Layout tweaks for the sumstats code, and preliminary updates for NEWS.

The layout changes are mostly whitespace and some comment rewrapping.
No functional changes.
Robin Sommer 2013-04-28 15:34:20 -07:00
parent 1e40a2f88c
commit b9249ecf9d
21 changed files with 265 additions and 240 deletions


@ -10,7 +10,7 @@ module SSH;
export {
redef enum Notice::Type += {
## Indicates that a host has been identified as crossing the
## Indicates that a host has been identified as crossing the
## :bro:id:`SSH::password_guesses_limit` threshold with heuristically
## determined failed logins.
Password_Guessing,
@ -24,7 +24,7 @@ export {
## An indicator of the login for the intel framework.
SSH::SUCCESSFUL_LOGIN,
};
## The number of failed SSH connections before a host is designated as
## guessing passwords.
const password_guesses_limit = 30 &redef;
@ -33,9 +33,9 @@ export {
## model of a password guesser.
const guessing_timeout = 30 mins &redef;
## This value can be used to exclude hosts or entire networks from being
## This value can be used to exclude hosts or entire networks from being
## tracked as potential "guessers". There are cases where the success
## heuristic fails and this acts as the whitelist. The index represents
## heuristic fails and this acts as the whitelist. The index represents
## client subnets and the yield value represents server subnets.
const ignore_guessers: table[subnet] of subnet &redef;
}
@ -46,21 +46,21 @@ event bro_init()
SumStats::create([$epoch=guessing_timeout,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
{
return double_to_count(result["ssh.login.failure"]$sum);
},
$threshold=password_guesses_limit,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ssh.login.failure"];
# Generate the notice.
NOTICE([$note=Password_Guessing,
NOTICE([$note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
$src=key$host,
$identifier=cat(key$host)]);
# Insert the guesser into the intel framework.
Intel::insert([$host=key$host,
$meta=[$source="local",
$meta=[$source="local",
$desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
}]);
}
@ -68,7 +68,7 @@ event bro_init()
event SSH::heuristic_successful_login(c: connection)
{
local id = c$id;
Intel::seen([$host=id$orig_h,
$conn=c,
$where=SSH::SUCCESSFUL_LOGIN]);
@ -77,8 +77,8 @@ event SSH::heuristic_successful_login(c: connection)
event SSH::heuristic_failed_login(c: connection)
{
local id = c$id;
# Add data to the FAILED_LOGIN metric unless this connection should
# Add data to the FAILED_LOGIN metric unless this connection should
# be ignored.
if ( ! (id$orig_h in ignore_guessers &&
id$resp_h in ignore_guessers[id$orig_h]) )