Merge remote-tracking branch 'origin/topic/seth/zeek_init'
* origin/topic/seth/zeek_init:
  Some more testing fixes.
  Update docs and tests for bro_(init|done) -> zeek_(init|done)
  Implement the zeek_init handler.
commit
a994be9eeb
628 changed files with 868 additions and 1082 deletions
|
@ -135,7 +135,7 @@ export {
|
|||
|
||||
global ports: table[Analyzer::Tag] of set[port];
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
if ( disable_all )
|
||||
__disable_all_analyzers();
|
||||
|
|
|
@ -30,7 +30,7 @@ export {
|
|||
};
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
|
||||
}
|
||||
|
|
|
@ -298,7 +298,7 @@ export {
|
|||
|
||||
## Register interest in all peer event messages that use a certain topic
|
||||
## prefix. Note that subscriptions may not be altered immediately after
|
||||
## calling (except during :bro:see:`bro_init`).
|
||||
## calling (except during :bro:see:`zeek_init`).
|
||||
##
|
||||
## topic_prefix: a prefix to match against remote message topics.
|
||||
## e.g. an empty prefix matches everything and "a" matches
|
||||
|
@ -309,7 +309,7 @@ export {
|
|||
|
||||
## Unregister interest in all peer event messages that use a topic prefix.
|
||||
## Note that subscriptions may not be altered immediately after calling
|
||||
## (except during :bro:see:`bro_init`).
|
||||
## (except during :bro:see:`zeek_init`).
|
||||
##
|
||||
## topic_prefix: a prefix previously supplied to a successful call to
|
||||
## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`.
|
||||
|
|
|
@ -359,7 +359,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1
|
|||
}
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
# If a node is given, but it's an unknown name we need to fail.
|
||||
if ( node != "" && node !in nodes )
|
||||
|
|
|
@ -324,7 +324,7 @@ function mark_pool_node_dead(pool: Pool, name: string): bool
|
|||
return T;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
worker_pool = register_pool(worker_pool_spec);
|
||||
proxy_pool = register_pool(proxy_pool_spec);
|
||||
|
@ -344,8 +344,8 @@ function pool_sorter(a: Pool, b: Pool): int
|
|||
return strcmp(a$spec$topic, b$spec$topic);
|
||||
}
|
||||
|
||||
# Needs to execute before the bro_init in setup-connections
|
||||
event bro_init() &priority=-5
|
||||
# Needs to execute before the zeek_init in setup-connections
|
||||
event zeek_init() &priority=-5
|
||||
{
|
||||
if ( ! Cluster::is_enabled() )
|
||||
return;
|
||||
|
|
|
@ -42,7 +42,7 @@ function connect_peers_with_type(node_type: NodeType)
|
|||
}
|
||||
}
|
||||
|
||||
event bro_init() &priority=-10
|
||||
event zeek_init() &priority=-10
|
||||
{
|
||||
if ( getenv("BROCTL_CHECK_CONFIG") != "" )
|
||||
return;
|
||||
|
|
|
@ -34,7 +34,7 @@ event config_line(description: Input::EventDescription, tpe: Input::Event, p: Ev
|
|||
{
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
|
||||
return;
|
||||
|
|
|
@ -150,7 +150,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an
|
|||
return new_value;
|
||||
}
|
||||
|
||||
event bro_init() &priority=10
|
||||
event zeek_init() &priority=10
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]);
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ function weird_option_change_interval(ID: string, new_value: interval, location:
|
|||
return new_value;
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5);
|
||||
Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5);
|
||||
|
|
|
@ -39,7 +39,7 @@ redef record connection += {
|
|||
dpd: Info &optional;
|
||||
};
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]);
|
||||
}
|
||||
|
|
|
@ -324,7 +324,7 @@ global mime_type_to_analyzers: table[string] of set[Files::Tag];
|
|||
|
||||
global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table();
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]);
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@ redef have_full_data = F;
|
|||
@endif
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::worker_topic, remove_indicator);
|
||||
}
|
||||
|
@ -67,7 +67,7 @@ event Intel::match_remote(s: Seen) &priority=5
|
|||
@endif
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::WORKER )
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::manager_topic, match_remote);
|
||||
Broker::auto_publish(Cluster::manager_topic, remove_item);
|
||||
|
|
|
@ -27,7 +27,7 @@ event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item:
|
|||
Intel::insert(item);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
if ( ! Cluster::is_enabled() ||
|
||||
Cluster::local_node_type() == Cluster::MANAGER )
|
||||
|
|
|
@ -223,7 +223,7 @@ type MinDataStore: record {
|
|||
global min_data_store: MinDataStore &redef;
|
||||
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]);
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
##! to a logging filter in order to automatically SCP (secure copy)
|
||||
##! a log stream (or a subset of it) to a remote host at configurable
|
||||
##! rotation time intervals. Generally, to use this functionality
|
||||
##! you must handle the :bro:id:`bro_init` event and do the following
|
||||
##! you must handle the :bro:id:`zeek_init` event and do the following
|
||||
##! in your handler:
|
||||
##!
|
||||
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
##! to a logging filter in order to automatically SFTP
|
||||
##! a log stream (or a subset of it) to a remote host at configurable
|
||||
##! rotation time intervals. Generally, to use this functionality
|
||||
##! you must handle the :bro:id:`bro_init` event and do the following
|
||||
##! you must handle the :bro:id:`zeek_init` event and do the following
|
||||
##! in your handler:
|
||||
##!
|
||||
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
||||
|
|
|
@ -163,7 +163,7 @@ export {
|
|||
# Set that is used to only send seen notifications to the master every ~30 seconds.
|
||||
global catch_release_recently_notified: set[addr] &create_expire=30secs;
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
|
||||
}
|
||||
|
@ -227,13 +227,13 @@ global blocks: table[addr] of BlockInfo = {}
|
|||
@if ( Cluster::is_enabled() )
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new);
|
||||
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete);
|
||||
}
|
||||
@else
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add);
|
||||
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete);
|
||||
|
|
|
@ -17,7 +17,7 @@ export {
|
|||
}
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added);
|
||||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed);
|
||||
|
@ -28,7 +28,7 @@ event bro_init()
|
|||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed);
|
||||
}
|
||||
@else
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule);
|
||||
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule);
|
||||
|
|
|
@ -55,7 +55,7 @@ export {
|
|||
global log_netcontrol_drop: event(rec: DropInfo);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
|
||||
}
|
||||
|
|
|
@ -262,7 +262,7 @@ export {
|
|||
##### Plugin functions
|
||||
|
||||
## Function called by plugins once they finished their activation. After all
|
||||
## plugins defined in bro_init finished to activate, rules will start to be sent
|
||||
## plugins defined in zeek_init finished to activate, rules will start to be sent
|
||||
## to the plugins. Rules that scripts try to set before the backends are ready
|
||||
## will be discarded.
|
||||
global plugin_activated: function(p: PluginState);
|
||||
|
@ -338,13 +338,13 @@ redef record Rule += {
|
|||
};
|
||||
|
||||
# Variable tracking the state of plugin activation. Once all plugins that
|
||||
# have been added in bro_init are activated, this will switch to T and
|
||||
# have been added in zeek_init are activated, this will switch to T and
|
||||
# the event NetControl::init_done will be raised.
|
||||
global plugins_active: bool = F;
|
||||
|
||||
# Set to true at the end of bro_init (with very low priority).
|
||||
# Set to true at the end of zeek_init (with very low priority).
|
||||
# Used to track when plugin activation could potentially be finished
|
||||
global bro_init_done: bool = F;
|
||||
global zeek_init_done: bool = F;
|
||||
|
||||
# The counters that are used to generate the rule and plugin IDs
|
||||
global rule_counter: count = 1;
|
||||
|
@ -364,7 +364,7 @@ global rules_by_subnets: table[subnet] of set[string];
|
|||
# There always only can be one rule of each type for one entity.
|
||||
global rule_entities: table[Entity, RuleType] of Rule;
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]);
|
||||
}
|
||||
|
@ -613,18 +613,18 @@ function plugin_activated(p: PluginState)
|
|||
plugin_ids[id]$_activated = T;
|
||||
log_msg("activation finished", p);
|
||||
|
||||
if ( bro_init_done )
|
||||
if ( zeek_init_done )
|
||||
check_plugins();
|
||||
}
|
||||
|
||||
event bro_init() &priority=-5
|
||||
event zeek_init() &priority=-5
|
||||
{
|
||||
event NetControl::init();
|
||||
}
|
||||
|
||||
event NetControl::init() &priority=-20
|
||||
{
|
||||
bro_init_done = T;
|
||||
zeek_init_done = T;
|
||||
|
||||
check_plugins();
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ export {
|
|||
global log_netcontrol_shunt: event(rec: ShuntInfo);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
|
||||
}
|
||||
|
|
|
@ -95,7 +95,7 @@ function pp_postprocessor(info: Log::RotationInfo): bool
|
|||
return T;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
if ( ! want_pp() )
|
||||
return;
|
||||
|
|
|
@ -385,7 +385,7 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
|
|||
return T;
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
|
||||
|
||||
|
@ -531,7 +531,7 @@ event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type,
|
|||
suppressing[note, identifier] = suppress_until;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
if ( ! Cluster::is_enabled() )
|
||||
return;
|
||||
|
|
|
@ -296,7 +296,7 @@ const notice_actions = {
|
|||
ACTION_NOTICE_ONCE,
|
||||
};
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]);
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@ export {
|
|||
|
||||
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
||||
# Workers need ability to forward commands to manager.
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod);
|
||||
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear);
|
||||
|
|
|
@ -46,7 +46,7 @@ export {
|
|||
global log_openflow: event(rec: Info);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]);
|
||||
}
|
||||
|
|
|
@ -157,7 +157,7 @@ event filter_change_tracking()
|
|||
schedule 5min { filter_change_tracking() };
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
|
||||
|
||||
|
@ -175,7 +175,7 @@ event bro_init() &priority=5
|
|||
}
|
||||
}
|
||||
|
||||
event bro_init() &priority=-5
|
||||
event zeek_init() &priority=-5
|
||||
{
|
||||
install();
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ event net_stats_update(last_stat: NetStats)
|
|||
schedule stats_collection_interval { net_stats_update(ns) };
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
# Since this currently only calculates packet drops, let's skip the stats
|
||||
# collection if reading traces.
|
||||
|
|
|
@ -35,7 +35,7 @@ export {
|
|||
};
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]);
|
||||
}
|
||||
|
|
|
@ -140,7 +140,7 @@ global count_per_orig: table[addr, string] of count
|
|||
global did_sig_log: set[string] &read_expire = 1 hr;
|
||||
|
||||
|
||||
event bro_init()
|
||||
event zeek_init()
|
||||
{
|
||||
Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
|
||||
}
|
||||
|
|
|
@ -121,7 +121,7 @@ export {
|
|||
global register: event(info: Info);
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]);
|
||||
}
|
||||
|
|
|
@ -61,7 +61,7 @@ global recent_global_view_keys: set[string, Key] &create_expire=1min;
|
|||
|
||||
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
||||
|
||||
event bro_init() &priority=100
|
||||
event zeek_init() &priority=100
|
||||
{
|
||||
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result);
|
||||
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response);
|
||||
|
@ -209,7 +209,7 @@ function request_key(ss_name: string, key: Key): Result
|
|||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
|
||||
event bro_init() &priority=100
|
||||
event zeek_init() &priority=100
|
||||
{
|
||||
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request);
|
||||
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result);
|
||||
|
|
|
@ -270,7 +270,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio
|
|||
calc_deps[calc] += depends_on;
|
||||
}
|
||||
|
||||
event bro_init() &priority=100000
|
||||
event zeek_init() &priority=100000
|
||||
{
|
||||
# Call all of the plugin registration hooks
|
||||
hook register_observe_plugins();
|
||||
|
|
|
@ -87,7 +87,7 @@ const teredo_ports = { 3544/udp };
|
|||
const gtpv1_ports = { 2152/udp, 2123/udp };
|
||||
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]);
|
||||
|
||||
|
|