mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Merge remote-tracking branch 'origin/topic/seth/zeek_init'
* origin/topic/seth/zeek_init: Some more testing fixes. Update docs and tests for bro_(init|done) -> zeek_(init|done) Implement the zeek_init handler.
This commit is contained in:
Jon Siwek
commit
a994be9eeb
628 changed files with 868 additions and 1082 deletions
8
CHANGES
8
CHANGES
|
|
@ -1,4 +1,12 @@
|
||||||
|
|
||||||
|
2.6-236 | 2019-04-19 11:16:35 -0700
|
||||||
|
|
||||||
|
* Add zeek_init/zeek_done events and deprecate bro_init/bro_done (Seth Hall, Corelight)
|
||||||
|
|
||||||
|
Any existing handlers for bro_init and bro_done will automatically alias
|
||||||
|
to the new zeek_init and zeek_done events such that code will not break,
|
||||||
|
but will emit a deprecation warning.
|
||||||
|
|
||||||
2.6-232 | 2019-04-18 09:34:13 +0200
|
2.6-232 | 2019-04-18 09:34:13 +0200
|
||||||
|
|
||||||
* Prevent topk_merge from crashing when second argument is empty set (Jeff Barber)
|
* Prevent topk_merge from crashing when second argument is empty set (Jeff Barber)
|
||||||
|
|
|
||||||
6
NEWS
6
NEWS
|
|
@ -176,6 +176,12 @@ Deprecated Functionality
|
||||||
instead. The later will automatically return a value that is enclosed
|
instead. The later will automatically return a value that is enclosed
|
||||||
in double-quotes.
|
in double-quotes.
|
||||||
|
|
||||||
|
- The ``bro_init`` and ``bro_done`` events are now deprecated, use
|
||||||
|
``zeek_init`` and ``zeek_done`` instead. Any existing handlers for
|
||||||
|
``bro_init`` and ``bro_done`` will automatically alias to the new
|
||||||
|
``zeek_init`` and ``zeek_done`` events such that existing code will
|
||||||
|
not break, but will emit a deprecation warning.
|
||||||
|
|
||||||
Bro 2.6
|
Bro 2.6
|
||||||
=======
|
=======
|
||||||
|
|
||||||
|
|
|
||||||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
2.6-232
|
2.6-236
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
Subproject commit 65f213ff3573314ac8f7b33ff4b121d93fc883dc
|
Subproject commit 5698525ae41c397c18eba1d5350cca18fa081665
|
||||||
|
|
@ -1 +1 @@
|
||||||
Subproject commit e8f6d7fa952c7d0bb9cb5f54e82806a17a9b85f3
|
Subproject commit 1ab04b7bd893f65c1339b2ac92596dca6ed66412
|
||||||
2
doc
2
doc
|
|
@ -1 +1 @@
|
||||||
Subproject commit 9b556e5e71d0d8a5c2e7a1d4be4b308d887310f1
|
Subproject commit 5e02a297eefe8740e8b84f7610fbf126af5c3475
|
||||||
|
|
@ -75,7 +75,7 @@ event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count,
|
||||||
f$info$extracted_size = limit;
|
f$info$extracted_size = limit;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=10
|
event zeek_init() &priority=10
|
||||||
{
|
{
|
||||||
Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
|
Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -55,7 +55,7 @@ redef record fa_file += {
|
||||||
|
|
||||||
const pe_mime_types = { "application/x-dosexec" };
|
const pe_mime_types = { "application/x-dosexec" };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
|
Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
|
||||||
Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
|
Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
|
||||||
|
|
|
||||||
|
|
@ -193,7 +193,7 @@ event Input::end_of_data(name: string, source: string)
|
||||||
start_watching();
|
start_watching();
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2"]);
|
Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ export {
|
||||||
global log_x509: event(rec: Info);
|
global log_x509: event(rec: Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
|
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -135,7 +135,7 @@ export {
|
||||||
|
|
||||||
global ports: table[Analyzer::Tag] of set[port];
|
global ports: table[Analyzer::Tag] of set[port];
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
if ( disable_all )
|
if ( disable_all )
|
||||||
__disable_all_analyzers();
|
__disable_all_analyzers();
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ export {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
|
Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -298,7 +298,7 @@ export {
|
||||||
|
|
||||||
## Register interest in all peer event messages that use a certain topic
|
## Register interest in all peer event messages that use a certain topic
|
||||||
## prefix. Note that subscriptions may not be altered immediately after
|
## prefix. Note that subscriptions may not be altered immediately after
|
||||||
## calling (except during :bro:see:`bro_init`).
|
## calling (except during :bro:see:`zeek_init`).
|
||||||
##
|
##
|
||||||
## topic_prefix: a prefix to match against remote message topics.
|
## topic_prefix: a prefix to match against remote message topics.
|
||||||
## e.g. an empty prefix matches everything and "a" matches
|
## e.g. an empty prefix matches everything and "a" matches
|
||||||
|
|
@ -309,7 +309,7 @@ export {
|
||||||
|
|
||||||
## Unregister interest in all peer event messages that use a topic prefix.
|
## Unregister interest in all peer event messages that use a topic prefix.
|
||||||
## Note that subscriptions may not be altered immediately after calling
|
## Note that subscriptions may not be altered immediately after calling
|
||||||
## (except during :bro:see:`bro_init`).
|
## (except during :bro:see:`zeek_init`).
|
||||||
##
|
##
|
||||||
## topic_prefix: a prefix previously supplied to a successful call to
|
## topic_prefix: a prefix previously supplied to a successful call to
|
||||||
## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`.
|
## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`.
|
||||||
|
|
|
||||||
|
|
@ -359,7 +359,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
# If a node is given, but it's an unknown name we need to fail.
|
# If a node is given, but it's an unknown name we need to fail.
|
||||||
if ( node != "" && node !in nodes )
|
if ( node != "" && node !in nodes )
|
||||||
|
|
|
||||||
|
|
@ -324,7 +324,7 @@ function mark_pool_node_dead(pool: Pool, name: string): bool
|
||||||
return T;
|
return T;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
worker_pool = register_pool(worker_pool_spec);
|
worker_pool = register_pool(worker_pool_spec);
|
||||||
proxy_pool = register_pool(proxy_pool_spec);
|
proxy_pool = register_pool(proxy_pool_spec);
|
||||||
|
|
@ -344,8 +344,8 @@ function pool_sorter(a: Pool, b: Pool): int
|
||||||
return strcmp(a$spec$topic, b$spec$topic);
|
return strcmp(a$spec$topic, b$spec$topic);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Needs to execute before the bro_init in setup-connections
|
# Needs to execute before the zeek_init in setup-connections
|
||||||
event bro_init() &priority=-5
|
event zeek_init() &priority=-5
|
||||||
{
|
{
|
||||||
if ( ! Cluster::is_enabled() )
|
if ( ! Cluster::is_enabled() )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -42,7 +42,7 @@ function connect_peers_with_type(node_type: NodeType)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=-10
|
event zeek_init() &priority=-10
|
||||||
{
|
{
|
||||||
if ( getenv("BROCTL_CHECK_CONFIG") != "" )
|
if ( getenv("BROCTL_CHECK_CONFIG") != "" )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ event config_line(description: Input::EventDescription, tpe: Input::Event, p: Ev
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
|
if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -150,7 +150,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an
|
||||||
return new_value;
|
return new_value;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=10
|
event zeek_init() &priority=10
|
||||||
{
|
{
|
||||||
Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]);
|
Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ function weird_option_change_interval(ID: string, new_value: interval, location:
|
||||||
return new_value;
|
return new_value;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5);
|
Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5);
|
||||||
Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5);
|
Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5);
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,7 @@ redef record connection += {
|
||||||
dpd: Info &optional;
|
dpd: Info &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]);
|
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -324,7 +324,7 @@ global mime_type_to_analyzers: table[string] of set[Files::Tag];
|
||||||
|
|
||||||
global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table();
|
global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table();
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]);
|
Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ redef have_full_data = F;
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::worker_topic, remove_indicator);
|
Broker::auto_publish(Cluster::worker_topic, remove_indicator);
|
||||||
}
|
}
|
||||||
|
|
@ -67,7 +67,7 @@ event Intel::match_remote(s: Seen) &priority=5
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() == Cluster::WORKER )
|
@if ( Cluster::local_node_type() == Cluster::WORKER )
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, match_remote);
|
Broker::auto_publish(Cluster::manager_topic, match_remote);
|
||||||
Broker::auto_publish(Cluster::manager_topic, remove_item);
|
Broker::auto_publish(Cluster::manager_topic, remove_item);
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item:
|
||||||
Intel::insert(item);
|
Intel::insert(item);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
if ( ! Cluster::is_enabled() ||
|
if ( ! Cluster::is_enabled() ||
|
||||||
Cluster::local_node_type() == Cluster::MANAGER )
|
Cluster::local_node_type() == Cluster::MANAGER )
|
||||||
|
|
|
||||||
|
|
@ -223,7 +223,7 @@ type MinDataStore: record {
|
||||||
global min_data_store: MinDataStore &redef;
|
global min_data_store: MinDataStore &redef;
|
||||||
|
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]);
|
Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
##! to a logging filter in order to automatically SCP (secure copy)
|
##! to a logging filter in order to automatically SCP (secure copy)
|
||||||
##! a log stream (or a subset of it) to a remote host at configurable
|
##! a log stream (or a subset of it) to a remote host at configurable
|
||||||
##! rotation time intervals. Generally, to use this functionality
|
##! rotation time intervals. Generally, to use this functionality
|
||||||
##! you must handle the :bro:id:`bro_init` event and do the following
|
##! you must handle the :bro:id:`zeek_init` event and do the following
|
||||||
##! in your handler:
|
##! in your handler:
|
||||||
##!
|
##!
|
||||||
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
##! to a logging filter in order to automatically SFTP
|
##! to a logging filter in order to automatically SFTP
|
||||||
##! a log stream (or a subset of it) to a remote host at configurable
|
##! a log stream (or a subset of it) to a remote host at configurable
|
||||||
##! rotation time intervals. Generally, to use this functionality
|
##! rotation time intervals. Generally, to use this functionality
|
||||||
##! you must handle the :bro:id:`bro_init` event and do the following
|
##! you must handle the :bro:id:`zeek_init` event and do the following
|
||||||
##! in your handler:
|
##! in your handler:
|
||||||
##!
|
##!
|
||||||
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
|
||||||
|
|
|
||||||
|
|
@ -163,7 +163,7 @@ export {
|
||||||
# Set that is used to only send seen notifications to the master every ~30 seconds.
|
# Set that is used to only send seen notifications to the master every ~30 seconds.
|
||||||
global catch_release_recently_notified: set[addr] &create_expire=30secs;
|
global catch_release_recently_notified: set[addr] &create_expire=30secs;
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
|
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
|
||||||
}
|
}
|
||||||
|
|
@ -227,13 +227,13 @@ global blocks: table[addr] of BlockInfo = {}
|
||||||
@if ( Cluster::is_enabled() )
|
@if ( Cluster::is_enabled() )
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new);
|
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new);
|
||||||
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete);
|
Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete);
|
||||||
}
|
}
|
||||||
@else
|
@else
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add);
|
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add);
|
||||||
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete);
|
Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete);
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@ export {
|
||||||
}
|
}
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added);
|
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added);
|
||||||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed);
|
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed);
|
||||||
|
|
@ -28,7 +28,7 @@ event bro_init()
|
||||||
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed);
|
Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed);
|
||||||
}
|
}
|
||||||
@else
|
@else
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule);
|
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule);
|
||||||
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule);
|
Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule);
|
||||||
|
|
|
||||||
|
|
@ -55,7 +55,7 @@ export {
|
||||||
global log_netcontrol_drop: event(rec: DropInfo);
|
global log_netcontrol_drop: event(rec: DropInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
|
Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -262,7 +262,7 @@ export {
|
||||||
##### Plugin functions
|
##### Plugin functions
|
||||||
|
|
||||||
## Function called by plugins once they finished their activation. After all
|
## Function called by plugins once they finished their activation. After all
|
||||||
## plugins defined in bro_init finished to activate, rules will start to be sent
|
## plugins defined in zeek_init finished to activate, rules will start to be sent
|
||||||
## to the plugins. Rules that scripts try to set before the backends are ready
|
## to the plugins. Rules that scripts try to set before the backends are ready
|
||||||
## will be discarded.
|
## will be discarded.
|
||||||
global plugin_activated: function(p: PluginState);
|
global plugin_activated: function(p: PluginState);
|
||||||
|
|
@ -338,13 +338,13 @@ redef record Rule += {
|
||||||
};
|
};
|
||||||
|
|
||||||
# Variable tracking the state of plugin activation. Once all plugins that
|
# Variable tracking the state of plugin activation. Once all plugins that
|
||||||
# have been added in bro_init are activated, this will switch to T and
|
# have been added in zeek_init are activated, this will switch to T and
|
||||||
# the event NetControl::init_done will be raised.
|
# the event NetControl::init_done will be raised.
|
||||||
global plugins_active: bool = F;
|
global plugins_active: bool = F;
|
||||||
|
|
||||||
# Set to true at the end of bro_init (with very low priority).
|
# Set to true at the end of zeek_init (with very low priority).
|
||||||
# Used to track when plugin activation could potentially be finished
|
# Used to track when plugin activation could potentially be finished
|
||||||
global bro_init_done: bool = F;
|
global zeek_init_done: bool = F;
|
||||||
|
|
||||||
# The counters that are used to generate the rule and plugin IDs
|
# The counters that are used to generate the rule and plugin IDs
|
||||||
global rule_counter: count = 1;
|
global rule_counter: count = 1;
|
||||||
|
|
@ -364,7 +364,7 @@ global rules_by_subnets: table[subnet] of set[string];
|
||||||
# There always only can be one rule of each type for one entity.
|
# There always only can be one rule of each type for one entity.
|
||||||
global rule_entities: table[Entity, RuleType] of Rule;
|
global rule_entities: table[Entity, RuleType] of Rule;
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]);
|
Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]);
|
||||||
}
|
}
|
||||||
|
|
@ -613,18 +613,18 @@ function plugin_activated(p: PluginState)
|
||||||
plugin_ids[id]$_activated = T;
|
plugin_ids[id]$_activated = T;
|
||||||
log_msg("activation finished", p);
|
log_msg("activation finished", p);
|
||||||
|
|
||||||
if ( bro_init_done )
|
if ( zeek_init_done )
|
||||||
check_plugins();
|
check_plugins();
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=-5
|
event zeek_init() &priority=-5
|
||||||
{
|
{
|
||||||
event NetControl::init();
|
event NetControl::init();
|
||||||
}
|
}
|
||||||
|
|
||||||
event NetControl::init() &priority=-20
|
event NetControl::init() &priority=-20
|
||||||
{
|
{
|
||||||
bro_init_done = T;
|
zeek_init_done = T;
|
||||||
|
|
||||||
check_plugins();
|
check_plugins();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ export {
|
||||||
global log_netcontrol_shunt: event(rec: ShuntInfo);
|
global log_netcontrol_shunt: event(rec: ShuntInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
|
Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -95,7 +95,7 @@ function pp_postprocessor(info: Log::RotationInfo): bool
|
||||||
return T;
|
return T;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
if ( ! want_pp() )
|
if ( ! want_pp() )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -385,7 +385,7 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
|
||||||
return T;
|
return T;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
|
Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
|
||||||
|
|
||||||
|
|
@ -531,7 +531,7 @@ event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type,
|
||||||
suppressing[note, identifier] = suppress_until;
|
suppressing[note, identifier] = suppress_until;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
if ( ! Cluster::is_enabled() )
|
if ( ! Cluster::is_enabled() )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -296,7 +296,7 @@ const notice_actions = {
|
||||||
ACTION_NOTICE_ONCE,
|
ACTION_NOTICE_ONCE,
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]);
|
Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ export {
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
||||||
# Workers need ability to forward commands to manager.
|
# Workers need ability to forward commands to manager.
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod);
|
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod);
|
||||||
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear);
|
Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear);
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,7 @@ export {
|
||||||
global log_openflow: event(rec: Info);
|
global log_openflow: event(rec: Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]);
|
Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -157,7 +157,7 @@ event filter_change_tracking()
|
||||||
schedule 5min { filter_change_tracking() };
|
schedule 5min { filter_change_tracking() };
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
|
Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
|
||||||
|
|
||||||
|
|
@ -175,7 +175,7 @@ event bro_init() &priority=5
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=-5
|
event zeek_init() &priority=-5
|
||||||
{
|
{
|
||||||
install();
|
install();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ event net_stats_update(last_stat: NetStats)
|
||||||
schedule stats_collection_interval { net_stats_update(ns) };
|
schedule stats_collection_interval { net_stats_update(ns) };
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
# Since this currently only calculates packet drops, let's skip the stats
|
# Since this currently only calculates packet drops, let's skip the stats
|
||||||
# collection if reading traces.
|
# collection if reading traces.
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ export {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]);
|
Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -140,7 +140,7 @@ global count_per_orig: table[addr, string] of count
|
||||||
global did_sig_log: set[string] &read_expire = 1 hr;
|
global did_sig_log: set[string] &read_expire = 1 hr;
|
||||||
|
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
|
Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -121,7 +121,7 @@ export {
|
||||||
global register: event(info: Info);
|
global register: event(info: Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]);
|
Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -61,7 +61,7 @@ global recent_global_view_keys: set[string, Key] &create_expire=1min;
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
||||||
|
|
||||||
event bro_init() &priority=100
|
event zeek_init() &priority=100
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result);
|
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result);
|
||||||
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response);
|
Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response);
|
||||||
|
|
@ -209,7 +209,7 @@ function request_key(ss_name: string, key: Key): Result
|
||||||
|
|
||||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||||
|
|
||||||
event bro_init() &priority=100
|
event zeek_init() &priority=100
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request);
|
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request);
|
||||||
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result);
|
Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result);
|
||||||
|
|
|
||||||
|
|
@ -270,7 +270,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio
|
||||||
calc_deps[calc] += depends_on;
|
calc_deps[calc] += depends_on;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=100000
|
event zeek_init() &priority=100000
|
||||||
{
|
{
|
||||||
# Call all of the plugin registration hooks
|
# Call all of the plugin registration hooks
|
||||||
hook register_observe_plugins();
|
hook register_observe_plugins();
|
||||||
|
|
|
||||||
|
|
@ -87,7 +87,7 @@ const teredo_ports = { 3544/udp };
|
||||||
const gtpv1_ports = { 2152/udp, 2123/udp };
|
const gtpv1_ports = { 2152/udp, 2123/udp };
|
||||||
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
|
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]);
|
Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -62,7 +62,7 @@ event ChecksumOffloading::check()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
schedule check_interval { ChecksumOffloading::check() };
|
schedule check_interval { ChecksumOffloading::check() };
|
||||||
}
|
}
|
||||||
|
|
@ -81,7 +81,7 @@ event conn_weird(name: string, c: connection, addl: string)
|
||||||
++bad_udp_checksums;
|
++bad_udp_checksums;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_done()
|
event zeek_done()
|
||||||
{
|
{
|
||||||
event ChecksumOffloading::check();
|
event ChecksumOffloading::check();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ event connection_state_remove(c: connection)
|
||||||
saw_tcp_conn_with_data = T;
|
saw_tcp_conn_with_data = T;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_done()
|
event zeek_done()
|
||||||
{
|
{
|
||||||
if ( ! enable )
|
if ( ! enable )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -155,7 +155,7 @@ redef record connection += {
|
||||||
conn: Info &optional;
|
conn: Info &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]);
|
Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ redef record connection += {
|
||||||
const ports = { 135/tcp };
|
const ports = { 135/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]);
|
Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
|
||||||
|
|
|
||||||
|
|
@ -117,14 +117,14 @@ redef record Info += {
|
||||||
const ports = { 67/udp, 68/udp, 4011/udp };
|
const ports = { 67/udp, 68/udp, 4011/udp };
|
||||||
redef likely_server_ports += { 67/udp };
|
redef likely_server_ports += { 67/udp };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
|
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
|
||||||
}
|
}
|
||||||
|
|
||||||
@if ( Cluster::is_enabled() )
|
@if ( Cluster::is_enabled() )
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs);
|
Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs);
|
||||||
}
|
}
|
||||||
|
|
@ -264,7 +264,7 @@ event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::
|
||||||
event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options);
|
event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_done() &priority=-5
|
event zeek_done() &priority=-5
|
||||||
{
|
{
|
||||||
# Log any remaining data that hasn't already been logged!
|
# Log any remaining data that hasn't already been logged!
|
||||||
for ( i in DHCP::join_data )
|
for ( i in DHCP::join_data )
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ redef record connection += {
|
||||||
const ports = { 20000/tcp , 20000/udp };
|
const ports = { 20000/tcp , 20000/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3"]);
|
Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
|
||||||
|
|
|
||||||
|
|
@ -154,7 +154,7 @@ redef record connection += {
|
||||||
const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
|
const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns"]);
|
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ function describe_file(f: fa_file): string
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
|
Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
|
||||||
[$get_file_handle = FTP::get_file_handle,
|
[$get_file_handle = FTP::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -50,7 +50,7 @@ redef record connection += {
|
||||||
const ports = { 21/tcp, 2811/tcp };
|
const ports = { 21/tcp, 2811/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp"]);
|
Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
|
||||||
|
|
|
||||||
|
|
@ -48,7 +48,7 @@ function describe_file(f: fa_file): string
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_HTTP,
|
Files::register_protocol(Analyzer::ANALYZER_HTTP,
|
||||||
[$get_file_handle = HTTP::get_file_handle,
|
[$get_file_handle = HTTP::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -139,7 +139,7 @@ const ports = {
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
# Initialize the HTTP logging stream and ports.
|
# Initialize the HTTP logging stream and ports.
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
|
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ module IMAP;
|
||||||
const ports = { 143/tcp };
|
const ports = { 143/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ function get_file_handle(c: connection, is_orig: bool): string
|
||||||
return cat(Analyzer::ANALYZER_IRC_DATA, c$start_time, c$id, is_orig);
|
return cat(Analyzer::ANALYZER_IRC_DATA, c$start_time, c$id, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
|
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
|
||||||
[$get_file_handle = IRC::get_file_handle]);
|
[$get_file_handle = IRC::get_file_handle]);
|
||||||
|
|
|
||||||
|
|
@ -41,7 +41,7 @@ redef record connection += {
|
||||||
const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
|
const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc"]);
|
Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
|
||||||
|
|
|
||||||
|
|
@ -61,7 +61,7 @@ function describe_file(f: fa_file): string
|
||||||
f$info$x509$certificate$issuer);
|
f$info$x509$certificate$issuer);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_KRB_TCP,
|
Files::register_protocol(Analyzer::ANALYZER_KRB_TCP,
|
||||||
[$get_file_handle = KRB::get_file_handle,
|
[$get_file_handle = KRB::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -73,7 +73,7 @@ const tcp_ports = { 88/tcp };
|
||||||
const udp_ports = { 88/udp };
|
const udp_ports = { 88/udp };
|
||||||
redef likely_server_ports += { tcp_ports, udp_ports };
|
redef likely_server_ports += { tcp_ports, udp_ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ redef record connection += {
|
||||||
const ports = { 502/tcp };
|
const ports = { 502/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus"]);
|
Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@ redef record connection += {
|
||||||
|
|
||||||
const ports = { 1434/tcp, 3306/tcp };
|
const ports = { 1434/tcp, 3306/tcp };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql"]);
|
Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
|
||||||
|
|
|
||||||
|
|
@ -42,7 +42,7 @@ redef record connection += {
|
||||||
ntlm: Info &optional;
|
ntlm: Info &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
|
Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@ redef record connection += {
|
||||||
const ports = { 1812/udp };
|
const ports = { 1812/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius"]);
|
Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
|
||||||
|
|
|
||||||
|
|
@ -86,7 +86,7 @@ redef record connection += {
|
||||||
const ports = { 3389/tcp };
|
const ports = { 3389/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp"]);
|
Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports);
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ redef record connection += {
|
||||||
rfb: Info &optional;
|
rfb: Info &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
|
Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -98,7 +98,7 @@ redef record connection += {
|
||||||
const ports = { 5060/udp };
|
const ports = { 5060/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]);
|
Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,7 @@ function describe_file(f: fa_file): string
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_SMB,
|
Files::register_protocol(Analyzer::ANALYZER_SMB,
|
||||||
[$get_file_handle = SMB::get_file_handle,
|
[$get_file_handle = SMB::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -177,7 +177,7 @@ redef record FileInfo += {
|
||||||
const ports = { 139/tcp, 445/tcp };
|
const ports = { 139/tcp, 445/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
|
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
|
||||||
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
|
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
|
||||||
|
|
|
||||||
|
|
@ -38,7 +38,7 @@ function describe_file(f: fa_file): string
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_SMTP,
|
Files::register_protocol(Analyzer::ANALYZER_SMTP,
|
||||||
[$get_file_handle = SMTP::get_file_handle,
|
[$get_file_handle = SMTP::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -92,7 +92,7 @@ redef record connection += {
|
||||||
const ports = { 25/tcp, 587/tcp };
|
const ports = { 25/tcp, 587/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp"]);
|
Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
|
||||||
|
|
|
||||||
|
|
@ -63,7 +63,7 @@ redef record connection += {
|
||||||
const ports = { 161/udp, 162/udp };
|
const ports = { 161/udp, 162/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
|
||||||
Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp"]);
|
Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp"]);
|
||||||
|
|
|
||||||
|
|
@ -47,7 +47,7 @@ export {
|
||||||
const ports = { 1080/tcp };
|
const ports = { 1080/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks"]);
|
Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
|
||||||
|
|
|
||||||
|
|
@ -136,7 +136,7 @@ redef record connection += {
|
||||||
const ports = { 22/tcp };
|
const ports = { 22/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
|
||||||
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
|
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
|
||||||
|
|
|
||||||
|
|
@ -79,7 +79,7 @@ function describe_file(f: fa_file): string
|
||||||
f$info$x509$certificate$issuer);
|
f$info$x509$certificate$issuer);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Files::register_protocol(Analyzer::ANALYZER_SSL,
|
Files::register_protocol(Analyzer::ANALYZER_SSL,
|
||||||
[$get_file_handle = SSL::get_file_handle,
|
[$get_file_handle = SSL::get_file_handle,
|
||||||
|
|
|
||||||
|
|
@ -137,7 +137,7 @@ const dtls_ports = { 443/udp };
|
||||||
|
|
||||||
redef likely_server_ports += { ssl_ports, dtls_ports };
|
redef likely_server_ports += { ssl_ports, dtls_ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl"]);
|
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ redef record connection += {
|
||||||
const ports = { 514/udp };
|
const ports = { 514/udp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
|
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ module XMPP;
|
||||||
const ports = { 5222/tcp, 5269/tcp };
|
const ports = { 5222/tcp, 5269/tcp };
|
||||||
redef likely_server_ports += { ports };
|
redef likely_server_ports += { ports };
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports);
|
Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -186,7 +186,7 @@ function run(cmd: Command): Result
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_done()
|
event zeek_done()
|
||||||
{
|
{
|
||||||
# We are punting here and just deleting any unprocessed files.
|
# We are punting here and just deleting any unprocessed files.
|
||||||
for ( uid in pending_files )
|
for ( uid in pending_files )
|
||||||
|
|
|
||||||
|
|
@ -148,7 +148,7 @@ function get_emails(a: addr): string
|
||||||
return fmt_email_string(find_all_emails(a));
|
return fmt_email_string(find_all_emails(a));
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=10
|
event zeek_init() &priority=10
|
||||||
{
|
{
|
||||||
# Double backslashes are needed due to string parsing.
|
# Double backslashes are needed due to string parsing.
|
||||||
local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$");
|
local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$");
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
@load ./example.zeek
|
@load ./example.zeek
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
terminate();
|
terminate();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -189,6 +189,6 @@ type PrivateRecord: record {
|
||||||
|
|
||||||
# Event handlers are also an implementation detail of a script, so they
|
# Event handlers are also an implementation detail of a script, so they
|
||||||
# don't show up anywhere in the generated documentation.
|
# don't show up anywhere in the generated documentation.
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,7 @@ export {
|
||||||
global log_ocsp: event(rec: Info);
|
global log_ocsp: event(rec: Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
|
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
|
||||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
module Control;
|
module Control;
|
||||||
|
|
||||||
event bro_init() &priority=-10
|
event zeek_init() &priority=-10
|
||||||
{
|
{
|
||||||
Broker::subscribe(Control::topic_prefix + "/" + Broker::node_id());
|
Broker::subscribe(Control::topic_prefix + "/" + Broker::node_id());
|
||||||
Broker::auto_publish(Control::topic_prefix + "/id_value_response",
|
Broker::auto_publish(Control::topic_prefix + "/id_value_response",
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@
|
||||||
module Control;
|
module Control;
|
||||||
|
|
||||||
# Do some sanity checking and rework the communication nodes.
|
# Do some sanity checking and rework the communication nodes.
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
# We know that some command was given because this script wouldn't be
|
# We know that some command was given because this script wouldn't be
|
||||||
# loaded if there wasn't so we can feel free to throw an error here and
|
# loaded if there wasn't so we can feel free to throw an error here and
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ function shunt_filters()
|
||||||
PacketFilter::exclude("shunt_filters", filter);
|
PacketFilter::exclude("shunt_filters", filter);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
register_filter_plugin([
|
register_filter_plugin([
|
||||||
$func()={ return shunt_filters(); }
|
$func()={ return shunt_filters(); }
|
||||||
|
|
|
||||||
|
|
@ -117,7 +117,7 @@ function update_vulnerable_sw()
|
||||||
event grab_vulnerable_versions(1);
|
event grab_vulnerable_versions(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=3
|
event zeek_init() &priority=3
|
||||||
{
|
{
|
||||||
update_vulnerable_sw();
|
update_vulnerable_sw();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ export {
|
||||||
global pid2cid: function(p: PacketID): conn_id;
|
global pid2cid: function(p: PacketID): conn_id;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]);
|
Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -74,7 +74,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
|
||||||
schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
|
schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]);
|
Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -53,7 +53,7 @@ export {
|
||||||
global log_traceroute: event(rec: Traceroute::Info);
|
global log_traceroute: event(rec: Traceroute::Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]);
|
Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ export {
|
||||||
|
|
||||||
@if ( Cluster::is_enabled() )
|
@if ( Cluster::is_enabled() )
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
if ( method != AUTO_BPF )
|
if ( method != AUTO_BPF )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ function get_indent(level: count): string
|
||||||
return out;
|
return out;
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]);
|
Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ redef profiling_interval = 15 secs;
|
||||||
## :bro:id:`profiling_interval`).
|
## :bro:id:`profiling_interval`).
|
||||||
redef expensive_profiling_multiple = 20;
|
redef expensive_profiling_multiple = 20;
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
set_buf(profiling_file, F);
|
set_buf(profiling_file, F);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -51,7 +51,7 @@ export {
|
||||||
global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
|
global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)];
|
local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)];
|
||||||
SumStats::create([$name="addr-scan",
|
SumStats::create([$name="addr-scan",
|
||||||
|
|
|
||||||
|
|
@ -82,7 +82,7 @@ export {
|
||||||
global log_stats: event(rec: Info);
|
global log_stats: event(rec: Info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
|
Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
|
||||||
}
|
}
|
||||||
|
|
@ -149,7 +149,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
|
||||||
schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
|
schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) };
|
schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) };
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ event TrimTraceFile::go(first_trim: bool)
|
||||||
schedule trim_interval { TrimTraceFile::go(F) };
|
schedule trim_interval { TrimTraceFile::go(F) };
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
if ( trim_interval > 0 secs )
|
if ( trim_interval > 0 secs )
|
||||||
schedule trim_interval { TrimTraceFile::go(T) };
|
schedule trim_interval { TrimTraceFile::go(T) };
|
||||||
|
|
|
||||||
|
|
@ -51,7 +51,7 @@ function weird_epoch_finished(ts: time)
|
||||||
this_epoch_weirds = table();
|
this_epoch_weirds = table();
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(WeirdStats::LOG,
|
Log::create_stream(WeirdStats::LOG,
|
||||||
[$columns = Info, $ev = log_weird_stats,
|
[$columns = Info, $ev = log_weird_stats,
|
||||||
|
|
|
||||||
|
|
@ -61,7 +61,7 @@ export {
|
||||||
global log_known_hosts: event(rec: HostsInfo);
|
global log_known_hosts: event(rec: HostsInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
if ( ! Known::use_host_store )
|
if ( ! Known::use_host_store )
|
||||||
return;
|
return;
|
||||||
|
|
@ -145,7 +145,7 @@ event Known::host_found(info: HostsInfo)
|
||||||
event known_host_add(info);
|
event known_host_add(info);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]);
|
Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -80,7 +80,7 @@ redef record connection += {
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
if ( ! Known::use_service_store )
|
if ( ! Known::use_service_store )
|
||||||
return;
|
return;
|
||||||
|
|
@ -216,7 +216,7 @@ event connection_state_remove(c: connection) &priority=-5
|
||||||
known_services_done(c);
|
known_services_done(c);
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
|
Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
|
||||||
$ev=log_known_services,
|
$ev=log_known_services,
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ export {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
event bro_init()
|
event zeek_init()
|
||||||
{
|
{
|
||||||
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
|
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
|
||||||
SumStats::create([$name="ftp-detect-bruteforcing",
|
SumStats::create([$name="ftp-detect-bruteforcing",
|
||||||
|
|
|
||||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue