Layout tweaks for the sumstats code, and preliminary updates for NEWS.

The layout changes are mostly whitespace and some comment rewrapping.
No functional changes.

scripts/policy/protocols/ftp/detect-bruteforcing.bro

@@ -1,3 +1,5 @@
+##! FTP brute-forcing detector, triggering when too  many rejected usernames or
+##! failed passwords have occured from a single address.
 
 @load base/protocols/ftp
 @load base/frameworks/sumstats
@@ -7,13 +9,13 @@
 module FTP;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## Indicates a host bruteforcing FTP logins by watching for too many
 		## rejected usernames or failed passwords.
 		Bruteforcing
 	};
 
-	## How many rejected usernames or passwords are required before being 
+	## How many rejected usernames or passwords are required before being
 	## considered to be bruteforcing.
 	const bruteforce_threshold = 20 &redef;
 
@@ -29,17 +31,17 @@ event bro_init()
 	SumStats::create([$epoch=bruteforce_measurement_interval,
 	                  $reducers=set(r1),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{ 
+	                  	{
 	                  	return result["ftp.failed_auth"]$num;
 	                  	},
 	                  $threshold=bruteforce_threshold,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = 
+	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["ftp.failed_auth"];
 	                  	local dur = duration_to_mins_secs(r$end-r$begin);
 	                  	local plural = r$unique>1 ? "s" : "";
 	                  	local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
-	                  	NOTICE([$note=FTP::Bruteforcing, 
+	                  	NOTICE([$note=FTP::Bruteforcing,
 	                  	        $src=key$host,
 	                  	        $msg=message,
 	                  	        $identifier=cat(key$host)]);
@@ -54,4 +56,4 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 		if ( FTP::parse_ftp_reply_code(code)$x == 5 )
 			SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 		}
-	}
+	}

scripts/policy/protocols/http/detect-sqli.bro

@@ -14,22 +14,22 @@ export {
 		## it.  This is tracked by IP address as opposed to hostname.
 		SQL_Injection_Victim,
 	};
-	
+
 	redef enum Tags += {
 		## Indicator of a URI based SQL injection attack.
 		URI_SQLI,
-		## Indicator of client body based SQL injection attack.  This is 
+		## Indicator of client body based SQL injection attack.  This is
 		## typically the body content of a POST request. Not implemented yet.
 		POST_SQLI,
 		## Indicator of a cookie based SQL injection attack. Not implemented yet.
 		COOKIE_SQLI,
 	};
-	
+
 	## Defines the threshold that determines if an SQL injection attack
-	## is ongoing based on the number of requests that appear to be SQL 
+	## is ongoing based on the number of requests that appear to be SQL
 	## injection attacks.
 	const sqli_requests_threshold = 50 &redef;
-	
+
 	## Interval at which to watch for the
 	## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
 	## At the end of each interval the counter is reset.
@@ -41,7 +41,7 @@ export {
 	const collect_SQLi_samples = 5 &redef;
 
 	## Regular expression is used to match URI based SQL injections.
-	const match_sql_injection_uri = 
+	const match_sql_injection_uri =
 		  /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
 		| /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
 		| /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
@@ -60,18 +60,18 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string
 
 event bro_init() &priority=3
 	{
-	# Add filters to the metrics so that the metrics framework knows how to 
+	# Add filters to the metrics so that the metrics framework knows how to
 	# determine when it looks like an actual attack and how to respond when
 	# thresholds are crossed.
 	local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples];
 	SumStats::create([$epoch=sqli_requests_interval,
 	                  $reducers=set(r1),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{ 
+	                  	{
 	                  	return double_to_count(result["http.sqli.attacker"]$sum);
 	                  	},
 	                  $threshold=sqli_requests_threshold,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = 
+	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["http.sqli.attacker"];
 	                  	NOTICE([$note=SQL_Injection_Attacker,
@@ -85,11 +85,11 @@ event bro_init() &priority=3
 	SumStats::create([$epoch=sqli_requests_interval,
 	                  $reducers=set(r2),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{ 
+	                  	{
 	                  	return double_to_count(result["http.sqli.victim"]$sum);
 	                  	},
 	                  $threshold=sqli_requests_threshold,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = 
+	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["http.sqli.victim"];
 	                  	NOTICE([$note=SQL_Injection_Victim,
@@ -106,7 +106,7 @@ event http_request(c: connection, method: string, original_URI: string,
 	if ( match_sql_injection_uri in unescaped_URI )
 		{
 		add c$http$tags[URI_SQLI];
-		
+
 		SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
 		SumStats::observe("http.sqli.victim",   [$host=c$id$resp_h], [$str=original_URI]);
 		}

scripts/policy/protocols/ssh/detect-bruteforcing.bro

@@ -10,7 +10,7 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a host has been identified as crossing the 
+		## Indicates that a host has been identified as crossing the
 		## :bro:id:`SSH::password_guesses_limit` threshold with heuristically
 		## determined failed logins.
 		Password_Guessing,
@@ -24,7 +24,7 @@ export {
 		## An indicator of the login for the intel framework.
 		SSH::SUCCESSFUL_LOGIN,
 	};
-	
+
 	## The number of failed SSH connections before a host is designated as
 	## guessing passwords.
 	const password_guesses_limit = 30 &redef;
@@ -33,9 +33,9 @@ export {
 	## model of a password guesser.
 	const guessing_timeout = 30 mins &redef;
 
-	## This value can be used to exclude hosts or entire networks from being 
+	## This value can be used to exclude hosts or entire networks from being
 	## tracked as potential "guessers".  There are cases where the success
-	## heuristic fails and this acts as the whitelist.  The index represents 
+	## heuristic fails and this acts as the whitelist.  The index represents
 	## client subnets and the yield value represents server subnets.
 	const ignore_guessers: table[subnet] of subnet &redef;
 }
@@ -46,21 +46,21 @@ event bro_init()
 	SumStats::create([$epoch=guessing_timeout,
 	                  $reducers=set(r1),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
-	                  	{ 
+	                  	{
 	                  	return double_to_count(result["ssh.login.failure"]$sum);
 	                  	},
 	                  $threshold=password_guesses_limit,
-	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = 
+	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["ssh.login.failure"];
 	                  	# Generate the notice.
-	                  	NOTICE([$note=Password_Guessing, 
+	                  	NOTICE([$note=Password_Guessing,
 	                  	        $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
 	                  	        $src=key$host,
 	                  	        $identifier=cat(key$host)]);
 	                  	# Insert the guesser into the intel framework.
 	                  	Intel::insert([$host=key$host,
-	                  	               $meta=[$source="local", 
+	                  	               $meta=[$source="local",
 	                  	                      $desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
 	                  	}]);
 	}
@@ -68,7 +68,7 @@ event bro_init()
 event SSH::heuristic_successful_login(c: connection)
 	{
 	local id = c$id;
-	
+
 	Intel::seen([$host=id$orig_h,
 	             $conn=c,
 	             $where=SSH::SUCCESSFUL_LOGIN]);
@@ -77,8 +77,8 @@ event SSH::heuristic_successful_login(c: connection)
 event SSH::heuristic_failed_login(c: connection)
 	{
 	local id = c$id;
-	
-	# Add data to the FAILED_LOGIN metric unless this connection should 
+
+	# Add data to the FAILED_LOGIN metric unless this connection should
 	# be ignored.
 	if ( ! (id$orig_h in ignore_guessers &&
 	        id$resp_h in ignore_guessers[id$orig_h]) )