Merge remote-tracking branch 'origin/topic/christian/364-logfilter-hooks' into master

(Adding a NEWS entry.)

* origin/topic/christian/364-logfilter-hooks:
  Update testing/btest/scripts/base/frameworks/logging/hooks.zeek
  Btests for log filter policy hooks
  Btest baseline updates to reflect new logging policy hooks
  Migrate existing use of filter predicates to policy hooks
  Support for log filter policy hooks

NEWS

@@ -19,6 +19,21 @@ New Functionality
 - Add ``dce_rpc_request_stub`` and ``dce_rpc_response_stub`` events for
   accessing the contents of DCE-RPC request/response stub data.
 
+- Add support for log filter policy hooks, which supersede the current
+  log predicates. The hook signature is as follows:
+
+        hook(rec: any, id: Log::ID, filter: Log::Filter);
+
+  The logging manager invokes hooks on each log record. Hooks can veto
+  log records via a break, and modify them if necessary. Log filters
+  inherit the stream-level hook, but can override or remove the hook
+  as needed. The distribution's existing log streams now come with
+  pre-defined hooks that users can add handlers to. The existing
+  predicates are deprecated for removal in 4.1 but continue to work.
+
+  See https://docs.zeek.org/en/master/frameworks/logging.html#filter-log-records
+  for more details.
+
 Changed Functionality
 ---------------------
 

doc

@@ -1 +1 @@
-Subproject commit c0d0365297b91f9100a0343f47462b6b0ec20c21
+Subproject commit 18e085874efebe7e13f93ff890c309dd0c55f203

scripts/base/files/pe/main.zeek

@@ -5,6 +5,8 @@ module PE;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Current timestamp.
 		ts:                  time              &log;
@@ -58,7 +60,7 @@ const pe_mime_types = { "application/x-dosexec" };
 event zeek_init() &priority=5
 	{
 	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
-	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
+	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]);
 	}
 
 hook set_file(f: fa_file) &priority=5

scripts/base/files/x509/main.zeek

@@ -1,3 +1,4 @@
+
 @load base/frameworks/files
 @load base/files/hash
 
@@ -6,6 +7,8 @@ module X509;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## How often do you have to encounter a certificate before
 	## caching it. Set to 0 to disable caching of certificates.
 	option caching_required_encounters : count = 10;
@@ -91,7 +94,7 @@ redef record Files::Info += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
+	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]);
 
 	# We use MIME types internally to distinguish between user and CA certificates.
 	# The first certificate in a connection always gets tagged as user-cert, all

scripts/base/frameworks/broker/log.zeek

@@ -6,6 +6,9 @@ export {
 	## The Broker logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The type of a Broker activity being logged.
 	type Type: enum {
 		## An informational status update.
@@ -32,7 +35,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
+	Log::create_stream(Broker::LOG, [$columns=Info, $path="broker", $policy=log_policy]);
 	}
 
 function log_status(ev: string, endpoint: EndpointInfo, msg: string)

scripts/base/frameworks/cluster/main.zeek

@@ -115,6 +115,9 @@ export {
 	## The cluster logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the column fields of the cluster log.
 	type Info: record {
 		## The time at which a cluster message was generated.
@@ -374,7 +377,7 @@ event zeek_init() &priority=5
 		terminate();
 		}
 
-	Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster"]);
+	Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]);
 	}
 
 function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo

scripts/base/frameworks/config/main.zeek

@@ -10,6 +10,9 @@ export {
 	## The config logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## Represents the data in config.log.
 	type Info: record {
 		## Timestamp at which the configuration change occured.
@@ -152,7 +155,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an
 
 event zeek_init() &priority=10
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]);
+	Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config", $policy=log_policy]);
 
 	# Limit logging to the manager - everyone else just feeds off it.
 @if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )

scripts/base/frameworks/dpd/main.zeek

@@ -7,6 +7,9 @@ export {
 	## Add the DPD logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type defining the columns to log in the DPD logging stream.
 	type Info: record {
 		## Timestamp for when protocol analysis failed.
@@ -47,7 +50,7 @@ redef record connection += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]);
+	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
 	}
 
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10

scripts/base/frameworks/files/main.zeek

@@ -14,6 +14,9 @@ export {
 		LOG
 	};
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## A structure which parameterizes a type of file analysis.
 	type AnalyzerArgs: record {
 		## An event which will be generated for all new file contents,
@@ -318,7 +321,7 @@ global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: A
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]);
+	Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files", $policy=log_policy]);
 	}
 
 function set_info(f: fa_file)

scripts/base/frameworks/intel/main.zeek

@@ -10,6 +10,8 @@ module Intel;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## Enum type to represent various types of intelligence data.
 	type Type: enum {
 		## An IP address.
@@ -225,7 +227,7 @@ global min_data_store: MinDataStore &redef;
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]);
+	Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel", $policy=log_policy]);
 	}
 
 # Function that abstracts expiration of different types.

scripts/base/frameworks/logging/main.zeek

@@ -43,21 +43,6 @@ export {
 	## Individual writers can use a different value.
 	const unset_field = "-" &redef;
 
-	## Type defining the content of a logging stream.
-	type Stream: record {
-		## A record type defining the log's columns.
-		columns: any;
-
-		## Event that will be raised once for each log entry.
-		## The event receives a single same parameter, an instance of
-		## type ``columns``.
-		ev: any &optional;
-
-		## A path that will be inherited by any filters added to the
-		## stream which do not already specify their own path.
-		path: string &optional;
-	};
-
 	## Builds the default path values for log filters if not otherwise
 	## specified by a filter. The default implementation uses *id*
 	## to derive a name.  Upon adding a filter to a stream, if neither
@@ -232,7 +217,8 @@ export {
 		##      fields set to the values to be logged.
 		##
 		## Returns: True if the entry is to be recorded.
-		pred: function(rec: any): bool &optional;
+		pred: function(rec: any): bool &optional
+			&deprecated="Remove in 4.1. PolicyHooks will replace the $pred function.";
 
 		## Output path for recording entries matching this
 		## filter.
@@ -322,6 +308,60 @@ export {
 		config: table[string] of string &default=table();
 	};
 
+	## A hook type to implement filtering policy. Hook handlers can
+	## veto the logging of a record or alter it prior to logging.
+	## You can pass arbitrary state into the hook via the
+	## filter argument and its config member.
+	##
+	## rec: An instance of the stream's ``columns`` type with its
+	##      fields set to the values to be logged.
+	##
+	## id: The ID associated with the logging stream the filter
+	##     belongs to.
+	##
+	## filter: The :zeek:type:`Log::Filter` instance that controls
+	##         the fate of the given log record.
+	type PolicyHook: hook(rec: any, id: ID, filter: Filter);
+
+	# To allow Filters to have a policy hook that refers to
+	# Filters, the Filter type must exist. So redef now to add the
+	# hook to the record.
+	redef record Filter += {
+		## Policy hooks can adjust log entry values and veto
+		## the writing of a log entry for the record passed
+		## into it. Any hook that breaks from its body signals
+		## that Zeek won't log the entry passed into it.
+		##
+		## When no policy hook is defined, the filter inherits
+		## the hook from the stream it's associated with.
+		policy: PolicyHook &optional;
+	};
+
+	## Type defining the content of a logging stream.
+	type Stream: record {
+		## A record type defining the log's columns.
+		columns: any;
+
+		## Event that will be raised once for each log entry.
+		## The event receives a single same parameter, an instance of
+		## type ``columns``.
+		ev: any &optional;
+
+		## A path that will be inherited by any filters added to the
+		## stream which do not already specify their own path.
+		path: string &optional;
+
+		## Policy hooks can adjust log records and veto their
+		## writing. Any hook handler that breaks from its body
+		## signals that Zeek won't log the entry passed into
+		## it. You can pass arbitrary state into the hook via
+		## the filter instance and its config table.
+		##
+		## New Filters created for this stream will inherit
+		## this policy hook, unless they provide their own.
+		policy: PolicyHook &optional;
+	};
+
 	## Sentinel value for indicating that a filter was not found when looked up.
 	const no_filter: Filter = [$name="<not found>"];
 

scripts/base/frameworks/netcontrol/drop.zeek

@@ -7,6 +7,8 @@ module NetControl;
 export {
 	redef enum Log::ID += { DROP_LOG };
 
+	global log_policy_drop: Log::PolicyHook;
+
 	## Stops all packets involving an IP address from being forwarded.
 	##
 	## a: The address to be dropped.
@@ -57,7 +59,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
+	Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop]);
 	}
 
 function drop_connection(c: conn_id, t: interval, location: string &default="") : string

scripts/base/frameworks/netcontrol/main.zeek

@@ -19,6 +19,9 @@ export {
 	## The framework's logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	# ###
 	# ###  Generic functions and events.
 	# ###
@@ -366,7 +369,7 @@ global rule_entities: table[Entity, RuleType] of Rule;
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]);
+	Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy]);
 	}
 
 function entity_to_info(info: Info, e: Entity)

scripts/base/frameworks/netcontrol/shunt.zeek

@@ -7,6 +7,8 @@ module NetControl;
 export {
 	redef enum Log::ID += { SHUNT };
 
+	global log_policy_shunt: Log::PolicyHook;
+
 	## Stops forwarding a uni-directional flow's packets to Zeek.
 	##
 	## f: The flow to shunt.
@@ -38,7 +40,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
+	Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt]);
 	}
 
 function shunt_flow(f: flow_id, t: interval, location: string &default="") : string

scripts/base/frameworks/notice/main.zeek

@@ -16,6 +16,10 @@ export {
 		ALARM_LOG,
 	};
 
+	## Default logging policy hooks for the streams.
+	global log_policy: Log::PolicyHook;
+	global log_policy_alarm: Log::PolicyHook;
+
 	## Scripts creating new notices need to redef this enum to add their
 	## own specific notice types which would then get used when they call
 	## the :zeek:id:`NOTICE` function.  The convention is to give a general
@@ -388,9 +392,9 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
+	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice", $policy=log_policy]);
 
-	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm"]);
+	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm]);
 	# If Zeek is configured for mailing notices, set up mailing for alarms.
 	# Make sure that this alarm log is also output as text so that it can
 	# be packaged up and emailed later.

scripts/base/frameworks/notice/weird.zeek

@@ -17,6 +17,9 @@ export {
 	## The weird logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	redef enum Notice::Type += {
 		## Generic unusual but notice-worthy weird activity.
 		Activity,
@@ -298,7 +301,7 @@ const notice_actions = {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]);
+	Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird", $policy=log_policy]);
 	}
 
 function flow_id_string(src: addr, dst: addr): string

scripts/base/frameworks/openflow/plugins/log.zeek

@@ -13,6 +13,8 @@ export {
 
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## Log controller constructor.
 	##
 	## dpid: OpenFlow switch datapath id.
@@ -48,7 +50,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]);
+	Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy]);
 	}
 
 function log_flow_mod(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool

scripts/base/frameworks/packet-filter/main.zeek

@@ -14,6 +14,9 @@ export {
 	## Add the packet filter logging stream.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## Add notice types related to packet filter errors.
 	redef enum Notice::Type += {
 		## This notice is generated if a packet filter cannot be compiled.
@@ -159,7 +162,7 @@ event filter_change_tracking()
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
+	Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter", $policy=log_policy]);
 
 	# Preverify the capture and restrict filters to give more granular failure messages.
 	for ( id, cf in capture_filters )

scripts/base/frameworks/reporter/main.zeek

@@ -17,6 +17,9 @@ export {
 	## The reporter logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the column fields of the reporter log.
 	type Info: record {
 		## The network time at which the reporter event was generated.
@@ -37,7 +40,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]);
+	Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter", $policy=log_policy]);
 	}
 
 event reporter_info(t: time, msg: string, location: string) &priority=-5

scripts/base/frameworks/signatures/main.zeek

@@ -35,6 +35,9 @@ export {
 	## The signature logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## These are the default actions you can apply to signature matches.
 	## All of them write the signature record to the logging stream unless
 	## declared otherwise.
@@ -142,7 +145,7 @@ global did_sig_log: set[string] &read_expire = 1 hr;
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
+	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
 	}
 		
 # Returns true if the given signature has already been triggered for the given

scripts/base/frameworks/software/main.zeek

@@ -14,6 +14,9 @@ export {
 	## The software logging stream identifier.
 	redef enum Log::ID += { LOG };
 	
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## Scripts detecting new types of software need to redef this enum to add
 	## their own specific software types which would then be used when they 
 	## create :zeek:type:`Software::Info` records.
@@ -123,7 +126,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]);
+	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
 	}
 	
 type Description: record {

scripts/base/frameworks/tunnels/main.zeek

@@ -13,6 +13,9 @@ export {
 	## The tunnel logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## Types of interesting activity that can occur with a tunnel.
 	type Action: enum {
 		## A new tunnel (encapsulating "connection") has been seen.
@@ -94,7 +97,7 @@ redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_por
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]);
+	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);

scripts/base/protocols/conn/main.zeek

@@ -13,6 +13,9 @@ export {
 	## The connection logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains column fields of the connection log.
 	type Info: record {
 		## This is the time of the first packet.
@@ -158,7 +161,7 @@ redef record connection += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]);
+	Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn", $policy=log_policy]);
 	}
 
 function conn_state(c: connection, trans: transport_proto): string

scripts/base/protocols/dce-rpc/main.zeek

@@ -7,6 +7,8 @@ module DCE_RPC;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts         : time     &log;
@@ -65,7 +67,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]);
+	Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
 	}
 

scripts/base/protocols/dhcp/main.zeek

@@ -12,6 +12,8 @@ module DHCP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the column fields of the DHCP log.
 	type Info: record {
 		## The earliest time at which a DHCP message over the
@@ -122,7 +124,7 @@ redef likely_server_ports += { 67/udp };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
+	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
 	}
 

scripts/base/protocols/dnp3/main.zeek

@@ -8,6 +8,8 @@ module DNP3;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Time of the request.
 		ts:         time           &log;
@@ -40,7 +42,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3"]);
+	Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
 	}
 

scripts/base/protocols/dns/main.zeek

@@ -11,6 +11,9 @@ export {
 	## The DNS logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the column fields of the DNS log.
 	type Info: record {
 		## The earliest time at which a DNS protocol message over the
@@ -160,7 +163,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns"]);
+	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
 	}
 

scripts/base/protocols/ftp/main.zeek

@@ -18,6 +18,9 @@ export {
 	## The FTP protocol logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## List of commands that should have their command/response pairs logged.
 	option logged_commands = {
 		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT",
@@ -61,7 +64,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp"]);
+	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
 

scripts/base/protocols/http/main.zeek

@@ -12,6 +12,8 @@ module HTTP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## Indicate a type of attack or compromise in the record to be logged.
 	type Tags: enum {
 		## Placeholder.
@@ -145,7 +147,7 @@ redef likely_server_ports += { ports };
 # Initialize the HTTP logging stream and ports.
 event zeek_init() &priority=5
 	{
-	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
+	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
 	}
 

scripts/base/protocols/irc/main.zeek

@@ -8,6 +8,8 @@ export {
 	
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp when the command was seen.
 		ts:       time        &log;
@@ -43,7 +45,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc"]);
+	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
 	

scripts/base/protocols/krb/main.zeek

@@ -9,6 +9,8 @@ module KRB;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts:            time     &log;
@@ -81,7 +83,7 @@ event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
-	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]);
+	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy]);
 	}
 
 function set_session(c: connection): bool

scripts/base/protocols/modbus/main.zeek

@@ -7,6 +7,8 @@ module Modbus;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Time of the request.
 		ts:        time           &log;
@@ -34,7 +36,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus"]);
+	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 	}
 

scripts/base/protocols/mysql/main.zeek

@@ -8,6 +8,8 @@ module MySQL;
 export {
 	redef enum Log::ID += { mysql::LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts:     time    &log;
@@ -43,7 +45,7 @@ const ports = { 1434/tcp, 3306/tcp };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql"]);
+	Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
 	}
 

scripts/base/protocols/ntlm/main.zeek

@@ -6,6 +6,8 @@ module NTLM;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts         : time     &log;
@@ -48,7 +50,7 @@ redef record connection += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
+	Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm", $policy=log_policy]);
 	}
 
 function set_session(c: connection)

scripts/base/protocols/ntp/main.zeek

@@ -3,6 +3,8 @@ module NTP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts:         time	&log;
@@ -59,7 +61,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp, $path="ntp"]);
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy]);
 	}
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5

scripts/base/protocols/radius/main.zeek

@@ -9,6 +9,8 @@ module RADIUS;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts           : time     &log;
@@ -63,7 +65,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius"]);
+	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
 	}
 

scripts/base/protocols/rdp/main.zeek

@@ -8,6 +8,8 @@ module RDP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts:                    time    &log;
@@ -95,7 +97,7 @@ redef likely_server_ports += { rdp_ports, rdpeudp_ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp"]);
+	Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, rdp_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RDPEUDP, rdpeudp_ports);
 	}

scripts/base/protocols/rfb/main.zeek

@@ -5,6 +5,8 @@ module RFB;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the RFB log.
 	type Info: record {
 		## Timestamp for when the event happened.
@@ -83,7 +85,7 @@ redef record connection += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy]);
 	}
 
 function write_log(c:connection)

scripts/base/protocols/sip/main.zeek

@@ -11,6 +11,8 @@ module SIP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the SIP log.
 	type Info: record {
 		## Timestamp for when the request happened.
@@ -104,7 +106,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]);
+	Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
 	}
 

scripts/base/protocols/smb/main.zeek

@@ -10,6 +10,9 @@ export {
 		MAPPING_LOG,
 		FILES_LOG
 	};
+
+	global log_policy_files: Log::PolicyHook;
+	global log_policy_mapping: Log::PolicyHook;
 	
 	## Abstracted actions for SMB file actions.
 	type Action: enum {
@@ -179,8 +182,8 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
-	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
+	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files]);
+	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping]);
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
 	}

scripts/base/protocols/smtp/main.zeek

@@ -8,6 +8,8 @@ module SMTP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Time when the message was first seen.
 		ts:                time            &log;
@@ -98,7 +100,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp"]);
+	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
 

scripts/base/protocols/snmp/main.zeek

@@ -7,6 +7,8 @@ module SNMP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## Information tracked per SNMP session.
 	type Info: record {
 		## Timestamp of first packet belonging to the SNMP session.
@@ -71,7 +73,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
-	Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp"]);
+	Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy]);
 	}
 
 function init_state(c: connection, h: SNMP::Header): Info

scripts/base/protocols/socks/main.zeek

@@ -7,6 +7,8 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## Whether passwords are captured or not.
 	option default_capture_password = F;
 
@@ -53,7 +55,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks"]);
+	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}
 

scripts/base/protocols/ssh/main.zeek

@@ -9,6 +9,9 @@ export {
 	## The SSH protocol logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the SSH log.
 	type Info: record {
 		## Time when the SSH connection began.
@@ -143,7 +146,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
-	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
+	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy]);
 	}
 
 function set_session(c: connection)

scripts/base/protocols/ssl/main.zeek

@@ -10,6 +10,8 @@ module SSL;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the SSL log.
 	type Info: record {
 		## Time when the SSL connection was first detected.
@@ -147,7 +149,7 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl"]);
+	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 	}

scripts/base/protocols/syslog/main.zeek

@@ -8,6 +8,8 @@ module Syslog;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the syslog log.
 	type Info: record {
 		## Timestamp when the syslog message was seen.
@@ -36,7 +38,7 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
+	Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
 	}
 

scripts/policy/files/unified2/main.zeek

@@ -7,6 +7,8 @@ module Unified2;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## File to watch for Unified2 files.
 	const watch_file = "" &redef;
 
@@ -195,7 +197,7 @@ event Input::end_of_data(name: string, source: string)
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2"]);
+	Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2", $policy=log_policy]);
 
 	if ( sid_msg == "" )
 		{

scripts/policy/files/x509/log-ocsp.zeek

@@ -8,6 +8,8 @@ module OCSP;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## The record type which contains the fields of the OCSP log.
 	type Info: record {
 		## Time when the OCSP reply was encountered.
@@ -41,7 +43,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
 

scripts/policy/frameworks/netcontrol/catch-and-release.zeek

@@ -9,6 +9,8 @@ export {
 
 	redef enum Log::ID += { CATCH_RELEASE };
 
+	global log_policy_catch_release: Log::PolicyHook;
+
 	## This record is used for storing information about current blocks that are
 	## part of catch and release.
 	type BlockInfo: record {
@@ -164,7 +166,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
+	Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
 	}
 
 function get_watch_interval(current_interval: count): interval

scripts/policy/integration/barnyard2/main.zeek

@@ -9,6 +9,8 @@ module Barnyard2;
 export {
 	redef enum Log::ID += { LOG };
 	
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Timestamp of the alert.
 		ts:                 time      &log;
@@ -26,7 +28,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]);
+	Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2", $policy=log_policy]);
 	}
 
 

scripts/policy/misc/capture-loss.zeek

@@ -14,6 +14,8 @@ module CaptureLoss;
 export {
 	redef enum Log::ID += { LOG };
 	
+	global log_policy: Log::PolicyHook;
+
 	redef enum Notice::Type += {
 		## Report if the detected capture loss exceeds the percentage
 		## threshold.
@@ -76,7 +78,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]);
+	Log::create_stream(LOG, [$columns=Info, $path="capture_loss", $policy=log_policy]);
 
 	# We only schedule the event if we are capturing packets.
 	if ( reading_live_traffic() || reading_traces() )

scripts/policy/misc/detect-traceroute/main.zeek

@@ -14,6 +14,8 @@ module Traceroute;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	redef enum Notice::Type += {
 		## Indicates that a host was seen running traceroutes.  For more
 		## detail about specific traceroutes that we run, refer to the
@@ -55,7 +57,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]);
+	Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute", $policy=log_policy]);
 
 	local r1: SumStats::Reducer = [$stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE)];
 	local r2: SumStats::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM)];

scripts/policy/misc/loaded-scripts.zeek

@@ -6,6 +6,8 @@ module LoadedScripts;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	type Info: record {
 		## Name of the script loaded potentially with spaces included
 		## before the file name to indicate load depth.  The convention
@@ -29,7 +31,7 @@ function get_indent(level: count): string
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]);
+	Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts", $policy=log_policy]);
 	}
 
 event zeek_script_loaded(path: string, level: count)

scripts/policy/misc/stats.zeek

@@ -7,6 +7,8 @@ module Stats;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## How often stats are reported.
 	option report_interval = 5min;
 
@@ -84,7 +86,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
+	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats", $policy=log_policy]);
 	}
 
 event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats, last_ts: TimerStats, last_fs: FileAnalysisStats, last_ds: DNSStats)

scripts/policy/misc/weird-stats.zeek

@@ -8,6 +8,8 @@ module WeirdStats;
 export {
 	redef enum Log::ID += { LOG };
 
+	global log_policy: Log::PolicyHook;
+
 	## How often stats are reported.
 	const weird_stat_interval = 15min &redef;
 
@@ -55,7 +57,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(WeirdStats::LOG,
 	                   [$columns = Info, $ev = log_weird_stats,
-	                    $path="weird_stats"]);
+	                    $path="weird_stats", $policy=log_policy]);
 	local r1 = SumStats::Reducer($stream = "weirds.encountered",
 	                             $apply = set(SumStats::SUM));
 	SumStats::create([$name = "weirds.statistics",

scripts/policy/protocols/conn/known-hosts.zeek

@@ -12,6 +12,9 @@ export {
 	## The known-hosts logging stream identifier.
 	redef enum Log::ID += { HOSTS_LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy_hosts: Log::PolicyHook;
+
 	## The record type which contains the column fields of the known-hosts log.
 	type HostsInfo: record {
 		## The timestamp at which the host was detected.
@@ -147,7 +150,7 @@ event Known::host_found(info: HostsInfo)
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]);
+	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts]);
 	}
 
 event connection_established(c: connection) &priority=5

scripts/policy/protocols/conn/known-services.zeek

@@ -15,6 +15,9 @@ export {
 	## The known-services logging stream identifier.
 	redef enum Log::ID += { SERVICES_LOG };
 
+	## A default logging policy hook for the stream.
+	global log_policy_services: Log::PolicyHook;
+
 	## The record type which contains the column fields of the known-services
 	## log.
 	type ServicesInfo: record {
@@ -308,6 +311,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
 	                                         $ev=log_known_services,
-	                                         $path="known_services"]);
+	                                         $path="known_services",
+						 $policy=log_policy_services]);
 	}
 

scripts/policy/protocols/modbus/known-masters-slaves.zeek

@@ -11,6 +11,8 @@ module Known;
 export {
 	redef enum Log::ID += { MODBUS_LOG };
 
+	global log_policy_modbus: Log::PolicyHook;
+
 	type ModbusDeviceType: enum {
 		MODBUS_MASTER,
 		MODBUS_SLAVE,
@@ -35,7 +37,7 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus"]);
+	Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus]);
 	}
 
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)

scripts/policy/protocols/modbus/track-memmap.zeek

@@ -11,6 +11,8 @@ module Modbus;
 export {
 	redef enum Log::ID += { Modbus::REGISTER_CHANGE_LOG };
 
+	global log_policy_register_change: Log::PolicyHook;
+
 	## The hosts that should have memory mapping enabled.
 	option track_memmap: Host = ALL_HOSTS;
 
@@ -54,7 +56,7 @@ redef record Modbus::Info += {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change"]);
+	Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change]);
 	}
 
 event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

scripts/policy/protocols/mqtt/main.zeek

@@ -12,6 +12,10 @@ export {
 		PUBLISH_LOG,
 	};
 
+	global log_policy_connect: Log::PolicyHook;
+	global log_policy_subscribe: Log::PolicyHook;
+	global log_policy_publish: Log::PolicyHook;
+
 	type MQTT::SubUnsub: enum {
 		MQTT::SUBSCRIBE,
 		MQTT::UNSUBSCRIBE,
@@ -146,9 +150,9 @@ redef likely_server_ports += { ports };
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(MQTT::CONNECT_LOG, [$columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect"]);
-	Log::create_stream(MQTT::SUBSCRIBE_LOG, [$columns=SubscribeInfo, $path="mqtt_subscribe"]);
-	Log::create_stream(MQTT::PUBLISH_LOG, [$columns=PublishInfo, $path="mqtt_publish"]);
+	Log::create_stream(MQTT::CONNECT_LOG, [$columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect]);
+	Log::create_stream(MQTT::SUBSCRIBE_LOG, [$columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe]);
+	Log::create_stream(MQTT::PUBLISH_LOG, [$columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish]);
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MQTT, ports);
 	}

scripts/policy/protocols/smb/log-cmds.zeek

@@ -10,6 +10,8 @@ export {
 		CMD_LOG,
 	};
 
+	global log_policy: Log::PolicyHook;
+
 	## The server response statuses which are *not* logged.
 	option ignored_command_statuses: set[string] = {
 		"MORE_PROCESSING_REQUIRED",
@@ -27,7 +29,7 @@ const deferred_logging_cmds: set[string] = {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
+	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy]);
 	}
 
 event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5

scripts/policy/protocols/ssl/known-certs.zeek

@@ -10,6 +10,8 @@ module Known;
 
 export {
 	redef enum Log::ID += { CERTS_LOG };
+
+	global log_policy_certs: Log::PolicyHook;
 	
 	type CertsInfo: record {
 		## The timestamp when the certificate was detected.
@@ -195,5 +197,5 @@ event ssl_established(c: connection) &priority=3
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]);
+	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs]);
 	}

scripts/policy/protocols/ssl/log-hostcerts-only.zeek

@@ -26,17 +26,10 @@ redef record fa_file += {
 	logcert: bool &default=T;
 };
 
-function host_certs_only(rec: X509::Info): bool
+hook X509::log_policy(rec: X509::Info, id: Log::ID, filter: Log::Filter)
 	{
-	return rec$logcert;
-	}
-
-event zeek_init() &priority=2
-	{
-	local f = Log::get_filter(X509::LOG, "default");
-	Log::remove_filter(X509::LOG, "default"); # disable default logging
-	f$pred=host_certs_only; # and add our predicate
-	Log::add_filter(X509::LOG, f);
+	if ( ! rec$logcert )
+		break;
 	}
 
 event file_sniff(f: fa_file, meta: fa_metadata) &priority=4

src/logging/Manager.cc

@@ -35,6 +35,7 @@ struct Manager::Filter {
 	Val* fval;
 	string name;
 	EnumVal* id;
+	Func* policy;
 	Func* pred;
 	Func* path_func;
 	string path;
@@ -81,6 +82,7 @@ struct Manager::Stream {
 	string name;
 	RecordType* columns;
 	EventHandlerPtr event;
+	Func* policy;
 	list<Filter*> filters;
 
 	typedef pair<int, string> WriterPathPair;
@@ -272,6 +274,9 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
 	const auto& event_val = sval->GetField("ev");
 	Func* event = event_val ? event_val->AsFunc() : nullptr;
 
+	const auto& policy_val = sval->GetField("policy");
+	Func* policy = policy_val ? policy_val->AsFunc() : nullptr;
+
 	if ( event )
 		{
 		// Make sure the event is prototyped as expected.
@@ -316,6 +321,7 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
 	streams[idx]->enabled = true;
 	streams[idx]->name = id->GetType()->AsEnumType()->Lookup(idx);
 	streams[idx]->event = event ? event_registry->Lookup(event->Name()) : nullptr;
+	streams[idx]->policy = policy;
 	streams[idx]->columns = columns->Ref()->AsRecordType();
 
 	streams[idx]->enable_remote = id::find_val("Log::enable_remote_logging")->AsBool();
@@ -550,6 +556,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
 	// Create a new Filter instance.
 
 	auto name = fval->GetFieldOrDefault("name");
+	auto policy = fval->GetFieldOrDefault("policy");
 	auto pred = fval->GetFieldOrDefault("pred");
 	auto path_func = fval->GetFieldOrDefault("path_func");
 	auto log_local = fval->GetFieldOrDefault("log_local");
@@ -566,6 +573,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
 	filter->fval = fval->Ref();
 	filter->name = name->AsString()->CheckString();
 	filter->id = id->Ref()->AsEnumVal();
+	filter->policy = policy ? policy->AsFunc() : stream->policy;
 	filter->pred = pred ? pred->AsFunc() : nullptr;
 	filter->path_func = path_func ? path_func->AsFunc() : nullptr;
 	filter->writer = writer->Ref()->AsEnumVal();
@@ -648,6 +656,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
 	DBG_LOG(DBG_LOGGING, "   writer    : %s", desc.Description());
 	DBG_LOG(DBG_LOGGING, "   path      : %s", filter->path.c_str());
 	DBG_LOG(DBG_LOGGING, "   path_func : %s", (filter->path_func ? "set" : "not set"));
+	DBG_LOG(DBG_LOGGING, "   policy    : %s", (filter->policy ? "set" : "not set"));
 	DBG_LOG(DBG_LOGGING, "   pred      : %s", (filter->pred ? "set" : "not set"));
 
 	for ( int i = 0; i < filter->num_fields; i++ )
@@ -721,17 +730,29 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 		Filter* filter = *i;
 		string path = filter->path;
 
+		// Policy hooks may veto the logging or alter the log
+		// record if really necessary. Potential optimization:
+		// don't invoke the hook at all when it has no
+		// handlers/bodies. Doing this skips sampling and
+		// plugin hooks, though, so for now we do invoke.
+		if ( filter->policy )
+			{
+			auto v = filter->policy->Invoke(columns,
+							IntrusivePtr{NewRef{}, id},
+							IntrusivePtr{NewRef{}, filter->fval});
+			if ( v  && ! v->AsBool() )
+				continue;
+			}
+
+		// $pred is deprecated and will get removed in 4.1.
+		// This block can go when that time comes.
 		if ( filter->pred )
 			{
-			// See whether the predicates indicates that we want
+			// See whether the predicate indicates that we want
 			// to log this record.
-			int result = 1;
 			auto v = filter->pred->Invoke(columns);
 
-			if ( v )
-				result = v->AsBool();
-
-			if ( ! result )
+			if ( v && ! v->AsBool() )
 				continue;
 			}
 

testing/btest/Baseline/core.pcap.filter-error/output

@@ -1,3 +1,3 @@
-fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.zeek, line 282: Bad pcap filter 'kaputt'
+fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.zeek, line 285: Bad pcap filter 'kaputt'
 ----
 error, cannot compile BPF filter "kaputt, too"

testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	reporter
-#open	2019-03-24-20-20-10
+#open	2020-09-24-00-19-13
 #fields	ts	level	message	location
 #types	time	enum	string	string
-0.000000	Reporter::INFO	Tried to remove non-existing item '192.168.1.1' (Intel::ADDR).	/home/jgras/devel/zeek/scripts/base/frameworks/intel/./main.zeek, lines 563-564
-0.000000	Reporter::INFO	received termination signal	(empty)
-#close	2019-03-24-20-20-10
+1600906753.185591	Reporter::INFO	Tried to remove non-existing item '192.168.1.1' (Intel::ADDR).	/home/christian/devel/zeek/zeek/scripts/base/frameworks/intel/./main.zeek, lines 565-566
+1600906753.185591	Reporter::INFO	received termination signal	(empty)
+#close	2020-09-24-00-19-13

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-2/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-04-38
+#fields	t	status
+#types	time	string
+1600927478.316159	bar
+#close	2020-09-24-06-04-38

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-3/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-04-38
+#fields	t	status
+#types	time	string
+1600927478.528919	bar
+#close	2020-09-24-06-04-38

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-4/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-04-38
+#fields	t	status
+#types	time	string
+1600927478.733541	bar
+#close	2020-09-24-06-04-38

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-5/other.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	other
+#open	2020-09-24-06-42-48
+#fields	t	status
+#types	time	string
+1600929768.810574	baz
+#close	2020-09-24-06-42-48

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-5/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-42-48
+#fields	t	status
+#types	time	string
+1600929768.810574	bar
+#close	2020-09-24-06-42-48

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-6/other.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	other
+#open	2020-09-24-06-45-34
+#fields	t	status
+#types	time	string
+1600929934.868883	foo
+1600929934.868883	bar
+#close	2020-09-24-06-45-34

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-6/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-45-34
+#fields	t	status
+#types	time	string
+1600929934.868883	bar
+#close	2020-09-24-06-45-34

testing/btest/Baseline/scripts.base.frameworks.logging.hooks-7/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-19-34-37
+#fields	t	status
+#types	time	string
+1600976077.343410	bar
+#close	2020-09-24-19-34-37

testing/btest/Baseline/scripts.base.frameworks.logging.hooks/test.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2020-09-24-06-04-38
+#fields	t	status
+#types	time	string
+1600927478.107907	foo
+#close	2020-09-24-06-04-38

testing/btest/scripts/base/frameworks/logging/hooks.zeek

@@ -0,0 +1,169 @@
+# Tests for policy hooks on log filters.
+#
+# @TEST-EXEC: zeek -b test.zeek %INPUT
+# @TEST-EXEC: btest-diff test.log
+# @TEST-EXEC: test -f other.log && btest-diff other.log || true
+
+@TEST-START-FILE test.zeek
+# This provides a simple test module harness, used by all of the individual tests below.
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { LOG, LOG_OTHER };
+
+	# Create a corresponding policy hook:
+	global log_policy: Log::PolicyHook;
+
+	# Make up a log format for our tests
+	type Info: record {
+		t: time;
+		status: string;
+	} &log;
+}
+
+event zeek_init() &priority=2
+	{
+	Log::create_stream(Test::LOG, [$columns=Info, $path="test", $policy=log_policy]);
+	Log::create_stream(Test::LOG_OTHER, [$columns=Info, $path="test_other"]);
+	}
+@TEST-END-FILE test.zeek
+
+# Verify basic argument passing -- id and filter should be accessible
+# and have expected values. The hook should not catch.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	if ( id != Test::LOG || filter$name != "default" )
+		break;
+	}
+
+event zeek_init()
+	{
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that a policy hook can veto select log records.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	if ( rec$status == "foo" )
+		break;
+	}
+
+event zeek_init()
+	{
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	Log::write(Test::LOG, [$t=network_time(), $status="bar"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that a policy hook can alter the log entry.
+#
+# NOTE: doing this is dangerous; the change survives into log writes
+# resulting on other filters that get processed after the current one,
+# and the order of filters is undefined. We just test here that the
+# modification doesn't cause unexpected errors.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	rec$status = "bar";
+	}
+
+event zeek_init()
+	{
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that multiple hook handlers can get registered and their
+# priorities work as expected. (More of a generic hook test than
+# logging-specific, really.)
+#
+# The higher-priority hook filters out the only log record; the
+# lower-priority one should not get an opportunity to change it.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter) &priority=10
+	{
+	if ( rec$status == "foo" )
+		rec$status = "baz";
+	}
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter) &priority=20
+	{
+	rec$status = "bar";
+	}
+
+event zeek_init()
+	{
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that the stream-level policy gets inherited into additional
+# filters.  The single hook handler should get invoked for both of the
+# log filters, and alters them depending on the filter.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	if ( filter$name == "default" )
+		rec$status = "bar";
+	if ( filter$name == "other" )
+		rec$status = "baz";
+	}
+
+event zeek_init()
+	{
+	Log::add_filter(Test::LOG, [$name="other", $path="other"]);
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that filters can override the stream-level policy. The
+# stream-level policy rejects select records; the overriding one is
+# permissive.
+
+hook Test::log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	if ( rec$status == "foo" )
+		break;
+	}
+
+hook log_policy_permissible(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	}
+
+event zeek_init()
+	{
+	Log::add_filter(Test::LOG, [$name="other", $path="other", $policy=log_policy_permissible]);
+	Log::write(Test::LOG, [$t=network_time(), $status="foo"]);
+	Log::write(Test::LOG, [$t=network_time(), $status="bar"]);
+	}
+
+@TEST-START-NEXT
+
+# Verify that filters can define their own policy hooks when the
+# stream doesn't provide any. The Test::LOG_OTHER stream does not.
+
+hook my_log_policy(rec: Test::Info, id: Log::ID, filter: Log::Filter)
+	{
+	if ( rec$status == "foo" )
+		break;
+	}
+
+event zeek_init()
+	{
+	local filter = Log::get_filter(Test::LOG_OTHER, "default");
+	filter$path = "test";
+	filter$policy = my_log_policy;
+	Log::add_filter(Test::LOG_OTHER, filter);
+
+	Log::write(Test::LOG_OTHER, [$t=network_time(), $status="foo"]);
+	Log::write(Test::LOG_OTHER, [$t=network_time(), $status="bar"]);
+	}

testing/btest/scripts/base/frameworks/logging/pred.zeek

@@ -31,7 +31,7 @@ event zeek_init()
 	Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
 	Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
 
-    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
 	local r: Log = [$t=network_time(), $id=cid, $status="success"];
 	Log::write(Test::LOG, r);
 	Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);