Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data

scripts/policy/protocols/dhcp/deprecated_events.bro

@@ -0,0 +1,272 @@
+##! Bro 2.6 removed certain DHCP events, but scripts in the Bro
+##! ecosystem are still relying on those events. As a transition, this
+##! script will handle the new event, and generate the old events,
+##! which are marked as deprecated.  Note: This script should be
+##! removed in the next Bro version after 2.6.
+
+@load base/protocols/dhcp
+
+## A DHCP message.
+##
+## .. note:: This type is included to support the deprecated events dhcp_ack,
+##           dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer,
+##           dhcp_release and dhcp_request and is thus similarly deprecated
+##           itself. Use :bro:see:`dhcp_message` instead.
+##
+## .. bro:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
+##              dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request
+type dhcp_msg: record {
+	op: count;      ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+	m_type: count;  ##< The type of DHCP message.
+	xid: count;     ##< Transaction ID of a DHCP session.
+	h_addr: string; ##< Hardware address of the client.
+	ciaddr: addr;   ##< Original IP address of the client.
+	yiaddr: addr;   ##< IP address assigned to the client.
+};
+
+## A list of router addresses offered by a DHCP server.
+##
+## .. note:: This type is included to support the deprecated events dhcp_ack
+##           and dhcp_offer and is thus similarly deprecated
+##           itself. Use :bro:see:`dhcp_message` instead.
+##
+## .. bro:see:: dhcp_message dhcp_ack dhcp_offer
+type dhcp_router_list: table[count] of addr;
+
+## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
+## available servers).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## req_addr: The specific address requested by the client.
+##
+## host_name: The value of the host name option, if specified by the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPOFFER* (server to client in response
+## to DHCPDISCOVER with offer of configuration parameters).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## mask: The subnet mask specified by the message.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## host_name: Optional host name value. May differ from the host name requested
+##            from the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
+##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
+## (a) requesting offered parameters from one server and implicitly declining offers
+## from all others, (b) confirming correctness of previously allocated address after,
+## e.g., system reboot, or (c) extending the lease on a particular network address.)
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## req_addr: The client address specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## host_name: The value of the host name option, if specified by the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
+##    	       dhcp_ack dhcp_nak dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
+## network address is already in use).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## host_name: Optional host name value.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
+## parameters, including committed network address).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## mask: The subnet mask specified by the message.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## host_name: Optional host name value. May differ from the host name requested
+##            from the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_decline dhcp_nak dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
+## notion of network address is incorrect (e.g., client has moved to new subnet) or
+## client's lease has expired).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## host_name: Optional host name value.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_decline dhcp_ack dhcp_release dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
+## network address and cancelling remaining lease).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## host_name: The value of the host name option, if specified by the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_decline dhcp_ack dhcp_nak dhcp_inform
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
+
+## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
+## local configuration parameters; client already has externally configured network
+## address).
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## host_name: The value of the host name option, if specified by the client.
+##
+## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+##              dhcp_decline dhcp_ack dhcp_nak dhcp_release
+##
+## .. note:: This event has been deprecated, and will be removed in the next version.
+##    Use dhcp_message instead.
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+global dhcp_inform: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
+
+event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
+	{
+	local old_msg: dhcp_msg = [$op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
+	                           $h_addr=msg$chaddr, $ciaddr=msg$ciaddr, $yiaddr=msg$yiaddr];
+
+	local routers = dhcp_router_list();
+
+	if ( options?$routers )
+		for ( i in options$routers )
+			routers[|routers|] = options$routers[i];
+
+	# These fields are technically optional, but aren't listed as such in the event.
+	# We give it some defaults in order to suppress errors.
+	local ar = ( options?$addr_request ) ? options$addr_request : 0.0.0.0;
+	local hn = ( options?$host_name ) ? options$host_name : "";
+	local le = ( options?$lease ) ? options$lease : 0 secs;
+	local sm = ( options?$subnet_mask ) ? options$subnet_mask : 255.255.255.255;
+	local sa = ( options?$serv_addr ) ? options$serv_addr : 0.0.0.0;
+
+	switch ( DHCP::message_types[msg$m_type] ) {
+	case "DISCOVER":
+		event dhcp_discover(c, old_msg, ar, hn);
+		break;
+	case "OFFER":
+		event dhcp_offer(c, old_msg, sm, routers, le, sa, hn);
+		break;
+	case "REQUEST":
+		event dhcp_request(c, old_msg, ar, sa, hn);
+		break;
+	case "DECLINE":
+		event dhcp_decline(c, old_msg, hn);
+		break;
+	case "ACK":
+		event dhcp_ack(c, old_msg, sm, routers, le, sa, hn);
+		break;
+	case "NAK":
+		event dhcp_nak(c, old_msg, hn);
+		break;
+	case "RELEASE":
+		event dhcp_release(c, old_msg, hn);
+		break;
+	case "INFORM":
+		event dhcp_inform(c, old_msg, hn);
+		break;
+	default:
+		# This isn't a weird, it's just a DHCP message type the old scripts don't handle
+		break;
+		}
+	}

scripts/policy/protocols/http/header-names.bro

@@ -18,10 +18,10 @@ export {
 	};
 	
 	## A boolean value to determine if client header names are to be logged.
-	const log_client_header_names = T &redef;
+	option log_client_header_names = T;
 	
 	## A boolean value to determine if server header names are to be logged.
-	const log_server_header_names = F &redef;
+	option log_server_header_names = F;
 }
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3

scripts/policy/protocols/smb/log-cmds.bro

@@ -11,9 +11,9 @@ export {
 	};
 
 	## The server response statuses which are *not* logged.
-	const ignored_command_statuses: set[string] = {
+	option ignored_command_statuses: set[string] = {
 		"MORE_PROCESSING_REQUIRED",
-	} &redef;
+	};
 }
 
 ## Internal use only.

scripts/policy/protocols/smtp/detect-suspicious-orig.bro

@@ -9,10 +9,10 @@ export {
 	};
 
 	## Places where it's suspicious for mail to originate from represented
-	## as all-capital, two character country codes (e.g., US).  It requires 
-	## libGeoIP support built in.
-	const suspicious_origination_countries: set[string] = {} &redef;
-	const suspicious_origination_networks: set[subnet] = {} &redef;
+	## as all-capital, two character country codes (e.g., US).  It requires
+	## Bro to be built with GeoIP support.
+	option suspicious_origination_countries: set[string] = {};
+	option suspicious_origination_networks: set[subnet] = {};
 
 }
 

scripts/policy/protocols/smtp/entities-excerpt.bro

@@ -14,7 +14,7 @@ export {
 	## This is the default value for how much of the entity body should be
 	## included for all MIME entities.  The lesser of this value and
 	## :bro:see:`default_file_bof_buffer_size` will be used.
-	const default_entity_excerpt_len = 0 &redef;
+	option default_entity_excerpt_len = 0;
 }
 
 event file_new(f: fa_file) &priority=5

scripts/policy/protocols/ssh/geo-data.bro

@@ -21,7 +21,7 @@ export {
 
 	## The set of countries for which you'd like to generate notices upon
 	## successful login.
-	const watched_countries: set[string] = {"RO"} &redef;
+	option watched_countries: set[string] = {"RO"};
 }
 
 function get_location(c: connection): geo_location

scripts/policy/protocols/ssl/expiring-certs.bro

@@ -27,11 +27,11 @@ export {
 	## notices will be suppressed by the notice framework for 1 day after 
 	## a particular certificate has had a notice generated.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
-	const notify_certs_expiration = LOCAL_HOSTS &redef;
+	option notify_certs_expiration = LOCAL_HOSTS;
 	
 	## The time before a certificate is going to expire that you would like
 	## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
-	const notify_when_cert_expiring_in = 30days &redef;
+	option notify_when_cert_expiring_in = 30days;
 }
 
 event ssl_established(c: connection) &priority=3

scripts/policy/protocols/ssl/weak-keys.bro

@@ -21,24 +21,24 @@ export {
 	## keys/ciphers/protocol_versions.  By default, these notices will be suppressed
 	## by the notice framework for 1 day after a particular host has had a notice
 	## generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
-	const notify_weak_keys = LOCAL_HOSTS &redef;
+	option notify_weak_keys = LOCAL_HOSTS;
 
 	## The minimal key length in bits that is considered to be safe. Any shorter
 	## (non-EC) key lengths will trigger a notice.
-	const notify_minimal_key_length = 2048 &redef;
+	option notify_minimal_key_length = 2048;
 
 	## Warn if the DH key length is smaller than the certificate key length. This is
 	## potentially unsafe because it gives a wrong impression of safety due to the
 	## certificate key length. However, it is very common and cannot be avoided in some
 	## settings (e.g. with old jave clients).
-	const notify_dh_length_shorter_cert_length = T &redef;
+	option notify_dh_length_shorter_cert_length = T;
 
 	## Warn if a server negotiates a SSL session with a protocol version smaller than
 	## the specified version. By default, the minimal version is TLSv10 because SSLv2
 	## and v3 have serious security issued.
 	## See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00
 	## To disable, set to SSLv20
-	const tls_minimum_version = TLSv10 &redef;
+	option tls_minimum_version = TLSv10;
 
 	## Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
 	## encountering old export cipher suites, or RC4 (see RFC7465).