Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Updates for the notices framework.

Browse source 
- Moved the Notice::notice event and Notice::policy table to both be hooks.

 - Renamed the old Notice::policy to Notice::policy_table and documented it as deprecated.
This commit is contained in:
Seth Hall 2013-02-11 14:36:14 -05:00
parent a2556642e6
commit 9f8ba408ba
19 changed files with 129 additions and 159 deletions
Download patch file Download diff file Expand all files Collapse all files

1
doc/scripts/DocSourcesList.cmake
View file

@ -57,6 +57,7 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
rest_target(${psd} base/frameworks/notice/cluster.bro) rest_target(${psd} base/frameworks/notice/cluster.bro)
rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro) rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
rest_target(${psd} base/frameworks/notice/main.bro) rest_target(${psd} base/frameworks/notice/main.bro)
rest_target(${psd} base/frameworks/notice/non-cluster.bro)
rest_target(${psd} base/frameworks/notice/weird.bro) rest_target(${psd} base/frameworks/notice/weird.bro)
rest_target(${psd} base/frameworks/packet-filter/main.bro) rest_target(${psd} base/frameworks/packet-filter/main.bro)
rest_target(${psd} base/frameworks/packet-filter/netstats.bro) rest_target(${psd} base/frameworks/packet-filter/netstats.bro)

4
scripts/base/frameworks/notice/__load__.bro
View file

@ -17,7 +17,9 @@
@if ( Cluster::is_enabled() ) @if ( Cluster::is_enabled() )
@load ./cluster @load ./cluster
@else
@load ./non-cluster
@endif @endif
# Load here so that it can check whether clustering is enabled. # Load here so that it can check whether clustering is enabled.
@load ./actions/pp-alarms @load ./actions/pp-alarms

15
scripts/base/frameworks/notice/actions/add-geodata.bro
View file

@ -27,18 +27,17 @@ export {
## Notice types which should have the "remote" location looked up. ## Notice types which should have the "remote" location looked up.
## If GeoIP support is not built in, this does nothing. ## If GeoIP support is not built in, this does nothing.
const lookup_location_types: set[Notice::Type] = {} &redef; const lookup_location_types: set[Notice::Type] = {} &redef;
## Add a helper to the notice policy for looking up GeoIP data.
redef Notice::policy += {
[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
$action = ACTION_ADD_GEODATA,
$priority = 10],
};
} }
hook policy(n: Notice::Info) &priority=10
{
if ( n$note in Notice::lookup_location_types )
add n$actions[ACTION_ADD_GEODATA];
}
# This is handled at a high priority in case other notice handlers # This is handled at a high priority in case other notice handlers
# want to use the data. # want to use the data.
event notice(n: Notice::Info) &priority=10 hook notice(n: Notice::Info) &priority=10
{ {
if ( ACTION_ADD_GEODATA in n$actions && if ( ACTION_ADD_GEODATA in n$actions &&
|Site::local_nets| > 0 && |Site::local_nets| > 0 &&

21
scripts/base/frameworks/notice/actions/drop.bro
View file

@ -17,20 +17,13 @@ export {
}; };
} }
# This is a little awkward because we want to inject drop along with the hook notice(n: Notice::Info)
# synchronous functions.
event bro_init()
{ {
local drop_func = function(n: Notice::Info) if ( ACTION_DROP in n$actions )
{ {
if ( ACTION_DROP in n$actions ) #local drop = React::drop_address(n$src, "");
{ #local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
#local drop = React::drop_address(n$src, ""); #n$dropped = drop$note != Drop::AddressDropIgnored;
#local addl = drop?$sub ? fmt(" %s", drop$sub) : ""; #n$msg += fmt(" [%s%s]", drop$note, addl);
#n$dropped = drop$note != Drop::AddressDropIgnored; }
#n$msg += fmt(" [%s%s]", drop$note, addl);
}
};
add Notice::sync_functions[drop_func];
} }

2
scripts/base/frameworks/notice/actions/email_admin.bro
View file

@ -18,7 +18,7 @@ export {
}; };
} }
event notice(n: Notice::Info) &priority=-5 hook notice(n: Notice::Info) &priority=-5
{ {
if ( |Site::local_admins| > 0 && if ( |Site::local_admins| > 0 &&
ACTION_EMAIL_ADMIN in n$actions ) ACTION_EMAIL_ADMIN in n$actions )

2
scripts/base/frameworks/notice/actions/page.bro
View file

@ -15,7 +15,7 @@ export {
const mail_page_dest = "" &redef; const mail_page_dest = "" &redef;
} }
event notice(n: Notice::Info) &priority=-5 hook notice(n: Notice::Info) &priority=-5
{ {
if ( ACTION_PAGE in n$actions ) if ( ACTION_PAGE in n$actions )
email_notice_to(n, mail_page_dest, F); email_notice_to(n, mail_page_dest, F);

2
scripts/base/frameworks/notice/actions/pp-alarms.bro
View file

@ -105,7 +105,7 @@ event bro_init()
$postprocessor=pp_postprocessor]); $postprocessor=pp_postprocessor]);
} }
event notice(n: Notice::Info) &priority=-5 hook notice(n: Notice::Info) &priority=-5
{ {
if ( ! want_pp() ) if ( ! want_pp() )
return; return;

28
scripts/base/frameworks/notice/cluster.bro
View file

@ -21,22 +21,11 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/;
redef Cluster::worker2manager_events += /Notice::cluster_notice/; redef Cluster::worker2manager_events += /Notice::cluster_notice/;
@if ( Cluster::local_node_type() != Cluster::MANAGER ) @if ( Cluster::local_node_type() != Cluster::MANAGER )
# The notice policy is completely handled by the manager and shouldn't be
# done by workers or proxies to save time for packet processing.
redef Notice::policy = table();
event Notice::begin_suppression(n: Notice::Info) event Notice::begin_suppression(n: Notice::Info)
{ {
suppressing[n$note, n$identifier] = n; suppressing[n$note, n$identifier] = n;
} }
event Notice::notice(n: Notice::Info)
{
# Send the locally generated notice on to the manager.
event Notice::cluster_notice(n);
}
event bro_init() &priority=-3 event bro_init() &priority=-3
{ {
# Workers and proxies need to disable the notice streams because notice # Workers and proxies need to disable the notice streams because notice
@ -54,3 +43,20 @@ event Notice::cluster_notice(n: Notice::Info)
NOTICE(n); NOTICE(n);
} }
@endif @endif
module GLOBAL;
## This is the entry point in the global namespace for notice framework.
function NOTICE(n: Notice::Info)
{
# Suppress this notice if necessary.
if ( Notice::is_being_suppressed(n) )
return;
@if ( Cluster::local_node_type() == Cluster::MANAGER )
Notice::internal_NOTICE(n);
@else
# For non-managers, send the notice on to the manager.
event Notice::cluster_notice(n);
@endif
}

2
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -13,7 +13,7 @@ module Notice;
# reference to the original notice) # reference to the original notice)
global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs; global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
event Notice::notice(n: Notice::Info) &priority=10 hook notice(n: Notice::Info) &priority=10
{ {
if ( ! n?$src && ! n?$dst ) if ( ! n?$src && ! n?$dst )
return; return;

112
scripts/base/frameworks/notice/main.bro
View file

@ -102,10 +102,6 @@ export {
## The actions which have been applied to this notice. ## The actions which have been applied to this notice.
actions: set[Notice::Action] &log &optional; actions: set[Notice::Action] &log &optional;
## These are policy items that returned T and applied their action
## to the notice.
policy_items: set[count] &log &optional;
## By adding chunks of text into this element, other scripts can ## By adding chunks of text into this element, other scripts can
## expand on notices that are being emailed. The normal way to add text ## expand on notices that are being emailed. The normal way to add text
## is to extend the vector by handling the :bro:id:`Notice::notice` ## is to extend the vector by handling the :bro:id:`Notice::notice`
@ -185,32 +181,15 @@ export {
}; };
## Defines a notice policy that is extensible on a per-site basis. ## Defines a notice policy that is extensible on a per-site basis.
## All notice processing is done through this variable. ## All notice processing is done through this variable. This variable
const policy: set[PolicyItem] = { ## is the former 'policy' variable, and
[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); }, ## this variable is deprecated and will be removed in a future version.
$halt=T, $priority = 9], ## All notice policy decisions are going to be done through the
[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); }, ## 'policy' hook now.
$action = ACTION_NO_SUPPRESS, const policy_table: set[PolicyItem] = {} &redef;
$priority = 9],
[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); }, ## The hook to modify notice handling.
$action = ACTION_ALARM, global policy: hook(n: Notice::Info);
$priority = 8],
[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
$action = ACTION_EMAIL,
$priority = 8],
[$pred(n: Notice::Info) = {
if (n$note in Notice::type_suppression_intervals)
{
n$suppress_for=Notice::type_suppression_intervals[n$note];
return T;
}
return F;
},
$action = ACTION_NONE,
$priority = 8],
[$action = ACTION_LOG,
$priority = 0],
} &redef;
## Local system sendmail program. ## Local system sendmail program.
const sendmail = "/usr/sbin/sendmail" &redef; const sendmail = "/usr/sbin/sendmail" &redef;
@ -240,25 +219,11 @@ export {
## This is the event that is called as the entry point to the ## This is the event that is called as the entry point to the
## notice framework by the global :bro:id:`NOTICE` function. By the time ## notice framework by the global :bro:id:`NOTICE` function. By the time
## this event is generated, default values have already been filled out in ## this event is generated, default values have already been filled out in
## the :bro:type:`Notice::Info` record and synchronous functions in the ## the :bro:type:`Notice::Info` record and the notice
## :bro:id:`Notice::sync_functions` have already been called. The notice
## policy has also been applied. ## policy has also been applied.
## ##
## n: The record containing notice data. ## n: The record containing notice data.
global notice: event(n: Info); global notice: hook(n: Info);
## This is a set of functions that provide a synchronous way for scripts
## extending the notice framework to run before the normal event based
## notice pathway that most of the notice framework takes. This is helpful
## in cases where an action against a notice needs to happen immediately
## and can't wait the short time for the event to bubble up to the top of
## the event queue. An example is the IP address dropping script that
## can block IP addresses that have notices generated because it
## needs to operate closer to real time than the event queue allows it to.
## Normally the event based extension model using the
## :bro:id:`Notice::notice` event will work fine if there aren't harder
## real time constraints.
const sync_functions: set[function(n: Notice::Info)] = set() &redef;
## This event is generated when a notice begins to be suppressed. ## This event is generated when a notice begins to be suppressed.
## ##
@ -266,6 +231,11 @@ export {
## about to be suppressed. ## about to be suppressed.
global begin_suppression: event(n: Notice::Info); global begin_suppression: event(n: Notice::Info);
## A function to determine if an event is supposed to be suppressed.
##
## n: The record containing the notice in question.
global is_being_suppressed: function(n: Notice::Info): bool;
## This event is generated on each occurence of an event being suppressed. ## This event is generated on each occurence of an event being suppressed.
## ##
## n: The record containing notice data regarding the notice type ## n: The record containing notice data regarding the notice type
@ -424,9 +394,7 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
} }
else else
{ {
event reporter_info(network_time(), Reporter::info(fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens));
fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
"");
} }
} }
} }
@ -468,7 +436,26 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
piped_exec(fmt("%s -t -oi", sendmail), email_text); piped_exec(fmt("%s -t -oi", sendmail), email_text);
} }
event notice(n: Notice::Info) &priority=-5 hook Notice::policy(n: Notice::Info) &priority=10
{
if ( n$note in Notice::ignored_types )
break;
if ( n$note in Notice::not_suppressed_types )
add n$actions[ACTION_NO_SUPPRESS];
if ( n$note in Notice::alarmed_types )
add n$actions[ACTION_ALARM];
if ( n$note in Notice::emailed_types )
add n$actions[ACTION_EMAIL];
if ( n$note in Notice::type_suppression_intervals )
n$suppress_for=Notice::type_suppression_intervals[n$note];
# Logging is a default action. It can be removed in a later hook if desired.
add n$actions[ACTION_LOG];
}
hook Notice::notice(n: Notice::Info) &priority=-5
{ {
if ( ACTION_EMAIL in n$actions ) if ( ACTION_EMAIL in n$actions )
email_notice_to(n, mail_dest, T); email_notice_to(n, mail_dest, T);
@ -565,16 +552,12 @@ function apply_policy(n: Notice::Info)
if ( ! n?$email_delay_tokens ) if ( ! n?$email_delay_tokens )
n$email_delay_tokens = set(); n$email_delay_tokens = set();
if ( ! n?$policy_items )
n$policy_items = set();
for ( i in ordered_policy ) for ( i in ordered_policy )
{ {
# If there's no predicate or the predicate returns F. # If there's no predicate or the predicate returns F.
if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) ) if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
{ {
add n$actions[ordered_policy[i]$action]; add n$actions[ordered_policy[i]$action];
add n$policy_items[int_to_count(i)];
# If the predicate matched and there was a suppression interval, # If the predicate matched and there was a suppression interval,
# apply it to the notice now. # apply it to the notice now.
@ -587,6 +570,9 @@ function apply_policy(n: Notice::Info)
} }
} }
# Apply the hook based policy.
hook Notice::policy(n);
# Apply the suppression time after applying the policy so that policy # Apply the suppression time after applying the policy so that policy
# items can give custom suppression intervals. If there is no # items can give custom suppression intervals. If there is no
# suppression interval given yet, the default is applied. # suppression interval given yet, the default is applied.
@ -610,7 +596,7 @@ event bro_init() &priority=10
Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]); Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]);
local tmp: table[count] of set[PolicyItem] = table(); local tmp: table[count] of set[PolicyItem] = table();
for ( pi in policy ) for ( pi in policy_table )
{ {
if ( pi$priority < 0 || pi$priority > 10 ) if ( pi$priority < 0 || pi$priority > 10 )
Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10"); Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10");
@ -638,25 +624,13 @@ event bro_init() &priority=10
function internal_NOTICE(n: Notice::Info) function internal_NOTICE(n: Notice::Info)
{ {
# Suppress this notice if necessary.
if ( is_being_suppressed(n) )
return;
# Fill out fields that might be empty and do the policy processing. # Fill out fields that might be empty and do the policy processing.
apply_policy(n); apply_policy(n);
# Run the synchronous functions with the notice.
for ( func in sync_functions )
func(n);
# Generate the notice event with the notice. # Generate the notice event with the notice.
event Notice::notice(n); hook Notice::notice(n);
} }
module GLOBAL; module GLOBAL;
## This is the entry point in the global namespace for notice framework. global NOTICE: function(n: Notice::Info);
function NOTICE(n: Notice::Info)
{
Notice::internal_NOTICE(n);
}

14
scripts/base/frameworks/notice/non-cluster.bro Normal file
View file

@ -0,0 +1,14 @@
@load ./main
module GLOBAL;
## This is the entry point in the global namespace for notice framework.
function NOTICE(n: Notice::Info)
{
# Suppress this notice if necessary.
if ( Notice::is_being_suppressed(n) )
return;
Notice::internal_NOTICE(n);
}

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path loaded_scripts #path loaded_scripts
#open 2012-11-05-23-29-45 #open 2013-02-11-18-44-43
#fields name #fields name
#types string #types string
scripts/base/init-bare.bro scripts/base/init-bare.bro
@ -53,6 +53,7 @@ scripts/base/init-default.bro
scripts/base/frameworks/cluster/./main.bro scripts/base/frameworks/cluster/./main.bro
scripts/base/frameworks/control/__load__.bro scripts/base/frameworks/control/__load__.bro
scripts/base/frameworks/control/./main.bro scripts/base/frameworks/control/./main.bro
scripts/base/frameworks/notice/./non-cluster.bro
scripts/base/frameworks/notice/./actions/pp-alarms.bro scripts/base/frameworks/notice/./actions/pp-alarms.bro
scripts/base/frameworks/dpd/__load__.bro scripts/base/frameworks/dpd/__load__.bro
scripts/base/frameworks/dpd/./main.bro scripts/base/frameworks/dpd/./main.bro
@ -118,4 +119,4 @@ scripts/base/init-default.bro
scripts/base/protocols/syslog/./main.bro scripts/base/protocols/syslog/./main.bro
scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro scripts/policy/misc/loaded-scripts.bro
#close 2012-11-05-23-29-45 #close 2013-02-11-18-44-43

10
testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-50-59 #open 2013-02-11-18-41-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1342749059.978651 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - - 1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - -
#close 2012-07-20-01-51-08 #close 2013-02-11-18-41-03

10
testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-51-18 #open 2013-02-11-18-45-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1342749078.270791 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2012-07-20-01-51-27 #close 2013-02-11-18-45-43

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-51-36 #open 2013-02-11-18-45-14
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1342749096.545663 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2012-07-20-01-51-45 #close 2013-02-11-18-45-17

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-49-23 #open 2013-02-11-18-32-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double #types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double
1342748963.685754 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 1360607559.193954 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2012-07-20-01-49-23 #close 2013-02-11-18-32-39

10
testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-10-05-21-45-15 #open 2013-02-11-18-33-41
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2012-10-05-21-45-15 #close 2013-02-11-18-33-41

24
testing/btest/scripts/base/frameworks/metrics/notice.bro
View file

@ -1,24 +0,0 @@
# @TEST-EXEC: bro %INPUT
# @TEST-EXEC: btest-diff notice.log
redef enum Notice::Type += {
Test_Notice,
};
redef enum Metrics::ID += {
TEST_METRIC,
};
event bro_init() &priority=5
{
Metrics::add_filter(TEST_METRIC,
[$name="foo-bar",
$break_interval=3secs,
$note=Test_Notice,
$notice_threshold=2,
$log=F]);
Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
}

6
testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
View file

@ -1,7 +1,11 @@
# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
# @TEST-EXEC: btest-diff alarm-mail.txt # @TEST-EXEC: btest-diff alarm-mail.txt
redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 1 ] }; hook Notice::policy(n: Notice::Info) &priority=1
{
add n$actions[Notice::ACTION_ALARM];
}
redef Notice::force_email_summaries = T; redef Notice::force_email_summaries = T;
redef enum Notice::Type += { redef enum Notice::Type += {