diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index cb7a42929c..b82605d533 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt @@ -119,7 +119,7 @@ macro(REST_TARGET srcDir broInput) ARGS -E remove_directory .state # generate the reST documentation using bro COMMAND BROPATH=${BROPATH}:${srcDir} ${CMAKE_BINARY_DIR}/src/bro - ARGS --doc-scripts ${broInput} || (rm -rf .state *.log *.rst && exit 1) + ARGS -b -Z ${broInput} || (rm -rf .state *.log *.rst && exit 1) # move generated doc into a new directory tree that # defines the final structure of documents COMMAND "${CMAKE_COMMAND}" diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 8290d3d102..e071de47e5 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -16,13 +16,13 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base bro.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base const.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base reporter.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base strings.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src/base types.bif.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) 
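Review bot: The new `ARGS -b -Z ${broInput} || (rm -rf .state *.log *.rst && exit 1)` swaps a self-describing long option for two bare short flags with nothing in the hunk saying what they do; a comment above the COMMAND such as `# -Z appears to be the short form of the former --doc-scripts; -b presumably runs bro in bare mode (confirm against bro --help)` would spare the next reader a trip to the usage text. The `|| (rm -rf .state *.log *.rst && exit 1)` cleanup is not changed by this commit, but it globs in whatever WORKING_DIRECTORY the surrounding add_custom_command sets, which lies outside the hunk, so it is worth confirming that directory is the per-target build directory rather than anything under the source tree. The enclosing REST_TARGET macro starts and ends outside the hunk.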
@@ -34,7 +34,9 @@ rest_target(${psd} base/frameworks/dpd/main.bro)
 rest_target(${psd} base/frameworks/intel/main.bro)
 rest_target(${psd} base/frameworks/logging/main.bro)
 rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
+rest_target(${psd} base/frameworks/metrics/cluster.bro)
 rest_target(${psd} base/frameworks/metrics/main.bro)
+rest_target(${psd} base/frameworks/metrics/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -64,11 +66,11 @@ rest_target(${psd} base/protocols/http/partial-content.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
-rest_target(${psd} base/protocols/mime/base.bro)
 rest_target(${psd} base/protocols/mime/file-extract.bro)
 rest_target(${psd} base/protocols/mime/file-hash.bro)
 rest_target(${psd} base/protocols/mime/file-ident.bro)
-rest_target(${psd} base/protocols/rpc/base.bro)
+rest_target(${psd} base/protocols/mime/main.bro)
+rest_target(${psd} base/protocols/rpc/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
@@ -99,8 +101,7 @@ rest_target(${psd} policy/frameworks/metrics/http-example.bro)
 rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
-rest_target(${psd} policy/integration/barnyard2/base.bro)
-rest_target(${psd} policy/integration/barnyard2/event.bro)
+rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
diff --git a/doc/scripts/genDocSourcesList.sh b/doc/scripts/genDocSourcesList.sh index 8ef4ff9c14..1f56843f5f 100755 --- a/doc/scripts/genDocSourcesList.sh +++ b/doc/scripts/genDocSourcesList.sh @@ -68,12 +68,12 @@ sourcedir=${thisdir}/../.. echo "$statictext" > $outfile -bifs=`( cd ${sourcedir}/build/src && find . -name \*\.bro | sort )` +bifs=`( cd ${sourcedir}/src && find . -name \*\.bif | sort )` for file in $bifs do - f=${file:2} - echo "rest_target(\${CMAKE_BINARY_DIR}/src $f)" >> $outfile + f=${file:2}.bro + echo "rest_target(\${CMAKE_BINARY_DIR}/src/base $f)" >> $outfile done scriptfiles=`( cd ${sourcedir}/scripts && find . -name \*\.bro | sort )` diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.bro index 03262d3d75..d0b72dad4f 100644 --- a/scripts/base/frameworks/cluster/__load__.bro +++ b/scripts/base/frameworks/cluster/__load__.bro @@ -1,7 +1,7 @@ # Load the core cluster support. @load ./main -@if ( Cluster::node != "" ) +@if ( Cluster::is_enabled() ) # Give the node being started up it's peer name. redef peer_description = Cluster::node; @@ -26,17 +26,17 @@ redef peer_description = Cluster::node; ## Set the port that this node is supposed to listen on. redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p; -@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER ) +@if ( Cluster::local_node_type() == Cluster::MANAGER ) @load ./nodes/manager @endif -@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::PROXY ) +@if ( Cluster::local_node_type() == Cluster::PROXY ) @load ./nodes/proxy @endif -@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::WORKER ) +@if ( Cluster::local_node_type() == Cluster::WORKER ) @load ./nodes/worker @endif @endif -@endif \ No newline at end of file +@endif diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index f6066e5800..0b117d2603 100644 --- a/scripts/base/frameworks/cluster/main.bro 
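Review bot: The new guard `@if ( Cluster::is_enabled() )` in cluster/__load__.bro still encloses `redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;`, which indexes the table by the configured node name, while setup-connections.bro in this same commit guards the equivalent code with `@if ( Cluster::node in Cluster::nodes )`. Unless is_enabled() already implies membership (its body is not part of this diff), a node name that is set but absent from Cluster::nodes would fail on that index during startup, presumably before the `node !in nodes` check in main.bro's bro_init can emit its Reporter::error; using `@if ( Cluster::node in Cluster::nodes )` here as well, or folding the membership test into is_enabled(), keeps the two files consistent and lets the intended diagnostic fire. The three `Cluster::local_node_type() == ...` directives in the second hunk would then also be guaranteed a valid node.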
+++ b/scripts/base/frameworks/cluster/main.bro @@ -1,3 +1,4 @@ +@load base/frameworks/control module Cluster; @@ -9,6 +10,7 @@ export { } &log; type NodeType: enum { + NONE, CONTROL, MANAGER, PROXY, @@ -53,8 +55,8 @@ export { ## This function can be called at any time to determine what type of ## cluster node the current Bro instance is going to be acting as. - ## :bro:id:`is_enabled` should be called first to find out if this is - ## actually going to be a cluster node. + ## If :bro:id:`Cluster::is_enabled` returns false, then + ## :bro:enum:`Cluster::NONE` is returned. global local_node_type: function(): NodeType; ## This gives the value for the number of workers currently connected to, @@ -80,15 +82,15 @@ function is_enabled(): bool function local_node_type(): NodeType { - return nodes[node]$node_type; + return is_enabled() ? nodes[node]$node_type : NONE; } - event remote_connection_handshake_done(p: event_peer) { if ( nodes[p$descr]$node_type == WORKER ) ++worker_count; } + event remote_connection_closed(p: event_peer) { if ( nodes[p$descr]$node_type == WORKER ) @@ -100,10 +102,9 @@ event bro_init() &priority=5 # If a node is given, but it's an unknown name we need to fail. if ( node != "" && node !in nodes ) { - local msg = "You didn't supply a valid node in the Cluster::nodes configuration."; - event reporter_error(current_time(), msg, ""); + Reporter::error(fmt("'%s' is not a valid node in the Cluster::nodes configuration", node)); terminate(); } Log::create_stream(CLUSTER, [$columns=Info]); - } \ No newline at end of file + } diff --git a/scripts/base/frameworks/cluster/nodes/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.bro index 78b9fb7788..d0c30406bc 100644 --- a/scripts/base/frameworks/cluster/nodes/manager.bro +++ b/scripts/base/frameworks/cluster/nodes/manager.bro 
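Review bot: In the `@@ -80,15 +82,15 @@` hunk, `remote_connection_handshake_done` and `remote_connection_closed` still evaluate `nodes[p$descr]$node_type` with no membership check, so a peer whose description is not a configured node name produces a missing-index error in the handler rather than a clear diagnostic; the commit reorders blank lines around these handlers but leaves the lookup as is. A guard of the form `if ( p$descr in nodes && nodes[p$descr]$node_type == WORKER )` in both handlers (the second one continues outside the hunk) would make worker_count robust to unexpected peers, in the same spirit as the new `is_enabled() ? nodes[node]$node_type : NONE` in local_node_type(). This is inferred from the visible lines; if the communication framework already rejects peers not in Cluster::nodes before the handshake event, a comment saying so would be enough.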
@@ -8,6 +8,8 @@ ##! This is where the cluster manager sets it's specific settings for other ##! frameworks and in the core. +@load base/frameworks/notice + @prefixes += cluster-manager # Load the script for local site configuration for the manager node. diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.bro index f534e0aecc..a19fa67485 100644 --- a/scripts/base/frameworks/cluster/nodes/worker.bro +++ b/scripts/base/frameworks/cluster/nodes/worker.bro @@ -1,3 +1,4 @@ +@load base/frameworks/notice @prefixes += cluster-worker diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index 7928d0c6ec..5937271793 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro @@ -1,5 +1,7 @@ @load ./main -@load base/frameworks/communication/main +@load base/frameworks/communication + +@if ( Cluster::node in Cluster::nodes ) module Cluster; @@ -79,3 +81,5 @@ event bro_init() &priority=9 } } } + +@endif diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index 73e6086f97..f6e58be1fc 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -1,6 +1,8 @@ ##! Connect to remote Bro or Broccoli instances to share state and/or transfer ##! events. +@load base/frameworks/packet-filter + module Communication; export { diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index 9849d4df42..f9ba388734 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -20,6 +20,8 @@ # canary # friend +@load base/frameworks/notice + module Intel; export { diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index a90dd21984..153663607d 100644 
--- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -159,7 +159,7 @@ export { # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; -@load logging.bif.bro # Needs Filter and Stream defined. +@load base/logging.bif # Needs Filter and Stream defined. module Log; diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.bro new file mode 100644 index 0000000000..f27e748ae5 --- /dev/null +++ b/scripts/base/frameworks/logging/postprocessors/scp.bro 
@@ -0,0 +1,42 @@ +##! This script defines a postprocessing function that can be applied +##! to a logging filter in order to automatically SCP (secure copy) +##! a log stream (or a subset of it) to a remote host at configurable +##! rotation time intervals. + +module Log; + +export { + ## This postprocessor SCP's the rotated-log to all the remote hosts + ## defined in :bro:id:`Log::scp_destinations` and then deletes + ## the local copy of the rotated-log. It's not active when + ## reading from trace files. + global scp_postprocessor: function(info: Log::RotationInfo): bool; + + ## A container that describes the remote destination for the SCP command + ## argument as ``user@host:path``. + type SCPDestination: record { + user: string; + host: string; + path: string; + }; + + ## A table indexed by a particular log writer and filter path, that yields + ## a set remote destinations. The :bro:id:`Log::scp_postprocessor` + ## function queries this table upon log rotation and performs a secure + ## copy of the rotated-log to each destination in the set. + global scp_destinations: table[Writer, string] of set[SCPDestination]; +} + +function scp_postprocessor(info: Log::RotationInfo): bool + { + if ( reading_traces() || [info$writer, info$path] !in scp_destinations ) + return T; + + local command = ""; + for ( d in scp_destinations[info$writer, info$path] ) + command += fmt("scp %s %s@%s:%s;", info$fname, d$user, d$host, d$path); + + command += fmt("/bin/rm %s", info$fname); + system(command); + return T; + } diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro index 91efa98996..aaf1d43c56 100644 --- a/scripts/base/frameworks/metrics/cluster.bro +++ b/scripts/base/frameworks/metrics/cluster.bro @@ -8,6 +8,7 @@ ##! to be an internal implementation detail. @load base/frameworks/cluster +@load ./main module Metrics; 
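Review bot: In `scp_postprocessor` the copies and the delete are chained with `;`, so `/bin/rm %s` runs even when every scp fails and the only copy of the rotated log is lost; changing the per-destination format to `command += fmt("scp %s %s@%s:%s && ", info$fname, d$user, d$host, d$path);` while keeping `command += fmt("/bin/rm %s", info$fname);` makes removal conditional on all copies succeeding. The interpolated `info$fname`, `d$user`, `d$host` and `d$path` are placed in a `system()` shell string unquoted; they come from the logging configuration rather than from traffic, but a path or filename containing whitespace or shell metacharacters would still break or alter the command, so quoting each operand (or validating `scp_destinations` entries) is worth a line. Because this runs from a non-interactive postprocessor, `scp` without batch mode (`-B`) can block on a password or host-key prompt; the docstring on `scp_destinations` should state that key-based authentication and a pre-populated known_hosts are prerequisites, and the ignored `system()` return value means a failure is otherwise silent.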
@@ -258,4 +259,4 @@ event Metrics::cluster_filter_response(uid: string, id: ID, filter_name: string, } } -@endif \ No newline at end of file +@endif diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro index a467ebf714..85c050fb25 100644 --- a/scripts/base/frameworks/metrics/non-cluster.bro +++ b/scripts/base/frameworks/metrics/non-cluster.bro @@ -1,3 +1,4 @@ +@load ./main module Metrics; @@ -17,4 +18,4 @@ function data_added(filter: Filter, index: Index, val: count) { if ( check_notice(filter, index, val) ) do_notice(filter, index, val); - } \ No newline at end of file + } diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.bro index 71e9c6b490..bc4021abea 100644 --- a/scripts/base/frameworks/notice/actions/add-geodata.bro +++ b/scripts/base/frameworks/notice/actions/add-geodata.bro @@ -4,6 +4,10 @@ ##! probably a safe assumption to make in most cases. If both addresses ##! are remote, it will use the $src address. +@load ../main +@load base/frameworks/notice +@load base/utils/site + module Notice; export { @@ -44,4 +48,4 @@ event notice(n: Notice::Info) &priority=10 else if ( n?$dst && ! Site::is_local_addr(n$dst) ) n$remote_location = lookup_location(n$dst); } - } \ No newline at end of file + } diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.bro index fc1f608f9f..0116dd4ed4 100644 --- a/scripts/base/frameworks/notice/actions/drop.bro +++ b/scripts/base/frameworks/notice/actions/drop.bro @@ -1,6 +1,8 @@ ##! This script extends the built in notice code to implement the IP address ##! dropping functionality. +@load ../main + module Notice; export { @@ -31,4 +33,4 @@ event bro_init() }; add Notice::sync_functions[drop_func]; - } \ No newline at end of file + } 
diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.bro index c03629d885..56c0d5853d 100644 --- a/scripts/base/frameworks/notice/actions/email_admin.bro +++ b/scripts/base/frameworks/notice/actions/email_admin.bro @@ -1,3 +1,6 @@ +@load ../main +@load base/utils/site + module Notice; export { diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.bro index 059a92c0c9..f88064ac47 100644 --- a/scripts/base/frameworks/notice/actions/page.bro +++ b/scripts/base/frameworks/notice/actions/page.bro @@ -1,3 +1,4 @@ +@load ../main module Notice; @@ -16,4 +17,4 @@ event notice(n: Notice::Info) &priority=-5 { if ( ACTION_PAGE in n$actions ) email_notice_to(n, mail_page_dest, F); - } \ No newline at end of file + } diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/base/frameworks/notice/extend-email/hostnames.bro index da2d0d5d0f..b7be601db0 100644 --- a/scripts/base/frameworks/notice/extend-email/hostnames.bro +++ b/scripts/base/frameworks/notice/extend-email/hostnames.bro @@ -1,3 +1,4 @@ +@load ../main module Notice; diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index ea7a472031..8f80961d45 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -41,7 +41,9 @@ export { ## Indicates that the notice should be sent to the email address(es) ## configured in the :bro:id:`Notice::mail_dest` variable. ACTION_EMAIL, - ## Indicates that the notice should be alarmed. + ## Indicates that the notice should be alarmed. A readable ASCII + ## version of the alarm log is emailed in bulk to the address(es) + ## configured in :bro:id:`Notice::mail_dest`. ACTION_ALARM, }; 
@@ -136,7 +138,8 @@ export { ## Local system sendmail program. const sendmail = "/usr/sbin/sendmail" &redef; - ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action. + ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action + ## or to send bulk alarm logs on rotation with :bro:enum:`ACTION_ALARM`. const mail_dest = "" &redef; ## Address that emails will be from. @@ -146,6 +149,11 @@ export { ## Text string prefixed to the subject of all emails sent out. const mail_subject_prefix = "[Bro]" &redef; + ## A log postprocessing function that implements emailing the contents + ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`. + ## The rotated log is removed upon being sent. + global log_mailing_postprocessor: function(info: Log::RotationInfo): bool; + ## This is the event that is called as the entry point to the ## notice framework by the global :bro:id:`NOTICE` function. By the time ## this event is generated, default values have already been filled out in @@ -171,7 +179,14 @@ export { ## by default with the built in :bro:enum:`ACTION_EMAIL` and ## :bro:enum:`ACTION_PAGE` actions. global email_notice_to: function(n: Info, dest: string, extend: bool); - + + ## Constructs mail headers to which an email body can be appended for + ## sending with sendmail. + ## subject_desc: a subject string to use for the mail + ## dest: recipient string to use for the mail + ## Returns: a string of mail headers to which an email body can be appended + global email_headers: function(subject_desc: string, dest: string): string; + ## This is an internally used function, please ignore it. It's only used ## for filling out missing details of :bro:type:`Notice:Info` records ## before the synchronous and asynchronous event pathways have begun. 
@@ -186,21 +201,47 @@ export { # priority. global ordered_policy: vector of PolicyItem = vector(); +function log_mailing_postprocessor(info: Log::RotationInfo): bool + { + if ( ! reading_traces() && mail_dest != "" ) + { + local headers = email_headers(fmt("Log Contents: %s", info$fname), + mail_dest); + local tmpfilename = fmt("%s.mailheaders.tmp", info$fname); + local tmpfile = open(tmpfilename); + write_file(tmpfile, headers); + close(tmpfile); + system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm %s %s", + tmpfilename, info$fname, sendmail, tmpfilename, info$fname)); + } + return T; + } + +# This extra export section here is just because this redefinition should +# be documented as part of the "public API" of this script, but the redef +# needs to occur after the postprocessor function implementation. +export { + ## By default, an ASCII version of the the alarm log is emailed daily to any + ## configured :bro:id:`Notice::mail_dest` if not operating on trace files. + redef Log::rotation_control += { + [Log::WRITER_ASCII, "alarm-mail"] = + [$interv=24hrs, $postprocessor=log_mailing_postprocessor] + }; +} + event bro_init() { Log::create_stream(NOTICE_POLICY, [$columns=PolicyItem]); Log::create_stream(Notice::NOTICE, [$columns=Info, $ev=log_notice]); Log::create_stream(ALARM, [$columns=Notice::Info]); - # Make sure that this log is output as text so that it can be packaged - # up and emailed later. - Log::add_filter(ALARM, [$name="default", $writer=Log::WRITER_ASCII]); + # If Bro is configured for mailing notices, set up mailing for alarms. + # Make sure that this alarm log is also output as text so that it can + # be packaged up and emailed later. + if ( ! reading_traces() && mail_dest != "" ) + Log::add_filter(ALARM, [$name="alarm-mail", $path="alarm-mail", + $writer=Log::WRITER_ASCII]); } - # TODO: need a way to call a Bro script level callback during file rotation. - # we need more than a just $postprocessor. 
- #redef Log::rotation_control += { - # [Log::WRITER_ASCII, "alarm"] = [$postprocessor="mail-alarms"]; - #}; # TODO: fix this. #function notice_tags(n: Notice::Info) : table[string] of string @@ -220,20 +261,24 @@ event bro_init() # return tgs; # } +function email_headers(subject_desc: string, dest: string): string + { + local header_text = string_cat( + "From: ", mail_from, "\n", + "Subject: ", mail_subject_prefix, " ", subject_desc, "\n", + "To: ", dest, "\n", + "User-Agent: Bro-IDS/", bro_version(), "\n"); + if ( reply_to != "" ) + header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n"); + return header_text; + } + function email_notice_to(n: Notice::Info, dest: string, extend: bool) { if ( reading_traces() || dest == "" ) return; - local email_text = string_cat( - "From: ", mail_from, "\n", - "Subject: ", mail_subject_prefix, " ", fmt("%s", n$note), "\n", - "To: ", dest, "\n", - # TODO: BiF to get version (the resource_usage Bif seems like overkill). - "User-Agent: Bro-IDS/?.?.?\n"); - - if ( reply_to != "" ) - email_text = string_cat(email_text, "Reply-To: ", reply_to, "\n"); + local email_text = email_headers(fmt("%s", n$note), dest); # The notice emails always start off with the human readable message. email_text = string_cat(email_text, "\n", n$msg, "\n"); diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index 31ecd484e9..556b34432a 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -1,3 +1,7 @@ +@load base/utils/conn-ids +@load base/utils/site +@load ./main + module Weird; export { diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index b030e763f0..5d5bd61106 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro 
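Review bot: `log_mailing_postprocessor` interpolates `tmpfilename`, `info$fname` and `sendmail` into a `system()` string unquoted, and because the pipeline and the cleanup are joined with `&&`, a failing `cat | sendmail` leaves `<fname>.mailheaders.tmp` beside the log indefinitely while the log itself is (correctly) kept. Restructuring the command as `system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm %s; /bin/rm %s", tmpfilename, info$fname, sendmail, info$fname, tmpfilename));` removes the temp file on every path and the log only on success; quoting the operands is advisable for the same reasons as any shell string built from file names. The new export declaration documents the function well, but the header file side effect is invisible to readers of the generated docs; a line such as `## Writes a temporary header file next to the rotated log, so the log directory must be writable.` would complete it. The surrounding bro_init hunk now only adds the "alarm-mail" filter when mailing is configured, which the new comment explains clearly.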
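Review bot: `email_headers` writes `subject_desc` and `dest` straight into header lines, so a value containing a CR or LF would end the Subject or To header and begin a new one; the current callers pass `fmt("%s", n$note)` and `info$fname`, both configuration-derived, so this is hardening rather than a live bug, but a normalisation such as `subject_desc = gsub(subject_desc, /[\r\n]+/, " ");` at the top of the function keeps the contract safe for any future caller. The export-section docstring describes the return value but not that a `Reply-To:` line is only emitted when `reply_to` is non-empty; extending it with `## Returns: headers ending in a newline, including Reply-To only when reply_to is set` would match the implementation. Replacing the hard-coded `Bro-IDS/?.?.?` with `bro_version()` also resolves the old TODO, which the commit rightly drops.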
@@ -4,6 +4,8 @@ ##! open filter and all filters defined in Bro scripts with the ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. +@load base/frameworks/notice + module PacketFilter; export { diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro index 887c7222e0..69b5026515 100644 --- a/scripts/base/frameworks/packet-filter/netstats.bro +++ b/scripts/base/frameworks/packet-filter/netstats.bro @@ -1,5 +1,7 @@ ##! This script reports on packet loss from the various packet sources. +@load base/frameworks/notice + module PacketFilter; export { diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro index 9f218ab144..14aa3240c6 100644 --- a/scripts/base/frameworks/signatures/main.bro +++ b/scripts/base/frameworks/signatures/main.bro @@ -1,5 +1,7 @@ ##! Script level signature support. +@load base/frameworks/notice + module Signatures; export { diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index e35902aff1..7f9a55673b 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -4,6 +4,9 @@ ##! that they analyze. The entry point for providing new software detections ##! to this framework is through the :bro:id:`Software::found` function. +@load base/utils/directions-and-hosts +@load base/utils/numbers + module Software; export { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f1468cea6b..2a9f093385 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1,5 +1,5 @@ -@load const.bif.bro -@load types.bif.bro +@load base/const.bif +@load base/types.bif # Type declarations type string_array: table[count] of string; @@ -29,7 +29,7 @@ type icmp_conn: record { }; type icmp_hdr: record { - icmp_type: count; # type of message + icmp_type: count; ##< type of message }; type icmp_context: record { 
@@ -57,16 +57,19 @@ type dns_mapping: record { type ftp_port: record { h: addr; p: port; - valid: bool; # true if format was right + valid: bool; ##< true if format was right }; type endpoint: record { - size: count; # logical size (for TCP: from seq numbers) + size: count; ##< logical size (for TCP: from seq numbers) state: count; - # The following are set if use_conn_size_analyzer is T. - num_pkts: count &optional; # number of packets on the wire - num_bytes_ip: count &optional; # actual number of IP-level bytes on the wire + ## Number of packets on the wire + ## Set if :bro:id:`use_conn_size_analyzer` is true. + num_pkts: count &optional; + ## Number of IP-level bytes on the wire + ## Set if :bro:id:`use_conn_size_analyzer` is true. + num_bytes_ip: count &optional; }; type endpoint_stats: record { @@ -87,9 +90,9 @@ type connection: record { resp: endpoint; start_time: time; duration: interval; - service: string_set; # if empty, service hasn't been determined + service: string_set; ##< if empty, service hasn't been determined addl: string; - hot: count; # how hot; 0 = don't know or not hot + hot: count; ##< how hot; 0 = don't know or not hot history: string; uid: string; }; 
@@ -114,30 +117,30 @@ type NetStats: record { }; type bro_resources: record { - version: string; # Bro version string - debug: bool; # true if compiled with --enable-debug - start_time: time; # start time of process - real_time: interval; # elapsed real time since Bro started running - user_time: interval; # user CPU seconds - system_time: interval; # system CPU seconds - mem: count; # maximum memory consumed, in KB - minor_faults: count; # page faults not requiring actual I/O - major_faults: count; # page faults requiring actual I/O - num_swap: count; # times swapped out - blocking_input: count; # blocking input operations - blocking_output: count; # blocking output operations - num_context: count; # number of involuntary context switches + version: string; ##< Bro version string + debug: bool; ##< true if compiled with --enable-debug + start_time: time; ##< start time of process + real_time: interval; ##< elapsed real time since Bro started running + user_time: interval; ##< user CPU seconds + system_time: interval; ##< system CPU seconds + mem: count; ##< maximum memory consumed, in KB + minor_faults: count; ##< page faults not requiring actual I/O + major_faults: count; ##< page faults requiring actual I/O + num_swap: count; ##< times swapped out + blocking_input: count; ##< blocking input operations + blocking_output: count; ##< blocking output operations + num_context: count; ##< number of involuntary context switches - num_TCP_conns: count; # current number of TCP connections + num_TCP_conns: count; ##< current number of TCP connections num_UDP_conns: count; num_ICMP_conns: count; - num_fragments: count; # current number of fragments pending reassembly - num_packets: count; # total number packets processed to date - num_timers: count; # current number of pending timers - num_events_queued: count; # total number of events queued so far - num_events_dispatched: count; # same for events dispatched + num_fragments: count; ##< current number of fragments pending 
reassembly + num_packets: count; ##< total number packets processed to date + num_timers: count; ##< current number of pending timers + num_events_queued: count; ##< total number of events queued so far + num_events_dispatched: count; ##< same for events dispatched - max_TCP_conns: count; # maximum number of TCP connections, etc. + max_TCP_conns: count; ##< maximum number of TCP connections, etc. max_UDP_conns: count; max_ICMP_conns: count; max_fragments: count; 
@@ -145,34 +148,34 @@ type bro_resources: record { }; -# Summary statistics of all DFA_State_Caches. +## Summary statistics of all DFA_State_Caches. type matcher_stats: record { - matchers: count; # number of distinct RE matchers - dfa_states: count; # number of DFA states across all matchers - computed: count; # number of computed DFA state transitions - mem: count; # number of bytes used by DFA states - hits: count; # number of cache hits - misses: count; # number of cache misses - avg_nfa_states: count; # average # NFA states across all matchers + matchers: count; ##< number of distinct RE matchers + dfa_states: count; ##< number of DFA states across all matchers + computed: count; ##< number of computed DFA state transitions + mem: count; ##< number of bytes used by DFA states + hits: count; ##< number of cache hits + misses: count; ##< number of cache misses + avg_nfa_states: count; ##< average # NFA states across all matchers }; -# Info provided to gap_report, and also available by get_gap_summary(). +## Info provided to gap_report, and also available by get_gap_summary(). type gap_info: record { - ack_events: count; # how many ack events *could* have had gaps - ack_bytes: count; # how many bytes those covered - gap_events: count; # how many *did* have gaps - gap_bytes: count; # how many bytes were missing in the gaps: + ack_events: count; ##< how many ack events *could* have had gaps + ack_bytes: count; ##< how many bytes those covered + gap_events: count; ##< how many *did* have gaps + gap_bytes: count; ##< how many bytes were missing in the gaps: }; # This record should be read-only. 
type packet: record { conn: connection; is_orig: bool; - seq: count; # seq=k => it is the kth *packet* of the connection + seq: count; ##< seq=k => it is the kth *packet* of the connection timestamp: time; }; -type var_sizes: table[string] of count; # indexed by var's name, returns size +type var_sizes: table[string] of count; ##< indexed by var's name, returns size type script_id: record { type_name: string; @@ -213,30 +216,30 @@ type IPAddrAnonymization: enum { }; type IPAddrAnonymizationClass: enum { - ORIG_ADDR, # client address - RESP_ADDR, # server address + ORIG_ADDR, ##< client address + RESP_ADDR, ##< server address OTHER_ADDR, }; -# Events are generated by event_peer's (which may be either ourselves, or -# some remote process). +## Events are generated by event_peer's (which may be either ourselves, or +## some remote process). type peer_id: count; type event_peer: record { - id: peer_id; # locally unique ID of peer (returned by connect()) + id: peer_id; ##< locally unique ID of peer (returned by connect()) host: addr; p: port; - is_local: bool; # true if this peer describes the current process. - descr: string; # source's external_source_description + is_local: bool; ##< true if this peer describes the current process. + descr: string; ##< source's external_source_description class: string &optional; # self-assigned class of the peer }; type rotate_info: record { - old_name: string; # original filename - new_name: string; # file name after rotation - open: time; # time when opened - close: time; # time when closed + old_name: string; ##< original filename + new_name: string; ##< file name after rotation + open: time; ##< time when opened + close: time; ##< time when closed }; 
@@ -249,29 +252,29 @@ type rotate_info: record { # }; type sw_params: record { - # Minimum size of a substring, minimum "granularity". + ## Minimum size of a substring, minimum "granularity". min_strlen: count &default = 3; - # Smith-Waterman flavor to use. + ## Smith-Waterman flavor to use. sw_variant: count &default = 0; }; type sw_align: record { - str: string; # string a substring is part of - index: count; # at which offset + str: string; ##< string a substring is part of + index: count; ##< at which offset }; type sw_align_vec: vector of sw_align; type sw_substring: record { - str: string; # a substring - aligns: sw_align_vec; # all strings of which it's a substring - new: bool; # true if start of new alignment + str: string; ##< a substring + aligns: sw_align_vec; ##< all strings of which it's a substring + new: bool; ##< true if start of new alignment }; type sw_substring_vec: vector of sw_substring; -# Policy-level handling of pcap packets. +## Policy-level handling of pcap packets. type pcap_packet: record { ts_sec: count; ts_usec: count; @@ -280,7 +283,7 @@ type pcap_packet: record { data: string; }; -# GeoIP support. +## GeoIP support. type geo_location: record { country_code: string &optional; region: string &optional; @@ -298,17 +301,17 @@ type entropy_test_result: record { }; # Prototypes of Bro built-in functions. -@load strings.bif.bro -@load bro.bif.bro -@load reporter.bif.bro +@load base/strings.bif +@load base/bro.bif +@load base/reporter.bif global log_file_name: function(tag: string): string &redef; global open_log_file: function(tag: string): file &redef; -# Where to store the persistent state. +## Where to store the persistent state. const state_dir = ".state" &redef; -# Length of the delays added when storing state incrementally. +## Length of the delays added when storing state incrementally. const state_write_delay = 0.01 secs &redef; global done_with_network = F; 
@@ -366,149 +369,158 @@ const TCP_ESTABLISHED = 4; const TCP_CLOSED = 5; const TCP_RESET = 6; -# If true, don't verify checksums. Useful for running on altered trace -# files, and for saving a few cycles, but of course dangerous, too ... -# Note that the -C command-line option overrides the setting of this -# variable. +## If true, don't verify checksums. Useful for running on altered trace +## files, and for saving a few cycles, but of course dangerous, too ... +## Note that the -C command-line option overrides the setting of this +## variable. const ignore_checksums = F &redef; -# If true, instantiate connection state when a partial connection -# (one missing its initial establishment negotiation) is seen. +## If true, instantiate connection state when a partial connection +## (one missing its initial establishment negotiation) is seen. const partial_connection_ok = T &redef; -# If true, instantiate connection state when a SYN ack is seen -# but not the initial SYN (even if partial_connection_ok is false). +## If true, instantiate connection state when a SYN ack is seen +## but not the initial SYN (even if partial_connection_ok is false). const tcp_SYN_ack_ok = T &redef; -# If a connection state is removed there may still be some undelivered -# data waiting in the reassembler. If true, pass this to the signature -# engine before flushing the state. +## If a connection state is removed there may still be some undelivered +## data waiting in the reassembler. If true, pass this to the signature +## engine before flushing the state. const tcp_match_undelivered = T &redef; -# Check up on the result of an initial SYN after this much time. +## Check up on the result of an initial SYN after this much time. const tcp_SYN_timeout = 5 secs &redef; -# After a connection has closed, wait this long for further activity -# before checking whether to time out its state. 
+## After a connection has closed, wait this long for further activity +## before checking whether to time out its state. const tcp_session_timer = 6 secs &redef; -# When checking a closed connection for further activity, consider it -# inactive if there hasn't been any for this long. Complain if the -# connection is reused before this much time has elapsed. +## When checking a closed connection for further activity, consider it +## inactive if there hasn't been any for this long. Complain if the +## connection is reused before this much time has elapsed. const tcp_connection_linger = 5 secs &redef; -# Wait this long upon seeing an initial SYN before timing out the -# connection attempt. +## Wait this long upon seeing an initial SYN before timing out the +## connection attempt. const tcp_attempt_delay = 5 secs &redef; -# Upon seeing a normal connection close, flush state after this much time. +## Upon seeing a normal connection close, flush state after this much time. const tcp_close_delay = 5 secs &redef; -# Upon seeing a RST, flush state after this much time. +## Upon seeing a RST, flush state after this much time. const tcp_reset_delay = 5 secs &redef; -# Generate a connection_partial_close event this much time after one half -# of a partial connection closes, assuming there has been no subsequent -# activity. +## Generate a :bro:id:`connection_partial_close` event this much time after one half +## of a partial connection closes, assuming there has been no subsequent +## activity. const tcp_partial_close_delay = 3 secs &redef; -# If a connection belongs to an application that we don't analyze, -# time it out after this interval. If 0 secs, then don't time it out. +## If a connection belongs to an application that we don't analyze, +## time it out after this interval. If 0 secs, then don't time it out. const non_analyzed_lifetime = 0 secs &redef; -# If a connection is inactive, time it out after this interval. -# If 0 secs, then don't time it out. 
+## If a connection is inactive, time it out after this interval. +## If 0 secs, then don't time it out. const tcp_inactivity_timeout = 5 min &redef; +## See :bro:id:`tcp_inactivity_timeout` const udp_inactivity_timeout = 1 min &redef; +## See :bro:id:`tcp_inactivity_timeout` const icmp_inactivity_timeout = 1 min &redef; -# This many FINs/RSTs in a row constitutes a "storm". +## This many FINs/RSTs in a row constitutes a "storm". const tcp_storm_thresh = 1000 &redef; -# The FINs/RSTs must come with this much time or less between them. +## The FINs/RSTs must come with this much time or less between them. const tcp_storm_interarrival_thresh = 1 sec &redef; -# Maximum amount of data that might plausibly be sent in an initial -# flight (prior to receiving any acks). Used to determine whether we -# must not be seeing our peer's acks. Set to zero to turn off this -# determination. +## Maximum amount of data that might plausibly be sent in an initial +## flight (prior to receiving any acks). Used to determine whether we +## must not be seeing our peer's acks. Set to zero to turn off this +## determination. const tcp_max_initial_window = 4096; -# If we're not seeing our peer's acks, the maximum volume of data above -# a sequence hole that we'll tolerate before assuming that there's -# been a packet drop and we should give up on tracking a connection. -# If set to zero, then we don't ever give up. +## If we're not seeing our peer's acks, the maximum volume of data above +## a sequence hole that we'll tolerate before assuming that there's +## been a packet drop and we should give up on tracking a connection. +## If set to zero, then we don't ever give up. const tcp_max_above_hole_without_any_acks = 4096; -# If we've seen this much data without any of it being acked, we give up -# on that connection to avoid memory exhaustion due to buffering all that -# stuff. If set to zero, then we don't ever give up. 
Ideally, Bro would -# track the current window on a connection and use it to infer that data -# has in fact gone too far, but for now we just make this quite beefy. +## If we've seen this much data without any of it being acked, we give up +## on that connection to avoid memory exhaustion due to buffering all that +## stuff. If set to zero, then we don't ever give up. Ideally, Bro would +## track the current window on a connection and use it to infer that data +## has in fact gone too far, but for now we just make this quite beefy. const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024; -# For services without a handler, these sets define which -# side of a connection is to be reassembled. +## For services without a handler, these sets define which +## side of a connection is to be reassembled. const tcp_reassembler_ports_orig: set[port] = {} &redef; +## See :bro:id:`tcp_reassembler_ports_orig` const tcp_reassembler_ports_resp: set[port] = {} &redef; -# These sets define destination ports for which the contents -# of the originator (responder, respectively) stream should -# be delivered via tcp_contents. +## These sets define destination ports for which the contents +## of the originator (responder, respectively) stream should +## be delivered via tcp_contents. const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef; +## See :bro:id:`tcp_content_delivery_ports_orig` const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef; # To have all TCP orig->resp/resp->orig traffic reported via tcp_contents, # redef these to T. const tcp_content_deliver_all_orig = F &redef; +## See :bro:id:`tcp_content_deliver_all_orig` const tcp_content_deliver_all_resp = F &redef; -# These sets define destination ports for which the contents -# of the originator (responder, respectively) stream should -# be delivered via udp_contents. 
+## These sets define destination ports for which the contents +## of the originator (responder, respectively) stream should +## be delivered via udp_contents. const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; +## See :bro:id:`udp_content_delivery_ports_orig` const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; -# To have all UDP orig->resp/resp->orig traffic reported via udp_contents, -# redef these to T. +## To have all UDP orig->resp/resp->orig traffic reported via udp_contents, +## redef these to T. const udp_content_deliver_all_orig = F &redef; +## See :bro:id:`udp_content_deliver_all_orig` const udp_content_deliver_all_resp = F &redef; -# Check for expired table entries after this amount of time +## Check for expired table entries after this amount of time const table_expire_interval = 10 secs &redef; -# When expiring/serializing, don't work on more than this many table -# entries at a time. +## When expiring/serializing, don't work on more than this many table +## entries at a time. const table_incremental_step = 5000 &redef; -# When expiring, wait this amount of time before checking the next chunk -# of entries. +## When expiring, wait this amount of time before checking the next chunk +## of entries. const table_expire_delay = 0.01 secs &redef; -# Time to wait before timing out a DNS/NTP/RPC request. +## Time to wait before timing out a DNS request. const dns_session_timeout = 10 sec &redef; +## Time to wait before timing out a NTP request. const ntp_session_timeout = 300 sec &redef; +## Time to wait before timing out a RPC request. const rpc_timeout = 24 sec &redef; -# Time window for reordering packets (to deal with timestamp -# discrepency between multiple packet sources). +## Time window for reordering packets (to deal with timestamp +## discrepency between multiple packet sources). const packet_sort_window = 0 usecs &redef; -# How long to hold onto fragments for possible reassembly. 
A value -# of 0.0 means "forever", which resists evasion, but can lead to -# state accrual. +## How long to hold onto fragments for possible reassembly. A value +## of 0.0 means "forever", which resists evasion, but can lead to +## state accrual. const frag_timeout = 0.0 sec &redef; -# If positive, indicates the encapsulation header size that should -# be skipped over for each captured packet .... +## If positive, indicates the encapsulation header size that should +## be skipped over for each captured packet .... const encap_hdr_size = 0 &redef; -# ... or just for the following UDP port. +## ... or just for the following UDP port. const tunnel_port = 0/udp &redef; -# Whether to use the ConnSize analyzer to count the number of -# packets and IP-level bytes transfered by each endpoint. If -# true, these values are returned in the connection's endpoint -# record val. +## Whether to use the ConnSize analyzer to count the number of +## packets and IP-level bytes transfered by each endpoint. If +## true, these values are returned in the connection's endpoint +## record val. const use_conn_size_analyzer = T &redef; const UDP_INACTIVE = 0; @@ -539,6 +551,7 @@ function append_addl_marker(c: connection, addl: string, marker: string) # Values for set_contents_file's "direction" argument. +# TODO: these should go into an enum to make them autodoc'able const CONTENTS_NONE = 0; # turn off recording of contents const CONTENTS_ORIG = 1; # record originator contents const CONTENTS_RESP = 2; # record responder contents 
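Review bot: The newly published docs for `tcp_max_initial_window`, `tcp_max_above_hole_without_any_acks` and `tcp_excessive_data_without_further_acks` tell the reader to "set to zero" to disable the check, but these three are the only constants in the hunk declared without `&redef`, so unless they are redefined somewhere not visible here a policy script cannot follow that advice; either add `&redef` (`const tcp_max_initial_window = 4096 &redef;`, same for the other two) or drop the "set to zero" sentences. For `ignore_checksums`, "of course dangerous" is vague for a reference page; the concrete hazard is that packets with bad checksums, which the receiving host will discard, are then fed to the analyzers, so a sender can insert data into Bro's view of a stream — suggest appending `## Note that with checksum verification off, bad-checksum packets that the end host drops are still analyzed, which enables stream-insertion evasion.` The `## See :bro:id:`...`` one-liners added for the `_resp`/`udp_`/`icmp_` twins lack a trailing period, unlike every other comment in the hunk.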
@@ -564,44 +577,44 @@ const IPPROTO_UDP = 17; # user datagram protocol const IPPROTO_RAW = 255; # raw IP packet type ip_hdr: record { - hl: count; # header length (in bytes) - tos: count; # type of service - len: count; # total length - id: count; # identification - ttl: count; # time to live - p: count; # protocol - src: addr; # source address - dst: addr; # dest address + hl: count; ##< header length (in bytes) + tos: count; ##< type of service + len: count; ##< total length + id: count; ##< identification + ttl: count; ##< time to live + p: count; ##< protocol + src: addr; ##< source address + dst: addr; ##< dest address }; -# TCP flags. +## TCP flags. const TH_FIN = 1; const TH_SYN = 2; const TH_RST = 4; const TH_PUSH = 8; const TH_ACK = 16; const TH_URG = 32; -const TH_FLAGS = 63; # (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) +const TH_FLAGS = 63; ##< (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) type tcp_hdr: record { - sport: port; # source port - dport: port; # destination port - seq: count; # sequence number - ack: count; # acknowledgement number - hl: count; # header length (in bytes) - dl: count; # data length (xxx: not in original tcphdr!) - flags: count; # flags - win: count; # window + sport: port; ##< source port + dport: port; ##< destination port + seq: count; ##< sequence number + ack: count; ##< acknowledgement number + hl: count; ##< header length (in bytes) + dl: count; ##< data length (xxx: not in original tcphdr!) + flags: count; ##< flags + win: count; ##< window }; type udp_hdr: record { - sport: port; # source port - dport: port; # destination port - ulen: count; # udp length + sport: port; ##< source port + dport: port; ##< destination port + ulen: count; ##< udp length }; -# Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr. +## Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr. type pkt_hdr: record { ip: ip_hdr; tcp: tcp_hdr &optional; 
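Review bot: The promoted trailer `const TH_FLAGS = 63; ##< (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG)` does not match the value: FIN|SYN|RST|ACK|URG is 1|2|4|16|32 = 55, whereas 63 also includes `TH_PUSH` (8). Since this line now becomes reference documentation, fix it to `const TH_FLAGS = 63; ##< (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)`. Separately, `## TCP flags.` directly precedes `const TH_FIN = 1;` and will be rendered as the description of `TH_FIN` alone; giving each `TH_*` constant its own `##<` trailer (e.g. `const TH_FIN = 1; ##< FIN flag bit`) would document all six.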
@@ -610,13 +623,13 @@ type pkt_hdr: record { }; -# If you add elements here, then for a given BPF filter as index, when -# a packet matching that filter is captured, the corresponding event handler -# will be invoked. +## If you add elements here, then for a given BPF filter as index, when +## a packet matching that filter is captured, the corresponding event handler +## will be invoked. global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr) &redef; -global discarder_maxlen = 128 &redef; # maximum amount of data passed to fnc +global discarder_maxlen = 128 &redef; ##< maximum amount of data passed to fnc global discarder_check_ip: function(i: ip_hdr): bool; global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool; 
@@ -626,17 +639,18 @@ global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool; const watchdog_interval = 10 sec &redef; -# The maximum number of timers to expire after processing each new -# packet. The value trades off spreading out the timer expiration load -# with possibly having to hold state longer. A value of 0 means -# "process all expired timers with each new packet". +## The maximum number of timers to expire after processing each new +## packet. The value trades off spreading out the timer expiration load +## with possibly having to hold state longer. A value of 0 means +## "process all expired timers with each new packet". const max_timer_expires = 300 &redef; -# With a similar trade-off, this gives the number of remote events -# to process in a batch before interleaving other activity. +## With a similar trade-off, this gives the number of remote events +## to process in a batch before interleaving other activity. const max_remote_events_processed = 10 &redef; # These need to match the definitions in Login.h. +# TODO: use enum to make them autodoc'able const LOGIN_STATE_AUTHENTICATE = 0; # trying to authenticate const LOGIN_STATE_LOGGED_IN = 1; # successful authentication const LOGIN_STATE_SKIP = 2; # skip any further processing 
@@ -714,37 +728,42 @@ const RPC_status = { module NFS3; export { - # Should the read and write events return the file data that has been - # read/written? + ## Should the read and write events return the file data that has been + ## read/written? const return_data = F &redef; - # If nfs_return_data is true, how much data should be returned at most. + ## If bro:id:`nfs_return_data` is true, how much data should be returned at most. const return_data_max = 512 &redef; - # If nfs_return_data is true, whether to *only* return data if the read or write - # offset is 0, i.e., only return data for the beginning of the file. + ## If nfs_return_data is true, whether to *only* return data if the read or write + ## offset is 0, i.e., only return data for the beginning of the file. const return_data_first_only = T &redef; - # This record summarizes the general results and status of NFSv3 request/reply - # pairs. It's part of every NFSv3 event. + ## This record summarizes the general results and status of NFSv3 request/reply + ## pairs. It's part of every NFSv3 event. type info_t: record { - rpc_stat: rpc_status; # If this indicates not successful, the reply record in the - # events will be empty and contain uninitialized fields, so - # don't use it. + ## If this indicates not successful, the reply record in the + ## events will be empty and contain uninitialized fields, so + ## don't use it. + rpc_stat: rpc_status; nfs_stat: status_t; - # The start time, duration, and length in bytes of the request (call). Note that - # the start and end time might not be accurate. For TCP, we record the - # time when a chunk of data is delivered to the analyzer. Depending on the - # Reassembler, this might be well after the first packet of the request - # was received. + ## The start time, duration, and length in bytes of the request (call). Note that + ## the start and end time might not be accurate. For TCP, we record the + ## time when a chunk of data is delivered to the analyzer. 
Depending on the + ## Reassembler, this might be well after the first packet of the request + ## was received. req_start: time; + ## See :bro:id:`req_start` req_dur: interval; + ## See :bro:id:`req_start` req_len: count; - # Same for the reply. + ## Like :bro:id:`req_start` but for reply. rep_start: time; + ## Like :bro:id:`req_dur` but for reply. rep_dur: interval; + ## Like :bro:id:`req_len` but for reply. rep_len: count; }; 
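Review bot: The new cross-reference `## If bro:id:`nfs_return_data` is true, how much data should be returned at most.` is malformed and names the wrong identifier: the role is missing its leading colon, and the constant declared three lines up inside `module NFS3` is `return_data`, not `nfs_return_data`. Use `## If :bro:id:`NFS3::return_data` is true, how much data should be returned at most.` and make the same substitution in the `return_data_first_only` comment, which still reads `nfs_return_data`. The `## See :bro:id:`req_start`` lines point the id role at a record field rather than a global; verify that this resolves to an `info_t` field in the generated output, or spell it out (`##< Duration of the request; accuracy caveats as for req_start.`). `nfs_stat: status_t;` is the one `info_t` field left without a doc comment.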
@@ -767,49 +786,49 @@ export { }; type diropargs_t : record { - dirfh: string; # the file handle of the directory - fname: string; # the name of the file we are interested in + dirfh: string; ##< the file handle of the directory + fname: string; ##< the name of the file we are interested in }; # Note, we don't need a "post_op_attr" type. We use an "fattr_t &optional" # instead. + ## If the lookup failed, dir_attr may be set. + ## If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set. type lookup_reply_t: record { - # If the lookup failed, dir_attr may be set. - # If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set. - fh: string &optional; # file handle of object looked up - obj_attr: fattr_t &optional; # optional attributes associated w/ file - dir_attr: fattr_t &optional; # optional attributes associated w/ dir. + fh: string &optional; ##< file handle of object looked up + obj_attr: fattr_t &optional; ##< optional attributes associated w/ file + dir_attr: fattr_t &optional; ##< optional attributes associated w/ dir. }; type readargs_t: record { - fh: string; # file handle to read from - offset: count; # offset in file - size: count; # number of bytes to read + fh: string; ##< file handle to read from + offset: count; ##< offset in file + size: count; ##< number of bytes to read }; + ## If the lookup fails, attr may be set. If the lookup succeeds, attr may be set + ## and all other fields are set. type read_reply_t: record { - # If the lookup fails, attr may be set. If the lookup succeeds, attr may be set - # and all other fields are set. - attr: fattr_t &optional; # attributes - size: count &optional; # number of bytes read - eof: bool &optional; # did the read end at EOF - data: string &optional; # the actual data; not yet implemented. 
+ attr: fattr_t &optional; ##< attributes + size: count &optional; ##< number of bytes read + eof: bool &optional; ##< did the read end at EOF + data: string &optional; ##< the actual data; not yet implemented. }; + ## If the request fails, attr may be set. If the request succeeds, attr may be + ## set and all other fields are set. type readlink_reply_t: record { - # If the request fails, attr may be set. If the request succeeds, attr may be - # set and all other fields are set. - attr: fattr_t &optional; # attributes - nfspath: string &optional; # the contents of the symlink; in general a pathname as text + attr: fattr_t &optional; ##< attributes + nfspath: string &optional; ##< the contents of the symlink; in general a pathname as text }; type writeargs_t: record { - fh: string; # file handle to write to - offset: count; # offset in file - size: count; # number of bytes to write - stable: stable_how_t; # how and when data is commited - data: string &optional; # the actual data; not implemented yet + fh: string; ##< file handle to write to + offset: count; ##< offset in file + size: count; ##< number of bytes to write + stable: stable_how_t; ##< how and when data is commited + data: string &optional; ##< the actual data; not implemented yet }; type wcc_attr_t: record { 
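Review bot: The paragraph moved above `type read_reply_t` still says `If the lookup fails, attr may be set. If the lookup succeeds, ...`, but this record is the reply to a read, not a lookup; now that it is the record's published description, reword it to `## If the read fails, attr may be set. If the read succeeds, attr may be set and all other fields are set.` The `##<` trailers on `data` in `read_reply_t` (`not yet implemented`) and `writeargs_t` (`not implemented yet`) appear to contradict the `NFS3::return_data` option documented earlier in this file, which says read and write events can return the data; confirm which statement is current and drop the stale one. Also `##< how and when data is commited` should read `committed`.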
@@ -818,65 +837,65 @@ export { mtime: time; }; + ## If the request fails, pre|post attr may be set. If the request succeeds, + ## pre|post attr may be set and all other fields are set. type write_reply_t: record { - # If the request fails, pre|post attr may be set. If the request succeeds, - # pre|post attr may be set and all other fields are set. - preattr: wcc_attr_t &optional; # pre operation attributes - postattr: fattr_t &optional; # post operation attributes + preattr: wcc_attr_t &optional; ##< pre operation attributes + postattr: fattr_t &optional; ##< post operation attributes size: count &optional; commited: stable_how_t &optional; - verf: count &optional; # write verifier cookue + verf: count &optional; ##< write verifier cookue }; - # reply for create, mkdir, symlink + ## reply for create, mkdir, symlink + ## If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and + ## the attr's may be set. Note: no guarantee that fh is set after + ## success. type newobj_reply_t: record { - # If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and - # the attr's may be set. Note: no guarantee that fh is set after - # success. - fh: string &optional; # file handle of object created - obj_attr: fattr_t &optional; # optional attributes associated w/ new object - dir_pre_attr: wcc_attr_t &optional; # optional attributes associated w/ dir - dir_post_attr: fattr_t &optional; # optional attributes associated w/ dir + fh: string &optional; ##< file handle of object created + obj_attr: fattr_t &optional; ##< optional attributes associated w/ new object + dir_pre_attr: wcc_attr_t &optional; ##< optional attributes associated w/ dir + dir_post_attr: fattr_t &optional; ##< optional attributes associated w/ dir }; - # reply for remove, rmdir - # Corresponds to "wcc_data" in the spec. + ## reply for remove, rmdir + ## Corresponds to "wcc_data" in the spec. 
type delobj_reply_t: record { - dir_pre_attr: wcc_attr_t &optional; # optional attributes associated w/ dir - dir_post_attr: fattr_t &optional; # optional attributes associated w/ dir + dir_pre_attr: wcc_attr_t &optional; ##< optional attributes associated w/ dir + dir_post_attr: fattr_t &optional; ##< optional attributes associated w/ dir }; - # This record is used for both readdir and readdirplus. + ## This record is used for both readdir and readdirplus. type readdirargs_t: record { - isplus: bool; # is this a readdirplus request? - dirfh: string; # the directory filehandle - cookie: count; # cookie / pos in dir; 0 for first call - cookieverf: count; # the cookie verifier - dircount: count; # "count" field for readdir; maxcount otherwise (in bytes) - maxcount: count &optional; # only used for readdirplus. in bytes + isplus: bool; ##< is this a readdirplus request? + dirfh: string; ##< the directory filehandle + cookie: count; ##< cookie / pos in dir; 0 for first call + cookieverf: count; ##< the cookie verifier + dircount: count; ##< "count" field for readdir; maxcount otherwise (in bytes) + maxcount: count &optional; ##< only used for readdirplus. in bytes }; + ## fh and attr are used for readdirplus. However, even for readdirplus they may + ## not be filled out. type direntry_t: record { - # fh and attr are used for readdirplus. However, even for readdirplus they may - # not be filled out. - fileid: count; # e.g., inode number - fname: string; # filename + fileid: count; ##< e.g., inode number + fname: string; ##< filename cookie: count; - attr: fattr_t &optional; # readdirplus: the FH attributes for the entry - fh: string &optional; # readdirplus: the FH for the entry + attr: fattr_t &optional; ##< readdirplus: the FH attributes for the entry + fh: string &optional; ##< readdirplus: the FH for the entry }; type direntry_vec_t: vector of direntry_t; - # Used for readdir and readdirplus. + ## Used for readdir and readdirplus. 
+ ## If error: dir_attr might be set. If success: dir_attr may be set, all others + ## must be set. type readdir_reply_t: record { - # If error: dir_attr might be set. If success: dir_attr may be set, all others - # must be set. - isplus: bool; # is the reply for a readdirplus request + isplus: bool; ##< is the reply for a readdirplus request dir_attr: fattr_t &optional; cookieverf: count &optional; entries: direntry_vec_t &optional; - eof: bool; # if true, no more entries in dir. + eof: bool; ##< if true, no more entries in dir. }; type fsstat_t: record { @@ -908,7 +927,7 @@ type ntp_msg: record { }; -# Maps Samba command numbers to descriptive names. +## Maps Samba command numbers to descriptive names. global samba_cmds: table[count] of string &redef &default = function(c: count): string { return fmt("samba-unknown-%d", c); }; @@ -959,16 +978,16 @@ type smb_tree_connect : record { type smb_negotiate : table[count] of string; -# A list of router addresses offered by the server. +## A list of router addresses offered by the server. type dhcp_router_list: table[count] of addr; type dhcp_msg: record { - op: count; # message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY - m_type: count; # the type of DHCP message - xid: count; # transaction ID of a DHCP session - h_addr: string; # hardware address of the client - ciaddr: addr; # original IP address of the client - yiaddr: addr; # IP address assigned to the client + op: count; ##< message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY + m_type: count; ##< the type of DHCP message + xid: count; ##< transaction ID of a DHCP session + h_addr: string; ##< hardware address of the client + ciaddr: addr; ##< original IP address of the client + yiaddr: addr; ##< IP address assigned to the client }; type dns_msg: record { 
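Review bot: In the `newobj_reply_t` header, `## reply for create, mkdir, symlink` is immediately followed by `## If the proc failed, ...` with neither a period nor a blank `##` line, so reST folds them into one run-on paragraph ("...symlink If the proc failed..."); the same happens for `## reply for remove, rmdir` followed by `## Corresponds to "wcc_data" in the spec.` on `delobj_reply_t`. Insert an empty `##` line between the summary and the detail, or end each summary with a period. Also `verf: count &optional; ##< write verifier cookue` should read `cookie`.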
@@ -991,13 +1010,13 @@ type dns_msg: record { }; type dns_soa: record { - mname: string; # primary source of data for zone - rname: string; # mailbox for responsible person - serial: count; # version number of zone - refresh: interval; # seconds before refreshing - retry: interval; # how long before retrying failed refresh - expire: interval; # when zone no longer authoritative - minimum: interval; # minimum TTL to use when exporting + mname: string; ##< primary source of data for zone + rname: string; ##< mailbox for responsible person + serial: count; ##< version number of zone + refresh: interval; ##< seconds before refreshing + retry: interval; ##< how long before retrying failed refresh + expire: interval; ##< when zone no longer authoritative + minimum: interval; ##< minimum TTL to use when exporting }; type dns_edns_additional: record { @@ -1026,6 +1045,7 @@ type dns_tsig_additional: record { # Different values for "answer_type" in the following. DNS_QUERY # shouldn't occur, it's just for completeness. +# TODO: use enums to help autodoc const DNS_QUERY = 0; const DNS_ANS = 1; const DNS_AUTH = 2; 
@@ -1039,22 +1059,25 @@ type dns_answer: record { TTL: interval; }; -# For servers in these sets, omit processing the AUTH or ADDL records -# they include in their replies. +## For servers in these sets, omit processing the AUTH records +## they include in their replies. global dns_skip_auth: set[addr] &redef; +## For servers in these sets, omit processing the ADDL records +## they include in their replies. global dns_skip_addl: set[addr] &redef; -# If the following are true, then all AUTH or ADDL records are skipped. +## If the following are true, then all AUTH records are skipped. global dns_skip_all_auth = T &redef; +## If the following are true, then all ADDL records are skipped. global dns_skip_all_addl = T &redef; -# If a DNS request includes more than this many queries, assume it's -# non-DNS traffic and do not process it. Set to 0 to turn off this -# functionality. +## If a DNS request includes more than this many queries, assume it's +## non-DNS traffic and do not process it. Set to 0 to turn off this +## functionality. global dns_max_queries = 5; -# The maxiumum size in bytes for an SSL cipherspec. If we see a packet that -# has bigger cipherspecs, we won't do a comparisons of cipherspecs. +## The maxiumum size in bytes for an SSL cipherspec. If we see a packet that +## has bigger cipherspecs, we won't do a comparisons of cipherspecs. const ssl_max_cipherspec_size = 68 &redef; type X509_extensions: table[count] of string; @@ -1068,7 +1091,7 @@ type X509: record { not_valid_after: time; }; -# This is indexed with the CA's name and yields a DER (binary) encoded certificate. +## This is indexed with the CA's name and yields a DER (binary) encoded certificate. const root_ca_certs: table[string] of string = {} &redef; type http_stats_rec: record { 
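Review bot: After the shared comment was split per variable, `## If the following are true, then all AUTH records are skipped.` now documents a single global, so the plural phrasing no longer fits; use `## If true, all AUTH records are skipped.` and likewise `## If true, all ADDL records are skipped.` for `dns_skip_all_addl`. Both default to `T`, which is worth stating explicitly in the published text, since a script author reading only the rendered page might otherwise expect AUTH/ADDL sections to be available by default — the exact engine-side effect of skipping is not visible here, so phrase it as "defaults to T". Also `## The maxiumum size in bytes ... we won't do a comparisons of cipherspecs.` should read `maximum` and `a comparison`.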
@@ -1079,25 +1102,28 @@ type http_stats_rec: record { }; type http_message_stat: record { - start: time; # when the request/reply line was complete - interrupted: bool; # whether the message is interrupted - finish_msg: string; # reason phrase if interrupted - body_length: count; # length of body processed - # (before finished/interrupted) - content_gap_length: count; # total len of gaps within body_length - header_length: count; # length of headers - # (including the req/reply line, - # but not CR/LF's) + ## when the request/reply line was complete + start: time; + ## whether the message is interrupted + interrupted: bool; + ## reason phrase if interrupted + finish_msg: string; + ## length of body processed (before finished/interrupted) + body_length: count; + ## total len of gaps within body_length + content_gap_length: count; + ## length of headers (including the req/reply line, but not CR/LF's) + header_length: count; }; global http_entity_data_delivery_size = 1500 &redef; -# Truncate URIs longer than this to prevent over-long URIs (usually sent -# by worms) from slowing down event processing. A value of -1 means "do -# not truncate". +## Truncate URIs longer than this to prevent over-long URIs (usually sent +## by worms) from slowing down event processing. A value of -1 means "do +## not truncate". const truncate_http_URI = -1 &redef; -# IRC-related globals to which the event engine is sensitive. +## IRC-related globals to which the event engine is sensitive. type irc_join_info: record { nick: string; channel: string; 
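Review bot: `## IRC-related globals to which the event engine is sensitive.` was a section header, but as a `##` comment it is now rendered as the description of `type irc_join_info` only, which it does not describe; either keep it as a plain `#` section comment or replace it with a per-declaration comment such as `## Nick and channel of an IRC join.` The `http_message_stat` reshuffle reads well, though `global http_entity_data_delivery_size = 1500 &redef;` is left as the only undocumented declaration in the hunk.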
@@ -1107,11 +1133,11 @@ type irc_join_info: record { type irc_join_list: set[irc_join_info]; global irc_servers : set[addr] &redef; -# Stepping-stone globals. +## Stepping-stone globals. const stp_delta: interval &redef; const stp_idle_min: interval &redef; -# Don't do analysis on these sources. Used to avoid overload from scanners. +## Don't do analysis on these sources. Used to avoid overload from scanners. global stp_skip_src: set[addr] &redef; const interconn_min_interarrival: interval &redef; @@ -1149,10 +1175,10 @@ type backdoor_endp_stats: record { }; type signature_state: record { - sig_id: string; # ID of the signature - conn: connection; # Current connection - is_orig: bool; # True if current endpoint is originator - payload_size: count; # Payload size of the first pkt of curr. endpoint + sig_id: string; ##< ID of the signature + conn: connection; ##< Current connection + is_orig: bool; ##< True if current endpoint is originator + payload_size: count; ##< Payload size of the first pkt of curr. endpoint }; 
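Review bot: `## Stepping-stone globals.` now attaches only to `const stp_delta: interval &redef;` and says nothing about that constant, leaving `stp_idle_min` undocumented; either revert it to a `#` section comment or document the two declarations individually (`stp_delta` and `stp_idle_min` each with a `##` line). The same applies to `global irc_servers : set[addr] &redef;`, which remains without any doc comment.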
@@ -1195,21 +1221,21 @@ type load_sample_info: set[string]; # NetFlow-related data structures. -# The following provides a mean to sort together flow headers and flow -# records at the script level. rcvr_id equals the name of the file -# (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555), -# or an explicit name if specified to -y or -Y; pdu_id is just a serial -# number, ignoring any overflows. +## The following provides a mean to sort together NetFlow headers and flow +## records at the script level. rcvr_id equals the name of the file +## (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555), +## or an explicit name if specified to -y or -Y; pdu_id is just a serial +## number, ignoring any overflows. type nfheader_id: record { rcvr_id: string; pdu_id: count; }; type nf_v5_header: record { - h_id: nfheader_id; # ID for sorting, per the above + h_id: nfheader_id; ##< ID for sorting, per the above cnt: count; - sysuptime: interval; # router's uptime - exporttime: time; # when the data was exported + sysuptime: interval; ##< router's uptime + exporttime: time; ##< when the data was exported flow_seq: count; eng_type: count; eng_id: count; @@ -1227,7 +1253,7 @@ type nf_v5_record: record { octets: count; first: time; last: time; - tcpflag_fin: bool; # Taken from tcpflags in NF V5; or directly. + tcpflag_fin: bool; ##< Taken from tcpflags in NF V5; or directly. tcpflag_syn: bool; tcpflag_rst: bool; tcpflag_psh: bool; 
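Review bot: The promoted `nfheader_id` paragraph contains a grammatical slip, `## The following provides a mean to sort together NetFlow headers and flow` — should be `a means to sort`. It also references the `-y` / `-Y` command-line options by flag only; since the page will be read apart from the binary's usage text, a short gloss such as `(the NetFlow file / socket options)` would help, hedged here because the option semantics are not visible in the hunk. `cnt`, `flow_seq`, `eng_type` and `eng_id` in `nf_v5_header` remain without `##<` trailers.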
@@ -1242,17 +1268,17 @@ type nf_v5_record: record { }; -# The peer record and the corresponding set type used by the -# BitTorrent analyzer. +## The peer record and the corresponding set type used by the +## BitTorrent analyzer. type bittorrent_peer: record { h: addr; p: port; }; type bittorrent_peer_set: set[bittorrent_peer]; -# The benc value record and the corresponding table type used by the -# BitTorrenttracker analyzer. Note that "benc" = Bencode ("Bee-Encode"), -# per http://en.wikipedia.org/wiki/Bencode. +## The benc value record and the corresponding table type used by the +## BitTorrenttracker analyzer. Note that "benc" = Bencode ("Bee-Encode"), +## per http://en.wikipedia.org/wiki/Bencode. type bittorrent_benc_value: record { i: int &optional; s: string &optional; 
@@ -1261,47 +1287,47 @@ type bittorrent_benc_value: record { }; type bittorrent_benc_dir: table[string] of bittorrent_benc_value; -# The header table type used by the bittorrenttracker analyzer. +## The header table type used by the bittorrenttracker analyzer. type bt_tracker_headers: table[string] of string; -@load event.bif.bro +@load base/event.bif # The filter the user has set via the -f command line options, or # empty if none. const cmd_line_bpf_filter = "" &redef; -# Rotate logs every x interval. +## Rotate logs every x interval. const log_rotate_interval = 0 sec &redef; -# If set, rotate logs at given time + i * log_rotate_interval. -# (string is time in 24h format, e.g., "18:00"). +## If set, rotate logs at given time + i * log_rotate_interval. +## (string is time in 24h format, e.g., "18:00"). const log_rotate_base_time = "0:00" &redef; -# Rotate logs when they reach this size (in bytes). Note, the -# parameter is a double rather than a count to enable easy expression -# of large values such as 1e7 or exceeding 2^32. +## Rotate logs when they reach this size (in bytes). Note, the +## parameter is a double rather than a count to enable easy expression +## of large values such as 1e7 or exceeding 2^32. const log_max_size = 0.0 &redef; -# Default public key for encrypting log files. +## Default public key for encrypting log files. const log_encryption_key = "" &redef; -# Write profiling info into this file. +## Write profiling info into this file. global profiling_file: file &redef; -# Update interval for profiling (0 disables). +## Update interval for profiling (0 disables). const profiling_interval = 0 secs &redef; -# Multiples of profiling_interval at which (expensive) memory -# profiling is done (0 disables). +## Multiples of profiling_interval at which (expensive) memory +## profiling is done (0 disables). const expensive_profiling_multiple = 0 &redef; -# If true, then write segment profiling information (very high volume!) -# in addition to statistics. 
+## If true, then write segment profiling information (very high volume!) +## in addition to statistics. const segment_profiling = F &redef; -# Output packet profiling information every secs (mode 1), -# every packets (mode 2), or every bytes (mode 3). -# Mode 0 disables. +## Output packet profiling information every secs (mode 1), +## every packets (mode 2), or every bytes (mode 3). +## Mode 0 disables. type pkt_profile_modes: enum { PKT_PROFILE_MODE_NONE, PKT_PROFILE_MODE_SECS, 
@@ -1310,74 +1336,76 @@ type pkt_profile_modes: enum { }; const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef; -# Frequency associated with packet profiling. +## Frequency associated with packet profiling. const pkt_profile_freq = 0.0 &redef; -# File where packet profiles are logged. +## File where packet profiles are logged. global pkt_profile_file: file &redef; -# Rate at which to generate load_sample events, *if* you've also -# defined a load_sample handler. Units are inverse number of packets; -# e.g., a value of 20 means "roughly one in every 20 packets". +## Rate at which to generate load_sample events, *if* you've also +## defined a load_sample handler. Units are inverse number of packets; +## e.g., a value of 20 means "roughly one in every 20 packets". global load_sample_freq = 20 &redef; -# Rate at which to generate gap_report events assessing to what -# degree the measurement process appears to exhibit loss. +## Rate at which to generate gap_report events assessing to what +## degree the measurement process appears to exhibit loss. const gap_report_freq = 1.0 sec &redef; -# Whether we want content_gap and drop reports for partial connections -# (a connection is partial if it is missing a full handshake). Note that -# gap reports for partial connections might not be reliable. +## Whether we want content_gap and drop reports for partial connections +## (a connection is partial if it is missing a full handshake). Note that +## gap reports for partial connections might not be reliable. const report_gaps_for_partial = F &redef; -# Globals associated with entire-run statistics on gaps (useful -# for final summaries). +## Globals associated with entire-run statistics on gaps (useful +## for final summaries). -# The CA certificate file to authorize remote Bros. +## The CA certificate file to authorize remote Bros. const ssl_ca_certificate = "" &redef; -# File containing our private key and our certificate. 
+## File containing our private key and our certificate. const ssl_private_key = "" &redef; -# The passphrase for our private key. Keeping this undefined -# causes Bro to prompt for the passphrase. +## The passphrase for our private key. Keeping this undefined +## causes Bro to prompt for the passphrase. const ssl_passphrase = "" &redef; -# Whether the Bro-level packet filter drops packets per default or not. +## Whether the Bro-level packet filter drops packets per default or not. const packet_filter_default = F &redef; -# Maximum size of regular expression groups for signature matching. +## Maximum size of regular expression groups for signature matching. const sig_max_group_size = 50 &redef; -# If true, send logger messages to syslog. +## If true, send logger messages to syslog. const enable_syslog = F &redef; -# This is transmitted to peers receiving our events. +## This is transmitted to peers receiving our events. const peer_description = "bro" &redef; -# If true, broadcast events/state received from one peer to other peers. -# NOTE: These options are only temporary. They will disappear when we get a -# more sophisticated script-level communication framework. +## If true, broadcast events/state received from one peer to other peers. +## NOTE: These options are only temporary. They will disappear when we get a +## more sophisticated script-level communication framework. const forward_remote_events = F &redef; +## See :bro:id:`forward_remote_events` const forward_remote_state_changes = F &redef; const PEER_ID_NONE = 0; -# Whether to use the connection tracker. +## Whether to use the connection tracker. const use_connection_compressor = T &redef; -# Whether compressor should handle refused connections itself. +## Whether compressor should handle refused connections itself. const cc_handle_resets = F &redef; -# Whether compressor should only take care of initial SYNs. -# (By default on, this is basically "connection compressor lite".) 
+## Whether compressor should only take care of initial SYNs. +## (By default on, this is basically "connection compressor lite".) const cc_handle_only_syns = T &redef; -# Whether compressor instantiates full state when originator sends a -# non-control packet. +## Whether compressor instantiates full state when originator sends a +## non-control packet. const cc_instantiate_on_data = F &redef; # Signature payload pattern types +# TODO: use enum to help autodoc const SIG_PATTERN_PAYLOAD = 0; const SIG_PATTERN_HTTP = 1; const SIG_PATTERN_FTP = 2; @@ -1385,24 +1413,26 @@ const SIG_PATTERN_FINGER = 3; # Log-levels for remote_log. # Eventually we should create a general logging framework and merge these in. +# TODO: use enum to help autodoc const REMOTE_LOG_INFO = 1; const REMOTE_LOG_ERROR = 2; # Sources for remote_log. +# TODO: use enum to help autodoc const REMOTE_SRC_CHILD = 1; const REMOTE_SRC_PARENT = 2; const REMOTE_SRC_SCRIPT = 3; -# Synchronize trace processing at a regular basis in pseudo-realtime mode. +## Synchronize trace processing at a regular basis in pseudo-realtime mode. const remote_trace_sync_interval = 0 secs &redef; -# Number of peers across which to synchronize trace processing. +## Number of peers across which to synchronize trace processing. const remote_trace_sync_peers = 0 &redef; -# Whether for &synchronized state to send the old value as a consistency check. +## Whether for &synchronized state to send the old value as a consistency check. const remote_check_sync_consistency = F &redef; -# Prepend the peer description, if set. +## Prepend the peer description, if set. function prefixed_id(id: count): string { if ( peer_description == "" ) 
@@ -1411,8 +1441,8 @@ function prefixed_id(id: count): string return cat(peer_description, "-", id); } -# Analyzer tags. The core automatically defines constants -# ANALYZER_*, e.g., ANALYZER_HTTP. +## Analyzer tags. The core automatically defines constants +## ANALYZER_*, e.g., ANALYZER_HTTP. type AnalyzerTag: count; # DPD configuration. 
@@ -1423,66 +1453,66 @@ type dpd_protocol_config: record { const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef; -# Reassemble the beginning of all TCP connections before doing -# signature-matching for protocol detection. +## Reassemble the beginning of all TCP connections before doing +## signature-matching for protocol detection. const dpd_reassemble_first_packets = T &redef; -# Size of per-connection buffer in bytes. If the buffer is full, data is -# deleted and lost to analyzers that are activated afterwards. +## Size of per-connection buffer in bytes. If the buffer is full, data is +## deleted and lost to analyzers that are activated afterwards. const dpd_buffer_size = 1024 &redef; -# If true, stops signature matching if dpd_buffer_size has been reached. +## If true, stops signature matching if dpd_buffer_size has been reached. const dpd_match_only_beginning = T &redef; -# If true, don't consider any ports for deciding which analyzer to use. +## If true, don't consider any ports for deciding which analyzer to use. const dpd_ignore_ports = F &redef; -# Ports which the core considers being likely used by servers. +## Ports which the core considers being likely used by servers. const likely_server_ports: set[port] &redef; -# Set of all ports for which we know an analyzer. +## Set of all ports for which we know an analyzer. global dpd_analyzer_ports: table[port] of set[AnalyzerTag]; -# Per-incident timer managers are drained after this amount of inactivity. +## Per-incident timer managers are drained after this amount of inactivity. const timer_mgr_inactivity_timeout = 1 min &redef; -# If true, output profiling for time-machine queries. +## If true, output profiling for time-machine queries. const time_machine_profiling = F &redef; -# If true, warns about unused event handlers at startup. +## If true, warns about unused event handlers at startup. 
const check_for_unused_event_handlers = F &redef; -# If true, dumps all invoked event handlers at startup. +## If true, dumps all invoked event handlers at startup. const dump_used_event_handlers = F &redef; -# If true, we suppress prints to local files if we have a receiver for -# print_hook events. Ignored for files with a &disable_print_hook attribute. +## If true, we suppress prints to local files if we have a receiver for +## print_hook events. Ignored for files with a &disable_print_hook attribute. const suppress_local_output = F &redef; -# Holds the filename of the trace file given with -w (empty if none). +## Holds the filename of the trace file given with -w (empty if none). const trace_output_file = ""; -# If a trace file is given, dump *all* packets seen by Bro into it. -# By default, Bro applies (very few) heuristics to reduce the volume. -# A side effect of setting this to true is that we can write the -# packets out before we actually process them, which can be helpful -# for debugging in case the analysis triggers a crash. +## If a trace file is given, dump *all* packets seen by Bro into it. +## By default, Bro applies (very few) heuristics to reduce the volume. +## A side effect of setting this to true is that we can write the +## packets out before we actually process them, which can be helpful +## for debugging in case the analysis triggers a crash. const record_all_packets = F &redef; -# Some connections (e.g., SSH) retransmit the acknowledged last -# byte to keep the connection alive. If ignore_keep_alive_rexmit -# is set to T, such retransmissions will be excluded in the rexmit -# counter in conn_stats. +## Some connections (e.g., SSH) retransmit the acknowledged last +## byte to keep the connection alive. If ignore_keep_alive_rexmit +## is set to T, such retransmissions will be excluded in the rexmit +## counter in conn_stats. 
const ignore_keep_alive_rexmit = F &redef; -# Skip HTTP data portions for performance considerations (the skipped -# portion will not go through TCP reassembly). +## Skip HTTP data portions for performance considerations (the skipped +## portion will not go through TCP reassembly). const skip_http_data = F &redef; -# Whether the analysis engine parses IP packets encapsulated in -# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro. +## Whether the analysis engine parses IP packets encapsulated in +## UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro. const parse_udp_tunnels = F &redef; -# Load the logging framework here because it uses fairly deep integration with -# BiFs and script-land defined types. +## Load the logging framework here because it uses fairly deep integration with +## BiFs and script-land defined types. @load base/frameworks/logging diff --git a/scripts/base/protocols/conn/contents.bro b/scripts/base/protocols/conn/contents.bro index 21945beed5..feabb1303c 100644 --- a/scripts/base/protocols/conn/contents.bro +++ b/scripts/base/protocols/conn/contents.bro @@ -8,6 +8,8 @@ ##! This script does not work well in a cluster context unless it has a ##! remotely mounted disk to write the content files to. +@load base/utils/files + module Conn; export { diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 69c4cde64b..82d5511436 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -1,3 +1,4 @@ +@load base/utils/site module Conn; 
@@ -12,7 +13,11 @@ export { proto: transport_proto &log; service: string &log &optional; duration: interval &log &optional; + ## The number of payload bytes the originator sent. For TCP + ## this is taken from sequence numbers and might be inaccurate + ## (e.g., due to large connections) orig_bytes: count &log &optional; + ## The number of payload bytes the responder sent. See ``orig_bytes``. resp_bytes: count &log &optional; ## ========== =============================================== @@ -68,6 +73,17 @@ export { ## for instance. I.e., we just record that data went in that direction. ## This history is not meant to encode how much data that happened to be. history: string &log &optional; + ## Number of packets the originator sent. + ## Only set if :bro:id:`use_conn_size_analyzer`=T + orig_pkts: count &log &optional; + ## Number IP level bytes the originator sent (as seen on the wire, + ## taken from IP total_length header field). + ## Only set if :bro:id:`use_conn_size_analyzer`=T + orig_ip_bytes: count &log &optional; + ## Number of packets the responder sent. See ``orig_pkts``. + resp_pkts: count &log &optional; + ## Number IP level bytes the responder sent. See ``orig_pkts``. + resp_ip_bytes: count &log &optional; }; global log_conn: event(rec: Info); 
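Review bot: The new doc on `orig_bytes` says the sequence-number-derived value "might be inaccurate (e.g., due to large connections)" but does not tell a log consumer what to use instead, even though the same commit adds wire-level counters; a cross-reference would make the caveat actionable, e.g. `## (e.g., due to large connections). See ``orig_ip_bytes`` for a wire-level count.` The inaccuracy is presumably 32-bit sequence-number wraparound, which is worth stating if that is the case. In the second hunk on this line, `## Number IP level bytes the originator sent` reads oddly; `## Number of IP-level bytes the originator sent` for both the orig and resp fields.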
@@ -143,31 +159,39 @@ function determine_service(c: connection): string return to_lower(service); } +## Fill out the c$conn record for logging function set_conn(c: connection, eoc: bool) { if ( ! c?$conn ) { - local id = c$id; local tmp: Info; - tmp$ts=c$start_time; - tmp$uid=c$uid; - tmp$id=id; - tmp$proto=get_port_transport_proto(id$resp_p); - if( |Site::local_nets| > 0 ) - tmp$local_orig=Site::is_local_addr(id$orig_h); c$conn = tmp; } + + c$conn$ts=c$start_time; + c$conn$uid=c$uid; + c$conn$id=c$id; + c$conn$proto=get_port_transport_proto(c$id$resp_p); + if( |Site::local_nets| > 0 ) + c$conn$local_orig=Site::is_local_addr(c$id$orig_h); if ( eoc ) { if ( c$duration > 0secs ) { c$conn$duration=c$duration; - # TODO: these should optionally use Gregor's new - # actual byte counting code if it's enabled. c$conn$orig_bytes=c$orig$size; c$conn$resp_bytes=c$resp$size; } + if ( c$orig?$num_pkts ) + { + # these are set if use_conn_size_analyzer=T + # we can have counts in here even without duration>0 + c$conn$orig_pkts = c$orig$num_pkts; + c$conn$orig_ip_bytes = c$orig$num_bytes_ip; + c$conn$resp_pkts = c$resp$num_pkts; + c$conn$resp_ip_bytes = c$resp$num_bytes_ip; + } local service = determine_service(c); if ( service != "" ) c$conn$service=service; @@ -178,11 +202,6 @@ function set_conn(c: connection, eoc: bool) } } -event connection_established(c: connection) &priority=5 - { - set_conn(c, F); - } - event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5 { set_conn(c, F); @@ -190,9 +209,13 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio c$conn$missed_bytes = c$conn$missed_bytes + length; } -event connection_state_remove(c: connection) &priority=-5 +event connection_state_remove(c: connection) &priority=5 { set_conn(c, T); + } + +event connection_state_remove(c: connection) &priority=-5 + { Log::write(CONN, c$conn); } 
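Review bot: The new `if ( c$orig?$num_pkts )` block in set_conn guards only on `c$orig$num_pkts` and then reads `c$orig$num_bytes_ip`, `c$resp$num_pkts` and `c$resp$num_bytes_ip` unguarded; if those fields can be unset independently (the check_ssh_connection hunk elsewhere in this commit tests `c$resp?$num_bytes_ip` on its own), the priority=5 connection_state_remove handler would fail before the priority=-5 one reaches `Log::write(CONN, c$conn)` and the connection would never be logged. Unless the four fields are known to be populated together, widen the condition to `if ( c$orig?$num_pkts && c$resp?$num_pkts )` or test each field before assigning it. The third hunk on this line also drops the `connection_established` handler that called `set_conn(c, F)`, so `c$conn` now only exists after a content_gap or at state removal; I cannot see whether any other script reads `c$conn` on a live connection, but if one does it now needs a `c?$conn` check. set_conn's body continues past the end of the first hunk.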
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 59ade654d4..eff1b4c4f0 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -1,3 +1,4 @@ +@load ./consts module DNS; diff --git a/scripts/base/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro index 5ebe0ec63c..c638e90a65 100644 --- a/scripts/base/protocols/ftp/file-extract.bro +++ b/scripts/base/protocols/ftp/file-extract.bro @@ -1,5 +1,8 @@ ##! File extraction for FTP. +@load ./main +@load base/utils/files + module FTP; export { @@ -62,4 +65,4 @@ event log_ftp(rec: Info) &priority=-10 { delete rec$extraction_file; delete rec$extract_file; - } \ No newline at end of file + } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index bf32ba3114..9dd6a4b6d2 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -7,6 +7,10 @@ ##! ##! * Handle encrypted sessions correctly (get an example?) +@load ./utils-commands +@load base/utils/paths +@load base/utils/numbers + module FTP; export { diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro index 24ee1d8b93..d36d95e475 100644 --- a/scripts/base/protocols/http/file-extract.bro +++ b/scripts/base/protocols/http/file-extract.bro @@ -1,6 +1,10 @@ ##! Extracts the items from HTTP traffic, one per file. At this time only ##! the message body from the server can be extracted with this script. +@load ./main +@load ./file-ident +@load base/utils/files + module HTTP; export { diff --git a/scripts/base/protocols/http/file-hash.bro b/scripts/base/protocols/http/file-hash.bro index 26f8abf51a..6da624728d 100644 --- a/scripts/base/protocols/http/file-hash.bro +++ b/scripts/base/protocols/http/file-hash.bro @@ -1,5 +1,7 @@ ##! Calculate hashes for HTTP body transfers. +@load ./file-ident + module HTTP; export { 
diff --git a/scripts/base/protocols/http/file-ident.bro b/scripts/base/protocols/http/file-ident.bro index 082adf75d3..c2d858852b 100644 --- a/scripts/base/protocols/http/file-ident.bro +++ b/scripts/base/protocols/http/file-ident.bro @@ -1,6 +1,11 @@ ##! This script is involved in the identification of file types in HTTP ##! response bodies. +@load base/frameworks/signatures +@load base/frameworks/notice +@load ./main +@load ./utils + # Add the magic number signatures to the core signature set. redef signature_files += "base/protocols/http/file-ident.sig"; # Ignore the signatures used to match files diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 8cd80bde5f..ec54b1f428 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -1,3 +1,5 @@ +@load base/utils/numbers +@load base/utils/files module HTTP; diff --git a/scripts/base/protocols/http/partial-content.bro b/scripts/base/protocols/http/partial-content.bro index 130cc0db28..92bda1b345 100644 --- a/scripts/base/protocols/http/partial-content.bro +++ b/scripts/base/protocols/http/partial-content.bro @@ -3,6 +3,10 @@ ##! ##! This script doesn't work yet and isn't loaded by default. +@load base/frameworks/notice +@load ./main +@load ./utils + module HTTP; export { diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 716b1c608b..6e2583bc75 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro @@ -1,5 +1,7 @@ ##! Utilities specific for HTTP processing. +@load ./main + module HTTP; export { diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 1b8dc67c25..92d73e70bf 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro 
@@ -8,6 +8,9 @@ ##! Example line from IRC server indicating that the DCC SEND is about to start: ##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A +@load ./main +@load base/utils/files + module IRC; export { diff --git a/scripts/base/protocols/mime/__load__.bro b/scripts/base/protocols/mime/__load__.bro index 36e9f16426..6c3f1804ec 100644 --- a/scripts/base/protocols/mime/__load__.bro +++ b/scripts/base/protocols/mime/__load__.bro @@ -1,4 +1,4 @@ -@load protocols/mime/base -@load protocols/mime/file-ident -@load protocols/mime/file-extract -@load protocols/mime/file-hash +@load ./main +@load ./file-ident +@load ./file-extract +@load ./file-hash diff --git a/scripts/base/protocols/mime/file-hash.bro b/scripts/base/protocols/mime/file-hash.bro index 5139810b8e..e50f16fed4 100644 --- a/scripts/base/protocols/mime/file-hash.bro +++ b/scripts/base/protocols/mime/file-hash.bro @@ -1,4 +1,5 @@ @load ./file-ident +@load base/frameworks/notice module MIME; diff --git a/scripts/base/protocols/mime/file-ident.bro b/scripts/base/protocols/mime/file-ident.bro index 346fde1bba..932085cd1a 100644 --- a/scripts/base/protocols/mime/file-ident.bro +++ b/scripts/base/protocols/mime/file-ident.bro @@ -1,4 +1,4 @@ -@load ./base +@load ./main module MIME; diff --git a/scripts/base/protocols/mime/base.bro b/scripts/base/protocols/mime/main.bro similarity index 100% rename from scripts/base/protocols/mime/base.bro rename to scripts/base/protocols/mime/main.bro diff --git a/scripts/base/protocols/rpc/base.bro b/scripts/base/protocols/rpc/main.bro similarity index 99% rename from scripts/base/protocols/rpc/base.bro rename to scripts/base/protocols/rpc/main.bro index 936684a728..36a524c880 100644 --- a/scripts/base/protocols/rpc/base.bro +++ b/scripts/base/protocols/rpc/main.bro @@ -8,6 +8,8 @@ # programs for which we don't have an analyzer. # +@load base/utils/conn-ids + module RPC; export { 
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 02b282894c..20b9f63a94 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -1,3 +1,6 @@ +@load base/frameworks/notice +@load base/utils/addrs +@load base/utils/directions-and-hosts module SMTP; diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 1a625e266a..cfed7451ff 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -5,6 +5,12 @@ ##! Requires that :bro:id:`use_conn_size_analyzer` is set to T! The heuristic ##! is not attempted if the connection size analyzer isn't enabled. +@load base/frameworks/notice +@load base/utils/site +@load base/utils/thresholds +@load base/utils/conn-ids +@load base/utils/directions-and-hosts + module SSH; export { @@ -94,6 +100,11 @@ function check_ssh_connection(c: connection, done: bool) if ( c$ssh$done ) return; + # Make sure conn_size_analyzer is active by checking + # resp$num_bytes_ip + if ( !c$resp?$num_bytes_ip ) + return; + # If this is still a live connection and the byte count has not # crossed the threshold, just return and let the resheduled check happen later. if ( !done && c$resp$num_bytes_ip < authentication_data_size ) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 775b59a6e5..156d4dc62b 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -1,3 +1,5 @@ +@load ./consts +@load base/frameworks/notice module SSL; diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro index 0df3e0b9f2..dab8461806 100644 --- a/scripts/base/protocols/ssl/mozilla-ca-list.bro +++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro 
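Review bot: The added `if ( !c$resp?$num_bytes_ip ) return;` in check_ssh_connection silently disables the entire login heuristic when the connection-size analyzer is off, so an operator expecting SSH notices gets neither notices nor any diagnostic that the coverage is missing. The early return is the right guard; what is missing is a one-time check at bro_init that reports when `use_conn_size_analyzer` is F, so the gap is visible rather than quiet. The comment `# Make sure conn_size_analyzer is active by checking resp$num_bytes_ip` could also name the consequence, e.g. `# conn_size_analyzer is off: no byte counts, so the heuristic cannot run for this connection`. check_ssh_connection's body continues outside the hunk.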
@@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. # Generated at: Wed Jun 29 07:52:38 -0400 2011 - +@load base/protocols/ssl module SSL; redef root_certs += { ["GTE CyberTrust Global Root"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7\x79\
xB4\x1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F", diff --git a/scripts/base/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.bro index 6b387ef980..a88c4827a6 100644 --- a/scripts/base/utils/directions-and-hosts.bro +++ b/scripts/base/utils/directions-and-hosts.bro @@ -1,3 +1,4 @@ +@load ./site type Direction: enum { ## The connection originator is not within the locally-monitored network, diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro index 518336abd8..e055b8c8e4 100644 --- a/scripts/policy/frameworks/control/controllee.bro +++ b/scripts/policy/frameworks/control/controllee.bro @@ -1,4 +1,4 @@ - +@load base/frameworks/control # If an instance is a controllee, it implicitly needs to listen for remote # connections. @load frameworks/communication/listen-clear diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro index 83fd5e5451..6673fa2332 100644 --- a/scripts/policy/frameworks/control/controller.bro +++ b/scripts/policy/frameworks/control/controller.bro @@ -1,3 +1,4 @@ +@load base/frameworks/control @load base/frameworks/communication module Control; diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index cbe81df889..8e1ea1267f 100644 
--- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro @@ -1,5 +1,9 @@ ##! Finds connections with protocols on non-standard ports with DPD. +@load base/frameworks/notice +@load base/utils/site +@load base/utils/conn-ids + module ProtocolDetector; export { diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro index 2276b49e64..3883cd1207 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro @@ -4,6 +4,8 @@ ##! A caveat to logging packet data is that in some cases, the packet may ##! not be the packet that actually caused the protocol violation. +@load base/frameworks/dpd + module DPD; export { diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro index 61360496cf..b3800c3ed3 100644 --- a/scripts/policy/frameworks/metrics/conn-example.bro +++ b/scripts/policy/frameworks/metrics/conn-example.bro @@ -1,3 +1,5 @@ +@load base/frameworks/metrics +@load base/utils/site redef enum Metrics::ID += { CONNS_ORIGINATED, @@ -17,4 +19,4 @@ event connection_established(c: connection) Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1); Metrics::add_data(CONNS_RESPONDED, [$host=c$id$resp_h], 1); } - \ No newline at end of file + diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro index 94592a852f..50b18b2a27 100644 --- a/scripts/policy/frameworks/metrics/http-example.bro +++ b/scripts/policy/frameworks/metrics/http-example.bro @@ -1,3 +1,6 @@ +@load base/frameworks/metrics +@load base/protocols/http +@load base/utils/site redef enum Metrics::ID += { HTTP_REQUESTS_BY_STATUS_CODE, 
@@ -20,7 +23,7 @@ event bro_init() event HTTP::log_http(rec: HTTP::Info) { if ( rec?$host ) - Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host]); + Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1); if ( rec?$status_code ) - Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)]); - } \ No newline at end of file + Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1); + } diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro index f3c5b8b902..46dd0e4741 100644 --- a/scripts/policy/frameworks/metrics/ssl-example.bro +++ b/scripts/policy/frameworks/metrics/ssl-example.bro @@ -1,4 +1,5 @@ - +@load base/frameworks/metrics +@load base/protocols/ssl redef enum Metrics::ID += { SSL_SERVERNAME, @@ -19,4 +20,4 @@ event SSL::log_ssl(rec: SSL::Info) { if ( rec?$server_name ) Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1); - } \ No newline at end of file + } diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro index 3b562b5334..6d46151f0f 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice +@load base/frameworks/software module Software; diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index ec0348d563..0ce949b83d 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice +@load base/frameworks/software module Software; @@ -18,4 +20,4 @@ event log_software(rec: Info) { NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]); } - } \ No newline at end of file + } 
diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.bro index 9e870eb7aa..c4790c6b32 100644 --- a/scripts/policy/integration/barnyard2/__load__.bro +++ b/scripts/policy/integration/barnyard2/__load__.bro @@ -1,3 +1,2 @@ -@load integration/barnyard2/types -@load integration/barnyard2/event -@load integration/barnyard2/base +@load ./types +@load ./main diff --git a/scripts/policy/integration/barnyard2/event.bro b/scripts/policy/integration/barnyard2/event.bro deleted file mode 100644 index 5fa2747a28..0000000000 --- a/scripts/policy/integration/barnyard2/event.bro +++ /dev/null @@ -1,3 +0,0 @@ -## This is the event that Barnyard2 instances will send if they're -## configured with the bro_alert output plugin. -global barnyard_alert: event(id: Barnyard2::PacketID, alert: Barnyard2::AlertData, msg: string, data: string); diff --git a/scripts/policy/integration/barnyard2/base.bro b/scripts/policy/integration/barnyard2/main.bro similarity index 98% rename from scripts/policy/integration/barnyard2/base.bro rename to scripts/policy/integration/barnyard2/main.bro index f05ad0e9bf..f8ba48dd99 100644 --- a/scripts/policy/integration/barnyard2/base.bro +++ b/scripts/policy/integration/barnyard2/main.bro @@ -2,7 +2,7 @@ ##! Barnyard2 and logs them. In the future it will do more correlation ##! and derive new notices from the alerts. -@load integration/barnyard2/types +@load ./types module Barnyard2; diff --git a/scripts/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.bro index 9bc56773ef..6cfcbb9535 100644 --- a/scripts/policy/integration/barnyard2/types.bro +++ b/scripts/policy/integration/barnyard2/types.bro 
@@ -22,4 +22,11 @@ export { dst_ip: addr; dst_p: port; } &log; -} \ No newline at end of file + + ## This is the event that Barnyard2 instances will send if they're + ## configured with the bro_alert output plugin. + global barnyard_alert: event(id: Barnyard2::PacketID, + alert: Barnyard2::AlertData, + msg: string, + data: string); +} diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro index 72bdaf01a4..6fc59d4d15 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -3,6 +3,8 @@ ##! output provides an easy way to determine a count of the IP addresses in ##! use on a network per day. +@load base/utils/directions-and-hosts + module KnownHosts; export { diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index 35a19a14f0..3676cbb05b 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -3,6 +3,8 @@ ##! completed a TCP handshake with another host. If a protocol is detected ##! during the session, the protocol will also be logged. +@load base/utils/directions-and-hosts + module KnownServices; redef enum Log::ID += { KNOWN_SERVICES }; diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index ab715cccb3..a0e2408679 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro @@ -1,4 +1,4 @@ -@load base/frameworks/notice +@load base/frameworks/notice/main @load port-name module Scan; diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro index ba21131f7c..dd00e59c2e 100644 --- a/scripts/policy/protocols/dns/auth-addl.bro +++ b/scripts/policy/protocols/dns/auth-addl.bro @@ -1,3 +1,4 @@ +@load base/protocols/dns/main redef dns_skip_all_auth = F; redef dns_skip_all_addl = F; 
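Review bot: The `@load base/frameworks/notice/main` form introduced in scan.bro is inconsistent with the directory form kept elsewhere in this series (`@load base/frameworks/notice` in detect-protocols.bro, detect-bruteforcing.bro and remove-high-volume-notices.bro); one convention should be used throughout, and the same split exists for `base/frameworks/software` vs `base/frameworks/software/main` in the ftp/http/smtp/ssh software hunks. Loading the directory presumably goes through its `__load__.bro` and brings in everything the framework ships, whereas loading `main` alone makes each policy script responsible for knowing the framework's internal layout, so a later addition to the framework would silently not be loaded by these scripts. If the narrower form is deliberate, a one-line comment at the load site (`# only the core notice types are needed here`) would keep the next reader from "fixing" it back.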
diff --git a/scripts/policy/protocols/dns/detect-external-names.bro b/scripts/policy/protocols/dns/detect-external-names.bro index fd49fee183..f6f0e596cc 100644 --- a/scripts/policy/protocols/dns/detect-external-names.bro +++ b/scripts/policy/protocols/dns/detect-external-names.bro @@ -8,6 +8,9 @@ ##! to be within a local zone. :bro:id:`local_zones` variable **must** ##! be set appropriately for this detection. +@load base/frameworks/notice/main +@load base/utils/site + module DNS; export { diff --git a/scripts/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.bro index 4e69dec655..cb89599a93 100644 --- a/scripts/policy/protocols/ftp/detect.bro +++ b/scripts/policy/protocols/ftp/detect.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/ftp/main module FTP; @@ -21,4 +23,4 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior NOTICE([$note=Site_Exec_Success, $conn=c, $msg=fmt("%s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg)]); } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro index 918123bb4c..7dfd54ddca 100644 --- a/scripts/policy/protocols/ftp/software.bro +++ b/scripts/policy/protocols/ftp/software.bro @@ -6,6 +6,8 @@ ##! * Detect client software with password given for anonymous users ##! (e.g. cyberduck@example.net) +@load base/frameworks/software/main + module FTP; export { diff --git a/scripts/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro index fd54a62aeb..7b99184a9b 100644 --- a/scripts/policy/protocols/http/detect-MHR.bro +++ b/scripts/policy/protocols/http/detect-MHR.bro 
@@ -1,9 +1,14 @@ ##! This script takes MD5 sums of files transferred over HTTP and checks them with ##! Team Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/). ##! By default, not all file transfers will have MD5 sums calculated. Read the -##! documentation for the base/protocols/http/file-hash.bro script to see how to +##! documentation for the :doc:base/protocols/http/file-hash.bro script to see how to ##! configure which transfers will have hashes calculated. +@load base/frameworks/notice/main +@load base/protocols/http/main +@load base/protocols/http/utils +@load base/protocols/http/file-hash + export { redef enum Notice::Type += { ## If the MD5 sum of a file transferred over HTTP diff --git a/scripts/policy/protocols/http/detect-intel.bro b/scripts/policy/protocols/http/detect-intel.bro index ebe6713c03..6da4d8d1e1 100644 --- a/scripts/policy/protocols/http/detect-intel.bro +++ b/scripts/policy/protocols/http/detect-intel.bro @@ -1,5 +1,9 @@ ##! Intelligence based HTTP detections. +@load base/protocols/http/main +@load base/protocols/http/utils +@load base/frameworks/intel/main + module HTTP; event log_http(rec: Info) @@ -14,4 +18,4 @@ event log_http(rec: Info) $sub=HTTP::build_url_http(rec), $id=rec$id]); } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index e2933626f7..470615458e 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro @@ -1,5 +1,9 @@ ##! SQL injection detection in HTTP. +@load base/frameworks/notice/main +@load base/frameworks/metrics/main +@load base/protocols/http/main + module HTTP; export { @@ -54,4 +58,4 @@ event http_request(c: connection, method: string, original_URI: string, Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h], 1); Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1); } - } \ No newline at end of file + } 
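Review bot: The reST cross-reference on the changed doc line is malformed: `:doc:base/protocols/http/file-hash.bro` has no backticks around the role target, so Sphinx will render the text literally instead of producing a link; the target must be wrapped as :doc:`base/protocols/http/file-hash.bro` (role name, then the path in backticks). The `:doc:` role also resolves against the generated documentation tree rather than the script tree, so the path may need to match whatever `DocSourcesList.cmake` produces for that script — worth checking in a doc build before merging.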
diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro index 350f0def98..493ea9b44b 100644 --- a/scripts/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -1,3 +1,7 @@ +@load base/frameworks/signatures/main +@load base/frameworks/software/main +@load base/protocols/http/main +@load base/protocols/http/utils module HTTP; diff --git a/scripts/policy/protocols/http/headers.bro b/scripts/policy/protocols/http/headers.bro index 4451e876ec..dc3eddcbc0 100644 --- a/scripts/policy/protocols/http/headers.bro +++ b/scripts/policy/protocols/http/headers.bro @@ -1,5 +1,7 @@ ##! Extract and include the header keys used for each request in the log. +@load base/protocols/http/main + module HTTP; export { diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro index 5a16b862a6..a7948d6a5b 100644 --- a/scripts/policy/protocols/http/software.bro +++ b/scripts/policy/protocols/http/software.bro @@ -1,5 +1,7 @@ ##! Software identification and extraction for HTTP traffic. +@load base/frameworks/software/main + module HTTP; export { @@ -52,4 +54,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr Software::found(c$id, Software::parse(value, c$id$resp_h, WEB_APPSERVER)); } } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.bro index b30be9d2c1..2b3f282b03 100644 --- a/scripts/policy/protocols/http/var-extraction-cookies.bro +++ b/scripts/policy/protocols/http/var-extraction-cookies.bro @@ -1,5 +1,8 @@ ##! This script extracts and logs variables from cookies sent by clients +@load base/protocols/http/main +@load base/protocols/http/utils + module HTTP; redef record Info += { 
diff --git a/scripts/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.bro index a6e6b1d971..32ea147961 100644 --- a/scripts/policy/protocols/http/var-extraction-uri.bro +++ b/scripts/policy/protocols/http/var-extraction-uri.bro @@ -1,5 +1,8 @@ ##! This script extracts and logs variables from the requested URI +@load base/protocols/http/main +@load base/protocols/http/utils + module HTTP; redef record Info += { diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro index 26f667cfd6..8e85b8db97 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/smtp/main module SMTP; diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.bro index ccb7366a2a..3c4c870885 100644 --- a/scripts/policy/protocols/smtp/software.bro +++ b/scripts/policy/protocols/smtp/software.bro @@ -7,6 +7,9 @@ ##! * Find some heuristic to determine if email was sent through ##! a MS Exhange webmail interface as opposed to a desktop client. +@load base/frameworks/software/main +@load base/protocols/smtp/main + module SMTP; export { diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro index fb1c075d86..ba38f342d4 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro @@ -1,4 +1,8 @@ +@load base/frameworks/metrics +@load base/frameworks/notice +@load base/frameworks/intel + module SSH; export { diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro index 97bd0a5803..4dfd8bbae4 100644 --- a/scripts/policy/protocols/ssh/geo-data.bro +++ b/scripts/policy/protocols/ssh/geo-data.bro 
@@ -1,6 +1,9 @@ ##! This implements all of the additional information and geodata detections ##! for SSH analysis. +@load base/frameworks/notice/main +@load base/protocols/ssh/main + module SSH; export { diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.bro index 93767e5f54..0e48fb36d9 100644 --- a/scripts/policy/protocols/ssh/interesting-hostnames.bro +++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro @@ -1,3 +1,4 @@ +@load base/frameworks/notice/main module SSH; diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro index 1aa3bce1a2..d9bfdffb3c 100644 --- a/scripts/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro @@ -1,3 +1,4 @@ +@load base/frameworks/software/main module SSH; diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index a8815dca07..7bff4bbf38 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -1,3 +1,4 @@ +@load base/utils/directions-and-hosts module KnownCerts; diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 43920557f4..3e457c72ea 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/ssl/main module SSL; diff --git a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro index 1133bf952b..bf3f73c741 100644 --- a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro +++ b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro 
@@ -1,6 +1,9 @@ ##! This strives to tune out high volume and less useful data ##! from the notice log. +@load base/frameworks/notice +@load base/frameworks/notice/weird + # Remove these notices from logging since they can be too noisy. redef Notice::ignored_types += { Weird::Content_Gap, diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.bro index ea8f18c3bc..cedc3d62ad 100644 --- a/scripts/policy/tuning/defaults/warnings.bro +++ b/scripts/policy/tuning/defaults/warnings.bro @@ -2,8 +2,10 @@ ##! good to set in most cases or other things that could be done to achieve ##! better detection. +@load base/utils/site + event bro_init() &priority=-10 { if ( |Site::local_nets| == 0 ) print "WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks."; - } \ No newline at end of file + } diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.bro index fe61ff93b6..082f40d4d8 100644 --- a/scripts/policy/tuning/track-all-assets.bro +++ b/scripts/policy/tuning/track-all-assets.bro @@ -1,4 +1,4 @@ - +@load base/frameworks/software @load protocols/conn/known-hosts @load protocols/conn/known-services @load protocols/ssl/known-certs diff --git a/scripts/site/local-manager.bro b/scripts/site/local-manager.bro index aa28bd79da..c933207603 100644 --- a/scripts/site/local-manager.bro +++ b/scripts/site/local-manager.bro @@ -1,5 +1,7 @@ ##! Local site policy loaded only by the manager in a cluster. +@load base/frameworks/notice + # If you are running a cluster you should define your Notice::policy here # so that notice processing occurs on the manager. redef Notice::policy += { diff --git a/scripts/site/local.bro b/scripts/site/local.bro index f894a30432..224ef278a0 100644 --- a/scripts/site/local.bro +++ b/scripts/site/local.bro 
@@ -62,6 +62,7 @@ redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
 # Uncomment this redef if you want to extract SMTP MIME entities for
 # some file types. The numbers given indicate how many bytes to extract for
 # the various mime types.
+@load base/protocols/smtp/entities-excerpt
 redef SMTP::entity_excerpt_len += {
 # ["text/plain"] = 1024,
 # ["text/html"] = 1024,
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index a42ef893fc..0e47543404 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -15,11 +15,13 @@
 # @load frameworks/control/controller.bro
 @load frameworks/dpd/detect-protocols.bro
 @load frameworks/dpd/packet-segment-logging.bro
+@load frameworks/metrics/conn-example.bro
+@load frameworks/metrics/http-example.bro
+@load frameworks/metrics/ssl-example.bro
 @load frameworks/software/version-changes.bro
 @load frameworks/software/vulnerable.bro
 @load integration/barnyard2/__load__.bro
-@load integration/barnyard2/base.bro
-@load integration/barnyard2/event.bro
+@load integration/barnyard2/main.bro
 @load integration/barnyard2/types.bro
 @load misc/analysis-groups.bro
 @load misc/loaded-scripts.bro
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
index 302bd04c88..d3406ad113 100644
--- a/src/BroDoc.cc
+++ b/src/BroDoc.cc
@@ -60,7 +60,7 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 if ( ! reST_file )
 fprintf(stderr, "Failed to open %s\n", reST_filename.c_str());
 
-#ifdef DEBUG
+#ifdef DOCDEBUG
 fprintf(stdout, "Documenting absolute source: %s\n", abs.c_str());
 fprintf(stdout, "\trelative dir: %s\n", rel.c_str());
 fprintf(stdout, "\tdoc title: %s\n", doc_title.c_str());
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 6bc82ebb91..0bbced32db 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
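Review bot: The new `@load base/protocols/smtp/entities-excerpt` in local.bro is placed between the `# Uncomment this redef ...` comment block and the `redef SMTP::entity_excerpt_len` statement it explains, so the comment no longer sits directly above what it documents; move the `@load` above the comment block (or up with the file's other loads). Because local.bro is the site policy that administrators edit, a short reason next to the load, e.g. `# Presumably defines SMTP::entity_excerpt_len, which the redef below extends`, would tell them why it must stay even when they leave every entry below commented out — the definition itself is not visible in this hunk, so confirm the wording against the script.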
@@ -107,20 +107,28 @@ macro(BIF_TARGET bifInput) add_custom_command(OUTPUT ${bifOutputs} COMMAND bifcl ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1) + # in order be able to run bro from the build directory, + # the generated bro script needs to be inside a + # a directory tree named the same way it will be + # referenced from an @load + COMMAND "${CMAKE_COMMAND}" + ARGS -E copy ${bifInput}.bro base/${bifInput}.bro + COMMAND "${CMAKE_COMMAND}" + ARGS -E remove -f ${bifInput}.bro DEPENDS ${bifInput} DEPENDS bifcl COMMENT "[BIFCL] Processing ${bifInput}" ) list(APPEND ALL_BIF_OUTPUTS ${bifOutputs}) list(APPEND INSTALL_BIF_OUTPUTS - ${CMAKE_CURRENT_BINARY_DIR}/${bifInput}.bro) + ${CMAKE_CURRENT_BINARY_DIR}/base/${bifInput}.bro) endmacro(BIF_TARGET) # returns a list of output files that bifcl will produce # for given input file in ${outputFileVar} macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) set(${outputFileVar} - ${inputFile}.bro + base/${inputFile}.bro ${inputFile}.func_def ${inputFile}.func_h ${inputFile}.func_init @@ -424,7 +432,7 @@ set(brolibs target_link_libraries(bro ${brolibs}) install(TARGETS bro DESTINATION bin) -install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}) +install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc index ec1fd206f6..c44ae5fb70 100644 --- a/src/SSL-binpac.cc +++ b/src/SSL-binpac.cc @@ -7,6 +7,7 @@ SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c) : TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c) { interp = new binpac::SSL::SSL_Conn(this); + had_gap = false; } SSL_Analyzer_binpac::~SSL_Analyzer_binpac() 
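Review bot: The copy-then-remove pair added to the bifcl rule can be a single step, `COMMAND "${CMAKE_COMMAND}"` / `ARGS -E rename ${bifInput}.bro base/${bifInput}.bro`, which also cannot leave a stale top-level `${bifInput}.bro` behind if the build is interrupted between the two commands — a stale copy next to the `base/` one would otherwise be a second, possibly out-of-date, candidate for the same `@load`. The new comment has a duplicated article across its line break (`inside a` / `a directory tree`); it should read `needs to be inside a directory tree named the same way`. The rule also still relies on the unquoted `|| (rm -f ...)` shell fallback, which is why `VERBATIM` cannot simply be added here; that is pre-existing, as is the macro's opening line, which is outside the hunk.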
@@ -36,12 +37,24 @@ void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig) if ( TCP()->IsPartial() ) return; + if ( had_gap ) + // XXX: If only one side had a content gap, we could still try to + // deliver data to the other side if the script layer can handle this. + return; - interp->NewData(orig, data, data + len); + try + { + interp->NewData(orig, data, data + len); + } + catch ( binpac::Exception const &e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } } void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig) { TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + had_gap = true; interp->NewGap(orig, len); } diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h index 7d0c8d3939..8dab19d00c 100644 --- a/src/SSL-binpac.h +++ b/src/SSL-binpac.h @@ -30,6 +30,7 @@ public: protected: binpac::SSL::SSL_Conn* interp; + bool had_gap; }; diff --git a/src/bro.bif b/src/bro.bif index e4d0f2092b..e31ac52b0c 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3607,3 +3607,9 @@ function enable_communication%(%): any remote_serializer->Init(); return 0; %} + +## Returns the Bro version string +function bro_version%(%): string + %{ + return new StringVal(bro_version()); + %} diff --git a/src/main.cc b/src/main.cc index 100305d811..a6e493f0c8 100644 --- a/src/main.cc +++ b/src/main.cc @@ -932,9 +932,8 @@ int main(int argc, char** argv) if ( dead_handlers->length() > 0 && check_for_unused_event_handlers ) { - reporter->Warning("event handlers never invoked:"); for ( int i = 0; i < dead_handlers->length(); ++i ) - reporter->Warning("\t", (*dead_handlers)[i]); + reporter->Warning("event handler never invoked: %s", (*dead_handlers)[i]); } delete dead_handlers; diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr new file mode 100644 index 0000000000..8d8bf1a85b --- /dev/null +++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr 
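Review bot: After the new `catch` reports a `ProtocolViolation`, the next `DeliverStream` call still hands the same `interp` more data even though the exception interrupted its parse state; unless `ProtocolViolation` disables the analyzer (not visible in this hunk), the handler should also set a flag that the guard at the top checks, e.g. `had_gap = true;` or a dedicated `had_error`, so later segments are skipped the same way gap-affected ones are. Separately, `had_gap` is set only in `Undelivered` and cleared only in the constructor, so one gap in either direction silences SSL parsing for the remainder of the connection in both directions — the XXX comment acknowledges this, but a per-direction flag keyed on `orig` would be the natural next step. The comment placed between `if ( had_gap )` and its `return;` is easy to misread as the body; move it above the `if`.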
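Review bot: The per-handler warning added in `main.cc` is rendered with an empty location — the new baseline in `core.check-unused-event-handlers/.stderr` shows `warning in , line 1: event handler never invoked: this_is_never_used` — which suggests `reporter->Warning` is still picking up a script location whose filename is empty at this point in `main()`. If the reporter offers a location-free form, or the current location can be cleared before this loop, the line should read `warning: event handler never invoked: this_is_never_used`; otherwise the baseline is freezing that artifact into the expected output. `main()` itself starts outside the hunk.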
@@ -0,0 +1 @@ +warning in , line 1: event handler never invoked: this_is_never_used diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log index a744346519..f8f3d41108 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log @@ -1,2 +1,2 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history -1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf +# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945 diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 1d46bd7ab1..1ac7ab0cf4 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log +++ b/testing/btest/Baseline/core.vlan-mpls/conn.log 
@@ -1,4 +1,4 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history -952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - -1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf -1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF +# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - 11 280 0 0 +1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945 +1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF 7 361 7 3801 diff --git a/testing/btest/Baseline/scripts.bare-mode-coverage/unique_errors b/testing/btest/Baseline/scripts.bare-mode-coverage/unique_errors new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/manager-1..stdout rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-1..stdout rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout 
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-2..stdout rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-1..stdout rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-2..stdout rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout diff --git a/testing/btest/Baseline/policy.frameworks.control.configuration_update/controllee..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.control.configuration_update/controllee..stdout rename to testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout diff --git a/testing/btest/Baseline/policy.frameworks.control.id_value/controller..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout similarity index 100% rename from testing/btest/Baseline/policy.frameworks.control.id_value/controller..stdout rename to testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout 
diff --git a/testing/btest/Baseline/policy.frameworks.intel.insert-and-matcher/out b/testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out similarity index 100% rename from testing/btest/Baseline/policy.frameworks.intel.insert-and-matcher/out rename to testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out diff --git a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log 
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-options/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.ascii-options/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log 
diff --git a/testing/btest/Baseline/policy.frameworks.logging.events/output b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.events/output rename to testing/btest/Baseline/scripts.base.frameworks.logging.events/output diff --git a/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.file/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.include/ssh.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.path-func/output b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.path-func/output rename to testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log similarity index 100% rename from testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log 
diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
rename to testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.rotate/out
rename to testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
diff --git a/testing/btest/Baseline/policy.frameworks.logging.stdout/output b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.stdout/output
rename to testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
diff --git a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.types/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.basic-cluster/manager-1.metrics.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.basic/metrics.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.notice/notice.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
diff --git a/testing/btest/Baseline/policy.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.software.version-parsing/output
rename to testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
diff --git a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
rename to testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
diff --git a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
rename to testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
diff --git a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.basic/irc.log
rename to testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log
rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
diff --git a/testing/btest/Baseline/policy.utils.addrs/output b/testing/btest/Baseline/scripts.base.utils.addrs/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.addrs/output
rename to testing/btest/Baseline/scripts.base.utils.addrs/output
diff --git a/testing/btest/Baseline/policy.utils.conn-ids/output b/testing/btest/Baseline/scripts.base.utils.conn-ids/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.conn-ids/output
rename to testing/btest/Baseline/scripts.base.utils.conn-ids/output
diff --git a/testing/btest/Baseline/policy.utils.directions-and-hosts/output b/testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.directions-and-hosts/output
rename to testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
diff --git a/testing/btest/Baseline/policy.utils.files/output b/testing/btest/Baseline/scripts.base.utils.files/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.files/output
rename to testing/btest/Baseline/scripts.base.utils.files/output
diff --git a/testing/btest/Baseline/policy.utils.numbers/output b/testing/btest/Baseline/scripts.base.utils.numbers/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.numbers/output
rename to testing/btest/Baseline/scripts.base.utils.numbers/output
diff --git a/testing/btest/Baseline/policy.utils.paths/output b/testing/btest/Baseline/scripts.base.utils.paths/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.paths/output
rename to testing/btest/Baseline/scripts.base.utils.paths/output
diff --git a/testing/btest/Baseline/policy.utils.pattern/output b/testing/btest/Baseline/scripts.base.utils.pattern/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.pattern/output
rename to testing/btest/Baseline/scripts.base.utils.pattern/output
diff --git a/testing/btest/Baseline/policy.utils.site/output b/testing/btest/Baseline/scripts.base.utils.site/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.site/output
rename to testing/btest/Baseline/scripts.base.utils.site/output
diff --git a/testing/btest/Baseline/policy.utils.strings/output b/testing/btest/Baseline/scripts.base.utils.strings/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.strings/output
rename to testing/btest/Baseline/scripts.base.utils.strings/output
diff --git a/testing/btest/Baseline/policy.utils.thresholds/output b/testing/btest/Baseline/scripts.base.utils.thresholds/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.thresholds/output
rename to testing/btest/Baseline/scripts.base.utils.thresholds/output
diff --git a/testing/btest/Baseline/policy.misc.check-test-all-policy/output b/testing/btest/Baseline/scripts.check-test-all-policy/output
similarity index 100%
rename from testing/btest/Baseline/policy.misc.check-test-all-policy/output
rename to testing/btest/Baseline/scripts.check-test-all-policy/output
diff --git a/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/scripts.policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
similarity index 50%
rename from testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
rename to testing/btest/Baseline/scripts.policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
index 7d40d728da..8386089200 100644
--- a/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/scripts.policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
@@ -1,13 +1,13 @@
 # depth name
 0 scripts/base/init-bare.bro
-1 build/src/const.bif.bro
-1 build/src/types.bif.bro
-1 build/src/strings.bif.bro
-1 build/src/bro.bif.bro
-1 build/src/reporter.bif.bro
-1 build/src/event.bif.bro
+1 build/src/base/const.bif.bro
+1 build/src/base/types.bif.bro
+1 build/src/base/strings.bif.bro
+1 build/src/base/bro.bif.bro
+1 build/src/base/reporter.bif.bro
+1 build/src/base/event.bif.bro
 1 scripts/base/frameworks/logging/__load__.bro
 2 scripts/base/frameworks/logging/./main.bro
-3 build/src/logging.bif.bro
+3 build/src/base/logging.bif.bro
 2 scripts/base/frameworks/logging/./writers/ascii.bro
 0 scripts/policy/misc/loaded-scripts.bro
diff --git a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/scripts.policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
similarity index 92%
rename from testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
rename to testing/btest/Baseline/scripts.policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
index 825be4fbb5..be836e1fee 100644
--- a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/scripts.policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
@@ -1,14 +1,14 @@
 # depth name
 0 scripts/base/init-bare.bro
-1 build/src/const.bif.bro
-1 build/src/types.bif.bro
-1 build/src/strings.bif.bro
-1 build/src/bro.bif.bro
-1 build/src/reporter.bif.bro
-1 build/src/event.bif.bro
+1 build/src/base/const.bif.bro
+1 build/src/base/types.bif.bro
+1 build/src/base/strings.bif.bro
+1 build/src/base/bro.bif.bro
+1 build/src/base/reporter.bif.bro
+1 build/src/base/event.bif.bro
 1 scripts/base/frameworks/logging/__load__.bro
 2 scripts/base/frameworks/logging/./main.bro
-3 build/src/logging.bif.bro
+3 build/src/base/logging.bif.bro
 2 scripts/base/frameworks/logging/./writers/ascii.bro
 0 scripts/base/init-default.bro
 1 scripts/base/utils/site.bro
@@ -38,16 +38,17 @@
 2 scripts/base/frameworks/packet-filter/./netstats.bro
 1 scripts/base/frameworks/software/__load__.bro
 2 scripts/base/frameworks/software/./main.bro
-1 scripts/base/frameworks/intel/__load__.bro
-2 scripts/base/frameworks/intel/./main.bro
-1 scripts/base/frameworks/metrics/__load__.bro
-2 scripts/base/frameworks/metrics/./main.bro
 1 scripts/base/frameworks/communication/__load__.bro
 2 scripts/base/frameworks/communication/./main.bro
 1 scripts/base/frameworks/control/__load__.bro
 2 scripts/base/frameworks/control/./main.bro
 1 scripts/base/frameworks/cluster/__load__.bro
 2 scripts/base/frameworks/cluster/./main.bro
+1 scripts/base/frameworks/metrics/__load__.bro
+2 scripts/base/frameworks/metrics/./main.bro
+2 scripts/base/frameworks/metrics/./non-cluster.bro
+1 scripts/base/frameworks/intel/__load__.bro
+2 scripts/base/frameworks/intel/./main.bro
 1 scripts/base/frameworks/reporter/__load__.bro
 2 scripts/base/frameworks/reporter/./main.bro
 1 scripts/base/protocols/conn/__load__.bro
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
diff --git a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
rename to testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
diff --git a/testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output b/testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output
rename to testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 1aa7b28f25..f674ae68c8 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -1,5 +1,5 @@
 [btest]
-TestDirs = doc bifs language core policy istate
+TestDirs = doc bifs language core scripts istate
 TmpDir = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs = .svn CVS .tmp
diff --git a/testing/btest/core/check-unused-event-handlers.test b/testing/btest/core/check-unused-event-handlers.test
new file mode 100644
index 0000000000..f9ad105ff6
--- /dev/null
+++ b/testing/btest/core/check-unused-event-handlers.test
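Review bot: Swapping `policy` for `scripts` in `TestDirs` means any test still left under `testing/btest/policy/` is silently no longer run; this diff renames most of that tree and deletes `policy/misc/check-bare-test-all-policy.bro`, but from here I cannot confirm the old directory is empty afterwards, so it is worth checking that no test was orphaned. A short comment on the line, e.g. `# script tests live under scripts/ (base/ and policy/ subtrees)`, would also spare the next reader a search for the old directory.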
@@ -0,0 +1,8 @@
+# This test should print a warning that the event handler is never invoked.
+# @TEST-EXEC: bro -b %INPUT check_for_unused_event_handlers=T
+# @TEST-EXEC: btest-diff .stderr
+
+event this_is_never_used()
+ {
+ print "not even once";
+ }
diff --git a/testing/btest/policy/misc/check-bare-test-all-policy.bro b/testing/btest/policy/misc/check-bare-test-all-policy.bro
deleted file mode 100644
index a3474942e3..0000000000
--- a/testing/btest/policy/misc/check-bare-test-all-policy.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# Makes sures test-all-policy.bro (which loads *all* other policy scripts)
-# compiles correctly even in bare mode.
-#
-# @TEST-EXEC: bro -b %INPUT >output
-# @TEST-EXEC: btest-diff output
-
-@load test-all-policy
diff --git a/testing/btest/scripts/bare-mode-coverage.test b/testing/btest/scripts/bare-mode-coverage.test
new file mode 100644
index 0000000000..12744023dc
--- /dev/null
+++ b/testing/btest/scripts/bare-mode-coverage.test
@@ -0,0 +1,8 @@
+# Makes sure any given policy script in the scripts/ tree can be loaded in
+# bare mode. btest-bg-run/btest-bg-wait are used to kill off scripts that
+# block after loading, e.g. start listening on a socket.
+#
+# @TEST-EXEC: test -d $DIST/scripts
+# @TEST-EXEC: for script in `find $DIST/scripts -name \*\.bro`; do echo $script;if [[ "$script" =~ listen-clear|listen-ssl|controllee ]]; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
+# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors
+# @TEST-EXEC: btest-diff unique_errors
diff --git a/testing/btest/policy/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
similarity index 100%
rename from testing/btest/policy/frameworks/cluster/start-it-up.bro
rename to testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
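Review bot: In bare-mode-coverage.test the loop on the second `@TEST-EXEC` line only applies the `btest-bg-wait -k 2` timeout to scripts whose path matches `listen-clear|listen-ssl|controllee`; any other script that blocks after loading is run as a plain `bro -b $script` and will hang the whole test run, and the trailing `|| exit 0` then also hides the failure. Running every script under `btest-bg-run`/`btest-bg-wait -k` would make the timeout uniform; failing that, a comment above the loop such as `# extend the pattern below whenever a script that blocks after loading is added` would at least record the maintenance obligation the header comment only implies. As a matter of style, the unquoted command substitution and `$script` would break on paths containing whitespace, and `fi done` relies on bash accepting a reserved word directly after `fi`; `fi; done` reads more clearly. The `[[ ... =~ ... ]]` test is bash-specific, which I assume matches the shell btest invokes.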
diff --git a/testing/btest/policy/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/configuration_update.bro
rename to testing/btest/scripts/base/frameworks/control/configuration_update.bro
diff --git a/testing/btest/policy/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/id_value.bro
rename to testing/btest/scripts/base/frameworks/control/id_value.bro
diff --git a/testing/btest/policy/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/shutdown.bro
rename to testing/btest/scripts/base/frameworks/control/shutdown.bro
diff --git a/testing/btest/policy/frameworks/intel/insert-and-matcher.bro b/testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
similarity index 100%
rename from testing/btest/policy/frameworks/intel/insert-and-matcher.bro
rename to testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
diff --git a/testing/btest/policy/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/adapt-filter.bro
rename to testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-binary.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-empty.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-escape.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-options.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-options.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
diff --git a/testing/btest/policy/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/attr-extend.bro
rename to testing/btest/scripts/base/frameworks/logging/attr-extend.bro
diff --git a/testing/btest/policy/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/attr.bro
rename to testing/btest/scripts/base/frameworks/logging/attr.bro
diff --git a/testing/btest/policy/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/disable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/disable-stream.bro
diff --git a/testing/btest/policy/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/empty-event.bro
rename to testing/btest/scripts/base/frameworks/logging/empty-event.bro
diff --git a/testing/btest/policy/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/events.bro
rename to testing/btest/scripts/base/frameworks/logging/events.bro
diff --git a/testing/btest/policy/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/exclude.bro
rename to testing/btest/scripts/base/frameworks/logging/exclude.bro
diff --git a/testing/btest/policy/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/file.bro
rename to testing/btest/scripts/base/frameworks/logging/file.bro
diff --git a/testing/btest/policy/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/include.bro
rename to testing/btest/scripts/base/frameworks/logging/include.bro
diff --git a/testing/btest/policy/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/no-local.bro
rename to testing/btest/scripts/base/frameworks/logging/no-local.bro
diff --git a/testing/btest/policy/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/path-func.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func.bro
diff --git a/testing/btest/policy/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/pred.bro
rename to testing/btest/scripts/base/frameworks/logging/pred.bro
diff --git a/testing/btest/policy/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remote-types.bro
rename to testing/btest/scripts/base/frameworks/logging/remote-types.bro
diff --git a/testing/btest/policy/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remote.bro
rename to testing/btest/scripts/base/frameworks/logging/remote.bro
diff --git a/testing/btest/policy/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remove.bro
rename to testing/btest/scripts/base/frameworks/logging/remove.bro
diff --git a/testing/btest/policy/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotate-custom.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
diff --git a/testing/btest/policy/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotate.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate.bro
diff --git a/testing/btest/policy/frameworks/logging/rotation.trace b/testing/btest/scripts/base/frameworks/logging/rotation.trace
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotation.trace
rename to testing/btest/scripts/base/frameworks/logging/rotation.trace
diff --git a/testing/btest/policy/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/stdout.bro
rename to testing/btest/scripts/base/frameworks/logging/stdout.bro
diff --git a/testing/btest/policy/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/test-logging.bro
rename to testing/btest/scripts/base/frameworks/logging/test-logging.bro
diff --git a/testing/btest/policy/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/types.bro
rename to testing/btest/scripts/base/frameworks/logging/types.bro
diff --git a/testing/btest/policy/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/unset-record.bro
rename to testing/btest/scripts/base/frameworks/logging/unset-record.bro
diff --git a/testing/btest/policy/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/vec.bro
rename to testing/btest/scripts/base/frameworks/logging/vec.bro
diff --git a/testing/btest/policy/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/basic-cluster.bro
rename to testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
diff --git a/testing/btest/policy/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/basic.bro
rename to testing/btest/scripts/base/frameworks/metrics/basic.bro
diff --git a/testing/btest/policy/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/cluster-intermediate-update.bro
rename to testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
diff --git a/testing/btest/policy/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/notice.bro
rename to testing/btest/scripts/base/frameworks/metrics/notice.bro
diff --git a/testing/btest/policy/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
similarity index 100%
rename from testing/btest/policy/frameworks/software/version-parsing.bro
rename to testing/btest/scripts/base/frameworks/software/version-parsing.bro
diff --git a/testing/btest/policy/misc/init-default-coverage.bro b/testing/btest/scripts/base/init-default-coverage.bro
similarity index 100%
rename from testing/btest/policy/misc/init-default-coverage.bro
rename to testing/btest/scripts/base/init-default-coverage.bro
diff --git a/testing/btest/policy/protocols/http/http-header-crlf.bro b/testing/btest/scripts/base/protocols/http/http-header-crlf.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-header-crlf.bro
rename to testing/btest/scripts/base/protocols/http/http-header-crlf.bro
diff --git a/testing/btest/policy/protocols/http/http-mime-and-md5.bro b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-mime-and-md5.bro
rename to testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
diff --git a/testing/btest/policy/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-pipelining.bro
rename to testing/btest/scripts/base/protocols/http/http-pipelining.bro
diff --git a/testing/btest/policy/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
similarity index 100%
rename from testing/btest/policy/protocols/irc/basic.test
rename to testing/btest/scripts/base/protocols/irc/basic.test
diff --git a/testing/btest/policy/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test
similarity index 100%
rename from testing/btest/policy/protocols/irc/dcc-extract.test
rename to testing/btest/scripts/base/protocols/irc/dcc-extract.test
diff --git a/testing/btest/policy/protocols/smtp/basic.test b/testing/btest/scripts/base/protocols/smtp/basic.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/basic.test
rename to testing/btest/scripts/base/protocols/smtp/basic.test
diff --git a/testing/btest/policy/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/mime-extract.test
rename to testing/btest/scripts/base/protocols/smtp/mime-extract.test
diff --git a/testing/btest/policy/protocols/smtp/mime.test b/testing/btest/scripts/base/protocols/smtp/mime.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/mime.test
rename to testing/btest/scripts/base/protocols/smtp/mime.test
diff --git a/testing/btest/policy/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
similarity index 100%
rename from testing/btest/policy/utils/addrs.test
rename to testing/btest/scripts/base/utils/addrs.test
diff --git a/testing/btest/policy/utils/conn-ids.test b/testing/btest/scripts/base/utils/conn-ids.test
similarity index 100%
rename from testing/btest/policy/utils/conn-ids.test
rename to testing/btest/scripts/base/utils/conn-ids.test
diff --git a/testing/btest/policy/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
similarity index 100%
rename from testing/btest/policy/utils/directions-and-hosts.test
rename to testing/btest/scripts/base/utils/directions-and-hosts.test
diff --git a/testing/btest/policy/utils/files.test b/testing/btest/scripts/base/utils/files.test
similarity index 100%
rename from testing/btest/policy/utils/files.test
rename to testing/btest/scripts/base/utils/files.test
diff --git a/testing/btest/policy/utils/numbers.test b/testing/btest/scripts/base/utils/numbers.test
similarity index 100%
rename from testing/btest/policy/utils/numbers.test
rename to testing/btest/scripts/base/utils/numbers.test
diff --git a/testing/btest/policy/utils/paths.test b/testing/btest/scripts/base/utils/paths.test
similarity index 100%
rename from testing/btest/policy/utils/paths.test
rename to testing/btest/scripts/base/utils/paths.test
diff --git a/testing/btest/policy/utils/pattern.test b/testing/btest/scripts/base/utils/pattern.test
similarity index 100%
rename from testing/btest/policy/utils/pattern.test
rename to testing/btest/scripts/base/utils/pattern.test
diff --git a/testing/btest/policy/utils/site.test b/testing/btest/scripts/base/utils/site.test
similarity index 100%
rename from testing/btest/policy/utils/site.test
rename to testing/btest/scripts/base/utils/site.test
diff --git a/testing/btest/policy/utils/strings.test b/testing/btest/scripts/base/utils/strings.test
similarity index 100%
rename from testing/btest/policy/utils/strings.test
rename to testing/btest/scripts/base/utils/strings.test
diff --git a/testing/btest/policy/utils/thresholds.test b/testing/btest/scripts/base/utils/thresholds.test
similarity index 100%
rename from testing/btest/policy/utils/thresholds.test
rename to testing/btest/scripts/base/utils/thresholds.test
diff --git a/testing/btest/policy/misc/check-test-all-policy.bro b/testing/btest/scripts/check-test-all-policy.bro
similarity index 100%
rename from testing/btest/policy/misc/check-test-all-policy.bro
rename to testing/btest/scripts/check-test-all-policy.bro
diff --git a/testing/btest/policy/misc/bare-loaded-scripts.test b/testing/btest/scripts/policy/misc/bare-loaded-scripts.test
similarity index 100%
rename from testing/btest/policy/misc/bare-loaded-scripts.test
rename to testing/btest/scripts/policy/misc/bare-loaded-scripts.test
diff --git a/testing/btest/policy/misc/default-loaded-scripts.test b/testing/btest/scripts/policy/misc/default-loaded-scripts.test
similarity index 100%
rename from testing/btest/policy/misc/default-loaded-scripts.test
rename to testing/btest/scripts/policy/misc/default-loaded-scripts.test
diff --git a/testing/btest/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro
similarity index 100%
rename from testing/btest/policy/protocols/conn/known-hosts.bro
rename to testing/btest/scripts/policy/protocols/conn/known-hosts.bro
diff --git a/testing/btest/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.bro
similarity index 100%
rename from testing/btest/policy/protocols/conn/known-services.bro
rename to testing/btest/scripts/policy/protocols/conn/known-services.bro
diff --git a/testing/btest/policy/protocols/dns/event-priority.bro b/testing/btest/scripts/policy/protocols/dns/event-priority.bro
similarity index 100%
rename from testing/btest/policy/protocols/dns/event-priority.bro
rename to testing/btest/scripts/policy/protocols/dns/event-priority.bro
diff --git a/testing/btest/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/test-sql-injection-regex.bro
rename to testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
diff --git a/testing/btest/policy/site/testing-local.bro b/testing/btest/scripts/site/local.test
similarity index 100%
rename from testing/btest/policy/site/testing-local.bro
rename to testing/btest/scripts/site/local.test
diff --git a/testing/btest/policy/misc/test-all-default-coverage.bro b/testing/btest/scripts/test-all-policy-coverage.bro
similarity index 100%
rename from testing/btest/policy/misc/test-all-default-coverage.bro
rename to testing/btest/scripts/test-all-policy-coverage.bro