FULL, but among the +** operating systems natively supported by SQLite, only Mac OSX +** cares about the difference.) +*/ +#define SQLITE_SYNC_NORMAL 0x00002 +#define SQLITE_SYNC_FULL 0x00003 +#define SQLITE_SYNC_DATAONLY 0x00010 + +/* +** CAPI3REF: OS Interface Open File Handle +** +** An [sqlite3_file] object represents an open file in the +** [sqlite3_vfs | OS interface layer]. Individual OS interface +** implementations will +** want to subclass this object by appending additional fields +** for their own use. 
The pMethods entry is a pointer to an +** [sqlite3_io_methods] object that defines methods for performing +** I/O operations on the open file. +*/ +typedef struct sqlite3_file sqlite3_file; +struct sqlite3_file { + const struct sqlite3_io_methods *pMethods; /* Methods for an open file */ +}; + +/* +** CAPI3REF: OS Interface File Virtual Methods Object +** +** Every file opened by the [sqlite3_vfs.xOpen] method populates an +** [sqlite3_file] object (or, more commonly, a subclass of the +** [sqlite3_file] object) with a pointer to an instance of this object. +** This object defines the methods used to perform various operations +** against the open file represented by the [sqlite3_file] object. +** +** If the [sqlite3_vfs.xOpen] method sets the sqlite3_file.pMethods element +** to a non-NULL pointer, then the sqlite3_io_methods.xClose method +** may be invoked even if the [sqlite3_vfs.xOpen] reported that it failed. The +** only way to prevent a call to xClose following a failed [sqlite3_vfs.xOpen] +** is for the [sqlite3_vfs.xOpen] to set the sqlite3_file.pMethods element +** to NULL. +** +** The flags argument to xSync may be one of [SQLITE_SYNC_NORMAL] or +** [SQLITE_SYNC_FULL]. The first choice is the normal fsync(). +** The second choice is a Mac OS X style fullsync. The [SQLITE_SYNC_DATAONLY] +** flag may be ORed in to indicate that only the data of the file +** and not its inode needs to be synced. +** +** The integer values to xLock() and xUnlock() are one of +**
    +**
  • [SQLITE_LOCK_NONE], +**
  • [SQLITE_LOCK_SHARED], +**
  • [SQLITE_LOCK_RESERVED], +**
  • [SQLITE_LOCK_PENDING], or +**
  • [SQLITE_LOCK_EXCLUSIVE]. +**
+** xLock() increases the lock. xUnlock() decreases the lock. +** The xCheckReservedLock() method checks whether any database connection, +** either in this process or in some other process, is holding a RESERVED, +** PENDING, or EXCLUSIVE lock on the file. It returns true +** if such a lock exists and false otherwise. +** +** The xFileControl() method is a generic interface that allows custom +** VFS implementations to directly control an open file using the +** [sqlite3_file_control()] interface. The second "op" argument is an +** integer opcode. The third argument is a generic pointer intended to +** point to a structure that may contain arguments or space in which to +** write return values. Potential uses for xFileControl() might be +** functions to enable blocking locks with timeouts, to change the +** locking strategy (for example to use dot-file locks), to inquire +** about the status of a lock, or to break stale locks. The SQLite +** core reserves all opcodes less than 100 for its own use. +** A [SQLITE_FCNTL_LOCKSTATE | list of opcodes] less than 100 is available. +** Applications that define a custom xFileControl method should use opcodes +** greater than 100 to avoid conflicts. VFS implementations should +** return [SQLITE_NOTFOUND] for file control opcodes that they do not +** recognize. +** +** The xSectorSize() method returns the sector size of the +** device that underlies the file. The sector size is the +** minimum write that can be performed without disturbing +** other bytes in the file. The xDeviceCharacteristics() +** method returns a bit vector describing behaviors of the +** underlying device: +** +**
    +**
  • [SQLITE_IOCAP_ATOMIC] +**
  • [SQLITE_IOCAP_ATOMIC512] +**
  • [SQLITE_IOCAP_ATOMIC1K] +**
  • [SQLITE_IOCAP_ATOMIC2K] +**
  • [SQLITE_IOCAP_ATOMIC4K] +**
  • [SQLITE_IOCAP_ATOMIC8K] +**
  • [SQLITE_IOCAP_ATOMIC16K] +**
  • [SQLITE_IOCAP_ATOMIC32K] +**
  • [SQLITE_IOCAP_ATOMIC64K] +**
  • [SQLITE_IOCAP_SAFE_APPEND] +**
  • [SQLITE_IOCAP_SEQUENTIAL] +**
+** +** The SQLITE_IOCAP_ATOMIC property means that all writes of +** any size are atomic. The SQLITE_IOCAP_ATOMICnnn values +** mean that writes of blocks that are nnn bytes in size and +** are aligned to an address which is an integer multiple of +** nnn are atomic. The SQLITE_IOCAP_SAFE_APPEND value means +** that when data is appended to a file, the data is appended +** first then the size of the file is extended, never the other +** way around. The SQLITE_IOCAP_SEQUENTIAL property means that +** information is written to disk in the same order as calls +** to xWrite(). +** +** If xRead() returns SQLITE_IOERR_SHORT_READ it must also fill +** in the unread portions of the buffer with zeros. A VFS that +** fails to zero-fill short reads might seem to work. However, +** failure to zero-fill short reads will eventually lead to +** database corruption. +*/ +typedef struct sqlite3_io_methods sqlite3_io_methods; +struct sqlite3_io_methods { + int iVersion; + int (*xClose)(sqlite3_file*); + int (*xRead)(sqlite3_file*, void*, int iAmt, sqlite3_int64 iOfst); + int (*xWrite)(sqlite3_file*, const void*, int iAmt, sqlite3_int64 iOfst); + int (*xTruncate)(sqlite3_file*, sqlite3_int64 size); + int (*xSync)(sqlite3_file*, int flags); + int (*xFileSize)(sqlite3_file*, sqlite3_int64 *pSize); + int (*xLock)(sqlite3_file*, int); + int (*xUnlock)(sqlite3_file*, int); + int (*xCheckReservedLock)(sqlite3_file*, int *pResOut); + int (*xFileControl)(sqlite3_file*, int op, void *pArg); + int (*xSectorSize)(sqlite3_file*); + int (*xDeviceCharacteristics)(sqlite3_file*); + /* Methods above are valid for version 1 */ + int (*xShmMap)(sqlite3_file*, int iPg, int pgsz, int, void volatile**); + int (*xShmLock)(sqlite3_file*, int offset, int n, int flags); + void (*xShmBarrier)(sqlite3_file*); + int (*xShmUnmap)(sqlite3_file*, int deleteFlag); + /* Methods above are valid for version 2 */ + /* Additional methods may be added in future releases */ +}; + +/* +** CAPI3REF: Standard File Control 
Opcodes +** +** These integer constants are opcodes for the xFileControl method +** of the [sqlite3_io_methods] object and for the [sqlite3_file_control()] +** interface. +** +** The [SQLITE_FCNTL_LOCKSTATE] opcode is used for debugging. This +** opcode causes the xFileControl method to write the current state of +** the lock (one of [SQLITE_LOCK_NONE], [SQLITE_LOCK_SHARED], +** [SQLITE_LOCK_RESERVED], [SQLITE_LOCK_PENDING], or [SQLITE_LOCK_EXCLUSIVE]) +** into an integer that the pArg argument points to. This capability +** is used during testing and only needs to be supported when SQLITE_TEST +** is defined. +**
    +**
  • [[SQLITE_FCNTL_SIZE_HINT]] +** The [SQLITE_FCNTL_SIZE_HINT] opcode is used by SQLite to give the VFS +** layer a hint of how large the database file will grow to be during the +** current transaction. This hint is not guaranteed to be accurate but it +** is often close. The underlying VFS might choose to preallocate database +** file space based on this hint in order to help writes to the database +** file run faster. +** +**
  • [[SQLITE_FCNTL_CHUNK_SIZE]] +** The [SQLITE_FCNTL_CHUNK_SIZE] opcode is used to request that the VFS +** extends and truncates the database file in chunks of a size specified +** by the user. The fourth argument to [sqlite3_file_control()] should +** point to an integer (type int) containing the new chunk-size to use +** for the nominated database. Allocating database file space in large +** chunks (say 1MB at a time), may reduce file-system fragmentation and +** improve performance on some systems. +** +**
  • [[SQLITE_FCNTL_FILE_POINTER]] +** The [SQLITE_FCNTL_FILE_POINTER] opcode is used to obtain a pointer +** to the [sqlite3_file] object associated with a particular database +** connection. See the [sqlite3_file_control()] documentation for +** additional information. +** +**
  • [[SQLITE_FCNTL_SYNC_OMITTED]] +** ^(The [SQLITE_FCNTL_SYNC_OMITTED] opcode is generated internally by +** SQLite and sent to all VFSes in place of a call to the xSync method +** when the database connection has [PRAGMA synchronous] set to OFF.)^ +** Some specialized VFSes need this signal in order to operate correctly +** when [PRAGMA synchronous | PRAGMA synchronous=OFF] is set, but most +** VFSes do not need this signal and should silently ignore this opcode. +** Applications should not call [sqlite3_file_control()] with this +** opcode as doing so may disrupt the operation of the specialized VFSes +** that do require it. +** +**
  • [[SQLITE_FCNTL_WIN32_AV_RETRY]] +** ^The [SQLITE_FCNTL_WIN32_AV_RETRY] opcode is used to configure automatic +** retry counts and intervals for certain disk I/O operations for the +** windows [VFS] in order to provide robustness in the presence of +** anti-virus programs. By default, the windows VFS will retry file read, +** file write, and file delete operations up to 10 times, with a delay +** of 25 milliseconds before the first retry and with the delay increasing +** by an additional 25 milliseconds with each subsequent retry. This +** opcode allows these two values (10 retries and 25 milliseconds of delay) +** to be adjusted. The values are changed for all database connections +** within the same process. The argument is a pointer to an array of two +** integers where the first integer i the new retry count and the second +** integer is the delay. If either integer is negative, then the setting +** is not changed but instead the prior value of that setting is written +** into the array entry, allowing the current retry settings to be +** interrogated. The zDbName parameter is ignored. +** +**
  • [[SQLITE_FCNTL_PERSIST_WAL]] +** ^The [SQLITE_FCNTL_PERSIST_WAL] opcode is used to set or query the +** persistent [WAL | Write Ahead Log] setting. By default, the auxiliary +** write ahead log and shared memory files used for transaction control +** are automatically deleted when the latest connection to the database +** closes. Setting persistent WAL mode causes those files to persist after +** close. Persisting the files is useful when other processes that do not +** have write permission on the directory containing the database file want +** to read the database file, as the WAL and shared memory files must exist +** in order for the database to be readable. The fourth parameter to +** [sqlite3_file_control()] for this opcode should be a pointer to an integer. +** That integer is 0 to disable persistent WAL mode or 1 to enable persistent +** WAL mode. If the integer is -1, then it is overwritten with the current +** WAL persistence setting. +** +**
  • [[SQLITE_FCNTL_POWERSAFE_OVERWRITE]] +** ^The [SQLITE_FCNTL_POWERSAFE_OVERWRITE] opcode is used to set or query the +** persistent "powersafe-overwrite" or "PSOW" setting. The PSOW setting +** determines the [SQLITE_IOCAP_POWERSAFE_OVERWRITE] bit of the +** xDeviceCharacteristics methods. The fourth parameter to +** [sqlite3_file_control()] for this opcode should be a pointer to an integer. +** That integer is 0 to disable zero-damage mode or 1 to enable zero-damage +** mode. If the integer is -1, then it is overwritten with the current +** zero-damage mode setting. +** +**
  • [[SQLITE_FCNTL_OVERWRITE]] +** ^The [SQLITE_FCNTL_OVERWRITE] opcode is invoked by SQLite after opening +** a write transaction to indicate that, unless it is rolled back for some +** reason, the entire database file will be overwritten by the current +** transaction. This is used by VACUUM operations. +** +**
  • [[SQLITE_FCNTL_VFSNAME]] +** ^The [SQLITE_FCNTL_VFSNAME] opcode can be used to obtain the names of +** all [VFSes] in the VFS stack. The names are of all VFS shims and the +** final bottom-level VFS are written into memory obtained from +** [sqlite3_malloc()] and the result is stored in the char* variable +** that the fourth parameter of [sqlite3_file_control()] points to. +** The caller is responsible for freeing the memory when done. As with +** all file-control actions, there is no guarantee that this will actually +** do anything. Callers should initialize the char* variable to a NULL +** pointer in case this file-control is not implemented. This file-control +** is intended for diagnostic use only. +** +**
  • [[SQLITE_FCNTL_PRAGMA]] +** ^Whenever a [PRAGMA] statement is parsed, an [SQLITE_FCNTL_PRAGMA] +** file control is sent to the open [sqlite3_file] object corresponding +** to the database file to which the pragma statement refers. ^The argument +** to the [SQLITE_FCNTL_PRAGMA] file control is an array of +** pointers to strings (char**) in which the second element of the array +** is the name of the pragma and the third element is the argument to the +** pragma or NULL if the pragma has no argument. ^The handler for an +** [SQLITE_FCNTL_PRAGMA] file control can optionally make the first element +** of the char** argument point to a string obtained from [sqlite3_mprintf()] +** or the equivalent and that string will become the result of the pragma or +** the error message if the pragma fails. ^If the +** [SQLITE_FCNTL_PRAGMA] file control returns [SQLITE_NOTFOUND], then normal +** [PRAGMA] processing continues. ^If the [SQLITE_FCNTL_PRAGMA] +** file control returns [SQLITE_OK], then the parser assumes that the +** VFS has handled the PRAGMA itself and the parser generates a no-op +** prepared statement. ^If the [SQLITE_FCNTL_PRAGMA] file control returns +** any result code other than [SQLITE_OK] or [SQLITE_NOTFOUND], that means +** that the VFS encountered an error while handling the [PRAGMA] and the +** compilation of the PRAGMA fails with an error. ^The [SQLITE_FCNTL_PRAGMA] +** file control occurs at the beginning of pragma statement analysis and so +** it is able to override built-in [PRAGMA] statements. +** +**
• [[SQLITE_FCNTL_BUSYHANDLER]]
+** ^This file-control may be invoked by SQLite on the database file handle
+** shortly after it is opened in order to provide a custom VFS with access
+** to the connections busy-handler callback. The argument is of type (void **)
+** - an array of two (void *) values. The first (void *) actually points
+** to a function of type (int (*)(void *)). In order to invoke the connections
+** busy-handler, this function should be invoked with the second (void *) in
+** the array as the only argument. If it returns non-zero, then the operation
+** should be retried. If it returns zero, the custom VFS should abandon the
+** current operation.
+**
+**
• [[SQLITE_FCNTL_TEMPFILENAME]]
+** ^Application can invoke this file-control to have SQLite generate a
+** temporary filename using the same algorithm that is followed to generate
+** temporary filenames for TEMP tables and other internal uses. The
+** argument should be a char** which will be filled with the filename
+** written into memory obtained from [sqlite3_malloc()]. The caller should
+** invoke [sqlite3_free()] on the result to avoid a memory leak.
+**
+**
+*/
+#define SQLITE_FCNTL_LOCKSTATE 1
+#define SQLITE_GET_LOCKPROXYFILE 2
+#define SQLITE_SET_LOCKPROXYFILE 3
+#define SQLITE_LAST_ERRNO 4
+#define SQLITE_FCNTL_SIZE_HINT 5
+#define SQLITE_FCNTL_CHUNK_SIZE 6
+#define SQLITE_FCNTL_FILE_POINTER 7
+#define SQLITE_FCNTL_SYNC_OMITTED 8
+#define SQLITE_FCNTL_WIN32_AV_RETRY 9
+#define SQLITE_FCNTL_PERSIST_WAL 10
+#define SQLITE_FCNTL_OVERWRITE 11
+#define SQLITE_FCNTL_VFSNAME 12
+#define SQLITE_FCNTL_POWERSAFE_OVERWRITE 13
+#define SQLITE_FCNTL_PRAGMA 14
+#define SQLITE_FCNTL_BUSYHANDLER 15
+#define SQLITE_FCNTL_TEMPFILENAME 16
+
+/*
+** CAPI3REF: Mutex Handle
+**
+** The mutex module within SQLite defines [sqlite3_mutex] to be an
+** abstract type for a mutex object. The SQLite core never looks
+** at the internal representation of an [sqlite3_mutex]. It only
+** deals with pointers to the [sqlite3_mutex] object.
+**
+** Mutexes are created using [sqlite3_mutex_alloc()].
+*/
+typedef struct sqlite3_mutex sqlite3_mutex;
+
+/*
+** CAPI3REF: OS Interface Object
+**
+** An instance of the sqlite3_vfs object defines the interface between
+** the SQLite core and the underlying operating system. The "vfs"
+** in the name of the object stands for "virtual file system". See
+** the [VFS | VFS documentation] for further information.
+**
+** The value of the iVersion field is initially 1 but may be larger in
+** future versions of SQLite. Additional fields may be appended to this
+** object when the iVersion value is increased. Note that the structure
+** of the sqlite3_vfs object changes in the transaction between
+** SQLite version 3.5.9 and 3.6.0 and yet the iVersion field was not
+** modified.
+**
+** The szOsFile field is the size of the subclassed [sqlite3_file]
+** structure used by this VFS. mxPathname is the maximum length of
+** a pathname in this VFS.
+**
+** Registered sqlite3_vfs objects are kept on a linked list formed by
+** the pNext pointer.
The [sqlite3_vfs_register()]
+** and [sqlite3_vfs_unregister()] interfaces manage this list
+** in a thread-safe way. The [sqlite3_vfs_find()] interface
+** searches the list. Neither the application code nor the VFS
+** implementation should use the pNext pointer.
+**
+** The pNext field is the only field in the sqlite3_vfs
+** structure that SQLite will ever modify. SQLite will only access
+** or modify this field while holding a particular static mutex.
+** The application should never modify anything within the sqlite3_vfs
+** object once the object has been registered.
+**
+** The zName field holds the name of the VFS module. The name must
+** be unique across all VFS modules.
+**
+** [[sqlite3_vfs.xOpen]]
+** ^SQLite guarantees that the zFilename parameter to xOpen
+** is either a NULL pointer or string obtained
+** from xFullPathname() with an optional suffix added.
+** ^If a suffix is added to the zFilename parameter, it will
+** consist of a single "-" character followed by no more than
+** 11 alphanumeric and/or "-" characters.
+** ^SQLite further guarantees that
+** the string will be valid and unchanged until xClose() is
+** called. Because of the previous sentence,
+** the [sqlite3_file] can safely store a pointer to the
+** filename if it needs to remember the filename for some reason.
+** If the zFilename parameter to xOpen is a NULL pointer then xOpen
+** must invent its own temporary name for the file. ^Whenever the
+** xFilename parameter is NULL it will also be the case that the
+** flags parameter will include [SQLITE_OPEN_DELETEONCLOSE].
+**
+** The flags argument to xOpen() includes all bits set in
+** the flags argument to [sqlite3_open_v2()]. Or if [sqlite3_open()]
+** or [sqlite3_open16()] is used, then flags includes at least
+** [SQLITE_OPEN_READWRITE] | [SQLITE_OPEN_CREATE].
+** If xOpen() opens a file read-only then it sets *pOutFlags to
+** include [SQLITE_OPEN_READONLY]. Other bits in *pOutFlags may be set.
+**
+** ^(SQLite will also add one of the following flags to the xOpen()
+** call, depending on the object being opened:
+**
+**
    +**
• [SQLITE_OPEN_MAIN_DB]
+**
• [SQLITE_OPEN_MAIN_JOURNAL]
+**
• [SQLITE_OPEN_TEMP_DB]
+**
• [SQLITE_OPEN_TEMP_JOURNAL]
+**
• [SQLITE_OPEN_TRANSIENT_DB]
+**
• [SQLITE_OPEN_SUBJOURNAL]
+**
• [SQLITE_OPEN_MASTER_JOURNAL]
+**
• [SQLITE_OPEN_WAL]
+**
)^
+**
+** The file I/O implementation can use the object type flags to
+** change the way it deals with files. For example, an application
+** that does not care about crash recovery or rollback might make
+** the open of a journal file a no-op. Writes to this journal would
+** also be no-ops, and any attempt to read the journal would return
+** SQLITE_IOERR. Or the implementation might recognize that a database
+** file will be doing page-aligned sector reads and writes in a random
+** order and set up its I/O subsystem accordingly.
+**
+** SQLite might also add one of the following flags to the xOpen method:
+**
+**
    +**
• [SQLITE_OPEN_DELETEONCLOSE]
+**
• [SQLITE_OPEN_EXCLUSIVE]
+**
+**
+** The [SQLITE_OPEN_DELETEONCLOSE] flag means the file should be
+** deleted when it is closed. ^The [SQLITE_OPEN_DELETEONCLOSE]
+** will be set for TEMP databases and their journals, transient
+** databases, and subjournals.
+**
+** ^The [SQLITE_OPEN_EXCLUSIVE] flag is always used in conjunction
+** with the [SQLITE_OPEN_CREATE] flag, which are both directly
+** analogous to the O_EXCL and O_CREAT flags of the POSIX open()
+** API. The SQLITE_OPEN_EXCLUSIVE flag, when paired with the
+** SQLITE_OPEN_CREATE, is used to indicate that file should always
+** be created, and that it is an error if it already exists.
+** It is not used to indicate the file should be opened
+** for exclusive access.
+**
+** ^At least szOsFile bytes of memory are allocated by SQLite
+** to hold the [sqlite3_file] structure passed as the third
+** argument to xOpen. The xOpen method does not have to
+** allocate the structure; it should just fill it in. Note that
+** the xOpen method must set the sqlite3_file.pMethods to either
+** a valid [sqlite3_io_methods] object or to NULL. xOpen must do
+** this even if the open fails. SQLite expects that the sqlite3_file.pMethods
+** element will be valid after xOpen returns regardless of the success
+** or failure of the xOpen call.
+**
+** [[sqlite3_vfs.xAccess]]
+** ^The flags argument to xAccess() may be [SQLITE_ACCESS_EXISTS]
+** to test for the existence of a file, or [SQLITE_ACCESS_READWRITE] to
+** test whether a file is readable and writable, or [SQLITE_ACCESS_READ]
+** to test whether a file is at least readable. The file can be a
+** directory.
+**
+** ^SQLite will always allocate at least mxPathname+1 bytes for the
+** output buffer xFullPathname. The exact size of the output buffer
+** is also passed as a parameter to both methods. If the output buffer
+** is not large enough, [SQLITE_CANTOPEN] should be returned.
Since this is
+** handled as a fatal error by SQLite, vfs implementations should endeavor
+** to prevent this by setting mxPathname to a sufficiently large value.
+**
+** The xRandomness(), xSleep(), xCurrentTime(), and xCurrentTimeInt64()
+** interfaces are not strictly a part of the filesystem, but they are
+** included in the VFS structure for completeness.
+** The xRandomness() function attempts to return nBytes bytes
+** of good-quality randomness into zOut. The return value is
+** the actual number of bytes of randomness obtained.
+** The xSleep() method causes the calling thread to sleep for at
+** least the number of microseconds given. ^The xCurrentTime()
+** method returns a Julian Day Number for the current date and time as
+** a floating point value.
+** ^The xCurrentTimeInt64() method returns, as an integer, the Julian
+** Day Number multiplied by 86400000 (the number of milliseconds in
+** a 24-hour day).
+** ^SQLite will use the xCurrentTimeInt64() method to get the current
+** date and time if that method is available (if iVersion is 2 or
+** greater and the function pointer is not NULL) and will fall back
+** to xCurrentTime() if xCurrentTimeInt64() is unavailable.
+**
+** ^The xSetSystemCall(), xGetSystemCall(), and xNestSystemCall() interfaces
+** are not used by the SQLite core. These optional interfaces are provided
+** by some VFSes to facilitate testing of the VFS code. By overriding
+** system calls with functions under its control, a test program can
+** simulate faults and error conditions that would otherwise be difficult
+** or impossible to induce. The set of system calls that can be overridden
+** varies from one VFS to another, and from one version of the same VFS to the
+** next. Applications that use these interfaces must be prepared for any
+** or all of these interfaces to be NULL or for their behavior to change
+** from one release to the next.
Applications must not attempt to access
+** any of these methods if the iVersion of the VFS is less than 3.
+*/
+typedef struct sqlite3_vfs sqlite3_vfs;
+typedef void (*sqlite3_syscall_ptr)(void);
+struct sqlite3_vfs {
+ int iVersion; /* Structure version number (currently 3) */
+ int szOsFile; /* Size of subclassed sqlite3_file */
+ int mxPathname; /* Maximum file pathname length */
+ sqlite3_vfs *pNext; /* Next registered VFS */
+ const char *zName; /* Name of this virtual file system */
+ void *pAppData; /* Pointer to application-specific data */
+ int (*xOpen)(sqlite3_vfs*, const char *zName, sqlite3_file*,
+ int flags, int *pOutFlags);
+ int (*xDelete)(sqlite3_vfs*, const char *zName, int syncDir);
+ int (*xAccess)(sqlite3_vfs*, const char *zName, int flags, int *pResOut);
+ int (*xFullPathname)(sqlite3_vfs*, const char *zName, int nOut, char *zOut);
+ void *(*xDlOpen)(sqlite3_vfs*, const char *zFilename);
+ void (*xDlError)(sqlite3_vfs*, int nByte, char *zErrMsg);
+ void (*(*xDlSym)(sqlite3_vfs*,void*, const char *zSymbol))(void);
+ void (*xDlClose)(sqlite3_vfs*, void*);
+ int (*xRandomness)(sqlite3_vfs*, int nByte, char *zOut);
+ int (*xSleep)(sqlite3_vfs*, int microseconds);
+ int (*xCurrentTime)(sqlite3_vfs*, double*);
+ int (*xGetLastError)(sqlite3_vfs*, int, char *);
+ /*
+ ** The methods above are in version 1 of the sqlite_vfs object
+ ** definition. Those that follow are added in version 2 or later
+ */
+ int (*xCurrentTimeInt64)(sqlite3_vfs*, sqlite3_int64*);
+ /*
+ ** The methods above are in versions 1 and 2 of the sqlite_vfs object.
+ ** Those below are for version 3 and greater.
+ */
+ int (*xSetSystemCall)(sqlite3_vfs*, const char *zName, sqlite3_syscall_ptr);
+ sqlite3_syscall_ptr (*xGetSystemCall)(sqlite3_vfs*, const char *zName);
+ const char *(*xNextSystemCall)(sqlite3_vfs*, const char *zName);
+ /*
+ ** The methods above are in versions 1 through 3 of the sqlite_vfs object.
+ ** New fields may be appended in figure versions.
The iVersion
+ ** value will increment whenever this happens.
+ */
+};
+
+/*
+** CAPI3REF: Flags for the xAccess VFS method
+**
+** These integer constants can be used as the third parameter to
+** the xAccess method of an [sqlite3_vfs] object. They determine
+** what kind of permissions the xAccess method is looking for.
+** With SQLITE_ACCESS_EXISTS, the xAccess method
+** simply checks whether the file exists.
+** With SQLITE_ACCESS_READWRITE, the xAccess method
+** checks whether the named directory is both readable and writable
+** (in other words, if files can be added, removed, and renamed within
+** the directory).
+** The SQLITE_ACCESS_READWRITE constant is currently used only by the
+** [temp_store_directory pragma], though this could change in a future
+** release of SQLite.
+** With SQLITE_ACCESS_READ, the xAccess method
+** checks whether the file is readable. The SQLITE_ACCESS_READ constant is
+** currently unused, though it might be used in a future release of
+** SQLite.
+*/
+#define SQLITE_ACCESS_EXISTS 0
+#define SQLITE_ACCESS_READWRITE 1 /* Used by PRAGMA temp_store_directory */
+#define SQLITE_ACCESS_READ 2 /* Unused */
+
+/*
+** CAPI3REF: Flags for the xShmLock VFS method
+**
+** These integer constants define the various locking operations
+** allowed by the xShmLock method of [sqlite3_io_methods]. The
+** following are the only legal combinations of flags to the
+** xShmLock method:
+**
+**
    +**
• SQLITE_SHM_LOCK | SQLITE_SHM_SHARED
+**
• SQLITE_SHM_LOCK | SQLITE_SHM_EXCLUSIVE
+**
• SQLITE_SHM_UNLOCK | SQLITE_SHM_SHARED
+**
• SQLITE_SHM_UNLOCK | SQLITE_SHM_EXCLUSIVE
+**
+**
+** When unlocking, the same SHARED or EXCLUSIVE flag must be supplied as
+** was given no the corresponding lock.
+**
+** The xShmLock method can transition between unlocked and SHARED or
+** between unlocked and EXCLUSIVE. It cannot transition between SHARED
+** and EXCLUSIVE.
+*/
+#define SQLITE_SHM_UNLOCK 1
+#define SQLITE_SHM_LOCK 2
+#define SQLITE_SHM_SHARED 4
+#define SQLITE_SHM_EXCLUSIVE 8
+
+/*
+** CAPI3REF: Maximum xShmLock index
+**
+** The xShmLock method on [sqlite3_io_methods] may use values
+** between 0 and this upper bound as its "offset" argument.
+** The SQLite core will never attempt to acquire or release a
+** lock outside of this range
+*/
+#define SQLITE_SHM_NLOCK 8
+
+
+/*
+** CAPI3REF: Initialize The SQLite Library
+**
+** ^The sqlite3_initialize() routine initializes the
+** SQLite library. ^The sqlite3_shutdown() routine
+** deallocates any resources that were allocated by sqlite3_initialize().
+** These routines are designed to aid in process initialization and
+** shutdown on embedded systems. Workstation applications using
+** SQLite normally do not need to invoke either of these routines.
+**
+** A call to sqlite3_initialize() is an "effective" call if it is
+** the first time sqlite3_initialize() is invoked during the lifetime of
+** the process, or if it is the first time sqlite3_initialize() is invoked
+** following a call to sqlite3_shutdown(). ^(Only an effective call
+** of sqlite3_initialize() does any initialization. All other calls
+** are harmless no-ops.)^
+**
+** A call to sqlite3_shutdown() is an "effective" call if it is the first
+** call to sqlite3_shutdown() since the last sqlite3_initialize(). ^(Only
+** an effective call to sqlite3_shutdown() does any deinitialization.
+** All other valid calls to sqlite3_shutdown() are harmless no-ops.)^
+**
+** The sqlite3_initialize() interface is threadsafe, but sqlite3_shutdown()
+** is not. The sqlite3_shutdown() interface must only be called from a
+** single thread.
All open [database connections] must be closed and all
+** other SQLite resources must be deallocated prior to invoking
+** sqlite3_shutdown().
+**
+** Among other things, ^sqlite3_initialize() will invoke
+** sqlite3_os_init(). Similarly, ^sqlite3_shutdown()
+** will invoke sqlite3_os_end().
+**
+** ^The sqlite3_initialize() routine returns [SQLITE_OK] on success.
+** ^If for some reason, sqlite3_initialize() is unable to initialize
+** the library (perhaps it is unable to allocate a needed resource such
+** as a mutex) it returns an [error code] other than [SQLITE_OK].
+**
+** ^The sqlite3_initialize() routine is called internally by many other
+** SQLite interfaces so that an application usually does not need to
+** invoke sqlite3_initialize() directly. For example, [sqlite3_open()]
+** calls sqlite3_initialize() so the SQLite library will be automatically
+** initialized when [sqlite3_open()] is called if it has not be initialized
+** already. ^However, if SQLite is compiled with the [SQLITE_OMIT_AUTOINIT]
+** compile-time option, then the automatic calls to sqlite3_initialize()
+** are omitted and the application must call sqlite3_initialize() directly
+** prior to using any other SQLite interface. For maximum portability,
+** it is recommended that applications always invoke sqlite3_initialize()
+** directly prior to using any other SQLite interface. Future releases
+** of SQLite may require this. In other words, the behavior exhibited
+** when SQLite is compiled with [SQLITE_OMIT_AUTOINIT] might become the
+** default behavior in some future release of SQLite.
+**
+** The sqlite3_os_init() routine does operating-system specific
+** initialization of the SQLite library. The sqlite3_os_end()
+** routine undoes the effect of sqlite3_os_init().
Typical tasks
+** performed by these routines include allocation or deallocation
+** of static resources, initialization of global variables,
+** setting up a default [sqlite3_vfs] module, or setting up
+** a default configuration using [sqlite3_config()].
+**
+** The application should never invoke either sqlite3_os_init()
+** or sqlite3_os_end() directly. The application should only invoke
+** sqlite3_initialize() and sqlite3_shutdown(). The sqlite3_os_init()
+** interface is called automatically by sqlite3_initialize() and
+** sqlite3_os_end() is called by sqlite3_shutdown(). Appropriate
+** implementations for sqlite3_os_init() and sqlite3_os_end()
+** are built into SQLite when it is compiled for Unix, Windows, or OS/2.
+** When [custom builds | built for other platforms]
+** (using the [SQLITE_OS_OTHER=1] compile-time
+** option) the application must supply a suitable implementation for
+** sqlite3_os_init() and sqlite3_os_end(). An application-supplied
+** implementation of sqlite3_os_init() or sqlite3_os_end()
+** must return [SQLITE_OK] on success and some other [error code] upon
+** failure.
+*/
+SQLITE_API int sqlite3_initialize(void);
+SQLITE_API int sqlite3_shutdown(void);
+SQLITE_API int sqlite3_os_init(void);
+SQLITE_API int sqlite3_os_end(void);
+
+/*
+** CAPI3REF: Configuring The SQLite Library
+**
+** The sqlite3_config() interface is used to make global configuration
+** changes to SQLite in order to tune SQLite to the specific needs of
+** the application. The default configuration is recommended for most
+** applications and so this routine is usually not necessary. It is
+** provided to support rare applications with unusual needs.
+**
+** The sqlite3_config() interface is not threadsafe. The application
+** must insure that no other SQLite interfaces are invoked by other
+** threads while sqlite3_config() is running.
Furthermore, sqlite3_config()
+** may only be invoked prior to library initialization using
+** [sqlite3_initialize()] or after shutdown by [sqlite3_shutdown()].
+** ^If sqlite3_config() is called after [sqlite3_initialize()] and before
+** [sqlite3_shutdown()] then it will return SQLITE_MISUSE.
+** Note, however, that ^sqlite3_config() can be called as part of the
+** implementation of an application-defined [sqlite3_os_init()].
+**
+** The first argument to sqlite3_config() is an integer
+** [configuration option] that determines
+** what property of SQLite is to be configured. Subsequent arguments
+** vary depending on the [configuration option]
+** in the first argument.
+**
+** ^When a configuration option is set, sqlite3_config() returns [SQLITE_OK].
+** ^If the option is unknown or SQLite is unable to set the option
+** then this routine returns a non-zero [error code].
+*/
+SQLITE_API int sqlite3_config(int, ...);
+
+/*
+** CAPI3REF: Configure database connections
+**
+** The sqlite3_db_config() interface is used to make configuration
+** changes to a [database connection]. The interface is similar to
+** [sqlite3_config()] except that the changes apply to a single
+** [database connection] (specified in the first argument).
+**
+** The second argument to sqlite3_db_config(D,V,...) is the
+** [SQLITE_DBCONFIG_LOOKASIDE | configuration verb] - an integer code
+** that indicates what aspect of the [database connection] is being configured.
+** Subsequent arguments vary depending on the configuration verb.
+**
+** ^Calls to sqlite3_db_config() return SQLITE_OK if and only if
+** the call is considered successful.
+*/
+SQLITE_API int sqlite3_db_config(sqlite3*, int op, ...);
+
+/*
+** CAPI3REF: Memory Allocation Routines
+**
+** An instance of this object defines the interface between SQLite
+** and low-level memory allocation routines.
+**
+** This object is used in only one place in the SQLite interface.
+**
+** A pointer to an instance of this object is the argument to
+** [sqlite3_config()] when the configuration option is
+** [SQLITE_CONFIG_MALLOC] or [SQLITE_CONFIG_GETMALLOC].
+** By creating an instance of this object
+** and passing it to [sqlite3_config]([SQLITE_CONFIG_MALLOC])
+** during configuration, an application can specify an alternative
+** memory allocation subsystem for SQLite to use for all of its
+** dynamic memory needs.
+**
+** Note that SQLite comes with several [built-in memory allocators]
+** that are perfectly adequate for the overwhelming majority of applications
+** and that this object is only useful to a tiny minority of applications
+** with specialized memory allocation requirements. This object is
+** also used during testing of SQLite in order to specify an alternative
+** memory allocator that simulates memory out-of-memory conditions in
+** order to verify that SQLite recovers gracefully from such
+** conditions.
+**
+** The xMalloc, xRealloc, and xFree methods must work like the
+** malloc(), realloc() and free() functions from the standard C library.
+** ^SQLite guarantees that the second argument to
+** xRealloc is always a value returned by a prior call to xRoundup.
+**
+** xSize should return the allocated size of a memory allocation
+** previously obtained from xMalloc or xRealloc. The allocated size
+** is always at least as big as the requested size but may be larger.
+**
+** The xRoundup method returns what would be the allocated size of
+** a memory allocation given a particular requested size. Most memory
+** allocators round up memory allocations at least to the next multiple
+** of 8. Some allocators round up to a larger multiple or to a power of 2.
+** Every memory allocation request coming in through [sqlite3_malloc()]
+** or [sqlite3_realloc()] first calls xRoundup. If xRoundup returns 0,
+** that causes the corresponding memory allocation to fail.
+**
+** The xInit method initializes the memory allocator.
(For example,
+** it might allocate any require mutexes or initialize internal data
+** structures. The xShutdown method is invoked (indirectly) by
+** [sqlite3_shutdown()] and should deallocate any resources acquired
+** by xInit. The pAppData pointer is used as the only parameter to
+** xInit and xShutdown.
+**
+** SQLite holds the [SQLITE_MUTEX_STATIC_MASTER] mutex when it invokes
+** the xInit method, so the xInit method need not be threadsafe. The
+** xShutdown method is only called from [sqlite3_shutdown()] so it does
+** not need to be threadsafe either. For all other methods, SQLite
+** holds the [SQLITE_MUTEX_STATIC_MEM] mutex as long as the
+** [SQLITE_CONFIG_MEMSTATUS] configuration option is turned on (which
+** it is by default) and so the methods are automatically serialized.
+** However, if [SQLITE_CONFIG_MEMSTATUS] is disabled, then the other
+** methods must be threadsafe or else make their own arrangements for
+** serialization.
+**
+** SQLite will never invoke xInit() more than once without an intervening
+** call to xShutdown().
+*/
+typedef struct sqlite3_mem_methods sqlite3_mem_methods;
+struct sqlite3_mem_methods {
+ void *(*xMalloc)(int); /* Memory allocation function */
+ void (*xFree)(void*); /* Free a prior allocation */
+ void *(*xRealloc)(void*,int); /* Resize an allocation */
+ int (*xSize)(void*); /* Return the size of an allocation */
+ int (*xRoundup)(int); /* Round up request size to allocation size */
+ int (*xInit)(void*); /* Initialize the memory allocator */
+ void (*xShutdown)(void*); /* Deinitialize the memory allocator */
+ void *pAppData; /* Argument to xInit() and xShutdown() */
+};
+
+/*
+** CAPI3REF: Configuration Options
+** KEYWORDS: {configuration option}
+**
+** These constants are the available integer configuration options that
+** can be passed as the first argument to the [sqlite3_config()] interface.
+**
+** New configuration options may be added in future releases of SQLite.
+**
+** Existing configuration options might be discontinued. Applications
+** should check the return code from [sqlite3_config()] to make sure that
+** the call worked. The [sqlite3_config()] interface will return a
+** non-zero [error code] if a discontinued or unsupported configuration option
+** is invoked.
+**
+**
+**
+** [[SQLITE_CONFIG_SINGLETHREAD]]
SQLITE_CONFIG_SINGLETHREAD
+**
There are no arguments to this option. ^This option sets the
+** [threading mode] to Single-thread. In other words, it disables
+** all mutexing and puts SQLite into a mode where it can only be used
+** by a single thread. ^If SQLite is compiled with
+** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
+** it is not possible to change the [threading mode] from its default
+** value of Single-thread and so [sqlite3_config()] will return
+** [SQLITE_ERROR] if called with the SQLITE_CONFIG_SINGLETHREAD
+** configuration option.
+**
+** [[SQLITE_CONFIG_MULTITHREAD]]
SQLITE_CONFIG_MULTITHREAD
+**
There are no arguments to this option. ^This option sets the
+** [threading mode] to Multi-thread. In other words, it disables
+** mutexing on [database connection] and [prepared statement] objects.
+** The application is responsible for serializing access to
+** [database connections] and [prepared statements]. But other mutexes
+** are enabled so that SQLite will be safe to use in a multi-threaded
+** environment as long as no two threads attempt to use the same
+** [database connection] at the same time. ^If SQLite is compiled with
+** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
+** it is not possible to set the Multi-thread [threading mode] and
+** [sqlite3_config()] will return [SQLITE_ERROR] if called with the
+** SQLITE_CONFIG_MULTITHREAD configuration option.
+**
+** [[SQLITE_CONFIG_SERIALIZED]]
SQLITE_CONFIG_SERIALIZED
+**
There are no arguments to this option. ^This option sets the
+** [threading mode] to Serialized. In other words, this option enables
+** all mutexes including the recursive
+** mutexes on [database connection] and [prepared statement] objects.
+** In this mode (which is the default when SQLite is compiled with
+** [SQLITE_THREADSAFE=1]) the SQLite library will itself serialize access
+** to [database connections] and [prepared statements] so that the
+** application is free to use the same [database connection] or the
+** same [prepared statement] in different threads at the same time.
+** ^If SQLite is compiled with
+** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
+** it is not possible to set the Serialized [threading mode] and
+** [sqlite3_config()] will return [SQLITE_ERROR] if called with the
+** SQLITE_CONFIG_SERIALIZED configuration option.
+**
+** [[SQLITE_CONFIG_MALLOC]]
SQLITE_CONFIG_MALLOC
+**
^(This option takes a single argument which is a pointer to an
+** instance of the [sqlite3_mem_methods] structure. The argument specifies
+** alternative low-level memory allocation routines to be used in place of
+** the memory allocation routines built into SQLite.)^ ^SQLite makes
+** its own private copy of the content of the [sqlite3_mem_methods] structure
+** before the [sqlite3_config()] call returns.
+**
+** [[SQLITE_CONFIG_GETMALLOC]]
SQLITE_CONFIG_GETMALLOC
+**
^(This option takes a single argument which is a pointer to an
+** instance of the [sqlite3_mem_methods] structure. The [sqlite3_mem_methods]
+** structure is filled with the currently defined memory allocation routines.)^
+** This option can be used to overload the default memory allocation
+** routines with a wrapper that simulations memory allocation failure or
+** tracks memory usage, for example.
+**
+** [[SQLITE_CONFIG_MEMSTATUS]]
SQLITE_CONFIG_MEMSTATUS
+**
^This option takes single argument of type int, interpreted as a
+** boolean, which enables or disables the collection of memory allocation
+** statistics. ^(When memory allocation statistics are disabled, the
+** following SQLite interfaces become non-operational:
+**
    +**
• [sqlite3_memory_used()]
+**
• [sqlite3_memory_highwater()]
+**
• [sqlite3_soft_heap_limit64()]
+**
• [sqlite3_status()]
+**
)^
+** ^Memory allocation statistics are enabled by default unless SQLite is
+** compiled with [SQLITE_DEFAULT_MEMSTATUS]=0 in which case memory
+** allocation statistics are disabled by default.
+**
+**
+** [[SQLITE_CONFIG_SCRATCH]]
SQLITE_CONFIG_SCRATCH
+**
^This option specifies a static memory buffer that SQLite can use for
+** scratch memory. There are three arguments: A pointer an 8-byte
+** aligned memory buffer from which the scratch allocations will be
+** drawn, the size of each scratch allocation (sz),
+** and the maximum number of scratch allocations (N). The sz
+** argument must be a multiple of 16.
+** The first argument must be a pointer to an 8-byte aligned buffer
+** of at least sz*N bytes of memory.
+** ^SQLite will use no more than two scratch buffers per thread. So
+** N should be set to twice the expected maximum number of threads.
+** ^SQLite will never require a scratch buffer that is more than 6
+** times the database page size. ^If SQLite needs needs additional
+** scratch memory beyond what is provided by this configuration option, then
+** [sqlite3_malloc()] will be used to obtain the memory needed.
+**
+** [[SQLITE_CONFIG_PAGECACHE]]
SQLITE_CONFIG_PAGECACHE
+**
^This option specifies a static memory buffer that SQLite can use for
+** the database page cache with the default page cache implementation.
+** This configuration should not be used if an application-define page
+** cache implementation is loaded using the SQLITE_CONFIG_PCACHE2 option.
+** There are three arguments to this option: A pointer to 8-byte aligned
+** memory, the size of each page buffer (sz), and the number of pages (N).
+** The sz argument should be the size of the largest database page
+** (a power of two between 512 and 32768) plus a little extra for each
+** page header. ^The page header size is 20 to 40 bytes depending on
+** the host architecture. ^It is harmless, apart from the wasted memory,
+** to make sz a little too large. The first
+** argument should point to an allocation of at least sz*N bytes of memory.
+** ^SQLite will use the memory provided by the first argument to satisfy its
+** memory needs for the first N pages that it adds to cache. ^If additional
+** page cache memory is needed beyond what is provided by this option, then
+** SQLite goes to [sqlite3_malloc()] for the additional storage space.
+** The pointer in the first argument must
+** be aligned to an 8-byte boundary or subsequent behavior of SQLite
+** will be undefined.
+**
+** [[SQLITE_CONFIG_HEAP]]
SQLITE_CONFIG_HEAP
+**
^This option specifies a static memory buffer that SQLite will use
+** for all of its dynamic memory allocation needs beyond those provided
+** for by [SQLITE_CONFIG_SCRATCH] and [SQLITE_CONFIG_PAGECACHE].
+** There are three arguments: An 8-byte aligned pointer to the memory,
+** the number of bytes in the memory buffer, and the minimum allocation size.
+** ^If the first pointer (the memory pointer) is NULL, then SQLite reverts
+** to using its default memory allocator (the system malloc() implementation),
+** undoing any prior invocation of [SQLITE_CONFIG_MALLOC]. ^If the
+** memory pointer is not NULL and either [SQLITE_ENABLE_MEMSYS3] or
+** [SQLITE_ENABLE_MEMSYS5] are defined, then the alternative memory
+** allocator is engaged to handle all of SQLites memory allocation needs.
+** The first pointer (the memory pointer) must be aligned to an 8-byte
+** boundary or subsequent behavior of SQLite will be undefined.
+** The minimum allocation size is capped at 2**12. Reasonable values
+** for the minimum allocation size are 2**5 through 2**8.
+** +** [[SQLITE_CONFIG_MUTEX]]
SQLITE_CONFIG_MUTEX
+**
^(This option takes a single argument which is a pointer to an
+** instance of the [sqlite3_mutex_methods] structure. The argument specifies
+** alternative low-level mutex routines to be used in place
+** the mutex routines built into SQLite.)^ ^SQLite makes a copy of the
+** content of the [sqlite3_mutex_methods] structure before the call to
+** [sqlite3_config()] returns. ^If SQLite is compiled with
+** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
+** the entire mutexing subsystem is omitted from the build and hence calls to
+** [sqlite3_config()] with the SQLITE_CONFIG_MUTEX configuration option will
+** return [SQLITE_ERROR].
+**
+** [[SQLITE_CONFIG_GETMUTEX]]
SQLITE_CONFIG_GETMUTEX
+**
^(This option takes a single argument which is a pointer to an
+** instance of the [sqlite3_mutex_methods] structure. The
+** [sqlite3_mutex_methods]
+** structure is filled with the currently defined mutex routines.)^
+** This option can be used to overload the default mutex allocation
+** routines with a wrapper used to track mutex usage for performance
+** profiling or testing, for example. ^If SQLite is compiled with
+** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
+** the entire mutexing subsystem is omitted from the build and hence calls to
+** [sqlite3_config()] with the SQLITE_CONFIG_GETMUTEX configuration option will
+** return [SQLITE_ERROR].
+**
+** [[SQLITE_CONFIG_LOOKASIDE]]
SQLITE_CONFIG_LOOKASIDE
+**
^(This option takes two arguments that determine the default
+** memory allocation for the lookaside memory allocator on each
+** [database connection]. The first argument is the
+** size of each lookaside buffer slot and the second is the number of
+** slots allocated to each database connection.)^ ^(This option sets the
+** default lookaside size. The [SQLITE_DBCONFIG_LOOKASIDE]
+** verb to [sqlite3_db_config()] can be used to change the lookaside
+** configuration on individual connections.)^
+**
+** [[SQLITE_CONFIG_PCACHE2]]
SQLITE_CONFIG_PCACHE2
+**
^(This option takes a single argument which is a pointer to
+** an [sqlite3_pcache_methods2] object. This object specifies the interface
+** to a custom page cache implementation.)^ ^SQLite makes a copy of the
+** object and uses it for page cache memory allocations.
+**
+** [[SQLITE_CONFIG_GETPCACHE2]]
SQLITE_CONFIG_GETPCACHE2
+**
^(This option takes a single argument which is a pointer to an
+** [sqlite3_pcache_methods2] object. SQLite copies of the current
+** page cache implementation into that object.)^
+**
+** [[SQLITE_CONFIG_LOG]]
SQLITE_CONFIG_LOG
+**
^The SQLITE_CONFIG_LOG option takes two arguments: a pointer to a
+** function with a call signature of void(*)(void*,int,const char*),
+** and a pointer to void. ^If the function pointer is not NULL, it is
+** invoked by [sqlite3_log()] to process each logging event. ^If the
+** function pointer is NULL, the [sqlite3_log()] interface becomes a no-op.
+** ^The void pointer that is the second argument to SQLITE_CONFIG_LOG is
+** passed through as the first parameter to the application-defined logger
+** function whenever that function is invoked. ^The second parameter to
+** the logger function is a copy of the first parameter to the corresponding
+** [sqlite3_log()] call and is intended to be a [result code] or an
+** [extended result code]. ^The third parameter passed to the logger is
+** log message after formatting via [sqlite3_snprintf()].
+** The SQLite logging interface is not reentrant; the logger function
+** supplied by the application must not invoke any SQLite interface.
+** In a multi-threaded application, the application-defined logger
+** function must be threadsafe.
+**
+** [[SQLITE_CONFIG_URI]]
SQLITE_CONFIG_URI
+**
This option takes a single argument of type int. If non-zero, then
+** URI handling is globally enabled. If the parameter is zero, then URI handling
+** is globally disabled. If URI handling is globally enabled, all filenames
+** passed to [sqlite3_open()], [sqlite3_open_v2()], [sqlite3_open16()] or
+** specified as part of [ATTACH] commands are interpreted as URIs, regardless
+** of whether or not the [SQLITE_OPEN_URI] flag is set when the database
+** connection is opened. If it is globally disabled, filenames are
+** only interpreted as URIs if the SQLITE_OPEN_URI flag is set when the
+** database connection is opened. By default, URI handling is globally
+** disabled. The default value may be changed by compiling with the
+** [SQLITE_USE_URI] symbol defined.
+**
+** [[SQLITE_CONFIG_COVERING_INDEX_SCAN]]
SQLITE_CONFIG_COVERING_INDEX_SCAN
+**
This option takes a single integer argument which is interpreted as
+** a boolean in order to enable or disable the use of covering indices for
+** full table scans in the query optimizer. The default setting is determined
+** by the [SQLITE_ALLOW_COVERING_INDEX_SCAN] compile-time option, or is "on"
+** if that compile-time option is omitted.
+** The ability to disable the use of covering indices for full table scans
+** is because some incorrectly coded legacy applications might malfunction
+** malfunction when the optimization is enabled. Providing the ability to
+** disable the optimization allows the older, buggy application code to work
+** without change even with newer versions of SQLite.
+**
+** [[SQLITE_CONFIG_PCACHE]] [[SQLITE_CONFIG_GETPCACHE]]
+**
SQLITE_CONFIG_PCACHE and SQLITE_CONFIG_GETPCACHE
+**
These options are obsolete and should not be used by new code.
+** They are retained for backwards compatibility but are now no-ops.
+**
+**
+** [[SQLITE_CONFIG_SQLLOG]]
+**
SQLITE_CONFIG_SQLLOG
+**
This option is only available if sqlite is compiled with the
+** SQLITE_ENABLE_SQLLOG pre-processor macro defined. The first argument should
+** be a pointer to a function of type void(*)(void*,sqlite3*,const char*, int).
+** The second should be of type (void*). The callback is invoked by the library
+** in three separate circumstances, identified by the value passed as the
+** fourth parameter. If the fourth parameter is 0, then the database connection
+** passed as the second argument has just been opened. The third argument
+** points to a buffer containing the name of the main database file. If the
+** fourth parameter is 1, then the SQL statement that the third parameter
+** points to has just been executed. Or, if the fourth parameter is 2, then
+** the connection being passed as the second parameter is being closed. The
+** third parameter is passed NULL In this case.
+**
+*/
+#define SQLITE_CONFIG_SINGLETHREAD 1 /* nil */
+#define SQLITE_CONFIG_MULTITHREAD 2 /* nil */
+#define SQLITE_CONFIG_SERIALIZED 3 /* nil */
+#define SQLITE_CONFIG_MALLOC 4 /* sqlite3_mem_methods* */
+#define SQLITE_CONFIG_GETMALLOC 5 /* sqlite3_mem_methods* */
+#define SQLITE_CONFIG_SCRATCH 6 /* void*, int sz, int N */
+#define SQLITE_CONFIG_PAGECACHE 7 /* void*, int sz, int N */
+#define SQLITE_CONFIG_HEAP 8 /* void*, int nByte, int min */
+#define SQLITE_CONFIG_MEMSTATUS 9 /* boolean */
+#define SQLITE_CONFIG_MUTEX 10 /* sqlite3_mutex_methods* */
+#define SQLITE_CONFIG_GETMUTEX 11 /* sqlite3_mutex_methods* */
+/* previously SQLITE_CONFIG_CHUNKALLOC 12 which is now unused.
*/
+#define SQLITE_CONFIG_LOOKASIDE 13 /* int int */
+#define SQLITE_CONFIG_PCACHE 14 /* no-op */
+#define SQLITE_CONFIG_GETPCACHE 15 /* no-op */
+#define SQLITE_CONFIG_LOG 16 /* xFunc, void* */
+#define SQLITE_CONFIG_URI 17 /* int */
+#define SQLITE_CONFIG_PCACHE2 18 /* sqlite3_pcache_methods2* */
+#define SQLITE_CONFIG_GETPCACHE2 19 /* sqlite3_pcache_methods2* */
+#define SQLITE_CONFIG_COVERING_INDEX_SCAN 20 /* int */
+#define SQLITE_CONFIG_SQLLOG 21 /* xSqllog, void* */
+
+/*
+** CAPI3REF: Database Connection Configuration Options
+**
+** These constants are the available integer configuration options that
+** can be passed as the second argument to the [sqlite3_db_config()] interface.
+**
+** New configuration options may be added in future releases of SQLite.
+** Existing configuration options might be discontinued. Applications
+** should check the return code from [sqlite3_db_config()] to make sure that
+** the call worked. ^The [sqlite3_db_config()] interface will return a
+** non-zero [error code] if a discontinued or unsupported configuration option
+** is invoked.
+**
+**
+**
SQLITE_DBCONFIG_LOOKASIDE
+**
^This option takes three additional arguments that determine the
+** [lookaside memory allocator] configuration for the [database connection].
+** ^The first argument (the third parameter to [sqlite3_db_config()] is a
+** pointer to a memory buffer to use for lookaside memory.
+** ^The first argument after the SQLITE_DBCONFIG_LOOKASIDE verb
+** may be NULL in which case SQLite will allocate the
+** lookaside buffer itself using [sqlite3_malloc()]. ^The second argument is the
+** size of each lookaside buffer slot. ^The third argument is the number of
+** slots. The size of the buffer in the first argument must be greater than
+** or equal to the product of the second and third arguments. The buffer
+** must be aligned to an 8-byte boundary. ^If the second argument to
+** SQLITE_DBCONFIG_LOOKASIDE is not a multiple of 8, it is internally
+** rounded down to the next smaller multiple of 8. ^(The lookaside memory
+** configuration for a database connection can only be changed when that
+** connection is not currently using lookaside memory, or in other words
+** when the "current value" returned by
+** [sqlite3_db_status](D,[SQLITE_CONFIG_LOOKASIDE],...) is zero.
+** Any attempt to change the lookaside memory configuration when lookaside
+** memory is in use leaves the configuration unchanged and returns
+** [SQLITE_BUSY].)^
+**
+**
SQLITE_DBCONFIG_ENABLE_FKEY
+**
^This option is used to enable or disable the enforcement of
+** [foreign key constraints]. There should be two additional arguments.
+** The first argument is an integer which is 0 to disable FK enforcement,
+** positive to enable FK enforcement or negative to leave FK enforcement
+** unchanged. The second parameter is a pointer to an integer into which
+** is written 0 or 1 to indicate whether FK enforcement is off or on
+** following this call. The second parameter may be a NULL pointer, in
+** which case the FK enforcement setting is not reported back.
+**
+**
SQLITE_DBCONFIG_ENABLE_TRIGGER
+**
^This option is used to enable or disable [CREATE TRIGGER | triggers].
+** There should be two additional arguments.
+** The first argument is an integer which is 0 to disable triggers,
+** positive to enable triggers or negative to leave the setting unchanged.
+** The second parameter is a pointer to an integer into which
+** is written 0 or 1 to indicate whether triggers are disabled or enabled
+** following this call. The second parameter may be a NULL pointer, in
+** which case the trigger setting is not reported back.
+**
+**
+*/
+#define SQLITE_DBCONFIG_LOOKASIDE 1001 /* void* int int */
+#define SQLITE_DBCONFIG_ENABLE_FKEY 1002 /* int int* */
+#define SQLITE_DBCONFIG_ENABLE_TRIGGER 1003 /* int int* */
+
+
+/*
+** CAPI3REF: Enable Or Disable Extended Result Codes
+**
+** ^The sqlite3_extended_result_codes() routine enables or disables the
+** [extended result codes] feature of SQLite. ^The extended result
+** codes are disabled by default for historical compatibility.
+*/
+SQLITE_API int sqlite3_extended_result_codes(sqlite3*, int onoff);
+
+/*
+** CAPI3REF: Last Insert Rowid
+**
+** ^Each entry in an SQLite table has a unique 64-bit signed
+** integer key called the [ROWID | "rowid"]. ^The rowid is always available
+** as an undeclared column named ROWID, OID, or _ROWID_ as long as those
+** names are not also used by explicitly declared columns. ^If
+** the table has a column of type [INTEGER PRIMARY KEY] then that column
+** is another alias for the rowid.
+**
+** ^This routine returns the [rowid] of the most recent
+** successful [INSERT] into the database from the [database connection]
+** in the first argument. ^As of SQLite version 3.7.7, this routines
+** records the last insert rowid of both ordinary tables and [virtual tables].
+** ^If no successful [INSERT]s
+** have ever occurred on that database connection, zero is returned.
+**
+** ^(If an [INSERT] occurs within a trigger or within a [virtual table]
+** method, then this routine will return the [rowid] of the inserted
+** row as long as the trigger or virtual table method is running.
+** But once the trigger or virtual table method ends, the value returned
+** by this routine reverts to what it was before the trigger or virtual
+** table method began.)^
+**
+** ^An [INSERT] that fails due to a constraint violation is not a
+** successful [INSERT] and does not change the value returned by this
+** routine.
^Thus INSERT OR FAIL, INSERT OR IGNORE, INSERT OR ROLLBACK,
+** and INSERT OR ABORT make no changes to the return value of this
+** routine when their insertion fails. ^(When INSERT OR REPLACE
+** encounters a constraint violation, it does not fail. The
+** INSERT continues to completion after deleting rows that caused
+** the constraint problem so INSERT OR REPLACE will always change
+** the return value of this interface.)^
+**
+** ^For the purposes of this routine, an [INSERT] is considered to
+** be successful even if it is subsequently rolled back.
+**
+** This function is accessible to SQL statements via the
+** [last_insert_rowid() SQL function].
+**
+** If a separate thread performs a new [INSERT] on the same
+** database connection while the [sqlite3_last_insert_rowid()]
+** function is running and thus changes the last insert [rowid],
+** then the value returned by [sqlite3_last_insert_rowid()] is
+** unpredictable and might not equal either the old or the new
+** last insert [rowid].
+*/
+SQLITE_API sqlite3_int64 sqlite3_last_insert_rowid(sqlite3*);
+
+/*
+** CAPI3REF: Count The Number Of Rows Modified
+**
+** ^This function returns the number of database rows that were changed
+** or inserted or deleted by the most recently completed SQL statement
+** on the [database connection] specified by the first parameter.
+** ^(Only changes that are directly specified by the [INSERT], [UPDATE],
+** or [DELETE] statement are counted. Auxiliary changes caused by
+** triggers or [foreign key actions] are not counted.)^ Use the
+** [sqlite3_total_changes()] function to find the total number of changes
+** including changes caused by triggers and foreign key actions.
+**
+** ^Changes to a view that are simulated by an [INSTEAD OF trigger]
+** are not counted. Only real table changes are counted.
+**
+** ^(A "row change" is a change to a single row of a single table
+** caused by an INSERT, DELETE, or UPDATE statement.
Rows that
+** are changed as side effects of [REPLACE] constraint resolution,
+** rollback, ABORT processing, [DROP TABLE], or by any other
+** mechanisms do not count as direct row changes.)^
+**
+** A "trigger context" is a scope of execution that begins and
+** ends with the script of a [CREATE TRIGGER | trigger].
+** Most SQL statements are
+** evaluated outside of any trigger. This is the "top level"
+** trigger context. If a trigger fires from the top level, a
+** new trigger context is entered for the duration of that one
+** trigger. Subtriggers create subcontexts for their duration.
+**
+** ^Calling [sqlite3_exec()] or [sqlite3_step()] recursively does
+** not create a new trigger context.
+**
+** ^This function returns the number of direct row changes in the
+** most recent INSERT, UPDATE, or DELETE statement within the same
+** trigger context.
+**
+** ^Thus, when called from the top level, this function returns the
+** number of changes in the most recent INSERT, UPDATE, or DELETE
+** that also occurred at the top level. ^(Within the body of a trigger,
+** the sqlite3_changes() interface can be called to find the number of
+** changes in the most recently completed INSERT, UPDATE, or DELETE
+** statement within the body of the same trigger.
+** However, the number returned does not include changes
+** caused by subtriggers since those have their own context.)^
+**
+** See also the [sqlite3_total_changes()] interface, the
+** [count_changes pragma], and the [changes() SQL function].
+**
+** If a separate thread makes changes on the same database connection
+** while [sqlite3_changes()] is running then the value returned
+** is unpredictable and not meaningful.
+*/
+SQLITE_API int sqlite3_changes(sqlite3*);
+
+/*
+** CAPI3REF: Total Number Of Rows Modified
+**
+** ^This function returns the number of row changes caused by [INSERT],
+** [UPDATE] or [DELETE] statements since the [database connection] was opened.
+** ^(The count returned by sqlite3_total_changes() includes all changes
+** from all [CREATE TRIGGER | trigger] contexts and changes made by
+** [foreign key actions]. However,
+** the count does not include changes used to implement [REPLACE] constraints,
+** do rollbacks or ABORT processing, or [DROP TABLE] processing. The
+** count does not include rows of views that fire an [INSTEAD OF trigger],
+** though if the INSTEAD OF trigger makes changes of its own, those changes
+** are counted.)^
+** ^The sqlite3_total_changes() function counts the changes as soon as
+** the statement that makes them is completed (when the statement handle
+** is passed to [sqlite3_reset()] or [sqlite3_finalize()]).
+**
+** See also the [sqlite3_changes()] interface, the
+** [count_changes pragma], and the [total_changes() SQL function].
+**
+** If a separate thread makes changes on the same database connection
+** while [sqlite3_total_changes()] is running then the value
+** returned is unpredictable and not meaningful.
+*/
+SQLITE_API int sqlite3_total_changes(sqlite3*);
+
+/*
+** CAPI3REF: Interrupt A Long-Running Query
+**
+** ^This function causes any pending database operation to abort and
+** return at its earliest opportunity. This routine is typically
+** called in response to a user action such as pressing "Cancel"
+** or Ctrl-C where the user wants a long query operation to halt
+** immediately.
+**
+** ^It is safe to call this routine from a thread different from the
+** thread that is currently running the database operation. But it
+** is not safe to call this routine with a [database connection] that
+** is closed or might close before sqlite3_interrupt() returns.
+**
+** ^If an SQL operation is very nearly finished at the time when
+** sqlite3_interrupt() is called, then it might not have an opportunity
+** to be interrupted and might continue to completion.
+**
+** ^An SQL operation that is interrupted will return [SQLITE_INTERRUPT].
+** ^If the interrupted SQL operation is an INSERT, UPDATE, or DELETE
+** that is inside an explicit transaction, then the entire transaction
+** will be rolled back automatically.
+**
+** ^The sqlite3_interrupt(D) call is in effect until all currently running
+** SQL statements on [database connection] D complete. ^Any new SQL statements
+** that are started after the sqlite3_interrupt() call and before the
+** running statements reaches zero are interrupted as if they had been
+** running prior to the sqlite3_interrupt() call. ^New SQL statements
+** that are started after the running statement count reaches zero are
+** not effected by the sqlite3_interrupt().
+** ^A call to sqlite3_interrupt(D) that occurs when there are no running
+** SQL statements is a no-op and has no effect on SQL statements
+** that are started after the sqlite3_interrupt() call returns.
+**
+** If the database connection closes while [sqlite3_interrupt()]
+** is running then bad things will likely happen.
+*/
+SQLITE_API void sqlite3_interrupt(sqlite3*);
+
+/*
+** CAPI3REF: Determine If An SQL Statement Is Complete
+**
+** These routines are useful during command-line input to determine if the
+** currently entered text seems to form a complete SQL statement or
+** if additional input is needed before sending the text into
+** SQLite for parsing. ^These routines return 1 if the input string
+** appears to be a complete SQL statement. ^A statement is judged to be
+** complete if it ends with a semicolon token and is not a prefix of a
+** well-formed CREATE TRIGGER statement. ^Semicolons that are embedded within
+** string literals or quoted identifier names or comments are not
+** independent tokens (they are part of the token in which they are
+** embedded) and thus do not count as a statement terminator. ^Whitespace
+** and comments that follow the final semicolon are ignored.
+**
+** ^These routines return 0 if the statement is incomplete.
^If a
+** memory allocation fails, then SQLITE_NOMEM is returned.
+**
+** ^These routines do not parse the SQL statements thus
+** will not detect syntactically incorrect SQL.
+**
+** ^(If SQLite has not been initialized using [sqlite3_initialize()] prior
+** to invoking sqlite3_complete16() then sqlite3_initialize() is invoked
+** automatically by sqlite3_complete16(). If that initialization fails,
+** then the return value from sqlite3_complete16() will be non-zero
+** regardless of whether or not the input SQL is complete.)^
+**
+** The input to [sqlite3_complete()] must be a zero-terminated
+** UTF-8 string.
+**
+** The input to [sqlite3_complete16()] must be a zero-terminated
+** UTF-16 string in native byte order.
+*/
+SQLITE_API int sqlite3_complete(const char *sql);
+SQLITE_API int sqlite3_complete16(const void *sql);
+
+/*
+** CAPI3REF: Register A Callback To Handle SQLITE_BUSY Errors
+**
+** ^This routine sets a callback function that might be invoked whenever
+** an attempt is made to open a database table that another thread
+** or process has locked.
+**
+** ^If the busy callback is NULL, then [SQLITE_BUSY] or [SQLITE_IOERR_BLOCKED]
+** is returned immediately upon encountering the lock. ^If the busy callback
+** is not NULL, then the callback might be invoked with two arguments.
+**
+** ^The first argument to the busy handler is a copy of the void* pointer which
+** is the third argument to sqlite3_busy_handler(). ^The second argument to
+** the busy handler callback is the number of times that the busy handler has
+** been invoked for this locking event. ^If the
+** busy callback returns 0, then no additional attempts are made to
+** access the database and [SQLITE_BUSY] or [SQLITE_IOERR_BLOCKED] is returned.
+** ^If the callback returns non-zero, then another attempt
+** is made to open the database for reading and the cycle repeats.
+**
+** The presence of a busy handler does not guarantee that it will be invoked
+** when there is lock contention.
^If SQLite determines that invoking the busy
+** handler could result in a deadlock, it will go ahead and return [SQLITE_BUSY]
+** or [SQLITE_IOERR_BLOCKED] instead of invoking the busy handler.
+** Consider a scenario where one process is holding a read lock that
+** it is trying to promote to a reserved lock and
+** a second process is holding a reserved lock that it is trying
+** to promote to an exclusive lock. The first process cannot proceed
+** because it is blocked by the second and the second process cannot
+** proceed because it is blocked by the first. If both processes
+** invoke the busy handlers, neither will make any progress. Therefore,
+** SQLite returns [SQLITE_BUSY] for the first process, hoping that this
+** will induce the first process to release its read lock and allow
+** the second process to proceed.
+**
+** ^The default busy callback is NULL.
+**
+** ^The [SQLITE_BUSY] error is converted to [SQLITE_IOERR_BLOCKED]
+** when SQLite is in the middle of a large transaction where all the
+** changes will not fit into the in-memory cache. SQLite will
+** already hold a RESERVED lock on the database file, but it needs
+** to promote this lock to EXCLUSIVE so that it can spill cache
+** pages into the database file without harm to concurrent
+** readers. ^If it is unable to promote the lock, then the in-memory
+** cache will be left in an inconsistent state and so the error
+** code is promoted from the relatively benign [SQLITE_BUSY] to
+** the more severe [SQLITE_IOERR_BLOCKED]. ^This error code promotion
+** forces an automatic rollback of the changes. See the
+**
+** CorruptionFollowingBusyError wiki page for a discussion of why
+** this is important.
+**
+** ^(There can only be a single busy handler defined for each
+** [database connection]. Setting a new busy handler clears any
+** previously set handler.)^ ^Note that calling [sqlite3_busy_timeout()]
+** will also set or clear the busy handler.
+**
+** The busy callback should not take any actions which modify the
+** database connection that invoked the busy handler. Any such actions
+** result in undefined behavior.
+**
+** A busy handler must not close the database connection
+** or [prepared statement] that invoked the busy handler.
+*/
+SQLITE_API int sqlite3_busy_handler(sqlite3*, int(*)(void*,int), void*);
+
+/*
+** CAPI3REF: Set A Busy Timeout
+**
+** ^This routine sets a [sqlite3_busy_handler | busy handler] that sleeps
+** for a specified amount of time when a table is locked. ^The handler
+** will sleep multiple times until at least "ms" milliseconds of sleeping
+** have accumulated. ^After at least "ms" milliseconds of sleeping,
+** the handler returns 0 which causes [sqlite3_step()] to return
+** [SQLITE_BUSY] or [SQLITE_IOERR_BLOCKED].
+**
+** ^Calling this routine with an argument less than or equal to zero
+** turns off all busy handlers.
+**
+** ^(There can only be a single busy handler for a particular
+** [database connection] any any given moment. If another busy handler
+** was defined (using [sqlite3_busy_handler()]) prior to calling
+** this routine, that other busy handler is cleared.)^
+*/
+SQLITE_API int sqlite3_busy_timeout(sqlite3*, int ms);
+
+/*
+** CAPI3REF: Convenience Routines For Running Queries
+**
+** This is a legacy interface that is preserved for backwards compatibility.
+** Use of this interface is not recommended.
+**
+** Definition: A result table is memory data structure created by the
+** [sqlite3_get_table()] interface. A result table records the
+** complete query results from one or more queries.
+**
+** The table conceptually has a number of rows and columns. But
+** these numbers are not part of the result table itself. These
+** numbers are obtained separately. Let N be the number of rows
+** and M be the number of columns.
+**
+** A result table is an array of pointers to zero-terminated UTF-8 strings.
+** There are (N+1)*M elements in the array.
The first M pointers point
+** to zero-terminated strings that contain the names of the columns.
+** The remaining entries all point to query results. NULL values result
+** in NULL pointers. All other values are in their UTF-8 zero-terminated
+** string representation as returned by [sqlite3_column_text()].
+**
+** A result table might consist of one or more memory allocations.
+** It is not safe to pass a result table directly to [sqlite3_free()].
+** A result table should be deallocated using [sqlite3_free_table()].
+**
+** ^(As an example of the result table format, suppose a query result
+** is as follows:
+**
+**
+**        Name        | Age
+**        -----------------------
+**        Alice       | 43
+**        Bob         | 28
+**        Cindy       | 21
+** 
+**
+** There are two column (M==2) and three rows (N==3). Thus the
+** result table has 8 entries. Suppose the result table is stored
+** in an array names azResult. Then azResult holds this content:
+**
+**
+**        azResult[0] = "Name";
+**        azResult[1] = "Age";
+**        azResult[2] = "Alice";
+**        azResult[3] = "43";
+**        azResult[4] = "Bob";
+**        azResult[5] = "28";
+**        azResult[6] = "Cindy";
+**        azResult[7] = "21";
+** 
)^
+**
+** ^The sqlite3_get_table() function evaluates one or more
+** semicolon-separated SQL statements in the zero-terminated UTF-8
+** string of its 2nd parameter and returns a result table to the
+** pointer given in its 3rd parameter.
+**
+** After the application has finished with the result from sqlite3_get_table(),
+** it must pass the result table pointer to sqlite3_free_table() in order to
+** release the memory that was malloced. Because of the way the
+** [sqlite3_malloc()] happens within sqlite3_get_table(), the calling
+** function must not try to call [sqlite3_free()] directly. Only
+** [sqlite3_free_table()] is able to release the memory properly and safely.
+**
+** The sqlite3_get_table() interface is implemented as a wrapper around
+** [sqlite3_exec()]. The sqlite3_get_table() routine does not have access
+** to any internal data structures of SQLite. It uses only the public
+** interface defined here. As a consequence, errors that occur in the
+** wrapper layer outside of the internal [sqlite3_exec()] call are not
+** reflected in subsequent calls to [sqlite3_errcode()] or
+** [sqlite3_errmsg()].
+*/
+SQLITE_API int sqlite3_get_table(
+ sqlite3 *db, /* An open database */
+ const char *zSql, /* SQL to be evaluated */
+ char ***pazResult, /* Results of the query */
+ int *pnRow, /* Number of result rows written here */
+ int *pnColumn, /* Number of result columns written here */
+ char **pzErrmsg /* Error msg written here */
+);
+SQLITE_API void sqlite3_free_table(char **result);
+
+/*
+** CAPI3REF: Formatted String Printing Functions
+**
+** These routines are work-alikes of the "printf()" family of functions
+** from the standard C library.
+**
+** ^The sqlite3_mprintf() and sqlite3_vmprintf() routines write their
+** results into memory obtained from [sqlite3_malloc()].
+** The strings returned by these two routines should be
+** released by [sqlite3_free()].
^Both routines return a
+** NULL pointer if [sqlite3_malloc()] is unable to allocate enough
+** memory to hold the resulting string.
+**
+** ^(The sqlite3_snprintf() routine is similar to "snprintf()" from
+** the standard C library. The result is written into the
+** buffer supplied as the second parameter whose size is given by
+** the first parameter. Note that the order of the
+** first two parameters is reversed from snprintf().)^ This is an
+** historical accident that cannot be fixed without breaking
+** backwards compatibility. ^(Note also that sqlite3_snprintf()
+** returns a pointer to its buffer instead of the number of
+** characters actually written into the buffer.)^ We admit that
+** the number of characters written would be a more useful return
+** value but we cannot change the implementation of sqlite3_snprintf()
+** now without breaking compatibility.
+**
+** ^As long as the buffer size is greater than zero, sqlite3_snprintf()
+** guarantees that the buffer is always zero-terminated. ^The first
+** parameter "n" is the total size of the buffer, including space for
+** the zero terminator. So the longest string that can be completely
+** written will be n-1 characters.
+**
+** ^The sqlite3_vsnprintf() routine is a varargs version of sqlite3_snprintf().
+**
+** These routines all implement some additional formatting
+** options that are useful for constructing SQL statements.
+** All of the usual printf() formatting options apply. In addition, there
+** is are "%q", "%Q", and "%z" options.
+**
+** ^(The %q option works like %s in that it substitutes a nul-terminated
+** string from the argument list. But %q also doubles every '\'' character.
+** %q is designed for use inside a string literal.)^ By doubling each '\''
+** character it escapes that character and allows it to be inserted into
+** the string.
+**
+** For example, assume the string variable zText contains text as follows:
+**
+**
+**  char *zText = "It's a happy day!";
+** 
+**
+** One can use this text in an SQL statement as follows:
+**
+**
+**  char *zSQL = sqlite3_mprintf("INSERT INTO table VALUES('%q')", zText);
+**  sqlite3_exec(db, zSQL, 0, 0, 0);
+**  sqlite3_free(zSQL);
+** 
+**
+** Because the %q format string is used, the '\'' character in zText
+** is escaped and the SQL generated is as follows:
+**
+**
+**  INSERT INTO table1 VALUES('It''s a happy day!')
+** 
+**
+** This is correct. Had we used %s instead of %q, the generated SQL
+** would have looked like this:
+**
+**
+**  INSERT INTO table1 VALUES('It's a happy day!');
+** 
+**
+** This second example is an SQL syntax error. As a general rule you should
+** always use %q instead of %s when inserting text into a string literal.
+**
+** ^(The %Q option works like %q except it also adds single quotes around
+** the outside of the total string. Additionally, if the parameter in the
+** argument list is a NULL pointer, %Q substitutes the text "NULL" (without
+** single quotes).)^ So, for example, one could say:
+**
+**
+**  char *zSQL = sqlite3_mprintf("INSERT INTO table VALUES(%Q)", zText);
+**  sqlite3_exec(db, zSQL, 0, 0, 0);
+**  sqlite3_free(zSQL);
+** 
+**
+** The code above will render a correct SQL statement in the zSQL
+** variable even if the zText variable is a NULL pointer.
+**
+** ^(The "%z" formatting option works like "%s" but with the
+** addition that after the string has been read and copied into
+** the result, [sqlite3_free()] is called on the input string.)^
+*/
+SQLITE_API char *sqlite3_mprintf(const char*,...);
+SQLITE_API char *sqlite3_vmprintf(const char*, va_list);
+SQLITE_API char *sqlite3_snprintf(int,char*,const char*, ...);
+SQLITE_API char *sqlite3_vsnprintf(int,char*,const char*, va_list);
+
+/*
+** CAPI3REF: Memory Allocation Subsystem
+**
+** The SQLite core uses these three routines for all of its own
+** internal memory allocation needs. "Core" in the previous sentence
+** does not include operating-system specific VFS implementation. The
+** Windows VFS uses native malloc() and free() for some operations.
+**
+** ^The sqlite3_malloc() routine returns a pointer to a block
+** of memory at least N bytes in length, where N is the parameter.
+** ^If sqlite3_malloc() is unable to obtain sufficient free
+** memory, it returns a NULL pointer. ^If the parameter N to
+** sqlite3_malloc() is zero or negative then sqlite3_malloc() returns
+** a NULL pointer.
+**
+** ^Calling sqlite3_free() with a pointer previously returned
+** by sqlite3_malloc() or sqlite3_realloc() releases that memory so
+** that it might be reused. ^The sqlite3_free() routine is
+** a no-op if is called with a NULL pointer. Passing a NULL pointer
+** to sqlite3_free() is harmless. After being freed, memory
+** should neither be read nor written. Even reading previously freed
+** memory might result in a segmentation fault or other severe error.
+** Memory corruption, a segmentation fault, or other severe error
+** might result if sqlite3_free() is called with a non-NULL pointer that
+** was not obtained from sqlite3_malloc() or sqlite3_realloc().
+**
+** ^(The sqlite3_realloc() interface attempts to resize a
+** prior memory allocation to be at least N bytes, where N is the
+** second parameter. The memory allocation to be resized is the first
+** parameter.)^ ^ If the first parameter to sqlite3_realloc()
+** is a NULL pointer then its behavior is identical to calling
+** sqlite3_malloc(N) where N is the second parameter to sqlite3_realloc().
+** ^If the second parameter to sqlite3_realloc() is zero or
+** negative then the behavior is exactly the same as calling
+** sqlite3_free(P) where P is the first parameter to sqlite3_realloc().
+** ^sqlite3_realloc() returns a pointer to a memory allocation
+** of at least N bytes in size or NULL if sufficient memory is unavailable.
+** ^If M is the size of the prior allocation, then min(N,M) bytes
+** of the prior allocation are copied into the beginning of buffer returned
+** by sqlite3_realloc() and the prior allocation is freed.
+** ^If sqlite3_realloc() returns NULL, then the prior allocation
+** is not freed.
+**
+** ^The memory returned by sqlite3_malloc() and sqlite3_realloc()
+** is always aligned to at least an 8 byte boundary, or to a
+** 4 byte boundary if the [SQLITE_4_BYTE_ALIGNED_MALLOC] compile-time
+** option is used.
+**
+** In SQLite version 3.5.0 and 3.5.1, it was possible to define
+** the SQLITE_OMIT_MEMORY_ALLOCATION which would cause the built-in
+** implementation of these routines to be omitted. That capability
+** is no longer provided. Only built-in memory allocators can be used.
+**
+** Prior to SQLite version 3.7.10, the Windows OS interface layer called
+** the system malloc() and free() directly when converting
+** filenames between the UTF-8 encoding used by SQLite
+** and whatever filename encoding is used by the particular Windows
+** installation. Memory allocation errors were detected, but
+** they were reported back as [SQLITE_CANTOPEN] or
+** [SQLITE_IOERR] rather than [SQLITE_NOMEM].
+**
+** The pointer arguments to [sqlite3_free()] and [sqlite3_realloc()]
+** must be either NULL or else pointers obtained from a prior
+** invocation of [sqlite3_malloc()] or [sqlite3_realloc()] that have
+** not yet been released.
+**
+** The application must not read or write any part of
+** a block of memory after it has been released using
+** [sqlite3_free()] or [sqlite3_realloc()].
+*/
+SQLITE_API void *sqlite3_malloc(int);
+SQLITE_API void *sqlite3_realloc(void*, int);
+SQLITE_API void sqlite3_free(void*);
+
+/*
+** CAPI3REF: Memory Allocator Statistics
+**
+** SQLite provides these two interfaces for reporting on the status
+** of the [sqlite3_malloc()], [sqlite3_free()], and [sqlite3_realloc()]
+** routines, which form the built-in memory allocation subsystem.
+**
+** ^The [sqlite3_memory_used()] routine returns the number of bytes
+** of memory currently outstanding (malloced but not freed).
+** ^The [sqlite3_memory_highwater()] routine returns the maximum
+** value of [sqlite3_memory_used()] since the high-water mark
+** was last reset. ^The values returned by [sqlite3_memory_used()] and
+** [sqlite3_memory_highwater()] include any overhead
+** added by SQLite in its implementation of [sqlite3_malloc()],
+** but not overhead added by the any underlying system library
+** routines that [sqlite3_malloc()] may call.
+**
+** ^The memory high-water mark is reset to the current value of
+** [sqlite3_memory_used()] if and only if the parameter to
+** [sqlite3_memory_highwater()] is true. ^The value returned
+** by [sqlite3_memory_highwater(1)] is the high-water mark
+** prior to the reset.
+*/
+SQLITE_API sqlite3_int64 sqlite3_memory_used(void);
+SQLITE_API sqlite3_int64 sqlite3_memory_highwater(int resetFlag);
+
+/*
+** CAPI3REF: Pseudo-Random Number Generator
+**
+** SQLite contains a high-quality pseudo-random number generator (PRNG) used to
+** select random [ROWID | ROWIDs] when inserting new records into a table that
+** already uses the largest possible [ROWID]. The PRNG is also used for
+** the build-in random() and randomblob() SQL functions. This interface allows
+** applications to access the same PRNG for other purposes.
+**
+** ^A call to this routine stores N bytes of randomness into buffer P.
+**
+** ^The first time this routine is invoked (either internally or by
+** the application) the PRNG is seeded using randomness obtained
+** from the xRandomness method of the default [sqlite3_vfs] object.
+** ^On all subsequent invocations, the pseudo-randomness is generated
+** internally and without recourse to the [sqlite3_vfs] xRandomness
+** method.
+*/
+SQLITE_API void sqlite3_randomness(int N, void *P);
+
+/*
+** CAPI3REF: Compile-Time Authorization Callbacks
+**
+** ^This routine registers an authorizer callback with a particular
+** [database connection], supplied in the first argument.
+** ^The authorizer callback is invoked as SQL statements are being compiled
+** by [sqlite3_prepare()] or its variants [sqlite3_prepare_v2()],
+** [sqlite3_prepare16()] and [sqlite3_prepare16_v2()]. ^At various
+** points during the compilation process, as logic is being created
+** to perform various actions, the authorizer callback is invoked to
+** see if those actions are allowed. ^The authorizer callback should
+** return [SQLITE_OK] to allow the action, [SQLITE_IGNORE] to disallow the
+** specific action but allow the SQL statement to continue to be
+** compiled, or [SQLITE_DENY] to cause the entire SQL statement to be
+** rejected with an error.
^If the authorizer callback returns
+** any value other than [SQLITE_IGNORE], [SQLITE_OK], or [SQLITE_DENY]
+** then the [sqlite3_prepare_v2()] or equivalent call that triggered
+** the authorizer will fail with an error message.
+**
+** When the callback returns [SQLITE_OK], that means the operation
+** requested is ok. ^When the callback returns [SQLITE_DENY], the
+** [sqlite3_prepare_v2()] or equivalent call that triggered the
+** authorizer will fail with an error message explaining that
+** access is denied.
+**
+** ^The first parameter to the authorizer callback is a copy of the third
+** parameter to the sqlite3_set_authorizer() interface. ^The second parameter
+** to the callback is an integer [SQLITE_COPY | action code] that specifies
+** the particular action to be authorized. ^The third through sixth parameters
+** to the callback are zero-terminated strings that contain additional
+** details about the action to be authorized.
+**
+** ^If the action code is [SQLITE_READ]
+** and the callback returns [SQLITE_IGNORE] then the
+** [prepared statement] statement is constructed to substitute
+** a NULL value in place of the table column that would have
+** been read if [SQLITE_OK] had been returned. The [SQLITE_IGNORE]
+** return can be used to deny an untrusted user access to individual
+** columns of a table.
+** ^If the action code is [SQLITE_DELETE] and the callback returns
+** [SQLITE_IGNORE] then the [DELETE] operation proceeds but the
+** [truncate optimization] is disabled and all rows are deleted individually.
+**
+** An authorizer is used when [sqlite3_prepare | preparing]
+** SQL statements from an untrusted source, to ensure that the SQL statements
+** do not try to access data they are not allowed to see, or that they do not
+** try to execute malicious statements that damage the database. For
+** example, an application may allow a user to enter arbitrary
+** SQL queries for evaluation by a database.
But the application does
+** not want the user to be able to make arbitrary changes to the
+** database. An authorizer could then be put in place while the
+** user-entered SQL is being [sqlite3_prepare | prepared] that
+** disallows everything except [SELECT] statements.
+**
+** Applications that need to process SQL from untrusted sources
+** might also consider lowering resource limits using [sqlite3_limit()]
+** and limiting database size using the [max_page_count] [PRAGMA]
+** in addition to using an authorizer.
+**
+** ^(Only a single authorizer can be in place on a database connection
+** at a time. Each call to sqlite3_set_authorizer overrides the
+** previous call.)^ ^Disable the authorizer by installing a NULL callback.
+** The authorizer is disabled by default.
+**
+** The authorizer callback must not do anything that will modify
+** the database connection that invoked the authorizer callback.
+** Note that [sqlite3_prepare_v2()] and [sqlite3_step()] both modify their
+** database connections for the meaning of "modify" in this paragraph.
+**
+** ^When [sqlite3_prepare_v2()] is used to prepare a statement, the
+** statement might be re-prepared during [sqlite3_step()] due to a
+** schema change. Hence, the application should ensure that the
+** correct authorizer callback remains in place during the [sqlite3_step()].
+**
+** ^Note that the authorizer callback is invoked only during
+** [sqlite3_prepare()] or its variants. Authorization is not
+** performed during statement evaluation in [sqlite3_step()], unless
+** as stated in the previous paragraph, sqlite3_step() invokes
+** sqlite3_prepare_v2() to reprepare a statement after a schema change.
+*/
+SQLITE_API int sqlite3_set_authorizer(
+ sqlite3*,
+ int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
+ void *pUserData
+);
+
+/*
+** CAPI3REF: Authorizer Return Codes
+**
+** The [sqlite3_set_authorizer | authorizer callback function] must
+** return either [SQLITE_OK] or one of these two constants in order
+** to signal SQLite whether or not the action is permitted. See the
+** [sqlite3_set_authorizer | authorizer documentation] for additional
+** information.
+**
+** Note that SQLITE_IGNORE is also used as a [SQLITE_ROLLBACK | return code]
+** from the [sqlite3_vtab_on_conflict()] interface.
+*/
+#define SQLITE_DENY 1 /* Abort the SQL statement with an error */
+#define SQLITE_IGNORE 2 /* Don't allow access, but don't generate an error */
+
+/*
+** CAPI3REF: Authorizer Action Codes
+**
+** The [sqlite3_set_authorizer()] interface registers a callback function
+** that is invoked to authorize certain SQL statement actions. The
+** second parameter to the callback is an integer code that specifies
+** what action is being authorized. These are the integer action codes that
+** the authorizer callback may be passed.
+**
+** These action code values signify what kind of operation is to be
+** authorized. The 3rd and 4th parameters to the authorization
+** callback function will be parameters or NULL depending on which of these
+** codes is used as the second parameter. ^(The 5th parameter to the
+** authorizer callback is the name of the database ("main", "temp",
+** etc.) if applicable.)^ ^The 6th parameter to the authorizer callback
+** is the name of the inner-most trigger or view that is responsible for
+** the access attempt or NULL if this access attempt is directly from
+** top-level SQL code.
+*/
+/******************************************* 3rd ************ 4th ***********/
+#define SQLITE_CREATE_INDEX 1 /* Index Name Table Name */
+#define SQLITE_CREATE_TABLE 2 /* Table Name NULL */
+#define SQLITE_CREATE_TEMP_INDEX 3 /* Index Name Table Name */
+#define SQLITE_CREATE_TEMP_TABLE 4 /* Table Name NULL */
+#define SQLITE_CREATE_TEMP_TRIGGER 5 /* Trigger Name Table Name */
+#define SQLITE_CREATE_TEMP_VIEW 6 /* View Name NULL */
+#define SQLITE_CREATE_TRIGGER 7 /* Trigger Name Table Name */
+#define SQLITE_CREATE_VIEW 8 /* View Name NULL */
+#define SQLITE_DELETE 9 /* Table Name NULL */
+#define SQLITE_DROP_INDEX 10 /* Index Name Table Name */
+#define SQLITE_DROP_TABLE 11 /* Table Name NULL */
+#define SQLITE_DROP_TEMP_INDEX 12 /* Index Name Table Name */
+#define SQLITE_DROP_TEMP_TABLE 13 /* Table Name NULL */
+#define SQLITE_DROP_TEMP_TRIGGER 14 /* Trigger Name Table Name */
+#define SQLITE_DROP_TEMP_VIEW 15 /* View Name NULL */
+#define SQLITE_DROP_TRIGGER 16 /* Trigger Name Table Name */
+#define SQLITE_DROP_VIEW 17 /* View Name NULL */
+#define SQLITE_INSERT 18 /* Table Name NULL */
+#define SQLITE_PRAGMA 19 /* Pragma Name 1st arg or NULL */
+#define SQLITE_READ 20 /* Table Name Column Name */
+#define SQLITE_SELECT 21 /* NULL NULL */
+#define SQLITE_TRANSACTION 22 /* Operation NULL */
+#define SQLITE_UPDATE 23 /* Table Name Column Name */
+#define SQLITE_ATTACH 24 /* Filename NULL */
+#define SQLITE_DETACH 25 /* Database Name NULL */
+#define SQLITE_ALTER_TABLE 26 /* Database Name Table Name */
+#define SQLITE_REINDEX 27 /* Index Name NULL */
+#define SQLITE_ANALYZE 28 /* Table Name NULL */
+#define SQLITE_CREATE_VTABLE 29 /* Table Name Module Name */
+#define SQLITE_DROP_VTABLE 30 /* Table Name Module Name */
+#define SQLITE_FUNCTION 31 /* NULL Function Name */
+#define SQLITE_SAVEPOINT 32 /* Operation Savepoint Name */
+#define SQLITE_COPY 0 /* No longer used */
+
+/*
+** CAPI3REF: Tracing And Profiling Functions
+**
+** These routines register
callback functions that can be used for
+** tracing and profiling the execution of SQL statements.
+**
+** ^The callback function registered by sqlite3_trace() is invoked at
+** various times when an SQL statement is being run by [sqlite3_step()].
+** ^The sqlite3_trace() callback is invoked with a UTF-8 rendering of the
+** SQL statement text as the statement first begins executing.
+** ^(Additional sqlite3_trace() callbacks might occur
+** as each triggered subprogram is entered. The callbacks for triggers
+** contain a UTF-8 SQL comment that identifies the trigger.)^
+**
+** ^The callback function registered by sqlite3_profile() is invoked
+** as each SQL statement finishes. ^The profile callback contains
+** the original statement text and an estimate of wall-clock time
+** of how long that statement took to run. ^The profile callback
+** time is in units of nanoseconds, however the current implementation
+** is only capable of millisecond resolution so the six least significant
+** digits in the time are meaningless. Future versions of SQLite
+** might provide greater resolution on the profiler callback. The
+** sqlite3_profile() function is considered experimental and is
+** subject to change in future versions of SQLite.
+*/
+SQLITE_API void *sqlite3_trace(sqlite3*, void(*xTrace)(void*,const char*), void*);
+SQLITE_API SQLITE_EXPERIMENTAL void *sqlite3_profile(sqlite3*,
+ void(*xProfile)(void*,const char*,sqlite3_uint64), void*);
+
+/*
+** CAPI3REF: Query Progress Callbacks
+**
+** ^The sqlite3_progress_handler(D,N,X,P) interface causes the callback
+** function X to be invoked periodically during long running calls to
+** [sqlite3_exec()], [sqlite3_step()] and [sqlite3_get_table()] for
+** database connection D. An example use for this
+** interface is to keep a GUI updated during a large query.
+**
+** ^The parameter P is passed through as the only parameter to the
+** callback function X.
^The parameter N is the number of
+** [virtual machine instructions] that are evaluated between successive
+** invocations of the callback X.
+**
+** ^Only a single progress handler may be defined at one time per
+** [database connection]; setting a new progress handler cancels the
+** old one. ^Setting parameter X to NULL disables the progress handler.
+** ^The progress handler is also disabled by setting N to a value less
+** than 1.
+**
+** ^If the progress callback returns non-zero, the operation is
+** interrupted. This feature can be used to implement a
+** "Cancel" button on a GUI progress dialog box.
+**
+** The progress handler callback must not do anything that will modify
+** the database connection that invoked the progress handler.
+** Note that [sqlite3_prepare_v2()] and [sqlite3_step()] both modify their
+** database connections for the meaning of "modify" in this paragraph.
+**
+*/
+SQLITE_API void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
+
+/*
+** CAPI3REF: Opening A New Database Connection
+**
+** ^These routines open an SQLite database file as specified by the
+** filename argument. ^The filename argument is interpreted as UTF-8 for
+** sqlite3_open() and sqlite3_open_v2() and as UTF-16 in the native byte
+** order for sqlite3_open16(). ^(A [database connection] handle is usually
+** returned in *ppDb, even if an error occurs. The only exception is that
+** if SQLite is unable to allocate memory to hold the [sqlite3] object,
+** a NULL will be written into *ppDb instead of a pointer to the [sqlite3]
+** object.)^ ^(If the database is opened (and/or created) successfully, then
+** [SQLITE_OK] is returned. Otherwise an [error code] is returned.)^ ^The
+** [sqlite3_errmsg()] or [sqlite3_errmsg16()] routines can be used to obtain
+** an English language description of the error following a failure of any
+** of the sqlite3_open() routines.
+**
+** ^The default encoding for the database will be UTF-8 if
+** sqlite3_open() or sqlite3_open_v2() is called and
+** UTF-16 in the native byte order if sqlite3_open16() is used.
+**
+** Whether or not an error occurs when it is opened, resources
+** associated with the [database connection] handle should be released by
+** passing it to [sqlite3_close()] when it is no longer required.
+**
+** The sqlite3_open_v2() interface works like sqlite3_open()
+** except that it accepts two additional parameters for additional control
+** over the new database connection. ^(The flags parameter to
+** sqlite3_open_v2() can take one of
+** the following three values, optionally combined with the
+** [SQLITE_OPEN_NOMUTEX], [SQLITE_OPEN_FULLMUTEX], [SQLITE_OPEN_SHAREDCACHE],
+** [SQLITE_OPEN_PRIVATECACHE], and/or [SQLITE_OPEN_URI] flags:)^
+**
+**
+** ^(
[SQLITE_OPEN_READONLY]
+**
The database is opened in read-only mode. If the database does not +** already exist, an error is returned.
)^ +** +** ^(
[SQLITE_OPEN_READWRITE]
+**
The database is opened for reading and writing if possible, or reading +** only if the file is write protected by the operating system. In either +** case the database must already exist, otherwise an error is returned.
)^ +** +** ^(
[SQLITE_OPEN_READWRITE] | [SQLITE_OPEN_CREATE]
+**
The database is opened for reading and writing, and is created if +** it does not already exist. This is the behavior that is always used for +** sqlite3_open() and sqlite3_open16().
)^ +**
+**
+** If the 3rd parameter to sqlite3_open_v2() is not one of the
+** combinations shown above optionally combined with other
+** [SQLITE_OPEN_READONLY | SQLITE_OPEN_* bits]
+** then the behavior is undefined.
+**
+** ^If the [SQLITE_OPEN_NOMUTEX] flag is set, then the database connection
+** opens in the multi-thread [threading mode] as long as the single-thread
+** mode has not been set at compile-time or start-time. ^If the
+** [SQLITE_OPEN_FULLMUTEX] flag is set then the database connection opens
+** in the serialized [threading mode] unless single-thread was
+** previously selected at compile-time or start-time.
+** ^The [SQLITE_OPEN_SHAREDCACHE] flag causes the database connection to be
+** eligible to use [shared cache mode], regardless of whether or not shared
+** cache is enabled using [sqlite3_enable_shared_cache()]. ^The
+** [SQLITE_OPEN_PRIVATECACHE] flag causes the database connection to not
+** participate in [shared cache mode] even if it is enabled.
+**
+** ^The fourth parameter to sqlite3_open_v2() is the name of the
+** [sqlite3_vfs] object that defines the operating system interface that
+** the new database connection should use. ^If the fourth parameter is
+** a NULL pointer then the default [sqlite3_vfs] object is used.
+**
+** ^If the filename is ":memory:", then a private, temporary in-memory database
+** is created for the connection. ^This in-memory database will vanish when
+** the database connection is closed. Future versions of SQLite might
+** make use of additional special filenames that begin with the ":" character.
+** It is recommended that when a database filename actually does begin with
+** a ":" character you should prefix the filename with a pathname such as
+** "./" to avoid ambiguity.
+**
+** ^If the filename is an empty string, then a private, temporary
+** on-disk database will be created. ^This private database will be
+** automatically deleted as soon as the database connection is closed.
+**
+** [[URI filenames in sqlite3_open()]]

URI Filenames

+**
+** ^If [URI filename] interpretation is enabled, and the filename argument
+** begins with "file:", then the filename is interpreted as a URI. ^URI
+** filename interpretation is enabled if the [SQLITE_OPEN_URI] flag is
+** set in the fourth argument to sqlite3_open_v2(), or if it has
+** been enabled globally using the [SQLITE_CONFIG_URI] option with the
+** [sqlite3_config()] method or by the [SQLITE_USE_URI] compile-time option.
+** As of SQLite version 3.7.7, URI filename interpretation is turned off
+** by default, but future releases of SQLite might enable URI filename
+** interpretation by default. See "[URI filenames]" for additional
+** information.
+**
+** URI filenames are parsed according to RFC 3986. ^If the URI contains an
+** authority, then it must be either an empty string or the string
+** "localhost". ^If the authority is not an empty string or "localhost", an
+** error is returned to the caller. ^The fragment component of a URI, if
+** present, is ignored.
+**
+** ^SQLite uses the path component of the URI as the name of the disk file
+** which contains the database. ^If the path begins with a '/' character,
+** then it is interpreted as an absolute path. ^If the path does not begin
+** with a '/' (meaning that the authority section is omitted from the URI)
+** then the path is interpreted as a relative path.
+** ^On windows, the first component of an absolute path
+** is a drive specification (e.g. "C:").
+**
+** [[core URI query parameters]]
+** The query component of a URI may contain parameters that are interpreted
+** either by SQLite itself, or by a [VFS | custom VFS implementation].
+** SQLite interprets the following three query parameters:
+**
+**
    +**
  • vfs: ^The "vfs" parameter may be used to specify the name of +** a VFS object that provides the operating system interface that should +** be used to access the database file on disk. ^If this option is set to +** an empty string the default VFS object is used. ^Specifying an unknown +** VFS is an error. ^If sqlite3_open_v2() is used and the vfs option is +** present, then the VFS specified by the option takes precedence over +** the value passed as the fourth parameter to sqlite3_open_v2(). +** +**
  • mode: ^(The mode parameter may be set to either "ro", "rw", +** "rwc", or "memory". Attempting to set it to any other value is +** an error)^. +** ^If "ro" is specified, then the database is opened for read-only +** access, just as if the [SQLITE_OPEN_READONLY] flag had been set in the +** third argument to sqlite3_open_v2(). ^If the mode option is set to +** "rw", then the database is opened for read-write (but not create) +** access, as if SQLITE_OPEN_READWRITE (but not SQLITE_OPEN_CREATE) had +** been set. ^Value "rwc" is equivalent to setting both +** SQLITE_OPEN_READWRITE and SQLITE_OPEN_CREATE. ^If the mode option is +** set to "memory" then a pure [in-memory database] that never reads +** or writes from disk is used. ^It is an error to specify a value for +** the mode parameter that is less restrictive than that specified by +** the flags passed in the third parameter to sqlite3_open_v2(). +** +**
  • cache: ^The cache parameter may be set to either "shared" or +** "private". ^Setting it to "shared" is equivalent to setting the +** SQLITE_OPEN_SHAREDCACHE bit in the flags argument passed to +** sqlite3_open_v2(). ^Setting the cache parameter to "private" is +** equivalent to setting the SQLITE_OPEN_PRIVATECACHE bit. +** ^If sqlite3_open_v2() is used and the "cache" parameter is present in +** a URI filename, its value overrides any behavior requested by setting +** SQLITE_OPEN_PRIVATECACHE or SQLITE_OPEN_SHAREDCACHE flag. +**
+**
+** ^Specifying an unknown parameter in the query component of a URI is not an
+** error. Future versions of SQLite might understand additional query
+** parameters. See "[query parameters with special meaning to SQLite]" for
+** additional information.
+**
+** [[URI filename examples]]

URI filename examples

+**
+**
+**
URI filenames Results +**
file:data.db +** Open the file "data.db" in the current directory. +**
file:/home/fred/data.db
+** file:///home/fred/data.db
+** file://localhost/home/fred/data.db
+** Open the database file "/home/fred/data.db". +**
file://darkstar/home/fred/data.db +** An error. "darkstar" is not a recognized authority. +**
+** file:///C:/Documents%20and%20Settings/fred/Desktop/data.db +** Windows only: Open the file "data.db" on fred's desktop on drive +** C:. Note that the %20 escaping in this example is not strictly +** necessary - space characters can be used literally +** in URI filenames. +**
file:data.db?mode=ro&cache=private +** Open file "data.db" in the current directory for read-only access. +** Regardless of whether or not shared-cache mode is enabled by +** default, use a private cache. +**
file:/home/fred/data.db?vfs=unix-nolock +** Open file "/home/fred/data.db". Use the special VFS "unix-nolock". +**
file:data.db?mode=readonly +** An error. "readonly" is not a valid option for the "mode" parameter. +**
+**
+** ^URI hexadecimal escape sequences (%HH) are supported within the path and
+** query components of a URI. A hexadecimal escape sequence consists of a
+** percent sign - "%" - followed by exactly two hexadecimal digits
+** specifying an octet value. ^Before the path or query components of a
+** URI filename are interpreted, they are encoded using UTF-8 and all
+** hexadecimal escape sequences replaced by a single byte containing the
+** corresponding octet. If this process generates an invalid UTF-8 encoding,
+** the results are undefined.
+**
+** Note to Windows users: The encoding used for the filename argument
+** of sqlite3_open() and sqlite3_open_v2() must be UTF-8, not whatever
+** codepage is currently defined. Filenames containing international
+** characters must be converted to UTF-8 prior to passing them into
+** sqlite3_open() or sqlite3_open_v2().
+**
+** Note to Windows Runtime users: The temporary directory must be set
+** prior to calling sqlite3_open() or sqlite3_open_v2(). Otherwise, various
+** features that require the use of temporary files may fail.
+**
+** See also: [sqlite3_temp_directory]
+*/
+SQLITE_API int sqlite3_open(
+ const char *filename, /* Database filename (UTF-8) */
+ sqlite3 **ppDb /* OUT: SQLite db handle */
+);
+SQLITE_API int sqlite3_open16(
+ const void *filename, /* Database filename (UTF-16) */
+ sqlite3 **ppDb /* OUT: SQLite db handle */
+);
+SQLITE_API int sqlite3_open_v2(
+ const char *filename, /* Database filename (UTF-8) */
+ sqlite3 **ppDb, /* OUT: SQLite db handle */
+ int flags, /* Flags */
+ const char *zVfs /* Name of VFS module to use */
+);
+
+/*
+** CAPI3REF: Obtain Values For URI Parameters
+**
+** These are utility routines, useful to VFS implementations, that check
+** to see if a database file was a URI that contained a specific query
+** parameter, and if so obtains the value of that query parameter.
+**
+** If F is the database filename pointer passed into the xOpen() method of
+** a VFS implementation when the flags parameter to xOpen() has one or
+** more of the [SQLITE_OPEN_URI] or [SQLITE_OPEN_MAIN_DB] bits set and
+** P is the name of the query parameter, then
+** sqlite3_uri_parameter(F,P) returns the value of the P
+** parameter if it exists or a NULL pointer if P does not appear as a
+** query parameter on F. If P is a query parameter of F
+** has no explicit value, then sqlite3_uri_parameter(F,P) returns
+** a pointer to an empty string.
+**
+** The sqlite3_uri_boolean(F,P,B) routine assumes that P is a boolean
+** parameter and returns true (1) or false (0) according to the value
+** of P. The sqlite3_uri_boolean(F,P,B) routine returns true (1) if the
+** value of query parameter P is one of "yes", "true", or "on" in any
+** case or if the value begins with a non-zero number. The
+** sqlite3_uri_boolean(F,P,B) routines returns false (0) if the value of
+** query parameter P is one of "no", "false", or "off" in any case or
+** if the value begins with a numeric zero. If P is not a query
+** parameter on F or if the value of P is does not match any of the
+** above, then sqlite3_uri_boolean(F,P,B) returns (B!=0).
+**
+** The sqlite3_uri_int64(F,P,D) routine converts the value of P into a
+** 64-bit signed integer and returns that integer, or D if P does not
+** exist. If the value of P is something other than an integer, then
+** zero is returned.
+**
+** If F is a NULL pointer, then sqlite3_uri_parameter(F,P) returns NULL and
+** sqlite3_uri_boolean(F,P,B) returns B. If F is not a NULL pointer and
+** is not a database file pathname pointer that SQLite passed into the xOpen
+** VFS method, then the behavior of this routine is undefined and probably
+** undesirable.
+*/
+SQLITE_API const char *sqlite3_uri_parameter(const char *zFilename, const char *zParam);
+SQLITE_API int sqlite3_uri_boolean(const char *zFile, const char *zParam, int bDefault);
+SQLITE_API sqlite3_int64 sqlite3_uri_int64(const char*, const char*, sqlite3_int64);
+
+
+/*
+** CAPI3REF: Error Codes And Messages
+**
+** ^The sqlite3_errcode() interface returns the numeric [result code] or
+** [extended result code] for the most recent failed sqlite3_* API call
+** associated with a [database connection]. If a prior API call failed
+** but the most recent API call succeeded, the return value from
+** sqlite3_errcode() is undefined. ^The sqlite3_extended_errcode()
+** interface is the same except that it always returns the
+** [extended result code] even when extended result codes are
+** disabled.
+**
+** ^The sqlite3_errmsg() and sqlite3_errmsg16() return English-language
+** text that describes the error, as either UTF-8 or UTF-16 respectively.
+** ^(Memory to hold the error message string is managed internally.
+** The application does not need to worry about freeing the result.
+** However, the error string might be overwritten or deallocated by
+** subsequent calls to other SQLite interface functions.)^
+**
+** ^The sqlite3_errstr() interface returns the English-language text
+** that describes the [result code], as UTF-8.
+** ^(Memory to hold the error message string is managed internally
+** and must not be freed by the application)^.
+**
+** When the serialized [threading mode] is in use, it might be the
+** case that a second error occurs on a separate thread in between
+** the time of the first error and the call to these interfaces.
+** When that happens, the second error will be reported since these
+** interfaces always report the most recent result.
To avoid +** this, each thread can obtain exclusive use of the [database connection] D +** by invoking [sqlite3_mutex_enter]([sqlite3_db_mutex](D)) before beginning +** to use D and invoking [sqlite3_mutex_leave]([sqlite3_db_mutex](D)) after +** all calls to the interfaces listed here are completed. +** +** If an interface fails with SQLITE_MISUSE, that means the interface +** was invoked incorrectly by the application. In that case, the +** error code and message may or may not be set. +*/ +SQLITE_API int sqlite3_errcode(sqlite3 *db); +SQLITE_API int sqlite3_extended_errcode(sqlite3 *db); +SQLITE_API const char *sqlite3_errmsg(sqlite3*); +SQLITE_API const void *sqlite3_errmsg16(sqlite3*); +SQLITE_API const char *sqlite3_errstr(int); + +/* +** CAPI3REF: SQL Statement Object +** KEYWORDS: {prepared statement} {prepared statements} +** +** An instance of this object represents a single SQL statement. +** This object is variously known as a "prepared statement" or a +** "compiled SQL statement" or simply as a "statement". +** +** The life of a statement object goes something like this: +** +**
    +**
  1. Create the object using [sqlite3_prepare_v2()] or a related +** function. +**
  2. Bind values to [host parameters] using the sqlite3_bind_*() +** interfaces. +**
  3. Run the SQL by calling [sqlite3_step()] one or more times. +**
  4. Reset the statement using [sqlite3_reset()] then go back +** to step 2. Do this zero or more times. +**
  5. Destroy the object using [sqlite3_finalize()]. +**
+** +** Refer to documentation on individual methods above for additional +** information. +*/ +typedef struct sqlite3_stmt sqlite3_stmt; + +/* +** CAPI3REF: Run-time Limits +** +** ^(This interface allows the size of various constructs to be limited +** on a connection by connection basis. The first parameter is the +** [database connection] whose limit is to be set or queried. The +** second parameter is one of the [limit categories] that define a +** class of constructs to be size limited. The third parameter is the +** new limit for that construct.)^ +** +** ^If the new limit is a negative number, the limit is unchanged. +** ^(For each limit category SQLITE_LIMIT_NAME there is a +** [limits | hard upper bound] +** set at compile-time by a C preprocessor macro called +** [limits | SQLITE_MAX_NAME]. +** (The "_LIMIT_" in the name is changed to "_MAX_".))^ +** ^Attempts to increase a limit above its hard upper bound are +** silently truncated to the hard upper bound. +** +** ^Regardless of whether or not the limit was changed, the +** [sqlite3_limit()] interface returns the prior value of the limit. +** ^Hence, to find the current value of a limit without changing it, +** simply invoke this interface with the third parameter set to -1. +** +** Run-time limits are intended for use in applications that manage +** both their own internal database and also databases that are controlled +** by untrusted external sources. An example application might be a +** web browser that has its own databases for storing history and +** separate databases controlled by JavaScript applications downloaded +** off the Internet. The internal databases can be given the +** large, default limits. Databases managed by external sources can +** be given much smaller limits designed to prevent a denial of service +** attack. Developers might also want to use the [sqlite3_set_authorizer()] +** interface to further control untrusted SQL. 
The size of the database +** created by an untrusted script can be contained using the +** [max_page_count] [PRAGMA]. +** +** New run-time limit categories may be added in future releases. +*/ +SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal); + +/* +** CAPI3REF: Run-Time Limit Categories +** KEYWORDS: {limit category} {*limit categories} +** +** These constants define various performance limits +** that can be lowered at run-time using [sqlite3_limit()]. +** The synopsis of the meanings of the various limits is shown below. +** Additional information is available at [limits | Limits in SQLite]. +** +**
+** [[SQLITE_LIMIT_LENGTH]] ^(
SQLITE_LIMIT_LENGTH
+**
The maximum size of any string or BLOB or table row, in bytes.
)^ +** +** [[SQLITE_LIMIT_SQL_LENGTH]] ^(
SQLITE_LIMIT_SQL_LENGTH
+**
The maximum length of an SQL statement, in bytes.
)^ +** +** [[SQLITE_LIMIT_COLUMN]] ^(
SQLITE_LIMIT_COLUMN
+**
The maximum number of columns in a table definition or in the +** result set of a [SELECT] or the maximum number of columns in an index +** or in an ORDER BY or GROUP BY clause.
)^ +** +** [[SQLITE_LIMIT_EXPR_DEPTH]] ^(
SQLITE_LIMIT_EXPR_DEPTH
+**
The maximum depth of the parse tree on any expression.
)^ +** +** [[SQLITE_LIMIT_COMPOUND_SELECT]] ^(
SQLITE_LIMIT_COMPOUND_SELECT
+**
The maximum number of terms in a compound SELECT statement.
)^ +** +** [[SQLITE_LIMIT_VDBE_OP]] ^(
SQLITE_LIMIT_VDBE_OP
+**
The maximum number of instructions in a virtual machine program +** used to implement an SQL statement. This limit is not currently +** enforced, though that might be added in some future release of +** SQLite.
)^ +** +** [[SQLITE_LIMIT_FUNCTION_ARG]] ^(
SQLITE_LIMIT_FUNCTION_ARG
+**
The maximum number of arguments on a function.
)^ +** +** [[SQLITE_LIMIT_ATTACHED]] ^(
SQLITE_LIMIT_ATTACHED
+**
The maximum number of [ATTACH | attached databases].)^
+** +** [[SQLITE_LIMIT_LIKE_PATTERN_LENGTH]] +** ^(
SQLITE_LIMIT_LIKE_PATTERN_LENGTH
+**
The maximum length of the pattern argument to the [LIKE] or +** [GLOB] operators.
)^ +** +** [[SQLITE_LIMIT_VARIABLE_NUMBER]] +** ^(
SQLITE_LIMIT_VARIABLE_NUMBER
+**
The maximum index number of any [parameter] in an SQL statement.)^ +** +** [[SQLITE_LIMIT_TRIGGER_DEPTH]] ^(
SQLITE_LIMIT_TRIGGER_DEPTH
+**
The maximum depth of recursion for triggers.
)^ +**
+*/ +#define SQLITE_LIMIT_LENGTH 0 +#define SQLITE_LIMIT_SQL_LENGTH 1 +#define SQLITE_LIMIT_COLUMN 2 +#define SQLITE_LIMIT_EXPR_DEPTH 3 +#define SQLITE_LIMIT_COMPOUND_SELECT 4 +#define SQLITE_LIMIT_VDBE_OP 5 +#define SQLITE_LIMIT_FUNCTION_ARG 6 +#define SQLITE_LIMIT_ATTACHED 7 +#define SQLITE_LIMIT_LIKE_PATTERN_LENGTH 8 +#define SQLITE_LIMIT_VARIABLE_NUMBER 9 +#define SQLITE_LIMIT_TRIGGER_DEPTH 10 + +/* +** CAPI3REF: Compiling An SQL Statement +** KEYWORDS: {SQL statement compiler} +** +** To execute an SQL query, it must first be compiled into a byte-code +** program using one of these routines. +** +** The first argument, "db", is a [database connection] obtained from a +** prior successful call to [sqlite3_open()], [sqlite3_open_v2()] or +** [sqlite3_open16()]. The database connection must not have been closed. +** +** The second argument, "zSql", is the statement to be compiled, encoded +** as either UTF-8 or UTF-16. The sqlite3_prepare() and sqlite3_prepare_v2() +** interfaces use UTF-8, and sqlite3_prepare16() and sqlite3_prepare16_v2() +** use UTF-16. +** +** ^If the nByte argument is less than zero, then zSql is read up to the +** first zero terminator. ^If nByte is non-negative, then it is the maximum +** number of bytes read from zSql. ^When nByte is non-negative, the +** zSql string ends at either the first '\000' or '\u0000' character or +** the nByte-th byte, whichever comes first. If the caller knows +** that the supplied string is nul-terminated, then there is a small +** performance advantage to be gained by passing an nByte parameter that +** is equal to the number of bytes in the input string including +** the nul-terminator bytes as this saves SQLite from having to +** make a copy of the input string. +** +** ^If pzTail is not NULL then *pzTail is made to point to the first byte +** past the end of the first SQL statement in zSql. 
These routines only +** compile the first statement in zSql, so *pzTail is left pointing to +** what remains uncompiled. +** +** ^*ppStmt is left pointing to a compiled [prepared statement] that can be +** executed using [sqlite3_step()]. ^If there is an error, *ppStmt is set +** to NULL. ^If the input text contains no SQL (if the input is an empty +** string or a comment) then *ppStmt is set to NULL. +** The calling procedure is responsible for deleting the compiled +** SQL statement using [sqlite3_finalize()] after it has finished with it. +** ppStmt may not be NULL. +** +** ^On success, the sqlite3_prepare() family of routines return [SQLITE_OK]; +** otherwise an [error code] is returned. +** +** The sqlite3_prepare_v2() and sqlite3_prepare16_v2() interfaces are +** recommended for all new programs. The two older interfaces are retained +** for backwards compatibility, but their use is discouraged. +** ^In the "v2" interfaces, the prepared statement +** that is returned (the [sqlite3_stmt] object) contains a copy of the +** original SQL text. This causes the [sqlite3_step()] interface to +** behave differently in three ways: +** +**
    +**
  1. +** ^If the database schema changes, instead of returning [SQLITE_SCHEMA] as it +** always used to do, [sqlite3_step()] will automatically recompile the SQL +** statement and try to run it again. +**
  2. +** +**
  3. +** ^When an error occurs, [sqlite3_step()] will return one of the detailed +** [error codes] or [extended error codes]. ^The legacy behavior was that +** [sqlite3_step()] would only return a generic [SQLITE_ERROR] result code +** and the application would have to make a second call to [sqlite3_reset()] +** in order to find the underlying cause of the problem. With the "v2" prepare +** interfaces, the underlying reason for the error is returned immediately. +**
  4. +** +**
  5. +** ^If the specific value bound to [parameter | host parameter] in the +** WHERE clause might influence the choice of query plan for a statement, +** then the statement will be automatically recompiled, as if there had been +** a schema change, on the first [sqlite3_step()] call following any change +** to the [sqlite3_bind_text | bindings] of that [parameter]. +** ^The specific value of WHERE-clause [parameter] might influence the +** choice of query plan if the parameter is the left-hand side of a [LIKE] +** or [GLOB] operator or if the parameter is compared to an indexed column +** and the [SQLITE_ENABLE_STAT3] compile-time option is enabled. +** the +**
  6. +**
+*/ +SQLITE_API int sqlite3_prepare( + sqlite3 *db, /* Database handle */ + const char *zSql, /* SQL statement, UTF-8 encoded */ + int nByte, /* Maximum length of zSql in bytes. */ + sqlite3_stmt **ppStmt, /* OUT: Statement handle */ + const char **pzTail /* OUT: Pointer to unused portion of zSql */ +); +SQLITE_API int sqlite3_prepare_v2( + sqlite3 *db, /* Database handle */ + const char *zSql, /* SQL statement, UTF-8 encoded */ + int nByte, /* Maximum length of zSql in bytes. */ + sqlite3_stmt **ppStmt, /* OUT: Statement handle */ + const char **pzTail /* OUT: Pointer to unused portion of zSql */ +); +SQLITE_API int sqlite3_prepare16( + sqlite3 *db, /* Database handle */ + const void *zSql, /* SQL statement, UTF-16 encoded */ + int nByte, /* Maximum length of zSql in bytes. */ + sqlite3_stmt **ppStmt, /* OUT: Statement handle */ + const void **pzTail /* OUT: Pointer to unused portion of zSql */ +); +SQLITE_API int sqlite3_prepare16_v2( + sqlite3 *db, /* Database handle */ + const void *zSql, /* SQL statement, UTF-16 encoded */ + int nByte, /* Maximum length of zSql in bytes. */ + sqlite3_stmt **ppStmt, /* OUT: Statement handle */ + const void **pzTail /* OUT: Pointer to unused portion of zSql */ +); + +/* +** CAPI3REF: Retrieving Statement SQL +** +** ^This interface can be used to retrieve a saved copy of the original +** SQL text used to create a [prepared statement] if that statement was +** compiled using either [sqlite3_prepare_v2()] or [sqlite3_prepare16_v2()]. +*/ +SQLITE_API const char *sqlite3_sql(sqlite3_stmt *pStmt); + +/* +** CAPI3REF: Determine If An SQL Statement Writes The Database +** +** ^The sqlite3_stmt_readonly(X) interface returns true (non-zero) if +** and only if the [prepared statement] X makes no direct changes to +** the content of the database file. +** +** Note that [application-defined SQL functions] or +** [virtual tables] might change the database indirectly as a side effect. 
+** ^(For example, if an application defines a function "eval()" that +** calls [sqlite3_exec()], then the following SQL statement would +** change the database file through side-effects: +** +**
+**    SELECT eval('DELETE FROM t1') FROM t2;
+** 
+** +** But because the [SELECT] statement does not change the database file +** directly, sqlite3_stmt_readonly() would still return true.)^ +** +** ^Transaction control statements such as [BEGIN], [COMMIT], [ROLLBACK], +** [SAVEPOINT], and [RELEASE] cause sqlite3_stmt_readonly() to return true, +** since the statements themselves do not actually modify the database but +** rather they control the timing of when other statements modify the +** database. ^The [ATTACH] and [DETACH] statements also cause +** sqlite3_stmt_readonly() to return true since, while those statements +** change the configuration of a database connection, they do not make +** changes to the content of the database files on disk. +*/ +SQLITE_API int sqlite3_stmt_readonly(sqlite3_stmt *pStmt); + +/* +** CAPI3REF: Determine If A Prepared Statement Has Been Reset +** +** ^The sqlite3_stmt_busy(S) interface returns true (non-zero) if the +** [prepared statement] S has been stepped at least once using +** [sqlite3_step(S)] but has not run to completion and/or has not +** been reset using [sqlite3_reset(S)]. ^The sqlite3_stmt_busy(S) +** interface returns false if S is a NULL pointer. If S is not a +** NULL pointer and is not a pointer to a valid [prepared statement] +** object, then the behavior is undefined and probably undesirable. +** +** This interface can be used in combination [sqlite3_next_stmt()] +** to locate all prepared statements associated with a database +** connection that are in need of being reset. This can be used, +** for example, in diagnostic routines to search for prepared +** statements that are holding a transaction open. +*/ +SQLITE_API int sqlite3_stmt_busy(sqlite3_stmt*); + +/* +** CAPI3REF: Dynamically Typed Value Object +** KEYWORDS: {protected sqlite3_value} {unprotected sqlite3_value} +** +** SQLite uses the sqlite3_value object to represent all values +** that can be stored in a database table. SQLite uses dynamic typing +** for the values it stores. 
^Values stored in sqlite3_value objects +** can be integers, floating point values, strings, BLOBs, or NULL. +** +** An sqlite3_value object may be either "protected" or "unprotected". +** Some interfaces require a protected sqlite3_value. Other interfaces +** will accept either a protected or an unprotected sqlite3_value. +** Every interface that accepts sqlite3_value arguments specifies +** whether or not it requires a protected sqlite3_value. +** +** The terms "protected" and "unprotected" refer to whether or not +** a mutex is held. An internal mutex is held for a protected +** sqlite3_value object but no mutex is held for an unprotected +** sqlite3_value object. If SQLite is compiled to be single-threaded +** (with [SQLITE_THREADSAFE=0] and with [sqlite3_threadsafe()] returning 0) +** or if SQLite is run in one of reduced mutex modes +** [SQLITE_CONFIG_SINGLETHREAD] or [SQLITE_CONFIG_MULTITHREAD] +** then there is no distinction between protected and unprotected +** sqlite3_value objects and they can be used interchangeably. However, +** for maximum code portability it is recommended that applications +** still make the distinction between protected and unprotected +** sqlite3_value objects even when not strictly required. +** +** ^The sqlite3_value objects that are passed as parameters into the +** implementation of [application-defined SQL functions] are protected. +** ^The sqlite3_value object returned by +** [sqlite3_column_value()] is unprotected. +** Unprotected sqlite3_value objects may only be used with +** [sqlite3_result_value()] and [sqlite3_bind_value()]. +** The [sqlite3_value_blob | sqlite3_value_type()] family of +** interfaces require protected sqlite3_value objects. +*/ +typedef struct Mem sqlite3_value; + +/* +** CAPI3REF: SQL Function Context Object +** +** The context in which an SQL function executes is stored in an +** sqlite3_context object. 
^A pointer to an sqlite3_context object +** is always first parameter to [application-defined SQL functions]. +** The application-defined SQL function implementation will pass this +** pointer through into calls to [sqlite3_result_int | sqlite3_result()], +** [sqlite3_aggregate_context()], [sqlite3_user_data()], +** [sqlite3_context_db_handle()], [sqlite3_get_auxdata()], +** and/or [sqlite3_set_auxdata()]. +*/ +typedef struct sqlite3_context sqlite3_context; + +/* +** CAPI3REF: Binding Values To Prepared Statements +** KEYWORDS: {host parameter} {host parameters} {host parameter name} +** KEYWORDS: {SQL parameter} {SQL parameters} {parameter binding} +** +** ^(In the SQL statement text input to [sqlite3_prepare_v2()] and its variants, +** literals may be replaced by a [parameter] that matches one of following +** templates: +** +**
    +**
  • ? +**
  • ?NNN +**
  • :VVV +**
  • @VVV +**
  • $VVV +**
+** +** In the templates above, NNN represents an integer literal, +** and VVV represents an alphanumeric identifier.)^ ^The values of these +** parameters (also called "host parameter names" or "SQL parameters") +** can be set using the sqlite3_bind_*() routines defined here. +** +** ^The first argument to the sqlite3_bind_*() routines is always +** a pointer to the [sqlite3_stmt] object returned from +** [sqlite3_prepare_v2()] or its variants. +** +** ^The second argument is the index of the SQL parameter to be set. +** ^The leftmost SQL parameter has an index of 1. ^When the same named +** SQL parameter is used more than once, second and subsequent +** occurrences have the same index as the first occurrence. +** ^The index for named parameters can be looked up using the +** [sqlite3_bind_parameter_index()] API if desired. ^The index +** for "?NNN" parameters is the value of NNN. +** ^The NNN value must be between 1 and the [sqlite3_limit()] +** parameter [SQLITE_LIMIT_VARIABLE_NUMBER] (default value: 999). +** +** ^The third argument is the value to bind to the parameter. +** +** ^(In those routines that have a fourth argument, its value is the +** number of bytes in the parameter. To be clear: the value is the +** number of bytes in the value, not the number of characters.)^ +** ^If the fourth parameter to sqlite3_bind_text() or sqlite3_bind_text16() +** is negative, then the length of the string is +** the number of bytes up to the first zero terminator. +** If the fourth parameter to sqlite3_bind_blob() is negative, then +** the behavior is undefined. +** If a non-negative fourth parameter is provided to sqlite3_bind_text() +** or sqlite3_bind_text16() then that parameter must be the byte offset +** where the NUL terminator would occur assuming the string were NUL +** terminated. If any NUL characters occur at byte offsets less than +** the value of the fourth parameter then the resulting string value will +** contain embedded NULs. 
The result of expressions involving strings +** with embedded NULs is undefined. +** +** ^The fifth argument to sqlite3_bind_blob(), sqlite3_bind_text(), and +** sqlite3_bind_text16() is a destructor used to dispose of the BLOB or +** string after SQLite has finished with it. ^The destructor is called +** to dispose of the BLOB or string even if the call to sqlite3_bind_blob(), +** sqlite3_bind_text(), or sqlite3_bind_text16() fails. +** ^If the fifth argument is +** the special value [SQLITE_STATIC], then SQLite assumes that the +** information is in static, unmanaged space and does not need to be freed. +** ^If the fifth argument has the value [SQLITE_TRANSIENT], then +** SQLite makes its own private copy of the data immediately, before +** the sqlite3_bind_*() routine returns. +** +** ^The sqlite3_bind_zeroblob() routine binds a BLOB of length N that +** is filled with zeroes. ^A zeroblob uses a fixed amount of memory +** (just an integer to hold its size) while it is being processed. +** Zeroblobs are intended to serve as placeholders for BLOBs whose +** content is later written using +** [sqlite3_blob_open | incremental BLOB I/O] routines. +** ^A negative value for the zeroblob results in a zero-length BLOB. +** +** ^If any of the sqlite3_bind_*() routines are called with a NULL pointer +** for the [prepared statement] or with a prepared statement for which +** [sqlite3_step()] has been called more recently than [sqlite3_reset()], +** then the call will return [SQLITE_MISUSE]. If any sqlite3_bind_() +** routine is passed a [prepared statement] that has been finalized, the +** result is undefined and probably harmful. +** +** ^Bindings are not cleared by the [sqlite3_reset()] routine. +** ^Unbound parameters are interpreted as NULL. +** +** ^The sqlite3_bind_* routines return [SQLITE_OK] on success or an +** [error code] if anything goes wrong. +** ^[SQLITE_RANGE] is returned if the parameter +** index is out of range. 
^[SQLITE_NOMEM] is returned if malloc() fails. +** +** See also: [sqlite3_bind_parameter_count()], +** [sqlite3_bind_parameter_name()], and [sqlite3_bind_parameter_index()]. +*/ +SQLITE_API int sqlite3_bind_blob(sqlite3_stmt*, int, const void*, int n, void(*)(void*)); +SQLITE_API int sqlite3_bind_double(sqlite3_stmt*, int, double); +SQLITE_API int sqlite3_bind_int(sqlite3_stmt*, int, int); +SQLITE_API int sqlite3_bind_int64(sqlite3_stmt*, int, sqlite3_int64); +SQLITE_API int sqlite3_bind_null(sqlite3_stmt*, int); +SQLITE_API int sqlite3_bind_text(sqlite3_stmt*, int, const char*, int n, void(*)(void*)); +SQLITE_API int sqlite3_bind_text16(sqlite3_stmt*, int, const void*, int, void(*)(void*)); +SQLITE_API int sqlite3_bind_value(sqlite3_stmt*, int, const sqlite3_value*); +SQLITE_API int sqlite3_bind_zeroblob(sqlite3_stmt*, int, int n); + +/* +** CAPI3REF: Number Of SQL Parameters +** +** ^This routine can be used to find the number of [SQL parameters] +** in a [prepared statement]. SQL parameters are tokens of the +** form "?", "?NNN", ":AAA", "$AAA", or "@AAA" that serve as +** placeholders for values that are [sqlite3_bind_blob | bound] +** to the parameters at a later time. +** +** ^(This routine actually returns the index of the largest (rightmost) +** parameter. For all forms except ?NNN, this will correspond to the +** number of unique parameters. If parameters of the ?NNN form are used, +** there may be gaps in the list.)^ +** +** See also: [sqlite3_bind_blob|sqlite3_bind()], +** [sqlite3_bind_parameter_name()], and +** [sqlite3_bind_parameter_index()]. +*/ +SQLITE_API int sqlite3_bind_parameter_count(sqlite3_stmt*); + +/* +** CAPI3REF: Name Of A Host Parameter +** +** ^The sqlite3_bind_parameter_name(P,N) interface returns +** the name of the N-th [SQL parameter] in the [prepared statement] P. +** ^(SQL parameters of the form "?NNN" or ":AAA" or "@AAA" or "$AAA" +** have a name which is the string "?NNN" or ":AAA" or "@AAA" or "$AAA" +** respectively. 
+** In other words, the initial ":" or "$" or "@" or "?" +** is included as part of the name.)^ +** ^Parameters of the form "?" without a following integer have no name +** and are referred to as "nameless" or "anonymous parameters". +** +** ^The first host parameter has an index of 1, not 0. +** +** ^If the value N is out of range or if the N-th parameter is +** nameless, then NULL is returned. ^The returned string is +** always in UTF-8 encoding even if the named parameter was +** originally specified as UTF-16 in [sqlite3_prepare16()] or +** [sqlite3_prepare16_v2()]. +** +** See also: [sqlite3_bind_blob|sqlite3_bind()], +** [sqlite3_bind_parameter_count()], and +** [sqlite3_bind_parameter_index()]. +*/ +SQLITE_API const char *sqlite3_bind_parameter_name(sqlite3_stmt*, int); + +/* +** CAPI3REF: Index Of A Parameter With A Given Name +** +** ^Return the index of an SQL parameter given its name. ^The +** index value returned is suitable for use as the second +** parameter to [sqlite3_bind_blob|sqlite3_bind()]. ^A zero +** is returned if no matching parameter is found. ^The parameter +** name must be given in UTF-8 even if the original statement +** was prepared from UTF-16 text using [sqlite3_prepare16_v2()]. +** +** See also: [sqlite3_bind_blob|sqlite3_bind()], +** [sqlite3_bind_parameter_count()], and +** [sqlite3_bind_parameter_index()]. +*/ +SQLITE_API int sqlite3_bind_parameter_index(sqlite3_stmt*, const char *zName); + +/* +** CAPI3REF: Reset All Bindings On A Prepared Statement +** +** ^Contrary to the intuition of many, [sqlite3_reset()] does not reset +** the [sqlite3_bind_blob | bindings] on a [prepared statement]. +** ^Use this routine to reset all host parameters to NULL. +*/ +SQLITE_API int sqlite3_clear_bindings(sqlite3_stmt*); + +/* +** CAPI3REF: Number Of Columns In A Result Set +** +** ^Return the number of columns in the result set returned by the +** [prepared statement]. 
^This routine returns 0 if pStmt is an SQL +** statement that does not return data (for example an [UPDATE]). +** +** See also: [sqlite3_data_count()] +*/ +SQLITE_API int sqlite3_column_count(sqlite3_stmt *pStmt); + +/* +** CAPI3REF: Column Names In A Result Set +** +** ^These routines return the name assigned to a particular column +** in the result set of a [SELECT] statement. ^The sqlite3_column_name() +** interface returns a pointer to a zero-terminated UTF-8 string +** and sqlite3_column_name16() returns a pointer to a zero-terminated +** UTF-16 string. ^The first parameter is the [prepared statement] +** that implements the [SELECT] statement. ^The second parameter is the +** column number. ^The leftmost column is number 0. +** +** ^The returned string pointer is valid until either the [prepared statement] +** is destroyed by [sqlite3_finalize()] or until the statement is automatically +** reprepared by the first call to [sqlite3_step()] for a particular run +** or until the next call to +** sqlite3_column_name() or sqlite3_column_name16() on the same column. +** +** ^If sqlite3_malloc() fails during the processing of either routine +** (for example during a conversion from UTF-8 to UTF-16) then a +** NULL pointer is returned. +** +** ^The name of a result column is the value of the "AS" clause for +** that column, if there is an AS clause. If there is no AS clause +** then the name of the column is unspecified and may change from +** one release of SQLite to the next. +*/ +SQLITE_API const char *sqlite3_column_name(sqlite3_stmt*, int N); +SQLITE_API const void *sqlite3_column_name16(sqlite3_stmt*, int N); + +/* +** CAPI3REF: Source Of Data In A Query Result +** +** ^These routines provide a means to determine the database, table, and +** table column that is the origin of a particular result column in +** [SELECT] statement. +** ^The name of the database or table or column can be returned as +** either a UTF-8 or UTF-16 string. 
^The _database_ routines return +** the database name, the _table_ routines return the table name, and +** the origin_ routines return the column name. +** ^The returned string is valid until the [prepared statement] is destroyed +** using [sqlite3_finalize()] or until the statement is automatically +** reprepared by the first call to [sqlite3_step()] for a particular run +** or until the same information is requested +** again in a different encoding. +** +** ^The names returned are the original un-aliased names of the +** database, table, and column. +** +** ^The first argument to these interfaces is a [prepared statement]. +** ^These functions return information about the Nth result column returned by +** the statement, where N is the second function argument. +** ^The left-most column is column 0 for these routines. +** +** ^If the Nth column returned by the statement is an expression or +** subquery and is not a column value, then all of these functions return +** NULL. ^These routine might also return NULL if a memory allocation error +** occurs. ^Otherwise, they return the name of the attached database, table, +** or column that query result column was extracted from. +** +** ^As with all other SQLite APIs, those whose names end with "16" return +** UTF-16 encoded strings and the other functions return UTF-8. +** +** ^These APIs are only available if the library was compiled with the +** [SQLITE_ENABLE_COLUMN_METADATA] C-preprocessor symbol. +** +** If two or more threads call one or more of these routines against the same +** prepared statement and column at the same time then the results are +** undefined. +** +** If two or more threads call one or more +** [sqlite3_column_database_name | column metadata interfaces] +** for the same [prepared statement] and result column +** at the same time then the results are undefined. 
+*/
+SQLITE_API const char *sqlite3_column_database_name(sqlite3_stmt*,int);
+SQLITE_API const void *sqlite3_column_database_name16(sqlite3_stmt*,int);
+SQLITE_API const char *sqlite3_column_table_name(sqlite3_stmt*,int);
+SQLITE_API const void *sqlite3_column_table_name16(sqlite3_stmt*,int);
+SQLITE_API const char *sqlite3_column_origin_name(sqlite3_stmt*,int);
+SQLITE_API const void *sqlite3_column_origin_name16(sqlite3_stmt*,int);
+
+/*
+** CAPI3REF: Declared Datatype Of A Query Result
+**
+** ^(The first parameter is a [prepared statement].
+** If this statement is a [SELECT] statement and the Nth column of the
+** returned result set of that [SELECT] is a table column (not an
+** expression or subquery) then the declared type of the table
+** column is returned.)^ ^If the Nth column of the result set is an
+** expression or subquery, then a NULL pointer is returned.
+** ^The returned string is always UTF-8 encoded.
+**
+** ^(For example, given the database schema:
+**
+** CREATE TABLE t1(c1 VARIANT);
+**
+** and the following statement to be compiled:
+**
+** SELECT c1 + 1, c1 FROM t1;
+**
+** this routine would return the string "VARIANT" for the second result
+** column (i==1), and a NULL pointer for the first result column (i==0).)^
+**
+** ^SQLite uses dynamic run-time typing. ^So just because a column
+** is declared to contain a particular type does not mean that the
+** data stored in that column is of the declared type. SQLite is
+** strongly typed, but the typing is dynamic not static. ^Type
+** is associated with individual values, not with the containers
+** used to hold those values.
+*/
+SQLITE_API const char *sqlite3_column_decltype(sqlite3_stmt*,int);
+SQLITE_API const void *sqlite3_column_decltype16(sqlite3_stmt*,int);
+
+/*
+** CAPI3REF: Evaluate An SQL Statement
+**
+** After a [prepared statement] has been prepared using either
+** [sqlite3_prepare_v2()] or [sqlite3_prepare16_v2()] or one of the legacy
+** interfaces [sqlite3_prepare()] or [sqlite3_prepare16()], this function
+** must be called one or more times to evaluate the statement.
+**
+** The details of the behavior of the sqlite3_step() interface depend
+** on whether the statement was prepared using the newer "v2" interface
+** [sqlite3_prepare_v2()] and [sqlite3_prepare16_v2()] or the older legacy
+** interface [sqlite3_prepare()] and [sqlite3_prepare16()]. The use of the
+** new "v2" interface is recommended for new applications but the legacy
+** interface will continue to be supported.
+**
+** ^In the legacy interface, the return value will be either [SQLITE_BUSY],
+** [SQLITE_DONE], [SQLITE_ROW], [SQLITE_ERROR], or [SQLITE_MISUSE].
+** ^With the "v2" interface, any of the other [result codes] or
+** [extended result codes] might be returned as well.
+**
+** ^[SQLITE_BUSY] means that the database engine was unable to acquire the
+** database locks it needs to do its job. ^If the statement is a [COMMIT]
+** or occurs outside of an explicit transaction, then you can retry the
+** statement. If the statement is not a [COMMIT] and occurs within an
+** explicit transaction then you should rollback the transaction before
+** continuing.
+**
+** ^[SQLITE_DONE] means that the statement has finished executing
+** successfully. sqlite3_step() should not be called again on this virtual
+** machine without first calling [sqlite3_reset()] to reset the virtual
+** machine back to its initial state.
+**
+** ^If the SQL statement being executed returns any data, then [SQLITE_ROW]
+** is returned each time a new row of data is ready for processing by the
+** caller.
The values may be accessed using the [column access functions].
+** sqlite3_step() is called again to retrieve the next row of data.
+**
+** ^[SQLITE_ERROR] means that a run-time error (such as a constraint
+** violation) has occurred. sqlite3_step() should not be called again on
+** the VM. More information may be found by calling [sqlite3_errmsg()].
+** ^With the legacy interface, a more specific error code (for example,
+** [SQLITE_INTERRUPT], [SQLITE_SCHEMA], [SQLITE_CORRUPT], and so forth)
+** can be obtained by calling [sqlite3_reset()] on the
+** [prepared statement]. ^In the "v2" interface,
+** the more specific error code is returned directly by sqlite3_step().
+**
+** [SQLITE_MISUSE] means that the this routine was called inappropriately.
+** Perhaps it was called on a [prepared statement] that has
+** already been [sqlite3_finalize | finalized] or on one that had
+** previously returned [SQLITE_ERROR] or [SQLITE_DONE]. Or it could
+** be the case that the same database connection is being used by two or
+** more threads at the same moment in time.
+**
+** For all versions of SQLite up to and including 3.6.23.1, a call to
+** [sqlite3_reset()] was required after sqlite3_step() returned anything
+** other than [SQLITE_ROW] before any subsequent invocation of
+** sqlite3_step(). Failure to reset the prepared statement using
+** [sqlite3_reset()] would result in an [SQLITE_MISUSE] return from
+** sqlite3_step(). But after version 3.6.23.1, sqlite3_step() began
+** calling [sqlite3_reset()] automatically in this circumstance rather
+** than returning [SQLITE_MISUSE]. This is not considered a compatibility
+** break because any application that ever receives an SQLITE_MISUSE error
+** is broken by definition. The [SQLITE_OMIT_AUTORESET] compile-time option
+** can be used to restore the legacy behavior.
+**
+** Goofy Interface Alert: In the legacy interface, the sqlite3_step()
+** API always returns a generic error code, [SQLITE_ERROR], following any
+** error other than [SQLITE_BUSY] and [SQLITE_MISUSE]. You must call
+** [sqlite3_reset()] or [sqlite3_finalize()] in order to find one of the
+** specific [error codes] that better describes the error.
+** We admit that this is a goofy design. The problem has been fixed
+** with the "v2" interface. If you prepare all of your SQL statements
+** using either [sqlite3_prepare_v2()] or [sqlite3_prepare16_v2()] instead
+** of the legacy [sqlite3_prepare()] and [sqlite3_prepare16()] interfaces,
+** then the more specific [error codes] are returned directly
+** by sqlite3_step(). The use of the "v2" interface is recommended.
+*/
+SQLITE_API int sqlite3_step(sqlite3_stmt*);
+
+/*
+** CAPI3REF: Number of columns in a result set
+**
+** ^The sqlite3_data_count(P) interface returns the number of columns in the
+** current row of the result set of [prepared statement] P.
+** ^If prepared statement P does not have results ready to return
+** (via calls to the [sqlite3_column_int | sqlite3_column_*()] of
+** interfaces) then sqlite3_data_count(P) returns 0.
+** ^The sqlite3_data_count(P) routine also returns 0 if P is a NULL pointer.
+** ^The sqlite3_data_count(P) routine returns 0 if the previous call to
+** [sqlite3_step](P) returned [SQLITE_DONE]. ^The sqlite3_data_count(P)
+** will return non-zero if previous call to [sqlite3_step](P) returned
+** [SQLITE_ROW], except in the case of the [PRAGMA incremental_vacuum]
+** where it always returns zero since each step of that multi-step
+** pragma returns 0 columns of data.
+**
+** See also: [sqlite3_column_count()]
+*/
+SQLITE_API int sqlite3_data_count(sqlite3_stmt *pStmt);
+
+/*
+** CAPI3REF: Fundamental Datatypes
+** KEYWORDS: SQLITE_TEXT
+**
+** ^(Every value in SQLite has one of five fundamental datatypes:
+**
+**
    +**
  • 64-bit signed integer +**
  • 64-bit IEEE floating point number +**
  • string +**
  • BLOB +**
  • NULL +**
)^
+**
+** These constants are codes for each of those types.
+**
+** Note that the SQLITE_TEXT constant was also used in SQLite version 2
+** for a completely different meaning. Software that links against both
+** SQLite version 2 and SQLite version 3 should use SQLITE3_TEXT, not
+** SQLITE_TEXT.
+*/
+#define SQLITE_INTEGER 1
+#define SQLITE_FLOAT 2
+#define SQLITE_BLOB 4
+#define SQLITE_NULL 5
+#ifdef SQLITE_TEXT
+# undef SQLITE_TEXT
+#else
+# define SQLITE_TEXT 3
+#endif
+#define SQLITE3_TEXT 3
+
+/*
+** CAPI3REF: Result Values From A Query
+** KEYWORDS: {column access functions}
+**
+** These routines form the "result set" interface.
+**
+** ^These routines return information about a single column of the current
+** result row of a query. ^In every case the first argument is a pointer
+** to the [prepared statement] that is being evaluated (the [sqlite3_stmt*]
+** that was returned from [sqlite3_prepare_v2()] or one of its variants)
+** and the second argument is the index of the column for which information
+** should be returned. ^The leftmost column of the result set has the index 0.
+** ^The number of columns in the result can be determined using
+** [sqlite3_column_count()].
+**
+** If the SQL statement does not currently point to a valid row, or if the
+** column index is out of range, the result is undefined.
+** These routines may only be called when the most recent call to
+** [sqlite3_step()] has returned [SQLITE_ROW] and neither
+** [sqlite3_reset()] nor [sqlite3_finalize()] have been called subsequently.
+** If any of these routines are called after [sqlite3_reset()] or
+** [sqlite3_finalize()] or after [sqlite3_step()] has returned
+** something other than [SQLITE_ROW], the results are undefined.
+** If [sqlite3_step()] or [sqlite3_reset()] or [sqlite3_finalize()]
+** are called from a different thread while any of these routines
+** are pending, then the results are undefined.
+**
+** ^The sqlite3_column_type() routine returns the
+** [SQLITE_INTEGER | datatype code] for the initial data type
+** of the result column. ^The returned value is one of [SQLITE_INTEGER],
+** [SQLITE_FLOAT], [SQLITE_TEXT], [SQLITE_BLOB], or [SQLITE_NULL]. The value
+** returned by sqlite3_column_type() is only meaningful if no type
+** conversions have occurred as described below. After a type conversion,
+** the value returned by sqlite3_column_type() is undefined. Future
+** versions of SQLite may change the behavior of sqlite3_column_type()
+** following a type conversion.
+**
+** ^If the result is a BLOB or UTF-8 string then the sqlite3_column_bytes()
+** routine returns the number of bytes in that BLOB or string.
+** ^If the result is a UTF-16 string, then sqlite3_column_bytes() converts
+** the string to UTF-8 and then returns the number of bytes.
+** ^If the result is a numeric value then sqlite3_column_bytes() uses
+** [sqlite3_snprintf()] to convert that value to a UTF-8 string and returns
+** the number of bytes in that string.
+** ^If the result is NULL, then sqlite3_column_bytes() returns zero.
+**
+** ^If the result is a BLOB or UTF-16 string then the sqlite3_column_bytes16()
+** routine returns the number of bytes in that BLOB or string.
+** ^If the result is a UTF-8 string, then sqlite3_column_bytes16() converts
+** the string to UTF-16 and then returns the number of bytes.
+** ^If the result is a numeric value then sqlite3_column_bytes16() uses
+** [sqlite3_snprintf()] to convert that value to a UTF-16 string and returns
+** the number of bytes in that string.
+** ^If the result is NULL, then sqlite3_column_bytes16() returns zero.
+**
+** ^The values returned by [sqlite3_column_bytes()] and
+** [sqlite3_column_bytes16()] do not include the zero terminators at the end
+** of the string.
^For clarity: the values returned by
+** [sqlite3_column_bytes()] and [sqlite3_column_bytes16()] are the number of
+** bytes in the string, not the number of characters.
+**
+** ^Strings returned by sqlite3_column_text() and sqlite3_column_text16(),
+** even empty strings, are always zero-terminated. ^The return
+** value from sqlite3_column_blob() for a zero-length BLOB is a NULL pointer.
+**
+** ^The object returned by [sqlite3_column_value()] is an
+** [unprotected sqlite3_value] object. An unprotected sqlite3_value object
+** may only be used with [sqlite3_bind_value()] and [sqlite3_result_value()].
+** If the [unprotected sqlite3_value] object returned by
+** [sqlite3_column_value()] is used in any other way, including calls
+** to routines like [sqlite3_value_int()], [sqlite3_value_text()],
+** or [sqlite3_value_bytes()], then the behavior is undefined.
+**
+** These routines attempt to convert the value where appropriate. ^For
+** example, if the internal representation is FLOAT and a text result
+** is requested, [sqlite3_snprintf()] is used internally to perform the
+** conversion automatically. ^(The following table details the conversions
+** that are applied:
+**
+**
+** +**
Internal
Type
Requested
Type
Conversion +** +**
NULL INTEGER Result is 0 +**
NULL FLOAT Result is 0.0 +**
NULL TEXT Result is NULL pointer +**
NULL BLOB Result is NULL pointer +**
INTEGER FLOAT Convert from integer to float +**
INTEGER TEXT ASCII rendering of the integer +**
INTEGER BLOB Same as INTEGER->TEXT +**
FLOAT INTEGER Convert from float to integer +**
FLOAT TEXT ASCII rendering of the float +**
FLOAT BLOB Same as FLOAT->TEXT +**
TEXT INTEGER Use atoi() +**
TEXT FLOAT Use atof() +**
TEXT BLOB No change +**
BLOB INTEGER Convert to TEXT then use atoi() +**
BLOB FLOAT Convert to TEXT then use atof() +**
BLOB TEXT Add a zero terminator if needed +**
+**
)^
+**
+** The table above makes reference to standard C library functions atoi()
+** and atof(). SQLite does not really use these functions. It has its
+** own equivalent internal routines. The atoi() and atof() names are
+** used in the table for brevity and because they are familiar to most
+** C programmers.
+**
+** Note that when type conversions occur, pointers returned by prior
+** calls to sqlite3_column_blob(), sqlite3_column_text(), and/or
+** sqlite3_column_text16() may be invalidated.
+** Type conversions and pointer invalidations might occur
+** in the following cases:
+**
+**
    +**
  • The initial content is a BLOB and sqlite3_column_text() or +** sqlite3_column_text16() is called. A zero-terminator might +** need to be added to the string.
  • +**
  • The initial content is UTF-8 text and sqlite3_column_bytes16() or +** sqlite3_column_text16() is called. The content must be converted +** to UTF-16.
  • +**
  • The initial content is UTF-16 text and sqlite3_column_bytes() or +** sqlite3_column_text() is called. The content must be converted +** to UTF-8.
  • +**
+**
+** ^Conversions between UTF-16be and UTF-16le are always done in place and do
+** not invalidate a prior pointer, though of course the content of the buffer
+** that the prior pointer references will have been modified. Other kinds
+** of conversion are done in place when it is possible, but sometimes they
+** are not possible and in those cases prior pointers are invalidated.
+**
+** The safest and easiest to remember policy is to invoke these routines
+** in one of the following ways:
+**
+**
    +**
  • sqlite3_column_text() followed by sqlite3_column_bytes()
  • +**
  • sqlite3_column_blob() followed by sqlite3_column_bytes()
  • +**
  • sqlite3_column_text16() followed by sqlite3_column_bytes16()
  • +**
+**
+** In other words, you should call sqlite3_column_text(),
+** sqlite3_column_blob(), or sqlite3_column_text16() first to force the result
+** into the desired format, then invoke sqlite3_column_bytes() or
+** sqlite3_column_bytes16() to find the size of the result. Do not mix calls
+** to sqlite3_column_text() or sqlite3_column_blob() with calls to
+** sqlite3_column_bytes16(), and do not mix calls to sqlite3_column_text16()
+** with calls to sqlite3_column_bytes().
+**
+** ^The pointers returned are valid until a type conversion occurs as
+** described above, or until [sqlite3_step()] or [sqlite3_reset()] or
+** [sqlite3_finalize()] is called. ^The memory space used to hold strings
+** and BLOBs is freed automatically. Do not pass the pointers returned
+** [sqlite3_column_blob()], [sqlite3_column_text()], etc. into
+** [sqlite3_free()].
+**
+** ^(If a memory allocation error occurs during the evaluation of any
+** of these routines, a default value is returned. The default value
+** is either the integer 0, the floating point number 0.0, or a NULL
+** pointer. Subsequent calls to [sqlite3_errcode()] will return
+** [SQLITE_NOMEM].)^
+*/
+SQLITE_API const void *sqlite3_column_blob(sqlite3_stmt*, int iCol);
+SQLITE_API int sqlite3_column_bytes(sqlite3_stmt*, int iCol);
+SQLITE_API int sqlite3_column_bytes16(sqlite3_stmt*, int iCol);
+SQLITE_API double sqlite3_column_double(sqlite3_stmt*, int iCol);
+SQLITE_API int sqlite3_column_int(sqlite3_stmt*, int iCol);
+SQLITE_API sqlite3_int64 sqlite3_column_int64(sqlite3_stmt*, int iCol);
+SQLITE_API const unsigned char *sqlite3_column_text(sqlite3_stmt*, int iCol);
+SQLITE_API const void *sqlite3_column_text16(sqlite3_stmt*, int iCol);
+SQLITE_API int sqlite3_column_type(sqlite3_stmt*, int iCol);
+SQLITE_API sqlite3_value *sqlite3_column_value(sqlite3_stmt*, int iCol);
+
+/*
+** CAPI3REF: Destroy A Prepared Statement Object
+**
+** ^The sqlite3_finalize() function is called to delete a [prepared statement].
+**
+** ^If the most recent evaluation of the statement encountered no errors
+** or if the statement is never been evaluated, then sqlite3_finalize() returns
+** SQLITE_OK. ^If the most recent evaluation of statement S failed, then
+** sqlite3_finalize(S) returns the appropriate [error code] or
+** [extended error code].
+**
+** ^The sqlite3_finalize(S) routine can be called at any point during
+** the life cycle of [prepared statement] S:
+** before statement S is ever evaluated, after
+** one or more calls to [sqlite3_reset()], or after any call
+** to [sqlite3_step()] regardless of whether or not the statement has
+** completed execution.
+**
+** ^Invoking sqlite3_finalize() on a NULL pointer is a harmless no-op.
+**
+** The application must finalize every [prepared statement] in order to avoid
+** resource leaks. It is a grievous error for the application to try to use
+** a prepared statement after it has been finalized. Any use of a prepared
+** statement after it has been finalized can result in undefined and
+** undesirable behavior such as segfaults and heap corruption.
+*/
+SQLITE_API int sqlite3_finalize(sqlite3_stmt *pStmt);
+
+/*
+** CAPI3REF: Reset A Prepared Statement Object
+**
+** The sqlite3_reset() function is called to reset a [prepared statement]
+** object back to its initial state, ready to be re-executed.
+** ^Any SQL statement variables that had values bound to them using
+** the [sqlite3_bind_blob | sqlite3_bind_*() API] retain their values.
+** Use [sqlite3_clear_bindings()] to reset the bindings.
+**
+** ^The [sqlite3_reset(S)] interface resets the [prepared statement] S
+** back to the beginning of its program.
+**
+** ^If the most recent call to [sqlite3_step(S)] for the
+** [prepared statement] S returned [SQLITE_ROW] or [SQLITE_DONE],
+** or if [sqlite3_step(S)] has never before been called on S,
+** then [sqlite3_reset(S)] returns [SQLITE_OK].
+**
+** ^If the most recent call to [sqlite3_step(S)] for the
+** [prepared statement] S indicated an error, then
+** [sqlite3_reset(S)] returns an appropriate [error code].
+**
+** ^The [sqlite3_reset(S)] interface does not change the values
+** of any [sqlite3_bind_blob|bindings] on the [prepared statement] S.
+*/
+SQLITE_API int sqlite3_reset(sqlite3_stmt *pStmt);
+
+/*
+** CAPI3REF: Create Or Redefine SQL Functions
+** KEYWORDS: {function creation routines}
+** KEYWORDS: {application-defined SQL function}
+** KEYWORDS: {application-defined SQL functions}
+**
+** ^These functions (collectively known as "function creation routines")
+** are used to add SQL functions or aggregates or to redefine the behavior
+** of existing SQL functions or aggregates. The only differences between
+** these routines are the text encoding expected for
+** the second parameter (the name of the function being created)
+** and the presence or absence of a destructor callback for
+** the application data pointer.
+**
+** ^The first parameter is the [database connection] to which the SQL
+** function is to be added. ^If an application uses more than one database
+** connection then application-defined SQL functions must be added
+** to each database connection separately.
+**
+** ^The second parameter is the name of the SQL function to be created or
+** redefined. ^The length of the name is limited to 255 bytes in a UTF-8
+** representation, exclusive of the zero-terminator. ^Note that the name
+** length limit is in UTF-8 bytes, not characters nor UTF-16 bytes.
+** ^Any attempt to create a function with a longer name
+** will result in [SQLITE_MISUSE] being returned.
+**
+** ^The third parameter (nArg)
+** is the number of arguments that the SQL function or
+** aggregate takes. ^If this parameter is -1, then the SQL function or
+** aggregate may take any number of arguments between 0 and the limit
+** set by [sqlite3_limit]([SQLITE_LIMIT_FUNCTION_ARG]).
If the third
+** parameter is less than -1 or greater than 127 then the behavior is
+** undefined.
+**
+** ^The fourth parameter, eTextRep, specifies what
+** [SQLITE_UTF8 | text encoding] this SQL function prefers for
+** its parameters. Every SQL function implementation must be able to work
+** with UTF-8, UTF-16le, or UTF-16be. But some implementations may be
+** more efficient with one encoding than another. ^An application may
+** invoke sqlite3_create_function() or sqlite3_create_function16() multiple
+** times with the same function but with different values of eTextRep.
+** ^When multiple implementations of the same function are available, SQLite
+** will pick the one that involves the least amount of data conversion.
+** If there is only a single implementation which does not care what text
+** encoding is used, then the fourth argument should be [SQLITE_ANY].
+**
+** ^(The fifth parameter is an arbitrary pointer. The implementation of the
+** function can gain access to this pointer using [sqlite3_user_data()].)^
+**
+** ^The sixth, seventh and eighth parameters, xFunc, xStep and xFinal, are
+** pointers to C-language functions that implement the SQL function or
+** aggregate. ^A scalar SQL function requires an implementation of the xFunc
+** callback only; NULL pointers must be passed as the xStep and xFinal
+** parameters. ^An aggregate SQL function requires an implementation of xStep
+** and xFinal and NULL pointer must be passed for xFunc. ^To delete an existing
+** SQL function or aggregate, pass NULL pointers for all three function
+** callbacks.
+**
+** ^(If the ninth parameter to sqlite3_create_function_v2() is not NULL,
+** then it is destructor for the application data pointer.
+** The destructor is invoked when the function is deleted, either by being
+** overloaded or when the database connection closes.)^
+** ^The destructor is also invoked if the call to
+** sqlite3_create_function_v2() fails.
+**
+** ^When the destructor callback of the tenth parameter is invoked, it
+** is passed a single argument which is a copy of the application data
+** pointer which was the fifth parameter to sqlite3_create_function_v2().
+**
+** ^It is permitted to register multiple implementations of the same
+** functions with the same name but with either differing numbers of
+** arguments or differing preferred text encodings. ^SQLite will use
+** the implementation that most closely matches the way in which the
+** SQL function is used. ^A function implementation with a non-negative
+** nArg parameter is a better match than a function implementation with
+** a negative nArg. ^A function where the preferred text encoding
+** matches the database encoding is a better
+** match than a function where the encoding is different.
+** ^A function where the encoding difference is between UTF16le and UTF16be
+** is a closer match than a function where the encoding difference is
+** between UTF8 and UTF16.
+**
+** ^Built-in functions may be overloaded by new application-defined functions.
+**
+** ^An application-defined function is permitted to call other
+** SQLite interfaces. However, such calls must not
+** close the database connection nor finalize or reset the prepared
+** statement in which the function is running.
+*/
+SQLITE_API int sqlite3_create_function(
+ sqlite3 *db,
+ const char *zFunctionName,
+ int nArg,
+ int eTextRep,
+ void *pApp,
+ void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+ void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+ void (*xFinal)(sqlite3_context*)
+);
+SQLITE_API int sqlite3_create_function16(
+ sqlite3 *db,
+ const void *zFunctionName,
+ int nArg,
+ int eTextRep,
+ void *pApp,
+ void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+ void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+ void (*xFinal)(sqlite3_context*)
+);
+SQLITE_API int sqlite3_create_function_v2(
+ sqlite3 *db,
+ const char *zFunctionName,
+ int nArg,
+ int eTextRep,
+ void *pApp,
+ void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+ void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+ void (*xFinal)(sqlite3_context*),
+ void(*xDestroy)(void*)
+);
+
+/*
+** CAPI3REF: Text Encodings
+**
+** These constant define integer codes that represent the various
+** text encodings supported by SQLite.
+*/
+#define SQLITE_UTF8 1
+#define SQLITE_UTF16LE 2
+#define SQLITE_UTF16BE 3
+#define SQLITE_UTF16 4 /* Use native byte order */
+#define SQLITE_ANY 5 /* sqlite3_create_function only */
+#define SQLITE_UTF16_ALIGNED 8 /* sqlite3_create_collation only */
+
+/*
+** CAPI3REF: Deprecated Functions
+** DEPRECATED
+**
+** These functions are [deprecated]. In order to maintain
+** backwards compatibility with older code, these functions continue
+** to be supported. However, new applications should avoid
+** the use of these functions. To help encourage people to avoid
+** using these functions, we are not going to tell you what they do.
+*/ +#ifndef SQLITE_OMIT_DEPRECATED +SQLITE_API SQLITE_DEPRECATED int sqlite3_aggregate_count(sqlite3_context*); +SQLITE_API SQLITE_DEPRECATED int sqlite3_expired(sqlite3_stmt*); +SQLITE_API SQLITE_DEPRECATED int sqlite3_transfer_bindings(sqlite3_stmt*, sqlite3_stmt*); +SQLITE_API SQLITE_DEPRECATED int sqlite3_global_recover(void); +SQLITE_API SQLITE_DEPRECATED void sqlite3_thread_cleanup(void); +SQLITE_API SQLITE_DEPRECATED int sqlite3_memory_alarm(void(*)(void*,sqlite3_int64,int), + void*,sqlite3_int64); +#endif + +/* +** CAPI3REF: Obtaining SQL Function Parameter Values +** +** The C-language implementation of SQL functions and aggregates uses +** this set of interface routines to access the parameter values on +** the function or aggregate. +** +** The xFunc (for scalar functions) or xStep (for aggregates) parameters +** to [sqlite3_create_function()] and [sqlite3_create_function16()] +** define callbacks that implement the SQL functions and aggregates. +** The 3rd parameter to these callbacks is an array of pointers to +** [protected sqlite3_value] objects. There is one [sqlite3_value] object for +** each parameter to the SQL function. These routines are used to +** extract values from the [sqlite3_value] objects. +** +** These routines work only with [protected sqlite3_value] objects. +** Any attempt to use these routines on an [unprotected sqlite3_value] +** object results in undefined behavior. +** +** ^These routines work just like the corresponding [column access functions] +** except that these routines take a single [protected sqlite3_value] object +** pointer instead of a [sqlite3_stmt*] pointer and an integer column number. +** +** ^The sqlite3_value_text16() interface extracts a UTF-16 string +** in the native byte-order of the host machine. ^The +** sqlite3_value_text16be() and sqlite3_value_text16le() interfaces +** extract UTF-16 strings as big-endian and little-endian respectively. 
+** +** ^(The sqlite3_value_numeric_type() interface attempts to apply +** numeric affinity to the value. This means that an attempt is +** made to convert the value to an integer or floating point. If +** such a conversion is possible without loss of information (in other +** words, if the value is a string that looks like a number) +** then the conversion is performed. Otherwise no conversion occurs. +** The [SQLITE_INTEGER | datatype] after conversion is returned.)^ +** +** Please pay particular attention to the fact that the pointer returned +** from [sqlite3_value_blob()], [sqlite3_value_text()], or +** [sqlite3_value_text16()] can be invalidated by a subsequent call to +** [sqlite3_value_bytes()], [sqlite3_value_bytes16()], [sqlite3_value_text()], +** or [sqlite3_value_text16()]. +** +** These routines must be called from the same thread as +** the SQL function that supplied the [sqlite3_value*] parameters. +*/ +SQLITE_API const void *sqlite3_value_blob(sqlite3_value*); +SQLITE_API int sqlite3_value_bytes(sqlite3_value*); +SQLITE_API int sqlite3_value_bytes16(sqlite3_value*); +SQLITE_API double sqlite3_value_double(sqlite3_value*); +SQLITE_API int sqlite3_value_int(sqlite3_value*); +SQLITE_API sqlite3_int64 sqlite3_value_int64(sqlite3_value*); +SQLITE_API const unsigned char *sqlite3_value_text(sqlite3_value*); +SQLITE_API const void *sqlite3_value_text16(sqlite3_value*); +SQLITE_API const void *sqlite3_value_text16le(sqlite3_value*); +SQLITE_API const void *sqlite3_value_text16be(sqlite3_value*); +SQLITE_API int sqlite3_value_type(sqlite3_value*); +SQLITE_API int sqlite3_value_numeric_type(sqlite3_value*); + +/* +** CAPI3REF: Obtain Aggregate Function Context +** +** Implementations of aggregate SQL functions use this +** routine to allocate memory for storing their state. 
+** +** ^The first time the sqlite3_aggregate_context(C,N) routine is called +** for a particular aggregate function, SQLite +** allocates N of memory, zeroes out that memory, and returns a pointer +** to the new memory. ^On second and subsequent calls to +** sqlite3_aggregate_context() for the same aggregate function instance, +** the same buffer is returned. Sqlite3_aggregate_context() is normally +** called once for each invocation of the xStep callback and then one +** last time when the xFinal callback is invoked. ^(When no rows match +** an aggregate query, the xStep() callback of the aggregate function +** implementation is never called and xFinal() is called exactly once. +** In those cases, sqlite3_aggregate_context() might be called for the +** first time from within xFinal().)^ +** +** ^The sqlite3_aggregate_context(C,N) routine returns a NULL pointer +** when first called if N is less than or equal to zero or if a memory +** allocate error occurs. +** +** ^(The amount of space allocated by sqlite3_aggregate_context(C,N) is +** determined by the N parameter on first successful call. Changing the +** value of N in subsequent call to sqlite3_aggregate_context() within +** the same aggregate function instance will not resize the memory +** allocation.)^ Within the xFinal callback, it is customary to set +** N=0 in calls to sqlite3_aggregate_context(C,N) so that no +** pointless memory allocations occur. +** +** ^SQLite automatically frees the memory allocated by +** sqlite3_aggregate_context() when the aggregate query concludes. +** +** The first parameter must be a copy of the +** [sqlite3_context | SQL function context] that is the first parameter +** to the xStep or xFinal callback routine that implements the aggregate +** function. +** +** This routine must be called from the same thread in which +** the aggregate SQL function is running. 
+*/ +SQLITE_API void *sqlite3_aggregate_context(sqlite3_context*, int nBytes); + +/* +** CAPI3REF: User Data For Functions +** +** ^The sqlite3_user_data() interface returns a copy of +** the pointer that was the pUserData parameter (the 5th parameter) +** of the [sqlite3_create_function()] +** and [sqlite3_create_function16()] routines that originally +** registered the application defined function. +** +** This routine must be called from the same thread in which +** the application-defined function is running. +*/ +SQLITE_API void *sqlite3_user_data(sqlite3_context*); + +/* +** CAPI3REF: Database Connection For Functions +** +** ^The sqlite3_context_db_handle() interface returns a copy of +** the pointer to the [database connection] (the 1st parameter) +** of the [sqlite3_create_function()] +** and [sqlite3_create_function16()] routines that originally +** registered the application defined function. +*/ +SQLITE_API sqlite3 *sqlite3_context_db_handle(sqlite3_context*); + +/* +** CAPI3REF: Function Auxiliary Data +** +** The following two functions may be used by scalar SQL functions to +** associate metadata with argument values. If the same value is passed to +** multiple invocations of the same SQL function during query execution, under +** some circumstances the associated metadata may be preserved. This may +** be used, for example, to add a regular-expression matching scalar +** function. The compiled version of the regular expression is stored as +** metadata associated with the SQL value passed as the regular expression +** pattern. The compiled regular expression can be reused on multiple +** invocations of the same function so that the original pattern string +** does not need to be recompiled on each invocation. +** +** ^The sqlite3_get_auxdata() interface returns a pointer to the metadata +** associated by the sqlite3_set_auxdata() function with the Nth argument +** value to the application-defined function. 
^If no metadata has been ever +** been set for the Nth argument of the function, or if the corresponding +** function parameter has changed since the meta-data was set, +** then sqlite3_get_auxdata() returns a NULL pointer. +** +** ^The sqlite3_set_auxdata() interface saves the metadata +** pointed to by its 3rd parameter as the metadata for the N-th +** argument of the application-defined function. Subsequent +** calls to sqlite3_get_auxdata() might return this data, if it has +** not been destroyed. +** ^If it is not NULL, SQLite will invoke the destructor +** function given by the 4th parameter to sqlite3_set_auxdata() on +** the metadata when the corresponding function parameter changes +** or when the SQL statement completes, whichever comes first. +** +** SQLite is free to call the destructor and drop metadata on any +** parameter of any function at any time. ^The only guarantee is that +** the destructor will be called before the metadata is dropped. +** +** ^(In practice, metadata is preserved between function calls for +** expressions that are constant at compile time. This includes literal +** values and [parameters].)^ +** +** These routines must be called from the same thread in which +** the SQL function is running. +*/ +SQLITE_API void *sqlite3_get_auxdata(sqlite3_context*, int N); +SQLITE_API void sqlite3_set_auxdata(sqlite3_context*, int N, void*, void (*)(void*)); + + +/* +** CAPI3REF: Constants Defining Special Destructor Behavior +** +** These are special values for the destructor that is passed in as the +** final argument to routines like [sqlite3_result_blob()]. ^If the destructor +** argument is SQLITE_STATIC, it means that the content pointer is constant +** and will never change. It does not need to be destroyed. ^The +** SQLITE_TRANSIENT value means that the content will likely change in +** the near future and that SQLite should make its own private copy of +** the content before returning. 
+** +** The typedef is necessary to work around problems in certain +** C++ compilers. See ticket #2191. +*/ +typedef void (*sqlite3_destructor_type)(void*); +#define SQLITE_STATIC ((sqlite3_destructor_type)0) +#define SQLITE_TRANSIENT ((sqlite3_destructor_type)-1) + +/* +** CAPI3REF: Setting The Result Of An SQL Function +** +** These routines are used by the xFunc or xFinal callbacks that +** implement SQL functions and aggregates. See +** [sqlite3_create_function()] and [sqlite3_create_function16()] +** for additional information. +** +** These functions work very much like the [parameter binding] family of +** functions used to bind values to host parameters in prepared statements. +** Refer to the [SQL parameter] documentation for additional information. +** +** ^The sqlite3_result_blob() interface sets the result from +** an application-defined function to be the BLOB whose content is pointed +** to by the second parameter and which is N bytes long where N is the +** third parameter. +** +** ^The sqlite3_result_zeroblob() interfaces set the result of +** the application-defined function to be a BLOB containing all zero +** bytes and N bytes in size, where N is the value of the 2nd parameter. +** +** ^The sqlite3_result_double() interface sets the result from +** an application-defined function to be a floating point value specified +** by its 2nd argument. +** +** ^The sqlite3_result_error() and sqlite3_result_error16() functions +** cause the implemented SQL function to throw an exception. +** ^SQLite uses the string pointed to by the +** 2nd parameter of sqlite3_result_error() or sqlite3_result_error16() +** as the text of an error message. ^SQLite interprets the error +** message string from sqlite3_result_error() as UTF-8. ^SQLite +** interprets the string from sqlite3_result_error16() as UTF-16 in native +** byte order. 
^If the third parameter to sqlite3_result_error()
+** or sqlite3_result_error16() is negative then SQLite takes as the error
+** message all text up through the first zero character.
+** ^If the third parameter to sqlite3_result_error() or
+** sqlite3_result_error16() is non-negative then SQLite takes that many
+** bytes (not characters) from the 2nd parameter as the error message.
+** ^The sqlite3_result_error() and sqlite3_result_error16()
+** routines make a private copy of the error message text before
+** they return. Hence, the calling function can deallocate or
+** modify the text after they return without harm.
+** ^The sqlite3_result_error_code() function changes the error code
+** returned by SQLite as a result of an error in a function. ^By default,
+** the error code is SQLITE_ERROR. ^A subsequent call to sqlite3_result_error()
+** or sqlite3_result_error16() resets the error code to SQLITE_ERROR.
+**
+** ^The sqlite3_result_error_toobig() interface causes SQLite to throw an
+** error indicating that a string or BLOB is too long to represent.
+**
+** ^The sqlite3_result_error_nomem() interface causes SQLite to throw an
+** error indicating that a memory allocation failed.
+**
+** ^The sqlite3_result_int() interface sets the return value
+** of the application-defined function to be the 32-bit signed integer
+** value given in the 2nd argument.
+** ^The sqlite3_result_int64() interface sets the return value
+** of the application-defined function to be the 64-bit signed integer
+** value given in the 2nd argument.
+**
+** ^The sqlite3_result_null() interface sets the return value
+** of the application-defined function to be NULL.
+**
+** ^The sqlite3_result_text(), sqlite3_result_text16(),
+** sqlite3_result_text16le(), and sqlite3_result_text16be() interfaces
+** set the return value of the application-defined function to be
+** a text string which is represented as UTF-8, UTF-16 native byte order,
+** UTF-16 little endian, or UTF-16 big endian, respectively.
+** ^SQLite takes the text result from the application from
+** the 2nd parameter of the sqlite3_result_text* interfaces.
+** ^If the 3rd parameter to the sqlite3_result_text* interfaces
+** is negative, then SQLite takes result text from the 2nd parameter
+** through the first zero character.
+** ^If the 3rd parameter to the sqlite3_result_text* interfaces
+** is non-negative, then as many bytes (not characters) of the text
+** pointed to by the 2nd parameter are taken as the application-defined
+** function result. If the 3rd parameter is non-negative, then it
+** must be the byte offset into the string where the NUL terminator would
+** appear if the string where NUL terminated. If any NUL characters occur
+** in the string at a byte offset that is less than the value of the 3rd
+** parameter, then the resulting string will contain embedded NULs and the
+** result of expressions operating on strings with embedded NULs is undefined.
+** ^If the 4th parameter to the sqlite3_result_text* interfaces
+** or sqlite3_result_blob is a non-NULL pointer, then SQLite calls that
+** function as the destructor on the text or BLOB result when it has
+** finished using that result.
+** ^If the 4th parameter to the sqlite3_result_text* interfaces or to
+** sqlite3_result_blob is the special constant SQLITE_STATIC, then SQLite
+** assumes that the text or BLOB result is in constant space and does not
+** copy the content of the parameter nor call a destructor on the content
+** when it has finished using that result.
+** ^If the 4th parameter to the sqlite3_result_text* interfaces
+** or sqlite3_result_blob is the special constant SQLITE_TRANSIENT
+** then SQLite makes a copy of the result into space obtained from
+** from [sqlite3_malloc()] before it returns.
+**
+** ^The sqlite3_result_value() interface sets the result of
+** the application-defined function to be a copy the
+** [unprotected sqlite3_value] object specified by the 2nd parameter. ^The
+** sqlite3_result_value() interface makes a copy of the [sqlite3_value]
+** so that the [sqlite3_value] specified in the parameter may change or
+** be deallocated after sqlite3_result_value() returns without harm.
+** ^A [protected sqlite3_value] object may always be used where an
+** [unprotected sqlite3_value] object is required, so either
+** kind of [sqlite3_value] object can be used with this interface.
+**
+** If these routines are called from within the different thread
+** than the one containing the application-defined function that received
+** the [sqlite3_context] pointer, the results are undefined.
+*/
+SQLITE_API void sqlite3_result_blob(sqlite3_context*, const void*, int, void(*)(void*));
+SQLITE_API void sqlite3_result_double(sqlite3_context*, double);
+SQLITE_API void sqlite3_result_error(sqlite3_context*, const char*, int);
+SQLITE_API void sqlite3_result_error16(sqlite3_context*, const void*, int);
+SQLITE_API void sqlite3_result_error_toobig(sqlite3_context*);
+SQLITE_API void sqlite3_result_error_nomem(sqlite3_context*);
+SQLITE_API void sqlite3_result_error_code(sqlite3_context*, int);
+SQLITE_API void sqlite3_result_int(sqlite3_context*, int);
+SQLITE_API void sqlite3_result_int64(sqlite3_context*, sqlite3_int64);
+SQLITE_API void sqlite3_result_null(sqlite3_context*);
+SQLITE_API void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
+SQLITE_API void sqlite3_result_text16(sqlite3_context*, const void*, int, void(*)(void*));
+SQLITE_API void sqlite3_result_text16le(sqlite3_context*, const void*, int,void(*)(void*));
+SQLITE_API void sqlite3_result_text16be(sqlite3_context*, const void*, int,void(*)(void*));
+SQLITE_API void sqlite3_result_value(sqlite3_context*, sqlite3_value*);
+SQLITE_API void sqlite3_result_zeroblob(sqlite3_context*, int n);
+
+/*
+** CAPI3REF: Define New Collating Sequences
+**
+** ^These functions add, remove, or modify a [collation] associated
+** with the [database connection] specified as the first argument.
+**
+** ^The name of the collation is a UTF-8 string
+** for sqlite3_create_collation() and sqlite3_create_collation_v2()
+** and a UTF-16 string in native byte order for sqlite3_create_collation16().
+** ^Collation names that compare equal according to [sqlite3_strnicmp()] are
+** considered to be the same name.
+**
+** ^(The third argument (eTextRep) must be one of the constants:
+**
    +**
  • [SQLITE_UTF8], +**
  • [SQLITE_UTF16LE], +**
  • [SQLITE_UTF16BE], +**
  • [SQLITE_UTF16], or +**
  • [SQLITE_UTF16_ALIGNED]. +**
)^
+** ^The eTextRep argument determines the encoding of strings passed
+** to the collating function callback, xCallback.
+** ^The [SQLITE_UTF16] and [SQLITE_UTF16_ALIGNED] values for eTextRep
+** force strings to be UTF16 with native byte order.
+** ^The [SQLITE_UTF16_ALIGNED] value for eTextRep forces strings to begin
+** on an even byte address.
+**
+** ^The fourth argument, pArg, is an application data pointer that is passed
+** through as the first argument to the collating function callback.
+**
+** ^The fifth argument, xCallback, is a pointer to the collating function.
+** ^Multiple collating functions can be registered using the same name but
+** with different eTextRep parameters and SQLite will use whichever
+** function requires the least amount of data transformation.
+** ^If the xCallback argument is NULL then the collating function is
+** deleted. ^When all collating functions having the same name are deleted,
+** that collation is no longer usable.
+**
+** ^The collating function callback is invoked with a copy of the pArg
+** application data pointer and with two strings in the encoding specified
+** by the eTextRep argument. The collating function must return an
+** integer that is negative, zero, or positive
+** if the first string is less than, equal to, or greater than the second,
+** respectively. A collating function must always return the same answer
+** given the same inputs. If two or more collating functions are registered
+** to the same collation name (using different eTextRep values) then all
+** must give an equivalent answer when invoked with equivalent strings.
+** The collating function must obey the following properties for all
+** strings A, B, and C:
+**
+**
    +**
  1. If A==B then B==A. +**
  2. If A==B and B==C then A==C. +**
  3. If A<B THEN B>A. +**
  4. If A<B and B<C then A<C. +**
+**
+** If a collating function fails any of the above constraints and that
+** collating function is registered and used, then the behavior of SQLite
+** is undefined.
+**
+** ^The sqlite3_create_collation_v2() works like sqlite3_create_collation()
+** with the addition that the xDestroy callback is invoked on pArg when
+** the collating function is deleted.
+** ^Collating functions are deleted when they are overridden by later
+** calls to the collation creation functions or when the
+** [database connection] is closed using [sqlite3_close()].
+**
+** ^The xDestroy callback is not called if the
+** sqlite3_create_collation_v2() function fails. Applications that invoke
+** sqlite3_create_collation_v2() with a non-NULL xDestroy argument should
+** check the return code and dispose of the application data pointer
+** themselves rather than expecting SQLite to deal with it for them.
+** This is different from every other SQLite interface. The inconsistency
+** is unfortunate but cannot be changed without breaking backwards
+** compatibility.
+**
+** See also: [sqlite3_collation_needed()] and [sqlite3_collation_needed16()].
+*/
+SQLITE_API int sqlite3_create_collation(
+ sqlite3*,
+ const char *zName,
+ int eTextRep,
+ void *pArg,
+ int(*xCompare)(void*,int,const void*,int,const void*)
+);
+SQLITE_API int sqlite3_create_collation_v2(
+ sqlite3*,
+ const char *zName,
+ int eTextRep,
+ void *pArg,
+ int(*xCompare)(void*,int,const void*,int,const void*),
+ void(*xDestroy)(void*)
+);
+SQLITE_API int sqlite3_create_collation16(
+ sqlite3*,
+ const void *zName,
+ int eTextRep,
+ void *pArg,
+ int(*xCompare)(void*,int,const void*,int,const void*)
+);
+
+/*
+** CAPI3REF: Collation Needed Callbacks
+**
+** ^To avoid having to register all collation sequences before a database
+** can be used, a single callback function may be registered with the
+** [database connection] to be invoked whenever an undefined collation
+** sequence is required.
+**
+** ^If the function is registered using the sqlite3_collation_needed() API,
+** then it is passed the names of undefined collation sequences as strings
+** encoded in UTF-8. ^If sqlite3_collation_needed16() is used,
+** the names are passed as UTF-16 in machine native byte order.
+** ^A call to either function replaces the existing collation-needed callback.
+**
+** ^(When the callback is invoked, the first argument passed is a copy
+** of the second argument to sqlite3_collation_needed() or
+** sqlite3_collation_needed16(). The second argument is the database
+** connection. The third argument is one of [SQLITE_UTF8], [SQLITE_UTF16BE],
+** or [SQLITE_UTF16LE], indicating the most desirable form of the collation
+** sequence function required. The fourth parameter is the name of the
+** required collation sequence.)^
+**
+** The callback function should register the desired collation using
+** [sqlite3_create_collation()], [sqlite3_create_collation16()], or
+** [sqlite3_create_collation_v2()].
+*/
+SQLITE_API int sqlite3_collation_needed(
+ sqlite3*,
+ void*,
+ void(*)(void*,sqlite3*,int eTextRep,const char*)
+);
+SQLITE_API int sqlite3_collation_needed16(
+ sqlite3*,
+ void*,
+ void(*)(void*,sqlite3*,int eTextRep,const void*)
+);
+
+#ifdef SQLITE_HAS_CODEC
+/*
+** Specify the key for an encrypted database. This routine should be
+** called right after sqlite3_open().
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+SQLITE_API int sqlite3_key(
+ sqlite3 *db, /* Database to be rekeyed */
+ const void *pKey, int nKey /* The key */
+);
+
+/*
+** Change the key on an open database. If the current database is not
+** encrypted, this routine will encrypt it. If pNew==0 or nNew==0, the
+** database is decrypted.
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+SQLITE_API int sqlite3_rekey(
+ sqlite3 *db, /* Database to be rekeyed */
+ const void *pKey, int nKey /* The new key */
+);
+
+/*
+** Specify the activation key for a SEE database. Unless
+** activated, none of the SEE routines will work.
+*/
+SQLITE_API void sqlite3_activate_see(
+ const char *zPassPhrase /* Activation phrase */
+);
+#endif
+
+#ifdef SQLITE_ENABLE_CEROD
+/*
+** Specify the activation key for a CEROD database. Unless
+** activated, none of the CEROD routines will work.
+*/
+SQLITE_API void sqlite3_activate_cerod(
+ const char *zPassPhrase /* Activation phrase */
+);
+#endif
+
+/*
+** CAPI3REF: Suspend Execution For A Short Time
+**
+** The sqlite3_sleep() function causes the current thread to suspend execution
+** for at least a number of milliseconds specified in its parameter.
+**
+** If the operating system does not support sleep requests with
+** millisecond time resolution, then the time will be rounded up to
+** the nearest second. The number of milliseconds of sleep actually
+** requested from the operating system is returned.
+**
+** ^SQLite implements this interface by calling the xSleep()
+** method of the default [sqlite3_vfs] object. If the xSleep() method
+** of the default VFS is not implemented correctly, or not implemented at
+** all, then the behavior of sqlite3_sleep() may deviate from the description
+** in the previous paragraphs.
+*/
+SQLITE_API int sqlite3_sleep(int);
+
+/*
+** CAPI3REF: Name Of The Folder Holding Temporary Files
+**
+** ^(If this global variable is made to point to a string which is
+** the name of a folder (a.k.a. directory), then all temporary files
+** created by SQLite when using a built-in [sqlite3_vfs | VFS]
+** will be placed in that directory.)^ ^If this variable
+** is a NULL pointer, then SQLite performs a search for an appropriate
+** temporary file directory.
+**
+** It is not safe to read or modify this variable in more than one
+** thread at a time.
It is not safe to read or modify this variable
+** if a [database connection] is being used at the same time in a separate
+** thread.
+** It is intended that this variable be set once
+** as part of process initialization and before any SQLite interface
+** routines have been called and that this variable remain unchanged
+** thereafter.
+**
+** ^The [temp_store_directory pragma] may modify this variable and cause
+** it to point to memory obtained from [sqlite3_malloc]. ^Furthermore,
+** the [temp_store_directory pragma] always assumes that any string
+** that this variable points to is held in memory obtained from
+** [sqlite3_malloc] and the pragma may attempt to free that memory
+** using [sqlite3_free].
+** Hence, if this variable is modified directly, either it should be
+** made NULL or made to point to memory obtained from [sqlite3_malloc]
+** or else the use of the [temp_store_directory pragma] should be avoided.
+**
+** Note to Windows Runtime users: The temporary directory must be set
+** prior to calling [sqlite3_open] or [sqlite3_open_v2]. Otherwise, various
+** features that require the use of temporary files may fail. Here is an
+** example of how to do this using C++ with the Windows Runtime:
+**
+**
+** LPCWSTR zPath = Windows::Storage::ApplicationData::Current->
+**       TemporaryFolder->Path->Data();
+** char zPathBuf[MAX_PATH + 1];
+** memset(zPathBuf, 0, sizeof(zPathBuf));
+** WideCharToMultiByte(CP_UTF8, 0, zPath, -1, zPathBuf, sizeof(zPathBuf),
+**       NULL, NULL);
+** sqlite3_temp_directory = sqlite3_mprintf("%s", zPathBuf);
+** 
+*/
+SQLITE_API char *sqlite3_temp_directory;
+
+/*
+** CAPI3REF: Name Of The Folder Holding Database Files
+**
+** ^(If this global variable is made to point to a string which is
+** the name of a folder (a.k.a. directory), then all database files
+** specified with a relative pathname and created or accessed by
+** SQLite when using a built-in windows [sqlite3_vfs | VFS] will be assumed
+** to be relative to that directory.)^ ^If this variable is a NULL
+** pointer, then SQLite assumes that all database files specified
+** with a relative pathname are relative to the current directory
+** for the process. Only the windows VFS makes use of this global
+** variable; it is ignored by the unix VFS.
+**
+** Changing the value of this variable while a database connection is
+** open can result in a corrupt database.
+**
+** It is not safe to read or modify this variable in more than one
+** thread at a time. It is not safe to read or modify this variable
+** if a [database connection] is being used at the same time in a separate
+** thread.
+** It is intended that this variable be set once
+** as part of process initialization and before any SQLite interface
+** routines have been called and that this variable remain unchanged
+** thereafter.
+**
+** ^The [data_store_directory pragma] may modify this variable and cause
+** it to point to memory obtained from [sqlite3_malloc]. ^Furthermore,
+** the [data_store_directory pragma] always assumes that any string
+** that this variable points to is held in memory obtained from
+** [sqlite3_malloc] and the pragma may attempt to free that memory
+** using [sqlite3_free].
+** Hence, if this variable is modified directly, either it should be
+** made NULL or made to point to memory obtained from [sqlite3_malloc]
+** or else the use of the [data_store_directory pragma] should be avoided.
+*/
+SQLITE_API char *sqlite3_data_directory;
+
+/*
+** CAPI3REF: Test For Auto-Commit Mode
+** KEYWORDS: {autocommit mode}
+**
+** ^The sqlite3_get_autocommit() interface returns non-zero or
+** zero if the given database connection is or is not in autocommit mode,
+** respectively. ^Autocommit mode is on by default.
+** ^Autocommit mode is disabled by a [BEGIN] statement.
+** ^Autocommit mode is re-enabled by a [COMMIT] or [ROLLBACK].
+**
+** If certain kinds of errors occur on a statement within a multi-statement
+** transaction (errors including [SQLITE_FULL], [SQLITE_IOERR],
+** [SQLITE_NOMEM], [SQLITE_BUSY], and [SQLITE_INTERRUPT]) then the
+** transaction might be rolled back automatically. The only way to
+** find out whether SQLite automatically rolled back the transaction after
+** an error is to use this function.
+**
+** If another thread changes the autocommit status of the database
+** connection while this routine is running, then the return value
+** is undefined.
+*/
+SQLITE_API int sqlite3_get_autocommit(sqlite3*);
+
+/*
+** CAPI3REF: Find The Database Handle Of A Prepared Statement
+**
+** ^The sqlite3_db_handle interface returns the [database connection] handle
+** to which a [prepared statement] belongs. ^The [database connection]
+** returned by sqlite3_db_handle is the same [database connection]
+** that was the first argument
+** to the [sqlite3_prepare_v2()] call (or its variants) that was used to
+** create the statement in the first place.
+*/
+SQLITE_API sqlite3 *sqlite3_db_handle(sqlite3_stmt*);
+
+/*
+** CAPI3REF: Return The Filename For A Database Connection
+**
+** ^The sqlite3_db_filename(D,N) interface returns a pointer to a filename
+** associated with database N of connection D. ^The main database file
+** has the name "main". If there is no attached database N on the database
+** connection D, or if database N is a temporary or in-memory database, then
+** a NULL pointer is returned.
+**
+** ^The filename returned by this function is the output of the
+** xFullPathname method of the [VFS]. ^In other words, the filename
+** will be an absolute pathname, even if the filename used
+** to open the database originally was a URI or relative pathname.
+*/
+SQLITE_API const char *sqlite3_db_filename(sqlite3 *db, const char *zDbName);
+
+/*
+** CAPI3REF: Determine if a database is read-only
+**
+** ^The sqlite3_db_readonly(D,N) interface returns 1 if the database N
+** of connection D is read-only, 0 if it is read/write, or -1 if N is not
+** the name of a database on connection D.
+*/
+SQLITE_API int sqlite3_db_readonly(sqlite3 *db, const char *zDbName);
+
+/*
+** CAPI3REF: Find the next prepared statement
+**
+** ^This interface returns a pointer to the next [prepared statement] after
+** pStmt associated with the [database connection] pDb. ^If pStmt is NULL
+** then this interface returns a pointer to the first prepared statement
+** associated with the database connection pDb. ^If no prepared statement
+** satisfies the conditions of this routine, it returns NULL.
+**
+** The [database connection] pointer D in a call to
+** [sqlite3_next_stmt(D,S)] must refer to an open database
+** connection and in particular must not be a NULL pointer.
+*/
+SQLITE_API sqlite3_stmt *sqlite3_next_stmt(sqlite3 *pDb, sqlite3_stmt *pStmt);
+
+/*
+** CAPI3REF: Commit And Rollback Notification Callbacks
+**
+** ^The sqlite3_commit_hook() interface registers a callback
+** function to be invoked whenever a transaction is [COMMIT | committed].
+** ^Any callback set by a previous call to sqlite3_commit_hook()
+** for the same database connection is overridden.
+** ^The sqlite3_rollback_hook() interface registers a callback
+** function to be invoked whenever a transaction is [ROLLBACK | rolled back].
+** ^Any callback set by a previous call to sqlite3_rollback_hook()
+** for the same database connection is overridden.
+** ^The pArg argument is passed through to the callback.
+** ^If the callback on a commit hook function returns non-zero,
+** then the commit is converted into a rollback.
+**
+** ^The sqlite3_commit_hook(D,C,P) and sqlite3_rollback_hook(D,C,P) functions
+** return the P argument from the previous call of the same function
+** on the same [database connection] D, or NULL for
+** the first call for each function on D.
+**
+** The commit and rollback hook callbacks are not reentrant.
+** The callback implementation must not do anything that will modify
+** the database connection that invoked the callback. Any actions
+** to modify the database connection must be deferred until after the
+** completion of the [sqlite3_step()] call that triggered the commit
+** or rollback hook in the first place.
+** Note that running any other SQL statements, including SELECT statements,
+** or merely calling [sqlite3_prepare_v2()] and [sqlite3_step()] will modify
+** the database connections for the meaning of "modify" in this paragraph.
+**
+** ^Registering a NULL function disables the callback.
+**
+** ^When the commit hook callback routine returns zero, the [COMMIT]
+** operation is allowed to continue normally. ^If the commit hook
+** returns non-zero, then the [COMMIT] is converted into a [ROLLBACK].
+** ^The rollback hook is invoked on a rollback that results from a commit
+** hook returning non-zero, just as it would be with any other rollback.
+**
+** ^For the purposes of this API, a transaction is said to have been
+** rolled back if an explicit "ROLLBACK" statement is executed, or
+** an error or constraint causes an implicit rollback to occur.
+** ^The rollback callback is not invoked if a transaction is
+** automatically rolled back because the database connection is closed.
+**
+** See also the [sqlite3_update_hook()] interface.
+*/
+SQLITE_API void *sqlite3_commit_hook(sqlite3*, int(*)(void*), void*);
+SQLITE_API void *sqlite3_rollback_hook(sqlite3*, void(*)(void *), void*);
+
+/*
+** CAPI3REF: Data Change Notification Callbacks
+**
+** ^The sqlite3_update_hook() interface registers a callback function
+** with the [database connection] identified by the first argument
+** to be invoked whenever a row is updated, inserted or deleted.
+** ^Any callback set by a previous call to this function
+** for the same database connection is overridden.
+**
+** ^The second argument is a pointer to the function to invoke when a
+** row is updated, inserted or deleted.
+** ^The first argument to the callback is a copy of the third argument
+** to sqlite3_update_hook().
+** ^The second callback argument is one of [SQLITE_INSERT], [SQLITE_DELETE],
+** or [SQLITE_UPDATE], depending on the operation that caused the callback
+** to be invoked.
+** ^The third and fourth arguments to the callback contain pointers to the
+** database and table name containing the affected row.
+** ^The final callback parameter is the [rowid] of the row.
+** ^In the case of an update, this is the [rowid] after the update takes place.
+**
+** ^(The update hook is not invoked when internal system tables are
+** modified (i.e. sqlite_master and sqlite_sequence).)^
+**
+** ^In the current implementation, the update hook
+** is not invoked when duplication rows are deleted because of an
+** [ON CONFLICT | ON CONFLICT REPLACE] clause. ^Nor is the update hook
+** invoked when rows are deleted using the [truncate optimization].
+** The exceptions defined in this paragraph might change in a future
+** release of SQLite.
+**
+** The update hook implementation must not do anything that will modify
+** the database connection that invoked the update hook. Any actions
+** to modify the database connection must be deferred until after the
+** completion of the [sqlite3_step()] call that triggered the update hook.
+** Note that [sqlite3_prepare_v2()] and [sqlite3_step()] both modify their
+** database connections for the meaning of "modify" in this paragraph.
+**
+** ^The sqlite3_update_hook(D,C,P) function
+** returns the P argument from the previous call
+** on the same [database connection] D, or NULL for
+** the first call on D.
+**
+** See also the [sqlite3_commit_hook()] and [sqlite3_rollback_hook()]
+** interfaces.
+*/
+SQLITE_API void *sqlite3_update_hook(
+ sqlite3*,
+ void(*)(void *,int ,char const *,char const *,sqlite3_int64),
+ void*
+);
+
+/*
+** CAPI3REF: Enable Or Disable Shared Pager Cache
+**
+** ^(This routine enables or disables the sharing of the database cache
+** and schema data structures between [database connection | connections]
+** to the same database. Sharing is enabled if the argument is true
+** and disabled if the argument is false.)^
+**
+** ^Cache sharing is enabled and disabled for an entire process.
+** This is a change as of SQLite version 3.5.0. In prior versions of SQLite,
+** sharing was enabled or disabled for each thread separately.
+**
+** ^(The cache sharing mode set by this interface effects all subsequent
+** calls to [sqlite3_open()], [sqlite3_open_v2()], and [sqlite3_open16()].
+** Existing database connections continue use the sharing mode
+** that was in effect at the time they were opened.)^
+**
+** ^(This routine returns [SQLITE_OK] if shared cache was enabled or disabled
+** successfully. An [error code] is returned otherwise.)^
+**
+** ^Shared cache is disabled by default. But this might change in
+** future releases of SQLite. Applications that care about shared
+** cache setting should set it explicitly.
+**
+** This interface is threadsafe on processors where writing a
+** 32-bit integer is atomic.
+**
+** See Also: [SQLite Shared-Cache Mode]
+*/
+SQLITE_API int sqlite3_enable_shared_cache(int);
+
+/*
+** CAPI3REF: Attempt To Free Heap Memory
+**
+** ^The sqlite3_release_memory() interface attempts to free N bytes
+** of heap memory by deallocating non-essential memory allocations
+** held by the database library. Memory used to cache database
+** pages to improve performance is an example of non-essential memory.
+** ^sqlite3_release_memory() returns the number of bytes actually freed,
+** which might be more or less than the amount requested.
+** ^The sqlite3_release_memory() routine is a no-op returning zero
+** if SQLite is not compiled with [SQLITE_ENABLE_MEMORY_MANAGEMENT].
+**
+** See also: [sqlite3_db_release_memory()]
+*/
+SQLITE_API int sqlite3_release_memory(int);
+
+/*
+** CAPI3REF: Free Memory Used By A Database Connection
+**
+** ^The sqlite3_db_release_memory(D) interface attempts to free as much heap
+** memory as possible from database connection D. Unlike the
+** [sqlite3_release_memory()] interface, this interface is effect even
+** when then [SQLITE_ENABLE_MEMORY_MANAGEMENT] compile-time option is
+** omitted.
+**
+** See also: [sqlite3_release_memory()]
+*/
+SQLITE_API int sqlite3_db_release_memory(sqlite3*);
+
+/*
+** CAPI3REF: Impose A Limit On Heap Size
+**
+** ^The sqlite3_soft_heap_limit64() interface sets and/or queries the
+** soft limit on the amount of heap memory that may be allocated by SQLite.
+** ^SQLite strives to keep heap memory utilization below the soft heap
+** limit by reducing the number of pages held in the page cache
+** as heap memory usages approaches the limit.
+** ^The soft heap limit is "soft" because even though SQLite strives to stay
+** below the limit, it will exceed the limit rather than generate
+** an [SQLITE_NOMEM] error. In other words, the soft heap limit
+** is advisory only.
+**
+** ^The return value from sqlite3_soft_heap_limit64() is the size of
+** the soft heap limit prior to the call, or negative in the case of an
+** error. ^If the argument N is negative
+** then no change is made to the soft heap limit. Hence, the current
+** size of the soft heap limit can be determined by invoking
+** sqlite3_soft_heap_limit64() with a negative argument.
+**
+** ^If the argument N is zero then the soft heap limit is disabled.
+**
+** ^(The soft heap limit is not enforced in the current implementation
+** if one or more of following conditions are true:
+**
+**
    +**
  • The soft heap limit is set to zero. +**
  • Memory accounting is disabled using a combination of the +** [sqlite3_config]([SQLITE_CONFIG_MEMSTATUS],...) start-time option and +** the [SQLITE_DEFAULT_MEMSTATUS] compile-time option. +**
  • An alternative page cache implementation is specified using +** [sqlite3_config]([SQLITE_CONFIG_PCACHE2],...). +**
  • The page cache allocates from its own memory pool supplied +** by [sqlite3_config]([SQLITE_CONFIG_PAGECACHE],...) rather than +** from the heap. +**
)^
+**
+** Beginning with SQLite version 3.7.3, the soft heap limit is enforced
+** regardless of whether or not the [SQLITE_ENABLE_MEMORY_MANAGEMENT]
+** compile-time option is invoked. With [SQLITE_ENABLE_MEMORY_MANAGEMENT],
+** the soft heap limit is enforced on every memory allocation. Without
+** [SQLITE_ENABLE_MEMORY_MANAGEMENT], the soft heap limit is only enforced
+** when memory is allocated by the page cache. Testing suggests that because
+** the page cache is the predominate memory user in SQLite, most
+** applications will achieve adequate soft heap limit enforcement without
+** the use of [SQLITE_ENABLE_MEMORY_MANAGEMENT].
+**
+** The circumstances under which SQLite will enforce the soft heap limit may
+** changes in future releases of SQLite.
+*/
+SQLITE_API sqlite3_int64 sqlite3_soft_heap_limit64(sqlite3_int64 N);
+
+/*
+** CAPI3REF: Deprecated Soft Heap Limit Interface
+** DEPRECATED
+**
+** This is a deprecated version of the [sqlite3_soft_heap_limit64()]
+** interface. This routine is provided for historical compatibility
+** only. All new applications should use the
+** [sqlite3_soft_heap_limit64()] interface rather than this one.
+*/
+SQLITE_API SQLITE_DEPRECATED void sqlite3_soft_heap_limit(int N);
+
+
+/*
+** CAPI3REF: Extract Metadata About A Column Of A Table
+**
+** ^This routine returns metadata about a specific column of a specific
+** database table accessible using the [database connection] handle
+** passed as the first function argument.
+**
+** ^The column is identified by the second, third and fourth parameters to
+** this function. ^The second parameter is either the name of the database
+** (i.e. "main", "temp", or an attached database) containing the specified
+** table or NULL. ^If it is NULL, then all attached databases are searched
+** for the table using the same algorithm used by the database engine to
+** resolve unqualified table references.
+**
+** ^The third and fourth parameters to this function are the table and column
+** name of the desired column, respectively. Neither of these parameters
+** may be NULL.
+**
+** ^Metadata is returned by writing to the memory locations passed as the 5th
+** and subsequent parameters to this function. ^Any of these arguments may be
+** NULL, in which case the corresponding element of metadata is omitted.
+**
+** ^(
+**
+**
Parameter Output
Type
Description
+**
+**
5th const char* Data type
+**
6th const char* Name of default collation sequence
+**
7th int True if column has a NOT NULL constraint
+**
8th int True if column is part of the PRIMARY KEY
+**
9th int True if column is [AUTOINCREMENT]
+**
+**
)^
+**
+** ^The memory pointed to by the character pointers returned for the
+** declaration type and collation sequence is valid only until the next
+** call to any SQLite API function.
+**
+** ^If the specified table is actually a view, an [error code] is returned.
+**
+** ^If the specified column is "rowid", "oid" or "_rowid_" and an
+** [INTEGER PRIMARY KEY] column has been explicitly declared, then the output
+** parameters are set for the explicitly declared column. ^(If there is no
+** explicitly declared [INTEGER PRIMARY KEY] column, then the output
+** parameters are set as follows:
+**
+**
+**     data type: "INTEGER"
+**     collation sequence: "BINARY"
+**     not null: 0
+**     primary key: 1
+**     auto increment: 0
+** 
)^
+**
+** ^(This function may load one or more schemas from database files. If an
+** error occurs during this process, or if the requested table or column
+** cannot be found, an [error code] is returned and an error message left
+** in the [database connection] (to be retrieved using sqlite3_errmsg()).)^
+**
+** ^This API is only available if the library was compiled with the
+** [SQLITE_ENABLE_COLUMN_METADATA] C-preprocessor symbol defined.
+*/
+SQLITE_API int sqlite3_table_column_metadata(
+ sqlite3 *db, /* Connection handle */
+ const char *zDbName, /* Database name or NULL */
+ const char *zTableName, /* Table name */
+ const char *zColumnName, /* Column name */
+ char const **pzDataType, /* OUTPUT: Declared data type */
+ char const **pzCollSeq, /* OUTPUT: Collation sequence name */
+ int *pNotNull, /* OUTPUT: True if NOT NULL constraint exists */
+ int *pPrimaryKey, /* OUTPUT: True if column part of PK */
+ int *pAutoinc /* OUTPUT: True if column is auto-increment */
+);
+
+/*
+** CAPI3REF: Load An Extension
+**
+** ^This interface loads an SQLite extension library from the named file.
+**
+** ^The sqlite3_load_extension() interface attempts to load an
+** SQLite extension library contained in the file zFile.
+**
+** ^The entry point is zProc.
+** ^zProc may be 0, in which case the name of the entry point
+** defaults to "sqlite3_extension_init".
+** ^The sqlite3_load_extension() interface returns
+** [SQLITE_OK] on success and [SQLITE_ERROR] if something goes wrong.
+** ^If an error occurs and pzErrMsg is not 0, then the
+** [sqlite3_load_extension()] interface shall attempt to
+** fill *pzErrMsg with error message text stored in memory
+** obtained from [sqlite3_malloc()]. The calling function
+** should free this memory by calling [sqlite3_free()].
+**
+** ^Extension loading must be enabled using
+** [sqlite3_enable_load_extension()] prior to calling this API,
+** otherwise an error will be returned.
+**
+** See also the [load_extension() SQL function].
+*/
+SQLITE_API int sqlite3_load_extension(
+ sqlite3 *db, /* Load the extension into this database connection */
+ const char *zFile, /* Name of the shared library containing extension */
+ const char *zProc, /* Entry point. Derived from zFile if 0 */
+ char **pzErrMsg /* Put error message here if not 0 */
+);
+
+/*
+** CAPI3REF: Enable Or Disable Extension Loading
+**
+** ^So as not to open security holes in older applications that are
+** unprepared to deal with extension loading, and as a means of disabling
+** extension loading while evaluating user-entered SQL, the following API
+** is provided to turn the [sqlite3_load_extension()] mechanism on and off.
+**
+** ^Extension loading is off by default. See ticket #1863.
+** ^Call the sqlite3_enable_load_extension() routine with onoff==1
+** to turn extension loading on and call it with onoff==0 to turn
+** it back off again.
+*/
+SQLITE_API int sqlite3_enable_load_extension(sqlite3 *db, int onoff);
+
+/*
+** CAPI3REF: Automatically Load Statically Linked Extensions
+**
+** ^This interface causes the xEntryPoint() function to be invoked for
+** each new [database connection] that is created. The idea here is that
+** xEntryPoint() is the entry point for a statically linked SQLite extension
+** that is to be automatically loaded into all new database connections.
+**
+** ^(Even though the function prototype shows that xEntryPoint() takes
+** no arguments and returns void, SQLite invokes xEntryPoint() with three
+** arguments and expects and integer result as if the signature of the
+** entry point where as follows:
+**
+**
+**    int xEntryPoint(
+**      sqlite3 *db,
+**      const char **pzErrMsg,
+**      const struct sqlite3_api_routines *pThunk
+**    );
+** 
)^
+**
+** If the xEntryPoint routine encounters an error, it should make *pzErrMsg
+** point to an appropriate error message (obtained from [sqlite3_mprintf()])
+** and return an appropriate [error code]. ^SQLite ensures that *pzErrMsg
+** is NULL before calling the xEntryPoint(). ^SQLite will invoke
+** [sqlite3_free()] on *pzErrMsg after xEntryPoint() returns. ^If any
+** xEntryPoint() returns an error, the [sqlite3_open()], [sqlite3_open16()],
+** or [sqlite3_open_v2()] call that provoked the xEntryPoint() will fail.
+**
+** ^Calling sqlite3_auto_extension(X) with an entry point X that is already
+** on the list of automatic extensions is a harmless no-op. ^No entry point
+** will be called more than once for each database connection that is opened.
+**
+** See also: [sqlite3_reset_auto_extension()].
+*/
+SQLITE_API int sqlite3_auto_extension(void (*xEntryPoint)(void));
+
+/*
+** CAPI3REF: Reset Automatic Extension Loading
+**
+** ^This interface disables all automatic extensions previously
+** registered using [sqlite3_auto_extension()].
+*/
+SQLITE_API void sqlite3_reset_auto_extension(void);
+
+/*
+** The interface to the virtual-table mechanism is currently considered
+** to be experimental. The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stabilizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+*/
+
+/*
+** Structures used by the virtual table interface
+*/
+typedef struct sqlite3_vtab sqlite3_vtab;
+typedef struct sqlite3_index_info sqlite3_index_info;
+typedef struct sqlite3_vtab_cursor sqlite3_vtab_cursor;
+typedef struct sqlite3_module sqlite3_module;
+
+/*
+** CAPI3REF: Virtual Table Object
+** KEYWORDS: sqlite3_module {virtual table module}
+**
+** This structure, sometimes called a "virtual table module",
+** defines the implementation of a [virtual tables].
+** This structure consists mostly of methods for the module.
+**
+** ^A virtual table module is created by filling in a persistent
+** instance of this structure and passing a pointer to that instance
+** to [sqlite3_create_module()] or [sqlite3_create_module_v2()].
+** ^The registration remains valid until it is replaced by a different
+** module or until the [database connection] closes. The content
+** of this structure must not change while it is registered with
+** any database connection.
+*/
+struct sqlite3_module {
+ int iVersion;
+ int (*xCreate)(sqlite3*, void *pAux,
+ int argc, const char *const*argv,
+ sqlite3_vtab **ppVTab, char**);
+ int (*xConnect)(sqlite3*, void *pAux,
+ int argc, const char *const*argv,
+ sqlite3_vtab **ppVTab, char**);
+ int (*xBestIndex)(sqlite3_vtab *pVTab, sqlite3_index_info*);
+ int (*xDisconnect)(sqlite3_vtab *pVTab);
+ int (*xDestroy)(sqlite3_vtab *pVTab);
+ int (*xOpen)(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor);
+ int (*xClose)(sqlite3_vtab_cursor*);
+ int (*xFilter)(sqlite3_vtab_cursor*, int idxNum, const char *idxStr,
+ int argc, sqlite3_value **argv);
+ int (*xNext)(sqlite3_vtab_cursor*);
+ int (*xEof)(sqlite3_vtab_cursor*);
+ int (*xColumn)(sqlite3_vtab_cursor*, sqlite3_context*, int);
+ int (*xRowid)(sqlite3_vtab_cursor*, sqlite3_int64 *pRowid);
+ int (*xUpdate)(sqlite3_vtab *, int, sqlite3_value **, sqlite3_int64 *);
+ int (*xBegin)(sqlite3_vtab *pVTab);
+ int (*xSync)(sqlite3_vtab *pVTab);
+ int (*xCommit)(sqlite3_vtab *pVTab);
+ int (*xRollback)(sqlite3_vtab *pVTab);
+ int (*xFindFunction)(sqlite3_vtab *pVtab, int nArg, const char *zName,
+ void (**pxFunc)(sqlite3_context*,int,sqlite3_value**),
+ void **ppArg);
+ int (*xRename)(sqlite3_vtab *pVtab, const char *zNew);
+ /* The methods above are in version 1 of the sqlite_module object. Those
+ ** below are for version 2 and greater.
 */
+ int (*xSavepoint)(sqlite3_vtab *pVTab, int);
+ int (*xRelease)(sqlite3_vtab *pVTab, int);
+ int (*xRollbackTo)(sqlite3_vtab *pVTab, int);
+};
+
+/*
+** CAPI3REF: Virtual Table Indexing Information
+** KEYWORDS: sqlite3_index_info
+**
+** The sqlite3_index_info structure and its substructures is used as part
+** of the [virtual table] interface to
+** pass information into and receive the reply from the [xBestIndex]
+** method of a [virtual table module]. The fields under **Inputs** are the
+** inputs to xBestIndex and are read-only. xBestIndex inserts its
+** results into the **Outputs** fields.
+**
+** ^(The aConstraint[] array records WHERE clause constraints of the form:
+**
+**
column OP expr
+**
+** where OP is =, <, <=, >, or >=.)^ ^(The particular operator is
+** stored in aConstraint[].op using one of the
+** [SQLITE_INDEX_CONSTRAINT_EQ | SQLITE_INDEX_CONSTRAINT_ values].)^
+** ^(The index of the column is stored in
+** aConstraint[].iColumn.)^ ^(aConstraint[].usable is TRUE if the
+** expr on the right-hand side can be evaluated (and thus the constraint
+** is usable) and false if it cannot.)^
+**
+** ^The optimizer automatically inverts terms of the form "expr OP column"
+** and makes other simplifications to the WHERE clause in an attempt to
+** get as many WHERE clause terms into the form shown above as possible.
+** ^The aConstraint[] array only reports WHERE clause terms that are
+** relevant to the particular virtual table being queried.
+**
+** ^Information about the ORDER BY clause is stored in aOrderBy[].
+** ^Each term of aOrderBy records a column of the ORDER BY clause.
+**
+** The [xBestIndex] method must fill aConstraintUsage[] with information
+** about what parameters to pass to xFilter. ^If argvIndex>0 then
+** the right-hand side of the corresponding aConstraint[] is evaluated
+** and becomes the argvIndex-th entry in argv. ^(If aConstraintUsage[].omit
+** is true, then the constraint is assumed to be fully handled by the
+** virtual table and is not checked again by SQLite.)^
+**
+** ^The idxNum and idxPtr values are recorded and passed into the
+** [xFilter] method.
+** ^[sqlite3_free()] is used to free idxPtr if and only if
+** needToFreeIdxPtr is true.
+**
+** ^The orderByConsumed means that output from [xFilter]/[xNext] will occur in
+** the correct order to satisfy the ORDER BY clause so that no separate
+** sorting step is required.
+**
+** ^The estimatedCost value is an estimate of the cost of doing the
+** particular lookup. A full scan of a table with N entries should have
+** a cost of N. A binary search of a table of N entries should have a
+** cost of approximately log(N).
+*/
+struct sqlite3_index_info {
+ /* Inputs */
+ int nConstraint; /* Number of entries in aConstraint */
+ struct sqlite3_index_constraint {
+ int iColumn; /* Column on left-hand side of constraint */
+ unsigned char op; /* Constraint operator */
+ unsigned char usable; /* True if this constraint is usable */
+ int iTermOffset; /* Used internally - xBestIndex should ignore */
+ } *aConstraint; /* Table of WHERE clause constraints */
+ int nOrderBy; /* Number of terms in the ORDER BY clause */
+ struct sqlite3_index_orderby {
+ int iColumn; /* Column number */
+ unsigned char desc; /* True for DESC. False for ASC. */
+ } *aOrderBy; /* The ORDER BY clause */
+ /* Outputs */
+ struct sqlite3_index_constraint_usage {
+ int argvIndex; /* if >0, constraint is part of argv to xFilter */
+ unsigned char omit; /* Do not code a test for this constraint */
+ } *aConstraintUsage;
+ int idxNum; /* Number used to identify the index */
+ char *idxStr; /* String, possibly obtained from sqlite3_malloc */
+ int needToFreeIdxStr; /* Free idxStr using sqlite3_free() if true */
+ int orderByConsumed; /* True if output is already ordered */
+ double estimatedCost; /* Estimated cost of using this index */
+};
+
+/*
+** CAPI3REF: Virtual Table Constraint Operator Codes
+**
+** These macros defined the allowed values for the
+** [sqlite3_index_info].aConstraint[].op field. Each value represents
+** an operator that is part of a constraint term in the wHERE clause of
+** a query that uses a [virtual table].
+*/
+#define SQLITE_INDEX_CONSTRAINT_EQ 2
+#define SQLITE_INDEX_CONSTRAINT_GT 4
+#define SQLITE_INDEX_CONSTRAINT_LE 8
+#define SQLITE_INDEX_CONSTRAINT_LT 16
+#define SQLITE_INDEX_CONSTRAINT_GE 32
+#define SQLITE_INDEX_CONSTRAINT_MATCH 64
+
+/*
+** CAPI3REF: Register A Virtual Table Implementation
+**
+** ^These routines are used to register a new [virtual table module] name.
+** ^Module names must be registered before
+** creating a new [virtual table] using the module and before using a
+** preexisting [virtual table] for the module.
+**
+** ^The module name is registered on the [database connection] specified
+** by the first parameter. ^The name of the module is given by the
+** second parameter. ^The third parameter is a pointer to
+** the implementation of the [virtual table module]. ^The fourth
+** parameter is an arbitrary client data pointer that is passed through
+** into the [xCreate] and [xConnect] methods of the virtual table module
+** when a new virtual table is be being created or reinitialized.
+**
+** ^The sqlite3_create_module_v2() interface has a fifth parameter which
+** is a pointer to a destructor for the pClientData. ^SQLite will
+** invoke the destructor function (if it is not NULL) when SQLite
+** no longer needs the pClientData pointer. ^The destructor will also
+** be invoked if the call to sqlite3_create_module_v2() fails.
+** ^The sqlite3_create_module()
+** interface is equivalent to sqlite3_create_module_v2() with a NULL
+** destructor.
+*/
+SQLITE_API int sqlite3_create_module(
+ sqlite3 *db, /* SQLite connection to register module with */
+ const char *zName, /* Name of the module */
+ const sqlite3_module *p, /* Methods for the module */
+ void *pClientData /* Client data for xCreate/xConnect */
+);
+SQLITE_API int sqlite3_create_module_v2(
+ sqlite3 *db, /* SQLite connection to register module with */
+ const char *zName, /* Name of the module */
+ const sqlite3_module *p, /* Methods for the module */
+ void *pClientData, /* Client data for xCreate/xConnect */
+ void(*xDestroy)(void*) /* Module destructor function */
+);
+
+/*
+** CAPI3REF: Virtual Table Instance Object
+** KEYWORDS: sqlite3_vtab
+**
+** Every [virtual table module] implementation uses a subclass
+** of this object to describe a particular instance
+** of the [virtual table].
Each subclass will
+** be tailored to the specific needs of the module implementation.
+** The purpose of this superclass is to define certain fields that are
+** common to all module implementations.
+**
+** ^Virtual tables methods can set an error message by assigning a
+** string obtained from [sqlite3_mprintf()] to zErrMsg. The method should
+** take care that any prior string is freed by a call to [sqlite3_free()]
+** prior to assigning a new string to zErrMsg. ^After the error message
+** is delivered up to the client application, the string will be automatically
+** freed by sqlite3_free() and the zErrMsg field will be zeroed.
+*/
+struct sqlite3_vtab {
+ const sqlite3_module *pModule; /* The module for this virtual table */
+ int nRef; /* NO LONGER USED */
+ char *zErrMsg; /* Error message from sqlite3_mprintf() */
+ /* Virtual table implementations will typically add additional fields */
+};
+
+/*
+** CAPI3REF: Virtual Table Cursor Object
+** KEYWORDS: sqlite3_vtab_cursor {virtual table cursor}
+**
+** Every [virtual table module] implementation uses a subclass of the
+** following structure to describe cursors that point into the
+** [virtual table] and are used
+** to loop through the virtual table. Cursors are created using the
+** [sqlite3_module.xOpen | xOpen] method of the module and are destroyed
+** by the [sqlite3_module.xClose | xClose] method. Cursors are used
+** by the [xFilter], [xNext], [xEof], [xColumn], and [xRowid] methods
+** of the module. Each module implementation will define
+** the content of a cursor structure to suit its own needs.
+**
+** This superclass exists in order to define fields of the cursor that
+** are common to all implementations.
+*/
+struct sqlite3_vtab_cursor {
+ sqlite3_vtab *pVtab; /* Virtual table of this cursor */
+ /* Virtual table implementations will typically add additional fields */
+};
+
+/*
+** CAPI3REF: Declare The Schema Of A Virtual Table
+**
+** ^The [xCreate] and [xConnect] methods of a
+** [virtual table module] call this interface
+** to declare the format (the names and datatypes of the columns) of
+** the virtual tables they implement.
+*/
+SQLITE_API int sqlite3_declare_vtab(sqlite3*, const char *zSQL);
+
+/*
+** CAPI3REF: Overload A Function For A Virtual Table
+**
+** ^(Virtual tables can provide alternative implementations of functions
+** using the [xFindFunction] method of the [virtual table module].
+** But global versions of those functions
+** must exist in order to be overloaded.)^
+**
+** ^(This API makes sure a global version of a function with a particular
+** name and number of parameters exists. If no such function exists
+** before this API is called, a new function is created.)^ ^The implementation
+** of the new function always causes an exception to be thrown. So
+** the new function is not good for anything by itself. Its only
+** purpose is to be a placeholder function that can be overloaded
+** by a [virtual table].
+*/
+SQLITE_API int sqlite3_overload_function(sqlite3*, const char *zFuncName, int nArg);
+
+/*
+** The interface to the virtual-table mechanism defined above (back up
+** to a comment remarkably similar to this one) is currently considered
+** to be experimental. The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stabilizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+*/
+
+/*
+** CAPI3REF: A Handle To An Open BLOB
+** KEYWORDS: {BLOB handle} {BLOB handles}
+**
+** An instance of this object represents an open BLOB on which
+** [sqlite3_blob_open | incremental BLOB I/O] can be performed.
+** ^Objects of this type are created by [sqlite3_blob_open()]
+** and destroyed by [sqlite3_blob_close()].
+** ^The [sqlite3_blob_read()] and [sqlite3_blob_write()] interfaces
+** can be used to read or write small subsections of the BLOB.
+** ^The [sqlite3_blob_bytes()] interface returns the size of the BLOB in bytes.
+*/
+typedef struct sqlite3_blob sqlite3_blob;
+
+/*
+** CAPI3REF: Open A BLOB For Incremental I/O
+**
+** ^(This interfaces opens a [BLOB handle | handle] to the BLOB located
+** in row iRow, column zColumn, table zTable in database zDb;
+** in other words, the same BLOB that would be selected by:
+**
+**
+**     SELECT zColumn FROM zDb.zTable WHERE [rowid] = iRow;
+** 
)^
+**
+** ^If the flags parameter is non-zero, then the BLOB is opened for read
+** and write access. ^If it is zero, the BLOB is opened for read access.
+** ^It is not possible to open a column that is part of an index or primary
+** key for writing. ^If [foreign key constraints] are enabled, it is
+** not possible to open a column that is part of a [child key] for writing.
+**
+** ^Note that the database name is not the filename that contains
+** the database but rather the symbolic name of the database that
+** appears after the AS keyword when the database is connected using [ATTACH].
+** ^For the main database file, the database name is "main".
+** ^For TEMP tables, the database name is "temp".
+**
+** ^(On success, [SQLITE_OK] is returned and the new [BLOB handle] is written
+** to *ppBlob. Otherwise an [error code] is returned and *ppBlob is set
+** to be a null pointer.)^
+** ^This function sets the [database connection] error code and message
+** accessible via [sqlite3_errcode()] and [sqlite3_errmsg()] and related
+** functions. ^Note that the *ppBlob variable is always initialized in a
+** way that makes it safe to invoke [sqlite3_blob_close()] on *ppBlob
+** regardless of the success or failure of this routine.
+**
+** ^(If the row that a BLOB handle points to is modified by an
+** [UPDATE], [DELETE], or by [ON CONFLICT] side-effects
+** then the BLOB handle is marked as "expired".
+** This is true if any column of the row is changed, even a column
+** other than the one the BLOB handle is open on.)^
+** ^Calls to [sqlite3_blob_read()] and [sqlite3_blob_write()] for
+** an expired BLOB handle fail with a return code of [SQLITE_ABORT].
+** ^(Changes written into a BLOB prior to the BLOB expiring are not
+** rolled back by the expiration of the BLOB. Such changes will eventually
+** commit if the transaction continues to completion.)^
+**
+** ^Use the [sqlite3_blob_bytes()] interface to determine the size of
+** the opened blob.
^The size of a blob may not be changed by this
+** interface. Use the [UPDATE] SQL command to change the size of a
+** blob.
+**
+** ^The [sqlite3_bind_zeroblob()] and [sqlite3_result_zeroblob()] interfaces
+** and the built-in [zeroblob] SQL function can be used, if desired,
+** to create an empty, zero-filled blob in which to read or write using
+** this interface.
+**
+** To avoid a resource leak, every open [BLOB handle] should eventually
+** be released by a call to [sqlite3_blob_close()].
+*/
+SQLITE_API int sqlite3_blob_open(
+ sqlite3*,
+ const char *zDb,
+ const char *zTable,
+ const char *zColumn,
+ sqlite3_int64 iRow,
+ int flags,
+ sqlite3_blob **ppBlob
+);
+
+/*
+** CAPI3REF: Move a BLOB Handle to a New Row
+**
+** ^This function is used to move an existing blob handle so that it points
+** to a different row of the same database table. ^The new row is identified
+** by the rowid value passed as the second argument. Only the row can be
+** changed. ^The database, table and column on which the blob handle is open
+** remain the same. Moving an existing blob handle to a new row can be
+** faster than closing the existing handle and opening a new one.
+**
+** ^(The new row must meet the same criteria as for [sqlite3_blob_open()] -
+** it must exist and there must be either a blob or text value stored in
+** the nominated column.)^ ^If the new row is not present in the table, or if
+** it does not contain a blob or text value, or if another error occurs, an
+** SQLite error code is returned and the blob handle is considered aborted.
+** ^All subsequent calls to [sqlite3_blob_read()], [sqlite3_blob_write()] or
+** [sqlite3_blob_reopen()] on an aborted blob handle immediately return
+** SQLITE_ABORT. ^Calling [sqlite3_blob_bytes()] on an aborted blob handle
+** always returns zero.
+**
+** ^This function sets the database handle error code and message.
+*/
+SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_blob_reopen(sqlite3_blob *, sqlite3_int64);
+
+/*
+** CAPI3REF: Close A BLOB Handle
+**
+** ^Closes an open [BLOB handle].
+**
+** ^Closing a BLOB shall cause the current transaction to commit
+** if there are no other BLOBs, no pending prepared statements, and the
+** database connection is in [autocommit mode].
+** ^If any writes were made to the BLOB, they might be held in cache
+** until the close operation if they will fit.
+**
+** ^(Closing the BLOB often forces the changes
+** out to disk and so if any I/O errors occur, they will likely occur
+** at the time when the BLOB is closed. Any errors that occur during
+** closing are reported as a non-zero return value.)^
+**
+** ^(The BLOB is closed unconditionally. Even if this routine returns
+** an error code, the BLOB is still closed.)^
+**
+** ^Calling this routine with a null pointer (such as would be returned
+** by a failed call to [sqlite3_blob_open()]) is a harmless no-op.
+*/
+SQLITE_API int sqlite3_blob_close(sqlite3_blob *);
+
+/*
+** CAPI3REF: Return The Size Of An Open BLOB
+**
+** ^Returns the size in bytes of the BLOB accessible via the
+** successfully opened [BLOB handle] in its only argument. ^The
+** incremental blob I/O routines can only read or overwriting existing
+** blob content; they cannot change the size of a blob.
+**
+** This routine only works on a [BLOB handle] which has been created
+** by a prior successful call to [sqlite3_blob_open()] and which has not
+** been closed by [sqlite3_blob_close()]. Passing any other pointer in
+** to this routine results in undefined and probably undesirable behavior.
+*/
+SQLITE_API int sqlite3_blob_bytes(sqlite3_blob *);
+
+/*
+** CAPI3REF: Read Data From A BLOB Incrementally
+**
+** ^(This function is used to read data from an open [BLOB handle] into a
+** caller-supplied buffer.
N bytes of data are copied into buffer Z
+** from the open BLOB, starting at offset iOffset.)^
+**
+** ^If offset iOffset is less than N bytes from the end of the BLOB,
+** [SQLITE_ERROR] is returned and no data is read. ^If N or iOffset is
+** less than zero, [SQLITE_ERROR] is returned and no data is read.
+** ^The size of the blob (and hence the maximum value of N+iOffset)
+** can be determined using the [sqlite3_blob_bytes()] interface.
+**
+** ^An attempt to read from an expired [BLOB handle] fails with an
+** error code of [SQLITE_ABORT].
+**
+** ^(On success, sqlite3_blob_read() returns SQLITE_OK.
+** Otherwise, an [error code] or an [extended error code] is returned.)^
+**
+** This routine only works on a [BLOB handle] which has been created
+** by a prior successful call to [sqlite3_blob_open()] and which has not
+** been closed by [sqlite3_blob_close()]. Passing any other pointer in
+** to this routine results in undefined and probably undesirable behavior.
+**
+** See also: [sqlite3_blob_write()].
+*/
+SQLITE_API int sqlite3_blob_read(sqlite3_blob *, void *Z, int N, int iOffset);
+
+/*
+** CAPI3REF: Write Data Into A BLOB Incrementally
+**
+** ^This function is used to write data into an open [BLOB handle] from a
+** caller-supplied buffer. ^N bytes of data are copied from the buffer Z
+** into the open BLOB, starting at offset iOffset.
+**
+** ^If the [BLOB handle] passed as the first argument was not opened for
+** writing (the flags parameter to [sqlite3_blob_open()] was zero),
+** this function returns [SQLITE_READONLY].
+**
+** ^This function may only modify the contents of the BLOB; it is
+** not possible to increase the size of a BLOB using this API.
+** ^If offset iOffset is less than N bytes from the end of the BLOB,
+** [SQLITE_ERROR] is returned and no data is written. ^If N is
+** less than zero [SQLITE_ERROR] is returned and no data is written.
+** The size of the BLOB (and hence the maximum value of N+iOffset)
+** can be determined using the [sqlite3_blob_bytes()] interface.
+**
+** ^An attempt to write to an expired [BLOB handle] fails with an
+** error code of [SQLITE_ABORT]. ^Writes to the BLOB that occurred
+** before the [BLOB handle] expired are not rolled back by the
+** expiration of the handle, though of course those changes might
+** have been overwritten by the statement that expired the BLOB handle
+** or by other independent statements.
+**
+** ^(On success, sqlite3_blob_write() returns SQLITE_OK.
+** Otherwise, an [error code] or an [extended error code] is returned.)^
+**
+** This routine only works on a [BLOB handle] which has been created
+** by a prior successful call to [sqlite3_blob_open()] and which has not
+** been closed by [sqlite3_blob_close()]. Passing any other pointer in
+** to this routine results in undefined and probably undesirable behavior.
+**
+** See also: [sqlite3_blob_read()].
+*/
+SQLITE_API int sqlite3_blob_write(sqlite3_blob *, const void *z, int n, int iOffset);
+
+/*
+** CAPI3REF: Virtual File System Objects
+**
+** A virtual filesystem (VFS) is an [sqlite3_vfs] object
+** that SQLite uses to interact
+** with the underlying operating system. Most SQLite builds come with a
+** single default VFS that is appropriate for the host computer.
+** New VFSes can be registered and existing VFSes can be unregistered.
+** The following interfaces are provided.
+**
+** ^The sqlite3_vfs_find() interface returns a pointer to a VFS given its name.
+** ^Names are case sensitive.
+** ^Names are zero-terminated UTF-8 strings.
+** ^If there is no match, a NULL pointer is returned.
+** ^If zVfsName is NULL then the default VFS is returned.
+**
+** ^New VFSes are registered with sqlite3_vfs_register().
+** ^Each new VFS becomes the default VFS if the makeDflt flag is set.
+** ^The same VFS can be registered multiple times without injury.
+** ^To make an existing VFS into the default VFS, register it again
+** with the makeDflt flag set. If two different VFSes with the
+** same name are registered, the behavior is undefined. If a
+** VFS is registered with a name that is NULL or an empty string,
+** then the behavior is undefined.
+**
+** ^Unregister a VFS with the sqlite3_vfs_unregister() interface.
+** ^(If the default VFS is unregistered, another VFS is chosen as
+** the default. The choice for the new VFS is arbitrary.)^
+*/
+SQLITE_API sqlite3_vfs *sqlite3_vfs_find(const char *zVfsName);
+SQLITE_API int sqlite3_vfs_register(sqlite3_vfs*, int makeDflt);
+SQLITE_API int sqlite3_vfs_unregister(sqlite3_vfs*);
+
+/*
+** CAPI3REF: Mutexes
+**
+** The SQLite core uses these routines for thread
+** synchronization. Though they are intended for internal
+** use by SQLite, code that links against SQLite is
+** permitted to use any of these routines.
+**
+** The SQLite source code contains multiple implementations
+** of these mutex routines. An appropriate implementation
+** is selected automatically at compile-time. ^(The following
+** implementations are available in the SQLite core:
+**
+**
    +**
  • SQLITE_MUTEX_PTHREADS
+**
  • SQLITE_MUTEX_W32
+**
  • SQLITE_MUTEX_NOOP
+**
)^
+**
+** ^The SQLITE_MUTEX_NOOP implementation is a set of routines
+** that does no real locking and is appropriate for use in
+** a single-threaded application. ^The SQLITE_MUTEX_PTHREADS and
+** SQLITE_MUTEX_W32 implementations are appropriate for use on Unix
+** and Windows.
+**
+** ^(If SQLite is compiled with the SQLITE_MUTEX_APPDEF preprocessor
+** macro defined (with "-DSQLITE_MUTEX_APPDEF=1"), then no mutex
+** implementation is included with the library. In this case the
+** application must supply a custom mutex implementation using the
+** [SQLITE_CONFIG_MUTEX] option of the sqlite3_config() function
+** before calling sqlite3_initialize() or any other public sqlite3_
+** function that calls sqlite3_initialize().)^
+**
+** ^The sqlite3_mutex_alloc() routine allocates a new
+** mutex and returns a pointer to it. ^If it returns NULL
+** that means that a mutex could not be allocated. ^SQLite
+** will unwind its stack and return an error. ^(The argument
+** to sqlite3_mutex_alloc() is one of these integer constants:
+**
+**
    +**
  • SQLITE_MUTEX_FAST
+**
  • SQLITE_MUTEX_RECURSIVE
+**
  • SQLITE_MUTEX_STATIC_MASTER
+**
  • SQLITE_MUTEX_STATIC_MEM
+**
  • SQLITE_MUTEX_STATIC_MEM2
+**
  • SQLITE_MUTEX_STATIC_PRNG
+**
  • SQLITE_MUTEX_STATIC_LRU
+**
  • SQLITE_MUTEX_STATIC_LRU2
+**
)^
+**
+** ^The first two constants (SQLITE_MUTEX_FAST and SQLITE_MUTEX_RECURSIVE)
+** cause sqlite3_mutex_alloc() to create
+** a new mutex. ^The new mutex is recursive when SQLITE_MUTEX_RECURSIVE
+** is used but not necessarily so when SQLITE_MUTEX_FAST is used.
+** The mutex implementation does not need to make a distinction
+** between SQLITE_MUTEX_RECURSIVE and SQLITE_MUTEX_FAST if it does
+** not want to. ^SQLite will only request a recursive mutex in
+** cases where it really needs one. ^If a faster non-recursive mutex
+** implementation is available on the host platform, the mutex subsystem
+** might return such a mutex in response to SQLITE_MUTEX_FAST.
+**
+** ^The other allowed parameters to sqlite3_mutex_alloc() (anything other
+** than SQLITE_MUTEX_FAST and SQLITE_MUTEX_RECURSIVE) each return
+** a pointer to a static preexisting mutex. ^Six static mutexes are
+** used by the current version of SQLite. Future versions of SQLite
+** may add additional static mutexes. Static mutexes are for internal
+** use by SQLite only. Applications that use SQLite mutexes should
+** use only the dynamic mutexes returned by SQLITE_MUTEX_FAST or
+** SQLITE_MUTEX_RECURSIVE.
+**
+** ^Note that if one of the dynamic mutex parameters (SQLITE_MUTEX_FAST
+** or SQLITE_MUTEX_RECURSIVE) is used then sqlite3_mutex_alloc()
+** returns a different mutex on every call. ^But for the static
+** mutex types, the same mutex is returned on every call that has
+** the same type number.
+**
+** ^The sqlite3_mutex_free() routine deallocates a previously
+** allocated dynamic mutex. ^SQLite is careful to deallocate every
+** dynamic mutex that it allocates. The dynamic mutexes must not be in
+** use when they are deallocated. Attempting to deallocate a static
+** mutex results in undefined behavior. ^SQLite never deallocates
+** a static mutex.
+**
+** ^The sqlite3_mutex_enter() and sqlite3_mutex_try() routines attempt
+** to enter a mutex.
^If another thread is already within the mutex,
+** sqlite3_mutex_enter() will block and sqlite3_mutex_try() will return
+** SQLITE_BUSY. ^The sqlite3_mutex_try() interface returns [SQLITE_OK]
+** upon successful entry. ^(Mutexes created using
+** SQLITE_MUTEX_RECURSIVE can be entered multiple times by the same thread.
+** In such cases the,
+** mutex must be exited an equal number of times before another thread
+** can enter.)^ ^(If the same thread tries to enter any other
+** kind of mutex more than once, the behavior is undefined.
+** SQLite will never exhibit
+** such behavior in its own use of mutexes.)^
+**
+** ^(Some systems (for example, Windows 95) do not support the operation
+** implemented by sqlite3_mutex_try(). On those systems, sqlite3_mutex_try()
+** will always return SQLITE_BUSY. The SQLite core only ever uses
+** sqlite3_mutex_try() as an optimization so this is acceptable behavior.)^
+**
+** ^The sqlite3_mutex_leave() routine exits a mutex that was
+** previously entered by the same thread. ^(The behavior
+** is undefined if the mutex is not currently entered by the
+** calling thread or is not currently allocated. SQLite will
+** never do either.)^
+**
+** ^If the argument to sqlite3_mutex_enter(), sqlite3_mutex_try(), or
+** sqlite3_mutex_leave() is a NULL pointer, then all three routines
+** behave as no-ops.
+**
+** See also: [sqlite3_mutex_held()] and [sqlite3_mutex_notheld()].
+*/
+SQLITE_API sqlite3_mutex *sqlite3_mutex_alloc(int);
+SQLITE_API void sqlite3_mutex_free(sqlite3_mutex*);
+SQLITE_API void sqlite3_mutex_enter(sqlite3_mutex*);
+SQLITE_API int sqlite3_mutex_try(sqlite3_mutex*);
+SQLITE_API void sqlite3_mutex_leave(sqlite3_mutex*);
+
+/*
+** CAPI3REF: Mutex Methods Object
+**
+** An instance of this structure defines the low-level routines
+** used to allocate and use mutexes.
+**
+** Usually, the default mutex implementations provided by SQLite are
+** sufficient, however the user has the option of substituting a custom
+** implementation for specialized deployments or systems for which SQLite
+** does not provide a suitable implementation. In this case, the user
+** creates and populates an instance of this structure to pass
+** to sqlite3_config() along with the [SQLITE_CONFIG_MUTEX] option.
+** Additionally, an instance of this structure can be used as an
+** output variable when querying the system for the current mutex
+** implementation, using the [SQLITE_CONFIG_GETMUTEX] option.
+**
+** ^The xMutexInit method defined by this structure is invoked as
+** part of system initialization by the sqlite3_initialize() function.
+** ^The xMutexInit routine is called by SQLite exactly once for each
+** effective call to [sqlite3_initialize()].
+**
+** ^The xMutexEnd method defined by this structure is invoked as
+** part of system shutdown by the sqlite3_shutdown() function. The
+** implementation of this method is expected to release all outstanding
+** resources obtained by the mutex methods implementation, especially
+** those obtained by the xMutexInit method. ^The xMutexEnd()
+** interface is invoked exactly once for each call to [sqlite3_shutdown()].
+**
+** ^(The remaining seven methods defined by this structure (xMutexAlloc,
+** xMutexFree, xMutexEnter, xMutexTry, xMutexLeave, xMutexHeld and
+** xMutexNotheld) implement the following interfaces (respectively):
+**
+**
    +**
  • [sqlite3_mutex_alloc()]
  • +**
  • [sqlite3_mutex_free()]
  • +**
  • [sqlite3_mutex_enter()]
  • +**
  • [sqlite3_mutex_try()]
  • +**
  • [sqlite3_mutex_leave()]
  • +**
  • [sqlite3_mutex_held()]
  • +**
  • [sqlite3_mutex_notheld()]
  • +**
)^
+**
+** The only difference is that the public sqlite3_XXX functions enumerated
+** above silently ignore any invocations that pass a NULL pointer instead
+** of a valid mutex handle. The implementations of the methods defined
+** by this structure are not required to handle this case, the results
+** of passing a NULL pointer instead of a valid mutex handle are undefined
+** (i.e. it is acceptable to provide an implementation that segfaults if
+** it is passed a NULL pointer).
+**
+** The xMutexInit() method must be threadsafe. ^It must be harmless to
+** invoke xMutexInit() multiple times within the same process and without
+** intervening calls to xMutexEnd(). Second and subsequent calls to
+** xMutexInit() must be no-ops.
+**
+** ^xMutexInit() must not use SQLite memory allocation ([sqlite3_malloc()]
+** and its associates). ^Similarly, xMutexAlloc() must not use SQLite memory
+** allocation for a static mutex. ^However xMutexAlloc() may use SQLite
+** memory allocation for a fast or recursive mutex.
+**
+** ^SQLite will invoke the xMutexEnd() method when [sqlite3_shutdown()] is
+** called, but only if the prior call to xMutexInit returned SQLITE_OK.
+** If xMutexInit fails in any way, it is expected to clean up after itself
+** prior to returning.
+*/
+typedef struct sqlite3_mutex_methods sqlite3_mutex_methods;
+struct sqlite3_mutex_methods {
+ int (*xMutexInit)(void);
+ int (*xMutexEnd)(void);
+ sqlite3_mutex *(*xMutexAlloc)(int);
+ void (*xMutexFree)(sqlite3_mutex *);
+ void (*xMutexEnter)(sqlite3_mutex *);
+ int (*xMutexTry)(sqlite3_mutex *);
+ void (*xMutexLeave)(sqlite3_mutex *);
+ int (*xMutexHeld)(sqlite3_mutex *);
+ int (*xMutexNotheld)(sqlite3_mutex *);
+};
+
+/*
+** CAPI3REF: Mutex Verification Routines
+**
+** The sqlite3_mutex_held() and sqlite3_mutex_notheld() routines
+** are intended for use inside assert() statements.
^The SQLite core
+** never uses these routines except inside an assert() and applications
+** are advised to follow the lead of the core. ^The SQLite core only
+** provides implementations for these routines when it is compiled
+** with the SQLITE_DEBUG flag. ^External mutex implementations
+** are only required to provide these routines if SQLITE_DEBUG is
+** defined and if NDEBUG is not defined.
+**
+** ^These routines should return true if the mutex in their argument
+** is held or not held, respectively, by the calling thread.
+**
+** ^The implementation is not required to provide versions of these
+** routines that actually work. If the implementation does not provide working
+** versions of these routines, it should at least provide stubs that always
+** return true so that one does not get spurious assertion failures.
+**
+** ^If the argument to sqlite3_mutex_held() is a NULL pointer then
+** the routine should return 1. This seems counter-intuitive since
+** clearly the mutex cannot be held if it does not exist. But
+** the reason the mutex does not exist is because the build is not
+** using mutexes. And we do not want the assert() containing the
+** call to sqlite3_mutex_held() to fail, so a non-zero return is
+** the appropriate thing to do. ^The sqlite3_mutex_notheld()
+** interface should also return 1 when given a NULL pointer.
+*/
+#ifndef NDEBUG
+SQLITE_API int sqlite3_mutex_held(sqlite3_mutex*);
+SQLITE_API int sqlite3_mutex_notheld(sqlite3_mutex*);
+#endif
+
+/*
+** CAPI3REF: Mutex Types
+**
+** The [sqlite3_mutex_alloc()] interface takes a single argument
+** which is one of these integer constants.
+**
+** The set of static mutexes may change from one SQLite release to the
+** next. Applications that override the built-in mutex logic must be
+** prepared to accommodate additional static mutexes.
+*/
+#define SQLITE_MUTEX_FAST 0
+#define SQLITE_MUTEX_RECURSIVE 1
+#define SQLITE_MUTEX_STATIC_MASTER 2
+#define SQLITE_MUTEX_STATIC_MEM 3 /* sqlite3_malloc() */
+#define SQLITE_MUTEX_STATIC_MEM2 4 /* NOT USED */
+#define SQLITE_MUTEX_STATIC_OPEN 4 /* sqlite3BtreeOpen() */
+#define SQLITE_MUTEX_STATIC_PRNG 5 /* sqlite3_random() */
+#define SQLITE_MUTEX_STATIC_LRU 6 /* lru page list */
+#define SQLITE_MUTEX_STATIC_LRU2 7 /* NOT USED */
+#define SQLITE_MUTEX_STATIC_PMEM 7 /* sqlite3PageMalloc() */
+
+/*
+** CAPI3REF: Retrieve the mutex for a database connection
+**
+** ^This interface returns a pointer the [sqlite3_mutex] object that
+** serializes access to the [database connection] given in the argument
+** when the [threading mode] is Serialized.
+** ^If the [threading mode] is Single-thread or Multi-thread then this
+** routine returns a NULL pointer.
+*/
+SQLITE_API sqlite3_mutex *sqlite3_db_mutex(sqlite3*);
+
+/*
+** CAPI3REF: Low-Level Control Of Database Files
+**
+** ^The [sqlite3_file_control()] interface makes a direct call to the
+** xFileControl method for the [sqlite3_io_methods] object associated
+** with a particular database identified by the second argument. ^The
+** name of the database is "main" for the main database or "temp" for the
+** TEMP database, or the name that appears after the AS keyword for
+** databases that are added using the [ATTACH] SQL command.
+** ^A NULL pointer can be used in place of "main" to refer to the
+** main database file.
+** ^The third and fourth parameters to this routine
+** are passed directly through to the second and third parameters of
+** the xFileControl method. ^The return value of the xFileControl
+** method becomes the return value of this routine.
+**
+** ^The SQLITE_FCNTL_FILE_POINTER value for the op parameter causes
+** a pointer to the underlying [sqlite3_file] object to be written into
+** the space pointed to by the 4th parameter.
^The SQLITE_FCNTL_FILE_POINTER
+** case is a short-circuit path which does not actually invoke the
+** underlying sqlite3_io_methods.xFileControl method.
+**
+** ^If the second parameter (zDbName) does not match the name of any
+** open database file, then SQLITE_ERROR is returned. ^This error
+** code is not remembered and will not be recalled by [sqlite3_errcode()]
+** or [sqlite3_errmsg()]. The underlying xFileControl method might
+** also return SQLITE_ERROR. There is no way to distinguish between
+** an incorrect zDbName and an SQLITE_ERROR return from the underlying
+** xFileControl method.
+**
+** See also: [SQLITE_FCNTL_LOCKSTATE]
+*/
+SQLITE_API int sqlite3_file_control(sqlite3*, const char *zDbName, int op, void*);
+
+/*
+** CAPI3REF: Testing Interface
+**
+** ^The sqlite3_test_control() interface is used to read out internal
+** state of SQLite and to inject faults into SQLite for testing
+** purposes. ^The first parameter is an operation code that determines
+** the number, meaning, and operation of all subsequent parameters.
+**
+** This interface is not for use by applications. It exists solely
+** for verifying the correct operation of the SQLite library. Depending
+** on how the SQLite library is compiled, this interface might not exist.
+**
+** The details of the operation codes, their meanings, the parameters
+** they take, and what they do are all subject to change without notice.
+** Unlike most of the SQLite API, this function is not guaranteed to
+** operate consistently from one release to the next.
+*/
+SQLITE_API int sqlite3_test_control(int op, ...);
+
+/*
+** CAPI3REF: Testing Interface Operation Codes
+**
+** These constants are the valid operation code parameters used
+** as the first argument to [sqlite3_test_control()].
+**
+** These parameters and their meanings are subject to change
+** without notice. These values are for testing purposes only.
+** Applications should not use any of these parameters or the
+** [sqlite3_test_control()] interface.
+*/
+#define SQLITE_TESTCTRL_FIRST 5
+#define SQLITE_TESTCTRL_PRNG_SAVE 5
+#define SQLITE_TESTCTRL_PRNG_RESTORE 6
+#define SQLITE_TESTCTRL_PRNG_RESET 7
+#define SQLITE_TESTCTRL_BITVEC_TEST 8
+#define SQLITE_TESTCTRL_FAULT_INSTALL 9
+#define SQLITE_TESTCTRL_BENIGN_MALLOC_HOOKS 10
+#define SQLITE_TESTCTRL_PENDING_BYTE 11
+#define SQLITE_TESTCTRL_ASSERT 12
+#define SQLITE_TESTCTRL_ALWAYS 13
+#define SQLITE_TESTCTRL_RESERVE 14
+#define SQLITE_TESTCTRL_OPTIMIZATIONS 15
+#define SQLITE_TESTCTRL_ISKEYWORD 16
+#define SQLITE_TESTCTRL_SCRATCHMALLOC 17
+#define SQLITE_TESTCTRL_LOCALTIME_FAULT 18
+#define SQLITE_TESTCTRL_EXPLAIN_STMT 19
+#define SQLITE_TESTCTRL_LAST 19
+
+/*
+** CAPI3REF: SQLite Runtime Status
+**
+** ^This interface is used to retrieve runtime status information
+** about the performance of SQLite, and optionally to reset various
+** highwater marks. ^The first argument is an integer code for
+** the specific parameter to measure. ^(Recognized integer codes
+** are of the form [status parameters | SQLITE_STATUS_...].)^
+** ^The current value of the parameter is returned into *pCurrent.
+** ^The highest recorded value is returned in *pHighwater. ^If the
+** resetFlag is true, then the highest record value is reset after
+** *pHighwater is written. ^(Some parameters do not record the highest
+** value. For those parameters
+** nothing is written into *pHighwater and the resetFlag is ignored.)^
+** ^(Other parameters record only the highwater mark and not the current
+** value. For these latter parameters nothing is written into *pCurrent.)^
+**
+** ^The sqlite3_status() routine returns SQLITE_OK on success and a
+** non-zero [error code] on failure.
+**
+** This routine is threadsafe but is not atomic. This routine can be
+** called while other threads are running the same or different SQLite
+** interfaces.
However the values returned in *pCurrent and
+** *pHighwater reflect the status of SQLite at different points in time
+** and it is possible that another thread might change the parameter
+** in between the times when *pCurrent and *pHighwater are written.
+**
+** See also: [sqlite3_db_status()]
+*/
+SQLITE_API int sqlite3_status(int op, int *pCurrent, int *pHighwater, int resetFlag);
+
+
+/*
+** CAPI3REF: Status Parameters
+** KEYWORDS: {status parameters}
+**
+** These integer constants designate various run-time status parameters
+** that can be returned by [sqlite3_status()].
+**
+**
+** [[SQLITE_STATUS_MEMORY_USED]] ^(
SQLITE_STATUS_MEMORY_USED
+**
This parameter is the current amount of memory checked out
+** using [sqlite3_malloc()], either directly or indirectly. The
+** figure includes calls made to [sqlite3_malloc()] by the application
+** and internal memory usage by the SQLite library. Scratch memory
+** controlled by [SQLITE_CONFIG_SCRATCH] and auxiliary page-cache
+** memory controlled by [SQLITE_CONFIG_PAGECACHE] is not included in
+** this parameter. The amount returned is the sum of the allocation
+** sizes as reported by the xSize method in [sqlite3_mem_methods].
)^
+**
+** [[SQLITE_STATUS_MALLOC_SIZE]] ^(
SQLITE_STATUS_MALLOC_SIZE
+**
This parameter records the largest memory allocation request
+** handed to [sqlite3_malloc()] or [sqlite3_realloc()] (or their
+** internal equivalents). Only the value returned in the
+** *pHighwater parameter to [sqlite3_status()] is of interest.
+** The value written into the *pCurrent parameter is undefined.
)^
+**
+** [[SQLITE_STATUS_MALLOC_COUNT]] ^(
SQLITE_STATUS_MALLOC_COUNT
+**
This parameter records the number of separate memory allocations
+** currently checked out.
)^
+**
+** [[SQLITE_STATUS_PAGECACHE_USED]] ^(
SQLITE_STATUS_PAGECACHE_USED
+**
This parameter returns the number of pages used out of the
+** [pagecache memory allocator] that was configured using
+** [SQLITE_CONFIG_PAGECACHE]. The
+** value returned is in pages, not in bytes.
)^
+**
+** [[SQLITE_STATUS_PAGECACHE_OVERFLOW]]
+** ^(
SQLITE_STATUS_PAGECACHE_OVERFLOW
+**
This parameter returns the number of bytes of page cache
+** allocation which could not be satisfied by the [SQLITE_CONFIG_PAGECACHE]
+** buffer and where forced to overflow to [sqlite3_malloc()]. The
+** returned value includes allocations that overflowed because they
+** where too large (they were larger than the "sz" parameter to
+** [SQLITE_CONFIG_PAGECACHE]) and allocations that overflowed because
+** no space was left in the page cache.
)^
+**
+** [[SQLITE_STATUS_PAGECACHE_SIZE]] ^(
SQLITE_STATUS_PAGECACHE_SIZE
+**
This parameter records the largest memory allocation request
+** handed to [pagecache memory allocator]. Only the value returned in the
+** *pHighwater parameter to [sqlite3_status()] is of interest.
+** The value written into the *pCurrent parameter is undefined.
)^
+**
+** [[SQLITE_STATUS_SCRATCH_USED]] ^(
SQLITE_STATUS_SCRATCH_USED
+**
This parameter returns the number of allocations used out of the
+** [scratch memory allocator] configured using
+** [SQLITE_CONFIG_SCRATCH]. The value returned is in allocations, not
+** in bytes. Since a single thread may only have one scratch allocation
+** outstanding at time, this parameter also reports the number of threads
+** using scratch memory at the same time.
)^
+**
+** [[SQLITE_STATUS_SCRATCH_OVERFLOW]] ^(
SQLITE_STATUS_SCRATCH_OVERFLOW
+**
This parameter returns the number of bytes of scratch memory
+** allocation which could not be satisfied by the [SQLITE_CONFIG_SCRATCH]
+** buffer and where forced to overflow to [sqlite3_malloc()]. The values
+** returned include overflows because the requested allocation was too
+** larger (that is, because the requested allocation was larger than the
+** "sz" parameter to [SQLITE_CONFIG_SCRATCH]) and because no scratch buffer
+** slots were available.
+**
)^
+**
+** [[SQLITE_STATUS_SCRATCH_SIZE]] ^(
SQLITE_STATUS_SCRATCH_SIZE
+**
This parameter records the largest memory allocation request
+** handed to [scratch memory allocator]. Only the value returned in the
+** *pHighwater parameter to [sqlite3_status()] is of interest.
+** The value written into the *pCurrent parameter is undefined.
)^
+**
+** [[SQLITE_STATUS_PARSER_STACK]] ^(
SQLITE_STATUS_PARSER_STACK
+**
This parameter records the deepest parser stack. It is only
+** meaningful if SQLite is compiled with [YYTRACKMAXSTACKDEPTH].
)^
+**
+**
+** New status parameters may be added from time to time.
+*/
+#define SQLITE_STATUS_MEMORY_USED 0
+#define SQLITE_STATUS_PAGECACHE_USED 1
+#define SQLITE_STATUS_PAGECACHE_OVERFLOW 2
+#define SQLITE_STATUS_SCRATCH_USED 3
+#define SQLITE_STATUS_SCRATCH_OVERFLOW 4
+#define SQLITE_STATUS_MALLOC_SIZE 5
+#define SQLITE_STATUS_PARSER_STACK 6
+#define SQLITE_STATUS_PAGECACHE_SIZE 7
+#define SQLITE_STATUS_SCRATCH_SIZE 8
+#define SQLITE_STATUS_MALLOC_COUNT 9
+
+/*
+** CAPI3REF: Database Connection Status
+**
+** ^This interface is used to retrieve runtime status information
+** about a single [database connection]. ^The first argument is the
+** database connection object to be interrogated. ^The second argument
+** is an integer constant, taken from the set of
+** [SQLITE_DBSTATUS options], that
+** determines the parameter to interrogate. The set of
+** [SQLITE_DBSTATUS options] is likely
+** to grow in future releases of SQLite.
+**
+** ^The current value of the requested parameter is written into *pCur
+** and the highest instantaneous value is written into *pHiwtr. ^If
+** the resetFlg is true, then the highest instantaneous value is
+** reset back down to the current value.
+**
+** ^The sqlite3_db_status() routine returns SQLITE_OK on success and a
+** non-zero [error code] on failure.
+**
+** See also: [sqlite3_status()] and [sqlite3_stmt_status()].
+*/
+SQLITE_API int sqlite3_db_status(sqlite3*, int op, int *pCur, int *pHiwtr, int resetFlg);
+
+/*
+** CAPI3REF: Status Parameters for database connections
+** KEYWORDS: {SQLITE_DBSTATUS options}
+**
+** These constants are the available integer "verbs" that can be passed as
+** the second argument to the [sqlite3_db_status()] interface.
+**
+** New verbs may be added in future releases of SQLite. Existing verbs
+** might be discontinued. Applications should check the return code from
+** [sqlite3_db_status()] to make sure that the call worked.
+** The [sqlite3_db_status()] interface will return a non-zero error code
+** if a discontinued or unsupported verb is invoked.
+**
+**
+** [[SQLITE_DBSTATUS_LOOKASIDE_USED]] ^(
SQLITE_DBSTATUS_LOOKASIDE_USED
+**
This parameter returns the number of lookaside memory slots currently
+** checked out.
)^
+**
+** [[SQLITE_DBSTATUS_LOOKASIDE_HIT]] ^(
SQLITE_DBSTATUS_LOOKASIDE_HIT
+**
This parameter returns the number malloc attempts that were
+** satisfied using lookaside memory. Only the high-water value is meaningful;
+** the current value is always zero.)^
+**
+** [[SQLITE_DBSTATUS_LOOKASIDE_MISS_SIZE]]
+** ^(
SQLITE_DBSTATUS_LOOKASIDE_MISS_SIZE
+**
This parameter returns the number malloc attempts that might have
+** been satisfied using lookaside memory but failed due to the amount of
+** memory requested being larger than the lookaside slot size.
+** Only the high-water value is meaningful;
+** the current value is always zero.)^
+**
+** [[SQLITE_DBSTATUS_LOOKASIDE_MISS_FULL]]
+** ^(
SQLITE_DBSTATUS_LOOKASIDE_MISS_FULL
+**
This parameter returns the number malloc attempts that might have
+** been satisfied using lookaside memory but failed due to all lookaside
+** memory already being in use.
+** Only the high-water value is meaningful;
+** the current value is always zero.)^
+**
+** [[SQLITE_DBSTATUS_CACHE_USED]] ^(
SQLITE_DBSTATUS_CACHE_USED
+**
This parameter returns the approximate number of of bytes of heap
+** memory used by all pager caches associated with the database connection.)^
+** ^The highwater mark associated with SQLITE_DBSTATUS_CACHE_USED is always 0.
+**
+** [[SQLITE_DBSTATUS_SCHEMA_USED]] ^(
SQLITE_DBSTATUS_SCHEMA_USED
+**
This parameter returns the approximate number of of bytes of heap
+** memory used to store the schema for all databases associated
+** with the connection - main, temp, and any [ATTACH]-ed databases.)^
+** ^The full amount of memory used by the schemas is reported, even if the
+** schema memory is shared with other database connections due to
+** [shared cache mode] being enabled.
+** ^The highwater mark associated with SQLITE_DBSTATUS_SCHEMA_USED is always 0.
+**
+** [[SQLITE_DBSTATUS_STMT_USED]] ^(
SQLITE_DBSTATUS_STMT_USED
+**
This parameter returns the approximate number of of bytes of heap
+** and lookaside memory used by all prepared statements associated with
+** the database connection.)^
+** ^The highwater mark associated with SQLITE_DBSTATUS_STMT_USED is always 0.
+**
+**
+** [[SQLITE_DBSTATUS_CACHE_HIT]] ^(
SQLITE_DBSTATUS_CACHE_HIT
+**
This parameter returns the number of pager cache hits that have
+** occurred.)^ ^The highwater mark associated with SQLITE_DBSTATUS_CACHE_HIT
+** is always 0.
+**
+**
+** [[SQLITE_DBSTATUS_CACHE_MISS]] ^(
SQLITE_DBSTATUS_CACHE_MISS
+**
This parameter returns the number of pager cache misses that have
+** occurred.)^ ^The highwater mark associated with SQLITE_DBSTATUS_CACHE_MISS
+** is always 0.
+**
+**
+** [[SQLITE_DBSTATUS_CACHE_WRITE]] ^(
SQLITE_DBSTATUS_CACHE_WRITE
+**
This parameter returns the number of dirty cache entries that have
+** been written to disk. Specifically, the number of pages written to the
+** wal file in wal mode databases, or the number of pages written to the
+** database file in rollback mode databases. Any pages written as part of
+** transaction rollback or database recovery operations are not included.
+** If an IO or other error occurs while writing a page to disk, the effect
+** on subsequent SQLITE_DBSTATUS_CACHE_WRITE requests is undefined.)^ ^The
+** highwater mark associated with SQLITE_DBSTATUS_CACHE_WRITE is always 0.
+**
+**
+*/
+#define SQLITE_DBSTATUS_LOOKASIDE_USED 0
+#define SQLITE_DBSTATUS_CACHE_USED 1
+#define SQLITE_DBSTATUS_SCHEMA_USED 2
+#define SQLITE_DBSTATUS_STMT_USED 3
+#define SQLITE_DBSTATUS_LOOKASIDE_HIT 4
+#define SQLITE_DBSTATUS_LOOKASIDE_MISS_SIZE 5
+#define SQLITE_DBSTATUS_LOOKASIDE_MISS_FULL 6
+#define SQLITE_DBSTATUS_CACHE_HIT 7
+#define SQLITE_DBSTATUS_CACHE_MISS 8
+#define SQLITE_DBSTATUS_CACHE_WRITE 9
+#define SQLITE_DBSTATUS_MAX 9 /* Largest defined DBSTATUS */
+
+
+/*
+** CAPI3REF: Prepared Statement Status
+**
+** ^(Each prepared statement maintains various
+** [SQLITE_STMTSTATUS counters] that measure the number
+** of times it has performed specific operations.)^ These counters can
+** be used to monitor the performance characteristics of the prepared
+** statements. For example, if the number of table steps greatly exceeds
+** the number of table searches or result rows, that would tend to indicate
+** that the prepared statement is using a full table scan rather than
+** an index.
+**
+** ^(This interface is used to retrieve and reset counter values from
+** a [prepared statement]. The first argument is the prepared statement
+** object to be interrogated. The second argument
+** is an integer code for a specific [SQLITE_STMTSTATUS counter]
+** to be interrogated.)^
+** ^The current value of the requested counter is returned.
+** ^If the resetFlg is true, then the counter is reset to zero after this
+** interface call returns.
+**
+** See also: [sqlite3_status()] and [sqlite3_db_status()].
+*/
+SQLITE_API int sqlite3_stmt_status(sqlite3_stmt*, int op,int resetFlg);
+
+/*
+** CAPI3REF: Status Parameters for prepared statements
+** KEYWORDS: {SQLITE_STMTSTATUS counter} {SQLITE_STMTSTATUS counters}
+**
+** These preprocessor macros define integer codes that name counter
+** values associated with the [sqlite3_stmt_status()] interface.
+** The meanings of the various counters are as follows:
+**
+**
+** [[SQLITE_STMTSTATUS_FULLSCAN_STEP]]
SQLITE_STMTSTATUS_FULLSCAN_STEP
+**
^This is the number of times that SQLite has stepped forward in
+** a table as part of a full table scan. Large numbers for this counter
+** may indicate opportunities for performance improvement through
+** careful use of indices.
+**
+** [[SQLITE_STMTSTATUS_SORT]]
SQLITE_STMTSTATUS_SORT
+**
^This is the number of sort operations that have occurred.
+** A non-zero value in this counter may indicate an opportunity to
+** improvement performance through careful use of indices.
+**
+** [[SQLITE_STMTSTATUS_AUTOINDEX]]
SQLITE_STMTSTATUS_AUTOINDEX
+**
^This is the number of rows inserted into transient indices that
+** were created automatically in order to help joins run faster.
+** A non-zero value in this counter may indicate an opportunity to
+** improvement performance by adding permanent indices that do not
+** need to be reinitialized each time the statement is run.
+**
+*/
+#define SQLITE_STMTSTATUS_FULLSCAN_STEP 1
+#define SQLITE_STMTSTATUS_SORT 2
+#define SQLITE_STMTSTATUS_AUTOINDEX 3
+
+/*
+** CAPI3REF: Custom Page Cache Object
+**
+** The sqlite3_pcache type is opaque. It is implemented by
+** the pluggable module. The SQLite core has no knowledge of
+** its size or internal structure and never deals with the
+** sqlite3_pcache object except by holding and passing pointers
+** to the object.
+**
+** See [sqlite3_pcache_methods2] for additional information.
+*/
+typedef struct sqlite3_pcache sqlite3_pcache;
+
+/*
+** CAPI3REF: Custom Page Cache Object
+**
+** The sqlite3_pcache_page object represents a single page in the
+** page cache. The page cache will allocate instances of this
+** object. Various methods of the page cache use pointers to instances
+** of this object as parameters or as their return value.
+**
+** See [sqlite3_pcache_methods2] for additional information.
+*/
+typedef struct sqlite3_pcache_page sqlite3_pcache_page;
+struct sqlite3_pcache_page {
+ void *pBuf; /* The content of the page */
+ void *pExtra; /* Extra information associated with the page */
+};
+
+/*
+** CAPI3REF: Application Defined Page Cache.
+** KEYWORDS: {page cache}
+**
+** ^(The [sqlite3_config]([SQLITE_CONFIG_PCACHE2], ...) interface can
+** register an alternative page cache implementation by passing in an
+** instance of the sqlite3_pcache_methods2 structure.)^
+** In many applications, most of the heap memory allocated by
+** SQLite is used for the page cache.
+** By implementing a
+** custom page cache using this API, an application can better control
+** the amount of memory consumed by SQLite, the way in which
+** that memory is allocated and released, and the policies used to
+** determine exactly which parts of a database file are cached and for
+** how long.
+**
+** The alternative page cache mechanism is an
+** extreme measure that is only needed by the most demanding applications.
+** The built-in page cache is recommended for most uses.
+**
+** ^(The contents of the sqlite3_pcache_methods2 structure are copied to an
+** internal buffer by SQLite within the call to [sqlite3_config]. Hence
+** the application may discard the parameter after the call to
+** [sqlite3_config()] returns.)^
+**
+** [[the xInit() page cache method]]
+** ^(The xInit() method is called once for each effective
+** call to [sqlite3_initialize()])^
+** (usually only once during the lifetime of the process). ^(The xInit()
+** method is passed a copy of the sqlite3_pcache_methods2.pArg value.)^
+** The intent of the xInit() method is to set up global data structures
+** required by the custom page cache implementation.
+** ^(If the xInit() method is NULL, then the
+** built-in default page cache is used instead of the application defined
+** page cache.)^
+**
+** [[the xShutdown() page cache method]]
+** ^The xShutdown() method is called by [sqlite3_shutdown()].
+** It can be used to clean up
+** any outstanding resources before process shutdown, if required.
+** ^The xShutdown() method may be NULL.
+**
+** ^SQLite automatically serializes calls to the xInit method,
+** so the xInit method need not be threadsafe. ^The
+** xShutdown method is only called from [sqlite3_shutdown()] so it does
+** not need to be threadsafe either. All other methods must be threadsafe
+** in multithreaded applications.
+**
+** ^SQLite will never invoke xInit() more than once without an intervening
+** call to xShutdown().
+**
+** [[the xCreate() page cache methods]]
+** ^SQLite invokes the xCreate() method to construct a new cache instance.
+** SQLite will typically create one cache instance for each open database file,
+** though this is not guaranteed. ^The
+** first parameter, szPage, is the size in bytes of the pages that must
+** be allocated by the cache. ^szPage will always a power of two.
^The
+** second parameter szExtra is a number of bytes of extra storage
+** associated with each page cache entry. ^The szExtra parameter will
+** a number less than 250. SQLite will use the
+** extra szExtra bytes on each page to store metadata about the underlying
+** database page on disk. The value passed into szExtra depends
+** on the SQLite version, the target platform, and how SQLite was compiled.
+** ^The third argument to xCreate(), bPurgeable, is true if the cache being
+** created will be used to cache database pages of a file stored on disk, or
+** false if it is used for an in-memory database. The cache implementation
+** does not have to do anything special based with the value of bPurgeable;
+** it is purely advisory. ^On a cache where bPurgeable is false, SQLite will
+** never invoke xUnpin() except to deliberately delete a page.
+** ^In other words, calls to xUnpin() on a cache with bPurgeable set to
+** false will always have the "discard" flag set to true.
+** ^Hence, a cache created with bPurgeable false will
+** never contain any unpinned pages.
+**
+** [[the xCachesize() page cache method]]
+** ^(The xCachesize() method may be called at any time by SQLite to set the
+** suggested maximum cache-size (number of pages stored by) the cache
+** instance passed as the first argument. This is the value configured using
+** the SQLite "[PRAGMA cache_size]" command.)^ As with the bPurgeable
+** parameter, the implementation is not required to do anything with this
+** value; it is advisory only.
+**
+** [[the xPagecount() page cache methods]]
+** The xPagecount() method must return the number of pages currently
+** stored in the cache, both pinned and unpinned.
+**
+** [[the xFetch() page cache methods]]
+** The xFetch() method locates a page in the cache and returns a pointer to
+** an sqlite3_pcache_page object associated with that page, or a NULL pointer.
+** The pBuf element of the returned sqlite3_pcache_page object will be a +** pointer to a buffer of szPage bytes used to store the content of a +** single database page. The pExtra element of sqlite3_pcache_page will be +** a pointer to the szExtra bytes of extra storage that SQLite has requested +** for each entry in the page cache. +** +** The page to be fetched is determined by the key. ^The minimum key value +** is 1. After it has been retrieved using xFetch, the page is considered +** to be "pinned". +** +** If the requested page is already in the page cache, then the page cache +** implementation must return a pointer to the page buffer with its content +** intact. If the requested page is not already in the cache, then the +** cache implementation should use the value of the createFlag +** parameter to help it determined what action to take: +** +** +**
createFlag Behavior when page is not already in cache +**
0 Do not allocate a new page. Return NULL. +**
1 Allocate a new page if it easy and convenient to do so. +** Otherwise return NULL. +**
2 Make every effort to allocate a new page. Only return +** NULL if allocating a new page is effectively impossible. +**
+** +** ^(SQLite will normally invoke xFetch() with a createFlag of 0 or 1. SQLite +** will only use a createFlag of 2 after a prior call with a createFlag of 1 +** failed.)^ In between the to xFetch() calls, SQLite may +** attempt to unpin one or more cache pages by spilling the content of +** pinned pages to disk and synching the operating system disk cache. +** +** [[the xUnpin() page cache method]] +** ^xUnpin() is called by SQLite with a pointer to a currently pinned page +** as its second argument. If the third parameter, discard, is non-zero, +** then the page must be evicted from the cache. +** ^If the discard parameter is +** zero, then the page may be discarded or retained at the discretion of +** page cache implementation. ^The page cache implementation +** may choose to evict unpinned pages at any time. +** +** The cache must not perform any reference counting. A single +** call to xUnpin() unpins the page regardless of the number of prior calls +** to xFetch(). +** +** [[the xRekey() page cache methods]] +** The xRekey() method is used to change the key value associated with the +** page passed as the second argument. If the cache +** previously contains an entry associated with newKey, it must be +** discarded. ^Any prior cache entry associated with newKey is guaranteed not +** to be pinned. +** +** When SQLite calls the xTruncate() method, the cache must discard all +** existing cache entries with page numbers (keys) greater than or equal +** to the value of the iLimit parameter passed to xTruncate(). If any +** of these pages are pinned, they are implicitly unpinned, meaning that +** they can be safely discarded. +** +** [[the xDestroy() page cache method]] +** ^The xDestroy() method is used to delete a cache allocated by xCreate(). +** All resources associated with the specified cache should be freed. 
^After
+** calling the xDestroy() method, SQLite considers the [sqlite3_pcache*]
+** handle invalid, and will not use it with any other sqlite3_pcache_methods2
+** functions.
+**
+** [[the xShrink() page cache method]]
+** ^SQLite invokes the xShrink() method when it wants the page cache to
+** free up as much of heap memory as possible. The page cache implementation
+** is not obligated to free any memory, but well-behaved implementations should
+** do their best.
+*/
+typedef struct sqlite3_pcache_methods2 sqlite3_pcache_methods2;
+struct sqlite3_pcache_methods2 {
+ int iVersion;
+ void *pArg;
+ int (*xInit)(void*);
+ void (*xShutdown)(void*);
+ sqlite3_pcache *(*xCreate)(int szPage, int szExtra, int bPurgeable);
+ void (*xCachesize)(sqlite3_pcache*, int nCachesize);
+ int (*xPagecount)(sqlite3_pcache*);
+ sqlite3_pcache_page *(*xFetch)(sqlite3_pcache*, unsigned key, int createFlag);
+ void (*xUnpin)(sqlite3_pcache*, sqlite3_pcache_page*, int discard);
+ void (*xRekey)(sqlite3_pcache*, sqlite3_pcache_page*,
+ unsigned oldKey, unsigned newKey);
+ void (*xTruncate)(sqlite3_pcache*, unsigned iLimit);
+ void (*xDestroy)(sqlite3_pcache*);
+ void (*xShrink)(sqlite3_pcache*);
+};
+
+/*
+** This is the obsolete pcache_methods object that has now been replaced
+** by sqlite3_pcache_methods2. This object is not used by SQLite. It is
+** retained in the header file for backwards compatibility only.
+*/
+typedef struct sqlite3_pcache_methods sqlite3_pcache_methods;
+struct sqlite3_pcache_methods {
+ void *pArg;
+ int (*xInit)(void*);
+ void (*xShutdown)(void*);
+ sqlite3_pcache *(*xCreate)(int szPage, int bPurgeable);
+ void (*xCachesize)(sqlite3_pcache*, int nCachesize);
+ int (*xPagecount)(sqlite3_pcache*);
+ void *(*xFetch)(sqlite3_pcache*, unsigned key, int createFlag);
+ void (*xUnpin)(sqlite3_pcache*, void*, int discard);
+ void (*xRekey)(sqlite3_pcache*, void*, unsigned oldKey, unsigned newKey);
+ void (*xTruncate)(sqlite3_pcache*, unsigned iLimit);
+ void (*xDestroy)(sqlite3_pcache*);
+};
+
+
+/*
+** CAPI3REF: Online Backup Object
+**
+** The sqlite3_backup object records state information about an ongoing
+** online backup operation. ^The sqlite3_backup object is created by
+** a call to [sqlite3_backup_init()] and is destroyed by a call to
+** [sqlite3_backup_finish()].
+**
+** See Also: [Using the SQLite Online Backup API]
+*/
+typedef struct sqlite3_backup sqlite3_backup;
+
+/*
+** CAPI3REF: Online Backup API.
+**
+** The backup API copies the content of one database into another.
+** It is useful either for creating backups of databases or
+** for copying in-memory databases to or from persistent files.
+**
+** See Also: [Using the SQLite Online Backup API]
+**
+** ^SQLite holds a write transaction open on the destination database file
+** for the duration of the backup operation.
+** ^The source database is read-locked only while it is being read;
+** it is not locked continuously for the entire backup operation.
+** ^Thus, the backup may be performed on a live source database without
+** preventing other database connections from
+** reading or writing to the source database while the backup is underway.
+**
+** ^(To perform a backup operation:
+**
    +**
  1. sqlite3_backup_init() is called once to initialize the +** backup, +**
  2. sqlite3_backup_step() is called one or more times to transfer +** the data between the two databases, and finally +**
  3. sqlite3_backup_finish() is called to release all resources +** associated with the backup operation. +**
)^ +** There should be exactly one call to sqlite3_backup_finish() for each +** successful call to sqlite3_backup_init(). +** +** [[sqlite3_backup_init()]] sqlite3_backup_init() +** +** ^The D and N arguments to sqlite3_backup_init(D,N,S,M) are the +** [database connection] associated with the destination database +** and the database name, respectively. +** ^The database name is "main" for the main database, "temp" for the +** temporary database, or the name specified after the AS keyword in +** an [ATTACH] statement for an attached database. +** ^The S and M arguments passed to +** sqlite3_backup_init(D,N,S,M) identify the [database connection] +** and database name of the source database, respectively. +** ^The source and destination [database connections] (parameters S and D) +** must be different or else sqlite3_backup_init(D,N,S,M) will fail with +** an error. +** +** ^If an error occurs within sqlite3_backup_init(D,N,S,M), then NULL is +** returned and an error code and error message are stored in the +** destination [database connection] D. +** ^The error code and message for the failed call to sqlite3_backup_init() +** can be retrieved using the [sqlite3_errcode()], [sqlite3_errmsg()], and/or +** [sqlite3_errmsg16()] functions. +** ^A successful call to sqlite3_backup_init() returns a pointer to an +** [sqlite3_backup] object. +** ^The [sqlite3_backup] object may be used with the sqlite3_backup_step() and +** sqlite3_backup_finish() functions to perform the specified backup +** operation. +** +** [[sqlite3_backup_step()]] sqlite3_backup_step() +** +** ^Function sqlite3_backup_step(B,N) will copy up to N pages between +** the source and destination databases specified by [sqlite3_backup] object B. +** ^If N is negative, all remaining source pages are copied. +** ^If sqlite3_backup_step(B,N) successfully copies N pages and there +** are still more pages to be copied, then the function returns [SQLITE_OK]. 
+** ^If sqlite3_backup_step(B,N) successfully finishes copying all pages +** from source to destination, then it returns [SQLITE_DONE]. +** ^If an error occurs while running sqlite3_backup_step(B,N), +** then an [error code] is returned. ^As well as [SQLITE_OK] and +** [SQLITE_DONE], a call to sqlite3_backup_step() may return [SQLITE_READONLY], +** [SQLITE_NOMEM], [SQLITE_BUSY], [SQLITE_LOCKED], or an +** [SQLITE_IOERR_ACCESS | SQLITE_IOERR_XXX] extended error code. +** +** ^(The sqlite3_backup_step() might return [SQLITE_READONLY] if +**
    +**
  1. the destination database was opened read-only, or +**
  2. the destination database is using write-ahead-log journaling +** and the destination and source page sizes differ, or +**
  3. the destination database is an in-memory database and the +** destination and source page sizes differ. +**
)^ +** +** ^If sqlite3_backup_step() cannot obtain a required file-system lock, then +** the [sqlite3_busy_handler | busy-handler function] +** is invoked (if one is specified). ^If the +** busy-handler returns non-zero before the lock is available, then +** [SQLITE_BUSY] is returned to the caller. ^In this case the call to +** sqlite3_backup_step() can be retried later. ^If the source +** [database connection] +** is being used to write to the source database when sqlite3_backup_step() +** is called, then [SQLITE_LOCKED] is returned immediately. ^Again, in this +** case the call to sqlite3_backup_step() can be retried later on. ^(If +** [SQLITE_IOERR_ACCESS | SQLITE_IOERR_XXX], [SQLITE_NOMEM], or +** [SQLITE_READONLY] is returned, then +** there is no point in retrying the call to sqlite3_backup_step(). These +** errors are considered fatal.)^ The application must accept +** that the backup operation has failed and pass the backup operation handle +** to the sqlite3_backup_finish() to release associated resources. +** +** ^The first call to sqlite3_backup_step() obtains an exclusive lock +** on the destination file. ^The exclusive lock is not released until either +** sqlite3_backup_finish() is called or the backup operation is complete +** and sqlite3_backup_step() returns [SQLITE_DONE]. ^Every call to +** sqlite3_backup_step() obtains a [shared lock] on the source database that +** lasts for the duration of the sqlite3_backup_step() call. +** ^Because the source database is not locked between calls to +** sqlite3_backup_step(), the source database may be modified mid-way +** through the backup process. ^If the source database is modified by an +** external process or via a database connection other than the one being +** used by the backup operation, then the backup will be automatically +** restarted by the next call to sqlite3_backup_step(). 
^If the source +** database is modified by the using the same database connection as is used +** by the backup operation, then the backup database is automatically +** updated at the same time. +** +** [[sqlite3_backup_finish()]] sqlite3_backup_finish() +** +** When sqlite3_backup_step() has returned [SQLITE_DONE], or when the +** application wishes to abandon the backup operation, the application +** should destroy the [sqlite3_backup] by passing it to sqlite3_backup_finish(). +** ^The sqlite3_backup_finish() interfaces releases all +** resources associated with the [sqlite3_backup] object. +** ^If sqlite3_backup_step() has not yet returned [SQLITE_DONE], then any +** active write-transaction on the destination database is rolled back. +** The [sqlite3_backup] object is invalid +** and may not be used following a call to sqlite3_backup_finish(). +** +** ^The value returned by sqlite3_backup_finish is [SQLITE_OK] if no +** sqlite3_backup_step() errors occurred, regardless or whether or not +** sqlite3_backup_step() completed. +** ^If an out-of-memory condition or IO error occurred during any prior +** sqlite3_backup_step() call on the same [sqlite3_backup] object, then +** sqlite3_backup_finish() returns the corresponding [error code]. +** +** ^A return of [SQLITE_BUSY] or [SQLITE_LOCKED] from sqlite3_backup_step() +** is not a permanent error and does not affect the return value of +** sqlite3_backup_finish(). +** +** [[sqlite3_backup__remaining()]] [[sqlite3_backup_pagecount()]] +** sqlite3_backup_remaining() and sqlite3_backup_pagecount() +** +** ^Each call to sqlite3_backup_step() sets two values inside +** the [sqlite3_backup] object: the number of pages still to be backed +** up and the total number of pages in the source database file. +** The sqlite3_backup_remaining() and sqlite3_backup_pagecount() interfaces +** retrieve these two values, respectively. +** +** ^The values returned by these functions are only updated by +** sqlite3_backup_step(). 
^If the source database is modified during a backup +** operation, then the values are not updated to account for any extra +** pages that need to be updated or the size of the source database file +** changing. +** +** Concurrent Usage of Database Handles +** +** ^The source [database connection] may be used by the application for other +** purposes while a backup operation is underway or being initialized. +** ^If SQLite is compiled and configured to support threadsafe database +** connections, then the source database connection may be used concurrently +** from within other threads. +** +** However, the application must guarantee that the destination +** [database connection] is not passed to any other API (by any thread) after +** sqlite3_backup_init() is called and before the corresponding call to +** sqlite3_backup_finish(). SQLite does not currently check to see +** if the application incorrectly accesses the destination [database connection] +** and so no error code is reported, but the operations may malfunction +** nevertheless. Use of the destination database connection while a +** backup is in progress might also also cause a mutex deadlock. +** +** If running in [shared cache mode], the application must +** guarantee that the shared cache used by the destination database +** is not accessed while the backup is running. In practice this means +** that the application must guarantee that the disk file being +** backed up to is not accessed by any connection within the process, +** not just the specific connection that was passed to sqlite3_backup_init(). +** +** The [sqlite3_backup] object itself is partially threadsafe. Multiple +** threads may safely make multiple concurrent calls to sqlite3_backup_step(). +** However, the sqlite3_backup_remaining() and sqlite3_backup_pagecount() +** APIs are not strictly speaking threadsafe. 
If they are invoked at the
+** same time as another thread is invoking sqlite3_backup_step() it is
+** possible that they return invalid values.
+*/
+SQLITE_API sqlite3_backup *sqlite3_backup_init(
+ sqlite3 *pDest, /* Destination database handle */
+ const char *zDestName, /* Destination database name */
+ sqlite3 *pSource, /* Source database handle */
+ const char *zSourceName /* Source database name */
+);
+SQLITE_API int sqlite3_backup_step(sqlite3_backup *p, int nPage);
+SQLITE_API int sqlite3_backup_finish(sqlite3_backup *p);
+SQLITE_API int sqlite3_backup_remaining(sqlite3_backup *p);
+SQLITE_API int sqlite3_backup_pagecount(sqlite3_backup *p);
+
+/*
+** CAPI3REF: Unlock Notification
+**
+** ^When running in shared-cache mode, a database operation may fail with
+** an [SQLITE_LOCKED] error if the required locks on the shared-cache or
+** individual tables within the shared-cache cannot be obtained. See
+** [SQLite Shared-Cache Mode] for a description of shared-cache locking.
+** ^This API may be used to register a callback that SQLite will invoke
+** when the connection currently holding the required lock relinquishes it.
+** ^This API is only available if the library was compiled with the
+** [SQLITE_ENABLE_UNLOCK_NOTIFY] C-preprocessor symbol defined.
+**
+** See Also: [Using the SQLite Unlock Notification Feature].
+**
+** ^Shared-cache locks are released when a database connection concludes
+** its current transaction, either by committing it or rolling it back.
+**
+** ^When a connection (known as the blocked connection) fails to obtain a
+** shared-cache lock and SQLITE_LOCKED is returned to the caller, the
+** identity of the database connection (the blocking connection) that
+** has locked the required resource is stored internally.
^After an +** application receives an SQLITE_LOCKED error, it may call the +** sqlite3_unlock_notify() method with the blocked connection handle as +** the first argument to register for a callback that will be invoked +** when the blocking connections current transaction is concluded. ^The +** callback is invoked from within the [sqlite3_step] or [sqlite3_close] +** call that concludes the blocking connections transaction. +** +** ^(If sqlite3_unlock_notify() is called in a multi-threaded application, +** there is a chance that the blocking connection will have already +** concluded its transaction by the time sqlite3_unlock_notify() is invoked. +** If this happens, then the specified callback is invoked immediately, +** from within the call to sqlite3_unlock_notify().)^ +** +** ^If the blocked connection is attempting to obtain a write-lock on a +** shared-cache table, and more than one other connection currently holds +** a read-lock on the same table, then SQLite arbitrarily selects one of +** the other connections to use as the blocking connection. +** +** ^(There may be at most one unlock-notify callback registered by a +** blocked connection. If sqlite3_unlock_notify() is called when the +** blocked connection already has a registered unlock-notify callback, +** then the new callback replaces the old.)^ ^If sqlite3_unlock_notify() is +** called with a NULL pointer as its second argument, then any existing +** unlock-notify callback is canceled. ^The blocked connections +** unlock-notify callback may also be canceled by closing the blocked +** connection using [sqlite3_close()]. +** +** The unlock-notify callback is not reentrant. If an application invokes +** any sqlite3_xxx API functions from within an unlock-notify callback, a +** crash or deadlock may be the result. +** +** ^Unless deadlock is detected (see below), sqlite3_unlock_notify() always +** returns SQLITE_OK. 
+** +** Callback Invocation Details +** +** When an unlock-notify callback is registered, the application provides a +** single void* pointer that is passed to the callback when it is invoked. +** However, the signature of the callback function allows SQLite to pass +** it an array of void* context pointers. The first argument passed to +** an unlock-notify callback is a pointer to an array of void* pointers, +** and the second is the number of entries in the array. +** +** When a blocking connections transaction is concluded, there may be +** more than one blocked connection that has registered for an unlock-notify +** callback. ^If two or more such blocked connections have specified the +** same callback function, then instead of invoking the callback function +** multiple times, it is invoked once with the set of void* context pointers +** specified by the blocked connections bundled together into an array. +** This gives the application an opportunity to prioritize any actions +** related to the set of unblocked database connections. +** +** Deadlock Detection +** +** Assuming that after registering for an unlock-notify callback a +** database waits for the callback to be issued before taking any further +** action (a reasonable assumption), then using this API may cause the +** application to deadlock. For example, if connection X is waiting for +** connection Y's transaction to be concluded, and similarly connection +** Y is waiting on connection X's transaction, then neither connection +** will proceed and the system may remain deadlocked indefinitely. +** +** To avoid this scenario, the sqlite3_unlock_notify() performs deadlock +** detection. ^If a given call to sqlite3_unlock_notify() would put the +** system in a deadlocked state, then SQLITE_LOCKED is returned and no +** unlock-notify callback is registered. 
The system is said to be in +** a deadlocked state if connection A has registered for an unlock-notify +** callback on the conclusion of connection B's transaction, and connection +** B has itself registered for an unlock-notify callback when connection +** A's transaction is concluded. ^Indirect deadlock is also detected, so +** the system is also considered to be deadlocked if connection B has +** registered for an unlock-notify callback on the conclusion of connection +** C's transaction, where connection C is waiting on connection A. ^Any +** number of levels of indirection are allowed. +** +** The "DROP TABLE" Exception +** +** When a call to [sqlite3_step()] returns SQLITE_LOCKED, it is almost +** always appropriate to call sqlite3_unlock_notify(). There is however, +** one exception. When executing a "DROP TABLE" or "DROP INDEX" statement, +** SQLite checks if there are any currently executing SELECT statements +** that belong to the same connection. If there are, SQLITE_LOCKED is +** returned. In this case there is no "blocking connection", so invoking +** sqlite3_unlock_notify() results in the unlock-notify callback being +** invoked immediately. If the application then re-attempts the "DROP TABLE" +** or "DROP INDEX" query, an infinite loop might be the result. +** +** One way around this problem is to check the extended error code returned +** by an sqlite3_step() call. ^(If there is a blocking connection, then the +** extended error code is set to SQLITE_LOCKED_SHAREDCACHE. 
Otherwise, in
+** the special "DROP TABLE/INDEX" case, the extended error code is just
+** SQLITE_LOCKED.)^
+*/
+SQLITE_API int sqlite3_unlock_notify(
+ sqlite3 *pBlocked, /* Waiting connection */
+ void (*xNotify)(void **apArg, int nArg), /* Callback function to invoke */
+ void *pNotifyArg /* Argument to pass to xNotify */
+);
+
+
+/*
+** CAPI3REF: String Comparison
+**
+** ^The [sqlite3_stricmp()] and [sqlite3_strnicmp()] APIs allow applications
+** and extensions to compare the contents of two buffers containing UTF-8
+** strings in a case-independent fashion, using the same definition of "case
+** independence" that SQLite uses internally when comparing identifiers.
+*/
+SQLITE_API int sqlite3_stricmp(const char *, const char *);
+SQLITE_API int sqlite3_strnicmp(const char *, const char *, int);
+
+/*
+** CAPI3REF: Error Logging Interface
+**
+** ^The [sqlite3_log()] interface writes a message into the error log
+** established by the [SQLITE_CONFIG_LOG] option to [sqlite3_config()].
+** ^If logging is enabled, the zFormat string and subsequent arguments are
+** used with [sqlite3_snprintf()] to generate the final output string.
+**
+** The sqlite3_log() interface is intended for use by extensions such as
+** virtual tables, collating functions, and SQL functions. While there is
+** nothing to prevent an application from calling sqlite3_log(), doing so
+** is considered bad form.
+**
+** The zFormat string must not be NULL.
+**
+** To avoid deadlocks and other threading problems, the sqlite3_log() routine
+** will not use dynamically allocated memory. The log message is stored in
+** a fixed-length buffer on the stack. If the log message is longer than
+** a few hundred characters, it will be truncated to the length of the
+** buffer.
+*/
+SQLITE_API void sqlite3_log(int iErrCode, const char *zFormat, ...);
+
+/*
+** CAPI3REF: Write-Ahead Log Commit Hook
+**
+** ^The [sqlite3_wal_hook()] function is used to register a callback that
+** will be invoked each time a database connection commits data to a
+** [write-ahead log] (i.e. whenever a transaction is committed in
+** [journal_mode | journal_mode=WAL mode]).
+**
+** ^The callback is invoked by SQLite after the commit has taken place and
+** the associated write-lock on the database released, so the implementation
+** may read, write or [checkpoint] the database as required.
+**
+** ^The first parameter passed to the callback function when it is invoked
+** is a copy of the third parameter passed to sqlite3_wal_hook() when
+** registering the callback. ^The second is a copy of the database handle.
+** ^The third parameter is the name of the database that was written to -
+** either "main" or the name of an [ATTACH]-ed database. ^The fourth parameter
+** is the number of pages currently in the write-ahead log file,
+** including those that were just committed.
+**
+** The callback function should normally return [SQLITE_OK]. ^If an error
+** code is returned, that error will propagate back up through the
+** SQLite code base to cause the statement that provoked the callback
+** to report an error, though the commit will have still occurred. If the
+** callback returns [SQLITE_ROW] or [SQLITE_DONE], or if it returns a value
+** that does not correspond to any valid SQLite error code, the results
+** are undefined.
+**
+** A single database handle may have at most a single write-ahead log callback
+** registered at one time. ^Calling [sqlite3_wal_hook()] replaces any
+** previously registered write-ahead log callback. ^Note that the
+** [sqlite3_wal_autocheckpoint()] interface and the
+** [wal_autocheckpoint pragma] both invoke [sqlite3_wal_hook()] and will
+** those overwrite any prior [sqlite3_wal_hook()] settings.
+*/
+SQLITE_API void *sqlite3_wal_hook(
+ sqlite3*,
+ int(*)(void *,sqlite3*,const char*,int),
+ void*
+);
+
+/*
+** CAPI3REF: Configure an auto-checkpoint
+**
+** ^The [sqlite3_wal_autocheckpoint(D,N)] is a wrapper around
+** [sqlite3_wal_hook()] that causes any database on [database connection] D
+** to automatically [checkpoint]
+** after committing a transaction if there are N or
+** more frames in the [write-ahead log] file. ^Passing zero or
+** a negative value as the nFrame parameter disables automatic
+** checkpoints entirely.
+**
+** ^The callback registered by this function replaces any existing callback
+** registered using [sqlite3_wal_hook()]. ^Likewise, registering a callback
+** using [sqlite3_wal_hook()] disables the automatic checkpoint mechanism
+** configured by this function.
+**
+** ^The [wal_autocheckpoint pragma] can be used to invoke this interface
+** from SQL.
+**
+** ^Every new [database connection] defaults to having the auto-checkpoint
+** enabled with a threshold of 1000 or [SQLITE_DEFAULT_WAL_AUTOCHECKPOINT]
+** pages. The use of this interface
+** is only necessary if the default setting is found to be suboptimal
+** for a particular application.
+*/
+SQLITE_API int sqlite3_wal_autocheckpoint(sqlite3 *db, int N);
+
+/*
+** CAPI3REF: Checkpoint a database
+**
+** ^The [sqlite3_wal_checkpoint(D,X)] interface causes database named X
+** on [database connection] D to be [checkpointed]. ^If X is NULL or an
+** empty string, then a checkpoint is run on all databases of
+** connection D. ^If the database connection D is not in
+** [WAL | write-ahead log mode] then this interface is a harmless no-op.
+**
+** ^The [wal_checkpoint pragma] can be used to invoke this interface
+** from SQL. ^The [sqlite3_wal_autocheckpoint()] interface and the
+** [wal_autocheckpoint pragma] can be used to cause this interface to be
+** run whenever the WAL reaches a certain size threshold.
+**
+** See also: [sqlite3_wal_checkpoint_v2()]
+*/
+SQLITE_API int sqlite3_wal_checkpoint(sqlite3 *db, const char *zDb);
+
+/*
+** CAPI3REF: Checkpoint a database
+**
+** Run a checkpoint operation on WAL database zDb attached to database
+** handle db. The specific operation is determined by the value of the
+** eMode parameter:
+**
+**
+**
SQLITE_CHECKPOINT_PASSIVE
+** Checkpoint as many frames as possible without waiting for any database +** readers or writers to finish. Sync the db file if all frames in the log +** are checkpointed. This mode is the same as calling +** sqlite3_wal_checkpoint(). The busy-handler callback is never invoked. +** +**
SQLITE_CHECKPOINT_FULL
+** This mode blocks (calls the busy-handler callback) until there is no +** database writer and all readers are reading from the most recent database +** snapshot. It then checkpoints all frames in the log file and syncs the +** database file. This call blocks database writers while it is running, +** but not database readers. +** +**
SQLITE_CHECKPOINT_RESTART
+** This mode works the same way as SQLITE_CHECKPOINT_FULL, except after +** checkpointing the log file it blocks (calls the busy-handler callback) +** until all readers are reading from the database file only. This ensures +** that the next client to write to the database file restarts the log file +** from the beginning. This call blocks database writers while it is running, +** but not database readers. +**
+** +** If pnLog is not NULL, then *pnLog is set to the total number of frames in +** the log file before returning. If pnCkpt is not NULL, then *pnCkpt is set to +** the total number of checkpointed frames (including any that were already +** checkpointed when this function is called). *pnLog and *pnCkpt may be +** populated even if sqlite3_wal_checkpoint_v2() returns other than SQLITE_OK. +** If no values are available because of an error, they are both set to -1 +** before returning to communicate this to the caller. +** +** All calls obtain an exclusive "checkpoint" lock on the database file. If +** any other process is running a checkpoint operation at the same time, the +** lock cannot be obtained and SQLITE_BUSY is returned. Even if there is a +** busy-handler configured, it will not be invoked in this case. +** +** The SQLITE_CHECKPOINT_FULL and RESTART modes also obtain the exclusive +** "writer" lock on the database file. If the writer lock cannot be obtained +** immediately, and a busy-handler is configured, it is invoked and the writer +** lock retried until either the busy-handler returns 0 or the lock is +** successfully obtained. The busy-handler is also invoked while waiting for +** database readers as described above. If the busy-handler returns 0 before +** the writer lock is obtained or while waiting for database readers, the +** checkpoint operation proceeds from that point in the same way as +** SQLITE_CHECKPOINT_PASSIVE - checkpointing as many frames as possible +** without blocking any further. SQLITE_BUSY is returned in this case. +** +** If parameter zDb is NULL or points to a zero length string, then the +** specified operation is attempted on all WAL databases. In this case the +** values written to output parameters *pnLog and *pnCkpt are undefined. 
If
+** an SQLITE_BUSY error is encountered when processing one or more of the
+** attached WAL databases, the operation is still attempted on any remaining
+** attached databases and SQLITE_BUSY is returned to the caller. If any other
+** error occurs while processing an attached database, processing is abandoned
+** and the error code returned to the caller immediately. If no error
+** (SQLITE_BUSY or otherwise) is encountered while processing the attached
+** databases, SQLITE_OK is returned.
+**
+** If database zDb is the name of an attached database that is not in WAL
+** mode, SQLITE_OK is returned and both *pnLog and *pnCkpt set to -1. If
+** zDb is not NULL (or a zero length string) and is not the name of any
+** attached database, SQLITE_ERROR is returned to the caller.
+*/
+SQLITE_API int sqlite3_wal_checkpoint_v2(
+ sqlite3 *db, /* Database handle */
+ const char *zDb, /* Name of attached database (or NULL) */
+ int eMode, /* SQLITE_CHECKPOINT_* value */
+ int *pnLog, /* OUT: Size of WAL log in frames */
+ int *pnCkpt /* OUT: Total number of frames checkpointed */
+);
+
+/*
+** CAPI3REF: Checkpoint operation parameters
+**
+** These constants can be used as the 3rd parameter to
+** [sqlite3_wal_checkpoint_v2()]. See the [sqlite3_wal_checkpoint_v2()]
+** documentation for additional information about the meaning and use of
+** each of these values.
+*/
+#define SQLITE_CHECKPOINT_PASSIVE 0
+#define SQLITE_CHECKPOINT_FULL 1
+#define SQLITE_CHECKPOINT_RESTART 2
+
+/*
+** CAPI3REF: Virtual Table Interface Configuration
+**
+** This function may be called by either the [xConnect] or [xCreate] method
+** of a [virtual table] implementation to configure
+** various facets of the virtual table interface.
+**
+** If this interface is invoked outside the context of an xConnect or
+** xCreate virtual table method then the behavior is undefined.
+**
+** At present, there is only one option that may be configured using
+** this function.
(See [SQLITE_VTAB_CONSTRAINT_SUPPORT].) Further options +** may be added in the future. +*/ +SQLITE_API int sqlite3_vtab_config(sqlite3*, int op, ...); + +/* +** CAPI3REF: Virtual Table Configuration Options +** +** These macros define the various options to the +** [sqlite3_vtab_config()] interface that [virtual table] implementations +** can use to customize and optimize their behavior. +** +**
+**
SQLITE_VTAB_CONSTRAINT_SUPPORT +**
Calls of the form +** [sqlite3_vtab_config](db,SQLITE_VTAB_CONSTRAINT_SUPPORT,X) are supported, +** where X is an integer. If X is zero, then the [virtual table] whose +** [xCreate] or [xConnect] method invoked [sqlite3_vtab_config()] does not +** support constraints. In this configuration (which is the default) if +** a call to the [xUpdate] method returns [SQLITE_CONSTRAINT], then the entire +** statement is rolled back as if [ON CONFLICT | OR ABORT] had been +** specified as part of the users SQL statement, regardless of the actual +** ON CONFLICT mode specified. +** +** If X is non-zero, then the virtual table implementation guarantees +** that if [xUpdate] returns [SQLITE_CONSTRAINT], it will do so before +** any modifications to internal or persistent data structures have been made. +** If the [ON CONFLICT] mode is ABORT, FAIL, IGNORE or ROLLBACK, SQLite +** is able to roll back a statement or database transaction, and abandon +** or continue processing the current SQL statement as appropriate. +** If the ON CONFLICT mode is REPLACE and the [xUpdate] method returns +** [SQLITE_CONSTRAINT], SQLite handles this as if the ON CONFLICT mode +** had been ABORT. +** +** Virtual table implementations that are required to handle OR REPLACE +** must do so within the [xUpdate] method. If a call to the +** [sqlite3_vtab_on_conflict()] function indicates that the current ON +** CONFLICT policy is REPLACE, the virtual table implementation should +** silently replace the appropriate rows within the xUpdate callback and +** return SQLITE_OK. Or, if this is not possible, it may return +** SQLITE_CONSTRAINT, in which case SQLite falls back to OR ABORT +** constraint handling. +**
+*/ +#define SQLITE_VTAB_CONSTRAINT_SUPPORT 1 + +/* +** CAPI3REF: Determine The Virtual Table Conflict Policy +** +** This function may only be called from within a call to the [xUpdate] method +** of a [virtual table] implementation for an INSERT or UPDATE operation. ^The +** value returned is one of [SQLITE_ROLLBACK], [SQLITE_IGNORE], [SQLITE_FAIL], +** [SQLITE_ABORT], or [SQLITE_REPLACE], according to the [ON CONFLICT] mode +** of the SQL statement that triggered the call to the [xUpdate] method of the +** [virtual table]. +*/ +SQLITE_API int sqlite3_vtab_on_conflict(sqlite3 *); + +/* +** CAPI3REF: Conflict resolution modes +** +** These constants are returned by [sqlite3_vtab_on_conflict()] to +** inform a [virtual table] implementation what the [ON CONFLICT] mode +** is for the SQL statement being evaluated. +** +** Note that the [SQLITE_IGNORE] constant is also used as a potential +** return value from the [sqlite3_set_authorizer()] callback and that +** [SQLITE_ABORT] is also a [result code]. +*/ +#define SQLITE_ROLLBACK 1 +/* #define SQLITE_IGNORE 2 // Also used by sqlite3_authorizer() callback */ +#define SQLITE_FAIL 3 +/* #define SQLITE_ABORT 4 // Also an error code */ +#define SQLITE_REPLACE 5 + + + +/* +** Undo the hack that converts floating point types to integer for +** builds on processors without floating point support. +*/ +#ifdef SQLITE_OMIT_FLOATING_POINT +# undef double +#endif + +#if 0 +} /* End of the 'extern "C"' block */ +#endif +#endif + +/* +** 2010 August 30 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. 
+** +************************************************************************* +*/ + +#ifndef _SQLITE3RTREE_H_ +#define _SQLITE3RTREE_H_ + + +#if 0 +extern "C" { +#endif + +typedef struct sqlite3_rtree_geometry sqlite3_rtree_geometry; + +/* +** Register a geometry callback named zGeom that can be used as part of an +** R-Tree geometry query as follows: +** +** SELECT ... FROM WHERE MATCH $zGeom(... params ...) +*/ +SQLITE_API int sqlite3_rtree_geometry_callback( + sqlite3 *db, + const char *zGeom, +#ifdef SQLITE_RTREE_INT_ONLY + int (*xGeom)(sqlite3_rtree_geometry*, int n, sqlite3_int64 *a, int *pRes), +#else + int (*xGeom)(sqlite3_rtree_geometry*, int n, double *a, int *pRes), +#endif + void *pContext +); + + +/* +** A pointer to a structure of the following type is passed as the first +** argument to callbacks registered using rtree_geometry_callback(). +*/ +struct sqlite3_rtree_geometry { + void *pContext; /* Copy of pContext passed to s_r_g_c() */ + int nParam; /* Size of array aParam[] */ + double *aParam; /* Parameters passed to SQL geom function */ + void *pUser; /* Callback implementation user data */ + void (*xDelUser)(void *); /* Called by SQLite to clean up pUser */ +}; + + +#if 0 +} /* end of the 'extern "C"' block */ +#endif + +#endif /* ifndef _SQLITE3RTREE_H_ */ + + +/************** End of sqlite3.h *********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include hash.h in the middle of sqliteInt.h ******************/ +/************** Begin file hash.h ********************************************/ +/* +** 2001 September 22 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. 
+** +************************************************************************* +** This is the header file for the generic hash-table implementation +** used in SQLite. +*/ +#ifndef _SQLITE_HASH_H_ +#define _SQLITE_HASH_H_ + +/* Forward declarations of structures. */ +typedef struct Hash Hash; +typedef struct HashElem HashElem; + +/* A complete hash table is an instance of the following structure. +** The internals of this structure are intended to be opaque -- client +** code should not attempt to access or modify the fields of this structure +** directly. Change this structure only by using the routines below. +** However, some of the "procedures" and "functions" for modifying and +** accessing this structure are really macros, so we can't really make +** this structure opaque. +** +** All elements of the hash table are on a single doubly-linked list. +** Hash.first points to the head of this list. +** +** There are Hash.htsize buckets. Each bucket points to a spot in +** the global doubly-linked list. The contents of the bucket are the +** element pointed to plus the next _ht.count-1 elements in the list. +** +** Hash.htsize and Hash.ht may be zero. In that case lookup is done +** by a linear search of the global list. For small tables, the +** Hash.ht table is never allocated because if there are few elements +** in the table, it is faster to do a linear search than to manage +** the hash table. +*/ +struct Hash { + unsigned int htsize; /* Number of buckets in the hash table */ + unsigned int count; /* Number of entries in this table */ + HashElem *first; /* The first element of the array */ + struct _ht { /* the hash table */ + int count; /* Number of entries with this hash */ + HashElem *chain; /* Pointer to first entry with this hash */ + } *ht; +}; + +/* Each element in the hash table is an instance of the following +** structure. All elements are stored on a single doubly-linked list. 
+** +** Again, this structure is intended to be opaque, but it can't really +** be opaque because it is used by macros. +*/ +struct HashElem { + HashElem *next, *prev; /* Next and previous elements in the table */ + void *data; /* Data associated with this element */ + const char *pKey; int nKey; /* Key associated with this element */ +}; + +/* +** Access routines. To delete, insert a NULL pointer. +*/ +SQLITE_PRIVATE void sqlite3HashInit(Hash*); +SQLITE_PRIVATE void *sqlite3HashInsert(Hash*, const char *pKey, int nKey, void *pData); +SQLITE_PRIVATE void *sqlite3HashFind(const Hash*, const char *pKey, int nKey); +SQLITE_PRIVATE void sqlite3HashClear(Hash*); + +/* +** Macros for looping over all elements of a hash table. The idiom is +** like this: +** +** Hash h; +** HashElem *p; +** ... +** for(p=sqliteHashFirst(&h); p; p=sqliteHashNext(p)){ +** SomeStructure *pData = sqliteHashData(p); +** // do something with pData +** } +*/ +#define sqliteHashFirst(H) ((H)->first) +#define sqliteHashNext(E) ((E)->next) +#define sqliteHashData(E) ((E)->data) +/* #define sqliteHashKey(E) ((E)->pKey) // NOT USED */ +/* #define sqliteHashKeysize(E) ((E)->nKey) // NOT USED */ + +/* +** Number of entries in a hash table +*/ +/* #define sqliteHashCount(H) ((H)->count) // NOT USED */ + +#endif /* _SQLITE_HASH_H_ */ + +/************** End of hash.h ************************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include parse.h in the middle of sqliteInt.h *****************/ +/************** Begin file parse.h *******************************************/ +#define TK_SEMI 1 +#define TK_EXPLAIN 2 +#define TK_QUERY 3 +#define TK_PLAN 4 +#define TK_BEGIN 5 +#define TK_TRANSACTION 6 +#define TK_DEFERRED 7 +#define TK_IMMEDIATE 8 +#define TK_EXCLUSIVE 9 +#define TK_COMMIT 10 +#define TK_END 11 +#define TK_ROLLBACK 12 +#define TK_SAVEPOINT 13 +#define TK_RELEASE 14 +#define TK_TO 15 +#define TK_TABLE 16 +#define 
TK_CREATE 17 +#define TK_IF 18 +#define TK_NOT 19 +#define TK_EXISTS 20 +#define TK_TEMP 21 +#define TK_LP 22 +#define TK_RP 23 +#define TK_AS 24 +#define TK_COMMA 25 +#define TK_ID 26 +#define TK_INDEXED 27 +#define TK_ABORT 28 +#define TK_ACTION 29 +#define TK_AFTER 30 +#define TK_ANALYZE 31 +#define TK_ASC 32 +#define TK_ATTACH 33 +#define TK_BEFORE 34 +#define TK_BY 35 +#define TK_CASCADE 36 +#define TK_CAST 37 +#define TK_COLUMNKW 38 +#define TK_CONFLICT 39 +#define TK_DATABASE 40 +#define TK_DESC 41 +#define TK_DETACH 42 +#define TK_EACH 43 +#define TK_FAIL 44 +#define TK_FOR 45 +#define TK_IGNORE 46 +#define TK_INITIALLY 47 +#define TK_INSTEAD 48 +#define TK_LIKE_KW 49 +#define TK_MATCH 50 +#define TK_NO 51 +#define TK_KEY 52 +#define TK_OF 53 +#define TK_OFFSET 54 +#define TK_PRAGMA 55 +#define TK_RAISE 56 +#define TK_REPLACE 57 +#define TK_RESTRICT 58 +#define TK_ROW 59 +#define TK_TRIGGER 60 +#define TK_VACUUM 61 +#define TK_VIEW 62 +#define TK_VIRTUAL 63 +#define TK_REINDEX 64 +#define TK_RENAME 65 +#define TK_CTIME_KW 66 +#define TK_ANY 67 +#define TK_OR 68 +#define TK_AND 69 +#define TK_IS 70 +#define TK_BETWEEN 71 +#define TK_IN 72 +#define TK_ISNULL 73 +#define TK_NOTNULL 74 +#define TK_NE 75 +#define TK_EQ 76 +#define TK_GT 77 +#define TK_LE 78 +#define TK_LT 79 +#define TK_GE 80 +#define TK_ESCAPE 81 +#define TK_BITAND 82 +#define TK_BITOR 83 +#define TK_LSHIFT 84 +#define TK_RSHIFT 85 +#define TK_PLUS 86 +#define TK_MINUS 87 +#define TK_STAR 88 +#define TK_SLASH 89 +#define TK_REM 90 +#define TK_CONCAT 91 +#define TK_COLLATE 92 +#define TK_BITNOT 93 +#define TK_STRING 94 +#define TK_JOIN_KW 95 +#define TK_CONSTRAINT 96 +#define TK_DEFAULT 97 +#define TK_NULL 98 +#define TK_PRIMARY 99 +#define TK_UNIQUE 100 +#define TK_CHECK 101 +#define TK_REFERENCES 102 +#define TK_AUTOINCR 103 +#define TK_ON 104 +#define TK_INSERT 105 +#define TK_DELETE 106 +#define TK_UPDATE 107 +#define TK_SET 108 +#define TK_DEFERRABLE 109 +#define TK_FOREIGN 110 +#define 
TK_DROP 111 +#define TK_UNION 112 +#define TK_ALL 113 +#define TK_EXCEPT 114 +#define TK_INTERSECT 115 +#define TK_SELECT 116 +#define TK_DISTINCT 117 +#define TK_DOT 118 +#define TK_FROM 119 +#define TK_JOIN 120 +#define TK_USING 121 +#define TK_ORDER 122 +#define TK_GROUP 123 +#define TK_HAVING 124 +#define TK_LIMIT 125 +#define TK_WHERE 126 +#define TK_INTO 127 +#define TK_VALUES 128 +#define TK_INTEGER 129 +#define TK_FLOAT 130 +#define TK_BLOB 131 +#define TK_REGISTER 132 +#define TK_VARIABLE 133 +#define TK_CASE 134 +#define TK_WHEN 135 +#define TK_THEN 136 +#define TK_ELSE 137 +#define TK_INDEX 138 +#define TK_ALTER 139 +#define TK_ADD 140 +#define TK_TO_TEXT 141 +#define TK_TO_BLOB 142 +#define TK_TO_NUMERIC 143 +#define TK_TO_INT 144 +#define TK_TO_REAL 145 +#define TK_ISNOT 146 +#define TK_END_OF_FILE 147 +#define TK_ILLEGAL 148 +#define TK_SPACE 149 +#define TK_UNCLOSED_STRING 150 +#define TK_FUNCTION 151 +#define TK_COLUMN 152 +#define TK_AGG_FUNCTION 153 +#define TK_AGG_COLUMN 154 +#define TK_CONST_FUNC 155 +#define TK_UMINUS 156 +#define TK_UPLUS 157 + +/************** End of parse.h ***********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +#include +#include +#include +#include +#include + +/* +** If compiling for a processor that lacks floating point support, +** substitute integer for floating-point +*/ +#ifdef SQLITE_OMIT_FLOATING_POINT +# define double sqlite_int64 +# define float sqlite_int64 +# define LONGDOUBLE_TYPE sqlite_int64 +# ifndef SQLITE_BIG_DBL +# define SQLITE_BIG_DBL (((sqlite3_int64)1)<<50) +# endif +# define SQLITE_OMIT_DATETIME_FUNCS 1 +# define SQLITE_OMIT_TRACE 1 +# undef SQLITE_MIXED_ENDIAN_64BIT_FLOAT +# undef SQLITE_HAVE_ISNAN +#endif +#ifndef SQLITE_BIG_DBL +# define SQLITE_BIG_DBL (1e99) +#endif + +/* +** OMIT_TEMPDB is set to 1 if SQLITE_OMIT_TEMPDB is defined, or 0 +** afterward. 
Having this macro allows us to cause the C compiler +** to omit code used by TEMP tables without messy #ifndef statements. +*/ +#ifdef SQLITE_OMIT_TEMPDB +#define OMIT_TEMPDB 1 +#else +#define OMIT_TEMPDB 0 +#endif + +/* +** The "file format" number is an integer that is incremented whenever +** the VDBE-level file format changes. The following macros define the +** the default file format for new databases and the maximum file format +** that the library can read. +*/ +#define SQLITE_MAX_FILE_FORMAT 4 +#ifndef SQLITE_DEFAULT_FILE_FORMAT +# define SQLITE_DEFAULT_FILE_FORMAT 4 +#endif + +/* +** Determine whether triggers are recursive by default. This can be +** changed at run-time using a pragma. +*/ +#ifndef SQLITE_DEFAULT_RECURSIVE_TRIGGERS +# define SQLITE_DEFAULT_RECURSIVE_TRIGGERS 0 +#endif + +/* +** Provide a default value for SQLITE_TEMP_STORE in case it is not specified +** on the command-line +*/ +#ifndef SQLITE_TEMP_STORE +# define SQLITE_TEMP_STORE 1 +#endif + +/* +** GCC does not define the offsetof() macro so we'll have to do it +** ourselves. +*/ +#ifndef offsetof +#define offsetof(STRUCTURE,FIELD) ((int)((char*)&((STRUCTURE*)0)->FIELD)) +#endif + +/* +** Check to see if this machine uses EBCDIC. (Yes, believe it or +** not, there are still machines out there that use EBCDIC.) +*/ +#if 'A' == '\301' +# define SQLITE_EBCDIC 1 +#else +# define SQLITE_ASCII 1 +#endif + +/* +** Integers of known sizes. These typedefs might change for architectures +** where the sizes very. Preprocessor macros are available so that the +** types can be conveniently redefined at compile-type. Like this: +** +** cc '-DUINTPTR_TYPE=long long int' ... 
+*/ +#ifndef UINT32_TYPE +# ifdef HAVE_UINT32_T +# define UINT32_TYPE uint32_t +# else +# define UINT32_TYPE unsigned int +# endif +#endif +#ifndef UINT16_TYPE +# ifdef HAVE_UINT16_T +# define UINT16_TYPE uint16_t +# else +# define UINT16_TYPE unsigned short int +# endif +#endif +#ifndef INT16_TYPE +# ifdef HAVE_INT16_T +# define INT16_TYPE int16_t +# else +# define INT16_TYPE short int +# endif +#endif +#ifndef UINT8_TYPE +# ifdef HAVE_UINT8_T +# define UINT8_TYPE uint8_t +# else +# define UINT8_TYPE unsigned char +# endif +#endif +#ifndef INT8_TYPE +# ifdef HAVE_INT8_T +# define INT8_TYPE int8_t +# else +# define INT8_TYPE signed char +# endif +#endif +#ifndef LONGDOUBLE_TYPE +# define LONGDOUBLE_TYPE long double +#endif +typedef sqlite_int64 i64; /* 8-byte signed integer */ +typedef sqlite_uint64 u64; /* 8-byte unsigned integer */ +typedef UINT32_TYPE u32; /* 4-byte unsigned integer */ +typedef UINT16_TYPE u16; /* 2-byte unsigned integer */ +typedef INT16_TYPE i16; /* 2-byte signed integer */ +typedef UINT8_TYPE u8; /* 1-byte unsigned integer */ +typedef INT8_TYPE i8; /* 1-byte signed integer */ + +/* +** SQLITE_MAX_U32 is a u64 constant that is the maximum u64 value +** that can be stored in a u32 without loss of data. The value +** is 0x00000000ffffffff. But because of quirks of some compilers, we +** have to specify the value in the less intuitive manner shown: +*/ +#define SQLITE_MAX_U32 ((((u64)1)<<32)-1) + +/* +** The datatype used to store estimates of the number of rows in a +** table or index. This is an unsigned integer type. For 99.9% of +** the world, a 32-bit integer is sufficient. But a 64-bit integer +** can be used at compile-time if desired. +*/ +#ifdef SQLITE_64BIT_STATS + typedef u64 tRowcnt; /* 64-bit only if requested at compile-time */ +#else + typedef u32 tRowcnt; /* 32-bit is the default */ +#endif + +/* +** Macros to determine whether the machine is big or little endian, +** evaluated at runtime. 
+*/ +#ifdef SQLITE_AMALGAMATION +SQLITE_PRIVATE const int sqlite3one = 1; +#else +SQLITE_PRIVATE const int sqlite3one; +#endif +#if defined(i386) || defined(__i386__) || defined(_M_IX86)\ + || defined(__x86_64) || defined(__x86_64__) +# define SQLITE_BIGENDIAN 0 +# define SQLITE_LITTLEENDIAN 1 +# define SQLITE_UTF16NATIVE SQLITE_UTF16LE +#else +# define SQLITE_BIGENDIAN (*(char *)(&sqlite3one)==0) +# define SQLITE_LITTLEENDIAN (*(char *)(&sqlite3one)==1) +# define SQLITE_UTF16NATIVE (SQLITE_BIGENDIAN?SQLITE_UTF16BE:SQLITE_UTF16LE) +#endif + +/* +** Constants for the largest and smallest possible 64-bit signed integers. +** These macros are designed to work correctly on both 32-bit and 64-bit +** compilers. +*/ +#define LARGEST_INT64 (0xffffffff|(((i64)0x7fffffff)<<32)) +#define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + +/* +** Round up a number to the next larger multiple of 8. This is used +** to force 8-byte alignment on 64-bit architectures. +*/ +#define ROUND8(x) (((x)+7)&~7) + +/* +** Round down to the nearest multiple of 8 +*/ +#define ROUNDDOWN8(x) ((x)&~7) + +/* +** Assert that the pointer X is aligned to an 8-byte boundary. This +** macro is used only within assert() to verify that the code gets +** all alignment restrictions correct. +** +** Except, if SQLITE_4_BYTE_ALIGNED_MALLOC is defined, then the +** underlying malloc() implemention might return us 4-byte aligned +** pointers. In that case, only verify 4-byte alignment. +*/ +#ifdef SQLITE_4_BYTE_ALIGNED_MALLOC +# define EIGHT_BYTE_ALIGNMENT(X) ((((char*)(X) - (char*)0)&3)==0) +#else +# define EIGHT_BYTE_ALIGNMENT(X) ((((char*)(X) - (char*)0)&7)==0) +#endif + + +/* +** An instance of the following structure is used to store the busy-handler +** callback for a given sqlite handle. +** +** The sqlite.busyHandler member of the sqlite struct contains the busy +** callback for the database handle. Each pager opened via the sqlite +** handle is passed a pointer to sqlite.busyHandler. 
The busy-handler +** callback is currently invoked only from within pager.c. +*/ +typedef struct BusyHandler BusyHandler; +struct BusyHandler { + int (*xFunc)(void *,int); /* The busy callback */ + void *pArg; /* First arg to busy callback */ + int nBusy; /* Incremented with each busy call */ +}; + +/* +** Name of the master database table. The master database table +** is a special table that holds the names and attributes of all +** user tables and indices. +*/ +#define MASTER_NAME "sqlite_master" +#define TEMP_MASTER_NAME "sqlite_temp_master" + +/* +** The root-page of the master database table. +*/ +#define MASTER_ROOT 1 + +/* +** The name of the schema table. +*/ +#define SCHEMA_TABLE(x) ((!OMIT_TEMPDB)&&(x==1)?TEMP_MASTER_NAME:MASTER_NAME) + +/* +** A convenience macro that returns the number of elements in +** an array. +*/ +#define ArraySize(X) ((int)(sizeof(X)/sizeof(X[0]))) + +/* +** Determine if the argument is a power of two +*/ +#define IsPowerOfTwo(X) (((X)&((X)-1))==0) + +/* +** The following value as a destructor means to use sqlite3DbFree(). +** The sqlite3DbFree() routine requires two parameters instead of the +** one parameter that destructors normally want. So we have to introduce +** this magic value that the code knows to handle differently. Any +** pointer will work here as long as it is distinct from SQLITE_STATIC +** and SQLITE_TRANSIENT. +*/ +#define SQLITE_DYNAMIC ((sqlite3_destructor_type)sqlite3MallocSize) + +/* +** When SQLITE_OMIT_WSD is defined, it means that the target platform does +** not support Writable Static Data (WSD) such as global and static variables. +** All variables must either be on the stack or dynamically allocated from +** the heap. When WSD is unsupported, the variable declarations scattered +** throughout the SQLite code must become constants instead. The SQLITE_WSD +** macro is used for this purpose. 
And instead of referencing the variable +** directly, we use its constant as a key to lookup the run-time allocated +** buffer that holds real variable. The constant is also the initializer +** for the run-time allocated buffer. +** +** In the usual case where WSD is supported, the SQLITE_WSD and GLOBAL +** macros become no-ops and have zero performance impact. +*/ +#ifdef SQLITE_OMIT_WSD + #define SQLITE_WSD const + #define GLOBAL(t,v) (*(t*)sqlite3_wsd_find((void*)&(v), sizeof(v))) + #define sqlite3GlobalConfig GLOBAL(struct Sqlite3Config, sqlite3Config) +SQLITE_API int sqlite3_wsd_init(int N, int J); +SQLITE_API void *sqlite3_wsd_find(void *K, int L); +#else + #define SQLITE_WSD + #define GLOBAL(t,v) v + #define sqlite3GlobalConfig sqlite3Config +#endif + +/* +** The following macros are used to suppress compiler warnings and to +** make it clear to human readers when a function parameter is deliberately +** left unused within the body of a function. This usually happens when +** a function is called via a function pointer. For example the +** implementation of an SQL aggregate step callback may not use the +** parameter indicating the number of arguments passed to the aggregate, +** if it knows that this is enforced elsewhere. +** +** When a function parameter is not used at all within the body of a function, +** it is generally named "NotUsed" or "NotUsed2" to make things even clearer. +** However, these macros may also be used to suppress warnings related to +** parameters that may or may not be used depending on compilation options. +** For example those parameters only used in assert() statements. In these +** cases the parameters are named as per the usual conventions. 
+*/ +#define UNUSED_PARAMETER(x) (void)(x) +#define UNUSED_PARAMETER2(x,y) UNUSED_PARAMETER(x),UNUSED_PARAMETER(y) + +/* +** Forward references to structures +*/ +typedef struct AggInfo AggInfo; +typedef struct AuthContext AuthContext; +typedef struct AutoincInfo AutoincInfo; +typedef struct Bitvec Bitvec; +typedef struct CollSeq CollSeq; +typedef struct Column Column; +typedef struct Db Db; +typedef struct Schema Schema; +typedef struct Expr Expr; +typedef struct ExprList ExprList; +typedef struct ExprSpan ExprSpan; +typedef struct FKey FKey; +typedef struct FuncDestructor FuncDestructor; +typedef struct FuncDef FuncDef; +typedef struct FuncDefHash FuncDefHash; +typedef struct IdList IdList; +typedef struct Index Index; +typedef struct IndexSample IndexSample; +typedef struct KeyClass KeyClass; +typedef struct KeyInfo KeyInfo; +typedef struct Lookaside Lookaside; +typedef struct LookasideSlot LookasideSlot; +typedef struct Module Module; +typedef struct NameContext NameContext; +typedef struct Parse Parse; +typedef struct RowSet RowSet; +typedef struct Savepoint Savepoint; +typedef struct Select Select; +typedef struct SelectDest SelectDest; +typedef struct SrcList SrcList; +typedef struct StrAccum StrAccum; +typedef struct Table Table; +typedef struct TableLock TableLock; +typedef struct Token Token; +typedef struct Trigger Trigger; +typedef struct TriggerPrg TriggerPrg; +typedef struct TriggerStep TriggerStep; +typedef struct UnpackedRecord UnpackedRecord; +typedef struct VTable VTable; +typedef struct VtabCtx VtabCtx; +typedef struct Walker Walker; +typedef struct WherePlan WherePlan; +typedef struct WhereInfo WhereInfo; +typedef struct WhereLevel WhereLevel; + +/* +** Defer sourcing vdbe.h and btree.h until after the "u8" and +** "BusyHandler" typedefs. vdbe.h also requires a few of the opaque +** pointer types (i.e. FuncDef) defined above. 
+*/ +/************** Include btree.h in the middle of sqliteInt.h *****************/ +/************** Begin file btree.h *******************************************/ +/* +** 2001 September 15 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** This header file defines the interface that the sqlite B-Tree file +** subsystem. See comments in the source code for a detailed description +** of what each interface routine does. +*/ +#ifndef _BTREE_H_ +#define _BTREE_H_ + +/* TODO: This definition is just included so other modules compile. It +** needs to be revisited. +*/ +#define SQLITE_N_BTREE_META 10 + +/* +** If defined as non-zero, auto-vacuum is enabled by default. Otherwise +** it must be turned on for each database using "PRAGMA auto_vacuum = 1". +*/ +#ifndef SQLITE_DEFAULT_AUTOVACUUM + #define SQLITE_DEFAULT_AUTOVACUUM 0 +#endif + +#define BTREE_AUTOVACUUM_NONE 0 /* Do not do auto-vacuum */ +#define BTREE_AUTOVACUUM_FULL 1 /* Do full auto-vacuum */ +#define BTREE_AUTOVACUUM_INCR 2 /* Incremental vacuum */ + +/* +** Forward declarations of structure +*/ +typedef struct Btree Btree; +typedef struct BtCursor BtCursor; +typedef struct BtShared BtShared; + + +SQLITE_PRIVATE int sqlite3BtreeOpen( + sqlite3_vfs *pVfs, /* VFS to use with this b-tree */ + const char *zFilename, /* Name of database file to open */ + sqlite3 *db, /* Associated database connection */ + Btree **ppBtree, /* Return open Btree* here */ + int flags, /* Flags */ + int vfsFlags /* Flags passed through to VFS open */ +); + +/* The flags parameter to sqlite3BtreeOpen can be the bitwise or of the +** following values. +** +** NOTE: These values must match the corresponding PAGER_ values in +** pager.h. 
+*/ +#define BTREE_OMIT_JOURNAL 1 /* Do not create or use a rollback journal */ +#define BTREE_MEMORY 2 /* This is an in-memory DB */ +#define BTREE_SINGLE 4 /* The file contains at most 1 b-tree */ +#define BTREE_UNORDERED 8 /* Use of a hash implementation is OK */ + +SQLITE_PRIVATE int sqlite3BtreeClose(Btree*); +SQLITE_PRIVATE int sqlite3BtreeSetCacheSize(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeSetSafetyLevel(Btree*,int,int,int); +SQLITE_PRIVATE int sqlite3BtreeSyncDisabled(Btree*); +SQLITE_PRIVATE int sqlite3BtreeSetPageSize(Btree *p, int nPagesize, int nReserve, int eFix); +SQLITE_PRIVATE int sqlite3BtreeGetPageSize(Btree*); +SQLITE_PRIVATE int sqlite3BtreeMaxPageCount(Btree*,int); +SQLITE_PRIVATE u32 sqlite3BtreeLastPage(Btree*); +SQLITE_PRIVATE int sqlite3BtreeSecureDelete(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeGetReserve(Btree*); +#if defined(SQLITE_HAS_CODEC) || defined(SQLITE_DEBUG) +SQLITE_PRIVATE int sqlite3BtreeGetReserveNoMutex(Btree *p); +#endif +SQLITE_PRIVATE int sqlite3BtreeSetAutoVacuum(Btree *, int); +SQLITE_PRIVATE int sqlite3BtreeGetAutoVacuum(Btree *); +SQLITE_PRIVATE int sqlite3BtreeBeginTrans(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeCommitPhaseOne(Btree*, const char *zMaster); +SQLITE_PRIVATE int sqlite3BtreeCommitPhaseTwo(Btree*, int); +SQLITE_PRIVATE int sqlite3BtreeCommit(Btree*); +SQLITE_PRIVATE int sqlite3BtreeRollback(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeBeginStmt(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeCreateTable(Btree*, int*, int flags); +SQLITE_PRIVATE int sqlite3BtreeIsInTrans(Btree*); +SQLITE_PRIVATE int sqlite3BtreeIsInReadTrans(Btree*); +SQLITE_PRIVATE int sqlite3BtreeIsInBackup(Btree*); +SQLITE_PRIVATE void *sqlite3BtreeSchema(Btree *, int, void(*)(void *)); +SQLITE_PRIVATE int sqlite3BtreeSchemaLocked(Btree *pBtree); +SQLITE_PRIVATE int sqlite3BtreeLockTable(Btree *pBtree, int iTab, u8 isWriteLock); +SQLITE_PRIVATE int sqlite3BtreeSavepoint(Btree *, int, int); + +SQLITE_PRIVATE const char 
*sqlite3BtreeGetFilename(Btree *); +SQLITE_PRIVATE const char *sqlite3BtreeGetJournalname(Btree *); +SQLITE_PRIVATE int sqlite3BtreeCopyFile(Btree *, Btree *); + +SQLITE_PRIVATE int sqlite3BtreeIncrVacuum(Btree *); + +/* The flags parameter to sqlite3BtreeCreateTable can be the bitwise OR +** of the flags shown below. +** +** Every SQLite table must have either BTREE_INTKEY or BTREE_BLOBKEY set. +** With BTREE_INTKEY, the table key is a 64-bit integer and arbitrary data +** is stored in the leaves. (BTREE_INTKEY is used for SQL tables.) With +** BTREE_BLOBKEY, the key is an arbitrary BLOB and no content is stored +** anywhere - the key is the content. (BTREE_BLOBKEY is used for SQL +** indices.) +*/ +#define BTREE_INTKEY 1 /* Table has only 64-bit signed integer keys */ +#define BTREE_BLOBKEY 2 /* Table has keys only - no data */ + +SQLITE_PRIVATE int sqlite3BtreeDropTable(Btree*, int, int*); +SQLITE_PRIVATE int sqlite3BtreeClearTable(Btree*, int, int*); +SQLITE_PRIVATE void sqlite3BtreeTripAllCursors(Btree*, int); + +SQLITE_PRIVATE void sqlite3BtreeGetMeta(Btree *pBtree, int idx, u32 *pValue); +SQLITE_PRIVATE int sqlite3BtreeUpdateMeta(Btree*, int idx, u32 value); + +SQLITE_PRIVATE int sqlite3BtreeNewDb(Btree *p); + +/* +** The second parameter to sqlite3BtreeGetMeta or sqlite3BtreeUpdateMeta +** should be one of the following values. The integer values are assigned +** to constants so that the offset of the corresponding field in an +** SQLite database header may be found using the following formula: +** +** offset = 36 + (idx * 4) +** +** For example, the free-page-count field is located at byte offset 36 of +** the database file header. The incr-vacuum-flag field is located at +** byte offset 64 (== 36+4*7). 
+*/ +#define BTREE_FREE_PAGE_COUNT 0 +#define BTREE_SCHEMA_VERSION 1 +#define BTREE_FILE_FORMAT 2 +#define BTREE_DEFAULT_CACHE_SIZE 3 +#define BTREE_LARGEST_ROOT_PAGE 4 +#define BTREE_TEXT_ENCODING 5 +#define BTREE_USER_VERSION 6 +#define BTREE_INCR_VACUUM 7 + +/* +** Values that may be OR'd together to form the second argument of an +** sqlite3BtreeCursorHints() call. +*/ +#define BTREE_BULKLOAD 0x00000001 + +SQLITE_PRIVATE int sqlite3BtreeCursor( + Btree*, /* BTree containing table to open */ + int iTable, /* Index of root page */ + int wrFlag, /* 1 for writing. 0 for read-only */ + struct KeyInfo*, /* First argument to compare function */ + BtCursor *pCursor /* Space to write cursor structure */ +); +SQLITE_PRIVATE int sqlite3BtreeCursorSize(void); +SQLITE_PRIVATE void sqlite3BtreeCursorZero(BtCursor*); + +SQLITE_PRIVATE int sqlite3BtreeCloseCursor(BtCursor*); +SQLITE_PRIVATE int sqlite3BtreeMovetoUnpacked( + BtCursor*, + UnpackedRecord *pUnKey, + i64 intKey, + int bias, + int *pRes +); +SQLITE_PRIVATE int sqlite3BtreeCursorHasMoved(BtCursor*, int*); +SQLITE_PRIVATE int sqlite3BtreeDelete(BtCursor*); +SQLITE_PRIVATE int sqlite3BtreeInsert(BtCursor*, const void *pKey, i64 nKey, + const void *pData, int nData, + int nZero, int bias, int seekResult); +SQLITE_PRIVATE int sqlite3BtreeFirst(BtCursor*, int *pRes); +SQLITE_PRIVATE int sqlite3BtreeLast(BtCursor*, int *pRes); +SQLITE_PRIVATE int sqlite3BtreeNext(BtCursor*, int *pRes); +SQLITE_PRIVATE int sqlite3BtreeEof(BtCursor*); +SQLITE_PRIVATE int sqlite3BtreePrevious(BtCursor*, int *pRes); +SQLITE_PRIVATE int sqlite3BtreeKeySize(BtCursor*, i64 *pSize); +SQLITE_PRIVATE int sqlite3BtreeKey(BtCursor*, u32 offset, u32 amt, void*); +SQLITE_PRIVATE const void *sqlite3BtreeKeyFetch(BtCursor*, int *pAmt); +SQLITE_PRIVATE const void *sqlite3BtreeDataFetch(BtCursor*, int *pAmt); +SQLITE_PRIVATE int sqlite3BtreeDataSize(BtCursor*, u32 *pSize); +SQLITE_PRIVATE int sqlite3BtreeData(BtCursor*, u32 offset, u32 amt, void*); 
+SQLITE_PRIVATE void sqlite3BtreeSetCachedRowid(BtCursor*, sqlite3_int64); +SQLITE_PRIVATE sqlite3_int64 sqlite3BtreeGetCachedRowid(BtCursor*); + +SQLITE_PRIVATE char *sqlite3BtreeIntegrityCheck(Btree*, int *aRoot, int nRoot, int, int*); +SQLITE_PRIVATE struct Pager *sqlite3BtreePager(Btree*); + +SQLITE_PRIVATE int sqlite3BtreePutData(BtCursor*, u32 offset, u32 amt, void*); +SQLITE_PRIVATE void sqlite3BtreeCacheOverflow(BtCursor *); +SQLITE_PRIVATE void sqlite3BtreeClearCursor(BtCursor *); +SQLITE_PRIVATE int sqlite3BtreeSetVersion(Btree *pBt, int iVersion); +SQLITE_PRIVATE void sqlite3BtreeCursorHints(BtCursor *, unsigned int mask); + +#ifndef NDEBUG +SQLITE_PRIVATE int sqlite3BtreeCursorIsValid(BtCursor*); +#endif + +#ifndef SQLITE_OMIT_BTREECOUNT +SQLITE_PRIVATE int sqlite3BtreeCount(BtCursor *, i64 *); +#endif + +#ifdef SQLITE_TEST +SQLITE_PRIVATE int sqlite3BtreeCursorInfo(BtCursor*, int*, int); +SQLITE_PRIVATE void sqlite3BtreeCursorList(Btree*); +#endif + +#ifndef SQLITE_OMIT_WAL +SQLITE_PRIVATE int sqlite3BtreeCheckpoint(Btree*, int, int *, int *); +#endif + +/* +** If we are not using shared cache, then there is no need to +** use mutexes to access the BtShared structures. So make the +** Enter and Leave procedures no-ops. +*/ +#ifndef SQLITE_OMIT_SHARED_CACHE +SQLITE_PRIVATE void sqlite3BtreeEnter(Btree*); +SQLITE_PRIVATE void sqlite3BtreeEnterAll(sqlite3*); +#else +# define sqlite3BtreeEnter(X) +# define sqlite3BtreeEnterAll(X) +#endif + +#if !defined(SQLITE_OMIT_SHARED_CACHE) && SQLITE_THREADSAFE +SQLITE_PRIVATE int sqlite3BtreeSharable(Btree*); +SQLITE_PRIVATE void sqlite3BtreeLeave(Btree*); +SQLITE_PRIVATE void sqlite3BtreeEnterCursor(BtCursor*); +SQLITE_PRIVATE void sqlite3BtreeLeaveCursor(BtCursor*); +SQLITE_PRIVATE void sqlite3BtreeLeaveAll(sqlite3*); +#ifndef NDEBUG + /* These routines are used inside assert() statements only. 
*/ +SQLITE_PRIVATE int sqlite3BtreeHoldsMutex(Btree*); +SQLITE_PRIVATE int sqlite3BtreeHoldsAllMutexes(sqlite3*); +SQLITE_PRIVATE int sqlite3SchemaMutexHeld(sqlite3*,int,Schema*); +#endif +#else + +# define sqlite3BtreeSharable(X) 0 +# define sqlite3BtreeLeave(X) +# define sqlite3BtreeEnterCursor(X) +# define sqlite3BtreeLeaveCursor(X) +# define sqlite3BtreeLeaveAll(X) + +# define sqlite3BtreeHoldsMutex(X) 1 +# define sqlite3BtreeHoldsAllMutexes(X) 1 +# define sqlite3SchemaMutexHeld(X,Y,Z) 1 +#endif + + +#endif /* _BTREE_H_ */ + +/************** End of btree.h ***********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include vdbe.h in the middle of sqliteInt.h ******************/ +/************** Begin file vdbe.h ********************************************/ +/* +** 2001 September 15 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** Header file for the Virtual DataBase Engine (VDBE) +** +** This header defines the interface to the virtual database engine +** or VDBE. The VDBE implements an abstract machine that runs a +** simple program to access and modify the underlying database. +*/ +#ifndef _SQLITE_VDBE_H_ +#define _SQLITE_VDBE_H_ +/* #include */ + +/* +** A single VDBE is an opaque structure named "Vdbe". Only routines +** in the source file sqliteVdbe.c are allowed to see the insides +** of this structure. +*/ +typedef struct Vdbe Vdbe; + +/* +** The names of the following types declared in vdbeInt.h are required +** for the VdbeOp definition. 
+*/ +typedef struct VdbeFunc VdbeFunc; +typedef struct Mem Mem; +typedef struct SubProgram SubProgram; + +/* +** A single instruction of the virtual machine has an opcode +** and as many as three operands. The instruction is recorded +** as an instance of the following structure: +*/ +struct VdbeOp { + u8 opcode; /* What operation to perform */ + signed char p4type; /* One of the P4_xxx constants for p4 */ + u8 opflags; /* Mask of the OPFLG_* flags in opcodes.h */ + u8 p5; /* Fifth parameter is an unsigned character */ + int p1; /* First operand */ + int p2; /* Second parameter (often the jump destination) */ + int p3; /* The third parameter */ + union { /* fourth parameter */ + int i; /* Integer value if p4type==P4_INT32 */ + void *p; /* Generic pointer */ + char *z; /* Pointer to data for string (char array) types */ + i64 *pI64; /* Used when p4type is P4_INT64 */ + double *pReal; /* Used when p4type is P4_REAL */ + FuncDef *pFunc; /* Used when p4type is P4_FUNCDEF */ + VdbeFunc *pVdbeFunc; /* Used when p4type is P4_VDBEFUNC */ + CollSeq *pColl; /* Used when p4type is P4_COLLSEQ */ + Mem *pMem; /* Used when p4type is P4_MEM */ + VTable *pVtab; /* Used when p4type is P4_VTAB */ + KeyInfo *pKeyInfo; /* Used when p4type is P4_KEYINFO */ + int *ai; /* Used when p4type is P4_INTARRAY */ + SubProgram *pProgram; /* Used when p4type is P4_SUBPROGRAM */ + int (*xAdvance)(BtCursor *, int *); + } p4; +#ifdef SQLITE_DEBUG + char *zComment; /* Comment to improve readability */ +#endif +#ifdef VDBE_PROFILE + int cnt; /* Number of times this instruction was executed */ + u64 cycles; /* Total time spent executing this instruction */ +#endif +}; +typedef struct VdbeOp VdbeOp; + + +/* +** A sub-routine used to implement a trigger program. 
+*/ +struct SubProgram { + VdbeOp *aOp; /* Array of opcodes for sub-program */ + int nOp; /* Elements in aOp[] */ + int nMem; /* Number of memory cells required */ + int nCsr; /* Number of cursors required */ + int nOnce; /* Number of OP_Once instructions */ + void *token; /* id that may be used to recursive triggers */ + SubProgram *pNext; /* Next sub-program already visited */ +}; + +/* +** A smaller version of VdbeOp used for the VdbeAddOpList() function because +** it takes up less space. +*/ +struct VdbeOpList { + u8 opcode; /* What operation to perform */ + signed char p1; /* First operand */ + signed char p2; /* Second parameter (often the jump destination) */ + signed char p3; /* Third parameter */ +}; +typedef struct VdbeOpList VdbeOpList; + +/* +** Allowed values of VdbeOp.p4type +*/ +#define P4_NOTUSED 0 /* The P4 parameter is not used */ +#define P4_DYNAMIC (-1) /* Pointer to a string obtained from sqliteMalloc() */ +#define P4_STATIC (-2) /* Pointer to a static string */ +#define P4_COLLSEQ (-4) /* P4 is a pointer to a CollSeq structure */ +#define P4_FUNCDEF (-5) /* P4 is a pointer to a FuncDef structure */ +#define P4_KEYINFO (-6) /* P4 is a pointer to a KeyInfo structure */ +#define P4_VDBEFUNC (-7) /* P4 is a pointer to a VdbeFunc structure */ +#define P4_MEM (-8) /* P4 is a pointer to a Mem* structure */ +#define P4_TRANSIENT 0 /* P4 is a pointer to a transient string */ +#define P4_VTAB (-10) /* P4 is a pointer to an sqlite3_vtab structure */ +#define P4_MPRINTF (-11) /* P4 is a string obtained from sqlite3_mprintf() */ +#define P4_REAL (-12) /* P4 is a 64-bit floating point value */ +#define P4_INT64 (-13) /* P4 is a 64-bit signed integer */ +#define P4_INT32 (-14) /* P4 is a 32-bit signed integer */ +#define P4_INTARRAY (-15) /* P4 is a vector of 32-bit integers */ +#define P4_SUBPROGRAM (-18) /* P4 is a pointer to a SubProgram structure */ +#define P4_ADVANCE (-19) /* P4 is a pointer to BtreeNext() or BtreePrev() */ + +/* When adding a P4 
argument using P4_KEYINFO, a copy of the KeyInfo structure +** is made. That copy is freed when the Vdbe is finalized. But if the +** argument is P4_KEYINFO_HANDOFF, the passed in pointer is used. It still +** gets freed when the Vdbe is finalized so it still should be obtained +** from a single sqliteMalloc(). But no copy is made and the calling +** function should *not* try to free the KeyInfo. +*/ +#define P4_KEYINFO_HANDOFF (-16) +#define P4_KEYINFO_STATIC (-17) + +/* +** The Vdbe.aColName array contains 5n Mem structures, where n is the +** number of columns of data returned by the statement. +*/ +#define COLNAME_NAME 0 +#define COLNAME_DECLTYPE 1 +#define COLNAME_DATABASE 2 +#define COLNAME_TABLE 3 +#define COLNAME_COLUMN 4 +#ifdef SQLITE_ENABLE_COLUMN_METADATA +# define COLNAME_N 5 /* Number of COLNAME_xxx symbols */ +#else +# ifdef SQLITE_OMIT_DECLTYPE +# define COLNAME_N 1 /* Store only the name */ +# else +# define COLNAME_N 2 /* Store the name and decltype */ +# endif +#endif + +/* +** The following macro converts a relative address in the p2 field +** of a VdbeOp structure into a negative number so that +** sqlite3VdbeAddOpList() knows that the address is relative. Calling +** the macro again restores the address. +*/ +#define ADDR(X) (-1-(X)) + +/* +** The makefile scans the vdbe.c source file and creates the "opcodes.h" +** header file that defines a number for each opcode used by the VDBE. +*/ +/************** Include opcodes.h in the middle of vdbe.h ********************/ +/************** Begin file opcodes.h *****************************************/ +/* Automatically generated. 
Do not edit */ +/* See the mkopcodeh.awk script for details */ +#define OP_Goto 1 +#define OP_Gosub 2 +#define OP_Return 3 +#define OP_Yield 4 +#define OP_HaltIfNull 5 +#define OP_Halt 6 +#define OP_Integer 7 +#define OP_Int64 8 +#define OP_Real 130 /* same as TK_FLOAT */ +#define OP_String8 94 /* same as TK_STRING */ +#define OP_String 9 +#define OP_Null 10 +#define OP_Blob 11 +#define OP_Variable 12 +#define OP_Move 13 +#define OP_Copy 14 +#define OP_SCopy 15 +#define OP_ResultRow 16 +#define OP_Concat 91 /* same as TK_CONCAT */ +#define OP_Add 86 /* same as TK_PLUS */ +#define OP_Subtract 87 /* same as TK_MINUS */ +#define OP_Multiply 88 /* same as TK_STAR */ +#define OP_Divide 89 /* same as TK_SLASH */ +#define OP_Remainder 90 /* same as TK_REM */ +#define OP_CollSeq 17 +#define OP_Function 18 +#define OP_BitAnd 82 /* same as TK_BITAND */ +#define OP_BitOr 83 /* same as TK_BITOR */ +#define OP_ShiftLeft 84 /* same as TK_LSHIFT */ +#define OP_ShiftRight 85 /* same as TK_RSHIFT */ +#define OP_AddImm 20 +#define OP_MustBeInt 21 +#define OP_RealAffinity 22 +#define OP_ToText 141 /* same as TK_TO_TEXT */ +#define OP_ToBlob 142 /* same as TK_TO_BLOB */ +#define OP_ToNumeric 143 /* same as TK_TO_NUMERIC*/ +#define OP_ToInt 144 /* same as TK_TO_INT */ +#define OP_ToReal 145 /* same as TK_TO_REAL */ +#define OP_Eq 76 /* same as TK_EQ */ +#define OP_Ne 75 /* same as TK_NE */ +#define OP_Lt 79 /* same as TK_LT */ +#define OP_Le 78 /* same as TK_LE */ +#define OP_Gt 77 /* same as TK_GT */ +#define OP_Ge 80 /* same as TK_GE */ +#define OP_Permutation 23 +#define OP_Compare 24 +#define OP_Jump 25 +#define OP_And 69 /* same as TK_AND */ +#define OP_Or 68 /* same as TK_OR */ +#define OP_Not 19 /* same as TK_NOT */ +#define OP_BitNot 93 /* same as TK_BITNOT */ +#define OP_Once 26 +#define OP_If 27 +#define OP_IfNot 28 +#define OP_IsNull 73 /* same as TK_ISNULL */ +#define OP_NotNull 74 /* same as TK_NOTNULL */ +#define OP_Column 29 +#define OP_Affinity 30 +#define OP_MakeRecord 
31 +#define OP_Count 32 +#define OP_Savepoint 33 +#define OP_AutoCommit 34 +#define OP_Transaction 35 +#define OP_ReadCookie 36 +#define OP_SetCookie 37 +#define OP_VerifyCookie 38 +#define OP_OpenRead 39 +#define OP_OpenWrite 40 +#define OP_OpenAutoindex 41 +#define OP_OpenEphemeral 42 +#define OP_SorterOpen 43 +#define OP_OpenPseudo 44 +#define OP_Close 45 +#define OP_SeekLt 46 +#define OP_SeekLe 47 +#define OP_SeekGe 48 +#define OP_SeekGt 49 +#define OP_Seek 50 +#define OP_NotFound 51 +#define OP_Found 52 +#define OP_IsUnique 53 +#define OP_NotExists 54 +#define OP_Sequence 55 +#define OP_NewRowid 56 +#define OP_Insert 57 +#define OP_InsertInt 58 +#define OP_Delete 59 +#define OP_ResetCount 60 +#define OP_SorterCompare 61 +#define OP_SorterData 62 +#define OP_RowKey 63 +#define OP_RowData 64 +#define OP_Rowid 65 +#define OP_NullRow 66 +#define OP_Last 67 +#define OP_SorterSort 70 +#define OP_Sort 71 +#define OP_Rewind 72 +#define OP_SorterNext 81 +#define OP_Prev 92 +#define OP_Next 95 +#define OP_SorterInsert 96 +#define OP_IdxInsert 97 +#define OP_IdxDelete 98 +#define OP_IdxRowid 99 +#define OP_IdxLT 100 +#define OP_IdxGE 101 +#define OP_Destroy 102 +#define OP_Clear 103 +#define OP_CreateIndex 104 +#define OP_CreateTable 105 +#define OP_ParseSchema 106 +#define OP_LoadAnalysis 107 +#define OP_DropTable 108 +#define OP_DropIndex 109 +#define OP_DropTrigger 110 +#define OP_IntegrityCk 111 +#define OP_RowSetAdd 112 +#define OP_RowSetRead 113 +#define OP_RowSetTest 114 +#define OP_Program 115 +#define OP_Param 116 +#define OP_FkCounter 117 +#define OP_FkIfZero 118 +#define OP_MemMax 119 +#define OP_IfPos 120 +#define OP_IfNeg 121 +#define OP_IfZero 122 +#define OP_AggStep 123 +#define OP_AggFinal 124 +#define OP_Checkpoint 125 +#define OP_JournalMode 126 +#define OP_Vacuum 127 +#define OP_IncrVacuum 128 +#define OP_Expire 129 +#define OP_TableLock 131 +#define OP_VBegin 132 +#define OP_VCreate 133 +#define OP_VDestroy 134 +#define OP_VOpen 135 +#define 
OP_VFilter 136 +#define OP_VColumn 137 +#define OP_VNext 138 +#define OP_VRename 139 +#define OP_VUpdate 140 +#define OP_Pagecount 146 +#define OP_MaxPgcnt 147 +#define OP_Trace 148 +#define OP_Noop 149 +#define OP_Explain 150 + + +/* Properties such as "out2" or "jump" that are specified in +** comments following the "case" for each opcode in the vdbe.c +** are encoded into bitvectors as follows: +*/ +#define OPFLG_JUMP 0x0001 /* jump: P2 holds jmp target */ +#define OPFLG_OUT2_PRERELEASE 0x0002 /* out2-prerelease: */ +#define OPFLG_IN1 0x0004 /* in1: P1 is an input */ +#define OPFLG_IN2 0x0008 /* in2: P2 is an input */ +#define OPFLG_IN3 0x0010 /* in3: P3 is an input */ +#define OPFLG_OUT2 0x0020 /* out2: P2 is an output */ +#define OPFLG_OUT3 0x0040 /* out3: P3 is an output */ +#define OPFLG_INITIALIZER {\ +/* 0 */ 0x00, 0x01, 0x01, 0x04, 0x04, 0x10, 0x00, 0x02,\ +/* 8 */ 0x02, 0x02, 0x02, 0x02, 0x02, 0x00, 0x00, 0x24,\ +/* 16 */ 0x00, 0x00, 0x00, 0x24, 0x04, 0x05, 0x04, 0x00,\ +/* 24 */ 0x00, 0x01, 0x01, 0x05, 0x05, 0x00, 0x00, 0x00,\ +/* 32 */ 0x02, 0x00, 0x00, 0x00, 0x02, 0x10, 0x00, 0x00,\ +/* 40 */ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x11,\ +/* 48 */ 0x11, 0x11, 0x08, 0x11, 0x11, 0x11, 0x11, 0x02,\ +/* 56 */ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\ +/* 64 */ 0x00, 0x02, 0x00, 0x01, 0x4c, 0x4c, 0x01, 0x01,\ +/* 72 */ 0x01, 0x05, 0x05, 0x15, 0x15, 0x15, 0x15, 0x15,\ +/* 80 */ 0x15, 0x01, 0x4c, 0x4c, 0x4c, 0x4c, 0x4c, 0x4c,\ +/* 88 */ 0x4c, 0x4c, 0x4c, 0x4c, 0x01, 0x24, 0x02, 0x01,\ +/* 96 */ 0x08, 0x08, 0x00, 0x02, 0x01, 0x01, 0x02, 0x00,\ +/* 104 */ 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\ +/* 112 */ 0x0c, 0x45, 0x15, 0x01, 0x02, 0x00, 0x01, 0x08,\ +/* 120 */ 0x05, 0x05, 0x05, 0x00, 0x00, 0x00, 0x02, 0x00,\ +/* 128 */ 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,\ +/* 136 */ 0x01, 0x00, 0x01, 0x00, 0x00, 0x04, 0x04, 0x04,\ +/* 144 */ 0x04, 0x04, 0x02, 0x02, 0x00, 0x00, 0x00,} + +/************** End of opcodes.h 
*********************************************/ +/************** Continuing where we left off in vdbe.h ***********************/ + +/* +** Prototypes for the VDBE interface. See comments on the implementation +** for a description of what each of these routines does. +*/ +SQLITE_PRIVATE Vdbe *sqlite3VdbeCreate(sqlite3*); +SQLITE_PRIVATE int sqlite3VdbeAddOp0(Vdbe*,int); +SQLITE_PRIVATE int sqlite3VdbeAddOp1(Vdbe*,int,int); +SQLITE_PRIVATE int sqlite3VdbeAddOp2(Vdbe*,int,int,int); +SQLITE_PRIVATE int sqlite3VdbeAddOp3(Vdbe*,int,int,int,int); +SQLITE_PRIVATE int sqlite3VdbeAddOp4(Vdbe*,int,int,int,int,const char *zP4,int); +SQLITE_PRIVATE int sqlite3VdbeAddOp4Int(Vdbe*,int,int,int,int,int); +SQLITE_PRIVATE int sqlite3VdbeAddOpList(Vdbe*, int nOp, VdbeOpList const *aOp); +SQLITE_PRIVATE void sqlite3VdbeAddParseSchemaOp(Vdbe*,int,char*); +SQLITE_PRIVATE void sqlite3VdbeChangeP1(Vdbe*, u32 addr, int P1); +SQLITE_PRIVATE void sqlite3VdbeChangeP2(Vdbe*, u32 addr, int P2); +SQLITE_PRIVATE void sqlite3VdbeChangeP3(Vdbe*, u32 addr, int P3); +SQLITE_PRIVATE void sqlite3VdbeChangeP5(Vdbe*, u8 P5); +SQLITE_PRIVATE void sqlite3VdbeJumpHere(Vdbe*, int addr); +SQLITE_PRIVATE void sqlite3VdbeChangeToNoop(Vdbe*, int addr); +SQLITE_PRIVATE void sqlite3VdbeChangeP4(Vdbe*, int addr, const char *zP4, int N); +SQLITE_PRIVATE void sqlite3VdbeUsesBtree(Vdbe*, int); +SQLITE_PRIVATE VdbeOp *sqlite3VdbeGetOp(Vdbe*, int); +SQLITE_PRIVATE int sqlite3VdbeMakeLabel(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeRunOnlyOnce(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeDelete(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeClearObject(sqlite3*,Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeMakeReady(Vdbe*,Parse*); +SQLITE_PRIVATE int sqlite3VdbeFinalize(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeResolveLabel(Vdbe*, int); +SQLITE_PRIVATE int sqlite3VdbeCurrentAddr(Vdbe*); +#ifdef SQLITE_DEBUG +SQLITE_PRIVATE int sqlite3VdbeAssertMayAbort(Vdbe *, int); +SQLITE_PRIVATE void sqlite3VdbeTrace(Vdbe*,FILE*); +#endif +SQLITE_PRIVATE 
void sqlite3VdbeResetStepResult(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeRewind(Vdbe*); +SQLITE_PRIVATE int sqlite3VdbeReset(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeSetNumCols(Vdbe*,int); +SQLITE_PRIVATE int sqlite3VdbeSetColName(Vdbe*, int, int, const char *, void(*)(void*)); +SQLITE_PRIVATE void sqlite3VdbeCountChanges(Vdbe*); +SQLITE_PRIVATE sqlite3 *sqlite3VdbeDb(Vdbe*); +SQLITE_PRIVATE void sqlite3VdbeSetSql(Vdbe*, const char *z, int n, int); +SQLITE_PRIVATE void sqlite3VdbeSwap(Vdbe*,Vdbe*); +SQLITE_PRIVATE VdbeOp *sqlite3VdbeTakeOpArray(Vdbe*, int*, int*); +SQLITE_PRIVATE sqlite3_value *sqlite3VdbeGetValue(Vdbe*, int, u8); +SQLITE_PRIVATE void sqlite3VdbeSetVarmask(Vdbe*, int); +#ifndef SQLITE_OMIT_TRACE +SQLITE_PRIVATE char *sqlite3VdbeExpandSql(Vdbe*, const char*); +#endif + +SQLITE_PRIVATE void sqlite3VdbeRecordUnpack(KeyInfo*,int,const void*,UnpackedRecord*); +SQLITE_PRIVATE int sqlite3VdbeRecordCompare(int,const void*,UnpackedRecord*); +SQLITE_PRIVATE UnpackedRecord *sqlite3VdbeAllocUnpackedRecord(KeyInfo *, char *, int, char **); + +#ifndef SQLITE_OMIT_TRIGGER +SQLITE_PRIVATE void sqlite3VdbeLinkSubProgram(Vdbe *, SubProgram *); +#endif + + +#ifndef NDEBUG +SQLITE_PRIVATE void sqlite3VdbeComment(Vdbe*, const char*, ...); +# define VdbeComment(X) sqlite3VdbeComment X +SQLITE_PRIVATE void sqlite3VdbeNoopComment(Vdbe*, const char*, ...); +# define VdbeNoopComment(X) sqlite3VdbeNoopComment X +#else +# define VdbeComment(X) +# define VdbeNoopComment(X) +#endif + +#endif + +/************** End of vdbe.h ************************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include pager.h in the middle of sqliteInt.h *****************/ +/************** Begin file pager.h *******************************************/ +/* +** 2001 September 15 +** +** The author disclaims copyright to this source code. 
In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** This header file defines the interface that the sqlite page cache +** subsystem. The page cache subsystem reads and writes a file a page +** at a time and provides a journal for rollback. +*/ + +#ifndef _PAGER_H_ +#define _PAGER_H_ + +/* +** Default maximum size for persistent journal files. A negative +** value means no limit. This value may be overridden using the +** sqlite3PagerJournalSizeLimit() API. See also "PRAGMA journal_size_limit". +*/ +#ifndef SQLITE_DEFAULT_JOURNAL_SIZE_LIMIT + #define SQLITE_DEFAULT_JOURNAL_SIZE_LIMIT -1 +#endif + +/* +** The type used to represent a page number. The first page in a file +** is called page 1. 0 is used to represent "not a page". +*/ +typedef u32 Pgno; + +/* +** Each open file is managed by a separate instance of the "Pager" structure. +*/ +typedef struct Pager Pager; + +/* +** Handle type for pages. +*/ +typedef struct PgHdr DbPage; + +/* +** Page number PAGER_MJ_PGNO is never used in an SQLite database (it is +** reserved for working around a windows/posix incompatibility). It is +** used in the journal to signify that the remainder of the journal file +** is devoted to storing a master journal name - there are no more pages to +** roll back. See comments for function writeMasterJournal() in pager.c +** for details. +*/ +#define PAGER_MJ_PGNO(x) ((Pgno)((PENDING_BYTE/((x)->pageSize))+1)) + +/* +** Allowed values for the flags parameter to sqlite3PagerOpen(). +** +** NOTE: These values must match the corresponding BTREE_ values in btree.h. 
+*/ +#define PAGER_OMIT_JOURNAL 0x0001 /* Do not use a rollback journal */ +#define PAGER_MEMORY 0x0002 /* In-memory database */ + +/* +** Valid values for the second argument to sqlite3PagerLockingMode(). +*/ +#define PAGER_LOCKINGMODE_QUERY -1 +#define PAGER_LOCKINGMODE_NORMAL 0 +#define PAGER_LOCKINGMODE_EXCLUSIVE 1 + +/* +** Numeric constants that encode the journalmode. +*/ +#define PAGER_JOURNALMODE_QUERY (-1) /* Query the value of journalmode */ +#define PAGER_JOURNALMODE_DELETE 0 /* Commit by deleting journal file */ +#define PAGER_JOURNALMODE_PERSIST 1 /* Commit by zeroing journal header */ +#define PAGER_JOURNALMODE_OFF 2 /* Journal omitted. */ +#define PAGER_JOURNALMODE_TRUNCATE 3 /* Commit by truncating journal */ +#define PAGER_JOURNALMODE_MEMORY 4 /* In-memory journal file */ +#define PAGER_JOURNALMODE_WAL 5 /* Use write-ahead logging */ + +/* +** The remainder of this file contains the declarations of the functions +** that make up the Pager sub-system API. See source code comments for +** a detailed description of each routine. +*/ + +/* Open and close a Pager connection. */ +SQLITE_PRIVATE int sqlite3PagerOpen( + sqlite3_vfs*, + Pager **ppPager, + const char*, + int, + int, + int, + void(*)(DbPage*) +); +SQLITE_PRIVATE int sqlite3PagerClose(Pager *pPager); +SQLITE_PRIVATE int sqlite3PagerReadFileheader(Pager*, int, unsigned char*); + +/* Functions used to configure a Pager object. 
*/ +SQLITE_PRIVATE void sqlite3PagerSetBusyhandler(Pager*, int(*)(void *), void *); +SQLITE_PRIVATE int sqlite3PagerSetPagesize(Pager*, u32*, int); +SQLITE_PRIVATE int sqlite3PagerMaxPageCount(Pager*, int); +SQLITE_PRIVATE void sqlite3PagerSetCachesize(Pager*, int); +SQLITE_PRIVATE void sqlite3PagerShrink(Pager*); +SQLITE_PRIVATE void sqlite3PagerSetSafetyLevel(Pager*,int,int,int); +SQLITE_PRIVATE int sqlite3PagerLockingMode(Pager *, int); +SQLITE_PRIVATE int sqlite3PagerSetJournalMode(Pager *, int); +SQLITE_PRIVATE int sqlite3PagerGetJournalMode(Pager*); +SQLITE_PRIVATE int sqlite3PagerOkToChangeJournalMode(Pager*); +SQLITE_PRIVATE i64 sqlite3PagerJournalSizeLimit(Pager *, i64); +SQLITE_PRIVATE sqlite3_backup **sqlite3PagerBackupPtr(Pager*); + +/* Functions used to obtain and release page references. */ +SQLITE_PRIVATE int sqlite3PagerAcquire(Pager *pPager, Pgno pgno, DbPage **ppPage, int clrFlag); +#define sqlite3PagerGet(A,B,C) sqlite3PagerAcquire(A,B,C,0) +SQLITE_PRIVATE DbPage *sqlite3PagerLookup(Pager *pPager, Pgno pgno); +SQLITE_PRIVATE void sqlite3PagerRef(DbPage*); +SQLITE_PRIVATE void sqlite3PagerUnref(DbPage*); + +/* Operations on page references. */ +SQLITE_PRIVATE int sqlite3PagerWrite(DbPage*); +SQLITE_PRIVATE void sqlite3PagerDontWrite(DbPage*); +SQLITE_PRIVATE int sqlite3PagerMovepage(Pager*,DbPage*,Pgno,int); +SQLITE_PRIVATE int sqlite3PagerPageRefcount(DbPage*); +SQLITE_PRIVATE void *sqlite3PagerGetData(DbPage *); +SQLITE_PRIVATE void *sqlite3PagerGetExtra(DbPage *); + +/* Functions used to manage pager transactions and savepoints. 
*/ +SQLITE_PRIVATE void sqlite3PagerPagecount(Pager*, int*); +SQLITE_PRIVATE int sqlite3PagerBegin(Pager*, int exFlag, int); +SQLITE_PRIVATE int sqlite3PagerCommitPhaseOne(Pager*,const char *zMaster, int); +SQLITE_PRIVATE int sqlite3PagerExclusiveLock(Pager*); +SQLITE_PRIVATE int sqlite3PagerSync(Pager *pPager); +SQLITE_PRIVATE int sqlite3PagerCommitPhaseTwo(Pager*); +SQLITE_PRIVATE int sqlite3PagerRollback(Pager*); +SQLITE_PRIVATE int sqlite3PagerOpenSavepoint(Pager *pPager, int n); +SQLITE_PRIVATE int sqlite3PagerSavepoint(Pager *pPager, int op, int iSavepoint); +SQLITE_PRIVATE int sqlite3PagerSharedLock(Pager *pPager); + +#ifndef SQLITE_OMIT_WAL +SQLITE_PRIVATE int sqlite3PagerCheckpoint(Pager *pPager, int, int*, int*); +SQLITE_PRIVATE int sqlite3PagerWalSupported(Pager *pPager); +SQLITE_PRIVATE int sqlite3PagerWalCallback(Pager *pPager); +SQLITE_PRIVATE int sqlite3PagerOpenWal(Pager *pPager, int *pisOpen); +SQLITE_PRIVATE int sqlite3PagerCloseWal(Pager *pPager); +#endif + +#ifdef SQLITE_ENABLE_ZIPVFS +SQLITE_PRIVATE int sqlite3PagerWalFramesize(Pager *pPager); +#endif + +/* Functions used to query pager state and configuration. */ +SQLITE_PRIVATE u8 sqlite3PagerIsreadonly(Pager*); +SQLITE_PRIVATE int sqlite3PagerRefcount(Pager*); +SQLITE_PRIVATE int sqlite3PagerMemUsed(Pager*); +SQLITE_PRIVATE const char *sqlite3PagerFilename(Pager*, int); +SQLITE_PRIVATE const sqlite3_vfs *sqlite3PagerVfs(Pager*); +SQLITE_PRIVATE sqlite3_file *sqlite3PagerFile(Pager*); +SQLITE_PRIVATE const char *sqlite3PagerJournalname(Pager*); +SQLITE_PRIVATE int sqlite3PagerNosync(Pager*); +SQLITE_PRIVATE void *sqlite3PagerTempSpace(Pager*); +SQLITE_PRIVATE int sqlite3PagerIsMemdb(Pager*); +SQLITE_PRIVATE void sqlite3PagerCacheStat(Pager *, int, int, int *); +SQLITE_PRIVATE void sqlite3PagerClearCache(Pager *); +SQLITE_PRIVATE int sqlite3SectorSize(sqlite3_file *); + +/* Functions used to truncate the database file. 
*/ +SQLITE_PRIVATE void sqlite3PagerTruncateImage(Pager*,Pgno); + +#if defined(SQLITE_HAS_CODEC) && !defined(SQLITE_OMIT_WAL) +SQLITE_PRIVATE void *sqlite3PagerCodec(DbPage *); +#endif + +/* Functions to support testing and debugging. */ +#if !defined(NDEBUG) || defined(SQLITE_TEST) +SQLITE_PRIVATE Pgno sqlite3PagerPagenumber(DbPage*); +SQLITE_PRIVATE int sqlite3PagerIswriteable(DbPage*); +#endif +#ifdef SQLITE_TEST +SQLITE_PRIVATE int *sqlite3PagerStats(Pager*); +SQLITE_PRIVATE void sqlite3PagerRefdump(Pager*); + void disable_simulated_io_errors(void); + void enable_simulated_io_errors(void); +#else +# define disable_simulated_io_errors() +# define enable_simulated_io_errors() +#endif + +#endif /* _PAGER_H_ */ + +/************** End of pager.h ***********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include pcache.h in the middle of sqliteInt.h ****************/ +/************** Begin file pcache.h ******************************************/ +/* +** 2008 August 05 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** This header file defines the interface that the sqlite page cache +** subsystem. +*/ + +#ifndef _PCACHE_H_ + +typedef struct PgHdr PgHdr; +typedef struct PCache PCache; + +/* +** Every page in the cache is controlled by an instance of the following +** structure. 
+*/ +struct PgHdr { + sqlite3_pcache_page *pPage; /* Pcache object page handle */ + void *pData; /* Page data */ + void *pExtra; /* Extra content */ + PgHdr *pDirty; /* Transient list of dirty pages */ + Pager *pPager; /* The pager this page is part of */ + Pgno pgno; /* Page number for this page */ +#ifdef SQLITE_CHECK_PAGES + u32 pageHash; /* Hash of page content */ +#endif + u16 flags; /* PGHDR flags defined below */ + + /********************************************************************** + ** Elements above are public. All that follows is private to pcache.c + ** and should not be accessed by other modules. + */ + i16 nRef; /* Number of users of this page */ + PCache *pCache; /* Cache that owns this page */ + + PgHdr *pDirtyNext; /* Next element in list of dirty pages */ + PgHdr *pDirtyPrev; /* Previous element in list of dirty pages */ +}; + +/* Bit values for PgHdr.flags */ +#define PGHDR_DIRTY 0x002 /* Page has changed */ +#define PGHDR_NEED_SYNC 0x004 /* Fsync the rollback journal before + ** writing this page to the database */ +#define PGHDR_NEED_READ 0x008 /* Content is unread */ +#define PGHDR_REUSE_UNLIKELY 0x010 /* A hint that reuse is unlikely */ +#define PGHDR_DONT_WRITE 0x020 /* Do not write content to disk */ + +/* Initialize and shutdown the page cache subsystem */ +SQLITE_PRIVATE int sqlite3PcacheInitialize(void); +SQLITE_PRIVATE void sqlite3PcacheShutdown(void); + +/* Page cache buffer management: +** These routines implement SQLITE_CONFIG_PAGECACHE. +*/ +SQLITE_PRIVATE void sqlite3PCacheBufferSetup(void *, int sz, int n); + +/* Create a new pager cache. +** Under memory stress, invoke xStress to try to make pages clean. +** Only clean and unpinned pages can be reclaimed. 
+*/ +SQLITE_PRIVATE void sqlite3PcacheOpen( + int szPage, /* Size of every page */ + int szExtra, /* Extra space associated with each page */ + int bPurgeable, /* True if pages are on backing store */ + int (*xStress)(void*, PgHdr*), /* Call to try to make pages clean */ + void *pStress, /* Argument to xStress */ + PCache *pToInit /* Preallocated space for the PCache */ +); + +/* Modify the page-size after the cache has been created. */ +SQLITE_PRIVATE void sqlite3PcacheSetPageSize(PCache *, int); + +/* Return the size in bytes of a PCache object. Used to preallocate +** storage space. +*/ +SQLITE_PRIVATE int sqlite3PcacheSize(void); + +/* One release per successful fetch. Page is pinned until released. +** Reference counted. +*/ +SQLITE_PRIVATE int sqlite3PcacheFetch(PCache*, Pgno, int createFlag, PgHdr**); +SQLITE_PRIVATE void sqlite3PcacheRelease(PgHdr*); + +SQLITE_PRIVATE void sqlite3PcacheDrop(PgHdr*); /* Remove page from cache */ +SQLITE_PRIVATE void sqlite3PcacheMakeDirty(PgHdr*); /* Make sure page is marked dirty */ +SQLITE_PRIVATE void sqlite3PcacheMakeClean(PgHdr*); /* Mark a single page as clean */ +SQLITE_PRIVATE void sqlite3PcacheCleanAll(PCache*); /* Mark all dirty list pages as clean */ + +/* Change a page number. Used by incr-vacuum. */ +SQLITE_PRIVATE void sqlite3PcacheMove(PgHdr*, Pgno); + +/* Remove all pages with pgno>x. 
Reset the cache if x==0 */ +SQLITE_PRIVATE void sqlite3PcacheTruncate(PCache*, Pgno x); + +/* Get a list of all dirty pages in the cache, sorted by page number */ +SQLITE_PRIVATE PgHdr *sqlite3PcacheDirtyList(PCache*); + +/* Reset and close the cache object */ +SQLITE_PRIVATE void sqlite3PcacheClose(PCache*); + +/* Clear flags from pages of the page cache */ +SQLITE_PRIVATE void sqlite3PcacheClearSyncFlags(PCache *); + +/* Discard the contents of the cache */ +SQLITE_PRIVATE void sqlite3PcacheClear(PCache*); + +/* Return the total number of outstanding page references */ +SQLITE_PRIVATE int sqlite3PcacheRefCount(PCache*); + +/* Increment the reference count of an existing page */ +SQLITE_PRIVATE void sqlite3PcacheRef(PgHdr*); + +SQLITE_PRIVATE int sqlite3PcachePageRefcount(PgHdr*); + +/* Return the total number of pages stored in the cache */ +SQLITE_PRIVATE int sqlite3PcachePagecount(PCache*); + +#if defined(SQLITE_CHECK_PAGES) || defined(SQLITE_DEBUG) +/* Iterate through all dirty pages currently stored in the cache. This +** interface is only available if SQLITE_CHECK_PAGES is defined when the +** library is built. +*/ +SQLITE_PRIVATE void sqlite3PcacheIterateDirty(PCache *pCache, void (*xIter)(PgHdr *)); +#endif + +/* Set and get the suggested cache-size for the specified pager-cache. +** +** If no global maximum is configured, then the system attempts to limit +** the total number of pages cached by purgeable pager-caches to the sum +** of the suggested cache-sizes. 
+*/ +SQLITE_PRIVATE void sqlite3PcacheSetCachesize(PCache *, int); +#ifdef SQLITE_TEST +SQLITE_PRIVATE int sqlite3PcacheGetCachesize(PCache *); +#endif + +/* Free up as much memory as possible from the page cache */ +SQLITE_PRIVATE void sqlite3PcacheShrink(PCache*); + +#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT +/* Try to return memory used by the pcache module to the main memory heap */ +SQLITE_PRIVATE int sqlite3PcacheReleaseMemory(int); +#endif + +#ifdef SQLITE_TEST +SQLITE_PRIVATE void sqlite3PcacheStats(int*,int*,int*,int*); +#endif + +SQLITE_PRIVATE void sqlite3PCacheSetDefault(void); + +#endif /* _PCACHE_H_ */ + +/************** End of pcache.h **********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ + +/************** Include os.h in the middle of sqliteInt.h ********************/ +/************** Begin file os.h **********************************************/ +/* +** 2001 September 16 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +****************************************************************************** +** +** This header file (together with is companion C source-code file +** "os.c") attempt to abstract the underlying operating system so that +** the SQLite library will work on both POSIX and windows systems. +** +** This header file is #include-ed by sqliteInt.h and thus ends up +** being included by every source file. +*/ +#ifndef _SQLITE_OS_H_ +#define _SQLITE_OS_H_ + +/* +** Figure out if we are dealing with Unix, Windows, or some other +** operating system. After the following block of preprocess macros, +** all of SQLITE_OS_UNIX, SQLITE_OS_WIN, and SQLITE_OS_OTHER +** will defined to either 1 or 0. One of the four will be 1. 
The other +** three will be 0. +*/ +#if defined(SQLITE_OS_OTHER) +# if SQLITE_OS_OTHER==1 +# undef SQLITE_OS_UNIX +# define SQLITE_OS_UNIX 0 +# undef SQLITE_OS_WIN +# define SQLITE_OS_WIN 0 +# else +# undef SQLITE_OS_OTHER +# endif +#endif +#if !defined(SQLITE_OS_UNIX) && !defined(SQLITE_OS_OTHER) +# define SQLITE_OS_OTHER 0 +# ifndef SQLITE_OS_WIN +# if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || defined(__MINGW32__) || defined(__BORLANDC__) +# define SQLITE_OS_WIN 1 +# define SQLITE_OS_UNIX 0 +# else +# define SQLITE_OS_WIN 0 +# define SQLITE_OS_UNIX 1 +# endif +# else +# define SQLITE_OS_UNIX 0 +# endif +#else +# ifndef SQLITE_OS_WIN +# define SQLITE_OS_WIN 0 +# endif +#endif + +#if SQLITE_OS_WIN +# include +#endif + +/* +** Determine if we are dealing with Windows NT. +** +** We ought to be able to determine if we are compiling for win98 or winNT +** using the _WIN32_WINNT macro as follows: +** +** #if defined(_WIN32_WINNT) +** # define SQLITE_OS_WINNT 1 +** #else +** # define SQLITE_OS_WINNT 0 +** #endif +** +** However, vs2005 does not set _WIN32_WINNT by default, as it ought to, +** so the above test does not work. We'll just assume that everything is +** winNT unless the programmer explicitly says otherwise by setting +** SQLITE_OS_WINNT to 0. +*/ +#if SQLITE_OS_WIN && !defined(SQLITE_OS_WINNT) +# define SQLITE_OS_WINNT 1 +#endif + +/* +** Determine if we are dealing with WindowsCE - which has a much +** reduced API. +*/ +#if defined(_WIN32_WCE) +# define SQLITE_OS_WINCE 1 +#else +# define SQLITE_OS_WINCE 0 +#endif + +/* +** Determine if we are dealing with WinRT, which provides only a subset of +** the full Win32 API. +*/ +#if !defined(SQLITE_OS_WINRT) +# define SQLITE_OS_WINRT 0 +#endif + +/* +** When compiled for WinCE or WinRT, there is no concept of the current +** directory. 
+ */ +#if !SQLITE_OS_WINCE && !SQLITE_OS_WINRT +# define SQLITE_CURDIR 1 +#endif + +/* If the SET_FULLSYNC macro is not defined above, then make it +** a no-op +*/ +#ifndef SET_FULLSYNC +# define SET_FULLSYNC(x,y) +#endif + +/* +** The default size of a disk sector +*/ +#ifndef SQLITE_DEFAULT_SECTOR_SIZE +# define SQLITE_DEFAULT_SECTOR_SIZE 4096 +#endif + +/* +** Temporary files are named starting with this prefix followed by 16 random +** alphanumeric characters, and no file extension. They are stored in the +** OS's standard temporary file directory, and are deleted prior to exit. +** If sqlite is being embedded in another program, you may wish to change the +** prefix to reflect your program's name, so that if your program exits +** prematurely, old temporary files can be easily identified. This can be done +** using -DSQLITE_TEMP_FILE_PREFIX=myprefix_ on the compiler command line. +** +** 2006-10-31: The default prefix used to be "sqlite_". But then +** Mcafee started using SQLite in their anti-virus product and it +** started putting files with the "sqlite" name in the c:/temp folder. +** This annoyed many windows users. Those users would then do a +** Google search for "sqlite", find the telephone numbers of the +** developers and call to wake them up at night and complain. +** For this reason, the default name prefix is changed to be "sqlite" +** spelled backwards. So the temp files are still identified, but +** anybody smart enough to figure out the code is also likely smart +** enough to know that calling the developer will not help get rid +** of the file. +*/ +#ifndef SQLITE_TEMP_FILE_PREFIX +# define SQLITE_TEMP_FILE_PREFIX "etilqs_" +#endif + +/* +** The following values may be passed as the second argument to +** sqlite3OsLock(). The various locks exhibit the following semantics: +** +** SHARED: Any number of processes may hold a SHARED lock simultaneously. +** RESERVED: A single process may hold a RESERVED lock on a file at +** any time. 
Other processes may hold and obtain new SHARED locks. +** PENDING: A single process may hold a PENDING lock on a file at +** any one time. Existing SHARED locks may persist, but no new +** SHARED locks may be obtained by other processes. +** EXCLUSIVE: An EXCLUSIVE lock precludes all other locks. +** +** PENDING_LOCK may not be passed directly to sqlite3OsLock(). Instead, a +** process that requests an EXCLUSIVE lock may actually obtain a PENDING +** lock. This can be upgraded to an EXCLUSIVE lock by a subsequent call to +** sqlite3OsLock(). +*/ +#define NO_LOCK 0 +#define SHARED_LOCK 1 +#define RESERVED_LOCK 2 +#define PENDING_LOCK 3 +#define EXCLUSIVE_LOCK 4 + +/* +** File Locking Notes: (Mostly about windows but also some info for Unix) +** +** We cannot use LockFileEx() or UnlockFileEx() on Win95/98/ME because +** those functions are not available. So we use only LockFile() and +** UnlockFile(). +** +** LockFile() prevents not just writing but also reading by other processes. +** A SHARED_LOCK is obtained by locking a single randomly-chosen +** byte out of a specific range of bytes. The lock byte is obtained at +** random so two separate readers can probably access the file at the +** same time, unless they are unlucky and choose the same lock byte. +** An EXCLUSIVE_LOCK is obtained by locking all bytes in the range. +** There can only be one writer. A RESERVED_LOCK is obtained by locking +** a single byte of the file that is designated as the reserved lock byte. +** A PENDING_LOCK is obtained by locking a designated byte different from +** the RESERVED_LOCK byte. +** +** On WinNT/2K/XP systems, LockFileEx() and UnlockFileEx() are available, +** which means we can use reader/writer locks. When reader/writer locks +** are used, the lock is placed on the same range of bytes that is used +** for probabilistic locking in Win95/98/ME. Hence, the locking scheme +** will support two or more Win95 readers or two or more WinNT readers. 
+** But a single Win95 reader will lock out all WinNT readers and a single +** WinNT reader will lock out all other Win95 readers. +** +** The following #defines specify the range of bytes used for locking. +** SHARED_SIZE is the number of bytes available in the pool from which +** a random byte is selected for a shared lock. The pool of bytes for +** shared locks begins at SHARED_FIRST. +** +** The same locking strategy and +** byte ranges are used for Unix. This leaves open the possiblity of having +** clients on win95, winNT, and unix all talking to the same shared file +** and all locking correctly. To do so would require that samba (or whatever +** tool is being used for file sharing) implements locks correctly between +** windows and unix. I'm guessing that isn't likely to happen, but by +** using the same locking range we are at least open to the possibility. +** +** Locking in windows is manditory. For this reason, we cannot store +** actual data in the bytes used for locking. The pager never allocates +** the pages involved in locking therefore. SHARED_SIZE is selected so +** that all locks will fit on a single page even at the minimum page size. +** PENDING_BYTE defines the beginning of the locks. By default PENDING_BYTE +** is set high so that we don't have to allocate an unused page except +** for very large databases. But one should test the page skipping logic +** by setting PENDING_BYTE low and running the entire regression suite. +** +** Changing the value of PENDING_BYTE results in a subtly incompatible +** file format. Depending on how it is changed, you might not notice +** the incompatibility right away, even running a full regression test. +** The default location of PENDING_BYTE is the first byte past the +** 1GB boundary. 
+** +*/ +#ifdef SQLITE_OMIT_WSD +# define PENDING_BYTE (0x40000000) +#else +# define PENDING_BYTE sqlite3PendingByte +#endif +#define RESERVED_BYTE (PENDING_BYTE+1) +#define SHARED_FIRST (PENDING_BYTE+2) +#define SHARED_SIZE 510 + +/* +** Wrapper around OS specific sqlite3_os_init() function. +*/ +SQLITE_PRIVATE int sqlite3OsInit(void); + +/* +** Functions for accessing sqlite3_file methods +*/ +SQLITE_PRIVATE int sqlite3OsClose(sqlite3_file*); +SQLITE_PRIVATE int sqlite3OsRead(sqlite3_file*, void*, int amt, i64 offset); +SQLITE_PRIVATE int sqlite3OsWrite(sqlite3_file*, const void*, int amt, i64 offset); +SQLITE_PRIVATE int sqlite3OsTruncate(sqlite3_file*, i64 size); +SQLITE_PRIVATE int sqlite3OsSync(sqlite3_file*, int); +SQLITE_PRIVATE int sqlite3OsFileSize(sqlite3_file*, i64 *pSize); +SQLITE_PRIVATE int sqlite3OsLock(sqlite3_file*, int); +SQLITE_PRIVATE int sqlite3OsUnlock(sqlite3_file*, int); +SQLITE_PRIVATE int sqlite3OsCheckReservedLock(sqlite3_file *id, int *pResOut); +SQLITE_PRIVATE int sqlite3OsFileControl(sqlite3_file*,int,void*); +SQLITE_PRIVATE void sqlite3OsFileControlHint(sqlite3_file*,int,void*); +#define SQLITE_FCNTL_DB_UNCHANGED 0xca093fa0 +SQLITE_PRIVATE int sqlite3OsSectorSize(sqlite3_file *id); +SQLITE_PRIVATE int sqlite3OsDeviceCharacteristics(sqlite3_file *id); +SQLITE_PRIVATE int sqlite3OsShmMap(sqlite3_file *,int,int,int,void volatile **); +SQLITE_PRIVATE int sqlite3OsShmLock(sqlite3_file *id, int, int, int); +SQLITE_PRIVATE void sqlite3OsShmBarrier(sqlite3_file *id); +SQLITE_PRIVATE int sqlite3OsShmUnmap(sqlite3_file *id, int); + + +/* +** Functions for accessing sqlite3_vfs methods +*/ +SQLITE_PRIVATE int sqlite3OsOpen(sqlite3_vfs *, const char *, sqlite3_file*, int, int *); +SQLITE_PRIVATE int sqlite3OsDelete(sqlite3_vfs *, const char *, int); +SQLITE_PRIVATE int sqlite3OsAccess(sqlite3_vfs *, const char *, int, int *pResOut); +SQLITE_PRIVATE int sqlite3OsFullPathname(sqlite3_vfs *, const char *, int, char *); +#ifndef 
SQLITE_OMIT_LOAD_EXTENSION +SQLITE_PRIVATE void *sqlite3OsDlOpen(sqlite3_vfs *, const char *); +SQLITE_PRIVATE void sqlite3OsDlError(sqlite3_vfs *, int, char *); +SQLITE_PRIVATE void (*sqlite3OsDlSym(sqlite3_vfs *, void *, const char *))(void); +SQLITE_PRIVATE void sqlite3OsDlClose(sqlite3_vfs *, void *); +#endif /* SQLITE_OMIT_LOAD_EXTENSION */ +SQLITE_PRIVATE int sqlite3OsRandomness(sqlite3_vfs *, int, char *); +SQLITE_PRIVATE int sqlite3OsSleep(sqlite3_vfs *, int); +SQLITE_PRIVATE int sqlite3OsCurrentTimeInt64(sqlite3_vfs *, sqlite3_int64*); + +/* +** Convenience functions for opening and closing files using +** sqlite3_malloc() to obtain space for the file-handle structure. +*/ +SQLITE_PRIVATE int sqlite3OsOpenMalloc(sqlite3_vfs *, const char *, sqlite3_file **, int,int*); +SQLITE_PRIVATE int sqlite3OsCloseFree(sqlite3_file *); + +#endif /* _SQLITE_OS_H_ */ + +/************** End of os.h **************************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ +/************** Include mutex.h in the middle of sqliteInt.h *****************/ +/************** Begin file mutex.h *******************************************/ +/* +** 2007 August 28 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** +** This file contains the common header for all mutex implementations. +** The sqliteInt.h header #includes this file so that it is available +** to all source files. We break it out in an effort to keep the code +** better organized. +** +** NOTE: source files should *not* #include this header file directly. +** Source files should #include the sqliteInt.h file and let that file +** include this one indirectly. 
+*/ + + +/* +** Figure out what version of the code to use. The choices are +** +** SQLITE_MUTEX_OMIT No mutex logic. Not even stubs. The +** mutexes implemention cannot be overridden +** at start-time. +** +** SQLITE_MUTEX_NOOP For single-threaded applications. No +** mutual exclusion is provided. But this +** implementation can be overridden at +** start-time. +** +** SQLITE_MUTEX_PTHREADS For multi-threaded applications on Unix. +** +** SQLITE_MUTEX_W32 For multi-threaded applications on Win32. +*/ +#if !SQLITE_THREADSAFE +# define SQLITE_MUTEX_OMIT +#endif +#if SQLITE_THREADSAFE && !defined(SQLITE_MUTEX_NOOP) +# if SQLITE_OS_UNIX +# define SQLITE_MUTEX_PTHREADS +# elif SQLITE_OS_WIN +# define SQLITE_MUTEX_W32 +# else +# define SQLITE_MUTEX_NOOP +# endif +#endif + +#ifdef SQLITE_MUTEX_OMIT +/* +** If this is a no-op implementation, implement everything as macros. +*/ +#define sqlite3_mutex_alloc(X) ((sqlite3_mutex*)8) +#define sqlite3_mutex_free(X) +#define sqlite3_mutex_enter(X) +#define sqlite3_mutex_try(X) SQLITE_OK +#define sqlite3_mutex_leave(X) +#define sqlite3_mutex_held(X) ((void)(X),1) +#define sqlite3_mutex_notheld(X) ((void)(X),1) +#define sqlite3MutexAlloc(X) ((sqlite3_mutex*)8) +#define sqlite3MutexInit() SQLITE_OK +#define sqlite3MutexEnd() +#define MUTEX_LOGIC(X) +#else +#define MUTEX_LOGIC(X) X +#endif /* defined(SQLITE_MUTEX_OMIT) */ + +/************** End of mutex.h ***********************************************/ +/************** Continuing where we left off in sqliteInt.h ******************/ + + +/* +** Each database file to be accessed by the system is an instance +** of the following structure. There are normally two of these structures +** in the sqlite.aDb[] array. aDb[0] is the main database file and +** aDb[1] is the database file used to hold temporary tables. Additional +** databases may be attached. 
+*/ +struct Db { + char *zName; /* Name of this database */ + Btree *pBt; /* The B*Tree structure for this database file */ + u8 inTrans; /* 0: not writable. 1: Transaction. 2: Checkpoint */ + u8 safety_level; /* How aggressive at syncing data to disk */ + Schema *pSchema; /* Pointer to database schema (possibly shared) */ +}; + +/* +** An instance of the following structure stores a database schema. +** +** Most Schema objects are associated with a Btree. The exception is +** the Schema for the TEMP databaes (sqlite3.aDb[1]) which is free-standing. +** In shared cache mode, a single Schema object can be shared by multiple +** Btrees that refer to the same underlying BtShared object. +** +** Schema objects are automatically deallocated when the last Btree that +** references them is destroyed. The TEMP Schema is manually freed by +** sqlite3_close(). +* +** A thread must be holding a mutex on the corresponding Btree in order +** to access Schema content. This implies that the thread must also be +** holding a mutex on the sqlite3 connection pointer that owns the Btree. +** For a TEMP Schema, only the connection mutex is required. +*/ +struct Schema { + int schema_cookie; /* Database schema version number for this file */ + int iGeneration; /* Generation counter. Incremented with each change */ + Hash tblHash; /* All tables indexed by name */ + Hash idxHash; /* All (named) indices indexed by name */ + Hash trigHash; /* All triggers indexed by name */ + Hash fkeyHash; /* All foreign keys by referenced table name */ + Table *pSeqTab; /* The sqlite_sequence table used by AUTOINCREMENT */ + u8 file_format; /* Schema format version for this file */ + u8 enc; /* Text encoding used by this database */ + u16 flags; /* Flags associated with this schema */ + int cache_size; /* Number of pages to use in the cache */ +}; + +/* +** These macros can be used to test, set, or clear bits in the +** Db.pSchema->flags field. 
+*/ +#define DbHasProperty(D,I,P) (((D)->aDb[I].pSchema->flags&(P))==(P)) +#define DbHasAnyProperty(D,I,P) (((D)->aDb[I].pSchema->flags&(P))!=0) +#define DbSetProperty(D,I,P) (D)->aDb[I].pSchema->flags|=(P) +#define DbClearProperty(D,I,P) (D)->aDb[I].pSchema->flags&=~(P) + +/* +** Allowed values for the DB.pSchema->flags field. +** +** The DB_SchemaLoaded flag is set after the database schema has been +** read into internal hash tables. +** +** DB_UnresetViews means that one or more views have column names that +** have been filled out. If the schema changes, these column names might +** changes and so the view will need to be reset. +*/ +#define DB_SchemaLoaded 0x0001 /* The schema has been loaded */ +#define DB_UnresetViews 0x0002 /* Some views have defined column names */ +#define DB_Empty 0x0004 /* The file is empty (length 0 bytes) */ + +/* +** The number of different kinds of things that can be limited +** using the sqlite3_limit() interface. +*/ +#define SQLITE_N_LIMIT (SQLITE_LIMIT_TRIGGER_DEPTH+1) + +/* +** Lookaside malloc is a set of fixed-size buffers that can be used +** to satisfy small transient memory allocation requests for objects +** associated with a particular database connection. The use of +** lookaside malloc provides a significant performance enhancement +** (approx 10%) by avoiding numerous malloc/free requests while parsing +** SQL statements. +** +** The Lookaside structure holds configuration information about the +** lookaside malloc subsystem. Each available memory allocation in +** the lookaside subsystem is stored on a linked list of LookasideSlot +** objects. +** +** Lookaside allocations are only allowed for objects that are associated +** with a particular database connection. Hence, schema information cannot +** be stored in lookaside because in shared cache mode the schema information +** is shared by multiple database connections. 
Therefore, while parsing +** schema information, the Lookaside.bEnabled flag is cleared so that +** lookaside allocations are not used to construct the schema objects. +*/ +struct Lookaside { + u16 sz; /* Size of each buffer in bytes */ + u8 bEnabled; /* False to disable new lookaside allocations */ + u8 bMalloced; /* True if pStart obtained from sqlite3_malloc() */ + int nOut; /* Number of buffers currently checked out */ + int mxOut; /* Highwater mark for nOut */ + int anStat[3]; /* 0: hits. 1: size misses. 2: full misses */ + LookasideSlot *pFree; /* List of available buffers */ + void *pStart; /* First byte of available memory space */ + void *pEnd; /* First byte past end of available space */ +}; +struct LookasideSlot { + LookasideSlot *pNext; /* Next buffer in the list of free buffers */ +}; + +/* +** A hash table for function definitions. +** +** Hash each FuncDef structure into one of the FuncDefHash.a[] slots. +** Collisions are on the FuncDef.pHash chain. +*/ +struct FuncDefHash { + FuncDef *a[23]; /* Hash table for functions */ +}; + +/* +** Each database connection is an instance of the following structure. +*/ +struct sqlite3 { + sqlite3_vfs *pVfs; /* OS Interface */ + struct Vdbe *pVdbe; /* List of active virtual machines */ + CollSeq *pDfltColl; /* The default collating sequence (BINARY) */ + sqlite3_mutex *mutex; /* Connection mutex */ + Db *aDb; /* All backends */ + int nDb; /* Number of backends currently in use */ + int flags; /* Miscellaneous flags. See below */ + i64 lastRowid; /* ROWID of most recent insert (see above) */ + unsigned int openFlags; /* Flags passed to sqlite3_vfs.xOpen() */ + int errCode; /* Most recent error code (SQLITE_*) */ + int errMask; /* & result codes with this before returning */ + u16 dbOptFlags; /* Flags to enable/disable optimizations */ + u8 autoCommit; /* The auto-commit flag. 
*/ + u8 temp_store; /* 1: file 2: memory 0: default */ + u8 mallocFailed; /* True if we have seen a malloc failure */ + u8 dfltLockMode; /* Default locking-mode for attached dbs */ + signed char nextAutovac; /* Autovac setting after VACUUM if >=0 */ + u8 suppressErr; /* Do not issue error messages if true */ + u8 vtabOnConflict; /* Value to return for s3_vtab_on_conflict() */ + u8 isTransactionSavepoint; /* True if the outermost savepoint is a TS */ + int nextPagesize; /* Pagesize after VACUUM if >0 */ + u32 magic; /* Magic number for detect library misuse */ + int nChange; /* Value returned by sqlite3_changes() */ + int nTotalChange; /* Value returned by sqlite3_total_changes() */ + int aLimit[SQLITE_N_LIMIT]; /* Limits */ + struct sqlite3InitInfo { /* Information used during initialization */ + int newTnum; /* Rootpage of table being initialized */ + u8 iDb; /* Which db file is being initialized */ + u8 busy; /* TRUE if currently initializing */ + u8 orphanTrigger; /* Last statement is orphaned TEMP trigger */ + } init; + int activeVdbeCnt; /* Number of VDBEs currently executing */ + int writeVdbeCnt; /* Number of active VDBEs that are writing */ + int vdbeExecCnt; /* Number of nested calls to VdbeExec() */ + int nExtension; /* Number of loaded extensions */ + void **aExtension; /* Array of shared library handles */ + void (*xTrace)(void*,const char*); /* Trace function */ + void *pTraceArg; /* Argument to the trace function */ + void (*xProfile)(void*,const char*,u64); /* Profiling function */ + void *pProfileArg; /* Argument to profile function */ + void *pCommitArg; /* Argument to xCommitCallback() */ + int (*xCommitCallback)(void*); /* Invoked at every commit. */ + void *pRollbackArg; /* Argument to xRollbackCallback() */ + void (*xRollbackCallback)(void*); /* Invoked at every commit. 
*/ + void *pUpdateArg; + void (*xUpdateCallback)(void*,int, const char*,const char*,sqlite_int64); +#ifndef SQLITE_OMIT_WAL + int (*xWalCallback)(void *, sqlite3 *, const char *, int); + void *pWalArg; +#endif + void(*xCollNeeded)(void*,sqlite3*,int eTextRep,const char*); + void(*xCollNeeded16)(void*,sqlite3*,int eTextRep,const void*); + void *pCollNeededArg; + sqlite3_value *pErr; /* Most recent error message */ + char *zErrMsg; /* Most recent error message (UTF-8 encoded) */ + char *zErrMsg16; /* Most recent error message (UTF-16 encoded) */ + union { + volatile int isInterrupted; /* True if sqlite3_interrupt has been called */ + double notUsed1; /* Spacer */ + } u1; + Lookaside lookaside; /* Lookaside malloc configuration */ +#ifndef SQLITE_OMIT_AUTHORIZATION + int (*xAuth)(void*,int,const char*,const char*,const char*,const char*); + /* Access authorization function */ + void *pAuthArg; /* 1st argument to the access auth function */ +#endif +#ifndef SQLITE_OMIT_PROGRESS_CALLBACK + int (*xProgress)(void *); /* The progress callback */ + void *pProgressArg; /* Argument to the progress callback */ + int nProgressOps; /* Number of opcodes for progress callback */ +#endif +#ifndef SQLITE_OMIT_VIRTUALTABLE + int nVTrans; /* Allocated size of aVTrans */ + Hash aModule; /* populated by sqlite3_create_module() */ + VtabCtx *pVtabCtx; /* Context for active vtab connect/create */ + VTable **aVTrans; /* Virtual tables with open transactions */ + VTable *pDisconnect; /* Disconnect these in next sqlite3_prepare() */ +#endif + FuncDefHash aFunc; /* Hash table of connection functions */ + Hash aCollSeq; /* All collating sequences */ + BusyHandler busyHandler; /* Busy callback */ + Db aDbStatic[2]; /* Static space for the 2 default backends */ + Savepoint *pSavepoint; /* List of active savepoints */ + int busyTimeout; /* Busy handler timeout, in msec */ + int nSavepoint; /* Number of non-transaction savepoints */ + int nStatement; /* Number of nested statement-transactions */ + 
i64 nDeferredCons; /* Net deferred constraints this transaction. */ + int *pnBytesFreed; /* If not NULL, increment this in DbFree() */ + +#ifdef SQLITE_ENABLE_UNLOCK_NOTIFY + /* The following variables are all protected by the STATIC_MASTER + ** mutex, not by sqlite3.mutex. They are used by code in notify.c. + ** + ** When X.pUnlockConnection==Y, that means that X is waiting for Y to + ** unlock so that it can proceed. + ** + ** When X.pBlockingConnection==Y, that means that something that X tried + ** tried to do recently failed with an SQLITE_LOCKED error due to locks + ** held by Y. + */ + sqlite3 *pBlockingConnection; /* Connection that caused SQLITE_LOCKED */ + sqlite3 *pUnlockConnection; /* Connection to watch for unlock */ + void *pUnlockArg; /* Argument to xUnlockNotify */ + void (*xUnlockNotify)(void **, int); /* Unlock notify callback */ + sqlite3 *pNextBlocked; /* Next in list of all blocked connections */ +#endif +}; + +/* +** A macro to discover the encoding of a database. +*/ +#define ENC(db) ((db)->aDb[0].pSchema->enc) + +/* +** Possible values for the sqlite3.flags. +*/ +#define SQLITE_VdbeTrace 0x00000001 /* True to trace VDBE execution */ +#define SQLITE_InternChanges 0x00000002 /* Uncommitted Hash table changes */ +#define SQLITE_FullColNames 0x00000004 /* Show full column names on SELECT */ +#define SQLITE_ShortColNames 0x00000008 /* Show short columns names */ +#define SQLITE_CountRows 0x00000010 /* Count rows changed by INSERT, */ + /* DELETE, or UPDATE and return */ + /* the count using a callback. 
*/ +#define SQLITE_NullCallback 0x00000020 /* Invoke the callback once if the */ + /* result set is empty */ +#define SQLITE_SqlTrace 0x00000040 /* Debug print SQL as it executes */ +#define SQLITE_VdbeListing 0x00000080 /* Debug listings of VDBE programs */ +#define SQLITE_WriteSchema 0x00000100 /* OK to update SQLITE_MASTER */ +#define SQLITE_VdbeAddopTrace 0x00000200 /* Trace sqlite3VdbeAddOp() calls */ +#define SQLITE_IgnoreChecks 0x00000400 /* Do not enforce check constraints */ +#define SQLITE_ReadUncommitted 0x0000800 /* For shared-cache mode */ +#define SQLITE_LegacyFileFmt 0x00001000 /* Create new databases in format 1 */ +#define SQLITE_FullFSync 0x00002000 /* Use full fsync on the backend */ +#define SQLITE_CkptFullFSync 0x00004000 /* Use full fsync for checkpoint */ +#define SQLITE_RecoveryMode 0x00008000 /* Ignore schema errors */ +#define SQLITE_ReverseOrder 0x00010000 /* Reverse unordered SELECTs */ +#define SQLITE_RecTriggers 0x00020000 /* Enable recursive triggers */ +#define SQLITE_ForeignKeys 0x00040000 /* Enforce foreign key constraints */ +#define SQLITE_AutoIndex 0x00080000 /* Enable automatic indexes */ +#define SQLITE_PreferBuiltin 0x00100000 /* Preference to built-in funcs */ +#define SQLITE_LoadExtension 0x00200000 /* Enable load_extension */ +#define SQLITE_EnableTrigger 0x00400000 /* True to enable triggers */ + +/* +** Bits of the sqlite3.dbOptFlags field that are used by the +** sqlite3_test_control(SQLITE_TESTCTRL_OPTIMIZATIONS,...) interface to +** selectively disable various optimizations. 
+*/ +#define SQLITE_QueryFlattener 0x0001 /* Query flattening */ +#define SQLITE_ColumnCache 0x0002 /* Column cache */ +#define SQLITE_GroupByOrder 0x0004 /* GROUPBY cover of ORDERBY */ +#define SQLITE_FactorOutConst 0x0008 /* Constant factoring */ +#define SQLITE_IdxRealAsInt 0x0010 /* Store REAL as INT in indices */ +#define SQLITE_DistinctOpt 0x0020 /* DISTINCT using indexes */ +#define SQLITE_CoverIdxScan 0x0040 /* Covering index scans */ +#define SQLITE_OrderByIdxJoin 0x0080 /* ORDER BY of joins via index */ +#define SQLITE_SubqCoroutine 0x0100 /* Evaluate subqueries as coroutines */ +#define SQLITE_Transitive 0x0200 /* Transitive constraints */ +#define SQLITE_AllOpts 0xffff /* All optimizations */ + +/* +** Macros for testing whether or not optimizations are enabled or disabled. +*/ +#ifndef SQLITE_OMIT_BUILTIN_TEST +#define OptimizationDisabled(db, mask) (((db)->dbOptFlags&(mask))!=0) +#define OptimizationEnabled(db, mask) (((db)->dbOptFlags&(mask))==0) +#else +#define OptimizationDisabled(db, mask) 0 +#define OptimizationEnabled(db, mask) 1 +#endif + +/* +** Possible values for the sqlite.magic field. +** The numbers are obtained at random and have no special meaning, other +** than being distinct from one another. +*/ +#define SQLITE_MAGIC_OPEN 0xa029a697 /* Database is open */ +#define SQLITE_MAGIC_CLOSED 0x9f3c2d33 /* Database is closed */ +#define SQLITE_MAGIC_SICK 0x4b771290 /* Error and awaiting close */ +#define SQLITE_MAGIC_BUSY 0xf03b7906 /* Database currently in use */ +#define SQLITE_MAGIC_ERROR 0xb5357930 /* An SQLITE_MISUSE error occurred */ +#define SQLITE_MAGIC_ZOMBIE 0x64cffc7f /* Close with last statement close */ + +/* +** Each SQL function is defined by an instance of the following +** structure. A pointer to this structure is stored in the sqlite.aFunc +** hash table. When multiple functions have the same name, the hash table +** points to a linked list of these structures. +*/ +struct FuncDef { + i16 nArg; /* Number of arguments. 
-1 means unlimited */ + u8 iPrefEnc; /* Preferred text encoding (SQLITE_UTF8, 16LE, 16BE) */ + u8 flags; /* Some combination of SQLITE_FUNC_* */ + void *pUserData; /* User data parameter */ + FuncDef *pNext; /* Next function with same name */ + void (*xFunc)(sqlite3_context*,int,sqlite3_value**); /* Regular function */ + void (*xStep)(sqlite3_context*,int,sqlite3_value**); /* Aggregate step */ + void (*xFinalize)(sqlite3_context*); /* Aggregate finalizer */ + char *zName; /* SQL name of the function. */ + FuncDef *pHash; /* Next with a different name but the same hash */ + FuncDestructor *pDestructor; /* Reference counted destructor function */ +}; + +/* +** This structure encapsulates a user-function destructor callback (as +** configured using create_function_v2()) and a reference counter. When +** create_function_v2() is called to create a function with a destructor, +** a single object of this type is allocated. FuncDestructor.nRef is set to +** the number of FuncDef objects created (either 1 or 3, depending on whether +** or not the specified encoding is SQLITE_ANY). The FuncDef.pDestructor +** member of each of the new FuncDef objects is set to point to the allocated +** FuncDestructor. +** +** Thereafter, when one of the FuncDef objects is deleted, the reference +** count on this object is decremented. When it reaches 0, the destructor +** is invoked and the FuncDestructor structure freed. +*/ +struct FuncDestructor { + int nRef; + void (*xDestroy)(void *); + void *pUserData; +}; + +/* +** Possible values for FuncDef.flags. Note that the _LENGTH and _TYPEOF +** values must correspond to OPFLAG_LENGTHARG and OPFLAG_TYPEOFARG. There +** are assert() statements in the code to verify this. +*/ +#define SQLITE_FUNC_LIKE 0x01 /* Candidate for the LIKE optimization */ +#define SQLITE_FUNC_CASE 0x02 /* Case-sensitive LIKE-type function */ +#define SQLITE_FUNC_EPHEM 0x04 /* Ephemeral. 
Delete with VDBE */ +#define SQLITE_FUNC_NEEDCOLL 0x08 /* sqlite3GetFuncCollSeq() might be called */ +#define SQLITE_FUNC_COUNT 0x10 /* Built-in count(*) aggregate */ +#define SQLITE_FUNC_COALESCE 0x20 /* Built-in coalesce() or ifnull() function */ +#define SQLITE_FUNC_LENGTH 0x40 /* Built-in length() function */ +#define SQLITE_FUNC_TYPEOF 0x80 /* Built-in typeof() function */ + +/* +** The following three macros, FUNCTION(), LIKEFUNC() and AGGREGATE() are +** used to create the initializers for the FuncDef structures. +** +** FUNCTION(zName, nArg, iArg, bNC, xFunc) +** Used to create a scalar function definition of a function zName +** implemented by C function xFunc that accepts nArg arguments. The +** value passed as iArg is cast to a (void*) and made available +** as the user-data (sqlite3_user_data()) for the function. If +** argument bNC is true, then the SQLITE_FUNC_NEEDCOLL flag is set. +** +** AGGREGATE(zName, nArg, iArg, bNC, xStep, xFinal) +** Used to create an aggregate function definition implemented by +** the C functions xStep and xFinal. The first four parameters +** are interpreted in the same way as the first 4 parameters to +** FUNCTION(). +** +** LIKEFUNC(zName, nArg, pArg, flags) +** Used to create a scalar function definition of a function zName +** that accepts nArg arguments and is implemented by a call to C +** function likeFunc. Argument pArg is cast to a (void *) and made +** available as the function user-data (sqlite3_user_data()). The +** FuncDef.flags variable is set to the value passed as the flags +** parameter. 
+*/ +#define FUNCTION(zName, nArg, iArg, bNC, xFunc) \ + {nArg, SQLITE_UTF8, (bNC*SQLITE_FUNC_NEEDCOLL), \ + SQLITE_INT_TO_PTR(iArg), 0, xFunc, 0, 0, #zName, 0, 0} +#define FUNCTION2(zName, nArg, iArg, bNC, xFunc, extraFlags) \ + {nArg, SQLITE_UTF8, (bNC*SQLITE_FUNC_NEEDCOLL)|extraFlags, \ + SQLITE_INT_TO_PTR(iArg), 0, xFunc, 0, 0, #zName, 0, 0} +#define STR_FUNCTION(zName, nArg, pArg, bNC, xFunc) \ + {nArg, SQLITE_UTF8, bNC*SQLITE_FUNC_NEEDCOLL, \ + pArg, 0, xFunc, 0, 0, #zName, 0, 0} +#define LIKEFUNC(zName, nArg, arg, flags) \ + {nArg, SQLITE_UTF8, flags, (void *)arg, 0, likeFunc, 0, 0, #zName, 0, 0} +#define AGGREGATE(zName, nArg, arg, nc, xStep, xFinal) \ + {nArg, SQLITE_UTF8, nc*SQLITE_FUNC_NEEDCOLL, \ + SQLITE_INT_TO_PTR(arg), 0, 0, xStep,xFinal,#zName,0,0} + +/* +** All current savepoints are stored in a linked list starting at +** sqlite3.pSavepoint. The first element in the list is the most recently +** opened savepoint. Savepoints are added to the list by the vdbe +** OP_Savepoint instruction. +*/ +struct Savepoint { + char *zName; /* Savepoint name (nul-terminated) */ + i64 nDeferredCons; /* Number of deferred fk violations */ + Savepoint *pNext; /* Parent savepoint (if any) */ +}; + +/* +** The following are used as the second parameter to sqlite3Savepoint(), +** and as the P1 argument to the OP_Savepoint instruction. +*/ +#define SAVEPOINT_BEGIN 0 +#define SAVEPOINT_RELEASE 1 +#define SAVEPOINT_ROLLBACK 2 + + +/* +** Each SQLite module (virtual table definition) is defined by an +** instance of the following structure, stored in the sqlite3.aModule +** hash table. +*/ +struct Module { + const sqlite3_module *pModule; /* Callback pointers */ + const char *zName; /* Name passed to create_module() */ + void *pAux; /* pAux passed to create_module() */ + void (*xDestroy)(void *); /* Module destructor function */ +}; + +/* +** information about each column of an SQL table is held in an instance +** of this structure. 
+*/ +struct Column { + char *zName; /* Name of this column */ + Expr *pDflt; /* Default value of this column */ + char *zDflt; /* Original text of the default value */ + char *zType; /* Data type for this column */ + char *zColl; /* Collating sequence. If NULL, use the default */ + u8 notNull; /* An OE_ code for handling a NOT NULL constraint */ + char affinity; /* One of the SQLITE_AFF_... values */ + u16 colFlags; /* Boolean properties. See COLFLAG_ defines below */ +}; + +/* Allowed values for Column.colFlags: +*/ +#define COLFLAG_PRIMKEY 0x0001 /* Column is part of the primary key */ +#define COLFLAG_HIDDEN 0x0002 /* A hidden column in a virtual table */ + +/* +** A "Collating Sequence" is defined by an instance of the following +** structure. Conceptually, a collating sequence consists of a name and +** a comparison routine that defines the order of that sequence. +** +** If CollSeq.xCmp is NULL, it means that the +** collating sequence is undefined. Indices built on an undefined +** collating sequence may not be read or written. +*/ +struct CollSeq { + char *zName; /* Name of the collating sequence, UTF-8 encoded */ + u8 enc; /* Text encoding handled by xCmp() */ + void *pUser; /* First argument to xCmp() */ + int (*xCmp)(void*,int, const void*, int, const void*); + void (*xDel)(void*); /* Destructor for pUser */ +}; + +/* +** A sort order can be either ASC or DESC. +*/ +#define SQLITE_SO_ASC 0 /* Sort in ascending order */ +#define SQLITE_SO_DESC 1 /* Sort in ascending order */ + +/* +** Column affinity types. +** +** These used to have mnemonic name like 'i' for SQLITE_AFF_INTEGER and +** 't' for SQLITE_AFF_TEXT. But we can save a little space and improve +** the speed a little by numbering the values consecutively. +** +** But rather than start with 0 or 1, we begin with 'a'. That way, +** when multiple affinity types are concatenated into a string and +** used as the P4 operand, they will be more readable. 
+** +** Note also that the numeric types are grouped together so that testing +** for a numeric type is a single comparison. +*/ +#define SQLITE_AFF_TEXT 'a' +#define SQLITE_AFF_NONE 'b' +#define SQLITE_AFF_NUMERIC 'c' +#define SQLITE_AFF_INTEGER 'd' +#define SQLITE_AFF_REAL 'e' + +#define sqlite3IsNumericAffinity(X) ((X)>=SQLITE_AFF_NUMERIC) + +/* +** The SQLITE_AFF_MASK values masks off the significant bits of an +** affinity value. +*/ +#define SQLITE_AFF_MASK 0x67 + +/* +** Additional bit values that can be ORed with an affinity without +** changing the affinity. +*/ +#define SQLITE_JUMPIFNULL 0x08 /* jumps if either operand is NULL */ +#define SQLITE_STOREP2 0x10 /* Store result in reg[P2] rather than jump */ +#define SQLITE_NULLEQ 0x80 /* NULL=NULL */ + +/* +** An object of this type is created for each virtual table present in +** the database schema. +** +** If the database schema is shared, then there is one instance of this +** structure for each database connection (sqlite3*) that uses the shared +** schema. This is because each database connection requires its own unique +** instance of the sqlite3_vtab* handle used to access the virtual table +** implementation. sqlite3_vtab* handles can not be shared between +** database connections, even when the rest of the in-memory database +** schema is shared, as the implementation often stores the database +** connection handle passed to it via the xConnect() or xCreate() method +** during initialization internally. This database connection handle may +** then be used by the virtual table implementation to access real tables +** within the database. So that they appear as part of the callers +** transaction, these accesses need to be made via the same database +** connection as that used to execute SQL operations on the virtual table. 
+** +** All VTable objects that correspond to a single table in a shared +** database schema are initially stored in a linked-list pointed to by +** the Table.pVTable member variable of the corresponding Table object. +** When an sqlite3_prepare() operation is required to access the virtual +** table, it searches the list for the VTable that corresponds to the +** database connection doing the preparing so as to use the correct +** sqlite3_vtab* handle in the compiled query. +** +** When an in-memory Table object is deleted (for example when the +** schema is being reloaded for some reason), the VTable objects are not +** deleted and the sqlite3_vtab* handles are not xDisconnect()ed +** immediately. Instead, they are moved from the Table.pVTable list to +** another linked list headed by the sqlite3.pDisconnect member of the +** corresponding sqlite3 structure. They are then deleted/xDisconnected +** next time a statement is prepared using said sqlite3*. This is done +** to avoid deadlock issues involving multiple sqlite3.mutex mutexes. +** Refer to comments above function sqlite3VtabUnlockList() for an +** explanation as to why it is safe to add an entry to an sqlite3.pDisconnect +** list without holding the corresponding sqlite3.mutex mutex. +** +** The memory for objects of this type is always allocated by +** sqlite3DbMalloc(), using the connection handle stored in VTable.db as +** the first argument. +*/ +struct VTable { + sqlite3 *db; /* Database connection associated with this table */ + Module *pMod; /* Pointer to module implementation */ + sqlite3_vtab *pVtab; /* Pointer to vtab instance */ + int nRef; /* Number of pointers to this structure */ + u8 bConstraint; /* True if constraints are supported */ + int iSavepoint; /* Depth of the SAVEPOINT stack */ + VTable *pNext; /* Next in linked list (see above) */ +}; + +/* +** Each SQL table is represented in memory by an instance of the +** following structure. +** +** Table.zName is the name of the table. 
The case of the original +** CREATE TABLE statement is stored, but case is not significant for +** comparisons. +** +** Table.nCol is the number of columns in this table. Table.aCol is a +** pointer to an array of Column structures, one for each column. +** +** If the table has an INTEGER PRIMARY KEY, then Table.iPKey is the index of +** the column that is that key. Otherwise Table.iPKey is negative. Note +** that the datatype of the PRIMARY KEY must be INTEGER for this field to +** be set. An INTEGER PRIMARY KEY is used as the rowid for each row of +** the table. If a table has no INTEGER PRIMARY KEY, then a random rowid +** is generated for each row of the table. TF_HasPrimaryKey is set if +** the table has any PRIMARY KEY, INTEGER or otherwise. +** +** Table.tnum is the page number for the root BTree page of the table in the +** database file. If Table.iDb is the index of the database table backend +** in sqlite.aDb[]. 0 is for the main database and 1 is for the file that +** holds temporary tables and indices. If TF_Ephemeral is set +** then the table is stored in a file that is automatically deleted +** when the VDBE cursor to the table is closed. In this case Table.tnum +** refers VDBE cursor number that holds the table open, not to the root +** page number. Transient tables are used to hold the results of a +** sub-query that appears instead of a real table name in the FROM clause +** of a SELECT statement. +*/ +struct Table { + char *zName; /* Name of the table or view */ + Column *aCol; /* Information about each column */ + Index *pIndex; /* List of SQL indexes on this table. */ + Select *pSelect; /* NULL for tables. Points to definition if a view. 
*/ + FKey *pFKey; /* Linked list of all foreign keys in this table */ + char *zColAff; /* String defining the affinity of each column */ +#ifndef SQLITE_OMIT_CHECK + ExprList *pCheck; /* All CHECK constraints */ +#endif + tRowcnt nRowEst; /* Estimated rows in table - from sqlite_stat1 table */ + int tnum; /* Root BTree node for this table (see note above) */ + i16 iPKey; /* If not negative, use aCol[iPKey] as the primary key */ + i16 nCol; /* Number of columns in this table */ + u16 nRef; /* Number of pointers to this Table */ + u8 tabFlags; /* Mask of TF_* values */ + u8 keyConf; /* What to do in case of uniqueness conflict on iPKey */ +#ifndef SQLITE_OMIT_ALTERTABLE + int addColOffset; /* Offset in CREATE TABLE stmt to add a new column */ +#endif +#ifndef SQLITE_OMIT_VIRTUALTABLE + int nModuleArg; /* Number of arguments to the module */ + char **azModuleArg; /* Text of all module args. [0] is module name */ + VTable *pVTable; /* List of VTable objects. */ +#endif + Trigger *pTrigger; /* List of triggers stored in pSchema */ + Schema *pSchema; /* Schema that contains this table */ + Table *pNextZombie; /* Next on the Parse.pZombieTab list */ +}; + +/* +** Allowed values for Tabe.tabFlags. +*/ +#define TF_Readonly 0x01 /* Read-only system table */ +#define TF_Ephemeral 0x02 /* An ephemeral table */ +#define TF_HasPrimaryKey 0x04 /* Table has a primary key */ +#define TF_Autoincrement 0x08 /* Integer primary key is autoincrement */ +#define TF_Virtual 0x10 /* Is a virtual table */ + + +/* +** Test to see whether or not a table is a virtual table. This is +** done as a macro so that it will be optimized out when virtual +** table support is omitted from the build. 
+*/ +#ifndef SQLITE_OMIT_VIRTUALTABLE +# define IsVirtual(X) (((X)->tabFlags & TF_Virtual)!=0) +# define IsHiddenColumn(X) (((X)->colFlags & COLFLAG_HIDDEN)!=0) +#else +# define IsVirtual(X) 0 +# define IsHiddenColumn(X) 0 +#endif + +/* +** Each foreign key constraint is an instance of the following structure. +** +** A foreign key is associated with two tables. The "from" table is +** the table that contains the REFERENCES clause that creates the foreign +** key. The "to" table is the table that is named in the REFERENCES clause. +** Consider this example: +** +** CREATE TABLE ex1( +** a INTEGER PRIMARY KEY, +** b INTEGER CONSTRAINT fk1 REFERENCES ex2(x) +** ); +** +** For foreign key "fk1", the from-table is "ex1" and the to-table is "ex2". +** +** Each REFERENCES clause generates an instance of the following structure +** which is attached to the from-table. The to-table need not exist when +** the from-table is created. The existence of the to-table is not checked. +*/ +struct FKey { + Table *pFrom; /* Table containing the REFERENCES clause (aka: Child) */ + FKey *pNextFrom; /* Next foreign key in pFrom */ + char *zTo; /* Name of table that the key points to (aka: Parent) */ + FKey *pNextTo; /* Next foreign key on table named zTo */ + FKey *pPrevTo; /* Previous foreign key on table named zTo */ + int nCol; /* Number of columns in this key */ + /* EV: R-30323-21917 */ + u8 isDeferred; /* True if constraint checking is deferred till COMMIT */ + u8 aAction[2]; /* ON DELETE and ON UPDATE actions, respectively */ + Trigger *apTrigger[2]; /* Triggers for aAction[] actions */ + struct sColMap { /* Mapping of columns in pFrom to columns in zTo */ + int iFrom; /* Index of column in pFrom */ + char *zCol; /* Name of column in zTo. If 0 use PRIMARY KEY */ + } aCol[1]; /* One entry for each of nCol column s */ +}; + +/* +** SQLite supports many different ways to resolve a constraint +** error. 
ROLLBACK processing means that a constraint violation +** causes the operation in process to fail and for the current transaction +** to be rolled back. ABORT processing means the operation in process +** fails and any prior changes from that one operation are backed out, +** but the transaction is not rolled back. FAIL processing means that +** the operation in progress stops and returns an error code. But prior +** changes due to the same operation are not backed out and no rollback +** occurs. IGNORE means that the particular row that caused the constraint +** error is not inserted or updated. Processing continues and no error +** is returned. REPLACE means that preexisting database rows that caused +** a UNIQUE constraint violation are removed so that the new insert or +** update can proceed. Processing continues and no error is reported. +** +** RESTRICT, SETNULL, and CASCADE actions apply only to foreign keys. +** RESTRICT is the same as ABORT for IMMEDIATE foreign keys and the +** same as ROLLBACK for DEFERRED keys. SETNULL means that the foreign +** key is set to NULL. CASCADE means that a DELETE or UPDATE of the +** referenced table row is propagated into the row that holds the +** foreign key. +** +** The following symbolic values are used to record which type +** of action to take. +*/ +#define OE_None 0 /* There is no constraint to check */ +#define OE_Rollback 1 /* Fail the operation and rollback the transaction */ +#define OE_Abort 2 /* Back out changes but do no rollback transaction */ +#define OE_Fail 3 /* Stop the operation but leave all prior changes */ +#define OE_Ignore 4 /* Ignore the error. 
Do not do the INSERT or UPDATE */ +#define OE_Replace 5 /* Delete existing record, then do INSERT or UPDATE */ + +#define OE_Restrict 6 /* OE_Abort for IMMEDIATE, OE_Rollback for DEFERRED */ +#define OE_SetNull 7 /* Set the foreign key value to NULL */ +#define OE_SetDflt 8 /* Set the foreign key value to its default */ +#define OE_Cascade 9 /* Cascade the changes */ + +#define OE_Default 99 /* Do whatever the default action is */ + + +/* +** An instance of the following structure is passed as the first +** argument to sqlite3VdbeKeyCompare and is used to control the +** comparison of the two index keys. +*/ +struct KeyInfo { + sqlite3 *db; /* The database connection */ + u8 enc; /* Text encoding - one of the SQLITE_UTF* values */ + u16 nField; /* Number of entries in aColl[] */ + u8 *aSortOrder; /* Sort order for each column. May be NULL */ + CollSeq *aColl[1]; /* Collating sequence for each term of the key */ +}; + +/* +** An instance of the following structure holds information about a +** single index record that has already been parsed out into individual +** values. +** +** A record is an object that contains one or more fields of data. +** Records are used to store the content of a table row and to store +** the key of an index. A blob encoding of a record is created by +** the OP_MakeRecord opcode of the VDBE and is disassembled by the +** OP_Column opcode. +** +** This structure holds a record that has already been disassembled +** into its constituent fields. +*/ +struct UnpackedRecord { + KeyInfo *pKeyInfo; /* Collation and sort-order information */ + u16 nField; /* Number of entries in apMem[] */ + u8 flags; /* Boolean settings. UNPACKED_... 
below */ + i64 rowid; /* Used by UNPACKED_PREFIX_SEARCH */ + Mem *aMem; /* Values */ +}; + +/* +** Allowed values of UnpackedRecord.flags +*/ +#define UNPACKED_INCRKEY 0x01 /* Make this key an epsilon larger */ +#define UNPACKED_PREFIX_MATCH 0x02 /* A prefix match is considered OK */ +#define UNPACKED_PREFIX_SEARCH 0x04 /* Ignore final (rowid) field */ + +/* +** Each SQL index is represented in memory by an +** instance of the following structure. +** +** The columns of the table that are to be indexed are described +** by the aiColumn[] field of this structure. For example, suppose +** we have the following table and index: +** +** CREATE TABLE Ex1(c1 int, c2 int, c3 text); +** CREATE INDEX Ex2 ON Ex1(c3,c1); +** +** In the Table structure describing Ex1, nCol==3 because there are +** three columns in the table. In the Index structure describing +** Ex2, nColumn==2 since 2 of the 3 columns of Ex1 are indexed. +** The value of aiColumn is {2, 0}. aiColumn[0]==2 because the +** first column to be indexed (c3) has an index of 2 in Ex1.aCol[]. +** The second column to be indexed (c1) has an index of 0 in +** Ex1.aCol[], hence Ex2.aiColumn[1]==0. +** +** The Index.onError field determines whether or not the indexed columns +** must be unique and what to do if they are not. When Index.onError=OE_None, +** it means this is not a unique index. Otherwise it is a unique index +** and the value of Index.onError indicate the which conflict resolution +** algorithm to employ whenever an attempt is made to insert a non-unique +** element. +*/ +struct Index { + char *zName; /* Name of this index */ + int *aiColumn; /* Which columns are used by this index. 1st is 0 */ + tRowcnt *aiRowEst; /* From ANALYZE: Est. 
rows selected by each column */ + Table *pTable; /* The SQL table being indexed */ + char *zColAff; /* String defining the affinity of each column */ + Index *pNext; /* The next index associated with the same table */ + Schema *pSchema; /* Schema containing this index */ + u8 *aSortOrder; /* for each column: True==DESC, False==ASC */ + char **azColl; /* Array of collation sequence names for index */ + int tnum; /* DB Page containing root of this index */ + u16 nColumn; /* Number of columns in table used by this index */ + u8 onError; /* OE_Abort, OE_Ignore, OE_Replace, or OE_None */ + unsigned autoIndex:2; /* 1==UNIQUE, 2==PRIMARY KEY, 0==CREATE INDEX */ + unsigned bUnordered:1; /* Use this index for == or IN queries only */ +#ifdef SQLITE_ENABLE_STAT3 + int nSample; /* Number of elements in aSample[] */ + tRowcnt avgEq; /* Average nEq value for key values not in aSample */ + IndexSample *aSample; /* Samples of the left-most key */ +#endif +}; + +/* +** Each sample stored in the sqlite_stat3 table is represented in memory +** using a structure of this type. See documentation at the top of the +** analyze.c source file for additional information. +*/ +struct IndexSample { + union { + char *z; /* Value if eType is SQLITE_TEXT or SQLITE_BLOB */ + double r; /* Value if eType is SQLITE_FLOAT */ + i64 i; /* Value if eType is SQLITE_INTEGER */ + } u; + u8 eType; /* SQLITE_NULL, SQLITE_INTEGER ... etc. */ + int nByte; /* Size in byte of text or blob. */ + tRowcnt nEq; /* Est. number of rows where the key equals this sample */ + tRowcnt nLt; /* Est. number of rows where key is less than this sample */ + tRowcnt nDLt; /* Est. number of distinct keys less than this sample */ +}; + +/* +** Each token coming out of the lexer is an instance of +** this structure. Tokens are also used as part of an expression. +** +** Note if Token.z==0 then Token.dyn and Token.n are undefined and +** may contain random values. 
Do not make any assumptions about Token.dyn +** and Token.n when Token.z==0. +*/ +struct Token { + const char *z; /* Text of the token. Not NULL-terminated! */ + unsigned int n; /* Number of characters in this token */ +}; + +/* +** An instance of this structure contains information needed to generate +** code for a SELECT that contains aggregate functions. +** +** If Expr.op==TK_AGG_COLUMN or TK_AGG_FUNCTION then Expr.pAggInfo is a +** pointer to this structure. The Expr.iColumn field is the index in +** AggInfo.aCol[] or AggInfo.aFunc[] of information needed to generate +** code for that node. +** +** AggInfo.pGroupBy and AggInfo.aFunc.pExpr point to fields within the +** original Select structure that describes the SELECT statement. These +** fields do not need to be freed when deallocating the AggInfo structure. +*/ +struct AggInfo { + u8 directMode; /* Direct rendering mode means take data directly + ** from source tables rather than from accumulators */ + u8 useSortingIdx; /* In direct mode, reference the sorting index rather + ** than the source table */ + int sortingIdx; /* Cursor number of the sorting index */ + int sortingIdxPTab; /* Cursor number of pseudo-table */ + int nSortingColumn; /* Number of columns in the sorting index */ + ExprList *pGroupBy; /* The group by clause */ + struct AggInfo_col { /* For each column used in source tables */ + Table *pTab; /* Source table */ + int iTable; /* Cursor number of the source table */ + int iColumn; /* Column number within the source table */ + int iSorterColumn; /* Column number in the sorting index */ + int iMem; /* Memory location that acts as accumulator */ + Expr *pExpr; /* The original expression */ + } *aCol; + int nColumn; /* Number of used entries in aCol[] */ + int nAccumulator; /* Number of columns that show through to the output. 
+ ** Additional columns are used only as parameters to + ** aggregate functions */ + struct AggInfo_func { /* For each aggregate function */ + Expr *pExpr; /* Expression encoding the function */ + FuncDef *pFunc; /* The aggregate function implementation */ + int iMem; /* Memory location that acts as accumulator */ + int iDistinct; /* Ephemeral table used to enforce DISTINCT */ + } *aFunc; + int nFunc; /* Number of entries in aFunc[] */ +}; + +/* +** The datatype ynVar is a signed integer, either 16-bit or 32-bit. +** Usually it is 16-bits. But if SQLITE_MAX_VARIABLE_NUMBER is greater +** than 32767 we have to make it 32-bit. 16-bit is preferred because +** it uses less memory in the Expr object, which is a big memory user +** in systems with lots of prepared statements. And few applications +** need more than about 10 or 20 variables. But some extreme users want +** to have prepared statements with over 32767 variables, and for them +** the option is available (at compile-time). +*/ +#if SQLITE_MAX_VARIABLE_NUMBER<=32767 +typedef i16 ynVar; +#else +typedef int ynVar; +#endif + +/* +** Each node of an expression in the parse tree is an instance +** of this structure. +** +** Expr.op is the opcode. The integer parser token codes are reused +** as opcodes here. For example, the parser defines TK_GE to be an integer +** code representing the ">=" operator. This same integer code is reused +** to represent the greater-than-or-equal-to operator in the expression +** tree. +** +** If the expression is an SQL literal (TK_INTEGER, TK_FLOAT, TK_BLOB, +** or TK_STRING), then Expr.token contains the text of the SQL literal. If +** the expression is a variable (TK_VARIABLE), then Expr.token contains the +** variable name. Finally, if the expression is an SQL function (TK_FUNCTION), +** then Expr.token contains the name of the function. +** +** Expr.pRight and Expr.pLeft are the left and right subexpressions of a +** binary operator. Either or both may be NULL. 
+** +** Expr.x.pList is a list of arguments if the expression is an SQL function, +** a CASE expression or an IN expression of the form " IN (, ...)". +** Expr.x.pSelect is used if the expression is a sub-select or an expression of +** the form " IN (SELECT ...)". If the EP_xIsSelect bit is set in the +** Expr.flags mask, then Expr.x.pSelect is valid. Otherwise, Expr.x.pList is +** valid. +** +** An expression of the form ID or ID.ID refers to a column in a table. +** For such expressions, Expr.op is set to TK_COLUMN and Expr.iTable is +** the integer cursor number of a VDBE cursor pointing to that table and +** Expr.iColumn is the column number for the specific column. If the +** expression is used as a result in an aggregate SELECT, then the +** value is also stored in the Expr.iAgg column in the aggregate so that +** it can be accessed after all aggregates are computed. +** +** If the expression is an unbound variable marker (a question mark +** character '?' in the original SQL) then the Expr.iTable holds the index +** number for that variable. +** +** If the expression is a subquery then Expr.iColumn holds an integer +** register number containing the result of the subquery. If the +** subquery gives a constant result, then iTable is -1. If the subquery +** gives a different answer at different times during statement processing +** then iTable is the address of a subroutine that computes the subquery. +** +** If the Expr is of type OP_Column, and the table it is selecting from +** is a disk table or the "old.*" pseudo-table, then pTab points to the +** corresponding table definition. +** +** ALLOCATION NOTES: +** +** Expr objects can use a lot of memory space in database schema. To +** help reduce memory requirements, sometimes an Expr object will be +** truncated. And to reduce the number of memory allocations, sometimes +** two or more Expr objects will be stored in a single memory allocation, +** together with Expr.zToken strings. 
+** +** If the EP_Reduced and EP_TokenOnly flags are set when +** an Expr object is truncated. When EP_Reduced is set, then all +** the child Expr objects in the Expr.pLeft and Expr.pRight subtrees +** are contained within the same memory allocation. Note, however, that +** the subtrees in Expr.x.pList or Expr.x.pSelect are always separately +** allocated, regardless of whether or not EP_Reduced is set. +*/ +struct Expr { + u8 op; /* Operation performed by this node */ + char affinity; /* The affinity of the column or 0 if not a column */ + u16 flags; /* Various flags. EP_* See below */ + union { + char *zToken; /* Token value. Zero terminated and dequoted */ + int iValue; /* Non-negative integer value if EP_IntValue */ + } u; + + /* If the EP_TokenOnly flag is set in the Expr.flags mask, then no + ** space is allocated for the fields below this point. An attempt to + ** access them will result in a segfault or malfunction. + *********************************************************************/ + + Expr *pLeft; /* Left subnode */ + Expr *pRight; /* Right subnode */ + union { + ExprList *pList; /* Function arguments or in " IN ( IN (