policy: Import zeek-community-id scripts into protocols/conn frameworks/notice

Slightly adapted for indentation.

scripts/policy/frameworks/notice/community-id.zeek

@@ -0,0 +1,35 @@
+# Source this script in addition to protocols/conn/community-id
+# to add Community ID to notices.
+
+# Only support loading this if the main script is also loaded.
+@load base/protocols/conn
+@load base/frameworks/notice
+
+@ifdef ( CommunityID::seed )
+
+module CommunityID::Notice;
+
+export {
+	# Turn notice support on/off at runtime. When disabled,
+	# this still leaves the `community_id` string in the notice
+	# log, just unset.
+	option enabled: bool = T;
+
+	redef record Notice::Info += {
+		community_id: string &optional &log;
+	};
+}
+
+hook Notice::notice(n: Notice::Info)
+	{
+	if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
+		{
+		local info = n$conn$conn;
+		# This is set during new_connection(), so it should
+		# always be there, but better safe than sorry.
+		if ( info?$community_id )
+			n$community_id = info$community_id;
+		}
+	}
+
+@endif

scripts/policy/protocols/conn/community-id-logging.zeek

@@ -0,0 +1,26 @@
+##! Adds community hash IDs to conn.log.
+@load base/protocols/conn
+
+module CommunityID;
+
+export {
+	# An unsigned 16-bit number to seed our hashing
+	option seed: count = 0;
+
+	# Whether to add a base64 pass over the hash digest.
+	# Enabled by default, since it shortens the output.
+	option do_base64: bool = T;
+
+	# Add the ID string field to the connection log record.
+	redef record Conn::Info += {
+		community_id: string &optional &log;
+	};
+}
+
+module Conn;
+
+event new_connection(c: connection)
+	{
+	Conn::set_conn(c, F);  # likely first to access :-/
+	c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
+	}

scripts/site/local.zeek

@@ -90,6 +90,9 @@ redef digest_salt = "Please change this value.";
 # Extend email alerting to include hostnames
 @load policy/frameworks/notice/extend-email/hostnames
 
+# Extend the notice.log with Community ID hashes
+# @load policy/frameworks/notice/community-id
+
 # Enable logging of telemetry data into telemetry.log and
 # telemetry_histogram.log.
 @load frameworks/telemetry/log
@@ -98,6 +101,10 @@ redef digest_salt = "Please change this value.";
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
 
+# Uncomment the following line to enable logging of Community ID hashes in
+# the conn.log file.
+# @load policy/protocols/conn/community-id-logging
+
 # Uncomment the following line to enable logging of connection VLANs. Enabling
 # this adds two VLAN fields to the conn.log file.
 # @load policy/protocols/conn/vlan-logging

scripts/test-all-policy.zeek

@@ -64,6 +64,7 @@
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
 @load frameworks/notice/actions/drop.zeek
+@load frameworks/notice/community-id.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
 @load frameworks/packet-filter/shunt.zeek
@@ -85,6 +86,7 @@
 @load misc/weird-stats.zeek
 @load misc/trim-trace-file.zeek
 @load misc/unknown-protocols.zeek
+@load protocols/conn/community-id-logging.zeek
 @load protocols/conn/known-hosts.zeek
 @load protocols/conn/known-services.zeek
 @load protocols/conn/mac-logging.zeek

testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+-	-	-	-	-	-	COMMUNITY_ID_INIT	Zeek initializing
+141.142.228.5	59856	192.150.187.43	80	tcp	1:yvyB8h+3dnggTZW0UEITWCst97w=	COMMUNITY_ID_CONN_ESTABLISHED	Connection establishment

testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging/conn.log.cut

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+141.142.228.5	59856	192.150.187.43	80	tcp	-	1:yvyB8h+3dnggTZW0UEITWCst97w=

testing/btest/scripts/policy/frameworks/notice/community-id.zeek

@@ -0,0 +1,31 @@
+# This test verifies Community ID presence in the notice log, when
+# that part of the package is loaded. The test creates one notice
+# without connection state and one with, and verifies that the latter
+# includes the Community ID value for it.
+
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto community_id note msg < notice.log > notice.log.cut
+# @TEST-EXEC: btest-diff notice.log.cut
+
+@load protocols/conn/community-id-logging
+@load frameworks/notice/community-id
+
+redef enum Notice::Type += {
+	COMMUNITY_ID_INIT,
+	COMMUNITY_ID_CONN_ESTABLISHED,
+};
+
+event zeek_init()
+	{
+	# A notice without connection context
+	NOTICE([$note=COMMUNITY_ID_INIT,
+	        $msg="Zeek initializing"]);
+	}
+
+event connection_established(c: connection)
+	{
+	# A notice with connection context
+	NOTICE([$note=COMMUNITY_ID_CONN_ESTABLISHED,
+	        $msg="Connection establishment",
+	        $conn=c]);
+	}

testing/btest/scripts/policy/protocols/conn/community-id-logging.zeek

@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service community_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/community-id-logging