Syslog script level support.

- Only does logging for now.
2025-10-05 16:18:19 +00:00 · 2011-06-09 13:14:43 -04:00 · 2011-06-09 13:14:43 -04:00 · ad41c575ef
commit ad41c575ef
parent 8c71e68c05
4 changed files with 104 additions and 8 deletions
--- a/policy/all.bro
+++ b/policy/all.bro
@ -1,17 +1,19 @@
+##! This script only aims at loading all of the base analysis scripts.

-# This script only aims at loading all of the base analysis scripts.
@load conn
@load dns
@load ftp
@load http
@load irc
@load smtp
-@load ssl 
+#@load ssl
@load ssh
+@load syslog

@load mime 
@load software
@load metrics
+#@load communication
@load weird 

@load tuning/defaults
--- a/policy/protocols/syslog/load.bro
+++ b/policy/protocols/syslog/load.bro
@ -0,0 +1 @@
+@load syslog/base
--- a/policy/protocols/syslog/base.bro
+++ b/policy/protocols/syslog/base.bro
@ -0,0 +1,52 @@
+##! Core script support for logging syslog messages.
+
+@load syslog/consts 
+
+module Syslog;
+
+export {
+	redef enum Log::ID += { SYSLOG };
+	
+	type Info: record {
+		ts:        time            &log;
+		uid:       string          &log;
+		id:        conn_id         &log;
+		proto:     transport_proto &log;
+		facility:  string          &log;
+		severity:  string          &log;
+		message:   string          &log;
+	};
+	
+	const ports = { 514/udp } &redef;
+}
+
+redef capture_filters += { ["syslog"] = "port 514" };
+redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
+
+redef record connection += {
+	syslog: Info &optional;
+};
+
+event bro_init()
+	{
+	Log::create_stream(SYSLOG, [$columns=Info]);
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
+	{
+	local info: Info;
+	info$ts=network_time();
+	info$uid=c$uid;
+	info$id=c$id;
+	info$proto=get_port_transport_proto(c$id$resp_p);
+	info$facility=facility_codes[facility];
+	info$severity=severity_codes[severity];
+	info$message=msg;
+	
+	c$syslog = info;
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
+	{
+	Log::write(SYSLOG, c$syslog);
+	}
--- a/policy/protocols/syslog/consts.bro
+++ b/policy/protocols/syslog/consts.bro
@ -0,0 +1,41 @@
+module Syslog;
+
+export {
+	const facility_codes: table[count] of string = {
+		[0]  = "KERN",
+		[1]  = "USER",
+		[2]  = "MAIL",
+		[3]  = "DAEMON",
+		[4]  = "AUTH",
+		[5]  = "SYSLOG",
+		[6]  = "LPR",
+		[7]  = "NEWS",
+		[8]  = "UUCP",
+		[9]  = "CRON",
+		[10] =  "AUTHPRIV",
+		[11] =  "FTP",
+		[12] =  "NTP",
+		[13] =  "AUDIT",
+		[14] =  "ALERT",
+		[15] =  "CLOCK",
+		[16] =  "LOCAL0",
+		[17] =  "LOCAL1",
+		[18] =  "LOCAL2",
+		[19] =  "LOCAL3",
+		[20] =  "LOCAL4",
+		[21] =  "LOCAL5",
+		[22] =  "LOCAL6",
+		[23] =  "LOCAL7",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+
+	const severity_codes: table[count] of string = {
+		[0] = "EMERG",
+		[1] = "ALERT",
+		[2] = "CRIT",
+		[3] = "ERR",
+		[4] = "WARNING",
+		[5] = "NOTICE",
+		[6] = "INFO",
+		[7] = "DEBUG",
+	} &default=function(c: count): string { return fmt("?-%d", c); };
+}