Syslog script level support.

- Only does logging for now.

policy/all.bro

@@ -1,17 +1,19 @@
+##! This script only aims at loading all of the base analysis scripts.
 
-# This script only aims at loading all of the base analysis scripts.
+@load conn
-@load conn 
+@load dns
-@load dns 
 @load ftp
-@load http 
+@load http
-@load irc 
+@load irc
-@load smtp 
+@load smtp
-@load ssl 
+#@load ssl
-@load ssh 
+@load ssh
+@load syslog
 
 @load mime 
 @load software
 @load metrics
+#@load communication
 @load weird 
 
 @load tuning/defaults

policy/protocols/syslog/__load__.bro

@@ -0,0 +1 @@
+@load syslog/base

policy/protocols/syslog/base.bro

@@ -0,0 +1,52 @@
+##! Core script support for logging syslog messages.
+
+@load syslog/consts 
+
+module Syslog;
+
+export {
+	redef enum Log::ID += { SYSLOG };
+	
+	type Info: record {
+		ts:        time            &log;
+		uid:       string          &log;
+		id:        conn_id         &log;
+		proto:     transport_proto &log;
+		facility:  string          &log;
+		severity:  string          &log;
+		message:   string          &log;
+	};
+	
+	const ports = { 514/udp } &redef;
+}
+
+redef capture_filters += { ["syslog"] = "port 514" };
+redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
+
+redef record connection += {
+	syslog: Info &optional;
+};
+
+event bro_init()
+	{
+	Log::create_stream(SYSLOG, [$columns=Info]);
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
+	{
+	local info: Info;
+	info$ts=network_time();
+	info$uid=c$uid;
+	info$id=c$id;
+	info$proto=get_port_transport_proto(c$id$resp_p);
+	info$facility=facility_codes[facility];
+	info$severity=severity_codes[severity];
+	info$message=msg;
+	
+	c$syslog = info;
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
+	{
+	Log::write(SYSLOG, c$syslog);
+	}

policy/protocols/syslog/consts.bro

@@ -0,0 +1,41 @@
+module Syslog;
+
+export {
+	const facility_codes: table[count] of string = {
+		[0]  = "KERN",
+		[1]  = "USER",
+		[2]  = "MAIL",
+		[3]  = "DAEMON",
+		[4]  = "AUTH",
+		[5]  = "SYSLOG",
+		[6]  = "LPR",
+		[7]  = "NEWS",
+		[8]  = "UUCP",
+		[9]  = "CRON",
+		[10] =  "AUTHPRIV",
+		[11] =  "FTP",
+		[12] =  "NTP",
+		[13] =  "AUDIT",
+		[14] =  "ALERT",
+		[15] =  "CLOCK",
+		[16] =  "LOCAL0",
+		[17] =  "LOCAL1",
+		[18] =  "LOCAL2",
+		[19] =  "LOCAL3",
+		[20] =  "LOCAL4",
+		[21] =  "LOCAL5",
+		[22] =  "LOCAL6",
+		[23] =  "LOCAL7",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+
+	const severity_codes: table[count] of string = {
+		[0] = "EMERG",
+		[1] = "ALERT",
+		[2] = "CRIT",
+		[3] = "ERR",
+		[4] = "WARNING",
+		[5] = "NOTICE",
+		[6] = "INFO",
+		[7] = "DEBUG",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+}