From 47500ceef4b913ef3f923c6dd98291ea01fec5f2 Mon Sep 17 00:00:00 2001 
From: Jon Siwek
Date: Wed, 10 Aug 2011 15:03:14 -0500
Subject: [PATCH 01/21] Add a test that checks each individual script can be loaded in bare-mode. Fixed most @load dependency issues in the process. The test is still failing in a "known" way due to hot.conn.bro and scan.bro. Adressess #545
---
 scripts/base/frameworks/cluster/main.bro | 3 ++-
 scripts/base/frameworks/cluster/nodes/manager.bro | 2 ++
 scripts/base/frameworks/cluster/nodes/worker.bro | 1 +
 scripts/base/frameworks/cluster/setup-connections.bro | 3 +++
 scripts/base/frameworks/communication/main.bro | 2 ++
 scripts/base/frameworks/intel/main.bro | 2 ++
 scripts/base/frameworks/metrics/main.bro | 2 ++
 scripts/base/frameworks/notice/actions/drop.bro | 4 +++-
 scripts/base/frameworks/notice/actions/email_admin.bro | 4 +++-
 scripts/base/frameworks/notice/actions/page.bro | 3 ++-
 .../base/frameworks/notice/extend-email/hostnames.bro | 5 +++--
 scripts/base/frameworks/notice/weird.bro | 3 +++
 scripts/base/frameworks/packet-filter/main.bro | 2 ++
 scripts/base/frameworks/packet-filter/netstats.bro | 2 ++
 scripts/base/frameworks/signatures/main.bro | 2 ++
 scripts/base/frameworks/software/main.bro | 3 +++
 scripts/base/protocols/conn/contents.bro | 2 ++
 scripts/base/protocols/conn/main.bro | 1 +
 scripts/base/protocols/dns/main.bro | 1 +
 scripts/base/protocols/ftp/file-extract.bro | 5 ++++-
 scripts/base/protocols/ftp/main.bro | 4 ++++
 scripts/base/protocols/http/file-extract.bro | 4 ++++
 scripts/base/protocols/http/file-hash.bro | 2 ++
 scripts/base/protocols/http/file-ident.bro | 5 +++++
 scripts/base/protocols/http/main.bro | 1 +
 scripts/base/protocols/http/partial-content.bro | 4 ++++
 scripts/base/protocols/http/utils.bro | 2 ++
 scripts/base/protocols/irc/dcc-send.bro | 3 +++
 scripts/base/protocols/mime/__load__.bro | 8 ++++----
 scripts/base/protocols/mime/base.bro | 2 +-
 scripts/base/protocols/mime/file-extract.bro | 6 +++---
 scripts/base/protocols/mime/file-hash.bro | 5 +++--
 scripts/base/protocols/mime/file-ident.bro | 2 +-
 scripts/base/protocols/rpc/base.bro | 2 ++
 scripts/base/protocols/smtp/main.bro | 3 +++
 scripts/base/protocols/ssh/main.bro | 4 ++++
 scripts/base/protocols/ssl/main.bro | 2 ++
 scripts/base/protocols/ssl/mozilla-ca-list.bro | 2 +-
 scripts/base/utils/directions-and-hosts.bro | 1 +
 scripts/policy/frameworks/communication/listen-clear.bro | 2 ++
 scripts/policy/frameworks/communication/listen-ssl.bro | 2 ++
 scripts/policy/frameworks/control/controllee.bro | 2 +-
 scripts/policy/frameworks/control/controller.bro | 4 +++-
 scripts/policy/frameworks/dpd/detect-protocols.bro | 4 ++++
 scripts/policy/frameworks/dpd/packet-segment-logging.bro | 2 ++
 scripts/policy/frameworks/metrics/conn-example.bro | 4 +++-
 scripts/policy/frameworks/metrics/http-example.bro | 6 ++++--
 scripts/policy/frameworks/metrics/ssl-example.bro | 5 +++--
 scripts/policy/frameworks/software/version-changes.bro | 2 ++
 scripts/policy/frameworks/software/vulnerable.bro | 4 +++-
 scripts/policy/integration/barnyard2/__load__.bro | 5 ++---
 scripts/policy/integration/barnyard2/base.bro | 2 +-
 scripts/policy/integration/barnyard2/event.bro | 3 ---
 scripts/policy/integration/barnyard2/types.bro | 9 ++++++++-
 scripts/policy/protocols/conn/known-hosts.bro | 2 ++
 scripts/policy/protocols/conn/known-services.bro | 2 ++
 scripts/policy/protocols/conn/scan.bro | 2 +-
 scripts/policy/protocols/dns/auth-addl.bro | 1 +
 scripts/policy/protocols/dns/detect-external-names.bro | 3 +++
 scripts/policy/protocols/ftp/detect.bro | 4 +++-
 scripts/policy/protocols/ftp/software.bro | 2 ++
 scripts/policy/protocols/http/detect-MHR.bro | 5 +++++
 scripts/policy/protocols/http/detect-intel.bro | 6 +++++-
 scripts/policy/protocols/http/detect-sqli.bro | 6 +++++-
 scripts/policy/protocols/http/detect-webapps.bro | 4 ++++
 scripts/policy/protocols/http/headers.bro | 2 ++
 scripts/policy/protocols/http/software.bro | 4 +++-
 scripts/policy/protocols/http/var-extraction-cookies.bro | 3 +++
 scripts/policy/protocols/http/var-extraction-uri.bro | 3 +++
 scripts/policy/protocols/smtp/detect-suspicious-orig.bro | 2 ++
 scripts/policy/protocols/smtp/software.bro | 3 +++
 scripts/policy/protocols/ssh/software.bro | 1 +
 scripts/policy/protocols/ssl/known-certs.bro | 1 +
 scripts/policy/protocols/ssl/validate-certs.bro | 2 ++
 .../tuning/defaults/remove-high-volume-notices.bro | 3 +++
 scripts/policy/tuning/defaults/warnings.bro | 4 +++-
 scripts/policy/tuning/track-all-assets.bro | 2 +-
 scripts/test-all-policy.bro | 1 -
 .../policy.misc.bare-mode-coverage/unique_errors | 0
 testing/btest/policy/misc/bare-mode-coverage.test | 8 ++++++++
 testing/btest/policy/misc/check-bare-test-all-policy.bro | 7 -------
 81 files changed, 203 insertions(+), 50 deletions(-)
 delete mode 100644 scripts/policy/integration/barnyard2/event.bro
 create mode 100644 testing/btest/Baseline/policy.misc.bare-mode-coverage/unique_errors
 create mode 100644 testing/btest/policy/misc/bare-mode-coverage.test
 delete mode 100644 testing/btest/policy/misc/check-bare-test-all-policy.bro
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
index 0fc793e7f5..7b277769fb 100644
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/control/main
 module Cluster;
@@ -65,4 +66,4 @@ event bro_init()
 }
 Log::create_stream(CLUSTER, [$columns=Info]);
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/cluster/nodes/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.bro
index c9ce8c2d1a..d52078cc7c 100644
--- a/scripts/base/frameworks/cluster/nodes/manager.bro
+++ b/scripts/base/frameworks/cluster/nodes/manager.bro
@@ -8,6 +8,8 @@
 ##! This is where the cluster manager sets it's specific settings for other
 ##! frameworks and in the core.
+@load base/frameworks/notice/main
+
 @prefixes += cluster-manager
 ## Turn off remote logging since this is the manager and should only log here.
diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.bro
index cf8620c5d7..eb0c271a17 100644
--- a/scripts/base/frameworks/cluster/nodes/worker.bro
+++ b/scripts/base/frameworks/cluster/nodes/worker.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/notice/main
 @prefixes += cluster-worker
diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro
index 04d474e604..956a6194f4 100644
--- a/scripts/base/frameworks/cluster/setup-connections.bro
+++ b/scripts/base/frameworks/cluster/setup-connections.bro
@@ -1,3 +1,6 @@
+@load ./main
+@load base/frameworks/communication/main
+
 module Cluster;
 event bro_init() &priority=9
diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
index 73e6086f97..270c3102e2 100644
--- a/scripts/base/frameworks/communication/main.bro
+++ b/scripts/base/frameworks/communication/main.bro
@@ -1,6 +1,8 @@
 ##! Connect to remote Bro or Broccoli instances to share state and/or transfer
 ##! events.
+@load base/frameworks/packet-filter/main
+
 module Communication;
 export {
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 9849d4df42..886d5f2f16 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -20,6 +20,8 @@
 # canary
 # friend
+@load base/frameworks/notice/main
+
 module Intel;
 export {
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index 29f18ab824..a8fa805a31 100644
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -1,5 +1,7 @@
 ##! This is the implementation of the metrics framework.
+@load base/frameworks/notice/main
+
 module Metrics;
 export {
diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.bro
index fc1f608f9f..0116dd4ed4 100644
--- a/scripts/base/frameworks/notice/actions/drop.bro
+++ b/scripts/base/frameworks/notice/actions/drop.bro
@@ -1,6 +1,8 @@
 ##! This script extends the built in notice code to implement the IP address
 ##! dropping functionality.
+@load ../main
+
 module Notice;
 export {
@@ -31,4 +33,4 @@ event bro_init()
 };
 add Notice::sync_functions[drop_func];
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.bro
index 07a6568327..56c0d5853d 100644
--- a/scripts/base/frameworks/notice/actions/email_admin.bro
+++ b/scripts/base/frameworks/notice/actions/email_admin.bro
@@ -1,3 +1,5 @@
+@load ../main
+@load base/utils/site
 module Notice;
@@ -25,4 +27,4 @@ event notice(n: Notice::Info) &priority=-5
 if ( email != "" )
 email_notice_to(n, email, T);
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.bro
index 059a92c0c9..f88064ac47 100644
--- a/scripts/base/frameworks/notice/actions/page.bro
+++ b/scripts/base/frameworks/notice/actions/page.bro
@@ -1,3 +1,4 @@
+@load ../main
 module Notice;
@@ -16,4 +17,4 @@ event notice(n: Notice::Info) &priority=-5
 {
 if ( ACTION_PAGE in n$actions )
 email_notice_to(n, mail_page_dest, F);
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/base/frameworks/notice/extend-email/hostnames.bro
index 83cdc4807d..b7be601db0 100644
--- a/scripts/base/frameworks/notice/extend-email/hostnames.bro
+++ b/scripts/base/frameworks/notice/extend-email/hostnames.bro
@@ -1,3 +1,4 @@
+@load ../main
 module Notice;
@@ -8,7 +9,7 @@ event Notice::notice(n: Notice::Info) &priority=10
 return;
 # This should only be done for notices that are being sent to email.
- if ( ACTION_EMAIL !in n$action )
+ if ( ACTION_EMAIL !in n$actions )
 return;
 local output = "";
@@ -37,4 +38,4 @@ event Notice::notice(n: Notice::Info) &priority=10
 if ( output != "" )
 n$email_body_sections[|n$email_body_sections|] = output;
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 4718dc204a..556b34432a 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -1,3 +1,6 @@
+@load base/utils/conn-ids
+@load base/utils/site
+@load ./main
 module Weird;
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
index b030e763f0..74ea4bc6de 100644
--- a/scripts/base/frameworks/packet-filter/main.bro
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -4,6 +4,8 @@
 ##! open filter and all filters defined in Bro scripts with the
 ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
+@load base/frameworks/notice/main
+
 module PacketFilter;
 export {
diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro
index 887c7222e0..081b2d753e 100644
--- a/scripts/base/frameworks/packet-filter/netstats.bro
+++ b/scripts/base/frameworks/packet-filter/netstats.bro
@@ -1,5 +1,7 @@
 ##! This script reports on packet loss from the various packet sources.
+@load base/frameworks/notice/main
+
 module PacketFilter;
 export {
diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro
index 9f218ab144..d84223af13 100644
--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -1,5 +1,7 @@
 ##! Script level signature support.
+@load base/frameworks/notice/main
+
 module Signatures;
 export {
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index e35902aff1..7f9a55673b 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -4,6 +4,9 @@
 ##! that they analyze. The entry point for providing new software detections
 ##! to this framework is through the :bro:id:`Software::found` function.
+@load base/utils/directions-and-hosts
+@load base/utils/numbers
+
 module Software;
 export {
diff --git a/scripts/base/protocols/conn/contents.bro b/scripts/base/protocols/conn/contents.bro
index 21945beed5..feabb1303c 100644
--- a/scripts/base/protocols/conn/contents.bro
+++ b/scripts/base/protocols/conn/contents.bro
@@ -8,6 +8,8 @@
 ##! This script does not work well in a cluster context unless it has a
 ##! remotely mounted disk to write the content files to.
+@load base/utils/files
+
 module Conn;
 export {
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index 69c4cde64b..1af80bc18d 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -1,3 +1,4 @@
+@load base/utils/site
 module Conn;
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 59ade654d4..eff1b4c4f0 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -1,3 +1,4 @@
+@load ./consts
 module DNS;
diff --git a/scripts/base/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro
index 5ebe0ec63c..c638e90a65 100644
--- a/scripts/base/protocols/ftp/file-extract.bro
+++ b/scripts/base/protocols/ftp/file-extract.bro
@@ -1,5 +1,8 @@
 ##! File extraction for FTP.
+@load ./main
+@load base/utils/files
+
 module FTP;
 export {
@@ -62,4 +65,4 @@ event log_ftp(rec: Info) &priority=-10
 {
 delete rec$extraction_file;
 delete rec$extract_file;
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index bf32ba3114..9dd6a4b6d2 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -7,6 +7,10 @@
 ##!
 ##! * Handle encrypted sessions correctly (get an example?)
+@load ./utils-commands
+@load base/utils/paths
+@load base/utils/numbers
+
 module FTP;
 export {
diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro
index 24ee1d8b93..d36d95e475 100644
--- a/scripts/base/protocols/http/file-extract.bro
+++ b/scripts/base/protocols/http/file-extract.bro
@@ -1,6 +1,10 @@
 ##! Extracts the items from HTTP traffic, one per file. At this time only
 ##! the message body from the server can be extracted with this script.
+@load ./main
+@load ./file-ident
+@load base/utils/files
+
 module HTTP;
 export {
diff --git a/scripts/base/protocols/http/file-hash.bro b/scripts/base/protocols/http/file-hash.bro
index 26f8abf51a..6da624728d 100644
--- a/scripts/base/protocols/http/file-hash.bro
+++ b/scripts/base/protocols/http/file-hash.bro
@@ -1,5 +1,7 @@
 ##! Calculate hashes for HTTP body transfers.
+@load ./file-ident
+
 module HTTP;
 export {
diff --git a/scripts/base/protocols/http/file-ident.bro b/scripts/base/protocols/http/file-ident.bro
index 082adf75d3..0803d8680d 100644
--- a/scripts/base/protocols/http/file-ident.bro
+++ b/scripts/base/protocols/http/file-ident.bro
@@ -1,6 +1,11 @@
 ##! This script is involved in the identification of file types in HTTP
 ##! response bodies.
+@load base/frameworks/signatures/main
+@load base/frameworks/notice/main
+@load base/protocols/http/main
+@load base/protocols/http/utils
+
 # Add the magic number signatures to the core signature set.
 redef signature_files += "base/protocols/http/file-ident.sig";
 # Ignore the signatures used to match files
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 172fb2bd1c..f51b49b93c 100644
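Review bot: The intra-directory loads added to file-ident.bro use the repository-absolute form (`@load base/protocols/http/main`, `@load base/protocols/http/utils`) while the sibling hunks in the same directory — http/file-extract.bro and http/file-hash.bro — use `@load ./main` and `@load ./file-ident` for the very same files, so one directory now mixes both conventions. The `./` form is what this commit adopts elsewhere (e.g. the mime/__load__.bro rewrite) and keeps working if the directory is ever moved; I'd change the two lines to `@load ./main` and `@load ./utils`. The framework loads (`base/frameworks/...`) are fine as absolute paths.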
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -1,3 +1,4 @@
+@load base/utils/numbers
 module HTTP;
diff --git a/scripts/base/protocols/http/partial-content.bro b/scripts/base/protocols/http/partial-content.bro
index 130cc0db28..cc34dd6df6 100644
--- a/scripts/base/protocols/http/partial-content.bro
+++ b/scripts/base/protocols/http/partial-content.bro
@@ -3,6 +3,10 @@
 ##!
 ##! This script doesn't work yet and isn't loaded by default.
+@load base/frameworks/notice/main
+@load ./main
+@load ./utils
+
 module HTTP;
 export {
diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro
index 716b1c608b..6e2583bc75 100644
--- a/scripts/base/protocols/http/utils.bro
+++ b/scripts/base/protocols/http/utils.bro
@@ -1,5 +1,7 @@
 ##! Utilities specific for HTTP processing.
+@load ./main
+
 module HTTP;
 export {
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index 1b8dc67c25..92d73e70bf 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -8,6 +8,9 @@
 ##! Example line from IRC server indicating that the DCC SEND is about to start:
 ##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
+@load ./main
+@load base/utils/files
+
 module IRC;
 export {
diff --git a/scripts/base/protocols/mime/__load__.bro b/scripts/base/protocols/mime/__load__.bro
index 36e9f16426..86098bb598 100644
--- a/scripts/base/protocols/mime/__load__.bro
+++ b/scripts/base/protocols/mime/__load__.bro
@@ -1,4 +1,4 @@
-@load protocols/mime/base
-@load protocols/mime/file-ident
-@load protocols/mime/file-extract
-@load protocols/mime/file-hash
+@load ./base
+@load ./file-ident
+@load ./file-extract
+@load ./file-hash
diff --git a/scripts/base/protocols/mime/base.bro b/scripts/base/protocols/mime/base.bro
index d0212870a4..df495387d7 100644
--- a/scripts/base/protocols/mime/base.bro
+++ b/scripts/base/protocols/mime/base.bro
@@ -1,7 +1,7 @@
 ##! The mime script does analysis of MIME encoded messages seen in certain
 ##! protocols (only SMTP and POP3 at the moment).
-@load utils/strings
+@load base/utils/strings
 module MIME;
diff --git a/scripts/base/protocols/mime/file-extract.bro b/scripts/base/protocols/mime/file-extract.bro
index d6989ad809..33d2c70513 100644
--- a/scripts/base/protocols/mime/file-extract.bro
+++ b/scripts/base/protocols/mime/file-extract.bro
@@ -1,5 +1,5 @@
-@load protocols/mime/file-ident
-@load utils/files
+@load ./file-ident
+@load base/utils/files
 module MIME;
@@ -57,4 +57,4 @@ event mime_end_entity(c: connection) &priority=-3
 if ( c$mime?$extraction_file )
 close(c$mime$extraction_file);
 }
-
\ No newline at end of file
+
diff --git a/scripts/base/protocols/mime/file-hash.bro b/scripts/base/protocols/mime/file-hash.bro
index 3384928d58..4be2811e43 100644
--- a/scripts/base/protocols/mime/file-hash.bro
+++ b/scripts/base/protocols/mime/file-hash.bro
@@ -1,4 +1,5 @@
-@load protocols/mime/file-ident
+@load ./file-ident
+@load base/frameworks/notice/main
 module MIME;
@@ -75,4 +76,4 @@ event mime_end_entity(c: connection) &priority=-3
 NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h), $sub=c$mime$md5, $conn=c]);
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/mime/file-ident.bro b/scripts/base/protocols/mime/file-ident.bro
index ba5310d362..346fde1bba 100644
--- a/scripts/base/protocols/mime/file-ident.bro
+++ b/scripts/base/protocols/mime/file-ident.bro
@@ -1,4 +1,4 @@
-@load protocols/mime/base
+@load ./base
 module MIME;
diff --git a/scripts/base/protocols/rpc/base.bro b/scripts/base/protocols/rpc/base.bro
index 936684a728..36a524c880 100644
--- a/scripts/base/protocols/rpc/base.bro
+++ b/scripts/base/protocols/rpc/base.bro
@@ -8,6 +8,8 @@
 # programs for which we don't have an analyzer.
 #
+@load base/utils/conn-ids
+
 module RPC;
 export {
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index e034a459d4..bebd902ebc 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -1,3 +1,6 @@
+@load base/frameworks/notice/main
+@load base/utils/addrs
+@load base/utils/directions-and-hosts
 module SMTP;
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 7cc87b6684..1d1747a2fe 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -1,3 +1,7 @@
+@load base/frameworks/notice/main
+@load base/utils/site
+@load base/utils/thresholds
+@load base/utils/conn-ids
 module SSH;
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 775b59a6e5..696131d2fb 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -1,3 +1,5 @@
+@load ./consts
+@load base/frameworks/notice/main
 module SSL;
diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro
index 0df3e0b9f2..2e89d83d6e 100644
--- a/scripts/base/protocols/ssl/mozilla-ca-list.bro
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro
@@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. # Generated at: Wed Jun 29 07:52:38 -0400 2011 - +@load base/protocols/ssl/main module SSL; redef root_certs += { ["GTE CyberTrust Global Root"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7
\x79\xB4\x1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F", diff --git a/scripts/base/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.bro index 6b387ef980..a88c4827a6 100644 --- a/scripts/base/utils/directions-and-hosts.bro +++ b/scripts/base/utils/directions-and-hosts.bro @@ -1,3 +1,4 @@ +@load ./site type Direction: enum { ## The connection originator is not within the locally-monitored network, diff --git a/scripts/policy/frameworks/communication/listen-clear.bro b/scripts/policy/frameworks/communication/listen-clear.bro index 1854e12f56..44fa197570 100644 --- a/scripts/policy/frameworks/communication/listen-clear.bro +++ b/scripts/policy/frameworks/communication/listen-clear.bro @@ -1,5 +1,7 @@ ##! Listen for other Bro instances to make unencrypted connections. +@load base/frameworks/communication/main + module Communication; export { diff --git a/scripts/policy/frameworks/communication/listen-ssl.bro b/scripts/policy/frameworks/communication/listen-ssl.bro index fe6304206f..f4e7f955b7 100644 --- a/scripts/policy/frameworks/communication/listen-ssl.bro +++ b/scripts/policy/frameworks/communication/listen-ssl.bro @@ -1,5 +1,7 @@ ##! Listen for other Bro instances and encrypt the connection with SSL. +@load base/frameworks/communication/main + module Communication; export { 
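Review bot: The `+@load base/protocols/ssl/main` line is a hand edit to mozilla-ca-list.bro, whose first line states `# Don't edit! This file is automatically generated.`; the next regeneration of the CA bundle will drop the load and bare-mode loading of this script will regress silently. The generator is not part of this patch, so either it needs to emit that `@load` itself, or this file should stay dependency-free and whichever script pulls it in (presumably the ssl `__load__` or `main`, not visible here) should be the one that establishes `module SSL` first. The `# Generated at:` header also stays unchanged, so a reader cannot tell the file has since been touched.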
diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro
index 518336abd8..abddaec5b0 100644
--- a/scripts/policy/frameworks/control/controllee.bro
+++ b/scripts/policy/frameworks/control/controllee.bro
@@ -1,4 +1,4 @@
-
+@load base/frameworks/control/main
 # If an instance is a controllee, it implicitly needs to listen for remote
 # connections.
 @load frameworks/communication/listen-clear
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro
index 8c60ef457a..4f1021ffc6 100644
--- a/scripts/policy/frameworks/control/controller.bro
+++ b/scripts/policy/frameworks/control/controller.bro
@@ -1,3 +1,5 @@
+@load base/frameworks/control/main
+@load base/frameworks/communication/main
 module Control;
@@ -99,4 +101,4 @@ event remote_connection_handshake_done(p: event_peer) &priority=-10
 # Signal configuration update to peer.
 event Control::configuration_update_request();
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro
index cbe81df889..2d6f4a936a 100644
--- a/scripts/policy/frameworks/dpd/detect-protocols.bro
+++ b/scripts/policy/frameworks/dpd/detect-protocols.bro
@@ -1,5 +1,9 @@
 ##! Finds connections with protocols on non-standard ports with DPD.
+@load base/frameworks/notice/main
+@load base/utils/site
+@load base/utils/conn-ids
+
 module ProtocolDetector;
 export {
diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro
index 2276b49e64..96acf9c99a 100644
--- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro
+++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro
@@ -4,6 +4,8 @@
 ##! A caveat to logging packet data is that in some cases, the packet may
 ##! not be the packet that actually caused the protocol violation.
+@load base/frameworks/dpd/main
+
 module DPD;
 export {
diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro
index e67117a7e0..10ea0efc34 100644
--- a/scripts/policy/frameworks/metrics/conn-example.bro
+++ b/scripts/policy/frameworks/metrics/conn-example.bro
@@ -1,3 +1,5 @@
+@load base/frameworks/metrics/main
+@load base/utils/site
 redef enum Metrics::ID += {
 CONNS_ORIGINATED,
@@ -17,4 +19,4 @@ event connection_established(c: connection)
 Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h]);
 Metrics::add_data(CONNS_RESPONDED, [$host=c$id$resp_h]);
 }
-
\ No newline at end of file
+
diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro
index 904ec9a227..be3b3a66e7 100644
--- a/scripts/policy/frameworks/metrics/http-example.bro
+++ b/scripts/policy/frameworks/metrics/http-example.bro
@@ -1,4 +1,6 @@
-
+@load base/frameworks/metrics/main
+@load base/protocols/http/main
+@load base/utils/site
 redef enum Metrics::ID += {
 HTTP_REQUESTS_BY_STATUS_CODE,
@@ -19,4 +21,4 @@ event HTTP::log_http(rec: HTTP::Info)
 Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$index=rec$host]);
 if ( rec?$status_code )
 Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $index=fmt("%d", rec$status_code)]);
- }
\ No newline at end of file
+ }
diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro
index e043690feb..0b544507dd 100644
--- a/scripts/policy/frameworks/metrics/ssl-example.bro
+++ b/scripts/policy/frameworks/metrics/ssl-example.bro
@@ -1,4 +1,5 @@
-
+@load base/frameworks/metrics/main
+@load base/protocols/ssl/main
 redef enum Metrics::ID += {
 SSL_SERVERNAME,
@@ -19,4 +20,4 @@ event SSL::log_ssl(rec: SSL::Info)
 {
 if ( rec?$server_name )
 Metrics::add_data(SSL_SERVERNAME, [$index=rec$server_name]);
- }
\ No newline at end of file
+ }
diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro
index 3b562b5334..6837aa3140 100644
--- a/scripts/policy/frameworks/software/version-changes.bro
+++ b/scripts/policy/frameworks/software/version-changes.bro
@@ -1,3 +1,5 @@
+@load base/frameworks/notice/main
+@load base/frameworks/software/main
 module Software;
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
index ec0348d563..1a046471ee 100644
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -1,3 +1,5 @@
+@load base/frameworks/notice/main
+@load base/frameworks/software/main
 module Software;
@@ -18,4 +20,4 @@ event log_software(rec: Info)
 {
 NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]);
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.bro
index 9e870eb7aa..ce5bad3fe8 100644
--- a/scripts/policy/integration/barnyard2/__load__.bro
+++ b/scripts/policy/integration/barnyard2/__load__.bro
@@ -1,3 +1,2 @@
-@load integration/barnyard2/types
-@load integration/barnyard2/event
-@load integration/barnyard2/base
+@load ./types
+@load ./base
diff --git a/scripts/policy/integration/barnyard2/base.bro b/scripts/policy/integration/barnyard2/base.bro
index f05ad0e9bf..f8ba48dd99 100644
--- a/scripts/policy/integration/barnyard2/base.bro
+++ b/scripts/policy/integration/barnyard2/base.bro
@@ -2,7 +2,7 @@
 ##! Barnyard2 and logs them. In the future it will do more correlation
 ##! and derive new notices from the alerts.
-@load integration/barnyard2/types
+@load ./types
 module Barnyard2;
diff --git a/scripts/policy/integration/barnyard2/event.bro b/scripts/policy/integration/barnyard2/event.bro
deleted file mode 100644
index 5fa2747a28..0000000000
--- a/scripts/policy/integration/barnyard2/event.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-## This is the event that Barnyard2 instances will send if they're
-## configured with the bro_alert output plugin.
-global barnyard_alert: event(id: Barnyard2::PacketID, alert: Barnyard2::AlertData, msg: string, data: string);
diff --git a/scripts/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.bro
index 9bc56773ef..6cfcbb9535 100644
--- a/scripts/policy/integration/barnyard2/types.bro
+++ b/scripts/policy/integration/barnyard2/types.bro
@@ -22,4 +22,11 @@ export {
 dst_ip: addr;
 dst_p: port;
 } &log;
-}
\ No newline at end of file
+
+ ## This is the event that Barnyard2 instances will send if they're
+ ## configured with the bro_alert output plugin.
+ global barnyard_alert: event(id: Barnyard2::PacketID,
+ alert: Barnyard2::AlertData,
+ msg: string,
+ data: string);
+}
diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro
index 72bdaf01a4..6fc59d4d15 100644
--- a/scripts/policy/protocols/conn/known-hosts.bro
+++ b/scripts/policy/protocols/conn/known-hosts.bro
@@ -3,6 +3,8 @@
 ##! output provides an easy way to determine a count of the IP addresses in
 ##! use on a network per day.
+@load base/utils/directions-and-hosts
+
 module KnownHosts;
 export {
diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro
index 35a19a14f0..3676cbb05b 100644
--- a/scripts/policy/protocols/conn/known-services.bro
+++ b/scripts/policy/protocols/conn/known-services.bro
@@ -3,6 +3,8 @@ ##! completed a TCP handshake with another host. If a protocol is detected ##! during the session, the protocol will also be logged. +@load base/utils/directions-and-hosts + module KnownServices; redef enum Log::ID += { KNOWN_SERVICES }; diff --git a/scripts/policy/protocols/conn/scan.bro b/scripts/policy/protocols/conn/scan.bro index fabb865093..a0e2408679 100644 --- a/scripts/policy/protocols/conn/scan.bro +++ b/scripts/policy/protocols/conn/scan.bro @@ -1,4 +1,4 @@ -@load frameworks/notice +@load base/frameworks/notice/main @load port-name module Scan; diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro index ba21131f7c..dd00e59c2e 100644 --- a/scripts/policy/protocols/dns/auth-addl.bro +++ b/scripts/policy/protocols/dns/auth-addl.bro @@ -1,3 +1,4 @@ +@load base/protocols/dns/main redef dns_skip_all_auth = F; redef dns_skip_all_addl = F; diff --git a/scripts/policy/protocols/dns/detect-external-names.bro b/scripts/policy/protocols/dns/detect-external-names.bro index fd49fee183..f6f0e596cc 100644 --- a/scripts/policy/protocols/dns/detect-external-names.bro +++ b/scripts/policy/protocols/dns/detect-external-names.bro @@ -8,6 +8,9 @@ ##! to be within a local zone. :bro:id:`local_zones` variable **must** ##! be set appropriately for this detection. +@load base/frameworks/notice/main +@load base/utils/site + module DNS; export { diff --git a/scripts/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.bro index 4e69dec655..cb89599a93 100644 --- a/scripts/policy/protocols/ftp/detect.bro +++ b/scripts/policy/protocols/ftp/detect.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/ftp/main module FTP; @@ -21,4 +23,4 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior NOTICE([$note=Site_Exec_Success, $conn=c, $msg=fmt("%s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg)]); } - } \ No newline at end of file + } 
diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.bro index 918123bb4c..7dfd54ddca 100644 --- a/scripts/policy/protocols/ftp/software.bro +++ b/scripts/policy/protocols/ftp/software.bro @@ -6,6 +6,8 @@ ##! * Detect client software with password given for anonymous users ##! (e.g. cyberduck@example.net) +@load base/frameworks/software/main + module FTP; export { diff --git a/scripts/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro index 11e1d9f87e..adf0707205 100644 --- a/scripts/policy/protocols/http/detect-MHR.bro +++ b/scripts/policy/protocols/http/detect-MHR.bro @@ -4,6 +4,11 @@ ##! documentation for the protocols/http/file-hash.bro script to see how to ##! configure which transfers will have hashes calculated. +@load base/frameworks/notice/main +@load base/protocols/http/main +@load base/protocols/http/utils +@load base/protocols/http/file-hash + export { redef enum Notice::Type += { ## If the MD5 sum of a file transferred over HTTP diff --git a/scripts/policy/protocols/http/detect-intel.bro b/scripts/policy/protocols/http/detect-intel.bro index ebe6713c03..6da4d8d1e1 100644 --- a/scripts/policy/protocols/http/detect-intel.bro +++ b/scripts/policy/protocols/http/detect-intel.bro @@ -1,5 +1,9 @@ ##! Intelligence based HTTP detections. +@load base/protocols/http/main +@load base/protocols/http/utils +@load base/frameworks/intel/main + module HTTP; event log_http(rec: Info) @@ -14,4 +18,4 @@ event log_http(rec: Info) $sub=HTTP::build_url_http(rec), $id=rec$id]); } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro index 45a2bdb205..c1e6281c6b 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.bro 
@@ -1,5 +1,9 @@ ##! SQL injection detection in HTTP. +@load base/frameworks/notice/main +@load base/frameworks/metrics/main +@load base/protocols/http/main + module HTTP; export { @@ -54,4 +58,4 @@ event http_request(c: connection, method: string, original_URI: string, Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h]); Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h]); } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro index 350f0def98..493ea9b44b 100644 --- a/scripts/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -1,3 +1,7 @@ +@load base/frameworks/signatures/main +@load base/frameworks/software/main +@load base/protocols/http/main +@load base/protocols/http/utils module HTTP; diff --git a/scripts/policy/protocols/http/headers.bro b/scripts/policy/protocols/http/headers.bro index 4451e876ec..dc3eddcbc0 100644 --- a/scripts/policy/protocols/http/headers.bro +++ b/scripts/policy/protocols/http/headers.bro @@ -1,5 +1,7 @@ ##! Extract and include the header keys used for each request in the log. +@load base/protocols/http/main + module HTTP; export { diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.bro index 5a16b862a6..a7948d6a5b 100644 --- a/scripts/policy/protocols/http/software.bro +++ b/scripts/policy/protocols/http/software.bro @@ -1,5 +1,7 @@ ##! Software identification and extraction for HTTP traffic. +@load base/frameworks/software/main + module HTTP; export { @@ -52,4 +54,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr Software::found(c$id, Software::parse(value, c$id$resp_h, WEB_APPSERVER)); } } - } \ No newline at end of file + } diff --git a/scripts/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.bro index b30be9d2c1..2b3f282b03 100644 
--- a/scripts/policy/protocols/http/var-extraction-cookies.bro +++ b/scripts/policy/protocols/http/var-extraction-cookies.bro @@ -1,5 +1,8 @@ ##! This script extracts and logs variables from cookies sent by clients +@load base/protocols/http/main +@load base/protocols/http/utils + module HTTP; redef record Info += { diff --git a/scripts/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.bro index a6e6b1d971..32ea147961 100644 --- a/scripts/policy/protocols/http/var-extraction-uri.bro +++ b/scripts/policy/protocols/http/var-extraction-uri.bro @@ -1,5 +1,8 @@ ##! This script extracts and logs variables from the requested URI +@load base/protocols/http/main +@load base/protocols/http/utils + module HTTP; redef record Info += { diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro index 26f667cfd6..8e85b8db97 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/smtp/main module SMTP; diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.bro index 09bc59c636..2099c89dc6 100644 --- a/scripts/policy/protocols/smtp/software.bro +++ b/scripts/policy/protocols/smtp/software.bro @@ -7,6 +7,9 @@ ##! * Find some heuristic to determine if email was sent through ##! a MS Exhange webmail interface as opposed to a desktop client. +@load base/frameworks/software/main +@load base/protocols/smtp/main + module SMTP; export { diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.bro index d40ad513c8..ea04d44370 100644 --- a/scripts/policy/protocols/ssh/software.bro +++ b/scripts/policy/protocols/ssh/software.bro @@ -1,3 +1,4 @@ +@load base/frameworks/software/main module SSH; 
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index a8815dca07..7bff4bbf38 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -1,3 +1,4 @@ +@load base/utils/directions-and-hosts module KnownCerts; diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 43920557f4..3e457c72ea 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -1,3 +1,5 @@ +@load base/frameworks/notice/main +@load base/protocols/ssl/main module SSL; diff --git a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro index 1133bf952b..68c22aeb3f 100644 --- a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro +++ b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro @@ -1,6 +1,9 @@ ##! This strives to tune out high volume and less useful data ##! from the notice log. +@load base/frameworks/notice/main +@load base/frameworks/notice/weird + # Remove these notices from logging since they can be too noisy. redef Notice::ignored_types += { Weird::Content_Gap, diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.bro index ea8f18c3bc..cedc3d62ad 100644 --- a/scripts/policy/tuning/defaults/warnings.bro +++ b/scripts/policy/tuning/defaults/warnings.bro @@ -2,8 +2,10 @@ ##! good to set in most cases or other things that could be done to achieve ##! better detection. +@load base/utils/site + event bro_init() &priority=-10 { if ( |Site::local_nets| == 0 ) print "WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks."; - } \ No newline at end of file + } diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.bro index fe61ff93b6..40fa6913df 100644 
--- a/scripts/policy/tuning/track-all-assets.bro
+++ b/scripts/policy/tuning/track-all-assets.bro
@@ -1,4 +1,4 @@
-
+@load base/frameworks/software/main
 @load protocols/conn/known-hosts
 @load protocols/conn/known-services
 @load protocols/ssl/known-certs
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index a42ef893fc..49f123f880 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -19,7 +19,6 @@
 @load frameworks/software/vulnerable.bro
 @load integration/barnyard2/__load__.bro
 @load integration/barnyard2/base.bro
-@load integration/barnyard2/event.bro
 @load integration/barnyard2/types.bro
 @load misc/analysis-groups.bro
 @load misc/loaded-scripts.bro
diff --git a/testing/btest/Baseline/policy.misc.bare-mode-coverage/unique_errors b/testing/btest/Baseline/policy.misc.bare-mode-coverage/unique_errors
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/policy/misc/bare-mode-coverage.test b/testing/btest/policy/misc/bare-mode-coverage.test
new file mode 100644
index 0000000000..40cd5ab76e
--- /dev/null
+++ b/testing/btest/policy/misc/bare-mode-coverage.test
@@ -0,0 +1,8 @@
+# Makes sure any given policy script in the scripts/ tree can be loaded in
+# bare mode. btest-bg-run/btest-bg-wait are used to kill off scripts that
+# block after loading, e.g. start listening on a socket.
+#
+# @TEST-EXEC: test -e $DIST/scripts
+# @TEST-EXEC: for script in `find $DIST/scripts -name \*\.bro`; do echo $script;if [[ "$script" =~ listen-clear|listen-ssl|controllee ]]; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
+# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors
+# @TEST-EXEC: btest-diff unique_errors
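Review bot: The `[[ "$script" =~ ... ]]` test on the sixth added line of bare-mode-coverage.test is a bash construct; if btest runs `@TEST-EXEC` commands through `/bin/sh` (dash on Debian-derived systems), `[[` is not found, the `else` branch runs `bro -b` on the listening scripts in the foreground, and the test hangs instead of reporting a load error. A POSIX `case` avoids the dependency: `case "$script" in *listen-clear*|*listen-ssl*|*controllee*) …;; *) bro -b "$script" 2>>allerrors;; esac`. The loop also expands `$DIST` and `$script` unquoted, so a path containing whitespace would be split into several arguments; quoting `bro -b "$script"` and `find "$DIST/scripts"` is cheap. Because of the trailing `|| exit 0`, a non-zero exit from the loop is ignored and the only real assertion is the `btest-diff` on `unique_errors`, which is worth saying in the header comment.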
diff --git a/testing/btest/policy/misc/check-bare-test-all-policy.bro b/testing/btest/policy/misc/check-bare-test-all-policy.bro deleted file mode 100644 index a3474942e3..0000000000 --- a/testing/btest/policy/misc/check-bare-test-all-policy.bro +++ /dev/null @@ -1,7 +0,0 @@ -# Makes sures test-all-policy.bro (which loads *all* other policy scripts) -# compiles correctly even in bare mode. -# -# @TEST-EXEC: bro -b %INPUT >output -# @TEST-EXEC: btest-diff output - -@load test-all-policy From fae54dc8f0a2e9cea7c2a4239744942afe4023a9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 10 Aug 2011 15:39:16 -0500 Subject: [PATCH 02/21] Normalizing base.bro script naming as main.bro --- scripts/base/protocols/mime/__load__.bro | 2 +- scripts/base/protocols/mime/file-ident.bro | 2 +- scripts/base/protocols/mime/{base.bro => main.bro} | 0 scripts/base/protocols/rpc/{base.bro => main.bro} | 0 scripts/policy/integration/barnyard2/__load__.bro | 2 +- scripts/policy/integration/barnyard2/{base.bro => main.bro} | 0 scripts/test-all-policy.bro | 2 +- 7 files changed, 4 insertions(+), 4 deletions(-) rename scripts/base/protocols/mime/{base.bro => main.bro} (100%) rename scripts/base/protocols/rpc/{base.bro => main.bro} (100%) rename scripts/policy/integration/barnyard2/{base.bro => main.bro} (100%) diff --git a/scripts/base/protocols/mime/__load__.bro b/scripts/base/protocols/mime/__load__.bro index 86098bb598..6c3f1804ec 100644 --- a/scripts/base/protocols/mime/__load__.bro +++ b/scripts/base/protocols/mime/__load__.bro @@ -1,4 +1,4 @@ -@load ./base +@load ./main @load ./file-ident @load ./file-extract @load ./file-hash diff --git a/scripts/base/protocols/mime/file-ident.bro b/scripts/base/protocols/mime/file-ident.bro index 346fde1bba..932085cd1a 100644 --- a/scripts/base/protocols/mime/file-ident.bro +++ b/scripts/base/protocols/mime/file-ident.bro @@ -1,4 +1,4 @@ -@load ./base +@load ./main module MIME; 
diff --git a/scripts/base/protocols/mime/base.bro b/scripts/base/protocols/mime/main.bro similarity index 100% rename from scripts/base/protocols/mime/base.bro rename to scripts/base/protocols/mime/main.bro diff --git a/scripts/base/protocols/rpc/base.bro b/scripts/base/protocols/rpc/main.bro similarity index 100% rename from scripts/base/protocols/rpc/base.bro rename to scripts/base/protocols/rpc/main.bro diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.bro index ce5bad3fe8..c4790c6b32 100644 --- a/scripts/policy/integration/barnyard2/__load__.bro +++ b/scripts/policy/integration/barnyard2/__load__.bro @@ -1,2 +1,2 @@ @load ./types -@load ./base +@load ./main diff --git a/scripts/policy/integration/barnyard2/base.bro b/scripts/policy/integration/barnyard2/main.bro similarity index 100% rename from scripts/policy/integration/barnyard2/base.bro rename to scripts/policy/integration/barnyard2/main.bro diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 49f123f880..4039fe2732 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -18,7 +18,7 @@ @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro @load integration/barnyard2/__load__.bro -@load integration/barnyard2/base.bro +@load integration/barnyard2/main.bro @load integration/barnyard2/types.bro @load misc/analysis-groups.bro @load misc/loaded-scripts.bro From 9e7934dc32f136430c64d3f500fa47cfa402df37 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 10 Aug 2011 16:06:05 -0500 Subject: [PATCH 03/21] Normalize some intra-package @loads --- scripts/base/protocols/http/file-ident.bro | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/base/protocols/http/file-ident.bro b/scripts/base/protocols/http/file-ident.bro index 0803d8680d..489267e6f1 100644 --- a/scripts/base/protocols/http/file-ident.bro +++ b/scripts/base/protocols/http/file-ident.bro 
@@ -3,8 +3,8 @@ @load base/frameworks/signatures/main @load base/frameworks/notice/main -@load base/protocols/http/main -@load base/protocols/http/utils +@load ./main +@load ./utils # Add the magic number signatures to the core signature set. redef signature_files += "base/protocols/http/file-ident.sig"; From ac257c7a6d48ecd67cacc48e89f0105c89dcbe11 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 10 Aug 2011 16:29:52 -0500 Subject: [PATCH 04/21] Change/fix some cluster script error reporting. The main script now uses the Reporter::error BIF instead of scheduling a reporter_error event to report an invalid node name. The later only works if the reporter framework is loaded, but the BIF will do the right thing and use stderr if there's no event handler. I also @if'd out most of the setup-connections script when the node is invalid because that's what the cluster/__load__.bro would normally do. --- scripts/base/frameworks/cluster/main.bro | 3 +-- scripts/base/frameworks/cluster/setup-connections.bro | 4 ++++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 7b277769fb..4817db0ea7 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro @@ -60,8 +60,7 @@ event bro_init() # If a node is given, but it's an unknown name we need to fail. if ( node != "" && node !in nodes ) { - local msg = "You didn't supply a valid node in the Cluster::nodes configuration."; - event reporter_error(current_time(), msg, ""); + Reporter::error(fmt("'%s' is not a valid node in the Cluster::nodes configuration", node)); terminate(); } diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index 956a6194f4..b0d833d362 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro 
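Review bot: `terminate()` on the line after the new `Reporter::error` call requests a shutdown rather than exiting on the spot, so the rest of this `bro_init` handler and any lower-priority `bro_init` handlers still run with the invalid `node` value; the commit guards setup-connections.bro with an `@if`, but any other script that uses `Cluster::node` at init time would need its own guard. A comment next to the call would make that explicit: `# terminate() only schedules shutdown; later bro_init handlers still run, so consumers of Cluster::node must guard themselves.` The `bro_init` body starts and ends outside the hunk.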
@@ -1,6 +1,8 @@ @load ./main @load base/frameworks/communication/main +@if ( Cluster::node in Cluster::nodes ) + module Cluster; event bro_init() &priority=9 @@ -80,3 +82,5 @@ event bro_init() &priority=9 } } } + +@endif From 7b07a19cd6a0267ce889b22646ce013848fa8528 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 10 Aug 2011 17:16:26 -0500 Subject: [PATCH 05/21] bro scripts generated from bifs now install to $prefix/share/bro/base/ Addresses #545 --- scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/init-bare.bro | 12 ++++++------ src/CMakeLists.txt | 9 ++++++++- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index e31f931de9..be575247ec 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -149,7 +149,7 @@ export { # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; -@load logging.bif.bro # Needs Filter and Stream defined. +@load base/logging.bif # Needs Filter and Stream defined. module Log; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 30674fafc7..42580e95e7 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1,5 +1,5 @@ -@load const.bif.bro -@load types.bif.bro +@load base/const.bif +@load base/types.bif # Type declarations type string_array: table[count] of string; @@ -298,9 +298,9 @@ type entropy_test_result: record { }; # Prototypes of Bro built-in functions. -@load strings.bif.bro -@load bro.bif.bro -@load reporter.bif.bro +@load base/strings.bif +@load base/bro.bif +@load base/reporter.bif global log_file_name: function(tag: string): string &redef; global open_log_file: function(tag: string): file &redef; 
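Review bot: The new `@if ( Cluster::node in Cluster::nodes )` in setup-connections.bro has no comment explaining why the whole script is conditional, and the condition is also false in the standalone case where `Cluster::node` is the empty string, which main.bro's `node != "" && node !in nodes` check deliberately does not treat as an error; a reader can easily mistake the guard for the invalid-node check alone. I would add above the `@if`: `# Skip the whole script unless a valid cluster node is configured: main.bro reports an unknown node name, and no node at all means standalone mode.` The matching `@endif` in the second hunk could carry `# @if ( Cluster::node in Cluster::nodes )` so the pair is visible at the bottom of the file.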
@@ -1264,7 +1264,7 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value; # The header table type used by the bittorrenttracker analyzer. type bt_tracker_headers: table[string] of string; -@load event.bif.bro +@load base/event.bif # The filter the user has set via the -f command line options, or # empty if none. diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1a5f096f70..db6a139e58 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -107,6 +107,12 @@ macro(BIF_TARGET bifInput) add_custom_command(OUTPUT ${bifOutputs} COMMAND bifcl ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1) + # in order be able to run bro from the build directory, + # a copy of the generated bro script needs to be copied + # to a directory tree named the same way it will be + # referenced from an @load + COMMAND "${CMAKE_COMMAND}" + ARGS -E copy ${bifInput}.bro base/${bifInput}.bro DEPENDS ${bifInput} DEPENDS bifcl COMMENT "[BIFCL] Processing ${bifInput}" @@ -121,6 +127,7 @@ endmacro(BIF_TARGET) macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) set(${outputFileVar} ${inputFile}.bro + base/${inputFile}.bro ${inputFile}.func_def ${inputFile}.func_h ${inputFile}.func_init @@ -423,7 +430,7 @@ set(brolibs target_link_libraries(bro ${brolibs}) install(TARGETS bro DESTINATION bin) -install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${POLICYDIR}) +install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${POLICYDIR}/base) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) From 2eea193d79ddcccca6d32fd4208e7cd54c9893af Mon Sep 17 00:00:00 2001 
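Review bot: The new comment in the `BIF_TARGET` macro starts `# in order be able to run bro from the build directory,` and is missing a word; I would write `# To be able to run bro from the build directory, copy the generated` / `# script into a tree laid out the way an @load will reference it.` The `base/${inputFile}.bro` entry added to `GET_BIF_OUTPUT_FILES` in the second hunk duplicates the destination path used by the copy command in the first; a short comment on that entry saying it must match the `cmake -E copy` target in `BIF_TARGET` would keep the two macros from drifting apart.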
From: Jon Siwek Date: Wed, 10 Aug 2011 20:34:49 -0500 Subject: [PATCH 06/21] Update default/bare loaded scripts test and test-all-policy coverage. --- scripts/test-all-policy.bro | 3 +++ .../canonified_loaded_scripts.log | 14 +++++++------- .../canonified_loaded_scripts.log | 17 ++++++++++------- ...overage.bro => test-all-policy-coverage.bro} | 0 4 files changed, 20 insertions(+), 14 deletions(-) rename testing/btest/policy/misc/{test-all-default-coverage.bro => test-all-policy-coverage.bro} (100%) diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 4039fe2732..0e47543404 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -15,6 +15,9 @@ # @load frameworks/control/controller.bro @load frameworks/dpd/detect-protocols.bro @load frameworks/dpd/packet-segment-logging.bro +@load frameworks/metrics/conn-example.bro +@load frameworks/metrics/http-example.bro +@load frameworks/metrics/ssl-example.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro @load integration/barnyard2/__load__.bro diff --git a/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log index 7d40d728da..8386089200 100644 --- a/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log 
@@ -1,13 +1,13 @@ # depth name 0 scripts/base/init-bare.bro -1 build/src/const.bif.bro -1 build/src/types.bif.bro -1 build/src/strings.bif.bro -1 build/src/bro.bif.bro -1 build/src/reporter.bif.bro -1 build/src/event.bif.bro +1 build/src/base/const.bif.bro +1 build/src/base/types.bif.bro +1 build/src/base/strings.bif.bro +1 build/src/base/bro.bif.bro +1 build/src/base/reporter.bif.bro +1 build/src/base/event.bif.bro 1 scripts/base/frameworks/logging/__load__.bro 2 scripts/base/frameworks/logging/./main.bro -3 build/src/logging.bif.bro +3 build/src/base/logging.bif.bro 2 scripts/base/frameworks/logging/./writers/ascii.bro 0 scripts/policy/misc/loaded-scripts.bro diff --git a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log index 73ef868313..4a5f570e81 100644 --- a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log @@ -1,14 +1,14 @@ # depth name 0 scripts/base/init-bare.bro -1 build/src/const.bif.bro -1 build/src/types.bif.bro -1 build/src/strings.bif.bro -1 build/src/bro.bif.bro -1 build/src/reporter.bif.bro -1 build/src/event.bif.bro +1 build/src/base/const.bif.bro +1 build/src/base/types.bif.bro +1 build/src/base/strings.bif.bro +1 build/src/base/bro.bif.bro +1 build/src/base/reporter.bif.bro +1 build/src/base/event.bif.bro 1 scripts/base/frameworks/logging/__load__.bro 2 scripts/base/frameworks/logging/./main.bro -3 build/src/logging.bif.bro +3 build/src/base/logging.bif.bro 2 scripts/base/frameworks/logging/./writers/ascii.bro 0 scripts/base/init-default.bro 1 scripts/base/utils/site.bro 
@@ -41,6 +41,7 @@ 1 scripts/base/frameworks/metrics/__load__.bro 2 scripts/base/frameworks/metrics/./main.bro 1 scripts/base/frameworks/communication/__load__.bro +2 scripts/base/frameworks/communication/./main.bro 1 scripts/base/frameworks/control/__load__.bro 2 scripts/base/frameworks/control/./main.bro 1 scripts/base/frameworks/cluster/__load__.bro @@ -69,6 +70,8 @@ 2 scripts/base/protocols/irc/./dcc-send.bro 1 scripts/base/protocols/smtp/__load__.bro 2 scripts/base/protocols/smtp/./main.bro +2 scripts/base/protocols/smtp/./entities.bro +2 scripts/base/protocols/smtp/./entities-excerpt.bro 1 scripts/base/protocols/ssh/__load__.bro 2 scripts/base/protocols/ssh/./main.bro 1 scripts/base/protocols/ssl/__load__.bro diff --git a/testing/btest/policy/misc/test-all-default-coverage.bro b/testing/btest/policy/misc/test-all-policy-coverage.bro similarity index 100% rename from testing/btest/policy/misc/test-all-default-coverage.bro rename to testing/btest/policy/misc/test-all-policy-coverage.bro From c3fb0ea03567c7b82fb008fb42be2206eb1ed657 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 11 Aug 2011 10:43:11 -0500 Subject: [PATCH 07/21] Reorganizing btest/policy directory to match new scripts/ organization Addresses #545 --- .../unique_errors | 0 .../manager-1..stdout | 0 .../proxy-1..stdout | 0 .../proxy-2..stdout | 0 .../worker-1..stdout | 0 .../worker-2..stdout | 0 .../controllee..stdout | 0 .../controller..stdout | 0 .../out | 0 .../ssh-new-default.log | 0 .../ssh.log | Bin .../ssh.log | 0 .../ssh.log | Bin .../ssh.log | 0 .../test.log | 0 .../ssh.log | 0 .../ssh.log | 0 .../ssh.log | 0 .../output | 0 .../ssh.log | 0 .../ssh.log | 0 .../ssh.log | 0 .../output | 0 .../ssh.failure.log | 0 .../ssh.success.log | 0 .../receiver.test.log | 0 .../sender.test.failure.log | 0 .../sender.test.log | 0 .../sender.test.success.log | 0 .../ssh.failure.log | 0 .../ssh.log | 0 .../out | 0 .../out | 0 .../output | 0 .../ssh.log | 0 .../ssh.log | 0 .../testing.log | 0 .../ssh.log | 0 .../output | 0 .../http.log | 0 .../http.log | 0 .../irc.log | 0 ...em_192.168.1.77:57655-209.197.168.151:1024_1.dat | Bin .../irc.log | 0 .../smtp.log | 0 ...mtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat | 0 ...mtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat | 0 .../smtp_entities.log | 0 .../smtp_entities.log | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../canonified_loaded_scripts.log | 0 .../canonified_loaded_scripts.log | 0 .../knownhosts-all.log | 0 .../knownhosts-local.log | 0 .../knownhosts-remote.log | 0 .../knownservices-all.log | 0 .../knownservices-local.log | 0 .../knownservices-remote.log | 0 .../dns.log | 0 .../output | 0 testing/btest/btest.cfg | 2 +- .../misc => scripts}/bare-mode-coverage.test | 2 +- .../base}/frameworks/cluster/start-it-up.bro | 0 .../frameworks/control/configuration_update.bro | 0 .../base}/frameworks/control/id_value.bro | 0 .../base}/frameworks/control/shutdown.bro | 0 
.../base}/frameworks/intel/insert-and-matcher.bro | 0 .../base}/frameworks/logging/adapt-filter.bro | 0 .../base}/frameworks/logging/ascii-binary.bro | 0 .../base}/frameworks/logging/ascii-empty.bro | 0 .../base}/frameworks/logging/ascii-escape.bro | 0 .../base}/frameworks/logging/ascii-options.bro | 0 .../base}/frameworks/logging/ascii-timestamps.bro | 0 .../base}/frameworks/logging/attr-extend.bro | 0 .../base}/frameworks/logging/attr.bro | 0 .../base}/frameworks/logging/disable-stream.bro | 0 .../base}/frameworks/logging/empty-event.bro | 0 .../base}/frameworks/logging/events.bro | 0 .../base}/frameworks/logging/exclude.bro | 0 .../base}/frameworks/logging/file.bro | 0 .../base}/frameworks/logging/include.bro | 0 .../base}/frameworks/logging/no-local.bro | 0 .../base}/frameworks/logging/path-func.bro | 0 .../base}/frameworks/logging/pred.bro | 0 .../base}/frameworks/logging/remote-types.bro | 0 .../base}/frameworks/logging/remote.bro | 0 .../base}/frameworks/logging/remove.bro | 0 .../base}/frameworks/logging/rotate-custom.bro | 0 .../base}/frameworks/logging/rotate.bro | 0 .../base}/frameworks/logging/rotation.trace | Bin .../base}/frameworks/logging/stdout.bro | 0 .../base}/frameworks/logging/test-logging.bro | 0 .../base}/frameworks/logging/types.bro | 0 .../base}/frameworks/logging/unset-record.bro | 0 .../base}/frameworks/logging/vec.bro | 0 .../base}/frameworks/software/version-parsing.bro | 0 .../misc => scripts/base}/init-default-coverage.bro | 0 .../base}/protocols/http/http-header-crlf.bro | 0 .../base}/protocols/http/http-mime-and-md5.bro | 0 .../base}/protocols/http/http-pipelining.bro | 0 .../base}/protocols/irc/basic.test | 0 .../base}/protocols/irc/dcc-extract.test | 0 .../base}/protocols/smtp/basic.test | 0 .../base}/protocols/smtp/mime-extract.test | 0 .../base}/protocols/smtp/mime.test | 0 .../btest/{policy => scripts/base}/utils/addrs.test | 0 .../{policy => scripts/base}/utils/conn-ids.test | 0 .../base}/utils/directions-and-hosts.test | 0 
.../btest/{policy => scripts/base}/utils/files.test | 0 .../{policy => scripts/base}/utils/numbers.test | 0 .../btest/{policy => scripts/base}/utils/paths.test | 0 .../{policy => scripts/base}/utils/pattern.test | 0 .../btest/{policy => scripts/base}/utils/site.test | 0 .../{policy => scripts/base}/utils/strings.test | 0 .../{policy => scripts/base}/utils/thresholds.test | 0 .../misc => scripts}/check-test-all-policy.bro | 0 .../policy/misc/bare-loaded-scripts.test | 0 .../policy/misc/default-loaded-scripts.test | 0 .../policy/protocols/conn/known-hosts.bro | 0 .../policy/protocols/conn/known-services.bro | 0 .../policy/protocols/dns/event-priority.bro | 0 .../protocols/http/test-sql-injection-regex.bro | 0 .../testing-local.bro => scripts/site/local.test} | 0 .../misc => scripts}/test-all-policy-coverage.bro | 0 134 files changed, 2 insertions(+), 2 deletions(-) rename testing/btest/Baseline/{policy.misc.bare-mode-coverage => scripts.bare-mode-coverage}/unique_errors (100%) rename testing/btest/Baseline/{policy.frameworks.cluster.start-it-up => scripts.base.frameworks.cluster.start-it-up}/manager-1..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.cluster.start-it-up => scripts.base.frameworks.cluster.start-it-up}/proxy-1..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.cluster.start-it-up => scripts.base.frameworks.cluster.start-it-up}/proxy-2..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.cluster.start-it-up => scripts.base.frameworks.cluster.start-it-up}/worker-1..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.cluster.start-it-up => scripts.base.frameworks.cluster.start-it-up}/worker-2..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.control.configuration_update => scripts.base.frameworks.control.configuration_update}/controllee..stdout (100%) rename testing/btest/Baseline/{policy.frameworks.control.id_value => scripts.base.frameworks.control.id_value}/controller..stdout (100%) rename 
testing/btest/Baseline/{policy.frameworks.intel.insert-and-matcher => scripts.base.frameworks.intel.insert-and-matcher}/out (100%) rename testing/btest/Baseline/{policy.frameworks.logging.adapt-filter => scripts.base.frameworks.logging.adapt-filter}/ssh-new-default.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.ascii-binary => scripts.base.frameworks.logging.ascii-binary}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.ascii-empty => scripts.base.frameworks.logging.ascii-empty}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.ascii-escape => scripts.base.frameworks.logging.ascii-escape}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.ascii-options => scripts.base.frameworks.logging.ascii-options}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.ascii-timestamps => scripts.base.frameworks.logging.ascii-timestamps}/test.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.attr-extend => scripts.base.frameworks.logging.attr-extend}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.attr => scripts.base.frameworks.logging.attr}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.empty-event => scripts.base.frameworks.logging.empty-event}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.events => scripts.base.frameworks.logging.events}/output (100%) rename testing/btest/Baseline/{policy.frameworks.logging.exclude => scripts.base.frameworks.logging.exclude}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.file => scripts.base.frameworks.logging.file}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.include => scripts.base.frameworks.logging.include}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.path-func => scripts.base.frameworks.logging.path-func}/output (100%) rename 
testing/btest/Baseline/{policy.frameworks.logging.pred => scripts.base.frameworks.logging.pred}/ssh.failure.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.pred => scripts.base.frameworks.logging.pred}/ssh.success.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remote-types => scripts.base.frameworks.logging.remote-types}/receiver.test.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remote => scripts.base.frameworks.logging.remote}/sender.test.failure.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remote => scripts.base.frameworks.logging.remote}/sender.test.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remote => scripts.base.frameworks.logging.remote}/sender.test.success.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remove => scripts.base.frameworks.logging.remove}/ssh.failure.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.remove => scripts.base.frameworks.logging.remove}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.rotate-custom => scripts.base.frameworks.logging.rotate-custom}/out (100%) rename testing/btest/Baseline/{policy.frameworks.logging.rotate => scripts.base.frameworks.logging.rotate}/out (100%) rename testing/btest/Baseline/{policy.frameworks.logging.stdout => scripts.base.frameworks.logging.stdout}/output (100%) rename testing/btest/Baseline/{policy.frameworks.logging.test-logging => scripts.base.frameworks.logging.test-logging}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.types => scripts.base.frameworks.logging.types}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.unset-record => scripts.base.frameworks.logging.unset-record}/testing.log (100%) rename testing/btest/Baseline/{policy.frameworks.logging.vec => scripts.base.frameworks.logging.vec}/ssh.log (100%) rename testing/btest/Baseline/{policy.frameworks.software.version-parsing 
=> scripts.base.frameworks.software.version-parsing}/output (100%) rename testing/btest/Baseline/{policy.protocols.http.http-mime-and-md5 => scripts.base.protocols.http.http-mime-and-md5}/http.log (100%) rename testing/btest/Baseline/{policy.protocols.http.http-pipelining => scripts.base.protocols.http.http-pipelining}/http.log (100%) rename testing/btest/Baseline/{policy.protocols.irc.basic => scripts.base.protocols.irc.basic}/irc.log (100%) rename testing/btest/Baseline/{policy.protocols.irc.dcc-extract => scripts.base.protocols.irc.dcc-extract}/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat (100%) rename testing/btest/Baseline/{policy.protocols.irc.dcc-extract => scripts.base.protocols.irc.dcc-extract}/irc.log (100%) rename testing/btest/Baseline/{policy.protocols.smtp.basic => scripts.base.protocols.smtp.basic}/smtp.log (100%) rename testing/btest/Baseline/{policy.protocols.smtp.mime-extract => scripts.base.protocols.smtp.mime-extract}/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat (100%) rename testing/btest/Baseline/{policy.protocols.smtp.mime-extract => scripts.base.protocols.smtp.mime-extract}/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat (100%) rename testing/btest/Baseline/{policy.protocols.smtp.mime-extract => scripts.base.protocols.smtp.mime-extract}/smtp_entities.log (100%) rename testing/btest/Baseline/{policy.protocols.smtp.mime => scripts.base.protocols.smtp.mime}/smtp_entities.log (100%) rename testing/btest/Baseline/{policy.utils.addrs => scripts.base.utils.addrs}/output (100%) rename testing/btest/Baseline/{policy.utils.conn-ids => scripts.base.utils.conn-ids}/output (100%) rename testing/btest/Baseline/{policy.utils.directions-and-hosts => scripts.base.utils.directions-and-hosts}/output (100%) rename testing/btest/Baseline/{policy.utils.files => scripts.base.utils.files}/output (100%) rename testing/btest/Baseline/{policy.utils.numbers => scripts.base.utils.numbers}/output (100%) rename 
testing/btest/Baseline/{policy.utils.paths => scripts.base.utils.paths}/output (100%) rename testing/btest/Baseline/{policy.utils.pattern => scripts.base.utils.pattern}/output (100%) rename testing/btest/Baseline/{policy.utils.site => scripts.base.utils.site}/output (100%) rename testing/btest/Baseline/{policy.utils.strings => scripts.base.utils.strings}/output (100%) rename testing/btest/Baseline/{policy.utils.thresholds => scripts.base.utils.thresholds}/output (100%) rename testing/btest/Baseline/{policy.misc.check-test-all-policy => scripts.check-test-all-policy}/output (100%) rename testing/btest/Baseline/{policy.misc.bare-loaded-scripts => scripts.policy.misc.bare-loaded-scripts}/canonified_loaded_scripts.log (100%) rename testing/btest/Baseline/{policy.misc.default-loaded-scripts => scripts.policy.misc.default-loaded-scripts}/canonified_loaded_scripts.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-hosts => scripts.policy.protocols.conn.known-hosts}/knownhosts-all.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-hosts => scripts.policy.protocols.conn.known-hosts}/knownhosts-local.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-hosts => scripts.policy.protocols.conn.known-hosts}/knownhosts-remote.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-services => scripts.policy.protocols.conn.known-services}/knownservices-all.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-services => scripts.policy.protocols.conn.known-services}/knownservices-local.log (100%) rename testing/btest/Baseline/{policy.protocols.conn.known-services => scripts.policy.protocols.conn.known-services}/knownservices-remote.log (100%) rename testing/btest/Baseline/{policy.protocols.dns.event-priority => scripts.policy.protocols.dns.event-priority}/dns.log (100%) rename testing/btest/Baseline/{policy.protocols.http.test-sql-injection-regex => 
scripts.policy.protocols.http.test-sql-injection-regex}/output (100%) rename testing/btest/{policy/misc => scripts}/bare-mode-coverage.test (94%) rename testing/btest/{policy => scripts/base}/frameworks/cluster/start-it-up.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/control/configuration_update.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/control/id_value.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/control/shutdown.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/intel/insert-and-matcher.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/adapt-filter.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/ascii-binary.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/ascii-empty.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/ascii-escape.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/ascii-options.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/ascii-timestamps.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/attr-extend.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/attr.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/disable-stream.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/empty-event.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/events.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/exclude.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/file.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/include.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/no-local.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/path-func.bro (100%) rename 
testing/btest/{policy => scripts/base}/frameworks/logging/pred.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/remote-types.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/remote.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/remove.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/rotate-custom.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/rotate.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/rotation.trace (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/stdout.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/test-logging.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/types.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/unset-record.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/logging/vec.bro (100%) rename testing/btest/{policy => scripts/base}/frameworks/software/version-parsing.bro (100%) rename testing/btest/{policy/misc => scripts/base}/init-default-coverage.bro (100%) rename testing/btest/{policy => scripts/base}/protocols/http/http-header-crlf.bro (100%) rename testing/btest/{policy => scripts/base}/protocols/http/http-mime-and-md5.bro (100%) rename testing/btest/{policy => scripts/base}/protocols/http/http-pipelining.bro (100%) rename testing/btest/{policy => scripts/base}/protocols/irc/basic.test (100%) rename testing/btest/{policy => scripts/base}/protocols/irc/dcc-extract.test (100%) rename testing/btest/{policy => scripts/base}/protocols/smtp/basic.test (100%) rename testing/btest/{policy => scripts/base}/protocols/smtp/mime-extract.test (100%) rename testing/btest/{policy => scripts/base}/protocols/smtp/mime.test (100%) rename testing/btest/{policy => scripts/base}/utils/addrs.test (100%) rename testing/btest/{policy => scripts/base}/utils/conn-ids.test 
(100%) rename testing/btest/{policy => scripts/base}/utils/directions-and-hosts.test (100%) rename testing/btest/{policy => scripts/base}/utils/files.test (100%) rename testing/btest/{policy => scripts/base}/utils/numbers.test (100%) rename testing/btest/{policy => scripts/base}/utils/paths.test (100%) rename testing/btest/{policy => scripts/base}/utils/pattern.test (100%) rename testing/btest/{policy => scripts/base}/utils/site.test (100%) rename testing/btest/{policy => scripts/base}/utils/strings.test (100%) rename testing/btest/{policy => scripts/base}/utils/thresholds.test (100%) rename testing/btest/{policy/misc => scripts}/check-test-all-policy.bro (100%) rename testing/btest/{ => scripts}/policy/misc/bare-loaded-scripts.test (100%) rename testing/btest/{ => scripts}/policy/misc/default-loaded-scripts.test (100%) rename testing/btest/{ => scripts}/policy/protocols/conn/known-hosts.bro (100%) rename testing/btest/{ => scripts}/policy/protocols/conn/known-services.bro (100%) rename testing/btest/{ => scripts}/policy/protocols/dns/event-priority.bro (100%) rename testing/btest/{ => scripts}/policy/protocols/http/test-sql-injection-regex.bro (100%) rename testing/btest/{policy/site/testing-local.bro => scripts/site/local.test} (100%) rename testing/btest/{policy/misc => scripts}/test-all-policy-coverage.bro (100%)
diff --git a/testing/btest/Baseline/policy.misc.bare-mode-coverage/unique_errors b/testing/btest/Baseline/scripts.bare-mode-coverage/unique_errors
similarity index 100%
rename from testing/btest/Baseline/policy.misc.bare-mode-coverage/unique_errors
rename to testing/btest/Baseline/scripts.bare-mode-coverage/unique_errors
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/manager-1..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-1..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/proxy-2..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-1..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.cluster.start-it-up/worker-2..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.control.configuration_update/controllee..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.control.configuration_update/controllee..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.control.configuration_update/controllee..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.control.id_value/controller..stdout b/testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.control.id_value/controller..stdout
rename to testing/btest/Baseline/scripts.base.frameworks.control.id_value/controller..stdout
diff --git a/testing/btest/Baseline/policy.frameworks.intel.insert-and-matcher/out b/testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.intel.insert-and-matcher/out
rename to testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out
diff --git a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-options/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.ascii-options/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.events/output b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.events/output
rename to testing/btest/Baseline/scripts.base.frameworks.logging.events/output
diff --git a/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.file/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.include/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.path-func/output b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.path-func/output
rename to testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
rename to testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.rotate/out
rename to testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
diff --git a/testing/btest/Baseline/policy.frameworks.logging.stdout/output b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.stdout/output
rename to testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
diff --git a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.types/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
diff --git a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log
rename to testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
diff --git a/testing/btest/Baseline/policy.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.software.version-parsing/output
rename to testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
diff --git a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
rename to testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
diff --git a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
rename to testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
diff --git a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.basic/irc.log
rename to testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log
rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log
rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime/smtp_entities.log
diff --git a/testing/btest/Baseline/policy.utils.addrs/output b/testing/btest/Baseline/scripts.base.utils.addrs/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.addrs/output
rename to testing/btest/Baseline/scripts.base.utils.addrs/output
diff --git a/testing/btest/Baseline/policy.utils.conn-ids/output b/testing/btest/Baseline/scripts.base.utils.conn-ids/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.conn-ids/output
rename to testing/btest/Baseline/scripts.base.utils.conn-ids/output
diff --git a/testing/btest/Baseline/policy.utils.directions-and-hosts/output b/testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.directions-and-hosts/output
rename to testing/btest/Baseline/scripts.base.utils.directions-and-hosts/output
diff --git a/testing/btest/Baseline/policy.utils.files/output b/testing/btest/Baseline/scripts.base.utils.files/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.files/output
rename to testing/btest/Baseline/scripts.base.utils.files/output
diff --git a/testing/btest/Baseline/policy.utils.numbers/output b/testing/btest/Baseline/scripts.base.utils.numbers/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.numbers/output
rename to testing/btest/Baseline/scripts.base.utils.numbers/output
diff --git a/testing/btest/Baseline/policy.utils.paths/output b/testing/btest/Baseline/scripts.base.utils.paths/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.paths/output
rename to testing/btest/Baseline/scripts.base.utils.paths/output
diff --git a/testing/btest/Baseline/policy.utils.pattern/output b/testing/btest/Baseline/scripts.base.utils.pattern/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.pattern/output
rename to testing/btest/Baseline/scripts.base.utils.pattern/output
diff --git a/testing/btest/Baseline/policy.utils.site/output b/testing/btest/Baseline/scripts.base.utils.site/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.site/output
rename to testing/btest/Baseline/scripts.base.utils.site/output
diff --git a/testing/btest/Baseline/policy.utils.strings/output b/testing/btest/Baseline/scripts.base.utils.strings/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.strings/output
rename to testing/btest/Baseline/scripts.base.utils.strings/output
diff --git a/testing/btest/Baseline/policy.utils.thresholds/output b/testing/btest/Baseline/scripts.base.utils.thresholds/output
similarity index 100%
rename from testing/btest/Baseline/policy.utils.thresholds/output
rename to testing/btest/Baseline/scripts.base.utils.thresholds/output
diff --git a/testing/btest/Baseline/policy.misc.check-test-all-policy/output b/testing/btest/Baseline/scripts.check-test-all-policy/output
similarity index 100%
rename from testing/btest/Baseline/policy.misc.check-test-all-policy/output
rename to testing/btest/Baseline/scripts.check-test-all-policy/output
diff --git a/testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/scripts.policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
similarity index 100%
rename from testing/btest/Baseline/policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
rename to testing/btest/Baseline/scripts.policy.misc.bare-loaded-scripts/canonified_loaded_scripts.log
diff --git a/testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log b/testing/btest/Baseline/scripts.policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
similarity index 100%
rename from testing/btest/Baseline/policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
rename to testing/btest/Baseline/scripts.policy.misc.default-loaded-scripts/canonified_loaded_scripts.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
rename to testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
diff --git a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
rename to testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
diff --git a/testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output b/testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
similarity index 100%
rename from testing/btest/Baseline/policy.protocols.http.test-sql-injection-regex/output
rename to testing/btest/Baseline/scripts.policy.protocols.http.test-sql-injection-regex/output
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 1aa7b28f25..f674ae68c8 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -1,5 +1,5 @@
 [btest]
-TestDirs = doc bifs language core policy istate
+TestDirs = doc bifs language core scripts istate
 TmpDir = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs = .svn CVS .tmp
diff --git a/testing/btest/policy/misc/bare-mode-coverage.test b/testing/btest/scripts/bare-mode-coverage.test
similarity index 94%
rename from testing/btest/policy/misc/bare-mode-coverage.test
rename to testing/btest/scripts/bare-mode-coverage.test
index 40cd5ab76e..12744023dc 100644
--- a/testing/btest/policy/misc/bare-mode-coverage.test
+++ b/testing/btest/scripts/bare-mode-coverage.test
@@ -2,7 +2,7 @@
 # bare mode. btest-bg-run/btest-bg-wait are used to kill off scripts that
 # block after loading, e.g. start listening on a socket.
 #
-# @TEST-EXEC: test -e $DIST/scripts
+# @TEST-EXEC: test -d $DIST/scripts
 # @TEST-EXEC: for script in `find $DIST/scripts -name \*\.bro`; do echo $script;if [[ "$script" =~ listen-clear|listen-ssl|controllee ]]; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
 # @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors
 # @TEST-EXEC: btest-diff unique_errors
diff --git a/testing/btest/policy/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
similarity index 100%
rename from testing/btest/policy/frameworks/cluster/start-it-up.bro
rename to testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
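Review bot: The `for script in \`find …\`` @TEST-EXEC line in bare-mode-coverage.test expands the find output unquoted and passes `$script` unquoted to `bro -b`, so any script path containing whitespace would be split into several arguments; `find "$DIST/scripts" -name '*.bro' -print0 | while IFS= read -r -d '' script` with `"$script"` quoted is the robust form, while the `test -e` → `test -d` change itself is fine. The trailing `|| exit 0` also discards any non-zero status from the loop body, presumably on purpose so that every load error lands in `allerrors` and is compared by the later `btest-diff` instead of aborting the run; a short comment such as `# load errors are collected in allerrors and diffed below, so the loop itself never fails the test` would make that intent explicit.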
diff --git a/testing/btest/policy/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/configuration_update.bro
rename to testing/btest/scripts/base/frameworks/control/configuration_update.bro
diff --git a/testing/btest/policy/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/id_value.bro
rename to testing/btest/scripts/base/frameworks/control/id_value.bro
diff --git a/testing/btest/policy/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro
similarity index 100%
rename from testing/btest/policy/frameworks/control/shutdown.bro
rename to testing/btest/scripts/base/frameworks/control/shutdown.bro
diff --git a/testing/btest/policy/frameworks/intel/insert-and-matcher.bro b/testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
similarity index 100%
rename from testing/btest/policy/frameworks/intel/insert-and-matcher.bro
rename to testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro
diff --git a/testing/btest/policy/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/adapt-filter.bro
rename to testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-binary.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-empty.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-escape.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-options.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-options.bro
diff --git a/testing/btest/policy/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/ascii-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
diff --git a/testing/btest/policy/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/attr-extend.bro
rename to testing/btest/scripts/base/frameworks/logging/attr-extend.bro
diff --git a/testing/btest/policy/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/attr.bro
rename to testing/btest/scripts/base/frameworks/logging/attr.bro
diff --git a/testing/btest/policy/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/disable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/disable-stream.bro
diff --git a/testing/btest/policy/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/empty-event.bro
rename to testing/btest/scripts/base/frameworks/logging/empty-event.bro
diff --git a/testing/btest/policy/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/events.bro
rename to testing/btest/scripts/base/frameworks/logging/events.bro
diff --git a/testing/btest/policy/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/exclude.bro
rename to testing/btest/scripts/base/frameworks/logging/exclude.bro
diff --git a/testing/btest/policy/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/file.bro
rename to testing/btest/scripts/base/frameworks/logging/file.bro
diff --git a/testing/btest/policy/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/include.bro
rename to testing/btest/scripts/base/frameworks/logging/include.bro
diff --git a/testing/btest/policy/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/no-local.bro
rename to testing/btest/scripts/base/frameworks/logging/no-local.bro
diff --git a/testing/btest/policy/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/path-func.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func.bro
diff --git a/testing/btest/policy/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/pred.bro
rename to testing/btest/scripts/base/frameworks/logging/pred.bro
diff --git a/testing/btest/policy/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remote-types.bro
rename to testing/btest/scripts/base/frameworks/logging/remote-types.bro
diff --git a/testing/btest/policy/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remote.bro
rename to testing/btest/scripts/base/frameworks/logging/remote.bro
diff --git a/testing/btest/policy/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/remove.bro
rename to testing/btest/scripts/base/frameworks/logging/remove.bro
diff --git a/testing/btest/policy/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotate-custom.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
diff --git a/testing/btest/policy/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotate.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate.bro
diff --git a/testing/btest/policy/frameworks/logging/rotation.trace b/testing/btest/scripts/base/frameworks/logging/rotation.trace
similarity index 100%
rename from testing/btest/policy/frameworks/logging/rotation.trace
rename to testing/btest/scripts/base/frameworks/logging/rotation.trace
diff --git a/testing/btest/policy/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/stdout.bro
rename to testing/btest/scripts/base/frameworks/logging/stdout.bro
diff --git a/testing/btest/policy/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/test-logging.bro
rename to testing/btest/scripts/base/frameworks/logging/test-logging.bro
diff --git a/testing/btest/policy/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/types.bro
rename to testing/btest/scripts/base/frameworks/logging/types.bro
diff --git a/testing/btest/policy/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/unset-record.bro
rename to testing/btest/scripts/base/frameworks/logging/unset-record.bro
diff --git a/testing/btest/policy/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.bro
similarity index 100%
rename from testing/btest/policy/frameworks/logging/vec.bro
rename to testing/btest/scripts/base/frameworks/logging/vec.bro
diff --git a/testing/btest/policy/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
similarity index 100%
rename from testing/btest/policy/frameworks/software/version-parsing.bro
rename to testing/btest/scripts/base/frameworks/software/version-parsing.bro
diff --git a/testing/btest/policy/misc/init-default-coverage.bro b/testing/btest/scripts/base/init-default-coverage.bro
similarity index 100%
rename from testing/btest/policy/misc/init-default-coverage.bro
rename to testing/btest/scripts/base/init-default-coverage.bro
diff --git a/testing/btest/policy/protocols/http/http-header-crlf.bro b/testing/btest/scripts/base/protocols/http/http-header-crlf.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-header-crlf.bro
rename to testing/btest/scripts/base/protocols/http/http-header-crlf.bro
diff --git a/testing/btest/policy/protocols/http/http-mime-and-md5.bro b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-mime-and-md5.bro
rename to testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
diff --git a/testing/btest/policy/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/http-pipelining.bro
rename to testing/btest/scripts/base/protocols/http/http-pipelining.bro
diff --git a/testing/btest/policy/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
similarity index 100%
rename from testing/btest/policy/protocols/irc/basic.test
rename to testing/btest/scripts/base/protocols/irc/basic.test
diff --git a/testing/btest/policy/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test
similarity index 100%
rename from testing/btest/policy/protocols/irc/dcc-extract.test
rename to testing/btest/scripts/base/protocols/irc/dcc-extract.test
diff --git a/testing/btest/policy/protocols/smtp/basic.test b/testing/btest/scripts/base/protocols/smtp/basic.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/basic.test
rename to testing/btest/scripts/base/protocols/smtp/basic.test
diff --git a/testing/btest/policy/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/mime-extract.test
rename to testing/btest/scripts/base/protocols/smtp/mime-extract.test
diff --git a/testing/btest/policy/protocols/smtp/mime.test b/testing/btest/scripts/base/protocols/smtp/mime.test
similarity index 100%
rename from testing/btest/policy/protocols/smtp/mime.test
rename to testing/btest/scripts/base/protocols/smtp/mime.test
diff --git a/testing/btest/policy/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
similarity index 100%
rename from testing/btest/policy/utils/addrs.test
rename to testing/btest/scripts/base/utils/addrs.test
diff --git a/testing/btest/policy/utils/conn-ids.test b/testing/btest/scripts/base/utils/conn-ids.test
similarity index 100%
rename from testing/btest/policy/utils/conn-ids.test
rename to testing/btest/scripts/base/utils/conn-ids.test
diff --git a/testing/btest/policy/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
similarity index 100%
rename from testing/btest/policy/utils/directions-and-hosts.test
rename to testing/btest/scripts/base/utils/directions-and-hosts.test
diff --git a/testing/btest/policy/utils/files.test b/testing/btest/scripts/base/utils/files.test
similarity index 100%
rename from testing/btest/policy/utils/files.test
rename to testing/btest/scripts/base/utils/files.test
diff --git a/testing/btest/policy/utils/numbers.test b/testing/btest/scripts/base/utils/numbers.test
similarity index 100%
rename from testing/btest/policy/utils/numbers.test
rename to testing/btest/scripts/base/utils/numbers.test
diff --git a/testing/btest/policy/utils/paths.test b/testing/btest/scripts/base/utils/paths.test
similarity index 100%
rename from testing/btest/policy/utils/paths.test
rename to testing/btest/scripts/base/utils/paths.test
diff --git a/testing/btest/policy/utils/pattern.test b/testing/btest/scripts/base/utils/pattern.test
similarity index 100%
rename from testing/btest/policy/utils/pattern.test
rename to testing/btest/scripts/base/utils/pattern.test
diff --git a/testing/btest/policy/utils/site.test b/testing/btest/scripts/base/utils/site.test
similarity index 100%
rename from testing/btest/policy/utils/site.test
rename to testing/btest/scripts/base/utils/site.test
diff --git a/testing/btest/policy/utils/strings.test b/testing/btest/scripts/base/utils/strings.test
similarity index 100%
rename from testing/btest/policy/utils/strings.test
rename to testing/btest/scripts/base/utils/strings.test
diff --git a/testing/btest/policy/utils/thresholds.test b/testing/btest/scripts/base/utils/thresholds.test
similarity index 100%
rename from testing/btest/policy/utils/thresholds.test
rename to testing/btest/scripts/base/utils/thresholds.test
diff --git a/testing/btest/policy/misc/check-test-all-policy.bro b/testing/btest/scripts/check-test-all-policy.bro
similarity index 100%
rename from testing/btest/policy/misc/check-test-all-policy.bro
rename to testing/btest/scripts/check-test-all-policy.bro
diff --git a/testing/btest/policy/misc/bare-loaded-scripts.test b/testing/btest/scripts/policy/misc/bare-loaded-scripts.test
similarity index 100%
rename from testing/btest/policy/misc/bare-loaded-scripts.test
rename to testing/btest/scripts/policy/misc/bare-loaded-scripts.test
diff --git a/testing/btest/policy/misc/default-loaded-scripts.test b/testing/btest/scripts/policy/misc/default-loaded-scripts.test
similarity index 100%
rename from testing/btest/policy/misc/default-loaded-scripts.test
rename to testing/btest/scripts/policy/misc/default-loaded-scripts.test
diff --git a/testing/btest/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro
similarity index 100%
rename from testing/btest/policy/protocols/conn/known-hosts.bro
rename to testing/btest/scripts/policy/protocols/conn/known-hosts.bro
diff --git a/testing/btest/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.bro
similarity index 100%
rename from testing/btest/policy/protocols/conn/known-services.bro
rename to testing/btest/scripts/policy/protocols/conn/known-services.bro
diff --git a/testing/btest/policy/protocols/dns/event-priority.bro b/testing/btest/scripts/policy/protocols/dns/event-priority.bro
similarity index 100%
rename from testing/btest/policy/protocols/dns/event-priority.bro
rename to testing/btest/scripts/policy/protocols/dns/event-priority.bro
diff --git a/testing/btest/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
similarity index 100%
rename from testing/btest/policy/protocols/http/test-sql-injection-regex.bro
rename to testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
diff --git a/testing/btest/policy/site/testing-local.bro b/testing/btest/scripts/site/local.test
similarity index 100%
rename from testing/btest/policy/site/testing-local.bro
rename to testing/btest/scripts/site/local.test
diff --git a/testing/btest/policy/misc/test-all-policy-coverage.bro b/testing/btest/scripts/test-all-policy-coverage.bro
similarity index 100%
rename from testing/btest/policy/misc/test-all-policy-coverage.bro
rename to testing/btest/scripts/test-all-policy-coverage.bro
From ed281fb634a3f2959c8969e9f2ca3925b00c37c3 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 11 Aug 2011 10:49:41 -0500
Subject: [PATCH 08/21] Fixing some more bare-mode @load dependency issues
---
 scripts/base/protocols/http/main.bro | 1 +
 scripts/site/local.bro | 1 +
 2 files changed, 2 insertions(+)
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 35e3874e6d..ec54b1f428 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -1,4 +1,5 @@
 @load base/utils/numbers
+@load base/utils/files
 module HTTP;
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index cd0d6634b2..7165757eab 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -48,6 +48,7 @@ redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
 # Uncomment this redef if you want to extract SMTP MIME entities for
 # some file types. The numbers given indicate how many bytes to extract for
 # the various mime types.
+@load base/protocols/smtp/entities-excerpt
 redef SMTP::entity_excerpt_len += {
 # ["text/plain"] = 1024,
 # ["text/html"] = 1024,
From 521f54c4f0f7770e120bcbd9841efa8ed84328f6 Mon Sep 17 00:00:00 2001
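Review bot: The new `@load base/protocols/smtp/entities-excerpt` in scripts/site/local.bro is inserted between the explanatory comment block and the `redef SMTP::entity_excerpt_len += {` it introduces, so the comment now reads as if it described the @load line. Moving the `@load` above the `# Uncomment this redef …` comment keeps the comment attached to the redef; the load is needed either way, since the redef references `SMTP::entity_excerpt_len` even while the entries below it stay commented out.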
From: Jon Siwek
Date: Thu, 11 Aug 2011 11:34:42 -0500
Subject: [PATCH 09/21] Fix check_for_unused_event_handlers option. The format string given to the reporter warning call wasn't printing the handler names. Also changed it so that each warning message has the full context of the warning.
---
 src/main.cc | 3 +--
 .../Baseline/core.check-unused-event-handlers/.stderr | 1 +
 testing/btest/core/check-unused-event-handlers.test | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/core.check-unused-event-handlers/.stderr
 create mode 100644 testing/btest/core/check-unused-event-handlers.test
diff --git a/src/main.cc b/src/main.cc
index f1b393310b..c2d61e7c60 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -931,9 +931,8 @@ int main(int argc, char** argv)
 if ( dead_handlers->length() > 0 && check_for_unused_event_handlers )
 {
-reporter->Warning("event handlers never invoked:");
 for ( int i = 0; i < dead_handlers->length(); ++i )
-reporter->Warning("\t", (*dead_handlers)[i]);
+reporter->Warning("event handler never invoked: %s", (*dead_handlers)[i]);
 }
 delete dead_handlers;
diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
new file mode 100644
index 0000000000..8d8bf1a85b
--- /dev/null
+++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
@@ -0,0 +1 @@
+warning in , line 1: event handler never invoked: this_is_never_used
diff --git a/testing/btest/core/check-unused-event-handlers.test b/testing/btest/core/check-unused-event-handlers.test
new file mode 100644
index 0000000000..f9ad105ff6
--- /dev/null
+++ b/testing/btest/core/check-unused-event-handlers.test
@@ -0,0 +1,8 @@
+# This test should print a warning that the event handler is never invoked.
+# @TEST-EXEC: bro -b %INPUT check_for_unused_event_handlers=T
+# @TEST-EXEC: btest-diff .stderr
+
+event this_is_never_used()
+{
+print "not even once";
+}
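Review bot: The new `reporter->Warning("event handler never invoked: %s", (*dead_handlers)[i]);` in src/main.cc relies on every element of `dead_handlers` being a NUL-terminated C string; the container's declaration is outside the hunk, so the element type should be confirmed, because a vararg that does not match `%s` is undefined behaviour rather than a compile error. Passing the handler name as a `%s` argument instead of splicing it into the format string is the right shape and should stay that way. The new baseline line `warning in , line 1: event handler never invoked: this_is_never_used` also enshrines an empty file name in the location prefix, which suggests the reporter no longer has a script location when this loop runs at the end of main(); a short comment in the test, e.g. `# The empty location in "warning in , line 1:" is expected: the check runs after script loading has finished.`, would stop that from being read as a regression later.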
From 351b13d1c81e4a776dbc3961e0492c2471acda7e Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 11 Aug 2011 11:47:12 -0500
Subject: [PATCH 10/21] Fix more bare-mode @load dependency problems
---
 scripts/base/protocols/ssh/main.bro | 1 +
 scripts/policy/protocols/ssh/detect-bruteforcing.bro | 4 +++-
 scripts/policy/protocols/ssh/geo-data.bro | 3 +++
 scripts/policy/protocols/ssh/interesting-hostnames.bro | 1 +
 scripts/site/local-manager.bro | 2 ++
 5 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 4c2af3ee42..836676af37 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -9,6 +9,7 @@
 @load base/utils/site
 @load base/utils/thresholds
 @load base/utils/conn-ids
+@load base/utils/directions-and-hosts
 module SSH;
diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
index 36e73bfa59..10c5019f27 100644
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@@ -1,3 +1,5 @@
+@load base/frameworks/notice/main
+@load base/utils/thresholds
 module SSH;
@@ -76,4 +78,4 @@ event SSH::heuristic_failed_login(c: connection)
 $sub=fmt("%d apparently failed logins", password_rejections[id$orig_h]$n),
 $n=password_rejections[id$orig_h]$n]);
 }
-}
\ No newline at end of file
+}
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
index 97bd0a5803..4dfd8bbae4 100644
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@@ -1,6 +1,9 @@
 ##! This implements all of the additional information and geodata detections
 ##! for SSH analysis.
+@load base/frameworks/notice/main
+@load base/protocols/ssh/main
+
 module SSH;
 export {
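Review bot: scripts/policy/protocols/ssh/detect-bruteforcing.bro now loads `base/frameworks/notice/main` and `base/utils/thresholds` but not `base/protocols/ssh/main`, even though its second hunk shows it handling `SSH::heuristic_failed_login`, and the geo-data.bro hunk in this same commit adds `@load base/protocols/ssh/main` for what looks like the same dependency. If bare-mode loading of this script still passes, the event is presumably declared somewhere already on its load path, but adding `@load base/protocols/ssh/main` here makes the dependency explicit rather than incidental; the same consideration applies to interesting-hostnames.bro in the next hunk, which also gains only the notice import. The body of the `SSH::heuristic_failed_login` handler starts outside the second hunk.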
diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.bro
index cf6ab7e40a..c0c6262be1 100644
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/notice/main
 module SSH;
diff --git a/scripts/site/local-manager.bro b/scripts/site/local-manager.bro
index aa28bd79da..e1e7e83a5e 100644
--- a/scripts/site/local-manager.bro
+++ b/scripts/site/local-manager.bro
@@ -1,5 +1,7 @@
 ##! Local site policy loaded only by the manager in a cluster.
+@load base/frameworks/notice/main
+
 # If you are running a cluster you should define your Notice::policy here
 # so that notice processing occurs on the manager.
 redef Notice::policy += {
From 7ea0646f302cad8a84f60332e9638e67f60a7bc3 Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Thu, 11 Aug 2011 10:31:36 -0700
Subject: [PATCH 11/21] Make reference to the other script a link
---
 scripts/policy/protocols/http/detect-MHR.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/policy/protocols/http/detect-MHR.bro b/scripts/policy/protocols/http/detect-MHR.bro
index fd54a62aeb..2f7a01f208 100644
--- a/scripts/policy/protocols/http/detect-MHR.bro
+++ b/scripts/policy/protocols/http/detect-MHR.bro
@@ -1,7 +1,7 @@
 ##! This script takes MD5 sums of files transferred over HTTP and checks them with
 ##! Team Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
 ##! By default, not all file transfers will have MD5 sums calculated. Read the
-##! documentation for the base/protocols/http/file-hash.bro script to see how to
+##! documentation for the :doc:base/protocols/http/file-hash.bro script to see how to
 ##! configure which transfers will have hashes calculated.
 export {
From 88f7db927e1cdff61e96ea45b1f8bf81ff7f2468 Mon Sep 17 00:00:00 2001
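Review bot: The new `:doc:base/protocols/http/file-hash.bro` in detect-MHR.bro is missing the backticks an RST role needs around its target, so it will not be rendered as a link, which is the stated purpose of the commit. Elsewhere in this series the roles are written with backticks, as in :bro:id:`use_conn_size_analyzer`, and the matching form for this line is ##! documentation for the :doc:`base/protocols/http/file-hash.bro` script to see how to.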
From: Gregor Maier
Date: Thu, 11 Aug 2011 12:20:38 -0700
Subject: [PATCH 12/21] SSH base scripts: make sure ConnSizeAnalyzer variables are available before using them.
---
 scripts/base/protocols/ssh/main.bro | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 5233c6da97..f094f78d21 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -88,6 +88,11 @@ function check_ssh_connection(c: connection, done: bool)
 if ( c$ssh$done )
 return;
+# Make sure conn_size_analyzer is active by checking
+# resp$num_bytes_ip
+if ( !c$resp?$num_bytes_ip )
+return;
+
 # If this is still a live connection and the byte count has not
 # crossed the threshold, just return and let the resheduled check happen later.
 if ( !done && c$resp$num_bytes_ip < authentication_data_size )
From fe5624fb06d16e8d16f27cace627fcef4e731d96 Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Thu, 11 Aug 2011 12:21:42 -0700
Subject: [PATCH 13/21] Add ConnSize_Analyzer's fields to conn.log
---
 scripts/base/protocols/conn/main.bro | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index 69c4cde64b..8425e59640 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -12,7 +12,11 @@ export {
 proto: transport_proto &log;
 service: string &log &optional;
 duration: interval &log &optional;
+## The number of payload bytes the originator sent. For TCP
+## this is taken from sequence numbers and might be inaccurate
+## (e.g., due to large connections)
 orig_bytes: count &log &optional;
+## The number of payload bytes the responder sent. See ``orig_bytes``.
 resp_bytes: count &log &optional;
 ## ========== ===============================================
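Review bot: The new `if ( !c$resp?$num_bytes_ip ) return;` in check_ssh_connection makes the rest of the function a silent no-op whenever the connection size analyzer is not active, and nothing tells the operator that the SSH login heuristic (and whatever the function does after the threshold check, which is outside this hunk) has been disabled. A one-time reporter warning, or at least a note in the script's header that the SSH heuristic depends on `use_conn_size_analyzer`, would turn a silent detection gap into a visible configuration issue; the comment above the check could also state the consequence, e.g. `# Without the conn size analyzer there is no byte count to apply the heuristic to, so the connection is never classified.` check_ssh_connection starts before this hunk and continues after it.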
@@ -68,6 +72,17 @@ export {
 ## for instance. I.e., we just record that data went in that direction.
 ## This history is not meant to encode how much data that happened to be.
 history: string &log &optional;
+ ## Number of packets the originator sent.
+ ## Only set if :bro:id:`use_conn_size_analyzer`=T
+ orig_pkts: count &log &optional;
+ ## Number IP level bytes the originator sent (as seen on the wire,
+ ## taken from IP total_length header field).
+ ## Only set if :bro:id:`use_conn_size_analyzer`=T
+ orig_ip_bytes: count &log &optional;
+ ## Number of packets the responder sent. See ``orig_pkts``.
+ resp_pkts: count &log &optional;
+ ## Number IP level bytes the responder sent. See ``orig_pkts``.
+ resp_ip_bytes: count &log &optional;
 };
 global log_conn: event(rec: Info);
@@ -163,11 +178,18 @@ function set_conn(c: connection, eoc: bool)
 if ( c$duration > 0secs )
 {
 c$conn$duration=c$duration;
- # TODO: these should optionally use Gregor's new
- # actual byte counting code if it's enabled.
 c$conn$orig_bytes=c$orig$size;
 c$conn$resp_bytes=c$resp$size;
 }
+ if ( c$orig?$num_pkts )
+ {
+ # these are set if use_conn_size_analyzer=T
+ # we can have counts in here even without duration>0
+ c$conn$orig_pkts = c$orig$num_pkts;
+ c$conn$orig_ip_bytes = c$orig$num_bytes_ip;
+ c$conn$resp_pkts = c$resp$num_pkts;
+ c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
+ }
 local service = determine_service(c);
 if ( service != "" )
 c$conn$service=service;
From eacfbea3fece6c7f28434af32f7780cdd1944e66 Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Thu, 11 Aug 2011 14:25:34 -0700
Subject: [PATCH 14/21] (Semiautomatically) convert the comments in bare-init.bro into autodoc ones. With manual tuning were it made sense.

---
 scripts/base/init-bare.bro | 796 +++++++++++++++++++------------------
 1 file changed, 413 insertions(+), 383 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f1468cea6b..6e71f2ba88 100644
--- a/scripts/base/init-bare.bro
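Review bot: The new block in set_conn tests only `c$orig?$num_pkts` but then reads three other `&optional` fields (`c$orig$num_bytes_ip`, `c$resp$num_pkts`, `c$resp$num_bytes_ip`), and reading an unset optional field fails at runtime in Bro; the endpoint record doc in this series says both counters are set when `use_conn_size_analyzer` is true, so presumably they are populated together per endpoint, but guarding each endpoint costs nothing: `if ( c$orig?$num_pkts && c$resp?$num_pkts )`. The comment `# these are set if use_conn_size_analyzer=T` would be clearer as `# Populated by the ConnSize analyzer (use_conn_size_analyzer=T); present even when duration is 0.` The `orig_bytes` doc in the earlier hunk of this file says the sequence-number count "might be inaccurate"; a reader deciding which of the two byte fields to trust would want that comment to say the `*_ip_bytes` fields are the wire-observed alternative. set_conn's body continues outside the hunk.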
+++ b/scripts/base/init-bare.bro @@ -29,7 +29,7 @@ type icmp_conn: record { }; type icmp_hdr: record { - icmp_type: count; # type of message + icmp_type: count; ##< type of message }; type icmp_context: record { @@ -57,16 +57,19 @@ type dns_mapping: record { type ftp_port: record { h: addr; p: port; - valid: bool; # true if format was right + valid: bool; ##< true if format was right }; type endpoint: record { - size: count; # logical size (for TCP: from seq numbers) + size: count; ##< logical size (for TCP: from seq numbers) state: count; - # The following are set if use_conn_size_analyzer is T. - num_pkts: count &optional; # number of packets on the wire - num_bytes_ip: count &optional; # actual number of IP-level bytes on the wire + ## Number of packets on the wire + ## Set if :bro:id:`use_conn_size_analyzer` is true. + num_pkts: count &optional; + ## Number of IP-level bytes on the wire + ## Set if :bro:id:`use_conn_size_analyzer` is true. + num_bytes_ip: count &optional; }; type endpoint_stats: record { @@ -87,9 +90,9 @@ type connection: record { resp: endpoint; start_time: time; duration: interval; - service: string_set; # if empty, service hasn't been determined + service: string_set; ##< if empty, service hasn't been determined addl: string; - hot: count; # how hot; 0 = don't know or not hot + hot: count; ##< how hot; 0 = don't know or not hot history: string; uid: string; }; 
@@ -114,30 +117,30 @@ type NetStats: record { }; type bro_resources: record { - version: string; # Bro version string - debug: bool; # true if compiled with --enable-debug - start_time: time; # start time of process - real_time: interval; # elapsed real time since Bro started running - user_time: interval; # user CPU seconds - system_time: interval; # system CPU seconds - mem: count; # maximum memory consumed, in KB - minor_faults: count; # page faults not requiring actual I/O - major_faults: count; # page faults requiring actual I/O - num_swap: count; # times swapped out - blocking_input: count; # blocking input operations - blocking_output: count; # blocking output operations - num_context: count; # number of involuntary context switches + version: string; ##< Bro version string + debug: bool; ##< true if compiled with --enable-debug + start_time: time; ##< start time of process + real_time: interval; ##< elapsed real time since Bro started running + user_time: interval; ##< user CPU seconds + system_time: interval; ##< system CPU seconds + mem: count; ##< maximum memory consumed, in KB + minor_faults: count; ##< page faults not requiring actual I/O + major_faults: count; ##< page faults requiring actual I/O + num_swap: count; ##< times swapped out + blocking_input: count; ##< blocking input operations + blocking_output: count; ##< blocking output operations + num_context: count; ##< number of involuntary context switches - num_TCP_conns: count; # current number of TCP connections + num_TCP_conns: count; ##< current number of TCP connections num_UDP_conns: count; num_ICMP_conns: count; - num_fragments: count; # current number of fragments pending reassembly - num_packets: count; # total number packets processed to date - num_timers: count; # current number of pending timers - num_events_queued: count; # total number of events queued so far - num_events_dispatched: count; # same for events dispatched + num_fragments: count; ##< current number of fragments pending 
reassembly + num_packets: count; ##< total number packets processed to date + num_timers: count; ##< current number of pending timers + num_events_queued: count; ##< total number of events queued so far + num_events_dispatched: count; ##< same for events dispatched - max_TCP_conns: count; # maximum number of TCP connections, etc. + max_TCP_conns: count; ##< maximum number of TCP connections, etc. max_UDP_conns: count; max_ICMP_conns: count; max_fragments: count; 
@@ -145,34 +148,34 @@ type bro_resources: record { }; -# Summary statistics of all DFA_State_Caches. +## Summary statistics of all DFA_State_Caches. type matcher_stats: record { - matchers: count; # number of distinct RE matchers - dfa_states: count; # number of DFA states across all matchers - computed: count; # number of computed DFA state transitions - mem: count; # number of bytes used by DFA states - hits: count; # number of cache hits - misses: count; # number of cache misses - avg_nfa_states: count; # average # NFA states across all matchers + matchers: count; ##< number of distinct RE matchers + dfa_states: count; ##< number of DFA states across all matchers + computed: count; ##< number of computed DFA state transitions + mem: count; ##< number of bytes used by DFA states + hits: count; ##< number of cache hits + misses: count; ##< number of cache misses + avg_nfa_states: count; ##< average # NFA states across all matchers }; -# Info provided to gap_report, and also available by get_gap_summary(). +## Info provided to gap_report, and also available by get_gap_summary(). type gap_info: record { - ack_events: count; # how many ack events *could* have had gaps - ack_bytes: count; # how many bytes those covered - gap_events: count; # how many *did* have gaps - gap_bytes: count; # how many bytes were missing in the gaps: + ack_events: count; ##< how many ack events *could* have had gaps + ack_bytes: count; ##< how many bytes those covered + gap_events: count; ##< how many *did* have gaps + gap_bytes: count; ##< how many bytes were missing in the gaps: }; # This record should be read-only. 
 type packet: record {
 conn: connection;
 is_orig: bool;
- seq: count; # seq=k => it is the kth *packet* of the connection
+ seq: count; ##< seq=k => it is the kth *packet* of the connection
 timestamp: time;
 };
-type var_sizes: table[string] of count; # indexed by var's name, returns size
+type var_sizes: table[string] of count; ##< indexed by var's name, returns size
 type script_id: record {
 type_name: string;
@@ -213,30 +216,30 @@ type IPAddrAnonymization: enum {
 };
 type IPAddrAnonymizationClass: enum {
- ORIG_ADDR, # client address
- RESP_ADDR, # server address
+ ORIG_ADDR, ##< client address
+ RESP_ADDR, ##< server address
 OTHER_ADDR,
 };
-# Events are generated by event_peer's (which may be either ourselves, or
-# some remote process).
+## Events are generated by event_peer's (which may be either ourselves, or
+## some remote process).
 type peer_id: count;
 type event_peer: record {
- id: peer_id; # locally unique ID of peer (returned by connect())
+ id: peer_id; ##< locally unique ID of peer (returned by connect())
 host: addr;
 p: port;
- is_local: bool; # true if this peer describes the current process.
- descr: string; # source's external_source_description
+ is_local: bool; ##< true if this peer describes the current process.
+ descr: string; ##< source's external_source_description
 class: string &optional; # self-assigned class of the peer
 };
 type rotate_info: record {
- old_name: string; # original filename
- new_name: string; # file name after rotation
- open: time; # time when opened
- close: time; # time when closed
+ old_name: string; ##< original filename
+ new_name: string; ##< file name after rotation
+ open: time; ##< time when opened
+ close: time; ##< time when closed
 };
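Review bot: In the event_peer record the field `class: string &optional; # self-assigned class of the peer` is the only one left with a plain `#` comment while `id`, `is_local` and `descr` were converted, so it will be absent from the generated docs; `class: string &optional; ##< self-assigned class of the peer`. The same record still leaves `host` and `p` undocumented, which is pre-existing but cheap to fix in the same pass.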
@@ -249,29 +252,29 @@ type rotate_info: record { # }; type sw_params: record { - # Minimum size of a substring, minimum "granularity". + ## Minimum size of a substring, minimum "granularity". min_strlen: count &default = 3; - # Smith-Waterman flavor to use. + ## Smith-Waterman flavor to use. sw_variant: count &default = 0; }; type sw_align: record { - str: string; # string a substring is part of - index: count; # at which offset + str: string; ##< string a substring is part of + index: count; ##< at which offset }; type sw_align_vec: vector of sw_align; type sw_substring: record { - str: string; # a substring - aligns: sw_align_vec; # all strings of which it's a substring - new: bool; # true if start of new alignment + str: string; ##< a substring + aligns: sw_align_vec; ##< all strings of which it's a substring + new: bool; ##< true if start of new alignment }; type sw_substring_vec: vector of sw_substring; -# Policy-level handling of pcap packets. +## Policy-level handling of pcap packets. type pcap_packet: record { ts_sec: count; ts_usec: count; @@ -280,7 +283,7 @@ type pcap_packet: record { data: string; }; -# GeoIP support. +## GeoIP support. type geo_location: record { country_code: string &optional; region: string &optional; @@ -305,10 +308,10 @@ type entropy_test_result: record { global log_file_name: function(tag: string): string &redef; global open_log_file: function(tag: string): file &redef; -# Where to store the persistent state. +## Where to store the persistent state. const state_dir = ".state" &redef; -# Length of the delays added when storing state incrementally. +## Length of the delays added when storing state incrementally. const state_write_delay = 0.01 secs &redef; global done_with_network = F; 
@@ -366,149 +369,158 @@ const TCP_ESTABLISHED = 4; const TCP_CLOSED = 5; const TCP_RESET = 6; -# If true, don't verify checksums. Useful for running on altered trace -# files, and for saving a few cycles, but of course dangerous, too ... -# Note that the -C command-line option overrides the setting of this -# variable. +## If true, don't verify checksums. Useful for running on altered trace +## files, and for saving a few cycles, but of course dangerous, too ... +## Note that the -C command-line option overrides the setting of this +## variable. const ignore_checksums = F &redef; -# If true, instantiate connection state when a partial connection -# (one missing its initial establishment negotiation) is seen. +## If true, instantiate connection state when a partial connection +## (one missing its initial establishment negotiation) is seen. const partial_connection_ok = T &redef; -# If true, instantiate connection state when a SYN ack is seen -# but not the initial SYN (even if partial_connection_ok is false). +## If true, instantiate connection state when a SYN ack is seen +## but not the initial SYN (even if partial_connection_ok is false). const tcp_SYN_ack_ok = T &redef; -# If a connection state is removed there may still be some undelivered -# data waiting in the reassembler. If true, pass this to the signature -# engine before flushing the state. +## If a connection state is removed there may still be some undelivered +## data waiting in the reassembler. If true, pass this to the signature +## engine before flushing the state. const tcp_match_undelivered = T &redef; -# Check up on the result of an initial SYN after this much time. +## Check up on the result of an initial SYN after this much time. const tcp_SYN_timeout = 5 secs &redef; -# After a connection has closed, wait this long for further activity -# before checking whether to time out its state. 
+## After a connection has closed, wait this long for further activity +## before checking whether to time out its state. const tcp_session_timer = 6 secs &redef; -# When checking a closed connection for further activity, consider it -# inactive if there hasn't been any for this long. Complain if the -# connection is reused before this much time has elapsed. +## When checking a closed connection for further activity, consider it +## inactive if there hasn't been any for this long. Complain if the +## connection is reused before this much time has elapsed. const tcp_connection_linger = 5 secs &redef; -# Wait this long upon seeing an initial SYN before timing out the -# connection attempt. +## Wait this long upon seeing an initial SYN before timing out the +## connection attempt. const tcp_attempt_delay = 5 secs &redef; -# Upon seeing a normal connection close, flush state after this much time. +## Upon seeing a normal connection close, flush state after this much time. const tcp_close_delay = 5 secs &redef; -# Upon seeing a RST, flush state after this much time. +## Upon seeing a RST, flush state after this much time. const tcp_reset_delay = 5 secs &redef; -# Generate a connection_partial_close event this much time after one half -# of a partial connection closes, assuming there has been no subsequent -# activity. +## Generate a :bro:id:`connection_partial_close` event this much time after one half +## of a partial connection closes, assuming there has been no subsequent +## activity. const tcp_partial_close_delay = 3 secs &redef; -# If a connection belongs to an application that we don't analyze, -# time it out after this interval. If 0 secs, then don't time it out. +## If a connection belongs to an application that we don't analyze, +## time it out after this interval. If 0 secs, then don't time it out. const non_analyzed_lifetime = 0 secs &redef; -# If a connection is inactive, time it out after this interval. -# If 0 secs, then don't time it out. 
+## If a connection is inactive, time it out after this interval. +## If 0 secs, then don't time it out. const tcp_inactivity_timeout = 5 min &redef; +## See :bro:id:`tcp_inactivity_timeout` const udp_inactivity_timeout = 1 min &redef; +## See :bro:id:`tcp_inactivity_timeout` const icmp_inactivity_timeout = 1 min &redef; -# This many FINs/RSTs in a row constitutes a "storm". +## This many FINs/RSTs in a row constitutes a "storm". const tcp_storm_thresh = 1000 &redef; -# The FINs/RSTs must come with this much time or less between them. +## The FINs/RSTs must come with this much time or less between them. const tcp_storm_interarrival_thresh = 1 sec &redef; -# Maximum amount of data that might plausibly be sent in an initial -# flight (prior to receiving any acks). Used to determine whether we -# must not be seeing our peer's acks. Set to zero to turn off this -# determination. +## Maximum amount of data that might plausibly be sent in an initial +## flight (prior to receiving any acks). Used to determine whether we +## must not be seeing our peer's acks. Set to zero to turn off this +## determination. const tcp_max_initial_window = 4096; -# If we're not seeing our peer's acks, the maximum volume of data above -# a sequence hole that we'll tolerate before assuming that there's -# been a packet drop and we should give up on tracking a connection. -# If set to zero, then we don't ever give up. +## If we're not seeing our peer's acks, the maximum volume of data above +## a sequence hole that we'll tolerate before assuming that there's +## been a packet drop and we should give up on tracking a connection. +## If set to zero, then we don't ever give up. const tcp_max_above_hole_without_any_acks = 4096; -# If we've seen this much data without any of it being acked, we give up -# on that connection to avoid memory exhaustion due to buffering all that -# stuff. If set to zero, then we don't ever give up. 
Ideally, Bro would -# track the current window on a connection and use it to infer that data -# has in fact gone too far, but for now we just make this quite beefy. +## If we've seen this much data without any of it being acked, we give up +## on that connection to avoid memory exhaustion due to buffering all that +## stuff. If set to zero, then we don't ever give up. Ideally, Bro would +## track the current window on a connection and use it to infer that data +## has in fact gone too far, but for now we just make this quite beefy. const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024; -# For services without a handler, these sets define which -# side of a connection is to be reassembled. +## For services without a handler, these sets define which +## side of a connection is to be reassembled. const tcp_reassembler_ports_orig: set[port] = {} &redef; +## See :bro:id:`tcp_reassembler_ports_orig` const tcp_reassembler_ports_resp: set[port] = {} &redef; -# These sets define destination ports for which the contents -# of the originator (responder, respectively) stream should -# be delivered via tcp_contents. +## These sets define destination ports for which the contents +## of the originator (responder, respectively) stream should +## be delivered via tcp_contents. const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef; +## See :bro:id:`tcp_content_delivery_ports_orig` const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef; # To have all TCP orig->resp/resp->orig traffic reported via tcp_contents, # redef these to T. const tcp_content_deliver_all_orig = F &redef; +## See :bro:id:`tcp_content_deliver_all_orig` const tcp_content_deliver_all_resp = F &redef; -# These sets define destination ports for which the contents -# of the originator (responder, respectively) stream should -# be delivered via udp_contents. 
+## These sets define destination ports for which the contents +## of the originator (responder, respectively) stream should +## be delivered via udp_contents. const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; +## See :bro:id:`udp_content_delivery_ports_orig` const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; -# To have all UDP orig->resp/resp->orig traffic reported via udp_contents, -# redef these to T. +## To have all UDP orig->resp/resp->orig traffic reported via udp_contents, +## redef these to T. const udp_content_deliver_all_orig = F &redef; +## See :bro:id:`udp_content_deliver_all_orig` const udp_content_deliver_all_resp = F &redef; -# Check for expired table entries after this amount of time +## Check for expired table entries after this amount of time const table_expire_interval = 10 secs &redef; -# When expiring/serializing, don't work on more than this many table -# entries at a time. +## When expiring/serializing, don't work on more than this many table +## entries at a time. const table_incremental_step = 5000 &redef; -# When expiring, wait this amount of time before checking the next chunk -# of entries. +## When expiring, wait this amount of time before checking the next chunk +## of entries. const table_expire_delay = 0.01 secs &redef; -# Time to wait before timing out a DNS/NTP/RPC request. +## Time to wait before timing out a DNS request. const dns_session_timeout = 10 sec &redef; +## Time to wait before timing out a NTP request. const ntp_session_timeout = 300 sec &redef; +## Time to wait before timing out a RPC request. const rpc_timeout = 24 sec &redef; -# Time window for reordering packets (to deal with timestamp -# discrepency between multiple packet sources). +## Time window for reordering packets (to deal with timestamp +## discrepency between multiple packet sources). const packet_sort_window = 0 usecs &redef; -# How long to hold onto fragments for possible reassembly. 
A value -# of 0.0 means "forever", which resists evasion, but can lead to -# state accrual. +## How long to hold onto fragments for possible reassembly. A value +## of 0.0 means "forever", which resists evasion, but can lead to +## state accrual. const frag_timeout = 0.0 sec &redef; -# If positive, indicates the encapsulation header size that should -# be skipped over for each captured packet .... +## If positive, indicates the encapsulation header size that should +## be skipped over for each captured packet .... const encap_hdr_size = 0 &redef; -# ... or just for the following UDP port. +## ... or just for the following UDP port. const tunnel_port = 0/udp &redef; -# Whether to use the ConnSize analyzer to count the number of -# packets and IP-level bytes transfered by each endpoint. If -# true, these values are returned in the connection's endpoint -# record val. +## Whether to use the ConnSize analyzer to count the number of +## packets and IP-level bytes transfered by each endpoint. If +## true, these values are returned in the connection's endpoint +## record val. const use_conn_size_analyzer = T &redef; const UDP_INACTIVE = 0; @@ -539,6 +551,7 @@ function append_addl_marker(c: connection, addl: string, marker: string) # Values for set_contents_file's "direction" argument. +# TODO: these should go into an enum to make them autodoc'able const CONTENTS_NONE = 0; # turn off recording of contents const CONTENTS_ORIG = 1; # record originator contents const CONTENTS_RESP = 2; # record responder contents 
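Review bot: The two-line comment above `tcp_content_deliver_all_orig` (`# To have all TCP orig->resp/resp->orig traffic reported via tcp_contents,` / `# redef these to T.`) was left as a plain `#` comment while its UDP counterpart a few lines below was converted to `##`, so the TCP constant gets no autodoc text while the UDP one does; convert both lines to `##`. While this hunk touches the `ignore_checksums` doc, "of course dangerous, too ..." could say what the danger is for the reader deciding whether to set it, e.g. `## A packet with a bad checksum is discarded by the receiving host but would still be analyzed here, so analysis can diverge from what the endpoint actually processed.`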
@@ -564,44 +577,44 @@ const IPPROTO_UDP = 17; # user datagram protocol const IPPROTO_RAW = 255; # raw IP packet type ip_hdr: record { - hl: count; # header length (in bytes) - tos: count; # type of service - len: count; # total length - id: count; # identification - ttl: count; # time to live - p: count; # protocol - src: addr; # source address - dst: addr; # dest address + hl: count; ##< header length (in bytes) + tos: count; ##< type of service + len: count; ##< total length + id: count; ##< identification + ttl: count; ##< time to live + p: count; ##< protocol + src: addr; ##< source address + dst: addr; ##< dest address }; -# TCP flags. +## TCP flags. const TH_FIN = 1; const TH_SYN = 2; const TH_RST = 4; const TH_PUSH = 8; const TH_ACK = 16; const TH_URG = 32; -const TH_FLAGS = 63; # (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) +const TH_FLAGS = 63; ##< (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) type tcp_hdr: record { - sport: port; # source port - dport: port; # destination port - seq: count; # sequence number - ack: count; # acknowledgement number - hl: count; # header length (in bytes) - dl: count; # data length (xxx: not in original tcphdr!) - flags: count; # flags - win: count; # window + sport: port; ##< source port + dport: port; ##< destination port + seq: count; ##< sequence number + ack: count; ##< acknowledgement number + hl: count; ##< header length (in bytes) + dl: count; ##< data length (xxx: not in original tcphdr!) + flags: count; ##< flags + win: count; ##< window }; type udp_hdr: record { - sport: port; # source port - dport: port; # destination port - ulen: count; # udp length + sport: port; ##< source port + dport: port; ##< destination port + ulen: count; ##< udp length }; -# Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr. +## Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr. type pkt_hdr: record { ip: ip_hdr; tcp: tcp_hdr &optional; 
@@ -610,13 +623,13 @@ type pkt_hdr: record {
 };
-# If you add elements here, then for a given BPF filter as index, when
-# a packet matching that filter is captured, the corresponding event handler
-# will be invoked.
+## If you add elements here, then for a given BPF filter as index, when
+## a packet matching that filter is captured, the corresponding event handler
+## will be invoked.
 global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr) &redef;
-global discarder_maxlen = 128 &redef; # maximum amount of data passed to fnc
+global discarder_maxlen = 128 &redef; ##< maximum amount of data passed to fnc
 global discarder_check_ip: function(i: ip_hdr): bool;
 global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
@@ -626,17 +639,18 @@ global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
 const watchdog_interval = 10 sec &redef;
-# The maximum number of timers to expire after processing each new
-# packet. The value trades off spreading out the timer expiration load
-# with possibly having to hold state longer. A value of 0 means
-# "process all expired timers with each new packet".
+## The maximum number of timers to expire after processing each new
+## packet. The value trades off spreading out the timer expiration load
+## with possibly having to hold state longer. A value of 0 means
+## "process all expired timers with each new packet".
 const max_timer_expires = 300 &redef;
-# With a similar trade-off, this gives the number of remote events
-# to process in a batch before interleaving other activity.
+## With a similar trade-off, this gives the number of remote events
+## to process in a batch before interleaving other activity.
 const max_remote_events_processed = 10 &redef;
 # These need to match the definitions in Login.h.
+# TODO: use enum to make them autodoc'able
 const LOGIN_STATE_AUTHENTICATE = 0; # trying to authenticate
 const LOGIN_STATE_LOGGED_IN = 1; # successful authentication
 const LOGIN_STATE_SKIP = 2; # skip any further processing
@@ -714,37 +728,42 @@ const RPC_status = { module NFS3; export { - # Should the read and write events return the file data that has been - # read/written? + ## Should the read and write events return the file data that has been + ## read/written? const return_data = F &redef; - # If nfs_return_data is true, how much data should be returned at most. + ## If bro:id:`nfs_return_data` is true, how much data should be returned at most. const return_data_max = 512 &redef; - # If nfs_return_data is true, whether to *only* return data if the read or write - # offset is 0, i.e., only return data for the beginning of the file. + ## If nfs_return_data is true, whether to *only* return data if the read or write + ## offset is 0, i.e., only return data for the beginning of the file. const return_data_first_only = T &redef; - # This record summarizes the general results and status of NFSv3 request/reply - # pairs. It's part of every NFSv3 event. + ## This record summarizes the general results and status of NFSv3 request/reply + ## pairs. It's part of every NFSv3 event. type info_t: record { - rpc_stat: rpc_status; # If this indicates not successful, the reply record in the - # events will be empty and contain uninitialized fields, so - # don't use it. + ## If this indicates not successful, the reply record in the + ## events will be empty and contain uninitialized fields, so + ## don't use it. + rpc_stat: rpc_status; nfs_stat: status_t; - # The start time, duration, and length in bytes of the request (call). Note that - # the start and end time might not be accurate. For TCP, we record the - # time when a chunk of data is delivered to the analyzer. Depending on the - # Reassembler, this might be well after the first packet of the request - # was received. + ## The start time, duration, and length in bytes of the request (call). Note that + ## the start and end time might not be accurate. For TCP, we record the + ## time when a chunk of data is delivered to the analyzer. 
Depending on the + ## Reassembler, this might be well after the first packet of the request + ## was received. req_start: time; + ## See :bro:id:`req_start` req_dur: interval; + ## See :bro:id:`req_start` req_len: count; - # Same for the reply. + ## Like :bro:id:`req_start` but for reply. rep_start: time; + ## Like :bro:id:`req_dur` but for reply. rep_dur: interval; + ## Like :bro:id:`req_len` but for reply. rep_len: count; }; 
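Review bot: The converted doc on `return_data_max` reads `## If bro:id:` followed by `nfs_return_data` in backticks, which has two problems: the role is missing its leading colon (`:bro:id:`), and `nfs_return_data` is not the name of the constant it refers to, which is `return_data` inside module NFS3 a few lines above (the unchanged-text `return_data_first_only` comment carries the same stale name). The new `## See :bro:id:` lines on `req_dur` and `req_len` point the id role at record fields rather than identifiers, which presumably will not resolve in the autodoc; plain `## See req_start.` is safer. Consider also wrapping both docs so the `rpc_stat` comment says which field it qualifies, since it now sits above the field instead of beside it.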
@@ -767,49 +786,49 @@ export { }; type diropargs_t : record { - dirfh: string; # the file handle of the directory - fname: string; # the name of the file we are interested in + dirfh: string; ##< the file handle of the directory + fname: string; ##< the name of the file we are interested in }; # Note, we don't need a "post_op_attr" type. We use an "fattr_t &optional" # instead. + ## If the lookup failed, dir_attr may be set. + ## If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set. type lookup_reply_t: record { - # If the lookup failed, dir_attr may be set. - # If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set. - fh: string &optional; # file handle of object looked up - obj_attr: fattr_t &optional; # optional attributes associated w/ file - dir_attr: fattr_t &optional; # optional attributes associated w/ dir. + fh: string &optional; ##< file handle of object looked up + obj_attr: fattr_t &optional; ##< optional attributes associated w/ file + dir_attr: fattr_t &optional; ##< optional attributes associated w/ dir. }; type readargs_t: record { - fh: string; # file handle to read from - offset: count; # offset in file - size: count; # number of bytes to read + fh: string; ##< file handle to read from + offset: count; ##< offset in file + size: count; ##< number of bytes to read }; + ## If the lookup fails, attr may be set. If the lookup succeeds, attr may be set + ## and all other fields are set. type read_reply_t: record { - # If the lookup fails, attr may be set. If the lookup succeeds, attr may be set - # and all other fields are set. - attr: fattr_t &optional; # attributes - size: count &optional; # number of bytes read - eof: bool &optional; # did the read end at EOF - data: string &optional; # the actual data; not yet implemented. 
+ attr: fattr_t &optional; ##< attributes + size: count &optional; ##< number of bytes read + eof: bool &optional; ##< did the read end at EOF + data: string &optional; ##< the actual data; not yet implemented. }; + ## If the request fails, attr may be set. If the request succeeds, attr may be + ## set and all other fields are set. type readlink_reply_t: record { - # If the request fails, attr may be set. If the request succeeds, attr may be - # set and all other fields are set. - attr: fattr_t &optional; # attributes - nfspath: string &optional; # the contents of the symlink; in general a pathname as text + attr: fattr_t &optional; ##< attributes + nfspath: string &optional; ##< the contents of the symlink; in general a pathname as text }; type writeargs_t: record { - fh: string; # file handle to write to - offset: count; # offset in file - size: count; # number of bytes to write - stable: stable_how_t; # how and when data is commited - data: string &optional; # the actual data; not implemented yet + fh: string; ##< file handle to write to + offset: count; ##< offset in file + size: count; ##< number of bytes to write + stable: stable_how_t; ##< how and when data is commited + data: string &optional; ##< the actual data; not implemented yet }; type wcc_attr_t: record { 
@@ -818,65 +837,65 @@ export { mtime: time; }; + ## If the request fails, pre|post attr may be set. If the request succeeds, + ## pre|post attr may be set and all other fields are set. type write_reply_t: record { - # If the request fails, pre|post attr may be set. If the request succeeds, - # pre|post attr may be set and all other fields are set. - preattr: wcc_attr_t &optional; # pre operation attributes - postattr: fattr_t &optional; # post operation attributes + preattr: wcc_attr_t &optional; ##< pre operation attributes + postattr: fattr_t &optional; ##< post operation attributes size: count &optional; commited: stable_how_t &optional; - verf: count &optional; # write verifier cookue + verf: count &optional; ##< write verifier cookue }; - # reply for create, mkdir, symlink + ## reply for create, mkdir, symlink + ## If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and + ## the attr's may be set. Note: no guarantee that fh is set after + ## success. type newobj_reply_t: record { - # If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and - # the attr's may be set. Note: no guarantee that fh is set after - # success. - fh: string &optional; # file handle of object created - obj_attr: fattr_t &optional; # optional attributes associated w/ new object - dir_pre_attr: wcc_attr_t &optional; # optional attributes associated w/ dir - dir_post_attr: fattr_t &optional; # optional attributes associated w/ dir + fh: string &optional; ##< file handle of object created + obj_attr: fattr_t &optional; ##< optional attributes associated w/ new object + dir_pre_attr: wcc_attr_t &optional; ##< optional attributes associated w/ dir + dir_post_attr: fattr_t &optional; ##< optional attributes associated w/ dir }; - # reply for remove, rmdir - # Corresponds to "wcc_data" in the spec. + ## reply for remove, rmdir + ## Corresponds to "wcc_data" in the spec. 
type delobj_reply_t: record {
- dir_pre_attr: wcc_attr_t &optional; # optional attributes associated w/ dir
- dir_post_attr: fattr_t &optional; # optional attributes associated w/ dir
+ dir_pre_attr: wcc_attr_t &optional; ##< optional attributes associated w/ dir
+ dir_post_attr: fattr_t &optional; ##< optional attributes associated w/ dir
 };
- # This record is used for both readdir and readdirplus.
+ ## This record is used for both readdir and readdirplus.
 type readdirargs_t: record {
- isplus: bool; # is this a readdirplus request?
- dirfh: string; # the directory filehandle
- cookie: count; # cookie / pos in dir; 0 for first call
- cookieverf: count; # the cookie verifier
- dircount: count; # "count" field for readdir; maxcount otherwise (in bytes)
- maxcount: count &optional; # only used for readdirplus. in bytes
+ isplus: bool; ##< is this a readdirplus request?
+ dirfh: string; ##< the directory filehandle
+ cookie: count; ##< cookie / pos in dir; 0 for first call
+ cookieverf: count; ##< the cookie verifier
+ dircount: count; ##< "count" field for readdir; maxcount otherwise (in bytes)
+ maxcount: count &optional; ##< only used for readdirplus. in bytes
 };
+ ## fh and attr are used for readdirplus. However, even for readdirplus they may
+ ## not be filled out.
 type direntry_t: record {
- # fh and attr are used for readdirplus. However, even for readdirplus they may
- # not be filled out.
- fileid: count; # e.g., inode number
- fname: string; # filename
+ fileid: count; ##< e.g., inode number
+ fname: string; ##< filename
 cookie: count;
- attr: fattr_t &optional; # readdirplus: the FH attributes for the entry
- fh: string &optional; # readdirplus: the FH for the entry
+ attr: fattr_t &optional; ##< readdirplus: the FH attributes for the entry
+ fh: string &optional; ##< readdirplus: the FH for the entry
 };
 type direntry_vec_t: vector of direntry_t;
- # Used for readdir and readdirplus.
+ ## Used for readdir and readdirplus.
+ ## If error: dir_attr might be set. If success: dir_attr may be set, all others
+ ## must be set.
 type readdir_reply_t: record {
- # If error: dir_attr might be set. If success: dir_attr may be set, all others
- # must be set.
- isplus: bool; # is the reply for a readdirplus request
+ isplus: bool; ##< is the reply for a readdirplus request
 dir_attr: fattr_t &optional;
 cookieverf: count &optional;
 entries: direntry_vec_t &optional;
- eof: bool; # if true, no more entries in dir.
+ eof: bool; ##< if true, no more entries in dir.
 };
 type fsstat_t: record {
@@ -908,7 +927,7 @@ type ntp_msg: record {
 };
-# Maps Samba command numbers to descriptive names.
+## Maps Samba command numbers to descriptive names.
 global samba_cmds: table[count] of string &redef &default = function(c: count): string { return fmt("samba-unknown-%d", c); };
@@ -959,16 +978,16 @@ type smb_tree_connect : record {
 type smb_negotiate : table[count] of string;
-# A list of router addresses offered by the server.
+## A list of router addresses offered by the server.
 type dhcp_router_list: table[count] of addr;
 type dhcp_msg: record {
- op: count; # message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
- m_type: count; # the type of DHCP message
- xid: count; # transaction ID of a DHCP session
- h_addr: string; # hardware address of the client
- ciaddr: addr; # original IP address of the client
- yiaddr: addr; # IP address assigned to the client
+ op: count; ##< message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+ m_type: count; ##< the type of DHCP message
+ xid: count; ##< transaction ID of a DHCP session
+ h_addr: string; ##< hardware address of the client
+ ciaddr: addr; ##< original IP address of the client
+ yiaddr: addr; ##< IP address assigned to the client
 };
 type dns_msg: record {
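Review bot: In write_reply_t the fields `size` and `commited` are now the only ones without a `##<` annotation while every neighbouring field has one, and the annotation on `verf` carries the typo `cookue`; because these comments are being promoted to generated documentation, the gaps and typos become user-facing. Suggest `##< write verifier cookie` for `verf`, and for `size` something like `##< number of bytes written — confirm against the NFS WRITE reply semantics`, since nothing in the hunk states what the field holds. The record is fully inside the hunk.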
@@ -991,13 +1010,13 @@ type dns_msg: record {
 };
 type dns_soa: record {
- mname: string; # primary source of data for zone
- rname: string; # mailbox for responsible person
- serial: count; # version number of zone
- refresh: interval; # seconds before refreshing
- retry: interval; # how long before retrying failed refresh
- expire: interval; # when zone no longer authoritative
- minimum: interval; # minimum TTL to use when exporting
+ mname: string; ##< primary source of data for zone
+ rname: string; ##< mailbox for responsible person
+ serial: count; ##< version number of zone
+ refresh: interval; ##< seconds before refreshing
+ retry: interval; ##< how long before retrying failed refresh
+ expire: interval; ##< when zone no longer authoritative
+ minimum: interval; ##< minimum TTL to use when exporting
 };
 type dns_edns_additional: record {
@@ -1026,6 +1045,7 @@ type dns_tsig_additional: record {
 # Different values for "answer_type" in the following. DNS_QUERY
 # shouldn't occur, it's just for completeness.
+# TODO: use enums to help autodoc
 const DNS_QUERY = 0;
 const DNS_ANS = 1;
 const DNS_AUTH = 2;
@@ -1039,22 +1059,25 @@ type dns_answer: record {
 TTL: interval;
 };
-# For servers in these sets, omit processing the AUTH or ADDL records
-# they include in their replies.
+## For servers in these sets, omit processing the AUTH records
+## they include in their replies.
 global dns_skip_auth: set[addr] &redef;
+## For servers in these sets, omit processing the ADDL records
+## they include in their replies.
 global dns_skip_addl: set[addr] &redef;
-# If the following are true, then all AUTH or ADDL records are skipped.
+## If the following are true, then all AUTH records are skipped.
 global dns_skip_all_auth = T &redef;
+## If the following are true, then all ADDL records are skipped.
 global dns_skip_all_addl = T &redef;
-# If a DNS request includes more than this many queries, assume it's
-# non-DNS traffic and do not process it. Set to 0 to turn off this
-# functionality.
+## If a DNS request includes more than this many queries, assume it's
+## non-DNS traffic and do not process it. Set to 0 to turn off this
+## functionality.
 global dns_max_queries = 5;
-# The maxiumum size in bytes for an SSL cipherspec. If we see a packet that
-# has bigger cipherspecs, we won't do a comparisons of cipherspecs.
+## The maxiumum size in bytes for an SSL cipherspec. If we see a packet that
+## has bigger cipherspecs, we won't do a comparisons of cipherspecs.
 const ssl_max_cipherspec_size = 68 &redef;
 type X509_extensions: table[count] of string;
@@ -1068,7 +1091,7 @@ type X509: record {
 not_valid_after: time;
 };
-# This is indexed with the CA's name and yields a DER (binary) encoded certificate.
+## This is indexed with the CA's name and yields a DER (binary) encoded certificate.
 const root_ca_certs: table[string] of string = {} &redef;
 type http_stats_rec: record {
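Review bot: The doc blocks split out for dns_skip_all_auth and dns_skip_all_addl still read `## If the following are true, then all AUTH records are skipped.`, plural wording copied from the old combined comment that now sits above a single identifier; `## If true, all AUTH records in replies are skipped.` (and the ADDL counterpart) reads correctly once rendered. The same hunk promotes `maxiumum` and `we won't do a comparisons of cipherspecs` into the public text for ssl_max_cipherspec_size; `maximum` and `we won't compare cipherspecs` are worth fixing while these lines are being rewritten anyway.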
@@ -1079,25 +1102,28 @@ type http_stats_rec: record {
 };
 type http_message_stat: record {
- start: time; # when the request/reply line was complete
- interrupted: bool; # whether the message is interrupted
- finish_msg: string; # reason phrase if interrupted
- body_length: count; # length of body processed
- # (before finished/interrupted)
- content_gap_length: count; # total len of gaps within body_length
- header_length: count; # length of headers
- # (including the req/reply line,
- # but not CR/LF's)
+ ## when the request/reply line was complete
+ start: time;
+ ## whether the message is interrupted
+ interrupted: bool;
+ ## reason phrase if interrupted
+ finish_msg: string;
+ ## length of body processed (before finished/interrupted)
+ body_length: count;
+ ## total len of gaps within body_length
+ content_gap_length: count;
+ ## length of headers (including the req/reply line, but not CR/LF's)
+ header_length: count;
 };
 global http_entity_data_delivery_size = 1500 &redef;
-# Truncate URIs longer than this to prevent over-long URIs (usually sent
-# by worms) from slowing down event processing. A value of -1 means "do
-# not truncate".
+## Truncate URIs longer than this to prevent over-long URIs (usually sent
+## by worms) from slowing down event processing. A value of -1 means "do
+## not truncate".
 const truncate_http_URI = -1 &redef;
-# IRC-related globals to which the event engine is sensitive.
+## IRC-related globals to which the event engine is sensitive.
 type irc_join_info: record {
 nick: string;
 channel: string;
@@ -1107,11 +1133,11 @@ type irc_join_info: record {
 type irc_join_list: set[irc_join_info];
 global irc_servers : set[addr] &redef;
-# Stepping-stone globals.
+## Stepping-stone globals.
 const stp_delta: interval &redef;
 const stp_idle_min: interval &redef;
-# Don't do analysis on these sources. Used to avoid overload from scanners.
+## Don't do analysis on these sources. Used to avoid overload from scanners.
 global stp_skip_src: set[addr] &redef;
 const interconn_min_interarrival: interval &redef;
@@ -1149,10 +1175,10 @@ type backdoor_endp_stats: record {
 };
 type signature_state: record {
- sig_id: string; # ID of the signature
- conn: connection; # Current connection
- is_orig: bool; # True if current endpoint is originator
- payload_size: count; # Payload size of the first pkt of curr. endpoint
+ sig_id: string; ##< ID of the signature
+ conn: connection; ##< Current connection
+ is_orig: bool; ##< True if current endpoint is originator
+ payload_size: count; ##< Payload size of the first pkt of curr. endpoint
 };
@@ -1195,21 +1221,21 @@ type load_sample_info: set[string];
 # NetFlow-related data structures.
-# The following provides a mean to sort together flow headers and flow
-# records at the script level. rcvr_id equals the name of the file
-# (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555),
-# or an explicit name if specified to -y or -Y; pdu_id is just a serial
-# number, ignoring any overflows.
+## The following provides a mean to sort together NetFlow headers and flow
+## records at the script level. rcvr_id equals the name of the file
+## (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555),
+## or an explicit name if specified to -y or -Y; pdu_id is just a serial
+## number, ignoring any overflows.
 type nfheader_id: record {
 rcvr_id: string;
 pdu_id: count;
 };
 type nf_v5_header: record {
- h_id: nfheader_id; # ID for sorting, per the above
+ h_id: nfheader_id; ##< ID for sorting, per the above
 cnt: count;
- sysuptime: interval; # router's uptime
- exporttime: time; # when the data was exported
+ sysuptime: interval; ##< router's uptime
+ exporttime: time; ##< when the data was exported
 flow_seq: count;
 eng_type: count;
 eng_id: count;
@@ -1227,7 +1253,7 @@ type nf_v5_record: record {
 octets: count;
 first: time;
 last: time;
- tcpflag_fin: bool; # Taken from tcpflags in NF V5; or directly.
+ tcpflag_fin: bool; ##< Taken from tcpflags in NF V5; or directly.
 tcpflag_syn: bool;
 tcpflag_rst: bool;
 tcpflag_psh: bool;
@@ -1242,17 +1268,17 @@ type nf_v5_record: record {
 };
-# The peer record and the corresponding set type used by the
-# BitTorrent analyzer.
+## The peer record and the corresponding set type used by the
+## BitTorrent analyzer.
 type bittorrent_peer: record {
 h: addr;
 p: port;
 };
 type bittorrent_peer_set: set[bittorrent_peer];
-# The benc value record and the corresponding table type used by the
-# BitTorrenttracker analyzer. Note that "benc" = Bencode ("Bee-Encode"),
-# per http://en.wikipedia.org/wiki/Bencode.
+## The benc value record and the corresponding table type used by the
+## BitTorrenttracker analyzer. Note that "benc" = Bencode ("Bee-Encode"),
+## per http://en.wikipedia.org/wiki/Bencode.
 type bittorrent_benc_value: record {
 i: int &optional;
 s: string &optional;
@@ -1261,7 +1287,7 @@ type bittorrent_benc_value: record {
 };
 type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
-# The header table type used by the bittorrenttracker analyzer.
+## The header table type used by the bittorrenttracker analyzer.
 type bt_tracker_headers: table[string] of string;
 @load event.bif.bro
@@ -1270,38 +1296,38 @@ type bt_tracker_headers: table[string] of string;
 # empty if none.
 const cmd_line_bpf_filter = "" &redef;
-# Rotate logs every x interval.
+## Rotate logs every x interval.
 const log_rotate_interval = 0 sec &redef;
-# If set, rotate logs at given time + i * log_rotate_interval.
-# (string is time in 24h format, e.g., "18:00").
+## If set, rotate logs at given time + i * log_rotate_interval.
+## (string is time in 24h format, e.g., "18:00").
 const log_rotate_base_time = "0:00" &redef;
-# Rotate logs when they reach this size (in bytes). Note, the
-# parameter is a double rather than a count to enable easy expression
-# of large values such as 1e7 or exceeding 2^32.
+## Rotate logs when they reach this size (in bytes). Note, the
+## parameter is a double rather than a count to enable easy expression
+## of large values such as 1e7 or exceeding 2^32.
 const log_max_size = 0.0 &redef;
-# Default public key for encrypting log files.
+## Default public key for encrypting log files.
 const log_encryption_key = "" &redef;
-# Write profiling info into this file.
+## Write profiling info into this file.
 global profiling_file: file &redef;
-# Update interval for profiling (0 disables).
+## Update interval for profiling (0 disables).
 const profiling_interval = 0 secs &redef;
-# Multiples of profiling_interval at which (expensive) memory
-# profiling is done (0 disables).
+## Multiples of profiling_interval at which (expensive) memory
+## profiling is done (0 disables).
 const expensive_profiling_multiple = 0 &redef;
-# If true, then write segment profiling information (very high volume!)
-# in addition to statistics.
+## If true, then write segment profiling information (very high volume!)
+## in addition to statistics.
 const segment_profiling = F &redef;
-# Output packet profiling information every secs (mode 1),
-# every packets (mode 2), or every bytes (mode 3).
-# Mode 0 disables.
+## Output packet profiling information every secs (mode 1),
+## every packets (mode 2), or every bytes (mode 3).
+## Mode 0 disables.
 type pkt_profile_modes: enum {
 PKT_PROFILE_MODE_NONE,
 PKT_PROFILE_MODE_SECS,
@@ -1310,74 +1336,76 @@ type pkt_profile_modes: enum {
 };
 const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef;
-# Frequency associated with packet profiling.
+## Frequency associated with packet profiling.
 const pkt_profile_freq = 0.0 &redef;
-# File where packet profiles are logged.
+## File where packet profiles are logged.
 global pkt_profile_file: file &redef;
-# Rate at which to generate load_sample events, *if* you've also
-# defined a load_sample handler. Units are inverse number of packets;
-# e.g., a value of 20 means "roughly one in every 20 packets".
+## Rate at which to generate load_sample events, *if* you've also
+## defined a load_sample handler. Units are inverse number of packets;
+## e.g., a value of 20 means "roughly one in every 20 packets".
 global load_sample_freq = 20 &redef;
-# Rate at which to generate gap_report events assessing to what
-# degree the measurement process appears to exhibit loss.
+## Rate at which to generate gap_report events assessing to what
+## degree the measurement process appears to exhibit loss.
 const gap_report_freq = 1.0 sec &redef;
-# Whether we want content_gap and drop reports for partial connections
-# (a connection is partial if it is missing a full handshake). Note that
-# gap reports for partial connections might not be reliable.
+## Whether we want content_gap and drop reports for partial connections
+## (a connection is partial if it is missing a full handshake). Note that
+## gap reports for partial connections might not be reliable.
 const report_gaps_for_partial = F &redef;
-# Globals associated with entire-run statistics on gaps (useful
-# for final summaries).
+## Globals associated with entire-run statistics on gaps (useful
+## for final summaries).
-# The CA certificate file to authorize remote Bros.
+## The CA certificate file to authorize remote Bros.
 const ssl_ca_certificate = "" &redef;
-# File containing our private key and our certificate.
+## File containing our private key and our certificate.
 const ssl_private_key = "" &redef;
-# The passphrase for our private key. Keeping this undefined
-# causes Bro to prompt for the passphrase.
+## The passphrase for our private key. Keeping this undefined
+## causes Bro to prompt for the passphrase.
 const ssl_passphrase = "" &redef;
-# Whether the Bro-level packet filter drops packets per default or not.
+## Whether the Bro-level packet filter drops packets per default or not.
 const packet_filter_default = F &redef;
-# Maximum size of regular expression groups for signature matching.
+## Maximum size of regular expression groups for signature matching.
 const sig_max_group_size = 50 &redef;
-# If true, send logger messages to syslog.
+## If true, send logger messages to syslog.
 const enable_syslog = F &redef;
-# This is transmitted to peers receiving our events.
+## This is transmitted to peers receiving our events.
 const peer_description = "bro" &redef;
-# If true, broadcast events/state received from one peer to other peers.
-# NOTE: These options are only temporary. They will disappear when we get a
-# more sophisticated script-level communication framework.
+## If true, broadcast events/state received from one peer to other peers.
+## NOTE: These options are only temporary. They will disappear when we get a
+## more sophisticated script-level communication framework.
 const forward_remote_events = F &redef;
+## See :bro:id:`forward_remote_events`
 const forward_remote_state_changes = F &redef;
 const PEER_ID_NONE = 0;
-# Whether to use the connection tracker.
+## Whether to use the connection tracker.
 const use_connection_compressor = T &redef;
-# Whether compressor should handle refused connections itself.
+## Whether compressor should handle refused connections itself.
 const cc_handle_resets = F &redef;
-# Whether compressor should only take care of initial SYNs.
-# (By default on, this is basically "connection compressor lite".)
+## Whether compressor should only take care of initial SYNs.
+## (By default on, this is basically "connection compressor lite".)
 const cc_handle_only_syns = T &redef;
-# Whether compressor instantiates full state when originator sends a
-# non-control packet.
+## Whether compressor instantiates full state when originator sends a
+## non-control packet.
 const cc_instantiate_on_data = F &redef;
 # Signature payload pattern types
+# TODO: use enum to help autodoc
 const SIG_PATTERN_PAYLOAD = 0;
 const SIG_PATTERN_HTTP = 1;
 const SIG_PATTERN_FTP = 2;
@@ -1385,24 +1413,26 @@ const SIG_PATTERN_FINGER = 3;
 # Log-levels for remote_log.
 # Eventually we should create a general logging framework and merge these in.
+# TODO: use enum to help autodoc
 const REMOTE_LOG_INFO = 1;
 const REMOTE_LOG_ERROR = 2;
 # Sources for remote_log.
+# TODO: use enum to help autodoc
 const REMOTE_SRC_CHILD = 1;
 const REMOTE_SRC_PARENT = 2;
 const REMOTE_SRC_SCRIPT = 3;
-# Synchronize trace processing at a regular basis in pseudo-realtime mode.
+## Synchronize trace processing at a regular basis in pseudo-realtime mode.
 const remote_trace_sync_interval = 0 secs &redef;
-# Number of peers across which to synchronize trace processing.
+## Number of peers across which to synchronize trace processing.
 const remote_trace_sync_peers = 0 &redef;
-# Whether for &synchronized state to send the old value as a consistency check.
+## Whether for &synchronized state to send the old value as a consistency check.
 const remote_check_sync_consistency = F &redef;
-# Prepend the peer description, if set.
+## Prepend the peer description, if set.
 function prefixed_id(id: count): string
 {
 if ( peer_description == "" )
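Review bot: The comment `## Globals associated with entire-run statistics on gaps (useful for final summaries).` is converted to the `##` doc marker but no declaration follows it — the next identifier is ssl_ca_certificate, which has its own `##` block — so depending on how the doc generator attaches leading `##` text this orphan may be prepended to ssl_ca_certificate's entry or silently dropped; either remove it or keep it as a plain `#` note. In the same hunk `## See :bro:id:`forward_remote_events`` leaves forward_remote_state_changes without a description of its own, while the old shared comment covered "events/state", so `## If true, broadcast state changes received from one peer to other peers; see :bro:id:`forward_remote_events`.` is grounded in what was there. Now that ssl_passphrase is publicly documented as a redef-able constant, a caveat is worth one line: `## Setting this in a script stores the passphrase in plaintext; leave it empty to be prompted instead.`, which is the behaviour the existing comment already describes.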
@@ -1411,8 +1441,8 @@ function prefixed_id(id: count): string
 return cat(peer_description, "-", id);
 }
-# Analyzer tags. The core automatically defines constants
-# ANALYZER_*, e.g., ANALYZER_HTTP.
+## Analyzer tags. The core automatically defines constants
+## ANALYZER_*, e.g., ANALYZER_HTTP.
 type AnalyzerTag: count;
 # DPD configuration.
@@ -1423,66 +1453,66 @@ type dpd_protocol_config: record {
 const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
-# Reassemble the beginning of all TCP connections before doing
-# signature-matching for protocol detection.
+## Reassemble the beginning of all TCP connections before doing
+## signature-matching for protocol detection.
 const dpd_reassemble_first_packets = T &redef;
-# Size of per-connection buffer in bytes. If the buffer is full, data is
-# deleted and lost to analyzers that are activated afterwards.
+## Size of per-connection buffer in bytes. If the buffer is full, data is
+## deleted and lost to analyzers that are activated afterwards.
 const dpd_buffer_size = 1024 &redef;
-# If true, stops signature matching if dpd_buffer_size has been reached.
+## If true, stops signature matching if dpd_buffer_size has been reached.
 const dpd_match_only_beginning = T &redef;
-# If true, don't consider any ports for deciding which analyzer to use.
+## If true, don't consider any ports for deciding which analyzer to use.
 const dpd_ignore_ports = F &redef;
-# Ports which the core considers being likely used by servers.
+## Ports which the core considers being likely used by servers.
 const likely_server_ports: set[port] &redef;
-# Set of all ports for which we know an analyzer.
+## Set of all ports for which we know an analyzer.
 global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
-# Per-incident timer managers are drained after this amount of inactivity.
+## Per-incident timer managers are drained after this amount of inactivity.
 const timer_mgr_inactivity_timeout = 1 min &redef;
-# If true, output profiling for time-machine queries.
+## If true, output profiling for time-machine queries.
 const time_machine_profiling = F &redef;
-# If true, warns about unused event handlers at startup.
+## If true, warns about unused event handlers at startup.
const check_for_unused_event_handlers = F &redef;
-# If true, dumps all invoked event handlers at startup.
+## If true, dumps all invoked event handlers at startup.
 const dump_used_event_handlers = F &redef;
-# If true, we suppress prints to local files if we have a receiver for
-# print_hook events. Ignored for files with a &disable_print_hook attribute.
+## If true, we suppress prints to local files if we have a receiver for
+## print_hook events. Ignored for files with a &disable_print_hook attribute.
 const suppress_local_output = F &redef;
-# Holds the filename of the trace file given with -w (empty if none).
+## Holds the filename of the trace file given with -w (empty if none).
 const trace_output_file = "";
-# If a trace file is given, dump *all* packets seen by Bro into it.
-# By default, Bro applies (very few) heuristics to reduce the volume.
-# A side effect of setting this to true is that we can write the
-# packets out before we actually process them, which can be helpful
-# for debugging in case the analysis triggers a crash.
+## If a trace file is given, dump *all* packets seen by Bro into it.
+## By default, Bro applies (very few) heuristics to reduce the volume.
+## A side effect of setting this to true is that we can write the
+## packets out before we actually process them, which can be helpful
+## for debugging in case the analysis triggers a crash.
 const record_all_packets = F &redef;
-# Some connections (e.g., SSH) retransmit the acknowledged last
-# byte to keep the connection alive. If ignore_keep_alive_rexmit
-# is set to T, such retransmissions will be excluded in the rexmit
-# counter in conn_stats.
+## Some connections (e.g., SSH) retransmit the acknowledged last
+## byte to keep the connection alive. If ignore_keep_alive_rexmit
+## is set to T, such retransmissions will be excluded in the rexmit
+## counter in conn_stats.
const ignore_keep_alive_rexmit = F &redef;
-# Skip HTTP data portions for performance considerations (the skipped
-# portion will not go through TCP reassembly).
+## Skip HTTP data portions for performance considerations (the skipped
+## portion will not go through TCP reassembly).
 const skip_http_data = F &redef;
-# Whether the analysis engine parses IP packets encapsulated in
-# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+## Whether the analysis engine parses IP packets encapsulated in
+## UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
 const parse_udp_tunnels = F &redef;
-# Load the logging framework here because it uses fairly deep integration with
-# BiFs and script-land defined types.
+## Load the logging framework here because it uses fairly deep integration with
+## BiFs and script-land defined types.
 @load base/frameworks/logging
From 95d84da1b00f246a901944650df1be034dbb2b6d Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Thu, 11 Aug 2011 15:29:54 -0700
Subject: [PATCH 15/21] Set c$conn (for logging) in new_connection() event.
c$conn was originally set in connection_established(), which is only used by TCP connections, and in connection_state_remove(). Using new_connection() allows us to have c$conn available for any connection and for any script that wants to extend logging to conn.log.
---
 scripts/base/protocols/conn/main.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index 8425e59640..b413947d41 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -200,7 +200,7 @@ function set_conn(c: connection, eoc: bool)
 }
 }
-event connection_established(c: connection) &priority=5
+event new_connection(c: connection) &priority=5
 {
 set_conn(c, F);
 }
From 33fce8a71d384e569284fdf09d0a5d999a7009e6 Mon Sep 17 00:00:00 2001
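Review bot: The comment above `@load base/frameworks/logging` is switched to the `##` doc marker, but it precedes a directive rather than a declaration, so a doc generator that attaches leading `##` text to the next documented identifier may either misplace it or drop it; the explanatory note belongs in plain `#` form. Suggest keeping `# Load the logging framework here because it uses fairly deep integration with` / `# BiFs and script-land defined types.` as ordinary comments, matching how the `# TODO: use enum to help autodoc` notes elsewhere in this patch are written.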
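Review bot: With `set_conn(c, F)` moved from connection_established to new_connection, whatever set_conn records (its body is above the hunk) is now a creation-time snapshot taken before any handshake or protocol detection, and per the commit message it now also runs for non-TCP connections; the handler should say so, because extenders need to know when c$conn exists. Suggest a comment on the new line: `# c$conn is initialised here at priority 5; scripts that extend conn.log must hook new_connection at a lower priority (or a later event) to see it.` Whether set_conn does anything that only makes sense once the handshake has completed cannot be judged from the hunk and is worth checking against its body.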
From: Jon Siwek
Date: Mon, 15 Aug 2011 17:29:41 -0500
Subject: [PATCH 16/21] Misc. doc/script/test cleanup.
- fixing some Metrics::add_data() call signatures
- slight refactors to cluster framework @if and adding a NONE NodeType for so local_node_type() will return that instead of just emitting an error when cluster mode isn't enabled
- `make restdoc` target now uses bro's bare-mode
- bro scripts generated from bifs now really only live in the build/src/base/ directory and changed the DocSourcesList.cmake to dynamically figure out what bifs exist by looking in src/ instead of build/src/
- add some missing @load dependencies
---
 doc/scripts/CMakeLists.txt | 2 +-
 doc/scripts/DocSourcesList.cmake | 23 ++++++++++---------
 doc/scripts/genDocSourcesList.sh | 6 ++---
 scripts/base/frameworks/cluster/__load__.bro | 10 ++++----
 scripts/base/frameworks/cluster/main.bro | 7 +++---
 scripts/base/frameworks/metrics/cluster.bro | 3 ++-
 .../base/frameworks/metrics/non-cluster.bro | 1 +
 .../frameworks/notice/actions/add-geodata.bro | 5 +++-
 .../frameworks/metrics/http-example.bro | 9 ++------
 scripts/policy/protocols/http/detect-sqli.bro | 4 ++--
 src/BroDoc.cc | 2 +-
 src/CMakeLists.txt | 9 ++++----
 .../manager-1.metrics.log | 0
 .../metrics.log | 0
 .../notice.log | 0
 .../frameworks/metrics/basic-cluster.bro | 0
 .../base}/frameworks/metrics/basic.bro | 0
 .../base}/frameworks/metrics/notice.bro | 0
 18 files changed, 42 insertions(+), 39 deletions(-)
 rename testing/btest/Baseline/{policy.frameworks.metrics.basic-cluster => scripts.base.frameworks.metrics.basic-cluster}/manager-1.metrics.log (100%)
 rename testing/btest/Baseline/{policy.frameworks.metrics.basic => scripts.base.frameworks.metrics.basic}/metrics.log (100%)
 rename testing/btest/Baseline/{policy.frameworks.metrics.notice => scripts.base.frameworks.metrics.notice}/notice.log (100%)
 rename testing/btest/{policy => scripts/base}/frameworks/metrics/basic-cluster.bro (100%)
 rename testing/btest/{policy =>
scripts/base}/frameworks/metrics/basic.bro (100%)
 rename testing/btest/{policy => scripts/base}/frameworks/metrics/notice.bro (100%)
diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
index cb7a42929c..b82605d533 100644
--- a/doc/scripts/CMakeLists.txt
+++ b/doc/scripts/CMakeLists.txt
@@ -119,7 +119,7 @@ macro(REST_TARGET srcDir broInput)
 ARGS -E remove_directory .state
 # generate the reST documentation using bro
 COMMAND BROPATH=${BROPATH}:${srcDir} ${CMAKE_BINARY_DIR}/src/bro
- ARGS --doc-scripts ${broInput} || (rm -rf .state *.log *.rst && exit 1)
+ ARGS -b -Z ${broInput} || (rm -rf .state *.log *.rst && exit 1)
 # move generated doc into a new directory tree that
 # defines the final structure of documents
 COMMAND "${CMAKE_COMMAND}"
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 8290d3d102..e071de47e5 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -16,13 +16,13 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
 rest_target(${psd} base/init-default.bro internal)
 rest_target(${psd} base/init-bare.bro internal)
-rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src reporter.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base bro.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base const.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base event.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base logging.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base reporter.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base strings.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src/base types.bif.bro)
 rest_target(${psd} base/frameworks/cluster/main.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro)
@@ -34,7 +34,9 @@ rest_target(${psd} base/frameworks/dpd/main.bro)
 rest_target(${psd} base/frameworks/intel/main.bro)
 rest_target(${psd} base/frameworks/logging/main.bro)
 rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
+rest_target(${psd} base/frameworks/metrics/cluster.bro)
 rest_target(${psd} base/frameworks/metrics/main.bro)
+rest_target(${psd} base/frameworks/metrics/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -64,11 +66,11 @@ rest_target(${psd} base/protocols/http/partial-content.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
-rest_target(${psd} base/protocols/mime/base.bro)
 rest_target(${psd} base/protocols/mime/file-extract.bro)
 rest_target(${psd} base/protocols/mime/file-hash.bro)
 rest_target(${psd} base/protocols/mime/file-ident.bro)
-rest_target(${psd} base/protocols/rpc/base.bro)
+rest_target(${psd} base/protocols/mime/main.bro)
+rest_target(${psd} base/protocols/rpc/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
@@ -99,8 +101,7 @@ rest_target(${psd} policy/frameworks/metrics/http-example.bro)
 rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
-rest_target(${psd} policy/integration/barnyard2/base.bro)
-rest_target(${psd} policy/integration/barnyard2/event.bro)
+rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
diff --git a/doc/scripts/genDocSourcesList.sh b/doc/scripts/genDocSourcesList.sh
index 8ef4ff9c14..1f56843f5f 100755
--- a/doc/scripts/genDocSourcesList.sh
+++ b/doc/scripts/genDocSourcesList.sh
@@ -68,12 +68,12 @@ sourcedir=${thisdir}/../..
 echo "$statictext" > $outfile
-bifs=`( cd ${sourcedir}/build/src && find . -name \*\.bro | sort )`
+bifs=`( cd ${sourcedir}/src && find . -name \*\.bif | sort )`
 for file in $bifs
 do
- f=${file:2}
- echo "rest_target(\${CMAKE_BINARY_DIR}/src $f)" >> $outfile
+ f=${file:2}.bro
+ echo "rest_target(\${CMAKE_BINARY_DIR}/src/base $f)" >> $outfile
 done
 scriptfiles=`( cd ${sourcedir}/scripts && find . -name \*\.bro | sort )`
diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.bro
index 03262d3d75..d0b72dad4f 100644
--- a/scripts/base/frameworks/cluster/__load__.bro
+++ b/scripts/base/frameworks/cluster/__load__.bro
@@ -1,7 +1,7 @@
 # Load the core cluster support.
 @load ./main
-@if ( Cluster::node != "" )
+@if ( Cluster::is_enabled() )
 # Give the node being started up it's peer name.
 redef peer_description = Cluster::node;
@@ -26,17 +26,17 @@ redef peer_description = Cluster::node;
 ## Set the port that this node is supposed to listen on.
 redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;
-@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER )
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
 @load ./nodes/manager
 @endif
-@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::PROXY )
+@if ( Cluster::local_node_type() == Cluster::PROXY )
 @load ./nodes/proxy
 @endif
-@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::WORKER )
+@if ( Cluster::local_node_type() == Cluster::WORKER )
 @load ./nodes/worker
 @endif
 @endif
-@endif
\ No newline at end of file
+@endif
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
index caf8c48bff..c8e42ec5ea 100644
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -10,6 +10,7 @@ export {
 } &log;
 type NodeType: enum {
+ NONE,
 CONTROL,
 MANAGER,
 PROXY,
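Review bot: `f=${file:2}.bro` combined with the new `src/base` prefix assumes every `.bif` found below `src/` is generated flat into `build/src/base/`; a `.bif` sitting in a subdirectory of `src/` would be emitted as `rest_target(${CMAKE_BINARY_DIR}/src/base sub/x.bif.bro)`, which presumably names a file the build never creates (the generated layout is not visible here), so either restrict the `find` to `-maxdepth 1` or strip the directory with `${file##*/}`. While the echo line is being rewritten, quote the redirect target, `>> "$outfile"`, since `$outfile` is expanded unquoted on the changed line; the loop is entirely inside the hunk.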
@@ -54,8 +55,8 @@ export {
 ## This function can be called at any time to determine what type of
 ## cluster node the current Bro instance is going to be acting as.
- ## :bro:id:`is_enabled` should be called first to find out if this is
- ## actually going to be a cluster node.
+ ## If :bro:id:`Cluster::is_enabled` returns false, then
+ ## :bro:enum:`Cluster::NONE` is returned.
 global local_node_type: function(): NodeType;
 ## This gives the value for the number of workers currently connected to,
@@ -81,7 +82,7 @@ function is_enabled(): bool
 function local_node_type(): NodeType
 {
- return nodes[node]$node_type;
+ return is_enabled() ? nodes[node]$node_type : NONE;
 }
diff --git a/scripts/base/frameworks/metrics/cluster.bro b/scripts/base/frameworks/metrics/cluster.bro
index 94281eb883..41cf1e55cf 100644
--- a/scripts/base/frameworks/metrics/cluster.bro
+++ b/scripts/base/frameworks/metrics/cluster.bro
@@ -5,6 +5,7 @@
 ##! transparently automated when running on a cluster.
 @load base/frameworks/cluster
+@load ./main
 module Metrics;
@@ -143,4 +144,4 @@ event Metrics::cluster_results(uid: string, id: ID, filter_name: string, data: M
 }
 }
-@endif
\ No newline at end of file
+@endif
diff --git a/scripts/base/frameworks/metrics/non-cluster.bro b/scripts/base/frameworks/metrics/non-cluster.bro
index a96210649e..b3dbf029ca 100644
--- a/scripts/base/frameworks/metrics/non-cluster.bro
+++ b/scripts/base/frameworks/metrics/non-cluster.bro
@@ -1,3 +1,4 @@
+@load ./main
 module Metrics;
diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.bro
index 71e9c6b490..423d93a8c1 100644
--- a/scripts/base/frameworks/notice/actions/add-geodata.bro
+++ b/scripts/base/frameworks/notice/actions/add-geodata.bro
@@ -4,6 +4,9 @@
 ##! probably a safe assumption to make in most cases. If both addresses
 ##! are remote, it will use the $src address.
+@load base/frameworks/notice/main
+@load base/utils/site
 module Notice;
 export {
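Review bot: The new return in `local_node_type` still indexes `nodes[node]` without checking that `node` is a key of the table, so a node name that is set but missing from `nodes` (a typo in the cluster configuration) produces a runtime error rather than the `NONE` fallback the new doc comment promises; whether `is_enabled()` already guards this cannot be seen here, since its body ends just above the hunk. A defensive form is `return is_enabled() && node in nodes ? nodes[node]$node_type : NONE;`. The `@if` guards in cluster/__load__.bro now route through this function, so the fallback would also give them a well-defined value in that case.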
@@ -44,4 +47,4 @@ event notice(n: Notice::Info) &priority=10
 else if ( n?$dst && ! Site::is_local_addr(n$dst) )
 n$remote_location = lookup_location(n$dst);
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro
index fb71fb9013..117923185a 100644
--- a/scripts/policy/frameworks/metrics/http-example.bro
+++ b/scripts/policy/frameworks/metrics/http-example.bro
@@ -23,12 +23,7 @@ event bro_init()
 event HTTP::log_http(rec: HTTP::Info)
 {
 if ( rec?$host )
- Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host]);
+ Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1);
 if ( rec?$status_code )
-<<<<<<< HEAD
- Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $index=fmt("%d", rec$status_code)]);
+ Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1);
 }
-=======
- Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)]);
- }
->>>>>>> master
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index c1e6281c6b..4dde93f6bf 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -55,7 +55,7 @@ event http_request(c: connection, method: string, original_URI: string,
 {
 add c$http$tags[URI_SQLI];
- Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h]);
- Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h]);
+ Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h], 1);
+ Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
 }
 }
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
index 302bd04c88..d3406ad113 100644
--- a/src/BroDoc.cc
+++ b/src/BroDoc.cc
@@ -60,7 +60,7 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 if ( ! reST_file )
 fprintf(stderr, "Failed to open %s\n", reST_filename.c_str());
-#ifdef DEBUG
+#ifdef DOCDEBUG
 fprintf(stdout, "Documenting absolute source: %s\n", abs.c_str());
 fprintf(stdout, "\trelative dir: %s\n", rel.c_str());
 fprintf(stdout, "\tdoc title: %s\n", doc_title.c_str());
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c7e99c2e21..0bbced32db 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -108,25 +108,26 @@ macro(BIF_TARGET bifInput)
 COMMAND bifcl
 ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1)
 # in order be able to run bro from the build directory,
- # a copy of the generated bro script needs to be copied
- # to a directory tree named the same way it will be
+ # the generated bro script needs to be inside a
+ # a directory tree named the same way it will be
 # referenced from an @load
 COMMAND "${CMAKE_COMMAND}"
 ARGS -E copy ${bifInput}.bro base/${bifInput}.bro
+ COMMAND "${CMAKE_COMMAND}"
+ ARGS -E remove -f ${bifInput}.bro
 DEPENDS ${bifInput}
 DEPENDS bifcl
 COMMENT "[BIFCL] Processing ${bifInput}"
 )
 list(APPEND ALL_BIF_OUTPUTS ${bifOutputs})
 list(APPEND INSTALL_BIF_OUTPUTS
- ${CMAKE_CURRENT_BINARY_DIR}/${bifInput}.bro)
+ ${CMAKE_CURRENT_BINARY_DIR}/base/${bifInput}.bro)
 endmacro(BIF_TARGET)
 # returns a list of output files that bifcl will produce
 # for given input file in ${outputFileVar}
 macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar)
 set(${outputFileVar}
- ${inputFile}.bro
+ base/${inputFile}.bro
 ${inputFile}.func_def
 ${inputFile}.func_h
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.basic-cluster/manager-1.metrics.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.basic/metrics.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.notice/notice.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
diff --git a/testing/btest/policy/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/basic-cluster.bro
rename to testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
diff --git a/testing/btest/policy/frameworks/metrics/basic.bro b/testing/btest/scripts/base/frameworks/metrics/basic.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/basic.bro
rename to testing/btest/scripts/base/frameworks/metrics/basic.bro
diff --git a/testing/btest/policy/frameworks/metrics/notice.bro b/testing/btest/scripts/base/frameworks/metrics/notice.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/notice.bro
rename to testing/btest/scripts/base/frameworks/metrics/notice.bro
From 89d5e01d3858e25e44fd8abe5c7b251baf5c0940 Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Fri, 19 Aug 2011 14:42:48 -0700
Subject: [PATCH 17/21] Tune when c$conn is set.
After discussion with Seth we now set c$conn in connection_state_remove() with priority 5, and log it with priority -5. If users want to extend c$conn before connection_state_remove, they can just create c$conn and add custom fields.
Addresses: #554
---
 scripts/base/protocols/conn/main.bro | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index b413947d41..4184e12c5b 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -158,20 +158,21 @@ function determine_service(c: connection): string
 return to_lower(service);
 }
+## Fill out the c$conn record for logging
 function set_conn(c: connection, eoc: bool)
 {
 if ( ! c?$conn )
 {
- local id = c$id;
 local tmp: Info;
- tmp$ts=c$start_time;
- tmp$uid=c$uid;
- tmp$id=id;
- tmp$proto=get_port_transport_proto(id$resp_p);
- if( |Site::local_nets| > 0 )
- tmp$local_orig=Site::is_local_addr(id$orig_h);
 c$conn = tmp;
 }
+
+ c$conn$ts=c$start_time;
+ c$conn$uid=c$uid;
+ c$conn$id=c$id;
+ c$conn$proto=get_port_transport_proto(c$id$resp_p);
+ if( |Site::local_nets| > 0 )
+ c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
 if ( eoc )
 {
@@ -200,11 +201,6 @@ function set_conn(c: connection, eoc: bool)
 }
 }
-event new_connection(c: connection) &priority=5
- {
- set_conn(c, F);
- }
-
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
 {
 set_conn(c, F);
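Review bot: The new `## Fill out the c$conn record for logging` comment on set_conn does not say what `eoc` means, nor that the function now (re)assigns `ts`, `uid`, `id`, `proto` and `local_orig` on every call while leaving an existing `c$conn` record in place, which is exactly the contract the commit message offers to users who pre-create `c$conn` with custom fields. Suggest expanding it to: `## Fill out the c$conn record for logging. Creates c$conn if absent and always (re)sets ts, uid, id, proto and local_orig; fields added by other scripts are kept. eoc: T when called at end of connection.` The `if ( eoc )` branch and the rest of set_conn continue outside the hunk.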
@@ -212,9 +208,13 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
 c$conn$missed_bytes = c$conn$missed_bytes + length;
 }
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection) &priority=5
 {
 set_conn(c, T);
+ }
+
+event connection_state_remove(c: connection) &priority=-5
+ {
 Log::write(CONN, c$conn);
 }
From bdf4b1cbcb497a0a50d4e27606a1fd570e6b8458 Mon Sep 17 00:00:00 2001
From: Gregor Maier
Date: Tue, 23 Aug 2011 20:03:12 -0700
Subject: [PATCH 18/21] Hotfix: Excessive memory usage of SSL analyzer on connections with gaps.
The SSL analyzer used excessive amounts of memory after a gap. We fix this by tracking whether there was gap and not delivering any more data if there was.
---
 src/SSL-binpac.cc | 15 ++++++++++++++-
 src/SSL-binpac.h | 1 +
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc
index ec1fd206f6..c44ae5fb70 100644
--- a/src/SSL-binpac.cc
+++ b/src/SSL-binpac.cc
@@ -7,6 +7,7 @@ SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c)
 : TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c)
 {
 interp = new binpac::SSL::SSL_Conn(this);
+ had_gap = false;
 }
 SSL_Analyzer_binpac::~SSL_Analyzer_binpac()
@@ -36,12 +37,24 @@ void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
 if ( TCP()->IsPartial() )
 return;
+ if ( had_gap )
+ // XXX: If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can handle this.
+ return;
- interp->NewData(orig, data, data + len);
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( binpac::Exception const &e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
 }
 void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
 {
 TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
 interp->NewGap(orig, len);
 }
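Review bot: Once `had_gap` is set, DeliverStream drops every further byte of the connection silently, so an SSL session with a single gap vanishes from analysis with nothing recorded that an operator could correlate with a missing log entry; consider reporting the state once where `had_gap` is set (a weird would do) so the loss is visible. The new try/catch only wraps `interp->NewData`; the `interp->NewGap` call in Undelivered stays unprotected, and if it can raise `binpac::Exception` the same handling should apply — I cannot tell from the hunk whether it can. As a point of style, `had_gap = false;` in the constructor body (hunk `@@ -7,6 +7,7 @@`) belongs in the initializer list next to the base-class initializer, and the `// XXX` comment placed between `if ( had_gap )` and its `return;` is easy to misread as the body of the if.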
diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h
index 7d0c8d3939..8dab19d00c 100644
--- a/src/SSL-binpac.h
+++ b/src/SSL-binpac.h
@@ -30,6 +30,7 @@ public:
 protected:
 binpac::SSL::SSL_Conn* interp;
+ bool had_gap;
 };
From 8c9c6f3f000af77df0e01be594ab9958dbf4f922 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 25 Aug 2011 09:41:05 -0500
Subject: [PATCH 19/21] Finish capability of emailing bulk alarm logs at a configurable interval.
Also added a BiF for getting the current Bro version string.
---
 scripts/base/frameworks/notice/main.bro | 85 +++++++++++++++++++------
 src/bro.bif | 6 ++
 2 files changed, 71 insertions(+), 20 deletions(-)
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index ea7a472031..8f80961d45 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -41,7 +41,9 @@ export {
 ## Indicates that the notice should be sent to the email address(es)
 ## configured in the :bro:id:`Notice::mail_dest` variable.
 ACTION_EMAIL,
- ## Indicates that the notice should be alarmed.
+ ## Indicates that the notice should be alarmed. A readable ASCII
+ ## version of the alarm log is emailed in bulk to the address(es)
+ ## configured in :bro:id:`Notice::mail_dest`.
 ACTION_ALARM,
 };
@@ -136,7 +138,8 @@ export {
 ## Local system sendmail program.
 const sendmail = "/usr/sbin/sendmail" &redef;
- ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action.
+ ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action
+ ## or to send bulk alarm logs on rotation with :bro:enum:`ACTION_ALARM`.
 const mail_dest = "" &redef;
 ## Address that emails will be from.
@@ -146,6 +149,11 @@ export {
 ## Text string prefixed to the subject of all emails sent out.
 const mail_subject_prefix = "[Bro]" &redef;
+ ## A log postprocessing function that implements emailing the contents
+ ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
+ ## The rotated log is removed upon being sent.
+ global log_mailing_postprocessor: function(info: Log::RotationInfo): bool;
+
 ## This is the event that is called as the entry point to the
 ## notice framework by the global :bro:id:`NOTICE` function. By the time
 ## this event is generated, default values have already been filled out in
@@ -171,7 +179,14 @@ export {
 ## by default with the built in :bro:enum:`ACTION_EMAIL` and
 ## :bro:enum:`ACTION_PAGE` actions.
 global email_notice_to: function(n: Info, dest: string, extend: bool);
-
+
+ ## Constructs mail headers to which an email body can be appended for
+ ## sending with sendmail.
+ ## subject_desc: a subject string to use for the mail
+ ## dest: recipient string to use for the mail
+ ## Returns: a string of mail headers to which an email body can be appended
+ global email_headers: function(subject_desc: string, dest: string): string;
+
 ## This is an internally used function, please ignore it. It's only used
 ## for filling out missing details of :bro:type:`Notice:Info` records
 ## before the synchronous and asynchronous event pathways have begun.
@@ -186,21 +201,47 @@ export {
 # priority.
 global ordered_policy: vector of PolicyItem = vector();
+function log_mailing_postprocessor(info: Log::RotationInfo): bool
+ {
+ if ( ! reading_traces() && mail_dest != "" )
+ {
+ local headers = email_headers(fmt("Log Contents: %s", info$fname),
+ mail_dest);
+ local tmpfilename = fmt("%s.mailheaders.tmp", info$fname);
+ local tmpfile = open(tmpfilename);
+ write_file(tmpfile, headers);
+ close(tmpfile);
+ system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm %s %s",
+ tmpfilename, info$fname, sendmail, tmpfilename, info$fname));
+ }
+ return T;
+ }
+
+# This extra export section here is just because this redefinition should
+# be documented as part of the "public API" of this script, but the redef
+# needs to occur after the postprocessor function implementation.
+export {
+ ## By default, an ASCII version of the the alarm log is emailed daily to any
+ ## configured :bro:id:`Notice::mail_dest` if not operating on trace files.
+ redef Log::rotation_control += {
+ [Log::WRITER_ASCII, "alarm-mail"] =
+ [$interv=24hrs, $postprocessor=log_mailing_postprocessor]
+ };
+}
+
 event bro_init()
 {
 Log::create_stream(NOTICE_POLICY, [$columns=PolicyItem]);
 Log::create_stream(Notice::NOTICE, [$columns=Info, $ev=log_notice]);
 Log::create_stream(ALARM, [$columns=Notice::Info]);
- # Make sure that this log is output as text so that it can be packaged
- # up and emailed later.
- Log::add_filter(ALARM, [$name="default", $writer=Log::WRITER_ASCII]);
+ # If Bro is configured for mailing notices, set up mailing for alarms.
+ # Make sure that this alarm log is also output as text so that it can
+ # be packaged up and emailed later.
+ if ( ! reading_traces() && mail_dest != "" )
+ Log::add_filter(ALARM, [$name="alarm-mail", $path="alarm-mail",
+ $writer=Log::WRITER_ASCII]);
 }
- # TODO: need a way to call a Bro script level callback during file rotation.
- # we need more than a just $postprocessor.
- #redef Log::rotation_control += {
- # [Log::WRITER_ASCII, "alarm"] = [$postprocessor="mail-alarms"];
- #};
 # TODO: fix this.
 #function notice_tags(n: Notice::Info) : table[string] of string
@@ -220,20 +261,24 @@ event bro_init()
 # return tgs;
 # }
+function email_headers(subject_desc: string, dest: string): string
+ {
+ local header_text = string_cat(
+ "From: ", mail_from, "\n",
+ "Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
+ "To: ", dest, "\n",
+ "User-Agent: Bro-IDS/", bro_version(), "\n");
+ if ( reply_to != "" )
+ header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
+ return header_text;
+ }
+
 function email_notice_to(n: Notice::Info, dest: string, extend: bool)
 {
 if ( reading_traces() || dest == "" )
 return;
- local email_text = string_cat(
- "From: ", mail_from, "\n",
- "Subject: ", mail_subject_prefix, " ", fmt("%s", n$note), "\n",
- "To: ", dest, "\n",
- # TODO: BiF to get version (the resource_usage Bif seems like overkill).
- "User-Agent: Bro-IDS/?.?.?\n");
-
- if ( reply_to != "" )
- email_text = string_cat(email_text, "Reply-To: ", reply_to, "\n");
+ local email_text = email_headers(fmt("%s", n$note), dest);
 # The notice emails always start off with the human readable message.
 email_text = string_cat(email_text, "\n", n$msg, "\n");
diff --git a/src/bro.bif b/src/bro.bif
index e4d0f2092b..e31ac52b0c 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -3607,3 +3607,9 @@ function enable_communication%(%): any
 remote_serializer->Init();
 return 0;
 %}
+
+## Returns the Bro version string
+function bro_version%(%): string
+ %{
+ return new StringVal(bro_version());
+ %}
From 005b1505b846fc7ff8c1c727f6ff2688050ad5bf Mon Sep 17 00:00:00 2001
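Review bot: In log_mailing_postprocessor, `info$fname`, `tmpfilename` and `sendmail` are interpolated into the `system()` command line unquoted, so a rotated-log path containing whitespace or shell metacharacters either breaks the pipeline or has those characters interpreted by the shell. Shell-quote each path argument before formatting the command, and apply the same fix to scp_postprocessor in scripts/base/frameworks/logging/postprocessors/scp.bro (patch 21), which builds its command the same way. Note also that the `&&` removes the files only after a successful sendmail run, so a failure leaves `<fname>.mailheaders.tmp` beside the log with no message and the function still returns T; reporting the failure would make it visible. The alarm-log contents leave the host as a plain-text email, which the `## A log postprocessing function ...` doc should state so operators can pick `mail_dest` accordingly.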
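Review bot: email_headers inserts `subject_desc` and `dest` into the header block verbatim, and log_mailing_postprocessor pipes the result to `sendmail -t`, which takes recipients from the headers, so a value containing a newline would add headers or recipients. Today both values come from configuration (`mail_dest`, `mail_from`, `reply_to`) or from `info$fname` / `n$note`, so the exposure is limited, but the function is now exported for other callers. Either add to its export doc `## subject_desc and dest are inserted verbatim; they must not contain newlines.` or strip CR/LF from both inside the function.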
From: Seth Hall
Date: Thu, 25 Aug 2011 16:53:39 -0400
Subject: [PATCH 20/21] Fixing an accidently abandoned test.
---
 .../manager-1.notice.log | 0
 .../base}/frameworks/metrics/cluster-intermediate-update.bro | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename testing/btest/Baseline/{policy.frameworks.metrics.cluster-intermediate-update => scripts.base.frameworks.metrics.cluster-intermediate-update}/manager-1.notice.log (100%)
 rename testing/btest/{policy => scripts/base}/frameworks/metrics/cluster-intermediate-update.bro (100%)
diff --git a/testing/btest/Baseline/policy.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
similarity index 100%
rename from testing/btest/Baseline/policy.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
rename to testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
diff --git a/testing/btest/policy/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
similarity index 100%
rename from testing/btest/policy/frameworks/metrics/cluster-intermediate-update.bro
rename to testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
From c8b2698754002c8d8b59d6ea60fa4350ca793102 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 29 Aug 2011 12:28:38 -0500
Subject: [PATCH 21/21] Add a log postprocessing function that can SCP rotated logs to remote hosts.
---
 .../frameworks/logging/postprocessors/scp.bro | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 scripts/base/frameworks/logging/postprocessors/scp.bro
diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.bro
new file mode 100644
index 0000000000..f27e748ae5
--- /dev/null
+++ b/scripts/base/frameworks/logging/postprocessors/scp.bro
@@ -0,0 +1,42 @@
+##! This script defines a postprocessing function that can be applied
+##! to a logging filter in order to automatically SCP (secure copy)
+##! a log stream (or a subset of it) to a remote host at configurable
+##! rotation time intervals.
+
+module Log;
+
+export {
+ ## This postprocessor SCP's the rotated-log to all the remote hosts
+ ## defined in :bro:id:`Log::scp_destinations` and then deletes
+ ## the local copy of the rotated-log. It's not active when
+ ## reading from trace files.
+ global scp_postprocessor: function(info: Log::RotationInfo): bool;
+
+ ## A container that describes the remote destination for the SCP command
+ ## argument as ``user@host:path``.
+ type SCPDestination: record {
+ user: string;
+ host: string;
+ path: string;
+ };
+
+ ## A table indexed by a particular log writer and filter path, that yields
+ ## a set remote destinations. The :bro:id:`Log::scp_postprocessor`
+ ## function queries this table upon log rotation and performs a secure
+ ## copy of the rotated-log to each destination in the set.
+ global scp_destinations: table[Writer, string] of set[SCPDestination];
+}
+
+function scp_postprocessor(info: Log::RotationInfo): bool
+ {
+ if ( reading_traces() || [info$writer, info$path] !in scp_destinations )
+ return T;
+
+ local command = "";
+ for ( d in scp_destinations[info$writer, info$path] )
+ command += fmt("scp %s %s@%s:%s;", info$fname, d$user, d$host, d$path);
+
+ command += fmt("/bin/rm %s", info$fname);
+ system(command);
+ return T;
+ }
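Review bot: scp_postprocessor chains each `scp` with `;` and then appends `/bin/rm %s`, so the local rotated log is deleted even when every copy failed (unreachable host, rejected key), and the function returns T regardless, leaving no trace of the loss. Chain on success and run scp non-interactively, since there is presumably no terminal to answer a prompt from inside `system()`: `command += fmt("scp -B %s %s@%s:%s && ", info$fname, d$user, d$host, d$path);`. `info$fname` and the `SCPDestination` fields are interpolated into the shell command unquoted, the same issue as in Notice::log_mailing_postprocessor (patch 19), so shell-quote them as well. The `##` doc for scp_destinations should also state that key-based authentication and host keys for each destination must be set up for the account Bro runs as, because the function supplies no credentials.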