Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Clusterize pacf

Browse source 
This changes the type of user-exposed IDs from counts to strings.
Also makes the init functions work for the first time.
This commit is contained in:
Johanna Amann 2015-05-27 18:00:56 -07:00
parent ad2361b7ac
commit 99dcb40c67
16 changed files with 253 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/base/frameworks/pacf/__load__.bro
View file

@ -1,3 +1,12 @@
@load ./types @load ./types
@load ./main @load ./main
@load ./plugins @load ./plugins
# The cluster framework must be loaded first.
@load base/frameworks/cluster
@if ( Cluster::is_enabled() )
@load ./cluster
@else
@load ./non-cluster
@endif

66
scripts/base/frameworks/pacf/cluster.bro Normal file
View file

@ -0,0 +1,66 @@
@load ./main
@load base/frameworks/cluster
module Pacf;
export {
## This is the event used to transport add_rule calls to the manager.
global cluster_pacf_add_rule: event(r: Rule);
## This is the event used to transport remove_rule calls to the manager.
global cluster_pacf_remove_rule: event(id: string);
}
## Workers need ability to forward commands to manager.
redef Cluster::worker2manager_events += /Pacf::cluster_pacf_(add|remove)_rule/;
## Workers need to see the result events from the manager.
redef Cluster::manager2worker_events += /Pacf::rule_(added|removed|timeout|error)/;
function activate(p: PluginState, priority: int)
{
# we only run the activate function on the manager.
if ( Cluster::local_node_type() != Cluster::MANAGER )
return;
activate_impl(p, priority);
}
global local_rule_count: count = 1;
function add_rule(r: Rule) : string
{
if ( Cluster::local_node_type() == Cluster::MANAGER )
return add_rule_impl(r);
else
{
if ( r$id == "" )
r$id = cat(Cluster::node, ":", ++local_rule_count);
event Pacf::cluster_pacf_add_rule(r);
return r$id;
}
}
function remove_rule(id: string) : bool
{
if ( Cluster::local_node_type() == Cluster::MANAGER )
return remove_rule_impl(id);
else
{
event Pacf::cluster_pacf_remove_rule(id);
return T; # well, we can't know here. So - just hope...
}
}
@if ( Cluster::local_node_type() == Cluster::MANAGER )
event Pacf::cluster_pacf_add_rule(r: Rule)
{
add_rule_impl(r);
}
event Pacf::cluster_pacf_remove_rule(id: string)
{
remove_rule_impl(id);
}
@endif

59
scripts/base/frameworks/pacf/main.bro
View file

@ -44,7 +44,7 @@ export {
## location: An optional string describing where the drop was triggered. ## location: An optional string describing where the drop was triggered.
## ##
## Returns: The id of the inserted rule on succes and zero on failure. ## Returns: The id of the inserted rule on succes and zero on failure.
global drop_address: function(a: addr, t: interval, location: string &default="") : count; global drop_address: function(a: addr, t: interval, location: string &default="") : string;
## Stops forwarding a uni-directional flow's packets to Bro. ## Stops forwarding a uni-directional flow's packets to Bro.
## ##
@ -55,7 +55,7 @@ export {
## location: An optional string describing where the shunt was triggered. ## location: An optional string describing where the shunt was triggered.
## ##
## Returns: The id of the inserted rule on succes and zero on failure. ## Returns: The id of the inserted rule on succes and zero on failure.
global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : count; global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string;
## Removes all rules for an entity. ## Removes all rules for an entity.
## ##
@ -81,7 +81,7 @@ export {
## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle ## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle
## the rule", it doesn't necessarily mean that it was indeed successfully put in ## the rule", it doesn't necessarily mean that it was indeed successfully put in
## place, because that might happen asynchronously and thus fail only later. ## place, because that might happen asynchronously and thus fail only later.
global add_rule: function(r: Rule) : count; global add_rule: function(r: Rule) : string;
## Removes a rule. ## Removes a rule.
## ##
@ -91,7 +91,7 @@ export {
## to handle the removal. Note that again "success" means the plugin accepted the ## to handle the removal. Note that again "success" means the plugin accepted the
## removal. They might still fail to put it into effect, as that might happen ## removal. They might still fail to put it into effect, as that might happen
## asynchronously and thus go wrong at that point. ## asynchronously and thus go wrong at that point.
global remove_rule: function(id: count) : bool; global remove_rule: function(id: string) : bool;
###### Asynchronous feedback on rules. ###### Asynchronous feedback on rules.
@ -194,7 +194,7 @@ global plugins: vector of PluginState;
global plugin_ids: table[count] of PluginState; global plugin_ids: table[count] of PluginState;
global rule_counter: count = 1; global rule_counter: count = 1;
global plugin_counter: count = 1; global plugin_counter: count = 1;
global rules: table[count] of Rule; global rules: table[string] of Rule;
event bro_init() &priority=5 event bro_init() &priority=5
{ {
@ -285,20 +285,7 @@ function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
Log::write(LOG, info); Log::write(LOG, info);
} }
function activate(p: PluginState, priority: int) function drop_address(a: addr, t: interval, location: string &default="") : string
{
p$_priority = priority;
plugins[|plugins|] = p;
sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; });
plugin_ids[plugin_counter] = p;
p$_id = plugin_counter;
++plugin_counter;
log_msg(fmt("activated plugin with priority %d", priority), p);
}
function drop_address(a: addr, t: interval, location: string &default="") : count
{ {
local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)]; local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location]; local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
@ -306,7 +293,7 @@ function drop_address(a: addr, t: interval, location: string &default="") : coun
return add_rule(r); return add_rule(r);
} }
function shunt_flow(f: flow_id, t: interval, location: string &default="") : count function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
{ {
local flow = Pacf::Flow( local flow = Pacf::Flow(
$src_h=addr_to_subnet(f$src_h), $src_h=addr_to_subnet(f$src_h),
@ -330,9 +317,31 @@ function clear()
print "Pacf::clear not implemented yet"; print "Pacf::clear not implemented yet";
} }
function add_rule(r: Rule) : count # Low-level functions that only runs on the manager (or standalone) Bro node.
function activate_impl(p: PluginState, priority: int)
{ {
r$id = ++rule_counter; p$_priority = priority;
plugins[|plugins|] = p;
sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; });
plugin_ids[plugin_counter] = p;
p$_id = plugin_counter;
++plugin_counter;
# perform one-timi initialization
if ( p$plugin?$init )
p$plugin$init(p);
log_msg(fmt("activated plugin with priority %d", priority), p);
}
function add_rule_impl(r: Rule) : string
{
r$cid = ++rule_counter; # numeric id that can be used by plugins for their rules.
if ( ! r?$id )
r$id = cat(r$cid);
for ( i in plugins ) for ( i in plugins )
{ {
@ -349,14 +358,14 @@ function add_rule(r: Rule) : count
} }
log_rule_no_plugin(r, FAILED, "not supported"); log_rule_no_plugin(r, FAILED, "not supported");
return 0; return "";
} }
function remove_rule(id: count) : bool function remove_rule_impl(id: string) : bool
{ {
if ( id !in rules ) if ( id !in rules )
{ {
Reporter::error(fmt("Rule %d does not exist in Pacf::remove_rule", id)); Reporter::error(fmt("Rule %s does not exist in Pacf::remove_rule", id));
return F; return F;
} }

18
scripts/base/frameworks/pacf/non-cluster.bro Normal file
View file

@ -0,0 +1,18 @@
module Pacf;
@load ./main
function activate(p: PluginState, priority: int)
{
activate_impl(p, priority);
}
function add_rule(r: Rule) : string
{
return add_rule_impl(r);
}
function remove_rule(id: string) : bool
{
return remove_rule_impl(id);
}

17
scripts/base/frameworks/pacf/plugins/broker.bro
View file

@ -104,18 +104,27 @@ function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
return T; return T;
} }
function broker_init(p: PluginState)
{
BrokerComm::enable();
BrokerComm::connect(cat(p$broker_host), p$broker_port, 1sec);
BrokerComm::subscribe_to_events(p$broker_topic);
}
global broker_plugin = Plugin( global broker_plugin = Plugin(
$name=broker_name, $name=broker_name,
$can_expire = F, $can_expire = F,
$add_rule = broker_add_rule_fun, $add_rule = broker_add_rule_fun,
$remove_rule = broker_remove_rule_fun $remove_rule = broker_remove_rule_fun,
$init = broker_init
); );
global broker_plugin_can_expire = Plugin( global broker_plugin_can_expire = Plugin(
$name=broker_name, $name=broker_name,
$can_expire = T, $can_expire = T,
$add_rule = broker_add_rule_fun, $add_rule = broker_add_rule_fun,
$remove_rule = broker_remove_rule_fun $remove_rule = broker_remove_rule_fun,
$init = broker_init
); );
function create_broker(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState function create_broker(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState
@ -134,9 +143,5 @@ function create_broker(host: addr, host_port: port, topic: string, can_expire: b
pacf_broker_id[pacf_broker_current_id] = p; pacf_broker_id[pacf_broker_current_id] = p;
++pacf_broker_current_id; ++pacf_broker_current_id;
BrokerComm::enable();
BrokerComm::connect(cat(host), host_port, 1sec);
BrokerComm::subscribe_to_events(topic);
return p; return p;
} }

8
scripts/base/frameworks/pacf/plugins/openflow.bro
View file

@ -210,7 +210,7 @@ function openflow_rule_to_flow_mod(p: PluginState, r: Rule) : OpenFlow::ofp_flow
local c = p$of_config; local c = p$of_config;
local flow_mod = OpenFlow::ofp_flow_mod( local flow_mod = OpenFlow::ofp_flow_mod(
$cookie=OpenFlow::generate_cookie(r$id*2), # leave one space for the cases in which we need two rules. $cookie=OpenFlow::generate_cookie(r$cid*2), # leave one space for the cases in which we need two rules.
$command=OpenFlow::OFPFC_ADD, $command=OpenFlow::OFPFC_ADD,
$idle_timeout=c$idle_timeout, $idle_timeout=c$idle_timeout,
$priority=int_to_count(r$priority + c$priority_offset), $priority=int_to_count(r$priority + c$priority_offset),
@ -278,7 +278,7 @@ function openflow_add_rule(p: PluginState, r: Rule) : bool
{ {
if ( OpenFlow::flow_mod(p$of_controller, matches[i], flow_mod) ) if ( OpenFlow::flow_mod(p$of_controller, matches[i], flow_mod) )
{ {
of_messages[r$id, flow_mod$command] = OfTable($p=p, $r=r); of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r);
flow_mod = copy(flow_mod); flow_mod = copy(flow_mod);
++flow_mod$cookie; ++flow_mod$cookie;
} }
@ -295,12 +295,12 @@ function openflow_remove_rule(p: PluginState, r: Rule) : bool
return F; return F;
local flow_mod: OpenFlow::ofp_flow_mod = [ local flow_mod: OpenFlow::ofp_flow_mod = [
$cookie=OpenFlow::generate_cookie(r$id), $cookie=OpenFlow::generate_cookie(r$cid),
$command=OpenFlow::OFPFC_DELETE $command=OpenFlow::OFPFC_DELETE
]; ];
if ( OpenFlow::flow_mod(p$of_controller, [], flow_mod) ) if ( OpenFlow::flow_mod(p$of_controller, [], flow_mod) )
of_messages[r$id, flow_mod$command] = OfTable($p=p, $r=r); of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r);
else else
{ {
event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); event rule_error(r, p, "Error while executing OpenFlow::flow_mod");

3
scripts/base/frameworks/pacf/types.bro
View file

@ -102,7 +102,8 @@ export {
s: string &optional; ##< Argument for rule types requiring a string argument. s: string &optional; ##< Argument for rule types requiring a string argument.
mod: FlowMod &optional; ##< Argument for :bro:id:`MODIFY` rules. mod: FlowMod &optional; ##< Argument for :bro:id:`MODIFY` rules.
id: count &default=0; ##< Internally determined unique ID for this rule. Will be set when added. id: string &default=""; ##< Internally determined unique ID for this rule. Will be set when added.
cid: count &default=0; ##< Internally determined unique numeric ID for this rule. Set when added.
}; };
## Information of a flow that can be provided by switches when the flow times out. ## Information of a flow that can be provided by switches when the flow times out.

32
testing/btest/Baseline/scripts.base.frameworks.pacf.basic-cluster/manager-1.pacf.log Normal file
View file

@ -0,0 +1,32 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path pacf
#open 2015-05-28-00-59-14
#fields ts category cmd state action target entity_type entity msg location plugin
#types time enum string enum string enum string string string string string
1432774754.087659 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All
1432774756.519062 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774756.519062 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774756.519062 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774756.519062 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774758.581184 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774758.581184 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774758.581184 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774758.581184 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774756.036263 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774756.036263 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774757.774649 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774757.774649 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774758.070948 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774758.070948 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1432774766.388890 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
#close 2015-05-28-00-59-26

4
testing/btest/Baseline/scripts.base.frameworks.pacf.basic-cluster/worker-1..stdout Normal file
View file

@ -0,0 +1,4 @@
Rule added, worker-1:2, 2
Rule added, worker-1:3, 3
Rule added, worker-2:2, 4
Rule added, worker-2:3, 5

2
testing/btest/Baseline/scripts.base.frameworks.pacf.basic-cluster/worker-2..stdout Normal file
View file

@ -0,0 +1,2 @@
Rule added, worker-2:2, 4
Rule added, worker-2:3, 5

9
testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
View file

@ -1,4 +1,5 @@
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] pacf debug (Debug-All): init
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]

8
testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log
View file

@ -3,7 +3,7 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path pacf #path pacf
#open 2015-05-12-20-36-36 #open 2015-05-28-00-27-54
#fields ts category cmd state action target entity_type entity msg location plugin #fields ts category cmd state action target entity_type entity msg location plugin
#types time enum string enum string enum string string string string string #types time enum string enum string enum string string string string string
0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All 0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All
@ -12,7 +12,7 @@
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All
1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All
#close 2015-05-12-20-36-36 #close 2015-05-28-00-27-54

8
testing/btest/Baseline/scripts.base.frameworks.pacf.broker/recv.recv.out
View file

@ -1,5 +1,5 @@
BrokerComm::incoming_connection_established BrokerComm::incoming_connection_established
add_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] add_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1]
add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]
remove_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] remove_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1]
remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]

12
testing/btest/Baseline/scripts.base.frameworks.pacf.broker/send.send.out
View file

@ -1,7 +1,7 @@
BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
rule added, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] rule added, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1]
rule added, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] rule added, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]
ruke timeout, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>] rule timeout, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
rule removed, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] rule removed, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=2, _plugin_id=1]
ruke timeout, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>] rule timeout, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
rule removed, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] rule removed, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=, cid=3, _plugin_id=1]

50
testing/btest/scripts/base/frameworks/pacf/basic-cluster.bro Normal file
View file

@ -0,0 +1,50 @@
# @TEST-SERIALIZE: comm
#
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
# @TEST-EXEC: sleep 1
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT"
# @TEST-EXEC: sleep 1
# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT"
# @TEST-EXEC: btest-bg-wait 20
# @TEST-EXEC: btest-diff manager-1/pacf.log
# @TEST-EXEC: btest-diff worker-1/.stdout
# @TEST-EXEC: btest-diff worker-2/.stdout
@TEST-START-FILE cluster-layout.bro
redef Cluster::nodes = {
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"],
};
@TEST-END-FILE
redef Log::default_rotation_interval = 0secs;
#redef exit_only_after_terminate = T;
@load base/frameworks/pacf
event bro_init()
{
local pacf_debug = Pacf::create_debug(T);
Pacf::activate(pacf_debug, 0);
}
event connection_established(c: connection)
{
local id = c$id;
Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
Pacf::drop_address(id$orig_h, 15sec);
}
event terminate_me() {
terminate();
}
event remote_connection_closed(p: event_peer) {
schedule 1sec { terminate_me() };
}
event Pacf::rule_added(r: Pacf::Rule, p: Pacf::PluginState, msg: string &default="")
{
print "Rule added", r$id, r$cid;
}

4
testing/btest/scripts/base/frameworks/pacf/broker.bro
View file

@ -55,7 +55,7 @@ event Pacf::rule_removed(r: Pacf::Rule, p: Pacf::PluginState, msg: string)
event Pacf::rule_timeout(r: Pacf::Rule, i: Pacf::FlowInfo, p: Pacf::PluginState) event Pacf::rule_timeout(r: Pacf::Rule, i: Pacf::FlowInfo, p: Pacf::PluginState)
{ {
print "ruke timeout", r, i; print "rule timeout", r, i;
} }
@TEST-END-FILE @TEST-END-FILE
@ -94,7 +94,7 @@ event Pacf::broker_remove_rule(id: count, r: Pacf::Rule)
BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_timeout, id, r, Pacf::FlowInfo())); BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_timeout, id, r, Pacf::FlowInfo()));
BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_removed, id, r, "")); BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_removed, id, r, ""));
if ( r$id == 3 ) if ( r$cid == 3 )
terminate(); terminate();
} }