remove (disfunctional) notifications from pacf

Johanna Amann 2015-05-27 07:37:25 -07:00
parent f2be226a5a
commit ad2361b7ac
8 changed files with 7 additions and 173 deletions


@ -57,10 +57,10 @@ export {
## Returns: The id of the inserted rule on succes and zero on failure. ## Returns: The id of the inserted rule on succes and zero on failure.
global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : count; global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : count;
## Removes all rules and notifications for an entity. ## Removes all rules for an entity.
## ##
## e: The entity. Note that this will be directly to entities of existing ## e: The entity. Note that this will be directly to entities of existing
## notifications and notifications, which must match exactly field by field. ## rules, which must match exactly field by field.
global reset: function(e: Entity); global reset: function(e: Entity);
## Flushes all state. ## Flushes all state.
@ -135,67 +135,6 @@ export {
## msg: An optional informational message by the plugin. ## msg: An optional informational message by the plugin.
global rule_error: event(r: Rule, p: PluginState, msg: string &default=""); global rule_error: event(r: Rule, p: PluginState, msg: string &default="");
## Installs a notification.
##
## n: The notification to install.
##
## Returns: If succesful, returns an ID string unique to the notification that can later
## be used to refer to it. If unsuccessful, returns an empty string. The ID is also
## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle
## the notification", it doesn't necessarily mean that it was indeed successfully put in
## place, because that might happen asynchronously and thus fail only later.
global add_notification: function(n: Notification) : string;
## Removes a notification.
##
## id: The notification to remove, specified as the ID returned by :bro:id:`add_notification` .
##
## Returns: True if succesful, the relevant plugin indicated that ity knew how
## to handle the removal. Note that again "success" means the plugin accepted the
## removal. They might still fail to put it into effect, as that might happen
## asynchronously and thus go wrong at that point.
global remove_notification: function(id: count) : bool;
###### Asynchronous feedback on notifications.
## Confirms that a notification was put in place.
##
## n: The notification now in place.
##
## plugin: The name of the plugin that put it into place.
##
## msg: An optional informational message by the plugin.
global notification_added: event(n: Notification, p: PluginState, msg: string &default="");
## Reports that a notification was removed due to a remove: function() call.
##
## n: The notification now removed.
##
## plugin: The name of the plugin that had the notification in place and now
## removed it.
##
## msg: An optional informational message by the plugin.
global notification_removed: event(n: Notification, p: PluginState, msg: string &default="");
## Reports that a notification was removed internally due to a timeout.
##
## n: The notification now removed.
##
## plugin: The name of the plugin that had the notification in place and now
## removed it.
##
## msg: An optional informational message by the plugin.
global notification_timeout: event(n: Notification, p: PluginState);
## Reports an error when operating on a notification.
##
## n: The notification that encountered an error.
##
## plugin: The name of the plugin that reported the error.
##
## msg: An optional informational message by the plugin.
global notification_error: event(n: Notification, p: PluginState, msg: string &default="");
## Type of an entry in the PACF log. ## Type of an entry in the PACF log.
type InfoCategory: enum { type InfoCategory: enum {
## A log entry reflecting a framework message. ## A log entry reflecting a framework message.
@ -203,9 +142,7 @@ export {
## A log entry reflecting a framework message. ## A log entry reflecting a framework message.
ERROR, ERROR,
## A log entry about about a rule. ## A log entry about about a rule.
RULE, RULE
## A log entry about about a notification.
NOTIFICATION
}; };
## State of an entry in the PACF log. ## State of an entry in the PACF log.
@ -472,29 +409,3 @@ event rule_error(r: Rule, p: PluginState, msg: string &default="")
{ {
log_rule_error(r, msg, p); log_rule_error(r, msg, p);
} }
function add_notification(n: Notification) : string
{
print "Pacf::add_notification not implemented yet";
}
function remove_notification(id: count) : bool
{
print "Pacf::remove_notification not implemented yet";
}
event notification_added(n: Notification, p: PluginState, msg: string &default="")
{
}
event notification_removed(n: Notification, p: PluginState, msg: string &default="")
{
}
event notification_timeout(n: Notification, p: PluginState)
{
}
event notification_error(n: Notification, p: PluginState, msg: string &default="")
{
}
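Review bot: The reworded `e:` description for `reset` in the first hunk still reads "this will be directly to entities of existing rules", which has lost its verb, and it states the exact-match requirement without its consequence. `reset` is declared with no return value, so a caller whose entity differs in any field from the one used at install time cannot tell that nothing was removed; for a call meant to lift drop or shunt rules that deserves a sentence. I would write `## e: The entity. It is compared directly to the entities of existing rules, which must match exactly field by field.` and add what happens when no rule matches, once that is confirmed against the implementation, which is not part of this section. The `export` block these declarations sit in opens above the hunk.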


@ -28,14 +28,13 @@ export {
# events ``rule_{added,remove,error}`` to signal if it indeed worked out; # events ``rule_{added,remove,error}`` to signal if it indeed worked out;
# this is separate from accepting the operation because often a plugin # this is separate from accepting the operation because often a plugin
# will only know later (i.e., asynchrously) if that was an error for # will only know later (i.e., asynchrously) if that was an error for
# something it thought it could handle. The same applies to notifications, # something it thought it could handle.
# with the corresponding ``notification_*`` events.
type Plugin: record { type Plugin: record {
# Returns a descriptive name of the plugin instance, suitable for use in logging # Returns a descriptive name of the plugin instance, suitable for use in logging
# messages. Note that this function is not optional. # messages. Note that this function is not optional.
name: function(state: PluginState) : string; name: function(state: PluginState) : string;
## If true, plugin can expire rules/notifications itself. If false, ## If true, plugin can expire rules itself. If false,
## framework will manage rule expiration. ## framework will manage rule expiration.
can_expire: bool; can_expire: bool;
@ -60,19 +59,6 @@ export {
# remove_rule(). # remove_rule().
remove_rule: function(state: PluginState, r: Rule) : bool &optional; remove_rule: function(state: PluginState, r: Rule) : bool &optional;
# Implements the add_notification() operation. If the plugin accepts the notification,
# it returns true, false otherwise. The notification will already have its
# ``id`` field set, which the plugin may use for identification
# purposes.
add_notification: function(state: PluginState, r: Notification) : bool &optional;
# Implements the remove_notification() operation. This will only be called for
# notifications that the plugins has previously accepted with add_notification().
# The ``id`` field will match that of the add_notification() call. Generally,
# a plugin that accepts an add_notification() should also accept the
# remove_notification().
remove_notification: function(state: PluginState, r: Notification) : bool &optional;
# A transaction groups a number of operations. The plugin can add them internally # A transaction groups a number of operations. The plugin can add them internally
# and postpone putting them into effect until committed. This allows to build a # and postpone putting them into effect until committed. This allows to build a
# configuration of multiple rules at once, including replaying a previous state. # configuration of multiple rules at once, including replaying a previous state.
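Review bot: The comment block above `Plugin` that the first hunk edits keeps two slips worth fixing while it is being touched: `rule_{added,remove,error}` and "asynchrously". The sibling events deleted elsewhere in this commit are named `notification_added`, `notification_removed` and `notification_error`, so presumably the rule events follow the same pattern and the list should read `rule_{added,removed,error}`; "asynchrously" should be "asynchronously". The `Plugin` record continues past the end of the hunk.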


@ -60,28 +60,6 @@ function debug_remove_rule(p: PluginState, r: Rule) : bool
return T; return T;
} }
function debug_add_notification(p: PluginState, r: Notification) : bool
{
local s = fmt("add_notification: %s", r);
debug_log(p, s);
if ( do_something(p) )
{
event Pacf::notification_added(r, p);
return T;
}
return F;
}
function debug_remove_notification(p: PluginState, r: Notification) : bool
{
local s = fmt("remove_notification: %s", r);
debug_log(p, s);
return do_something(p);
}
function debug_transaction_begin(p: PluginState) function debug_transaction_begin(p: PluginState)
{ {
debug_log(p, "transaction_begin"); debug_log(p, "transaction_begin");
@ -99,8 +77,6 @@ global debug_plugin = Plugin(
$done = debug_done, $done = debug_done,
$add_rule = debug_add_rule, $add_rule = debug_add_rule,
$remove_rule = debug_remove_rule, $remove_rule = debug_remove_rule,
$add_notification = debug_add_notification,
$remove_notification = debug_remove_notification,
$transaction_begin = debug_transaction_begin, $transaction_begin = debug_transaction_begin,
$transaction_end = debug_transaction_end $transaction_end = debug_transaction_end
); );


@ -390,8 +390,6 @@ global openflow_plugin = Plugin(
# $done = openflow_done, # $done = openflow_done,
$add_rule = openflow_add_rule, $add_rule = openflow_add_rule,
$remove_rule = openflow_remove_rule $remove_rule = openflow_remove_rule
# $add_notification = openflow_add_notification,
# $remove_notification = openflow_remove_notification,
# $transaction_begin = openflow_transaction_begin, # $transaction_begin = openflow_transaction_begin,
# $transaction_end = openflow_transaction_end # $transaction_end = openflow_transaction_end
); );


@ -102,10 +102,6 @@ global packetfilter_plugin = Plugin(
# $done = packetfilter_done, # $done = packetfilter_done,
$add_rule = packetfilter_add_rule, $add_rule = packetfilter_add_rule,
$remove_rule = packetfilter_remove_rule $remove_rule = packetfilter_remove_rule
# $add_notification = packetfilter_add_notification,
# $remove_notification = packetfilter_remove_notification,
# $transaction_begin = packetfilter_transaction_begin,
# $transaction_end = packetfilter_transaction_end
); );
function create_packetfilter() : PluginState function create_packetfilter() : PluginState


@ -115,37 +115,5 @@ export {
byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule
}; };
## Type of notifications that the framework supports. Each type lists the
## :bro:id:`Notification` argument(s) it uses, if any.
##
## Plugins may extend this type to define their own.
type NotificationType: enum {
## Notify if threshold of packets has been reached by entity.
##
## i: Number of packets.
NUM_PACKETS,
## Notify if threshold of bytes has been reached by entity.
##
## i: Number of bytes.
NUM_BYTES,
};
## A notification for the framework to raise when a condition has been reached.
## Different than with rules, all matching conditions will be reported, not only
## the first match.
type Notification: record {
ty: NotificationType; ##< Type of notification.
entity: Entity; ##< Entity to apply notification to.
expire: interval &optional; ##< Timeout after which to expire the notification.
src: string &optional; ##< Optional string describing where/what installed the notification.
i: int; ##< Argument for notification types requiring an integer argument.
d: double; ##< Argument for notification types requiring a double argument.
s: string; ##< Argument for notification types requiring a string argument.
id: count &default=0; ##< Internally determined unique ID for this notification. Will be set when added.
};
} }


@ -1,4 +1,4 @@
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=<uninitialized>] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=<uninitialized>] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1] pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1] pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]


@ -24,7 +24,6 @@ global of_controller: OpenFlow::Controller;
event bro_init() event bro_init()
{ {
of_controller = OpenFlow::log_new(42); of_controller = OpenFlow::log_new(42);
#OpenFlow::flow_mod(of_controller, [], [$cookie=1, $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]);
} }
event connection_established(c: connection) event connection_established(c: connection)