Merge remote-tracking branch 'origin/topic/seth/zeek_init'

* origin/topic/seth/zeek_init: Some more testing fixes. Update docs and tests for bro_(init|done) -> zeek_(init|done) Implement the zeek_init handler.
2025-10-05 08:08:19 +00:00 · 2019-04-19 11:16:35 -07:00 · 2019-04-19 11:16:35 -07:00 · a994be9eeb
commit a994be9eeb
parent 9421ee0293 9d676d368b
628 changed files with 868 additions and 1082 deletions
--- a/scripts/policy/protocols/conn/known-hosts.zeek
+++ b/scripts/policy/protocols/conn/known-hosts.zeek
@ -61,7 +61,7 @@ export {
 	global log_known_hosts: event(rec: HostsInfo);
 }

-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_host_store )
 		return;
@ -145,7 +145,7 @@ event Known::host_found(info: HostsInfo)
 	event known_host_add(info);
 	}

-event bro_init()
+event zeek_init()
 	{
 	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]);
 	}
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@ -80,7 +80,7 @@ redef record connection += {
 };


-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_service_store )
 		return;
@ -216,7 +216,7 @@ event connection_state_remove(c: connection) &priority=-5
 	known_services_done(c);
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
 	                                         $ev=log_known_services,
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
@ -25,7 +25,7 @@ export {
 }


-event bro_init()
+event zeek_init()
 	{
 	local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
 	SumStats::create([$name="ftp-detect-bruteforcing",
--- a/scripts/policy/protocols/http/detect-sqli.zeek
+++ b/scripts/policy/protocols/http/detect-sqli.zeek
@ -67,7 +67,7 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string
 	return ret;
 	}

-event bro_init() &priority=3
+event zeek_init() &priority=3
 	{
 	# Add filters to the metrics so that the metrics framework knows how to
 	# determine when it looks like an actual attack and how to respond when
--- a/scripts/policy/protocols/modbus/known-masters-slaves.zeek
+++ b/scripts/policy/protocols/modbus/known-masters-slaves.zeek
@ -33,7 +33,7 @@ export {
 	global log_known_modbus: event(rec: ModbusInfo);
 }

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus"]);
 	}
--- a/scripts/policy/protocols/modbus/track-memmap.zeek
+++ b/scripts/policy/protocols/modbus/track-memmap.zeek
@ -52,7 +52,7 @@ redef record Modbus::Info += {
 	track_address: count &default=0;
 };

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change"]);
 	}
--- a/scripts/policy/protocols/smb/log-cmds.zeek
+++ b/scripts/policy/protocols/smb/log-cmds.zeek
@ -25,7 +25,7 @@ const deferred_logging_cmds: set[string] = {
 	"TREE_CONNECT_ANDX",
 };

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
 	}
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
@ -39,7 +39,7 @@ export {
 	const ignore_guessers: table[subnet] of subnet &redef;
 }

-event bro_init()
+event zeek_init()
 	{
 	local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5];
 	SumStats::create([$name="detect-ssh-bruteforcing",
--- a/scripts/policy/protocols/ssl/heartbleed.zeek
+++ b/scripts/policy/protocols/ssl/heartbleed.zeek
@ -45,7 +45,7 @@ type min_length: record {
 global min_lengths: vector of min_length = vector();
 global min_lengths_tls11: vector of min_length = vector();

-event bro_init()
+event zeek_init()
 	{
 	# Minimum length a heartbeat packet must have for different cipher suites.
 	# Note - tls 1.1f and 1.0 have different lengths :(
--- a/scripts/policy/protocols/ssl/known-certs.zeek
+++ b/scripts/policy/protocols/ssl/known-certs.zeek
@ -72,7 +72,7 @@ export {
 	global log_known_certs: event(rec: CertsInfo);
 }

-event bro_init()
+event zeek_init()
 	{
 	if ( ! Known::use_cert_store )
 		return;
@ -193,7 +193,7 @@ event ssl_established(c: connection) &priority=3
 	event Known::cert_found(info, hash);
 	}

-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]);
 	}
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
@ -31,7 +31,7 @@ function host_certs_only(rec: X509::Info): bool
 	return rec$logcert;
 	}

-event bro_init() &priority=2
+event zeek_init() &priority=2
 	{
 	local f = Log::get_filter(X509::LOG, "default");
 	Log::remove_filter(X509::LOG, "default"); # disable default logging
--- a/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/scripts/policy/protocols/ssl/validate-certs.zeek
@ -62,7 +62,7 @@ export {
 global intermediate_cache: table[string] of vector of opaque of x509;

@if ( Cluster::is_enabled() )
-event bro_init()
+event zeek_init()
 	{
 	Broker::auto_publish(Cluster::worker_topic, SSL::intermediate_add);
 	Broker::auto_publish(Cluster::manager_topic, SSL::new_intermediate);
--- a/scripts/policy/protocols/ssl/validate-sct.zeek
+++ b/scripts/policy/protocols/ssl/validate-sct.zeek
@ -69,7 +69,7 @@ export {
 global recently_validated_scts: table[string] of bool = table()
 	&read_expire=5mins &redef;

-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}