diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 6ed14ca943..117430223e 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -57,6 +57,7 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro) rest_target(${psd} base/frameworks/notice/cluster.bro) rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro) rest_target(${psd} base/frameworks/notice/main.bro) +rest_target(${psd} base/frameworks/notice/non-cluster.bro) rest_target(${psd} base/frameworks/notice/weird.bro) rest_target(${psd} base/frameworks/packet-filter/main.bro) rest_target(${psd} base/frameworks/packet-filter/netstats.bro) diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro index 4548e98dc2..bcf3cd6898 100644 --- a/scripts/base/frameworks/notice/__load__.bro +++ b/scripts/base/frameworks/notice/__load__.bro @@ -17,7 +17,9 @@ @if ( Cluster::is_enabled() ) @load ./cluster +@else +@load ./non-cluster @endif # Load here so that it can check whether clustering is enabled. -@load ./actions/pp-alarms +@load ./actions/pp-alarms \ No newline at end of file diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.bro index 9f6909595c..c762be3b86 100644 --- a/scripts/base/frameworks/notice/actions/add-geodata.bro +++ b/scripts/base/frameworks/notice/actions/add-geodata.bro 
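Review bot: The `-@load ./actions/pp-alarms` / `+@load ./actions/pp-alarms` pair in __load__.bro changes nothing except the file's trailing newline (`\ No newline at end of file`), and the main.bro hunk ending in `+global NOTICE: function(n: Notice::Info);` loses its final newline the same way; both are editor noise that will churn again on the next touch, so restore the newline in each. The `@else` / `@load ./non-cluster` branch itself is sound, given that cluster.bro and non-cluster.bro each supply the body of the GLOBAL `NOTICE` that main.bro now only declares. That dependency is invisible here, so a one-line comment above the `@if`, e.g. `# Exactly one of these supplies the body of the GLOBAL NOTICE() declared in ./main.`, would warn anyone who later loads `./cluster` directly.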
@@ -27,18 +27,17 @@ export { ## Notice types which should have the "remote" location looked up. ## If GeoIP support is not built in, this does nothing. const lookup_location_types: set[Notice::Type] = {} &redef; - - ## Add a helper to the notice policy for looking up GeoIP data. - redef Notice::policy += { - [$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); }, - $action = ACTION_ADD_GEODATA, - $priority = 10], - }; } +hook policy(n: Notice::Info) &priority=10 + { + if ( n$note in Notice::lookup_location_types ) + add n$actions[ACTION_ADD_GEODATA]; + } + # This is handled at a high priority in case other notice handlers # want to use the data. -event notice(n: Notice::Info) &priority=10 +hook notice(n: Notice::Info) &priority=10 { if ( ACTION_ADD_GEODATA in n$actions && |Site::local_nets| > 0 && diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.bro index 0116dd4ed4..1befd8644f 100644 --- a/scripts/base/frameworks/notice/actions/drop.bro +++ b/scripts/base/frameworks/notice/actions/drop.bro @@ -17,20 +17,13 @@ export { }; } -# This is a little awkward because we want to inject drop along with the -# synchronous functions. -event bro_init() +hook notice(n: Notice::Info) { - local drop_func = function(n: Notice::Info) + if ( ACTION_DROP in n$actions ) { - if ( ACTION_DROP in n$actions ) - { - #local drop = React::drop_address(n$src, ""); - #local addl = drop?$sub ? fmt(" %s", drop$sub) : ""; - #n$dropped = drop$note != Drop::AddressDropIgnored; - #n$msg += fmt(" [%s%s]", drop$note, addl); - } - }; - - add Notice::sync_functions[drop_func]; + #local drop = React::drop_address(n$src, ""); + #local addl = drop?$sub ? fmt(" %s", drop$sub) : ""; + #n$dropped = drop$note != Drop::AddressDropIgnored; + #n$msg += fmt(" [%s%s]", drop$note, addl); + } } 
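Review bot: The new `hook notice(n: Notice::Info)` in drop.bro has a body that is entirely commented out, so every notice now runs a handler that can never do anything, and a reader cannot tell whether the dropping code is pending, abandoned, or deliberately disabled. Either leave the handler out until `React::drop_address` exists, or keep it with a comment that says why it is stubbed, e.g. `# Placeholder: the address-dropping call stays disabled until the React framework provides drop_address(); ACTION_DROP is accepted but currently has no effect.`. The same code previously ran through `Notice::sync_functions`, which this commit removes, so a synchronous hook is the right replacement once the body is restored.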
diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.bro index 7484a1c606..fb82f2b960 100644 --- a/scripts/base/frameworks/notice/actions/email_admin.bro +++ b/scripts/base/frameworks/notice/actions/email_admin.bro @@ -18,7 +18,7 @@ export { }; } -event notice(n: Notice::Info) &priority=-5 +hook notice(n: Notice::Info) &priority=-5 { if ( |Site::local_admins| > 0 && ACTION_EMAIL_ADMIN in n$actions ) diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.bro index 16a3463126..e29b2bf0ee 100644 --- a/scripts/base/frameworks/notice/actions/page.bro +++ b/scripts/base/frameworks/notice/actions/page.bro @@ -15,7 +15,7 @@ export { const mail_page_dest = "" &redef; } -event notice(n: Notice::Info) &priority=-5 +hook notice(n: Notice::Info) &priority=-5 { if ( ACTION_PAGE in n$actions ) email_notice_to(n, mail_page_dest, F); diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index 0f19d3da8f..52312c2624 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -105,7 +105,7 @@ event bro_init() $postprocessor=pp_postprocessor]); } -event notice(n: Notice::Info) &priority=-5 +hook notice(n: Notice::Info) &priority=-5 { if ( ! want_pp() ) return; diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro index e812c3fdca..02f11533fa 100644 --- a/scripts/base/frameworks/notice/cluster.bro +++ b/scripts/base/frameworks/notice/cluster.bro 
@@ -21,22 +21,11 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/; redef Cluster::worker2manager_events += /Notice::cluster_notice/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) - -# The notice policy is completely handled by the manager and shouldn't be -# done by workers or proxies to save time for packet processing. -redef Notice::policy = table(); - event Notice::begin_suppression(n: Notice::Info) { suppressing[n$note, n$identifier] = n; } -event Notice::notice(n: Notice::Info) - { - # Send the locally generated notice on to the manager. - event Notice::cluster_notice(n); - } - event bro_init() &priority=-3 { # Workers and proxies need to disable the notice streams because notice @@ -54,3 +43,20 @@ event Notice::cluster_notice(n: Notice::Info) NOTICE(n); } @endif + +module GLOBAL; + +## This is the entry point in the global namespace for notice framework. +function NOTICE(n: Notice::Info) + { + # Suppress this notice if necessary. + if ( Notice::is_being_suppressed(n) ) + return; + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + Notice::internal_NOTICE(n); +@else + # For non-managers, send the notice on to the manager. + event Notice::cluster_notice(n); +@endif + } diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/base/frameworks/notice/extend-email/hostnames.bro index 2ec6dbb23f..18442f453d 100644 --- a/scripts/base/frameworks/notice/extend-email/hostnames.bro +++ b/scripts/base/frameworks/notice/extend-email/hostnames.bro @@ -13,7 +13,7 @@ module Notice; # reference to the original notice) global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs; -event Notice::notice(n: Notice::Info) &priority=10 +hook notice(n: Notice::Info) &priority=10 { if ( ! n?$src && ! n?$dst ) return; diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index e9b29e7392..5d3cc48091 100644 --- a/scripts/base/frameworks/notice/main.bro 
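Review bot: The `module GLOBAL;` `function NOTICE(n: Notice::Info)` added in the second hunk and the one in the new non-cluster.bro duplicate the suppression check and the doc line, and the manager branch here is byte-for-byte the non-cluster body; a single definition whose only `@if` is the forwarding branch would keep the two entry points from drifting. The first hunk also drops, along with `redef Notice::policy = table();`, the only statement that workers and proxies do no policy processing; that still appears to hold (only the manager path reaches `Notice::internal_NOTICE`, where the policy hook runs), but nothing in the file says so now, so a worker-side `hook Notice::policy` handler added later would silently never fire. Suggest keeping a comment next to the worker `@if`, e.g. `# Workers and proxies never call Notice::internal_NOTICE, so Notice::policy and Notice::notice hook handlers only execute on the manager.`. On workers `Notice::is_being_suppressed` can only see what the `Notice::begin_suppression` handler above has stored in `suppressing`, so a notice raised before that event arrives is still forwarded; the manager re-checks in its own `NOTICE`, so this costs traffic rather than correctness.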
+++ b/scripts/base/frameworks/notice/main.bro @@ -102,10 +102,6 @@ export { ## The actions which have been applied to this notice. actions: set[Notice::Action] &log &optional; - ## These are policy items that returned T and applied their action - ## to the notice. - policy_items: set[count] &log &optional; - ## By adding chunks of text into this element, other scripts can ## expand on notices that are being emailed. The normal way to add text ## is to extend the vector by handling the :bro:id:`Notice::notice` @@ -185,32 +181,15 @@ export { }; ## Defines a notice policy that is extensible on a per-site basis. - ## All notice processing is done through this variable. - const policy: set[PolicyItem] = { - [$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); }, - $halt=T, $priority = 9], - [$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); }, - $action = ACTION_NO_SUPPRESS, - $priority = 9], - [$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); }, - $action = ACTION_ALARM, - $priority = 8], - [$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); }, - $action = ACTION_EMAIL, - $priority = 8], - [$pred(n: Notice::Info) = { - if (n$note in Notice::type_suppression_intervals) - { - n$suppress_for=Notice::type_suppression_intervals[n$note]; - return T; - } - return F; - }, - $action = ACTION_NONE, - $priority = 8], - [$action = ACTION_LOG, - $priority = 0], - } &redef; + ## All notice processing is done through this variable. This variable + ## is the former 'policy' variable, and + ## this variable is deprecated and will be removed in a future version. + ## All notice policy decisions are going to be done through the + ## 'policy' hook now. + const policy_table: set[PolicyItem] = {} &redef; + + ## The hook to modify notice handling. + global policy: hook(n: Notice::Info); ## Local system sendmail program. const sendmail = "/usr/sbin/sendmail" &redef; 
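Review bot: The doc comment on `policy_table` calls the old set "deprecated", but the rename is a hard break for existing configurations: `policy` is now `global policy: hook(n: Notice::Info);`, so a site script doing `redef Notice::policy += { ... }` (the exact form this commit removes from the mail-alarms test) no longer type-checks, and the retained sentence `## All notice processing is done through this variable.` is no longer true of the table at all. Rewrite the comment to say what a user must do, e.g. `## Former Notice::policy table, kept so existing PolicyItem sets can be moved to Notice::policy_table; new code should handle the Notice::policy hook instead.`, and drop the all-processing sentence. The `Info` record hunk leaves the context sentence `## is to extend the vector by handling the :bro:id:`Notice::notice`` pointing at what is now a hook; if the following line (outside the hunk) still says "event", it needs the same update.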
@@ -240,25 +219,11 @@ export { ## This is the event that is called as the entry point to the ## notice framework by the global :bro:id:`NOTICE` function. By the time ## this event is generated, default values have already been filled out in - ## the :bro:type:`Notice::Info` record and synchronous functions in the - ## :bro:id:`Notice::sync_functions` have already been called. The notice + ## the :bro:type:`Notice::Info` record and the notice ## policy has also been applied. ## ## n: The record containing notice data. - global notice: event(n: Info); - - ## This is a set of functions that provide a synchronous way for scripts - ## extending the notice framework to run before the normal event based - ## notice pathway that most of the notice framework takes. This is helpful - ## in cases where an action against a notice needs to happen immediately - ## and can't wait the short time for the event to bubble up to the top of - ## the event queue. An example is the IP address dropping script that - ## can block IP addresses that have notices generated because it - ## needs to operate closer to real time than the event queue allows it to. - ## Normally the event based extension model using the - ## :bro:id:`Notice::notice` event will work fine if there aren't harder - ## real time constraints. - const sync_functions: set[function(n: Notice::Info)] = set() &redef; + global notice: hook(n: Info); ## This event is generated when a notice begins to be suppressed. ## @@ -266,6 +231,11 @@ export { ## about to be suppressed. global begin_suppression: event(n: Notice::Info); + ## A function to determine if an event is supposed to be suppressed. + ## + ## n: The record containing the notice in question. + global is_being_suppressed: function(n: Notice::Info): bool; + ## This event is generated on each occurence of an event being suppressed. ## ## n: The record containing notice data regarding the notice type 
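Review bot: The comment above `global notice: hook(n: Info);` still opens with `## This is the event that is called as the entry point to the` and the context a few lines down still says `## this event is generated`, which contradicts the declaration it documents. Rephrase to the hook model, e.g. `## This hook is invoked synchronously as the entry point to the notice framework by the global NOTICE function; by then default values have been filled in and the Notice::policy hook has run.`. The new `is_being_suppressed` comment has the same slip: `## A function to determine if an event is supposed to be suppressed.` should say "notice", and if the function only consults the node-local `suppressing` table (the worker-side `begin_suppression` handler in cluster.bro fills exactly that), saying so would explain why both the cluster and non-cluster `NOTICE` wrappers call it before the manager sees the notice.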
@@ -424,9 +394,7 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool) } else { - event reporter_info(network_time(), - fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens), - ""); + Reporter::info(fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens)); } } } @@ -468,7 +436,26 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool) piped_exec(fmt("%s -t -oi", sendmail), email_text); } -event notice(n: Notice::Info) &priority=-5 +hook Notice::policy(n: Notice::Info) &priority=10 + { + if ( n$note in Notice::ignored_types ) + break; + + if ( n$note in Notice::not_suppressed_types ) + add n$actions[ACTION_NO_SUPPRESS]; + if ( n$note in Notice::alarmed_types ) + add n$actions[ACTION_ALARM]; + if ( n$note in Notice::emailed_types ) + add n$actions[ACTION_EMAIL]; + + if ( n$note in Notice::type_suppression_intervals ) + n$suppress_for=Notice::type_suppression_intervals[n$note]; + + # Logging is a default action. It can be removed in a later hook if desired. + add n$actions[ACTION_LOG]; + } + +hook Notice::notice(n: Notice::Info) &priority=-5 { if ( ACTION_EMAIL in n$actions ) email_notice_to(n, mail_dest, T); @@ -565,16 +552,12 @@ function apply_policy(n: Notice::Info) if ( ! n?$email_delay_tokens ) n$email_delay_tokens = set(); - if ( ! n?$policy_items ) - n$policy_items = set(); - for ( i in ordered_policy ) { # If there's no predicate or the predicate returns F. if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) ) { add n$actions[ordered_policy[i]$action]; - add n$policy_items[int_to_count(i)]; # If the predicate matched and there was a suppression interval, # apply it to the notice now. 
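Review bot: The default `hook Notice::policy` runs at `&priority=10`, the same priority as the `hook policy` added in add-geodata.bro, and the comment `# Logging is a default action. It can be removed in a later hook if desired.` does not say what "later" means. Because `break` on `Notice::ignored_types` ends the chain for every handler that has not yet run, and ordering among equal-priority handlers is not something scripts can rely on, the contract should be spelled out, e.g. `# Framework defaults; a site handler that overrides them (including removing ACTION_LOG) must use &priority < 10.`. The `Reporter::info` replacement and the `hook Notice::notice` conversion look fine; `email_notice_to` starts outside this hunk.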
@@ -587,6 +570,9 @@ function apply_policy(n: Notice::Info) } } + # Apply the hook based policy. + hook Notice::policy(n); + # Apply the suppression time after applying the policy so that policy # items can give custom suppression intervals. If there is no # suppression interval given yet, the default is applied. @@ -610,7 +596,7 @@ event bro_init() &priority=10 Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]); local tmp: table[count] of set[PolicyItem] = table(); - for ( pi in policy ) + for ( pi in policy_table ) { if ( pi$priority < 0 || pi$priority > 10 ) Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10"); @@ -638,25 +624,13 @@ event bro_init() &priority=10 function internal_NOTICE(n: Notice::Info) { - # Suppress this notice if necessary. - if ( is_being_suppressed(n) ) - return; - # Fill out fields that might be empty and do the policy processing. apply_policy(n); - # Run the synchronous functions with the notice. - for ( func in sync_functions ) - func(n); - # Generate the notice event with the notice. - event Notice::notice(n); + hook Notice::notice(n); } module GLOBAL; -## This is the entry point in the global namespace for notice framework. -function NOTICE(n: Notice::Info) - { - Notice::internal_NOTICE(n); - } +global NOTICE: function(n: Notice::Info); \ No newline at end of file diff --git a/scripts/base/frameworks/notice/non-cluster.bro b/scripts/base/frameworks/notice/non-cluster.bro new file mode 100644 index 0000000000..002ec0da34 --- /dev/null +++ b/scripts/base/frameworks/notice/non-cluster.bro @@ -0,0 +1,14 @@ + +@load ./main + +module GLOBAL; + +## This is the entry point in the global namespace for notice framework. +function NOTICE(n: Notice::Info) + { + # Suppress this notice if necessary. + if ( Notice::is_being_suppressed(n) ) + return; + + Notice::internal_NOTICE(n); + } 
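Review bot: `hook Notice::policy(n);` discards the hook's result, so the `break` that the default handler (main.bro hunk at `@@ -468`) executes for `Notice::ignored_types` only stops the remaining policy handlers: apply_policy carries on into the suppression logic that follows this hunk, and `internal_NOTICE` still runs `hook Notice::notice(n)`, so an ignored notice still reaches handlers that do not gate on `n$actions` (hostnames.bro's `hook notice` at priority 10 checks only `n?$src` / `n?$dst`). If the removed `$halt=T` policy item used to stop processing, that behaviour is lost here. Assuming a `hook` invocation yields F once a handler breaks, have apply_policy report the veto, e.g. `if ( ! hook Notice::policy(n) ) return F;` with the function returning `bool`, and have `internal_NOTICE` call `hook Notice::notice(n)` only when apply_policy returns T. apply_policy begins outside this hunk.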
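Review bot: `internal_NOTICE` no longer checks `is_being_suppressed`, so that guard now lives only in the two GLOBAL `NOTICE` bodies (cluster.bro and the new non-cluster.bro); any script that calls `Notice::internal_NOTICE` directly, which the removed `# Suppress this notice if necessary.` block used to make safe, now bypasses suppression. State the new precondition on the function, e.g. `# Precondition: the caller has already applied Notice::is_being_suppressed(); use the GLOBAL NOTICE() wrapper rather than calling this directly.`. The non-cluster.bro body is the manager branch of cluster.bro's `NOTICE` verbatim, so whichever file keeps the canonical copy should carry that comment too.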
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7fd3a1bdc8..d9e8ee0703 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-11-05-23-29-45 +#open 2013-02-11-18-44-43 #fields name #types string scripts/base/init-bare.bro @@ -53,6 +53,7 @@ scripts/base/init-default.bro scripts/base/frameworks/cluster/./main.bro scripts/base/frameworks/control/__load__.bro scripts/base/frameworks/control/./main.bro + scripts/base/frameworks/notice/./non-cluster.bro scripts/base/frameworks/notice/./actions/pp-alarms.bro scripts/base/frameworks/dpd/__load__.bro scripts/base/frameworks/dpd/./main.bro @@ -118,4 +119,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-11-05-23-29-45 +#close 2013-02-11-18-44-43 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log index 217b3ed49b..c87853e2b4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-50-59 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342749059.978651 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - - -#close 2012-07-20-01-51-08 +#open 2013-02-11-18-41-03 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet +1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - - +#close 2013-02-11-18-41-03 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log index 6c93cb875e..ddbb59c565 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-51-18 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342749078.270791 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-07-20-01-51-27 +#open 2013-02-11-18-45-43 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet +1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - - +#close 2013-02-11-18-45-43 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log index 88f25b066f..2f163a5491 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-51-36 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342749096.545663 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-07-20-01-51-45 +#open 2013-02-11-18-45-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet +1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - - +#close 2013-02-11-18-45-17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log index 7c7254f87e..f7f4148548 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-07-20-01-49-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double -1342748963.685754 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - -#close 2012-07-20-01-49-23 +#open 2013-02-11-18-32-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1360607559.193954 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-02-11-18-32-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index f9292344a8..da5489e0b7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2012-10-05-21-45-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - -#close 2012-10-05-21-45-15 +#open 2013-02-11-18-33-41 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet +1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - +#close 2013-02-11-18-33-41 diff --git a/testing/btest/scripts/base/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro deleted file mode 100644 index 0ac9faa956..0000000000 --- a/testing/btest/scripts/base/frameworks/metrics/notice.bro +++ /dev/null 
@@ -1,24 +0,0 @@ -# @TEST-EXEC: bro %INPUT -# @TEST-EXEC: btest-diff notice.log - - -redef enum Notice::Type += { - Test_Notice, -}; - -redef enum Metrics::ID += { - TEST_METRIC, -}; - -event bro_init() &priority=5 - { - Metrics::add_filter(TEST_METRIC, - [$name="foo-bar", - $break_interval=3secs, - $note=Test_Notice, - $notice_threshold=2, - $log=F]); - Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3); - Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2); - Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); - } diff --git a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro b/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro index 3116b1025a..0970ec0c76 100644 --- a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro +++ b/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro @@ -1,7 +1,11 @@ # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: btest-diff alarm-mail.txt -redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 1 ] }; +hook Notice::policy(n: Notice::Info) &priority=1 + { + add n$actions[Notice::ACTION_ALARM]; + } + redef Notice::force_email_summaries = T; redef enum Notice::Type += {