Merge remote-tracking branch 'origin/topic/seth/zeek_init'

* origin/topic/seth/zeek_init: Some more testing fixes. Update docs and tests for bro_(init|done) -> zeek_(init|done) Implement the zeek_init handler.
2025-10-10 02:28:21 +00:00 · 2019-04-19 11:16:35 -07:00 · 2019-04-19 11:16:35 -07:00 · a994be9eeb
commit a994be9eeb
parent 9421ee0293 9d676d368b
628 changed files with 868 additions and 1082 deletions
--- a/scripts/policy/files/x509/log-ocsp.zeek
+++ b/scripts/policy/files/x509/log-ocsp.zeek
@ -39,7 +39,7 @@ export {
 	global log_ocsp: event(rec: Info);
 }

-event bro_init()
+event zeek_init()
 	{
 	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
--- a/scripts/policy/frameworks/control/controllee.zeek
+++ b/scripts/policy/frameworks/control/controllee.zeek
@ -12,7 +12,7 @@

 module Control;

-event bro_init() &priority=-10
+event zeek_init() &priority=-10
 	{
 	Broker::subscribe(Control::topic_prefix + "/" + Broker::node_id());
 	Broker::auto_publish(Control::topic_prefix + "/id_value_response",
--- a/scripts/policy/frameworks/control/controller.zeek
+++ b/scripts/policy/frameworks/control/controller.zeek
@ -12,7 +12,7 @@
 module Control;

 # Do some sanity checking and rework the communication nodes.
-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	# We know that some command was given because this script wouldn't be
 	# loaded if there wasn't so we can feel free to throw an error here and
--- a/scripts/policy/frameworks/packet-filter/shunt.zeek
+++ b/scripts/policy/frameworks/packet-filter/shunt.zeek
@ -76,7 +76,7 @@ function shunt_filters()
 		PacketFilter::exclude("shunt_filters", filter);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	register_filter_plugin([
 		$func()={ return shunt_filters(); }
--- a/scripts/policy/frameworks/software/vulnerable.zeek
+++ b/scripts/policy/frameworks/software/vulnerable.zeek
@ -117,7 +117,7 @@ function update_vulnerable_sw()
 	event grab_vulnerable_versions(1);
 	}

-event bro_init() &priority=3
+event zeek_init() &priority=3
 	{
 	update_vulnerable_sw();
 	}
--- a/scripts/policy/integration/barnyard2/main.zeek
+++ b/scripts/policy/integration/barnyard2/main.zeek
@ -24,7 +24,7 @@ export {
 	global pid2cid: function(p: PacketID): conn_id;
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]);
 	}
--- a/scripts/policy/misc/capture-loss.zeek
+++ b/scripts/policy/misc/capture-loss.zeek
@ -74,7 +74,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 	schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]);

--- a/scripts/policy/misc/detect-traceroute/main.zeek
+++ b/scripts/policy/misc/detect-traceroute/main.zeek
@ -53,7 +53,7 @@ export {
 	global log_traceroute: event(rec: Traceroute::Info);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]);

--- a/scripts/policy/misc/load-balancing.zeek
+++ b/scripts/policy/misc/load-balancing.zeek
@ -28,7 +28,7 @@ export {

@if ( Cluster::is_enabled() )

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	if ( method != AUTO_BPF )
 		return;
--- a/scripts/policy/misc/loaded-scripts.zeek
+++ b/scripts/policy/misc/loaded-scripts.zeek
@ -27,7 +27,7 @@ function get_indent(level: count): string
 	return out;
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]);
 	}
--- a/scripts/policy/misc/profiling.zeek
+++ b/scripts/policy/misc/profiling.zeek
@ -12,7 +12,7 @@ redef profiling_interval = 15 secs;
 ## :bro:id:`profiling_interval`).
 redef expensive_profiling_multiple = 20;

-event bro_init()
+event zeek_init()
 	{
 	set_buf(profiling_file, F);
 	}
--- a/scripts/policy/misc/scan.zeek
+++ b/scripts/policy/misc/scan.zeek
@ -51,7 +51,7 @@ export {
 	global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)];
 	SumStats::create([$name="addr-scan",
--- a/scripts/policy/misc/stats.zeek
+++ b/scripts/policy/misc/stats.zeek
@ -82,7 +82,7 @@ export {
 	global log_stats: event(rec: Info);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
 	}
@ -149,7 +149,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
 	}

-event bro_init()
+event zeek_init()
 	{
 	schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) };
 	}
--- a/scripts/policy/misc/trim-trace-file.zeek
+++ b/scripts/policy/misc/trim-trace-file.zeek
@ -30,7 +30,7 @@ event TrimTraceFile::go(first_trim: bool)
 	schedule trim_interval { TrimTraceFile::go(F) };
 	}

-event bro_init()
+event zeek_init()
 	{
 	if ( trim_interval > 0 secs )
 		schedule trim_interval { TrimTraceFile::go(T) };
--- a/scripts/policy/misc/weird-stats.zeek
+++ b/scripts/policy/misc/weird-stats.zeek
@ -51,7 +51,7 @@ function weird_epoch_finished(ts: time)
 	this_epoch_weirds = table();
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(WeirdStats::LOG,
 	                   [$columns = Info, $ev = log_weird_stats,
--- a/scripts/policy/protocols/conn/known-hosts.zeek
+++ b/scripts/policy/protocols/conn/known-hosts.zeek
@ -61,7 +61,7 @@ export {
 	global log_known_hosts: event(rec: HostsInfo);
 }

-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_host_store )
 		return;
@ -145,7 +145,7 @@ event Known::host_found(info: HostsInfo)
 	event known_host_add(info);
 	}

-event bro_init()
+event zeek_init()
 	{
 	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]);
 	}
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@ -80,7 +80,7 @@ redef record connection += {
 };


-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_service_store )
 		return;
@ -216,7 +216,7 @@ event connection_state_remove(c: connection) &priority=-5
 	known_services_done(c);
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
 	                                         $ev=log_known_services,
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
@ -25,7 +25,7 @@ export {
 }


-event bro_init()
+event zeek_init()
 	{
 	local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
 	SumStats::create([$name="ftp-detect-bruteforcing",
--- a/scripts/policy/protocols/http/detect-sqli.zeek
+++ b/scripts/policy/protocols/http/detect-sqli.zeek
@ -67,7 +67,7 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string
 	return ret;
 	}

-event bro_init() &priority=3
+event zeek_init() &priority=3
 	{
 	# Add filters to the metrics so that the metrics framework knows how to
 	# determine when it looks like an actual attack and how to respond when
--- a/scripts/policy/protocols/modbus/known-masters-slaves.zeek
+++ b/scripts/policy/protocols/modbus/known-masters-slaves.zeek
@ -33,7 +33,7 @@ export {
 	global log_known_modbus: event(rec: ModbusInfo);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus"]);
 	}
--- a/scripts/policy/protocols/modbus/track-memmap.zeek
+++ b/scripts/policy/protocols/modbus/track-memmap.zeek
@ -52,7 +52,7 @@ redef record Modbus::Info += {
 	track_address: count &default=0;
 };

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change"]);
 	}
--- a/scripts/policy/protocols/smb/log-cmds.zeek
+++ b/scripts/policy/protocols/smb/log-cmds.zeek
@ -25,7 +25,7 @@ const deferred_logging_cmds: set[string] = {
 	"TREE_CONNECT_ANDX",
 };

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
 	}
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
@ -39,7 +39,7 @@ export {
 	const ignore_guessers: table[subnet] of subnet &redef;
 }

-event bro_init()
+event zeek_init()
 	{
 	local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5];
 	SumStats::create([$name="detect-ssh-bruteforcing",
--- a/scripts/policy/protocols/ssl/heartbleed.zeek
+++ b/scripts/policy/protocols/ssl/heartbleed.zeek
@ -45,7 +45,7 @@ type min_length: record {
 global min_lengths: vector of min_length = vector();
 global min_lengths_tls11: vector of min_length = vector();

-event bro_init()
+event zeek_init()
 	{
 	# Minimum length a heartbeat packet must have for different cipher suites.
 	# Note - tls 1.1f and 1.0 have different lengths :(
--- a/scripts/policy/protocols/ssl/known-certs.zeek
+++ b/scripts/policy/protocols/ssl/known-certs.zeek
@ -72,7 +72,7 @@ export {
 	global log_known_certs: event(rec: CertsInfo);
 }

-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_cert_store )
 		return;
@ -193,7 +193,7 @@ event ssl_established(c: connection) &priority=3
 	event Known::cert_found(info, hash);
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]);
 	}
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
@ -31,7 +31,7 @@ function host_certs_only(rec: X509::Info): bool
 	return rec$logcert;
 	}

-event bro_init() &priority=2
+event zeek_init() &priority=2
 	{
 	local f = Log::get_filter(X509::LOG, "default");
 	Log::remove_filter(X509::LOG, "default"); # disable default logging
--- a/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/scripts/policy/protocols/ssl/validate-certs.zeek
@ -62,7 +62,7 @@ export {
 global intermediate_cache: table[string] of vector of opaque of x509;

@if ( Cluster::is_enabled() )
-event bro_init()
+event zeek_init()
 	{
 	Broker::auto_publish(Cluster::worker_topic, SSL::intermediate_add);
 	Broker::auto_publish(Cluster::manager_topic, SSL::new_intermediate);
--- a/scripts/policy/protocols/ssl/validate-sct.zeek
+++ b/scripts/policy/protocols/ssl/validate-sct.zeek
@ -69,7 +69,7 @@ export {
 global recently_validated_scts: table[string] of bool = table()
 	&read_expire=5mins &redef;

-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
--- a/scripts/policy/tuning/defaults/warnings.zeek
+++ b/scripts/policy/tuning/defaults/warnings.zeek
@ -4,7 +4,7 @@

@load base/utils/site

-event bro_init() &priority=-10
+event zeek_init() &priority=-10
 	{
 	if ( |Site::local_nets| == 0 )
 		print "WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.";