diff --git a/INSTALL b/INSTALL index 5f61d0d663..dc2653fa1a 100644 --- a/INSTALL +++ b/INSTALL @@ -62,7 +62,6 @@ Installation To build and install into /usr/local/bro: > ./configure - > cd build > make > make install @@ -89,17 +88,19 @@ Running Bro =========== Bro is a complex program and it takes a bit of time to get familiar -with it. In the following we give a few simple examples. See the -quickstart guide at http://www.bro-ids.org for more information; you -can the source that in doc/quick-start. +with it. A good place for newcomers to start is the quick start guide +available here: + + http://www.bro-ids.org/documentation/quickstart.html For developers that wish to run Bro from the the build/ directory after performing "make", but without performing "make install", they will have to first set BROPATH to look for scripts inside the build directory. Sourcing either build/bro-path-dev.sh or build/bro-path-dev.csh -as appropriate for the current shell accomplishes this. e.g.: +as appropriate for the current shell accomplishes this and also augments your +PATH so you can use Bro without qualifying the path to it. e.g.: > ./configure > make > source build/bro-path-dev.sh - > ./build/src/bro + > bro diff --git a/README b/README index 66a580fa19..387201d3c7 100644 --- a/README +++ b/README 
@@ -1,31 +1,23 @@ -This is release 1.6 of Bro, a system for detecting network intruders in -real-time using passive network monitoring. +============================ +Bro Network Security Monitor +============================ -Please see the file INSTALL for installation instructions and -pointers for getting started. For more documentation, see the -documentation on Bro's home page: +Bro is a powerful framework for network analysis and security +monitoring. - http://www.bro-ids.org/docs +Please see the INSTALL file for installation instructions and pointers +for getting started. For more documentation, research publications, or +community contact information see Bro's home page: -The main parts of Bro's documentation are also available in the doc/ -directory of the distribution. (Please note that the documentation -is still a work in progress; there will be more in future releases.) + http://www.bro-ids.org -Numerous other Bro-related publications, including a paper describing the -system, can be found at +Please see COPYING for licensing information. - http://www.bro-ids.org/publications.html - -Send comments, etc., to the Bro mailing list, bro@bro-ids.org. -However, please note that you must first subscribe to the list in -order to be able to post to it. - -- Vern Paxson & Robin Sommer, on behalf of the Bro development team +On behalf of the Bro Development Team, +Vern Paxson & Robin Sommer, +International Computer Science Institute & Lawrence Berkeley National Laboratory -University of California, Berkeley USA - -ICSI Center for Internet Research (ICIR) -International Computer Science Institute -Berkeley, CA USA vern@icir.org / robin@icir.org + + diff --git a/policy.old/OS-fingerprint.bro b/policy.old/OS-fingerprint.bro deleted file mode 100644 index 8f00fe93fd..0000000000 --- a/policy.old/OS-fingerprint.bro +++ /dev/null 
@@ -1,18 +0,0 @@
-# $Id: OS-fingerprint.bro 1071 2005-03-08 14:09:31Z vern $
-#
-# Tracks operating system versioning using the "software" framework.
-
-@load software
-
-event OS_version_found(c: connection, host: addr, OS: OS_version)
- {
- local version: software_version;
- version$major = version$minor = version$minor2 = -1;
- version$addl = OS$detail;
-
- local sw: software;
- sw$name = OS$genre;
- sw$version = version;
-
- event software_version_found(c, host, sw, "OS");
- }
diff --git a/policy.old/adu.bro b/policy.old/adu.bro
deleted file mode 100644
index 3c2168784a..0000000000
--- a/policy.old/adu.bro
+++ /dev/null
@@ -1,278 +0,0 @@
-# $Id: adu.bro 5152 2007-12-04 21:48:56Z vern $
-
-@load conn-id
-
-module adu;
-
-# This script parses application-layer data (ADU) units, or "messages",
-# out of the packet streams. Since the analysis is generic, we define
-# an ADU simply as all application-layer data in a 5-tuple flow going
-# in one direction without any data going the other way. Once we see
-# data in the other direction, we finish the current ADU and start
-# a new one (going the other way). While this approach is only
-# approximate, it can work well for both UDP and TCP.
-#
-# The script reports ADUs as strings, up to a configurable maximum size, and
-# up to a configurable depth into the flow.
-#
-# Generated events:
-#
-# - adu_tx(c: connection, a: adu_state) reports an ADU seen from
-# c's originator to its responder.
-#
-# - adu_rx(c: connection, a: adu_state) reports an ADU seen from
-# c's responder to the originator.
-#
-# - adu_done(c: connection) indicates that no more ADUs will be seen
-# on connection c. This is useful to know in case your statekeeping
-# relies on event connection_state_remove(), which is also used by
-# adu.bro.
-#
-
-# --- Input configuration -- which ports to look at --------------------
-
-# Right now: everything!
-#
-redef tcp_content_deliver_all_orig = T;
-redef tcp_content_deliver_all_resp = T;
-redef udp_content_deliver_all_orig = T;
-redef udp_content_deliver_all_resp = T;
-
-# --- Debugging -- should really be a separate policy ------------------
-
-# Comment out to disable debugging output:
-#global adu_debug = T;
-
-# Uncomment to enable tests:
-#global adu_test = T;
-
-@ifdef (adu_debug)
-function DBG(msg: string) { print fmt("DBG[adu.bro]: %s", msg); }
-@else
-function DBG(msg: string) { }
-@endif
-
-export {
-
-# --- Constants --------------------------------------------------------
-
- # The maximum depth in bytes up to which we follow a flow.
- # This is counting bytes seen in both directions.
- const adu_conn_max_depth = 100000 &redef;
-
- # The maximum message depth that we report.
- const adu_max_depth = 3 &redef;
-
- # The maximum message size in bytes that we report.
- const adu_max_size = 1000 &redef;
-
- # Whether ADUs are reported beyond content gaps.
- const adu_gaps_ok = F &redef;
-
-# --- Types ------------------------------------------------------------
-
- # adu_state records contain the latest ADU and aditional flags to help
- # the user identify the direction of the message, its depth in the flow,
- # etc.
- type adu_state: record {
- adu: string &default = ""; # the current ADU
-
- # Message counter (>= 1), orig->resp and resp->orig.
- depth_tx: count &default = 1;
- depth_rx: count &default = 1;
-
- # TCP: seqno tracking to recognize gaps.
- seen_tx: count &default = 0;
- seen_rx: count &default = 0;
-
- size: count &default = 0; # total connection size in bytes
- is_orig: bool &default = F; # whether ADU is orig->resp
- ignore: bool &default = F; # ignore future activity on conn
- };
-
- # Tell the ADU policy that you do not wish to receive further
- # adu_tx/adu_rx events for a given connection. Other policies
- # may continue to process the connection.
- #
- global adu_skip_further_processing: function(cid: conn_id);
-}
-
-
-# --- Globals ----------------------------------------------------------
-
-# A global table that tracks each flow's messages.
-global adu_conns: table[conn_id] of adu_state;
-
-# Testing invokes the following events.
-global adu_tx: event(c: connection, astate: adu_state);
-global adu_rx: event(c: connection, astate: adu_state);
-global adu_done: event(c: connection);
-
-# --- Functions --------------------------------------------------------
-
-function adu_skip_further_processing(cid: conn_id)
- {
- if ( cid !in adu_conns )
- return;
-
- adu_conns[cid]$ignore = T;
- }
-
-function flow_contents(c: connection, is_orig: bool, seq: count, contents: string)
- {
- local astate: adu_state;
-
- DBG(fmt("contents %s, %s: %s", id_string(c$id), is_orig, contents));
-
- # Ensure we track the given connection.
- if ( c$id !in adu_conns )
- adu_conns[c$id] = astate;
- else
- astate = adu_conns[c$id];
-
- # Forget it if we've been asked to ignore.
- #
- if ( astate$ignore == T )
- return;
-
- # Don't report if flow is too big.
- #
- if ( astate$size >= adu_conn_max_depth )
- return;
-
- # If we have an assembled message, we may now have something
- # to report.
- if ( |astate$adu| > 0 )
- {
- # If application-layer data flow is switching
- # from resp->orig to orig->resp, report the assembled
- # message as a received ADU.
- if ( is_orig && ! astate$is_orig )
- {
- event adu_rx(c, copy(astate));
- astate$adu = "";
-
- if ( ++astate$depth_rx > adu_max_depth )
- adu_skip_further_processing(c$id);
- }
-
- # If application-layer data flow is switching
- # from orig->resp to resp->orig, report the assembled
- # message as a transmitted ADU.
- #
- if ( !is_orig && astate$is_orig )
- {
- event adu_tx(c, copy(astate));
- astate$adu = "";
-
- if ( ++astate$depth_tx > adu_max_depth )
- adu_skip_further_processing(c$id);
- }
- }
-
- # Check for content gaps. If we identify one, only continue
- #
- if ( !adu_gaps_ok && seq > 0 )
- {
- if ( is_orig )
- {
- if ( seq > astate$seen_tx + 1 )
- return;
- else
- astate$seen_tx += |contents|;
- }
- else
- {
- if ( seq > astate$seen_rx + 1 )
- return;
- else
- astate$seen_rx += |contents|;
- }
- }
-
- # Append the contents to the end of the currently
- # assembled message, if the message hasn't already
- # reached the maximum size.
- #
- if ( |astate$adu| < adu_max_size )
- {
- astate$adu += contents;
-
- # As a precaution, clip the string to the maximum
- # size. A long content string with astate$adu just
- # below its maximum allowed size could exceed that
- # limit by a lot.
- ### str_clip(astate$adu, adu_max_size);
- }
-
-
- # Note that this counter is bumped up even if we have
- # exceeded the maximum size of an individual message.
- #
- astate$size += |contents|;
-
- astate$is_orig = is_orig;
- }
-
-# --- Event Handlers ---------------------------------------------------
-
-event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
- {
- flow_contents(c, is_orig, seq, contents);
- }
-
-event udp_contents(u: connection, is_orig: bool, contents: string)
- {
- flow_contents(u, is_orig, 0, contents);
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id !in adu_conns )
- return;
-
- local astate = adu_conns[c$id];
-
- # Forget it if we've been asked to ignore.
- #
- if ( astate$ignore == T )
- return;
-
- # Report the remaining data now, if any.
- #
- if ( |astate$adu| > 0 ) {
- if ( astate$is_orig )
- {
- if ( astate$depth_tx <= adu_max_depth )
- event adu_tx(c, copy(astate));
- }
- else
- {
- if ( astate$depth_rx <= adu_max_depth )
- event adu_rx(c, copy(astate));
- }
- }
-
- delete adu_conns[c$id];
- event adu_done(c);
-}
-
-
-# --- Tests ------------------------------------------------------------
-
-@ifdef (adu_test)
-
-event adu_tx(c: connection, astate: adu_state)
- {
- print fmt("%s ---- %s, %d -> ----", network_time(), id_string(c$id), astate$depth_tx);
-# print astate$adu;
- }
-
-event adu_rx(c: connection, astate: adu_state)
- {
- print fmt("%s ---- %s, %d <- ----", network_time(), id_string(c$id), astate$depth_rx);
-# print astate$adu;
- }
-
-@endif
diff --git a/policy.old/alarm.bro b/policy.old/alarm.bro
deleted file mode 100644
index 4c4943c948..0000000000
--- a/policy.old/alarm.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: alarm.bro 340 2004-09-09 06:38:27Z vern $
-
-redef bro_alarm_file = open_log_file("alarm");
diff --git a/policy.old/all.bro b/policy.old/all.bro
deleted file mode 100644
index 4bbe3e8afe..0000000000
--- a/policy.old/all.bro
+++ /dev/null
@@ -1,141 +0,0 @@
-@load heavy-analysis
-@load OS-fingerprint
-@load adu
-@load alarm
-@load analy
-@load anon
-@load arp
-@load backdoor
-@load bittorrent
-@load blaster
-@load bt-tracker
-@load brolite-backdoor
-@load capture-events
-@load capture-loss
-@load capture-state-updates
-@load checkpoint
-@load clear-passwords
-@load conn-flood
-@load conn-id
-@load conn
-@load contents
-@load cpu-adapt
-@load dce
-@load demux
-@load detect-protocols-http
-@load detect-protocols
-@load dhcp
-@load dns-info
-@load dns-lookup
-@load dns
-@load dpd
-@load drop-adapt
-@load dyn-disable
-@load file-flush
-@load finger
-@load firewall
-@load flag-irc
-@load flag-warez
-@load frag
-@load ftp
-@load gnutella
-@load hot-ids
-@load hot
-@load http-abstract
-@load http-anon-server
-@load http-anon-useragent
-@load http-anon-utils
-@load http-body
-@load http-detect-passwd
-@load http-entity
-@load http-event
-@load http-header
-@load http-identified-files.bro
-@load http-reply
-@load http-request
-@load http-rewriter
-@load http
-@load icmp
-@load ident-rewriter
-@load ident
-@load inactivity
-@load interconn
-@load irc-bot-syslog
-@load irc-bot
-@load irc
-@load large-conns
-@load listen-clear
-@load listen-ssl
-@load load-level
-@load load-sample
-@load log-append
-@load login
-@load mime-pop
-@load mime
-@load mt
-@load ncp
-@load netflow
-@load netstats
-@load nfs
-@load notice-action-filters
-@load notice
-@load ntp
-@load passwords
-@load pcap
-@load pkt-profile
-@load pop3
-@load port-name
-@load portmapper
-@load print-filter
-@load print-globals
-@load print-resources
-@load print-sig-states
-@load profiling
-@load proxy
-@load remote-pcap
-@load remote-ping
-@load remote-print-id-reply
-@load remote-print-id
-@load remote-print
-@load remote-report-notices
-@load remote-send-id
-@load remote
-@load rotate-logs
-@load rsh
-@load scan
-@load secondary-filter
-@load sensor-sshd
-@load server-ports
-@load service-probe
-@load signatures
-@load site
-@load smb
-@load smtp-relay
-@load smtp-rewriter
-@load smtp
-@load snort
-@load software
-@load ssh
-@load ssh-stepping
-@load ssl-alerts
-@load ssl-ciphers
-@load ssl-errors
-@load ssl-worm
-@load ssl
-@load stats
-@load stepping
-@load synflood
-@load targeted-scan
-@load tcp
-@load tftp
-@load trw-impl
-@load trw
-@load udp-common
-@load udp
-@load vlan
-@load weird
-@load worm
-@load notice-policy
-
-# The following keeps us running after the bro_init event.
-redef PrintFilter::terminate_bro = F;
diff --git a/policy.old/analy.bro b/policy.old/analy.bro
deleted file mode 100644
index 714c1deb41..0000000000
--- a/policy.old/analy.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# Statistical analysis of TCP connection in terms of the packet streams
-# in each direction.
-
-@load dns-lookup
-@load udp
-
-
-event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
- {
- local id = c$id;
-
- print fmt("%.6f %s %s %s %s %s %s %s %s %s",
- c$start_time, c$duration, id$orig_p, id$resp_p,
- conn_size(c$orig, tcp), conn_size(c$resp, tcp),
- id$orig_h, id$resp_h, os, rs);
- }
diff --git a/policy.old/anon.bro b/policy.old/anon.bro
deleted file mode 100644
index f2532cb38e..0000000000
--- a/policy.old/anon.bro
+++ /dev/null
@@ -1,193 +0,0 @@
-# $Id: anon.bro 6889 2009-08-21 16:45:17Z vern $
-
-redef anonymize_ip_addr = T;
-
-const orig_addr_anonymization = RANDOM_MD5 &redef;
-const resp_addr_anonymization = RANDOM_MD5 &redef;
-const other_addr_anonymization = SEQUENTIALLY_NUMBERED &redef;
-
-const preserve_orig_addr: set[addr] = {} &redef;
-const preserve_resp_addr: set[addr] = {} &redef;
-const preserve_other_addr: set[addr] = {
- 0.0.0.0,
-} &redef;
-
-const preserved_subnet: set[subnet] = {
-# 192.150.186/23,
-} &redef;
-
-const preserved_net: set[net] = {
-# 192.150.186, 192.150.187,
-} &redef;
-
-global anon_log = open_log_file("anon") &redef;
-
-global anonymized_args: table[string] of string;
-
-global ip_anon_mapping: set[addr, addr];
-
-event bro_init()
- {
- for ( n in preserved_net )
- preserve_net(n);
- }
-
-function anonymize_address(a: addr, id: conn_id): addr
- {
- if ( a == id$orig_h )
- return anonymize_addr(a, ORIG_ADDR);
- else if ( a == id$resp_h )
- return anonymize_addr(a, RESP_ADDR);
- else
- return anonymize_addr(a, OTHER_ADDR);
- }
-
-event anonymization_mapping(orig: addr, mapped: addr)
- {
- if ( [orig, mapped] !in ip_anon_mapping )
- {
- add ip_anon_mapping[orig, mapped];
- print anon_log, fmt("%s -> %s", orig, mapped);
- }
- }
-
-function string_anonymized(from: string, to: string, seed: count)
- {
- print anon_log, fmt("\"%s\" %d=> \"%s\"", from, seed, to);
- }
-
-global num_string_id: count = 0 &redef;
-global anonymized_strings: table[string] of record {
- s: string;
- c: count;
-} &redef;
-
-# Hopefully, the total number of strings to anonymize is much less than
-# 36^unique_string_length.
-const unique_string_length = 8 &redef; -# const anonymized_string_pattern = /U[0-9a-f]+U/; -global unique_string_set: set[string]; - -event bro_init() - { - for ( s in anonymized_strings ) - add unique_string_set[anonymized_strings[s]$s]; - } - -function unique_string(s: string, seed: count): string - { - local t = cat("U", sub_bytes(md5_hmac(seed, s), - 1, unique_string_length), "U"); - if ( t in unique_string_set ) - return unique_string(s, seed+1); - - anonymized_strings[s] = [$s = t, $c = 1]; - add unique_string_set[t]; - string_anonymized(s, t, seed); - - return t; - } - -function anonymize_string(from: string): string - { - if ( from in anonymized_strings ) - { - ++anonymized_strings[from]$c; - return anonymized_strings[from]$s; - } - - local t = unique_string(from, 0); - return t; - } - -function anonymize_arg(typ: string, arg: string): string - { - if ( arg == "" ) - return ""; # an empty argument is safe - - local arg_seed = string_cat(typ, arg); - - if ( arg_seed in anonymized_args ) - return anonymized_args[arg_seed]; - - local a = anonymize_string(arg_seed); - anonymized_args[arg_seed] = a; - - print anon_log, fmt("anonymize_arg: (%s) {%s} -> %s ", - typ, to_string_literal(arg), to_string_literal(a)); - return a; - } - - -# Does not contain ? and ends with an allowed suffix. -const path_to_file_pat = - /\/[^?]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/ - ; - -# Acceptable domain names. -const kosher_dom_pat = - /ar|au|biz|br|ca|cc|cl|cn|co|com|cx|cz|de|ec|es|edu|fi|fm|fr|gov|hn|il|is|it|jp|lv|mx|net|no|nz|org|pe|pl|ru|sk|tv|tw|uk|us|arpa/ - ; - -# Simple filename pattern. 
-const simple_filename =
- /[0-9\-A-Za-z]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/
- ;
-
-function anonymize_path(path: string): string
- {
- local hashed_path = "";
-
- if ( to_lower(path) != path_to_file_pat )
- {
- hashed_path = anonymize_arg("path", path);
- return hashed_path;
- }
-
- local file_parts = split(path, /\./);
-
- local i = 1;
- for ( part in file_parts )
- {
- # This looks broken to me - VP.
- hashed_path = fmt("%s.%s", hashed_path, file_parts[i]);
- if ( ++i == length(file_parts) )
- break;
- }
-
- return fmt("%s.%s", anonymize_arg("path", hashed_path), file_parts[i]);
- }
-
-function anonymize_host(host: string): string
- {
- local hashed_host = "";
- local host_parts = split(host, /\./);
-
- local i = 1;
- for ( hosty in host_parts )
- {
- if ( i == length(host_parts) )
- break;
-
- # Check against "kosher" tld list.
- hashed_host = fmt("%s%s.", hashed_host,
- anonymize_arg("host", host_parts[i]));
-
- ++i;
- }
-
- if ( host_parts[i] == kosher_dom_pat )
- return string_cat(hashed_host, host_parts[i]);
-
- print anon_log, fmt("anonymize_host: non-kosher domain %s", host);
- return string_cat(hashed_host, anonymize_arg("host", host_parts[i]));
- }
-
-event bro_done()
- {
- for ( s in anonymized_strings )
- {
- print anon_log, fmt("appearance: %d: \"%s\" => \"%s\"",
- anonymized_strings[s]$c, s, anonymized_strings[s]$s);
- }
- }
diff --git a/policy.old/arp.bro b/policy.old/arp.bro
deleted file mode 100644
index dfae133b38..0000000000
--- a/policy.old/arp.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-# $Id: arp.bro 4909 2007-09-24 02:26:36Z vern $
-
-@load notice
-
-module ARP;
-
-export {
- redef enum Notice += {
- ARPSourceMAC_Mismatch, # source MAC doesn't match mappings
- ARPAddlMAC_Mapping, # another MAC->addr seen beyond just one
- ARPUnsolicitedReply, # could be poisoning; or just gratuitous
- # ARPRequestProvidesTargetAddr, # request includes non-triv addr
-
- # MAC/addr pair seen in request/reply different from
- # that in the cache.
- ARPCacheInconsistency,
-
- # ARP reply gives different value than previously seen.
- ARPMappingChanged,
- };
-
- const arp_log = open_log_file("arp") &redef;
-}
-
-redef capture_filters += { ["arp"] = "arp" };
-
-# Abbreviations taken from RFC 826:
-#
-# SHA: source hardware address
-# SPA: source protocol address (i.e., IP address)
-# THA: target hardware address
-# TPA: target protocol address
-
-# ARP requests indexed on SHA/SPA/TPA (no THA, as it's what it's being
-# queried).
-global arp_requests: set[string, addr, addr] &create_expire = 1 min;
-
-# ARP responses we've seen: indexed by IP address, yielding MAC address.
-global ARP_cache: table[addr] of string;
-
-
-# Bad ARPs can occur when:
-# - type/size pairs are not OK for HW and L3 addresses (Ethernet=6, IP=4)
-# - opcode is neither request (1) nor reply (2)
-# - MAC src address != ARP sender MAC address
-event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
- explanation: string)
- {
- print arp_log, fmt("%.06f bad-arp %s(%s) ? %s(%s): %s",
- network_time(), SPA, SHA, TPA, THA, explanation);
- }
-
-
-# The first of these maps a MAC address to the last protocol address seen
-# for it. The second tracks every protocol address seen.
-global mac_addr_map: table[string] of addr;
-global mac_addr_associations: table[string] of set[addr];
-
-# A somewhat general notion of broadcast MAC/IP addresses.
-const broadcast_mac_addrs = { "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", };
-const broadcast_addrs = { 0.0.0.0, 255.255.255.255, };
-
-
-# Called to note that we've seen an association between a MAC address
-# and an IP address. Note that this is *not* an association advertised
-# in an ARP reply (those are tracked in ARP_cache), but instead the
-# pairing of hardware address + protocol address as expressed in
-# an ARP request or reply header.
-function mac_addr_association(mac_addr: string, a: addr)
- {
- # Ignore placeholders.
- if ( mac_addr in broadcast_mac_addrs || a in broadcast_addrs )
- return;
-
- local is_addl = F;
- if ( mac_addr in mac_addr_associations )
- is_addl = a !in mac_addr_associations[mac_addr];
- else
- mac_addr_associations[mac_addr] = set();
-
- print arp_log, fmt("%.06f association %s -> %s%s", network_time(),
- mac_addr, a, is_addl ? " " : "");
-
- mac_addr_map[mac_addr] = a;
- add mac_addr_associations[mac_addr][a];
-
- if ( a in ARP_cache && ARP_cache[a] != mac_addr )
- NOTICE([$note=ARPCacheInconsistency, $src=a,
- $msg=fmt("mapping for %s to %s doesn't match cache of %s",
- mac_addr, a, ARP_cache[a])]);
- }
-
-# Returns the IP address associated with a MAC address, if we've seen one.
-# Otherwise just returns the MAC address.
-function addr_from_mac(mac_addr: string): string
- {
- return mac_addr in mac_addr_map ?
- fmt("%s", mac_addr_map[mac_addr]) : mac_addr;
- }
-
-event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string)
- {
- mac_addr_association(SHA, SPA);
-
- local msg = fmt("%s -> %s who-has %s",
- addr_from_mac(mac_src), addr_from_mac(mac_dst), TPA);
-
- local mismatch = SHA != mac_src;
- if ( mismatch )
- NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
- # It turns out that some hosts fill in the THA field even though
- # that doesn't make sense. (The RFC specifically allows this,
- # however.) Perhaps there's an attack that can be launched
- # doing so, but it's hard to see what it might be, so for now
- # we don't bother notice'ing these.
- # if ( THA !in broadcast_addrs )
- # NOTICE([$note=ARPRequestProvidesTargetAddr, $src=SPA,
- # $msg=fmt("%s: %s", msg, THA)]);
-
- print arp_log, fmt("%.06f %s%s", network_time(), msg,
- mismatch ? " " : "");
-
- add arp_requests[SHA, SPA, TPA];
- }
-
-event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string)
- {
- mac_addr_association(SHA, SPA);
- mac_addr_association(THA, TPA);
-
- local msg = fmt("%s -> %s: %s is-at %s",
- addr_from_mac(mac_src), addr_from_mac(mac_dst),
- SPA, SHA);
-
- local unsolicited = [THA, TPA, SPA] !in arp_requests;
- delete arp_requests[THA, TPA, SPA];
- if ( unsolicited )
- NOTICE([$note=ARPUnsolicitedReply, $src=SPA,
- $msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
-
- local mismatch = SHA != mac_src;
- if ( mismatch )
- NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
- local mapping_changed = SPA in ARP_cache && ARP_cache[SPA] != SHA;
- if ( mapping_changed )
- NOTICE([$note=ARPMappingChanged, $src=SPA,
- $msg=fmt("%s: was %s", msg, ARP_cache[SPA])]);
-
- print arp_log, fmt("%.06f %s%s%s%s", network_time(), msg,
- unsolicited ? " " : "",
- mismatch ? " " : "",
- mapping_changed ?
- fmt(" ", ARP_cache[SPA]) : "");
-
- ARP_cache[SPA] = SHA;
- }
diff --git a/policy.old/backdoor.bro b/policy.old/backdoor.bro
deleted file mode 100644
index f611d424fa..0000000000
--- a/policy.old/backdoor.bro
+++ /dev/null
@@ -1,559 +0,0 @@
-# $Id: backdoor.bro 4909 2007-09-24 02:26:36Z vern $
-
-# Looks for a variety of applications running on ports other than
-# their usual ports.
-#
-# Note that this script by itself does *not* change capture_filters
-# to add in the extra ports to look at. You need to specify that
-# separately.
-
-
-# Some tcpdump filters can be used to replace or work together with
-# some detection algorithms. They could be used with the "secondary
-# filter" for more efficient (but in some cases potentially less reliable)
-# matching:
-#
-# - looking for "SSH-1." or "SSH-2." at the beginning of the packet;
-# somewhat weaker than ssh-sig in that ssh-sig only looks for such
-# pattern in the first packet of a connection:
-#
-# tcp[(tcp[12]>>2):4] = 0x5353482D and
-# (tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e)
-#
-# - looking for pkts with 8k+4 (<=128) bytes of data (combined with ssh-len);
-# only effective for ssh 1.x:
-#
-# (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) & 0xFF87 = 4
-#
-# - looking for packets with <= 512 bytes of data that ends with a NUL
-# (can be potentially combined with rlogin-sig or rlogin-sig-1byte):
-#
-# (tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and
-# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and
-# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512)
-#
-# - looking for telnet negotiation (can be combined with telnet-sig(-3byte)):
-#
-# (tcp[(tcp[12]>>2):2] > 0xfffa) and
-# (tcp[(tcp[12]>>2):2] < 0xffff) and
-# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12] >> 2)) >= 3)
-#
-# - looking for packets with <= 20 bytes of data (combined with small-pkt):
-#
-# (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
-#
-# - looking for FTP servers by the initial "220-" or "220 " sent by the server:
-#
-# tcp[(tcp[12]>>2):4] = 0x3232302d or tcp[(tcp[12]>>2):4] = 0x32323020
-#
-# - looking for root backdoors by seeing a server payload of exactly "# ":
-#
-# tcp[(tcp[12]>>2):2] = 0x2320 and
-# (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2
-#
-# - looking for Napster by the initial "GET" or "SEND" sent by the originator:
-#
-# ((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=4 and
-# tcp[(tcp[12]>>2):4]=0x53454e44) or
-# ((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=3 and
-# tcp[(tcp[12]>>2):2]=0x4745 and tcp[(tcp[12]>>2)+2]=0x54)
-#
-# - looking for Gnutella handshaking "GNUTELLA "
-#
-# tcp[(tcp[12]>>2):4] = 0x474e5554 and
-# tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
-# tcp[8+(tcp[12]>>2)] = 0x20
-#
-# - looking for KaZaA via "GIVE " (not present in all connections)
-#
-# tcp[(tcp[12]>>2):4] = 0x47495645 and
-# tcp[(4+(tcp[12]>>2)):1] = 0x20
-#
-
-@load site
-@load port-name
-@load demux
-@load notice
-
-redef enum Notice += { BackdoorFound, };
-
-# Set to dump the packets that trigger the backdoor detector to a file.
-const dump_backdoor_packets = F &redef;
-
-redef backdoor_stat_period = 60 sec;
-redef backdoor_stat_backoff = 2.0;
-
-const ssh_min_num_pkts = 8 &redef;
-const ssh_min_ssh_pkts_ratio = 0.6 &redef;
-
-const backdoor_min_num_lines = 2 &redef;
-const backdoor_min_normal_line_ratio = 0.5 &redef;
-
-const backdoor_min_bytes = 10 &redef;
-const backdoor_min_7bit_ascii_ratio = 0.75 &redef;
-
-type rlogin_conn_info : record {
- o_num_null: count;
- o_len: count;
- r_num_null: count;
- r_len: count;
-};
-
-const backdoor_demux_disabled = T &redef;
-const backdoor_demux_skip_tags: set[string] &redef;
-
-const ftp_backdoor_sigs = "ftp-sig";
-const ssh_backdoor_sigs = { "ssh-sig", "ssh-len-v1.x", "ssh-len-v2.x" };
-const rlogin_backdoor_sigs = { "rlogin-sig", "rlogin-sig-1byte" };
-const root_backdoor_sigs = "root-bd-sig";
-const telnet_backdoor_sigs = { "telnet-sig", "telnet-sig-3byte" };
-const napster_backdoor_sigs = "napster-sig";
-const gnutella_backdoor_sigs = "gnutella-sig";
-const kazaa_backdoor_sigs = "kazaa-sig";
-const http_backdoor_sigs = "http-sig";
-const http_proxy_backdoor_sigs = "http-proxy-sig";
-const smtp_backdoor_sigs = "smtp-sig";
-const irc_backdoor_sigs = "irc-sig";
-const gaobot_backdoor_sigs = "gaobot-sig";
-
-# List of backdoors, so you can use it when defining sets and tables
-# with values over all of them.
-const backdoor_sigs = {
- ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
- root_backdoor_sigs, telnet_backdoor_sigs,
- napster_backdoor_sigs, gnutella_backdoor_sigs, kazaa_backdoor_sigs,
- http_backdoor_sigs, http_proxy_backdoor_sigs,
- smtp_backdoor_sigs, irc_backdoor_sigs, gaobot_backdoor_sigs,
-};
-
-# List of address-port pairs that if present in a backdoor are ignored.
-# Note that these can be either the client and its source port (unusual)
-# or the server and its service port (the common case).
-const backdoor_ignore_host_port_pairs: set[addr, port] &redef;
-
-const backdoor_ignore_ports: table[string, port] of bool = {
- # The following ignore backdoors that are detected on their
- # usual ports. The definitions for ftp-sig, telnet-sig and
- # telnet-sig-3byte are somehwat broad since those backdoors
- # are also frequently triggered for other similar protocols.
-
- [ftp_backdoor_sigs, [ftp, smtp, 587/tcp ]] = T,
- [ssh_backdoor_sigs, ssh] = T,
- [rlogin_backdoor_sigs , [512/tcp, rlogin, 514/tcp]] = T,
- [root_backdoor_sigs, [telnet, 512/tcp, rlogin, 514/tcp]] = T,
- [telnet_backdoor_sigs, [telnet, ftp, smtp, 143/tcp, 110/tcp]] = T,
-
- # The following don't have well-known ports (well, Napster does
- # somewhat, as shown below), hence the definitions are F rather
- # than T.
- [napster_backdoor_sigs, [6688/tcp, 6699/tcp]] = F,
- [gnutella_backdoor_sigs, 6346/tcp] = F,
-
- [kazaa_backdoor_sigs, 1214/tcp] = F,
-
- [http_backdoor_sigs, [http, 8000/tcp, 8080/tcp]] = T,
-
- [smtp_backdoor_sigs, [smtp, 587/tcp]] = T,
-
- # Skip FTP, as "USER foo" generates false positives. There's
- # also a lot of IRC on 7000/tcp.
- [irc_backdoor_sigs, [ftp, 6666/tcp, 6667/tcp, 7000/tcp]] = T,
-
- # The following are examples of wildcards, and since they're defined
- # to be F, they don't affect the policy unless redefined.
- ["*", http] = F, # entry for "any backdoor, service http"
- ["ssh-sig", 0/tcp] = F, # entry for "ssh-sig, any port"
-
-} &redef &default = F;
-
-# Indexed by the backdoor, indicates which backdoors residing on
-# a local (remote) host should be ignored.
-const backdoor_ignore_local: set[string] &redef;
-const backdoor_ignore_remote: set[string] &redef;
-
-# Indexed by the source (destination) address and the backdoor.
-# Also indexed by the /24 and /16 versions of the source address.
-# backdoor "*" means "all backdoors".
-const backdoor_ignore_src_addrs: table[string, addr] of bool &redef &default=F;
-const backdoor_ignore_dst_addrs: table[string, addr] of bool &redef &default=F;
-
-const backdoor_standard_ports = {
- telnet, rlogin, 512/tcp, 514/tcp, ftp, ssh, smtp, 143/tcp,
- 110/tcp, 6667/tcp,
-} &redef;
-const backdoor_annotate_standard_ports = T &redef;
-
-const backdoor_ignore_hosts: set[addr] &redef;
-const backdoor_ignore_src_nets: set[subnet] &redef;
-const backdoor_ignore_dst_nets: set[subnet] &redef;
-
-# Most backdoors are enabled by default, but a few are disabled by
-# default (T below) because they generated too many false positives
-# (or, for HTTP, too many uninteresting true positives).
-const ftp_sig_disabled = F &redef; -const gaobot_sig_disabled = F &redef; -const gnutella_sig_disabled = F &redef; -const http_proxy_sig_disabled = T &redef; -const http_sig_disabled = T &redef; -const irc_sig_disabled = F &redef; -const kazaa_sig_disabled = F &redef; -const napster_sig_disabled = F &redef; -const rlogin_sig_1byte_disabled = T &redef; -const rlogin_sig_disabled = T &redef; -const root_backdoor_sig_disabled = T &redef; -const smtp_sig_disabled = F &redef; - # Note, for the following there's a corresponding variable - # interconn_ssh_len_disabled in interconn.bro. -const ssh_len_disabled = T &redef; -const ssh_sig_disabled = F &redef; -const telnet_sig_3byte_disabled = T &redef; -const telnet_sig_disabled = T &redef; - -global ssh_len_conns: set[conn_id]; -global rlogin_conns: table[conn_id] of rlogin_conn_info; -global root_backdoor_sig_conns: set[conn_id]; - -global did_sig_conns: table[conn_id] of set[string]; - -const BACKDOOR_UNKNOWN = 0; -const BACKDOOR_YES = 1; -const BACKDOOR_NO = 2; -const BACKDOOR_SIG_FOUND = 3; - -global telnet_sig_conns: table[conn_id] of count; -global telnet_sig_3byte_conns: table[conn_id] of count; - -global smtp_sig_conns: table[conn_id] of count; -global irc_sig_conns: table[conn_id] of count; -global gaobot_sig_conns: table[conn_id] of count; - -const backdoor_log = open_log_file("backdoor") &redef; - -function ignore_backdoor_conn(c: connection, bd: string): bool - { - local oa = c$id$orig_h; - local ra = c$id$resp_h; - local op = c$id$orig_p; - local rp = c$id$resp_p; - - if ( backdoor_ignore_ports[bd, op] || - backdoor_ignore_ports[bd, rp] || - - # Check port wildcards. 
- backdoor_ignore_ports[bd, 0/tcp] || - - (ra in local_nets && bd in backdoor_ignore_local) || - (ra !in local_nets && bd in backdoor_ignore_remote) || - - backdoor_ignore_src_addrs[bd, oa] || - backdoor_ignore_src_addrs[bd, mask_addr(oa, 16)] || - backdoor_ignore_src_addrs[bd, mask_addr(oa, 24)] || - - backdoor_ignore_dst_addrs[bd, ra] || - backdoor_ignore_dst_addrs[bd, mask_addr(ra, 16)] || - backdoor_ignore_dst_addrs[bd, mask_addr(ra, 24)] ) - return T; - - if ( [oa, op] in backdoor_ignore_host_port_pairs || - [ra, rp] in backdoor_ignore_host_port_pairs ) - return T; - - if ( bd != "*" ) - # Evaluate again, but for wildcarding the backdoor. - return ignore_backdoor_conn(c, "*"); - else - return F; - } - -function log_backdoor(c: connection, tag: string): bool - { - if ( ignore_backdoor_conn(c, tag) ) - return F; - - local id = c$id; - - if ( backdoor_annotate_standard_ports && - (id$orig_p in backdoor_standard_ports || - id$resp_p in backdoor_standard_ports) ) - append_addl(c, fmt("[%s]", tag)); - - else if ( id$orig_h in backdoor_ignore_hosts || - id$resp_h in backdoor_ignore_hosts || - id$orig_h in backdoor_ignore_src_nets || - id$resp_h in backdoor_ignore_dst_nets ) - return F; - - else - { - print backdoor_log, fmt("%.6f %s > %s %s", - c$start_time, - endpoint_id(id$orig_h, id$orig_p), - endpoint_id(id$resp_h, id$resp_p), - tag); - - NOTICE([$note=BackdoorFound, $msg=tag, $conn=c]); - - if ( dump_backdoor_packets ) - { - mkdir("backdoor-packets"); - local fname = fmt("backdoor-packets/%s:%.2f", - tag, current_time()); - dump_current_packet(fname); - } - - if ( backdoor_demux_disabled || - tag in backdoor_demux_skip_tags ) - { - if ( active_connection(c$id) ) - skip_further_processing(c$id); - } - else - demux_conn(id, tag, "orig", "resp"); - } - - return T; - } - -event new_connection(c: connection) - { - local id = c$id; - - if ( ! rlogin_sig_disabled || ! 
rlogin_sig_1byte_disabled ) - { - local i: rlogin_conn_info; - i$o_num_null = i$o_len = i$r_num_null = i$r_len = 0; - - rlogin_conns[id] = i; - } - } - -event backdoor_remove_conn(c: connection) - { - local id = c$id; - - delete ssh_len_conns[id]; - delete telnet_sig_conns[id]; - delete telnet_sig_3byte_conns[id]; - delete rlogin_conns[id]; - delete root_backdoor_sig_conns[id]; - delete smtp_sig_conns[id]; - delete irc_sig_conns[id]; - delete gaobot_sig_conns[id]; - - delete did_sig_conns[id]; - } - -event root_backdoor_signature_found(c: connection) - { - if ( root_backdoor_sig_disabled || - ignore_backdoor_conn(c, "root-bd-sig") ) - return; - - local id = c$id; - - # For root backdoors, don't ignore standard ports. This is because - # we shouldn't see such a backdoor even 23/tcp or 513/tcp! - - if ( id !in root_backdoor_sig_conns ) - { - add root_backdoor_sig_conns[id]; - log_backdoor(c, "root-bd-sig"); - } - } - -function signature_found(c: connection, sig_disabled: bool, sig_name: string) - { - if ( sig_disabled ) - return; - - if ( ignore_backdoor_conn(c, sig_name) ) - return; - - if ( c$id !in did_sig_conns ) - did_sig_conns[c$id] = set(); - - if ( sig_name !in did_sig_conns[c$id] ) - { - add did_sig_conns[c$id][sig_name]; - log_backdoor(c, sig_name); - } - } - -event ftp_signature_found(c: connection) - { - signature_found(c, ftp_sig_disabled, "ftp-sig"); - } - -event napster_signature_found(c: connection) - { - signature_found(c, napster_sig_disabled, "napster-sig"); - } - -event gnutella_signature_found(c: connection) - { - signature_found(c, gnutella_sig_disabled, "gnutella-sig"); - } - -event kazaa_signature_found(c: connection) - { - signature_found(c, kazaa_sig_disabled, "kazaa-sig"); - } - -event http_signature_found(c: connection) - { - signature_found(c, http_sig_disabled, "http-sig"); - } - -event http_proxy_signature_found(c: connection) - { - signature_found(c, http_proxy_sig_disabled, "http-proxy-sig"); - } - -event ssh_signature_found(c: 
connection, is_orig: bool) - { - signature_found(c, ssh_sig_disabled, "ssh-sig"); - } - -event smtp_signature_found(c: connection) - { - signature_found(c, smtp_sig_disabled, "smtp-sig"); - } - -event irc_signature_found(c: connection) - { - signature_found(c, irc_sig_disabled, "irc-sig"); - } - -event gaobot_signature_found(c: connection) - { - signature_found(c, gaobot_sig_disabled, "gaobot-sig"); - } - -event telnet_signature_found(c: connection, is_orig: bool, len: count) - { - local id = c$id; - - if ( ignore_backdoor_conn(c, "telnet-sig") ) - return; - - if ( ! telnet_sig_disabled && id !in telnet_sig_conns ) - telnet_sig_conns[id] = BACKDOOR_SIG_FOUND; - - if ( ! telnet_sig_3byte_disabled && len == 3 && - id !in telnet_sig_3byte_conns ) - telnet_sig_3byte_conns[id] = BACKDOOR_SIG_FOUND; - } - -event rlogin_signature_found(c: connection, is_orig: bool, - num_null: count, len: count) - { - local id = c$id; - - if ( (rlogin_sig_disabled && rlogin_sig_1byte_disabled) || - ignore_backdoor_conn(c, "rlogin-sig") ) - return; - - local ri = rlogin_conns[id]; - if ( is_orig && ri$o_num_null == 0 ) - ri$o_num_null = num_null; - - else if ( ! is_orig && ri$r_num_null == 0 ) - { - ri$r_num_null = num_null; - ri$r_len = len; - } - else - return; - - if ( ri$o_num_null == 0 || ri$r_num_null == 0 ) - return; - - if ( ! rlogin_sig_1byte_disabled && ri$r_len == 1 ) - log_backdoor(c, "rlogin-sig-1byte"); - - if ( ! rlogin_sig_disabled ) - log_backdoor(c, "rlogin-sig"); - } - - -function ssh_len_stats(c: connection, os: backdoor_endp_stats, - rs: backdoor_endp_stats) : bool - { - if ( ssh_len_disabled || c$id in ssh_len_conns ) - return F; - - if ( os$num_pkts == 0 || rs$num_pkts == 0 ) - return F; - - # xxx: only use ssh-len for partial connection - - local is_partial = os$is_partial || rs$is_partial; - if ( ! 
is_partial ) - return F; - - local num_pkts = os$num_pkts + rs$num_pkts; - - if ( num_pkts < ssh_min_num_pkts ) - return F; - - local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts; - local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts; - - local id = c$id; - if ( num_8k0_pkts >= num_pkts * ssh_min_ssh_pkts_ratio ) - { - add ssh_len_conns[id]; - log_backdoor(c, "ssh-len-v2.x"); - } - - else if ( num_8k4_pkts >= num_pkts * ssh_min_ssh_pkts_ratio ) - { - add ssh_len_conns[id]; - log_backdoor(c, "ssh-len-v1.x"); - } - - return T; - } - -function telnet_stats(c: connection, os: backdoor_endp_stats, - rs: backdoor_endp_stats) : bool - { - local num_lines = os$num_lines + rs$num_lines; - local num_normal_lines = os$num_normal_lines + rs$num_normal_lines; - - if ( num_lines < backdoor_min_num_lines || - num_normal_lines < num_lines * backdoor_min_normal_line_ratio ) - return F; - - local num_bytes = os$num_bytes + rs$num_bytes; - local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii; - - if ( num_bytes < backdoor_min_bytes || - num_7bit_ascii < num_bytes * backdoor_min_7bit_ascii_ratio ) - return F; - - local id = c$id; - - if ( id in telnet_sig_conns && - telnet_sig_conns[id] != BACKDOOR_YES ) - { - telnet_sig_conns[id] = BACKDOOR_YES; - log_backdoor(c, "telnet-sig"); - } - - if ( id in telnet_sig_3byte_conns && - telnet_sig_3byte_conns[id] != BACKDOOR_YES ) - { - telnet_sig_3byte_conns[id] = BACKDOOR_YES; - log_backdoor(c, "telnet-sig-3byte"); - } - - return T; - } - -event backdoor_stats(c: connection, - os: backdoor_endp_stats, rs: backdoor_endp_stats) - { - telnet_stats(c, os, rs); - ssh_len_stats(c, os, rs); - } diff --git a/policy.old/bittorrent.bro b/policy.old/bittorrent.bro deleted file mode 100644 index 7a1576abf5..0000000000 --- a/policy.old/bittorrent.bro +++ /dev/null 
@@ -1,277 +0,0 @@ -# $Id:$ -# -# bittorrent.bro - policy script for analyzing BitTorrent traffic -# --------------------------------------------------------------- -# This code contributed by Nadi Sarrar. - -@load dpd -@load weird - -module BitTorrent; - -export { - # Whether to log the length of PDUs. - global log_pdu_length = T &redef; -} - -redef capture_filters += { ["bittorrent"] = "tcp" }; - -type bt_peer_state: enum { - choked, # peer won't receive any responses to requests (initial state) - unchoked # peer may do requests -}; - -type bt_peer_info: record { - # Total of pure peer wire protocol overhead data (w/o pieces). - protocol_total: count &default = 0; - - # State of the peer - choked or unchoked. - state: bt_peer_state &default = choked; - - # Total number of seconds the peer was unchoked. - unchoked: interval &default = 0 secs; - - # Time of the last received unchoke message. - time_last_unchoked: time; -}; - -type bt_peer_conn: record { - id: count; - orig: bt_peer_info; - resp: bt_peer_info; - weird: bool &default = F; -}; - -global bittorrent_log = open_log_file("bittorrent") &redef; -global bt_peer_conns : table[conn_id] of bt_peer_conn; -global peer_conn_count = 0; - -function record_peer_protocol_traffic(c: connection, is_orig: bool, - protocol_len: count): count - { - if ( c$id in bt_peer_conns ) - { - local pc = bt_peer_conns[c$id]; - - if ( is_orig ) - pc$orig$protocol_total += protocol_len; - else - pc$resp$protocol_total += protocol_len; - - return pc$id; - } - - return 0; - } - -function record_choke(pi: bt_peer_info, now: time) - { - if ( pi$state == unchoked ) - { - pi$state = choked; - pi$unchoked += now - pi$time_last_unchoked; - } - } - -function record_unchoke(pi: bt_peer_info, now: time) - { - if ( pi$state == choked ) - { - pi$state = unchoked; - pi$time_last_unchoked = now; - } - } - -function lookup_bt_peer(id: conn_id): bt_peer_conn - { - if ( id in bt_peer_conns ) - return bt_peer_conns[id]; - - local orig: bt_peer_info; - 
local resp: bt_peer_info; - local pc: bt_peer_conn; - pc$orig = orig; - pc$resp = resp; - pc$id = ++peer_conn_count; - bt_peer_conns[id] = pc; - - return pc; - } - -function bt_log_id(id: conn_id, cid: count, tag: string, is_orig: bool): string - { - return fmt("%.6f P%d %s %s:%d %s %s:%d", - network_time(), cid, tag, id$orig_h, id$orig_p, - is_orig ? ">" : "<", id$resp_h, id$resp_p); - } - -function pdu_log_len(len: count): string - { - return log_pdu_length ? fmt("[PDU-len:%d]", len) : ""; - } - -function log_pdu(c: connection, is_orig: bool, tag: string, len: count): count - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(len)); - - return cid; - } - -function log_pdu_str(c: connection, is_orig: bool, tag: string, len: count, - str: string) - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(len), str); - } - -function log_pdu_str_n(c: connection, is_orig: bool, tag: string, len: count, - n: count, str: string) - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(n), str); - } - -event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string, - info_hash: string, peer_id: string) - { - local pc = lookup_bt_peer(c$id); - log_pdu_str(c, is_orig, "handshake", 68, - fmt("[peer_id:%s info_hash:%s reserved:%s]", - bytestring_to_hexstr(peer_id), - bytestring_to_hexstr(info_hash), - bytestring_to_hexstr(reserved))); - } - -event bittorrent_peer_keep_alive(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "keep-alive", 4); - } - -event bittorrent_peer_choke(c: connection, is_orig: bool) - { - local cid = log_pdu(c, is_orig, "choke", 5); - if ( cid > 0 ) - { - local pc = bt_peer_conns[c$id]; - record_choke(is_orig ? 
pc$resp : pc$orig, network_time()); - } - } - -event bittorrent_peer_unchoke(c: connection, is_orig: bool) - { - local cid = log_pdu(c, is_orig, "unchoke", 5); - if ( cid > 0 ) - { - local pc = bt_peer_conns[c$id]; - record_unchoke(is_orig ? pc$resp : pc$orig, network_time()); - } - } - -event bittorrent_peer_interested(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "interested", 5); - } - -event bittorrent_peer_not_interested(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "not-interested", 5); - } - -event bittorrent_peer_have(c: connection, is_orig: bool, piece_index: count) - { - log_pdu(c, is_orig, "have", 9); - } - -event bittorrent_peer_bitfield(c: connection, is_orig: bool, bitfield: string) - { - log_pdu_str(c, is_orig, "bitfield", 5 + byte_len(bitfield), - fmt("[bitfield:%s]", - bytestring_to_hexstr(bitfield))); - } - -event bittorrent_peer_request(c: connection, is_orig: bool, index: count, - begin: count, length: count) - { - log_pdu_str(c, is_orig, "request", 17, - fmt("[index:%d begin:%d length:%d]", index, begin, length)); - } - -event bittorrent_peer_piece(c: connection, is_orig: bool, index: count, - begin: count, piece_length: count) - { - log_pdu_str_n(c, is_orig, "piece", 13, 13 + piece_length, - fmt("[index:%d begin:%d piece_length:%d]", - index, begin, piece_length)); - } - -event bittorrent_peer_cancel(c: connection, is_orig: bool, index: count, - begin: count, length: count) - { - log_pdu_str(c, is_orig, "cancel", 7, - fmt("[index:%d begin:%d length:%d]", - index, begin, length)); - } - -event bittorrent_peer_port(c: connection, is_orig: bool, listen_port: port) - { - log_pdu_str(c, is_orig, "port", 5, - fmt("[listen_port:%s]", listen_port)); - } - -event bittorrent_peer_unknown(c: connection, is_orig: bool, message_id: count, - data: string) - { - log_pdu_str(c, is_orig, "", 5 + byte_len(data), - fmt("[message_id:%d]", message_id)); - } - -event bittorrent_peer_weird(c: connection, is_orig: bool, msg: string) - { - local pc 
= lookup_bt_peer(c$id); - pc$weird = T; - - print bittorrent_log, - fmt("%s [%s]", bt_log_id(c$id, pc$id, "", is_orig), msg); - - event conn_weird(msg, c); - } - -function log_close(c: connection, pc: bt_peer_conn, is_orig: bool) - { - local endp = is_orig ? c$orig : c$resp; - local peer_i = is_orig ? pc$orig : pc$resp; - - local status = - pc$weird ? - fmt("size:%d", endp$size) : - fmt("unchoked:%.06f size_protocol:%d size_pieces:%d", - peer_i$unchoked, peer_i$protocol_total, - endp$size - peer_i$protocol_total); - - print bittorrent_log, - fmt("%s [duration:%.06f %s]", - bt_log_id(c$id, pc$id, "", is_orig), - c$duration, status); - } - -event connection_state_remove(c: connection) - { - if ( c$id !in bt_peer_conns ) - return; - - local pc = bt_peer_conns[c$id]; - delete bt_peer_conns[c$id]; - - record_choke(pc$orig, c$start_time + c$duration); - record_choke(pc$resp, c$start_time + c$duration); - - log_close(c, pc, T); - log_close(c, pc, F); - } diff --git a/policy.old/blaster.bro b/policy.old/blaster.bro deleted file mode 100644 index 07cc542199..0000000000 --- a/policy.old/blaster.bro +++ /dev/null 
@@ -1,52 +0,0 @@
-# $Id: blaster.bro 5952 2008-07-13 19:45:15Z vern $
-#
-# Identifies W32.Blaster-infected hosts by observing their scanning
-# activity.
-
-@load notice
-@load site
-
-# Which hosts have scanned which addresses via 135/tcp.
-global w32b_scanned: table[addr] of set[addr] &write_expire = 5min;
-global w32b_reported: set[addr] &persistent;
-
-const W32B_port = 135/tcp;
-const W32B_MIN_ATTEMPTS = 50 &redef;
-
-redef enum Notice += {
- W32B_SourceLocal,
- W32B_SourceRemote,
-};
-
-event connection_attempt(c: connection)
- {
- if ( c$id$resp_p != W32B_port )
- return;
-
- local ip = c$id$orig_h;
-
- if ( ip in w32b_reported )
- return;
-
- if ( ip in w32b_scanned )
- {
- add (w32b_scanned[ip])[c$id$resp_h];
-
- if ( length(w32b_scanned[ip]) >= W32B_MIN_ATTEMPTS )
- {
- if ( is_local_addr(ip) )
- NOTICE([$note=W32B_SourceLocal, $conn=c,
- $msg=fmt("W32.Blaster local source: %s",
- ip)]);
- else
- NOTICE([$note=W32B_SourceRemote, $conn=c,
- $msg=fmt("W32.Blaster remote source: %s",
- ip)]);
-
- add w32b_reported[ip];
- }
- }
-
- else
- w32b_scanned[ip] = set(ip) &mergeable;
- }
diff --git a/policy.old/brolite-backdoor.bro b/policy.old/brolite-backdoor.bro
deleted file mode 100644
index c2a378f907..0000000000
--- a/policy.old/brolite-backdoor.bro
+++ /dev/null
@@ -1,55 +0,0 @@
-# $Id: brolite-backdoor.bro 2956 2006-05-14 01:08:34Z vern $
-
-# Sample file for running backdoor detector
-#
-# Note, this can consume significant processing resources when running
-# on live traffic.
-#
-# To run bro with this script using a Bro Lite setup:
-#
-# rename this script to hostname.bro
-# run: $BROHOME/etc/bro.rc start
-# or bro -i interface brolite-backdoor.bro
-
-@load site
-
-@load backdoor
-@load weird
-
-# By default, do backdoor detection on everything except standard HTTP
-# and SMTP ports.
-redef capture_filters += [ ["tcp"] = "tcp" ];
-redef restrict_filters +=
- [ ["not-http"] = "not (port 80 or port 8000 or port 8080)" ];
-redef restrict_filters += [ ["not-smtp"] = "not (port 25 or port 587)" ];
-
-redef use_tagging = T;
-
-# Set if you want to dump packets that trigger the detections.
-redef dump_backdoor_packets = T;
-
-# Disable (set to T) if you don't care about this traffic.
-# redef gnutella_sig_disabled = T;
-# redef kazaa_sig_disabled = T;
-
-redef napster_sig_disabled = T; # too many false positives
-
-# Ignore outgoing, only report incoming backdoors.
-redef backdoor_ignore_remote += {
- ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
- http_backdoor_sigs, http_proxy_backdoor_sigs, smtp_backdoor_sigs,
-};
-
-# Set these to send mail on backdoor alarms.
-# redef mail_dest = "youremail@yourhost.dom";
-# redef notice_action_filters += {
-# [BackdoorFound] = send_email_notice,
-#};
-
-# Tuning: use more aggressive timeouts to reduce CPU and memory, as these
-# have little effect on backdoor analysis.
-redef tcp_SYN_timeout = 1 sec;
-redef tcp_attempt_delay = 1 sec;
-redef tcp_inactivity_timeout = 1 min;
-redef udp_inactivity_timeout = 5 secs;
-redef icmp_inactivity_timeout = 5 secs;
diff --git a/policy.old/brolite-sigs.bro b/policy.old/brolite-sigs.bro
deleted file mode 100644
index 33b5be7730..0000000000
--- a/policy.old/brolite-sigs.bro
+++ /dev/null
@@ -1,82 +0,0 @@
-# $Id: brolite-sigs.bro 3856 2006-12-02 00:18:57Z vern $
-
-# Bro Lite signature configuration file
-
-# General policy - these scripts are more infrastructural than service
-# oriented, so in general avoid changing anything here.
-
-# Set global constant. This can be used in ifdef statements to determine
-# if signatures are enabled.
-const use_signatures = T;
-
-@load snort # basic definitions for signatures
-@load signatures # the signature policy engine
-@load sig-functions # addl. functions added for signature accuracy
-@load sig-action # actions related to particular signatures
-
-# Flag HTTP worm sources such as Code Red.
-@load worm
-
-# Do worm processing
-redef notice_action_filters += { [RemoteWorm] = file_notice };
-
-# Ports that need to be captured for signatures to see a useful
-# cross section of traffic.
-redef capture_filters += {
- ["sig-http"] =
- "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001",
- ["sig-ftp"] = "port ftp",
- ["sig-telnet"] = "port telnet",
- ["sig-portmapper"] = "port 111",
- ["sig-smtp"] = "port smtp",
- ["sig-imap"] = "port 143",
- ["sig-snmp"] = "port 161 or port 162",
- ["sig-dns"] = "port 53",
-
- # rsh/rlogin/rexec
- ["sig-rfoo"] = "port 512 or port 513 or port 515",
-
- # Range of TCP ports for general RPC traffic. This can also
- # occur on other ports, but these should catch a lot without
- # a major performance hit. We skip ports assosciated with
- # HTTP, SSH and M$.
- ["sig-rpc"] = "tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139",
-};
-
-### Why is this called "tcp3"?
-# Catch outbound M$ scanning. Returns filter listing local addresses
-# along with the interesting ports.
-function create_tcp3_filter(): string
- {
- local local_addrs = "";
- local firsttime = T;
-
- for ( l in local_nets )
- {
- if ( firsttime )
- {
- local_addrs = fmt("src net %s", l);
- firsttime = F;
- }
- else
- local_addrs = fmt("%s or src net %s", local_addrs, l);
- }
-
- local MS_scan_ports =
- "dst port 135 or dst port 137 or dst port 139 or dst port 445";
-
- if ( local_addrs == "" )
- return MS_scan_ports;
- else
- return fmt("(%s) and (%s)", local_addrs, MS_scan_ports);
- }
-
-# Create and apply the filter.
-redef capture_filters += { ["tcp3"] = create_tcp3_filter()};
-
-# Turn on ICMP analysis.
-redef capture_filters += { ["icmp"] = "icmp"};
-
-# Load the addendum signatures. These are utility signatures that do not
-# produce event messages.
-redef signature_files += "sig-addendum";
diff --git a/policy.old/brolite.bro b/policy.old/brolite.bro
deleted file mode 100644
index 36d9ad3653..0000000000
--- a/policy.old/brolite.bro
+++ /dev/null
@@ -1,195 +0,0 @@ -# Bro Lite base configuration file. - -# General policy - these scripts are more infrastructural than service -# oriented, so in general avoid changing anything here. - -@load site # defines local and neighbor networks from static config -@load tcp # initialize BPF filter for SYN/FIN/RST TCP packets -@load weird # initialize generic mechanism for unusual events -@load conn # access and record connection events -@load hot # defines certain forms of sensitive access -@load frag # process TCP fragments -@load print-resources # on exit, print resource usage information - -# Scan detection policy. -@load scan # generic scan detection mechanism -@load trw # additional, more sensitive scan detection -#@load drop # include if installation has ability to drop hostile remotes - -# Application level policy - these scripts operate on the specific service. -@load http # general http analyzer, low level of detail -@load http-request # detailed analysis of http requests -@load http-reply # detailed analysis of http reply's - -# Track software versions; required for some signature matching. Also -# can be used by http and ftp policies. -@load software - -@load ftp # FTP analysis -@load portmapper # record and analyze RPC portmapper requests -@load tftp # identify and log TFTP sessions -@load login # rlogin/telnet analyzer -@load irc # IRC analyzer -@load blaster # blaster worm detection -@load stepping # "stepping stone" detection -@load synflood # synflood attacks detection -@load smtp # record and analyze email traffic - somewhat expensive - -@load notice-policy # tuning of notices to downgrade some alarms - -# off by default -#@load icmp # icmp analysis - -# Tuning of memory consumption. 
-@load inactivity # time out connections for certain services more quickly -# @load print-globals # on exit, print the size of global script variables - -# Record system statistics to the notice file -@load stats - -# udp analysis - potentially expensive, depending on a site's traffic profile -#@load udp.all -#@load remove-multicast - -# Prints the pcap filter and immediately exits. Not used during -# normal operation. -#@load print-filter - -## End policy script loading. - -## General configuration. - -@load rotate-logs -redef log_rotate_base_time = "0:00"; -redef log_rotate_interval = 24 hr; - - -# Set additional policy prefixes. -@prefixes += lite - -## End basic configuration. - - -## Scan configuration. -@ifdef ( Scan::analyze_all_services ) - redef Scan::analyze_all_services = T; - - # The following turns off scan detection. - #redef Scan::suppress_scan_checks = T; - - # Be a bit more aggressive than default (though the defaults - # themselves should be fixed). - redef Scan::report_outbound_peer_scan = { 100, 1000, }; - - # These services are skipped for scan detection due to excessive - # background noise. - redef Scan::skip_services += { - http, # Avoid Code Red etc. overload - 27374/tcp, # Massive scanning in Jan 2002 - 1214/tcp, # KaZaa scans - 12345/tcp, # Massive scanning in Apr 2002 - 445/tcp, # Massive distributed scanning Oct 2002 - 135/tcp, # These days, NetBIOS scanning is endemic - 137/udp, # NetBIOS - 139/tcp, # NetBIOS - 1025/tcp, - 6129/tcp, # Dameware - 3127/tcp, # MyDoom worms worms worms! - 2745/tcp, # Bagel worm - 1433/tcp, # Distributed scanning, April 2004 - 5000/tcp, # Distributed scanning, May 2004 - 5554/tcp, # More worm food, May 2004 - 9898/tcp, # Worms attacking worms. ugh - May 2004 - 3410/tcp, # More worm food, June 2004 - 3140/tcp, # Dyslexic worm food, June 2004 - 27347/tcp, # Can't kids type anymore? 
- 1023/tcp, # Massive scanning, July 2004 - 17300/tcp, # Massive scanning, July 2004 - }; - -@endif - -@ifdef ( ICMP::detect_scans ) - # Whether to detect ICMP scans. - redef ICMP::detect_scans = F; - redef ICMP::scan_threshold = 100; -@endif - -@ifdef ( TRW::TRWAddressScan ) - # remove logging TRW scan events - redef notice_action_filters += { - [TRW::TRWAddressScan] = ignore_notice, - }; -@endif - -# Note: default scan configuration is conservative in terms of memory use and -# might miss slow scans. Consider uncommenting these based on your sites scan -# traffic. -#redef distinct_peers &create_expire = 30 mins; -#redef distinct_ports &create_expire = 30 mins; -#redef distinct_low_ports &create_expire= 30 mins; - - -## End scan configuration. - -## additional IRC checks -redef IRC::hot_words += /.*exe/ ; - - -## Dynamic Protocol Detection configuration -# -# This is off by default, as it requires a more powerful Bro host. -# Uncomment next line to activate. -# const use_dpd = T; - -@ifdef ( use_dpd ) - @load dpd - @load irc-bot - @load dyn-disable - @load detect-protocols - @load detect-protocols-http - @load proxy - @load ssh - - # By default, DPD looks at all traffic except port 80. - # For lightly loaded networks, comment out the restrict_filters line. - # For heavily loaded networks, try adding addition ports (e.g., 25) to - # the restrict filters. - redef capture_filters += [ ["tcp"] = "tcp" ]; - redef restrict_filters += [ ["not-http"] = "not (port 80)" ]; -@endif - -@ifdef ( ProtocolDetector::ServerFound ) -# Report servers on non-standard ports only for local addresses. -redef notice_policy += { - [$pred(a: notice_info) = - { return a$note == ProtocolDetector::ServerFound && - ! is_local_addr(a$src); }, - $result = NOTICE_FILE, - $priority = 1], - - # Report protocols on non-standard ports only for local addresses - # (unless it's IRC). - [$pred(a: notice_info) = - { return a$note == ProtocolDetector::ProtocolFound && - ! 
is_local_addr(a$dst) && - a$sub != "IRC"; }, - $result = NOTICE_FILE, - $priority = 1], -}; -@endif - -# The following is used to transfer state between Bro's when one -# takes over from another. -# -# NOTE: not implemented in the production version, so ignored for now. -@ifdef ( remote_peers_clear ) - redef remote_peers_clear += { - [127.0.0.1, 55555/tcp] = [$hand_over = T], - [127.0.0.1, 0/tcp] = [$hand_over = T] - }; -@endif - -# Use tagged log files for notices. -redef use_tagging = T; - diff --git a/policy.old/bt-tracker.bro b/policy.old/bt-tracker.bro deleted file mode 100644 index dfc948a9e2..0000000000 --- a/policy.old/bt-tracker.bro +++ /dev/null 
@@ -1,190 +0,0 @@ -# $Id:$ -# -# bt-tracker.bro - analysis of BitTorrent tracker traffic -# ------------------------------------------------------------------------------ -# This code contributed by Nadi Sarrar. - -@load dpd -@load weird - -module BitTorrent; - -export { - # Whether to log tracker URIs. - global log_tracker_request_uri = F &redef; -} - -redef capture_filters += { ["bittorrent"] = "tcp", }; - -global bt_tracker_log = open_log_file("bt-tracker") &redef; - -global bt_tracker_conns: table[conn_id] of count; -global tracker_conn_count: count = 0; - - -function bt_log_tag(id: conn_id, cid: count, tag: string, is_orig: bool): string - { - return fmt("%.6f T%d %s %s:%d %s %s:%d", - network_time(), cid, tag, id$orig_h, id$orig_p, - is_orig ? ">" : "<", id$resp_h, id$resp_p); - } - -event bt_tracker_request(c: connection, uri: string, - headers: bt_tracker_headers) - { - # Parse and validate URI. - local pair = split1(uri, /\?/); - local keys = split(pair[2], /&/); - - local info_hash = ""; - local peer_ide = ""; - local peer_port = 0/udp; - local uploaded = -1; - local downloaded = -1; - local left = -1; - local compact = T; - local peer_event = "empty"; - - for ( idx in keys ) - { - local keyval = split1(keys[idx], /=/); - if ( length(keyval) != 2 ) - next; - - local key = to_lower(keyval[1]); - local val = keyval[2]; - - if ( key == "info_hash" ) - info_hash = unescape_URI(val); - else if ( key == "peer_id" ) - peer_ide = unescape_URI(val); - else if ( key == "port" ) - peer_port = to_port(to_count(val), tcp); - else if ( key == "uploaded" ) - uploaded = to_int(val); - else if ( key == "downloaded" ) - downloaded = to_int(val); - else if ( key == "left" ) - left = to_int(val); - else if ( key == "compact" ) - compact = (to_int(val) == 1); - - else if ( key == "event" ) - { - val = to_lower(val); - if ( val == /started|stopped|completed/ ) - peer_event = val; - } - } - - if ( info_hash == "" || peer_ide == "" || peer_port == 0/udp ) - { # Does not look 
like BitTorrent. - disable_analyzer(c$id, current_analyzer()); - delete bt_tracker_conns[c$id]; - return; - } - - if ( peer_port != 0/tcp ) - expect_connection(to_addr("0.0.0.0"), c$id$orig_h, - peer_port, ANALYZER_BITTORRENT, 1 min); - - local id: count; - if ( c$id in bt_tracker_conns ) - id = bt_tracker_conns[c$id]; - else - { - id = ++tracker_conn_count; - bt_tracker_conns[c$id] = id; - } - - print bt_tracker_log, - fmt("%s [peer_id:%s info_hash:%s port:%s event:%s up:%d down:%d left:%d compact:%s]%s", - bt_log_tag(c$id, id, "request", T), - bytestring_to_hexstr(peer_ide), - bytestring_to_hexstr(info_hash), - peer_port, peer_event, - uploaded, downloaded, left, - compact ? "yes" : "no", - log_tracker_request_uri ? fmt(" GET %s", uri) : ""); - } - -function benc_status(benc: bittorrent_benc_dir, tag: string): string - { - if ( tag !in benc || ! benc[tag]?$i ) - return ""; - - local fmt_tag = sub(tag, / /, "_"); - return fmt("%s:%d", fmt_tag, benc[tag]$i); - } - -event bt_tracker_response(c: connection, status: count, - headers: bt_tracker_headers, - peers: bittorrent_peer_set, - benc: bittorrent_benc_dir) - { - if ( c$id !in bt_tracker_conns ) - return; - - local id = bt_tracker_conns[c$id]; - - for ( peer in peers ) - expect_connection(c$id$orig_h, peer$h, peer$p, - ANALYZER_BITTORRENT, 1 min); - - if ( "failure reason" in benc ) - { - print bt_tracker_log, - fmt("%s [failure_reason:\"%s\"]", - bt_log_tag(c$id, id, "response", F), - benc["failure reason"]?$s ? 
- benc["failure reason"]$s : ""); - return; - } - - print bt_tracker_log, - fmt("%s [%s%s%s%s%speers:%d]", - bt_log_tag(c$id, id, "response", F), - benc_status(benc, "warning message"), - benc_status(benc, "complete"), - benc_status(benc, "incomplete"), - benc_status(benc, "interval"), - benc_status(benc, "min interval"), - length(peers)); - } - -event bt_tracker_response_not_ok(c: connection, status: count, - headers: bt_tracker_headers) - { - if ( c$id in bt_tracker_conns ) - { - local id = bt_tracker_conns[c$id]; - print bt_tracker_log, - fmt("%s [status:%d]", - bt_log_tag(c$id, id, "response", F), status); - } - } - -event bt_tracker_weird(c: connection, is_orig: bool, msg: string) - { - local id = (c$id in bt_tracker_conns) ? bt_tracker_conns[c$id] : 0; - print bt_tracker_log, - fmt("%s [%s]", bt_log_tag(c$id, id, "", is_orig), msg); - - event conn_weird(msg, c); - } - -event connection_state_remove(c: connection) - { - if ( c$id !in bt_tracker_conns ) - return; - - local id = bt_tracker_conns[c$id]; - delete bt_tracker_conns[c$id]; - - print bt_tracker_log, - fmt("%s [duration:%.06f total:%d]", - # Ideally the direction here wouldn't be T or F - # but both, displayed as "<>". - bt_log_tag(c$id, id, "", T), c$duration, - c$orig$size + c$resp$size); - } diff --git a/policy.old/capture-events.bro b/policy.old/capture-events.bro deleted file mode 100644 index 2ba6eba7b7..0000000000 --- a/policy.old/capture-events.bro +++ /dev/null @@ -1,9 +0,0 @@ -#! $Id: capture-events.bro 4674 2007-07-30 22:00:43Z vern $ -# -# Captures all events to events.bst. -# - -event bro_init() - { - capture_events("events.bst"); - } diff --git a/policy.old/capture-loss.bro b/policy.old/capture-loss.bro deleted file mode 100644 index a641749bd4..0000000000 --- a/policy.old/capture-loss.bro +++ /dev/null 
@@ -1,74 +0,0 @@
-# $Id:$
-
-# Logs evidence regarding the degree to which the packet capture process
-# suffers from measurment loss.
-#
-# By default, only reports loss computed in terms of number of "gap events"
-# (ACKs for a sequence number that's above a gap). You can also get an
-# estimate in terms of number of bytes missing; this however is sometimes
-# heavily affected by miscomputations due to broken packets with incorrect
-# sequence numbers. (These packets also affect the first estimator, but
-# only to a quite minor degree.)
-
-@load notice
-
-module CaptureLoss;
-
-export {
- redef enum Notice += {
- CaptureLossReport, # interval report
- CaptureLossSummary, # end-of-run summary
- };
-
- # Whether to also report byte-weighted estimates.
- global report_byte_based_estimates = F &redef;
-
- # Whether to generate per-interval reports even if there
- # was no evidence of loss.
- global report_if_none = F &redef;
-
- # Whether to generate a summary even if there was no
- # evidence of loss.
- global summary_if_none = F &redef;
-}
-
-
-# Redefine this to be non-zero to get per-interval reports.
-redef gap_report_freq = 0 sec;
-
-event gap_report(dt: interval, info: gap_info)
- {
- if ( info$gap_events > 0 || report_if_none )
- {
- local msg = report_byte_based_estimates ?
- fmt("gap-dt=%.6f acks=%d bytes=%d gaps=%d gap-bytes=%d",
- dt, info$ack_events, info$ack_bytes,
- info$gap_events, info$gap_bytes) :
- fmt("gap-dt=%.6f acks=%d gaps=%d",
- dt, info$ack_events, info$gap_events);
-
- NOTICE([$note=CaptureLossReport, $msg=msg]);
- }
- }
-
-event bro_done()
- {
- local g = get_gap_summary();
-
- local gap_rate =
- g$ack_events == 0 ? 0.0 :
- (1.0 * g$gap_events) / (1.0 * g$ack_events);
- local gap_bytes =
- g$ack_bytes == 0 ? 0.0 :
- (1.0 * g$gap_bytes) / (1.0 * g$ack_bytes);
-
- if ( gap_rate == 0.0 && gap_bytes == 0.0 && ! summary_if_none )
- return;
-
- local msg = report_byte_based_estimates ?
- fmt("estimated rate = %g / %g (events/bytes)",
- gap_rate, gap_bytes) :
- fmt("estimated rate = %g", gap_rate);
-
- NOTICE([$note=CaptureLossSummary, $msg=msg]);
- }
diff --git a/policy.old/capture-state-updates.bro b/policy.old/capture-state-updates.bro
deleted file mode 100644
index 7630015365..0000000000
--- a/policy.old/capture-state-updates.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#! $Id: capture-events.bro 6 2004-04-30 00:31:26Z jason $
-#
-# Captures all operations on &synchronized variables to state-updates.bst.
-#
-
-event bro_init()
- {
- capture_state_updates("state-updates.bst");
- }
diff --git a/policy.old/checkpoint.bro b/policy.old/checkpoint.bro
deleted file mode 100644
index 2222d69c0c..0000000000
--- a/policy.old/checkpoint.bro
+++ /dev/null
@@ -1,54 +0,0 @@
-# $Id: checkpoint.bro 6724 2009-06-07 09:23:03Z vern $
-#
-# Checkpoints Bro's persistent state at regular intervals and scans
-# the state directory for external updates.
-
-const state_rescan_interval = 15 secs &redef;
-const state_checkpoint_interval = 15 min &redef;
-
-# Services for which the internal connection state is stored.
-const persistent_services = {
- 21/tcp, # ftp
- 22/tcp, # ssh
- 23/tcp, # telnet
- 513/tcp, # rlogin
-} &redef;
-
-# The first timer fires immediately. This flags lets us ignore it.
-global state_ignore_first = T;
-
-event state_checkpoint()
- {
- if ( state_ignore_first )
- state_ignore_first = F;
-
- else if ( ! bro_is_terminating() )
- checkpoint_state();
-
- if ( state_checkpoint_interval > 0 secs )
- schedule state_checkpoint_interval { state_checkpoint() };
- }
-
-event state_rescan()
- {
- rescan_state();
-
- if ( state_rescan_interval > 0 secs )
- schedule state_rescan_interval { state_rescan() };
- }
-
-event bro_init()
- {
- if ( state_checkpoint_interval > 0 secs )
- schedule state_checkpoint_interval { state_checkpoint() };
-
- if ( state_rescan_interval > 0 secs )
- schedule state_rescan_interval { state_rescan() };
- }
-
-event connection_established(c: connection)
- {
- # Buggy?
- # if ( c$id$resp_p in persistent_services )
- # make_connection_persistent(c);
- }
diff --git a/policy.old/clear-passwords.bro b/policy.old/clear-passwords.bro
deleted file mode 100644
index 7607738dcc..0000000000
--- a/policy.old/clear-passwords.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: clear-passwords.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Monitoring for use of cleartext passwords.
-
-@load ftp
-@load login
-@load pop3
-@load irc
-
-const passwd_file = open_log_file("passwords") &redef;
-
-# ftp, login and pop3 call login_{success,failure}, which in turn
-# calls account_tried(), so we can snarf all at once here:
-event account_tried(c: connection, user: string, passwd: string)
- {
- print passwd_file, fmt("%s account name '%s', password '%s': %s",
- is_local_addr(c$id$orig_h) ? "local" : "remote",
- user, passwd, id_string(c$id));
- }
-
-# IRC raises a different event on login, so we hook into it here:
-event irc_join_message(c: connection, info_list: irc_join_list)
- {
- for ( l in info_list)
- {
- print passwd_file, fmt("IRC JOIN name '%s', password '%s'",
- l$nick, l$password);
- }
- }
-
-# Raised if IRC user tries to become operator:
-event irc_oper_message(c: connection, user: string, password: string)
- {
- print passwd_file, fmt("IRC OPER name '%s', password '%s'",
- user, password);
- }
diff --git a/policy.old/conn-flood.bro b/policy.old/conn-flood.bro
deleted file mode 100644
index 7da1cccff4..0000000000
--- a/policy.old/conn-flood.bro
+++ /dev/null
@@ -1,71 +0,0 @@
-# $Id$
-#
-# Script which alarms if the number of connections per time interval
-# exceeds a threshold.
-#
-# This script is mainly meant as a demonstration; it hasn't been hardened
-# with/for operational use.
-
-@load notice
-
-module ConnFlood;
-
-export {
- redef enum Notice += {
- ConnectionFloodStart, ConnectionFloodEnd,
- };
-
- # Thresholds to reports (conns/sec).
- const thresholds: set[count] =
- { 1000, 2000, 4000, 6000, 8000, 10000, 20000, 50000 }
- &redef;
-
- # Average over this time interval.
- const avg_interval = 10 sec &redef;
-}
-
-global conn_counter = 0;
-global last_thresh = 0;
-
-# Note: replace with connection_attempt if too expensive.
-event new_connection(c: connection)
- {
- ++conn_counter;
- }
-
-event check_flood()
- {
- local thresh = 0;
- local rate = double_to_count(interval_to_double((conn_counter / avg_interval)));
-
- # Find the largest threshold reached this interval.
- for ( i in thresholds )
- {
- if ( rate >= i && rate > thresh )
- thresh = i;
- }
-
- # Report if larger than last reported threshold.
- if ( thresh > last_thresh )
- {
- NOTICE([$note=ConnectionFloodStart, $n=thresh,
- $msg=fmt("flood begins at rate %d conns/sec", rate)]);
- last_thresh = thresh;
- }
-
- # If no threshold was reached, the flood is over.
- else if ( thresh == 0 && last_thresh > 0 )
- {
- NOTICE([$note=ConnectionFloodEnd, $n=thresh,
- $msg=fmt("flood ends at rate %d conns/sec", rate)]);
- last_thresh = 0;
- }
-
- conn_counter = 0;
- schedule avg_interval { check_flood() };
- }
-
-event bro_init()
- {
- schedule avg_interval { check_flood() };
- }
diff --git a/policy.old/conn-id.bro b/policy.old/conn-id.bro
deleted file mode 100644
index 9a81e307c9..0000000000
--- a/policy.old/conn-id.bro
+++ /dev/null
@@ -1,24 +0,0 @@
-# $Id: conn-id.bro 45 2004-06-09 14:29:49Z vern $
-
-# Simple functions for generating ASCII connection identifiers.
-
-@load port-name
-
-function id_string(id: conn_id): string
- {
- return fmt("%s > %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-function reverse_id_string(id: conn_id): string
- {
- return fmt("%s < %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-function directed_id_string(id: conn_id, is_orig: bool): string
- {
- return is_orig ? id_string(id) : reverse_id_string(id);
- }
diff --git a/policy.old/conn.bro b/policy.old/conn.bro
deleted file mode 100644
index 6491c9b8e1..0000000000
--- a/policy.old/conn.bro
+++ /dev/null
@@ -1,425 +0,0 @@ -# $Id: conn.bro 6782 2009-06-28 02:19:03Z vern $ - -@load notice -@load hot -@load port-name -@load netstats -@load conn-id - -redef enum Notice += { - SensitiveConnection, # connection marked "hot" -}; - -const conn_closed = { TCP_CLOSED, TCP_RESET }; - -global have_FTP = F; # if true, we've loaded ftp.bro -global have_SMTP = F; # if true, we've loaded smtp.bro - -# TODO: Do we have a nicer way of doing this? -export { global FTP::is_ftp_data_conn: function(c: connection): bool; } - -# Whether to include connection state history in the logs generated -# by record_connection. -const record_state_history = F &redef; - -# Whether to translate the local address in SensitiveConnection notices -# to a hostname. Meant as a demonstration of the "when" construct. -const xlate_hot_local_addr = F &redef; - -# Whether to use DPD for generating the service field in the summaries. -# Default off, because it changes the format of conn.log in a way -# potentially incompatible with existing scripts. -const dpd_conn_logs = F &redef; - -# Maps a given port on a given server's address to an RPC service. -# If we haven't loaded portmapper.bro, then it will be empty -# (and, ideally, queries to it would be optimized away ...). -global RPC_server_map: table[addr, port] of string; - -const conn_file = open_log_file("conn") &redef; - -function conn_state(c: connection, trans: transport_proto): string - { - local os = c$orig$state; - local rs = c$resp$state; - - local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL; - local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL; - - if ( trans == tcp ) - { - if ( rs == TCP_RESET ) - { - if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT || - (os == TCP_RESET && - c$orig$size == 0 && c$resp$size == 0) ) - return "REJ"; - else if ( o_inactive ) - return "RSTRH"; - else - return "RSTR"; - } - else if ( os == TCP_RESET ) - return r_inactive ? 
"RSTOS0" : "RSTO"; - else if ( rs == TCP_CLOSED && os == TCP_CLOSED ) - return "SF"; - else if ( os == TCP_CLOSED ) - return r_inactive ? "SH" : "S2"; - else if ( rs == TCP_CLOSED ) - return o_inactive ? "SHR" : "S3"; - else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE ) - return "S0"; - else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED ) - return "S1"; - else - return "OTH"; - } - - else if ( trans == udp ) - { - if ( os == UDP_ACTIVE ) - return rs == UDP_ACTIVE ? "SF" : "S0"; - else - return rs == UDP_ACTIVE ? "SHR" : "OTH"; - } - - else - return "OTH"; - } - -function conn_size(e: endpoint, trans: transport_proto): string - { - if ( e$size > 0 || (trans == tcp && e$state == TCP_CLOSED) ) - return fmt("%d", e$size); - else - ### should return 0 for TCP_RESET that went through TCP_CLOSED - return "?"; - } - -function service_name(c: connection): string - { - local p = c$id$resp_p; - - if ( p in port_names ) - return port_names[p]; - else - return "other"; - } - -const state_graphic = { - ["OTH"] = "?>?", ["REJ"] = "[", - ["RSTO"] = ">]", ["RSTOS0"] = "}]", ["RSTR"] = ">[", ["RSTRH"] = "<[", - ["S0"] = "}", ["S1"] = ">", ["S2"] = "}2", ["S3"] = "}3", - ["SF"] = ">", ["SH"] = ">h", ["SHR"] = " 0 ) - log_hot_conn(c); - - if ( trans == tcp ) - { - if ( c$orig$state in conn_closed || c$resp$state in conn_closed ) - duration = fmt("%.06f", c$duration); - else - duration = "?"; - } - else - duration = fmt("%.06f", c$duration); - - local addl = c$addl; - -@ifdef ( estimate_flow_size_and_remove ) - # Annotate connection with separately-estimated size, if present. 
- local orig_est = estimate_flow_size_and_remove(id, T); - local resp_est = estimate_flow_size_and_remove(id, F); - - if ( orig_est$have_est ) - addl = fmt("%s olower=%.0fMB oupper=%.0fMB oincon=%s", addl, - orig_est$lower / 1e6, orig_est$upper / 1e6, - orig_est$num_inconsistent); - - if ( resp_est$have_est ) - addl = fmt("%s rlower=%.0fMB rupper=%.0fMB rincon=%s", addl, - resp_est$lower / 1e6, resp_est$upper / 1e6, - resp_est$num_inconsistent); -@endif - - local service = determine_service(c); - - local log_msg = - fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s", - c$start_time, duration, id$orig_h, id$resp_h, service, - id$orig_p, id$resp_p, trans, - conn_size(c$orig, trans), conn_size(c$resp, trans), - conn_state(c, trans), flags); - - if ( record_state_history ) - log_msg = fmt("%s %s", log_msg, - c$history == "" ? "X" : c$history); - - if ( addl != "" ) - log_msg = fmt("%s %s", log_msg, addl); - - print f, log_msg; - } - -event connection_established(c: connection) - { - Hot::check_hot(c, Hot::CONN_ESTABLISHED); - - if ( c$hot > 0 ) - log_hot_conn(c); - } - -event partial_connection(c: connection) - { - if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE ) - # This appears to be a stealth scan. Don't do hot-checking - # as there wasn't an established connection. - ; - else - { - Hot::check_hot(c, Hot::CONN_ESTABLISHED); - Hot::check_hot(c, Hot::APPL_ESTABLISHED); # assume it's been established - } - - if ( c$hot > 0 ) - log_hot_conn(c); - } - -event connection_attempt(c: connection) - { - Hot::check_spoof(c); - Hot::check_hot(c, Hot::CONN_ATTEMPTED); - } - -event connection_finished(c: connection) - { - if ( c$orig$size == 0 || c$resp$size == 0 ) - # Hard to get excited about this - not worth logging again. - c$hot = 0; - else - Hot::check_hot(c, Hot::CONN_FINISHED); - } - -event connection_partial_close(c: connection) - { - if ( c$orig$size == 0 || c$resp$size == 0 ) - # Hard to get excited about this - not worth logging again. 
- c$hot = 0; - else - Hot::check_hot(c, Hot::CONN_FINISHED); - } - -event connection_half_finished(c: connection) - { - Hot::check_hot(c, Hot::CONN_ATTEMPTED); - } - -event connection_rejected(c: connection) - { - Hot::check_hot(c, Hot::CONN_REJECTED); - } - -event connection_reset(c: connection) - { - Hot::check_hot(c, Hot::CONN_FINISHED); - } - -event connection_pending(c: connection) - { - if ( c$orig$state in conn_closed && - (c$resp$state == TCP_INACTIVE || c$resp$state == TCP_PARTIAL) ) - # This is a stray FIN or RST - don't bother reporting. - return; - - if ( c$orig$state == TCP_RESET || c$resp$state == TCP_RESET ) - # We already reported this connection when the RST - # occurred. - return; - - Hot::check_hot(c, Hot::CONN_FINISHED); - } - -function connection_gone(c: connection, gone_type: string) - { - if ( c$orig$size == 0 || c$resp$size == 0 ) - { - if ( c$orig$state == TCP_RESET && c$resp$state == TCP_INACTIVE) - # A bare RST, no other context. Ignore it. - return; - - # Hard to get excited about this - not worth logging again, - # per connection_finished(). - c$hot = 0; - } - else - Hot::check_hot(c, Hot::CONN_TIMEOUT); - } - -event connection_state_remove(c: connection) &priority = -10 - { - local os = c$orig$state; - local rs = c$resp$state; - - if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED ) - # It was still active, no summary generated. - connection_gone(c, "remove"); - - else if ( (os == TCP_CLOSED || rs == TCP_CLOSED) && - (os == TCP_ESTABLISHED || rs == TCP_ESTABLISHED) ) - # One side has closed, the other hasn't - it's in state S2 - # or S3, hasn't been reported yet. - connection_gone(c, "remove"); - - record_connection(conn_file, c); - - delete hot_conns_reported[c$id]; - } diff --git a/policy.old/contents.bro b/policy.old/contents.bro deleted file mode 100644 index 152b54ed3b..0000000000 --- a/policy.old/contents.bro +++ /dev/null 
@@ -1,40 +0,0 @@
-# $Id: contents.bro 47 2004-06-11 07:26:32Z vern $
-
-redef capture_filters += { ["contents"] = "tcp" };
-
-# Keeps track of to which given contents files we've written.
-global contents_files: set[string];
-
-event new_connection_contents(c: connection)
- {
- local id = c$id;
-
- local orig_file =
- fmt("contents.%s.%d-%s.%d",
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
- local resp_file =
- fmt("contents.%s.%d-%s.%d",
- id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
- local orig_f: file;
- local resp_f: file;
-
- if ( orig_file !in contents_files )
- {
- add contents_files[orig_file];
- orig_f = open(orig_file);
- }
- else
- orig_f = open_for_append(orig_file);
-
- if ( resp_file !in contents_files )
- {
- add contents_files[resp_file];
- resp_f = open(resp_file);
- }
- else
- resp_f = open_for_append(resp_file);
-
- set_contents_file(id, CONTENTS_ORIG, orig_f);
- set_contents_file(id, CONTENTS_RESP, resp_f);
- }
diff --git a/policy.old/cpu-adapt.bro b/policy.old/cpu-adapt.bro
deleted file mode 100644
index 7376e0780a..0000000000
--- a/policy.old/cpu-adapt.bro
+++ /dev/null
@@ -1,62 +0,0 @@
-# $Id: cpu-adapt.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Adjust load level based on cpu load.
-
-@load load-level
-
-# We increase the load-level if the average CPU load (percentage) is
-# above this limit.
-global cpu_upper_limit = 70.0 &redef;
-
-# We derease the load-level if the average CPU load is below this limit.
-global cpu_lower_limit = 30.0 &redef;
-
-# Time interval over which we average the CPU load.
-global cpu_interval = 1 min &redef;
-
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-
-event cpu_measure_load()
- {
- local res = resource_usage();
- local proc_time = res$user_time + res$system_time;
- local wall_time = current_time();
-
- if ( cpu_last_proc_time > 0 secs )
- {
- local dproc = proc_time - cpu_last_proc_time;
- local dwall = wall_time - cpu_last_wall_time;
- local load = dproc / dwall * 100.0;
-
- print ll_file, fmt("%.6f CPU load %.02f", network_time(), load);
-
- # Second test is for whether we have any room to change
- # things. It shouldn't be hardwired to "xxx10" ....
- if ( load > cpu_upper_limit &&
- current_load_level != LoadLevel10 )
- {
- print ll_file, fmt("%.6f CPU load above limit: %.02f",
- network_time(), load);
- increase_load_level();
- }
-
- else if ( load < cpu_lower_limit &&
- current_load_level != LoadLevel1 )
- {
- print ll_file, fmt("%.6f CPU load below limit: %.02f",
- network_time(), load);
- decrease_load_level();
- }
- }
-
- cpu_last_proc_time = proc_time;
- cpu_last_wall_time = wall_time;
-
- schedule cpu_interval { cpu_measure_load() };
- }
-
-event bro_init()
- {
- schedule cpu_interval { cpu_measure_load() };
- }
diff --git a/policy.old/dce.bro b/policy.old/dce.bro
deleted file mode 100644
index 51b82d3894..0000000000
--- a/policy.old/dce.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id:$
-
-redef capture_filters += { ["dce"] = "port 135" };
-
-global dce_ports = { 135/tcp } &redef;
-redef dpd_config += { [ANALYZER_DCE_RPC] = [$ports = dce_ports] };
-
-# No default implementation for events.
diff --git a/policy.old/demux.bro b/policy.old/demux.bro
deleted file mode 100644
index cfb70d6686..0000000000
--- a/policy.old/demux.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id: demux.bro 4758 2007-08-10 06:49:23Z vern $
-
-const demux_dir = log_file_name("xscript") &redef;
-global created_demux_dir = F;
-
-# Table of which connections we're demuxing.
-global demuxed_conn: set[conn_id];
-
-# tag: identifier to use for the reason for demuxing
-# otag: identifier to use for originator side of the connection
-# rtag: identifier to use for responder side of the connection
-function demux_conn(id: conn_id, tag: string, otag: string, rtag: string): bool
- {
- if ( id in demuxed_conn || ! active_connection(id) )
- return F;
-
- if ( ! created_demux_dir )
- {
- mkdir(demux_dir);
- created_demux_dir = T;
- }
-
- local orig_file =
- fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, otag, tag,
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
- local resp_file =
- fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, rtag, tag,
- id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
- set_contents_file(id, CONTENTS_ORIG, open(orig_file));
- set_contents_file(id, CONTENTS_RESP, open(resp_file));
-
- add demuxed_conn[id];
-
- return T;
- }
-
-event connection_finished(c: connection)
- {
- delete demuxed_conn[c$id];
- }
diff --git a/policy.old/detect-protocols-http.bro b/policy.old/detect-protocols-http.bro
deleted file mode 100644
index fb1fed33ac..0000000000
--- a/policy.old/detect-protocols-http.bro
+++ /dev/null
@@ -1,156 +0,0 @@ -# $Id: detect-protocols-http.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $ -# -# Identifies protocols that use HTTP. - -@load detect-protocols - -module DetectProtocolHTTP; - -export { - # Defines characteristics of a protocol. All attributes must match - # to trigger the detection. We match patterns against lower-case - # versions of the data. - type protocol : record { - url: pattern &optional; - client_header: pattern &optional; - client_header_content: pattern &optional; - server_header: pattern &optional; - server_header_content: pattern &optional; - }; - - const protocols: table[string] of protocol = { - ["Kazaa"] = [$url=/^\/\.hash=.*/, $server_header=/^x-kazaa.*/], - ["Gnutella"] = [$url=/^\/(uri-res|gnutella).*/, - $server_header=/^x-gnutella-.*/], - ["Gnutella_"] = [$url=/^\/(uri-res|gnutella).*/, - $server_header=/^x-(content-urn|features).*/], - ["Gnutella__"] = [$url=/^\/(uri-res|gnutella).*/, - $server_header=/^content-type/, - $server_header_content=/.*x-gnutella.*/], - ["BitTorrent"] = [$url=/^.*\/(scrape|announce)\?.*info_hash.*/], - ["SOAP"] = [$client_header=/^([:print:]+-)?(soapaction|methodname|messagetype).*/], - ["Squid"] = [$server_header=/^x-squid.*/], - } &redef; -} - -# Bit masks. -const url_found = 1; -const client_header_found = 2; -const server_header_found = 2; - -type index : record { - id: conn_id; - pid: string; -}; - -# Maps to characteristics found so far. -# FIXME: An integer would suffice for the bit-field -# if we had bit-operations ... -global conns: table[index] of set[count] &read_expire = 1hrs; - -function check_match(c: connection, pid: string, mask: set[count]) - { - conns[[$id=c$id, $pid=pid]] = mask; - - local p = protocols[pid]; - - if ( p?$url && url_found !in mask ) - return; - - if ( p?$client_header && client_header_found !in mask ) - return; - - if ( p?$server_header && server_header_found !in mask ) - return; - - # All found. 
- - ProtocolDetector::found_protocol(c, ANALYZER_HTTP, pid); - } - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - for ( pid in protocols ) - { - local p = protocols[pid]; - - if ( ! p?$url ) - next; - - local mask: set[count]; - local idx = [$id=c$id, $pid=pid]; - if ( idx in conns ) - mask = conns[idx]; - - if ( url_found in mask ) - # Already found a match. - next; - - # FIXME: There are people putting NULs into the URLs - # (BitTorrent), which to_lower() does not like. Not sure - # what the right fix is, though. - unescaped_URI = subst_string(unescaped_URI, "\x00", ""); - - if ( to_lower(unescaped_URI) == p$url ) - { - add mask[url_found]; - check_match(c, pid, mask); - } - } - } - -event http_header(c: connection, is_orig: bool, name: string, value: string) - { - if ( name == /[sS][eE][rR][vV][eE][rR]/ ) - { - # Try to extract the server software. - local s = split1(strip(value), /[[:space:]\/]/); - if ( s[1] == /[-a-zA-Z0-9_]+/ ) - ProtocolDetector::found_protocol(c, ANALYZER_HTTP, s[1]); - } - - for ( pid in protocols ) - { - local p = protocols[pid]; - - local mask: set[count]; - local idx = [$id=c$id, $pid=pid]; - if ( idx in conns ) - mask = conns[idx]; - - if ( p?$client_header && is_orig ) - { - if ( client_header_found in mask ) - return; - - if ( to_lower(name) == p$client_header ) - { - if ( p?$client_header_content ) - if ( to_lower(value) != - p$client_header_content ) - return; - - add mask[client_header_found]; - check_match(c, pid, mask); - } - } - - if ( p?$server_header && ! is_orig ) - { - if ( server_header_found in mask ) - return; - - if ( to_lower(name) == p$server_header ) - { - if ( p?$server_header_content ) - if ( to_lower(value) != - p$server_header_content ) - return; - - add mask[server_header_found]; - check_match(c, pid, mask); - } - } - } - } 
diff --git a/policy.old/detect-protocols.bro b/policy.old/detect-protocols.bro
deleted file mode 100644
index 49f02e60e9..0000000000
--- a/policy.old/detect-protocols.bro
+++ /dev/null
@@ -1,258 +0,0 @@ -# $Id: detect-protocols.bro,v 1.1.4.4 2006/05/31 18:07:27 sommer Exp $ -# -# Finds connections with protocols on non-standard ports using the DPM -# framework. - -@load site - -@load conn-id -@load notice - -module ProtocolDetector; - -export { - redef enum Notice += { - ProtocolFound, # raised for each connection found - ServerFound, # raised once per dst host/port/protocol tuple - }; - - # Table of (protocol, resp_h, resp_p) tuples known to be uninteresting - # in the given direction. For all other protocols detected on - # non-standard ports, we raise a ProtocolFound notice. (More specific - # filtering can then be done via notice_filters.) - # - # Use 0.0.0.0 for to wildcard-match any resp_h. - - type dir: enum { NONE, INCOMING, OUTGOING, BOTH }; - - const valids: table[count, addr, port] of dir = { - # A couple of ports commonly used for benign HTTP servers. - - # For now we want to see everything. - - # [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, - # - # [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella - } &redef; - - # Set of analyzers for which we suppress ServerFound notices - # (but not ProtocolFound). Along with avoiding clutter in the - # log files, this also saves memory because for these we don't - # need to remember which servers we already have reported, which - # for some can be a lot. 
- const suppress_servers: set [count] = { - # ANALYZER_HTTP - } &redef; - - # We consider a connection to use a protocol X if the analyzer for X - # is still active (i) after an interval of minimum_duration, or (ii) - # after a payload volume of minimum_volume, or (iii) at the end of the - # connection. - const minimum_duration = 30 secs &redef; - const minimum_volume = 4e3 &redef; # bytes - - # How often to check the size of the connection. - const check_interval = 5 secs; - - # Entry point for other analyzers to report that they recognized - # a certain (sub-)protocol. - global found_protocol: function(c: connection, analyzer: count, - protocol: string); - - # Table keeping reported (server, port, analyzer) tuples (and their - # reported sub-protocols). - global servers: table[addr, port, string] of set[string] - &read_expire = 14 days; -} - -# Table that tracks currently active dynamic analyzers per connection. -global conns: table[conn_id] of set[count]; - -# Table of reports by other analyzers about the protocol used in a connection. -global protocols: table[conn_id] of set[string]; - -type protocol : record { - a: string; # analyzer name - sub: string; # "sub-protocols" reported by other sources -}; - -function get_protocol(c: connection, a: count) : protocol - { - local str = ""; - if ( c$id in protocols ) - { - for ( p in protocols[c$id] ) - str = |str| > 0 ? fmt("%s/%s", str, p) : p; - } - - return [$a=analyzer_name(a), $sub=str]; - } - -function fmt_protocol(p: protocol) : string - { - return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a; - } - -function do_notice(c: connection, a: count, d: dir) - { - if ( d == BOTH ) - return; - - if ( d == INCOMING && is_local_addr(c$id$resp_h) ) - return; - - if ( d == OUTGOING && ! 
is_local_addr(c$id$resp_h) ) - return; - - local p = get_protocol(c, a); - local s = fmt_protocol(p); - - NOTICE([$note=ProtocolFound, - $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p), - $sub=s, $conn=c, $n=a]); - - # We report multiple ServerFound's per host if we find a new - # sub-protocol. - local known = [c$id$resp_h, c$id$resp_p, p$a] in servers; - - local newsub = F; - if ( known ) - newsub = (p$sub != "" && - p$sub !in servers[c$id$resp_h, c$id$resp_p, p$a]); - - if ( (! known || newsub) && a !in suppress_servers ) - { - NOTICE([$note=ServerFound, - $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, - c$id$resp_p, (known ? " (update)" : "")), - $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]); - - if ( ! known ) - servers[c$id$resp_h, c$id$resp_p, p$a] = set(); - - add servers[c$id$resp_h, c$id$resp_p, p$a][p$sub]; - } - } - -function report_protocols(c: connection) - { - # We only report the connection if both sides have transferred data. - if ( c$resp$size == 0 || c$orig$size == 0 ) - { - delete conns[c$id]; - delete protocols[c$id]; - return; - } - - local analyzers = conns[c$id]; - - for ( a in analyzers ) - { - if ( [a, c$id$resp_h, c$id$resp_p] in valids ) - do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]); - - else if ( [a, 0.0.0.0, c$id$resp_p] in valids ) - do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]); - else - do_notice(c, a, NONE); - - append_addl(c, analyzer_name(a)); - } - - delete conns[c$id]; - delete protocols[c$id]; - } - -event ProtocolDetector::check_connection(c: connection) - { - if ( c$id !in conns ) - return; - - local duration = network_time() - c$start_time; - local size = c$resp$size + c$orig$size; - - if ( duration >= minimum_duration || size >= minimum_volume ) - report_protocols(c); - else - { - local delay = min_interval(minimum_duration - duration, - check_interval); - schedule delay { ProtocolDetector::check_connection(c) }; - } - } - -event connection_state_remove(c: connection) - { - if ( 
c$id !in conns ) - { - delete protocols[c$id]; - return; - } - - # Reports all analyzers that have remained to the end. - report_protocols(c); - } - -event protocol_confirmation(c: connection, atype: count, aid: count) - { - # Don't report anything running on a well-known port. - if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports ) - return; - - if ( c$id in conns ) - { - local analyzers = conns[c$id]; - add analyzers[atype]; - } - else - { - conns[c$id] = set(atype); - - local delay = min_interval(minimum_duration, check_interval); - schedule delay { ProtocolDetector::check_connection(c) }; - } - } - -# event connection_analyzer_disabled(c: connection, analyzer: count) -# { -# if ( c$id !in conns ) -# return; -# -# delete conns[c$id][analyzer]; -# } - -function append_proto_addl(c: connection) - { - for ( a in conns[c$id] ) - append_addl(c, fmt_protocol(get_protocol(c, a))); - } - -function found_protocol(c: connection, analyzer: count, protocol: string) - { - # Don't report anything running on a well-known port. - if ( analyzer in dpd_config && - c$id$resp_p in dpd_config[analyzer]$ports ) - return; - - if ( c$id !in protocols ) - protocols[c$id] = set(); - - add protocols[c$id][protocol]; - } - -event connection_state_remove(c: connection) - { - if ( c$id !in conns ) - return; - - append_proto_addl(c); - } - diff --git a/policy.old/dhcp.bro b/policy.old/dhcp.bro deleted file mode 100644 index 2c60f73fe4..0000000000 --- a/policy.old/dhcp.bro +++ /dev/null 
@@ -1,525 +0,0 @@ -# $Id: dhcp.bro 4054 2007-08-14 21:45:58Z pclin $ - -@load dpd -@load weird - -module DHCP; - -export { - # Set to false to disable printing to dhcp.log. - const logging = T &redef; -} - -# Type of states in DHCP client. See Figure 5 in RFC 2131. -# Each state name is prefixed with DHCP_ to avoid name conflicts. -type dhcp_state: enum { - - DHCP_INIT_REBOOT, - DHCP_INIT, - DHCP_SELECTING, - DHCP_REQUESTING, - DHCP_REBINDING, - DHCP_BOUND, - DHCP_RENEWING, - DHCP_REBOOTING, - - # This state is not in Figure 5. Client has been externally configured. - DHCP_INFORM, -}; - -global dhcp_log: file; - -# Source port 68: client -> server; source port 67: server -> client. -global dhcp_ports: set[port] = { 67/udp, 68/udp } &redef; - -redef dpd_config += { [ANALYZER_DHCP_BINPAC] = [$ports = dhcp_ports] }; - -# Default handling for peculiarities in DHCP analysis. -redef Weird::weird_action += { - ["DHCP_no_type_option"] = Weird::WEIRD_FILE, - ["DHCP_wrong_op_type"] = Weird::WEIRD_FILE, - ["DHCP_wrong_msg_type"] = Weird::WEIRD_FILE, -}; - -# Types of DHCP messages, identified from the 'options' field. See RFC 1533. -global dhcp_msgtype_name: table[count] of string = { - [1] = "DHCP_DISCOVER", - [2] = "DHCP_OFFER", - [3] = "DHCP_REQUEST", - [4] = "DHCP_DECLINE", - [5] = "DHCP_ACK", - [6] = "DHCP_NAK", - [7] = "DHCP_RELEASE", - [8] = "DHCP_INFORM", -}; - -# Type of DHCP client state, inferred from the messages. See RFC 2131, fig 5. 
-global dhcp_state_name: table[dhcp_state] of string = { - [DHCP_INIT_REBOOT] = "INIT-REBOOT", - [DHCP_INIT] = "INIT", - [DHCP_SELECTING] = "SELECTING", - [DHCP_REQUESTING] = "REQUESTING", - [DHCP_REBINDING] = "REBINDING", - [DHCP_BOUND] = "BOUND", - [DHCP_RENEWING] = "RENEWING", - [DHCP_REBOOTING] = "REBOOTING", - [DHCP_INFORM] = "INFORM", -}; - -type dhcp_session_info: record { - state: dhcp_state; # the state of a DHCP client - seq: count; # sequence of session in the trace - lease: interval; # lease time of an IP address - h_addr: string; # hardware/MAC address of the client -}; - -# Track the DHCP session info of each client, indexed by the transaction ID. -global dhcp_session: table[count] of dhcp_session_info - &default = record($state = DHCP_INIT_REBOOT, $seq = 0, $lease = 0 sec, - $h_addr = "") - &write_expire = 5 min -; - -# We need the following table to track some DHCPINFORM messages since they -# use xid = 0 (I do not know why), starting from the second pair of INFORM -# and ACK. Since the client address is ready before DHCPINFORM, we can use -# it as the index to find its corresponding xid. -global session_xid: table[addr] of count &read_expire = 30 sec; - -# Count how many DHCP sessions have been detected, for use in dhcp_session_seq. -global pkt_cnt: count = 0; -global session_cnt: count = 0; - -# Record the address of client that sends a DHCPINFORM message with xid = 0. -global recent_client: addr; - -global BROADCAST_ADDR = 255.255.255.255; -global NULL_ADDR = 0.0.0.0; - -# Used to detect if an ACK is duplicated. They are used only in dhcp_ack(). -# We put them here since Bro scripts lacks the equivalent of "static" variables. 
-global ack_from: addr; -global duplicated_ack: bool; - - -function warning_wrong_state(msg_type: count): string - { - return fmt("%s not sent in a correct state.", - dhcp_msgtype_name[msg_type]); - } - -function dhcp_message(c: connection, seq: count, show_conn: bool): string - { - local conn_info = fmt("%.06f #%d", network_time(), seq); - if ( show_conn ) - return fmt("%s %s > %s", conn_info, - endpoint_id(c$id$orig_h, c$id$orig_p), - endpoint_id(c$id$resp_h, c$id$resp_p)); - - return conn_info; - } - -function new_dhcp_session(xid: count, state: dhcp_state, h_addr: string) -: dhcp_session_info - { - local session: dhcp_session_info; - session$state = state; - session$seq = ++session_cnt; - session$lease = 0 sec; - session$h_addr = h_addr; - - dhcp_session[xid] = session; - - return session; - } - - -event bro_init() - { - if ( logging ) - dhcp_log = open_log_file("dhcp"); - } - -event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr) - { - local old_session = T; - - if ( msg$xid !in dhcp_session ) - { - local session = - new_dhcp_session(msg$xid, DHCP_SELECTING, msg$h_addr); - old_session = F; - } - - if ( logging ) - { - if ( old_session && - dhcp_session[msg$xid]$state == DHCP_SELECTING ) - print dhcp_log, fmt("%s DISCOVER (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - print dhcp_log, - fmt("%s DISCOVER (xid = %x, client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - msg$xid, dhcp_state_name[dhcp_session[msg$xid]$state]); - } - } - -event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, - router: dhcp_router_list, lease: interval, serv_addr: addr) - { - local standalone = msg$xid !in dhcp_session; - local err_state = - standalone && dhcp_session[msg$xid]$state != DHCP_SELECTING; - - if ( logging ) - { - # Note that no OFFER messages are considered duplicated, - # since they may come from multiple DHCP servers in a session. 
- if ( standalone ) - print dhcp_log, fmt("%s OFFER (standalone)", - dhcp_message(c, ++session_cnt, T)); - - else if ( err_state ) - print dhcp_log, fmt("%s OFFER (in error state %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[dhcp_session[msg$xid]$state]); - - else - print dhcp_log, fmt("%s OFFER (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[DHCP_SELECTING]); - } - } - -event dhcp_request(c: connection, msg: dhcp_msg, - req_addr: addr, serv_addr: addr) - { - local log_info: string; - - if ( msg$xid in dhcp_session ) - { - if ( ! logging ) - return; - - local state = dhcp_session[msg$xid]$state; - - if ( state == DHCP_REBOOTING ) - recent_client = req_addr; - else - recent_client = c$id$orig_h; - - session_xid[recent_client] = msg$xid; - - if ( state == DHCP_RENEWING || state == DHCP_REBINDING || - state == DHCP_REQUESTING || state == DHCP_REBOOTING ) - print dhcp_log, fmt("%s REQUEST (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - { - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T); - print dhcp_log, fmt("%s REQUEST (in error state %s)", - log_info, - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - } - else - { - local d_state = DHCP_REBOOTING; - - if ( c$id$resp_h != BROADCAST_ADDR ) - d_state = DHCP_RENEWING; - else if ( msg$ciaddr != NULL_ADDR ) - d_state = DHCP_REBINDING; - else if ( serv_addr != NULL_ADDR ) - d_state = DHCP_REQUESTING; - - local session = new_dhcp_session(msg$xid, d_state, msg$h_addr); - - if ( session$state == DHCP_REBOOTING ) - recent_client = req_addr; - else - recent_client = c$id$orig_h; - - session_xid[recent_client] = msg$xid; - - if ( logging ) - { - log_info = dhcp_message(c, session$seq, T); - if ( req_addr != NULL_ADDR ) - log_info = fmt("%s REQUEST %As", - log_info, req_addr); - else - log_info = fmt("%s REQUEST", log_info); - - print dhcp_log, fmt("%s (xid = %x, client state = %s)", - log_info, msg$xid, - 
dhcp_state_name[session$state]); - } - } - } - -event dhcp_decline(c: connection, msg: dhcp_msg) - { - local old_session = msg$xid in dhcp_session; - local err_state = F; - - if ( old_session ) - { - if ( dhcp_session[msg$xid]$state == DHCP_REQUESTING ) - dhcp_session[msg$xid]$state = DHCP_INIT; - else - err_state = T; - } - else - new_dhcp_session(msg$xid, DHCP_INIT, ""); - - if ( ! logging ) - return; - - if ( old_session ) - { - if ( err_state ) - print dhcp_log, fmt("%s DECLINE (in error state %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[dhcp_session[msg$xid]$state]); - else - print dhcp_log, fmt("%s DECLINE (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - } - else - print dhcp_log, fmt("%s DECLINE (xid = %x)", - dhcp_message(c, ++session_cnt, T), msg$xid); - } - -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, - router: dhcp_router_list, lease: interval, serv_addr: addr) - { - local log_info: string; - - if ( msg$xid == 0 ) - { # An ACK for a DHCPINFORM message with xid = 0. - local xid = - c$id$orig_h in session_xid ? - # An ACK to the client. - session_xid[c$id$orig_h] - : - # Assume ACK from a relay agent to the server. - session_xid[recent_client]; - - local seq: count; - - if ( xid > 0 ) - { - duplicated_ack = dhcp_session[xid]$state != DHCP_INFORM; - dhcp_session[xid]$state = DHCP_BOUND; - seq = dhcp_session[xid]$seq; - } - else - { - # This is a weird situation. We arbitrarily set - # duplicated_ack to false to have more information - # shown. - duplicated_ack = F; - seq = session_cnt; - } - - if ( ! 
logging ) - return; - - log_info = dhcp_message(c, seq, F); - if ( c$id$orig_h in session_xid ) - { - if ( duplicated_ack ) - print dhcp_log, fmt("%s ACK (duplicated)", - log_info); - else - print dhcp_log, - fmt("%s ACK (client state = %s)", - log_info, - dhcp_state_name[DHCP_BOUND]); - } - else - print dhcp_log, - fmt("%s ACK (relay agent at = %As)", - log_info, c$id$orig_h); - return; - } - - if ( msg$xid in dhcp_session ) - { - local last_state = dhcp_session[msg$xid]$state; - local from_reboot_state = last_state == DHCP_REBOOTING; - - if ( last_state == DHCP_REQUESTING || - last_state == DHCP_REBOOTING || - last_state == DHCP_RENEWING || - last_state == DHCP_REBINDING || - last_state == DHCP_INFORM ) - { - dhcp_session[msg$xid]$state = DHCP_BOUND; - dhcp_session[msg$xid]$lease = lease; - } - - if ( ! logging ) - return; - - if ( last_state == DHCP_BOUND ) - { - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F); - if ( c$id$orig_h == ack_from ) - log_info = fmt("%s ACK (duplicated)", - log_info); - - else - # Not a duplicated ACK. - log_info = fmt("%s ACK (relay agent at = %As)", - log_info, c$id$orig_h); - } - else - { - ack_from = c$id$orig_h; - - # If in a reboot state, we had better - # explicitly show the original address - # and the destination address of ACK, - # because the client initally has a - # zero address. 
- if ( from_reboot_state ) - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T); - else - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F); - - if ( last_state != DHCP_INFORM && - lease > 0 sec ) - log_info = fmt("%s ACK (lease time = %s, ", - log_info, lease); - else - log_info = fmt("%s ACK (", log_info); - - log_info = fmt("%sclient state = %s)", - log_info, - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - print dhcp_log, log_info; - } - - else if ( logging ) - print dhcp_log, fmt("%s ACK (standalone)", - dhcp_message(c, ++session_cnt, T)); - } - -event dhcp_nak(c: connection, msg: dhcp_msg) - { - if ( msg$xid in dhcp_session ) - { - local last_state = dhcp_session[msg$xid]$state; - - if ( last_state == DHCP_REQUESTING || - last_state == DHCP_REBOOTING || - last_state == DHCP_RENEWING || - last_state == DHCP_REBINDING ) - dhcp_session[msg$xid]$state = DHCP_INIT; - - if ( logging ) - print dhcp_log, fmt("%s NAK (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - else if ( logging ) - print dhcp_log, fmt("%s NAK (standalone)", - dhcp_message(c, ++session_cnt, T)); - } - -event dhcp_release(c: connection, msg: dhcp_msg) - { - local old_session = msg$xid in dhcp_session; - - if ( ! old_session ) - # We assume the client goes back to DHCP_INIT - # because the RFC does not specify which state to go to. - new_dhcp_session(msg$xid, DHCP_INIT, ""); - - if ( ! 
logging ) - return; - - if ( old_session ) - { - if ( dhcp_session[msg$xid]$state == DHCP_INIT ) - print dhcp_log, fmt("%s RELEASE (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - print dhcp_log, fmt("%s RELEASE, (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - else - print dhcp_log, fmt("%s RELEASE (xid = %x, IP addr = %As)", - dhcp_message(c, session_cnt, T), msg$xid, c$id$orig_h); - } - -event dhcp_inform(c: connection, msg: dhcp_msg) - { - recent_client = c$id$orig_h; - - if ( msg$xid == 0 ) - { - # Oops! Try to associate message with transaction ID 0 with - # a previous session. - local xid: count; - local seq: count; - - if ( c$id$orig_h in session_xid ) - { - xid = session_xid[c$id$orig_h]; - dhcp_session[xid]$state = DHCP_INFORM; - seq = dhcp_session[xid]$seq; - } - else - { - # Weird: xid = 0 and no previous INFORM-ACK dialog. - xid = 0; - seq = ++session_cnt; - - # Just record that a INFORM message has appeared, - # although the xid is not useful. - session_xid[c$id$orig_h] = 0; - } - - if ( logging ) - print dhcp_log, - fmt("%s INFORM (xid = %x, client state = %s)", - dhcp_message(c, seq, T), - xid, dhcp_state_name[DHCP_INFORM]); - return; - } - - if ( msg$xid in dhcp_session ) - { - if ( logging ) - if ( dhcp_session[msg$xid]$state == DHCP_INFORM ) - print dhcp_log, fmt("%s INFORM (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else { - print dhcp_log, - fmt("%s INFORM (duplicated, client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - return; - } - - local session = new_dhcp_session(msg$xid, DHCP_INFORM, msg$h_addr); - - # Associate this transaction ID with the host so we can identify - # subsequent pairs of INFORM/ACK if client uses xid=0. 
- session_xid[c$id$orig_h] = msg$xid; - - if ( logging ) - print dhcp_log, fmt("%s INFORM (xid = %x, client state = %s)", - dhcp_message(c, session$seq, T), - msg$xid, dhcp_state_name[session$state]); - } diff --git a/policy.old/dns-info.bro b/policy.old/dns-info.bro deleted file mode 100644 index 3ad36d461e..0000000000 --- a/policy.old/dns-info.bro +++ /dev/null 
@@ -1,81 +0,0 @@ -# $Id: dns-info.bro 3919 2007-01-14 00:27:09Z vern $ - -# Types, errors, and fields for analyzing DNS data. A helper file -# for dns.bro. - -const PTR = 12; -const EDNS = 41; -const ANY = 255; - -const query_types = { - [1] = "A", [2] = "NS", [3] = "MD", [4] = "MF", - [5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG", - [9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR", - [13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT", - [17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN", - [21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG", - [25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA", - [29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB", - [33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX", - [37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK", - [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK", - [45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY", - [49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID", - [102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG", - [251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA", - [32768] = "TA", [32769] = "DLV", - [ANY] = "*", -} &default = function(n: count): string { return fmt("query-%d", n); }; - -const DNS_code_types = { - [0] = "X0", - [1] = "Xfmt", - [2] = "Xsrv", - [3] = "Xnam", - [4] = "Ximp", - [5] = "X[", -} &default = function(n: count): string { return "?"; }; - -# Used for non-TSIG/EDNS types. 
-const base_error = { - [0] = "NOERROR", # No Error - [1] = "FORMERR", # Format Error - [2] = "SERVFAIL", # Server Failure - [3] = "NXDOMAIN", # Non-Existent Domain - [4] = "NOTIMP", # Not Implemented - [5] = "REFUSED", # Query Refused - [6] = "YXDOMAIN", # Name Exists when it should not - [7] = "YXRRSET", # RR Set Exists when it should not - [8] = "NXRRSet", # RR Set that should exist does not - [9] = "NOTAUTH", # Server Not Authoritative for zone - [10] = "NOTZONE", # Name not contained in zone - [11] = "unassigned-11", # available for assignment - [12] = "unassigned-12", # available for assignment - [13] = "unassigned-13", # available for assignment - [14] = "unassigned-14", # available for assignment - [15] = "unassigned-15", # available for assignment - [16] = "BADVERS", # for EDNS, collision w/ TSIG - [17] = "BADKEY", # Key not recognized - [18] = "BADTIME", # Signature out of time window - [19] = "BADMODE", # Bad TKEY Mode - [20] = "BADNAME", # Duplicate key name - [21] = "BADALG", # Algorithm not supported - [22] = "BADTRUNC", # draft-ietf-dnsext-tsig-sha-05.txt - [3842] = "BADSIG", # 16 <= number collision with EDNS(16); - # this is a translation from TSIG(16) -} &default = function(n: count): string { return "?"; }; - -# This deciphers EDNS Z field values. -const edns_zfield = { - [0] = "NOVALUE", # regular entry - [32768] = "DNS_SEC_OK", # accepts DNS Sec RRs -} &default = function(n: count): string { return "?"; }; - -const dns_class = { - [1] = "C_INTERNET", - [2] = "C_CSNET", - [3] = "C_CHAOS", - [4] = "C_HESOD", - [254] = "C_NONE", - [255] = "C_ANY", -} &default = function(n: count): string { return "?"; }; diff --git a/policy.old/dns-lookup.bro b/policy.old/dns-lookup.bro deleted file mode 100644 index 8ef1dd4f0a..0000000000 --- a/policy.old/dns-lookup.bro +++ /dev/null 
@@ -1,65 +0,0 @@ -# $Id: dns-lookup.bro 340 2004-09-09 06:38:27Z vern $ - -@load notice - -redef enum Notice += { - DNS_MappingChanged, # some sort of change WRT previous Bro lookup -}; - -const dns_interesting_changes = { - "unverified", "old name", "new name", "mapping", -} &redef; - -function dump_dns_mapping(msg: string, dm: dns_mapping): bool - { - if ( msg in dns_interesting_changes || - 127.0.0.1 in dm$addrs ) - { - local req = dm$req_host == "" ? - fmt("%As", dm$req_addr) : dm$req_host; - NOTICE([$note=DNS_MappingChanged, - $msg=fmt("DNS %s: %s/%s %s-> %As", msg, req, - dm$hostname, dm$valid ? - "" : "(invalid) ", dm$addrs), - $sub=msg]); - - return T; - } - else - return F; - } - -event dns_mapping_valid(dm: dns_mapping) - { - dump_dns_mapping("valid", dm); - } - -event dns_mapping_unverified(dm: dns_mapping) - { - dump_dns_mapping("unverified", dm); - } - -event dns_mapping_new_name(dm: dns_mapping) - { - dump_dns_mapping("new name", dm); - } - -event dns_mapping_lost_name(dm: dns_mapping) - { - dump_dns_mapping("lost name", dm); - } - -event dns_mapping_name_changed(old_dm: dns_mapping, new_dm: dns_mapping) - { - if ( dump_dns_mapping("old name", old_dm) ) - dump_dns_mapping("new name", new_dm); - } - -event dns_mapping_altered(dm: dns_mapping, - old_addrs: set[addr], new_addrs: set[addr]) - { - if ( dump_dns_mapping("mapping", dm) ) - NOTICE([$note=DNS_MappingChanged, - $msg=fmt("changed addresses: %As -> %As", old_addrs, new_addrs), - $sub="changed addresses"]); - } diff --git a/policy.old/dns.bro b/policy.old/dns.bro deleted file mode 100644 index 812e7245cc..0000000000 --- a/policy.old/dns.bro +++ /dev/null 
@@ -1,675 +0,0 @@ -# $Id: dns.bro 6724 2009-06-07 09:23:03Z vern $ - -@load notice -@load weird -@load udp-common -@load dns-info - -module DNS; - -export { - # Lookups of hosts in here are flagged ... - const sensitive_lookup_hosts: set[addr] &redef; - - # ... unless the lookup comes from one of these hosts. - const okay_to_lookup_sensitive_hosts: set[addr] &redef; - - # Start considering whether we're seeing PTR scanning if we've seen - # at least this many rejected PTR queries. - const report_rejected_PTR_thresh = 100 &redef; - - # Generate a PTR_scan event if at any point (once we're above - # report_rejected_PTR_thresh) we see this many more distinct - # rejected PTR requests than distinct answered PTR requests. - const report_rejected_PTR_factor = 2.0 &redef; - - # The following sources are allowed to do PTR scanning. - const allow_PTR_scans: set[addr] &redef; - - # Annotations that if returned for a PTR lookup actually indicate - # a rejected query; for example, "illegal-address.lbl.gov". - const actually_rejected_PTR_anno: set[string] &redef; - - # Hosts allowed to do zone transfers. - const zone_transfers_okay: set[addr] &redef; - - # Set to false to disable printing to dns.log. - const logging = T &redef; - - redef enum Notice += { - SensitiveDNS_Lookup, # DNS lookup of sensitive hostname/addr - DNS_PTR_Scan, # A set of PTR lookups - DNS_PTR_Scan_Summary, # Summary of a set of PTR lookups - ResolverInconsistency, # DNS answer changed - ZoneTransfer, # a DNS zone transfer request was seen - - }; - - # This is a list of domains that have a history of providing - # more RR's in response than they are supposed to. There is - # some danger here in that record inconsistancies will not be - # identified for these domains... - const bad_domain_resp: set[string] &redef; - - # Same idea, except that it applies to a list of host names. - const bad_host_resp: set[string] &redef; - - # Turn resolver consistancy checking on/off. 
- const resolver_consist_check = F &redef; - - # Should queries be checked against 'bad' domains? - const check_domain_list = T; - - # List of 'bad' domains. - const hostile_domain_list: set[string] &redef; - - # Used for PTR scan detection. Exported so their timeouts can be - # adjusted. - global distinct_PTR_requests: - table[addr, string] of count &default = 0 &write_expire = 5 min; - global distinct_rejected_PTR_requests: - table[addr] of count &default = 0 &write_expire = 5 min; - global distinct_answered_PTR_requests: - table[addr] of count &default = 0 &write_expire = 5 min; -} - -redef capture_filters += { - ["dns"] = "port 53", - ["netbios-ns"] = "udp port 137", -}; - -# DPM configuration. -global dns_ports = { 53/udp, 53/tcp, 137/udp } &redef; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - -global dns_udp_ports = { 53/udp, 137/udp } &redef; -global dns_tcp_ports = { 53/tcp } &redef; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; - -# Default handling for peculiarities in DNS analysis. You can redef these -# again in your site-specific script if you want different behavior. 
-redef Weird::weird_action += { - ["DNS_AAAA_neg_length"] = Weird::WEIRD_FILE, - ["DNS_Conn_count_too_large"] = Weird::WEIRD_FILE, - ["DNS_NAME_too_long"] = Weird::WEIRD_FILE, - ["DNS_RR_bad_length"] = Weird::WEIRD_FILE, - ["DNS_RR_length_mismatch"] = Weird::WEIRD_FILE, - ["DNS_RR_unknown_type"] = Weird::WEIRD_FILE, - ["DNS_label_forward_compress_offset"] = Weird::WEIRD_FILE, - ["DNS_label_len_gt_name_len"] = Weird::WEIRD_FILE, - ["DNS_label_len_gt_pkt"] = Weird::WEIRD_FILE, - ["DNS_label_too_long"] = Weird::WEIRD_FILE, - ["DNS_name_too_long"] = Weird::WEIRD_FILE, - ["DNS_truncated_RR_rdlength_lt_len"] = Weird::WEIRD_FILE, - ["DNS_truncated_ans_too_short"] = Weird::WEIRD_FILE, - ["DNS_truncated_len_lt_hdr_len"] = Weird::WEIRD_FILE, - ["DNS_truncated_quest_too_short"] = Weird::WEIRD_FILE, -}; - -type dns_session_info: record { - id: count; - is_zone_transfer: bool; - last_active: time; # when we last saw activity - - # Indexed by query id, returns string annotation corresponding to - # queries for which no answer seen yet. - pending_queries: table[count] of string; -}; - -# Indexed by client and server. -global dns_sessions: table[addr, addr, count] of dns_session_info; -global num_dns_sessions = 0; - -const PTR_pattern = /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa/; - -# Keeps track of for which addresses we processed a PTR_scan event. -global did_PTR_scan_event: table[addr] of count &default = 0; - -# The following definitions relate to tracking when DNS records -# change and whether they do so in a consistent fashion. 
-type dns_response_record: record { - dns_name: string; # domain name in question - dns_type: count; # type of query - num_resp: count; # number of responses - resp_count: count; # how many responses have been registered - addrs: set[addr]; # addresses in response -}; - -global dns_history: table[string, count, count] of dns_response_record; - -global did_zone_transfer_notice: table[addr] of count &default = 0; - -# Sample known irregular domains. -redef bad_domain_resp += { "instacontent.net", "mirror-image.net", }; - -# Sample hostile domains. -redef hostile_domain_list += { "undernet.org", "afraid.org", }; - -global dns_log : file; - -event bro_init() - { - if ( logging ) - dns_log = open_log_file("dns"); - } - -event remove_name(name: string, qtype: count, id: count) - { - if ( [name, qtype, id] in dns_history ) - { - # We need to remove the dns_history record and the assosciated - # dns_consistency_info records. - - local drr = dns_history[name, qtype, id]; - local a: addr; - - for ( a in drr$addrs ) - delete drr$addrs[a]; - - delete dns_history[name, qtype, id]; - } - else if ( logging ) - print dns_log, fmt("ERROR in history session removal: %s/%d doesn't exist", name, qtype); - } - -# Returns the second-level domain, so for example an argument of "a.b.c.d" -# returns "c.d". -function second_level_domain(name: string): string - { - local split_on_dots = split(name, /\./); - local num_dots = length(split_on_dots); - - if ( num_dots <= 1 ) - return name; - - return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]); - } - -function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr) - { - local drr: dns_response_record; - - if ( [ans$query, ans$qtype, msg$id] !in dns_history ) - { # add record - drr$dns_name = ans$query; - drr$dns_type = ans$qtype; - - # Here we modified the expected number of addresses to allow - # for the number of answer RR's along with the provided - # additional RR's. 
- drr$num_resp = msg$num_answers+msg$num_addl; - drr$resp_count = 0; - add drr$addrs[a]; - - dns_history[ans$query, ans$qtype, msg$id] = drr; - - if ( ans$TTL < 0 sec ) - # Strangely enough, the spec allows this, - # though it's hard to see why! But because - # of that, we don't generate a Weird, we - # just change the TTL to 0. - ans$TTL = 0 sec; - - # Check the TTL, but allow a smidgen of skew to avoid - # possible race conditions. - schedule ans$TTL + 1 sec - { remove_name(ans$query, ans$qtype, msg$id) }; - } - else - { # extract record and do some counting - drr = dns_history[ans$query, ans$qtype, msg$id]; - - # In some broken records, the number of reported records is 0. - # This makes the test below fail, to 'fix' set to 1 ... - if ( drr$num_resp == 0 ) - drr$num_resp = 1; - - # Check if we have filled in the expected number of responses - # already - it should be > current responder count to allow - # for resolver timeouts. Addresses are only added if they - # are not already prsent. This comes at a slight performance - # cost. - if ( a !in drr$addrs ) - { - add drr$addrs[a]; - ++drr$resp_count; - dns_history[ans$query, ans$qtype, msg$id]=drr; - } - - if ( drr$num_resp >= drr$resp_count ) - return; - - if ( second_level_domain(ans$query) in bad_domain_resp ) - return; - - if ( ans$query in bad_host_resp ) - return; - - # Too many responses to the request, or some other - # inconsistency has been introduced. - - NOTICE([$note=ResolverInconsistency, $conn=c, - $msg=fmt("address inconsistency for %s, %s", ans$query, a), - $dst=a]); - } - } - -event expire_DNS_session(orig: addr, resp: addr, trans_id: count) - { - if ( [orig, resp, trans_id] in dns_sessions ) - { - local session = dns_sessions[orig, resp, trans_id]; - local last_active = session$last_active; - if ( network_time() > last_active + dns_session_timeout || - done_with_network ) - { - # Flush out any pending requests. 
- if ( logging ) - { - for ( query in session$pending_queries ) - print dns_log, fmt("%0.6f #%d %s", - network_time(), session$id, - session$pending_queries[query]); - - print dns_log, fmt("%.06f #%d finish", - network_time(), session$id); - } - - delete dns_sessions[orig, resp, trans_id]; - } - - else - schedule dns_session_timeout { - expire_DNS_session(orig, resp, trans_id) - }; - } - } - -function lookup_DNS_session(c: connection, trans_id: count): dns_session_info - { - local id = c$id; - local orig = id$orig_h; - local resp = id$resp_h; - - if ( [orig, resp, trans_id] !in dns_sessions ) - { - local session: dns_session_info; - session$id = ++num_dns_sessions; - session$last_active = network_time(); - session$is_zone_transfer = F; - - if ( logging ) - print dns_log, fmt("%.06f #%d %s start", - c$start_time, session$id, id_string(id)); - - dns_sessions[orig, resp, trans_id] = session; - - schedule 15 sec { expire_DNS_session(orig, resp, trans_id) }; - - append_addl(c, fmt("#%d", session$id)); - - return session; - } - - else - return dns_sessions[orig, resp, trans_id]; - } - -event sensitive_addr_lookup(c: connection, a: addr, is_query: bool) - { - local orig = c$id$orig_h; - local resp = c$id$resp_h; - local holding = 0; - - if ( orig in okay_to_lookup_sensitive_hosts ) - return; - - local session_id: string; - if ( [orig, resp, holding] in dns_sessions ) - session_id = fmt("#%d", dns_sessions[orig, resp, holding]$id); - else - session_id = "#?"; - - local id = fmt("%s > %s (%s)", orig, resp, session_id); - - if ( is_query ) - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s PTR lookup of %s", id, a), - $sub="PTR lookup"]); - else - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s name lookup of %s", id, a), - $sub="name lookup"]); - } - -function DNS_query_annotation(c: connection, msg: dns_msg, query: string, - qtype: count, is_zone_xfer: bool): string - { - local anno: string; - - if ( (qtype == PTR || qtype == ANY) && query == 
PTR_pattern ) - { - # convert PTR text to more readable form. - local a = ptr_name_to_addr(query); - if ( a in sensitive_lookup_hosts && ! is_zone_xfer ) - event sensitive_addr_lookup(c, a, T); - - anno = fmt("?%s %As", query_types[qtype], a); - } - else - anno = fmt("%s %s", query_types[qtype], query); - - if ( ! is_zone_xfer && - (msg$num_answers > 0 || msg$num_auth > 0 || msg$num_addl > 0) ) - anno = fmt("%s ", anno, - msg$num_answers, msg$num_auth, msg$num_addl); - - return anno; - } - - -event dns_zone_transfer_request(c: connection, session: dns_session_info, - msg: dns_msg, query: string) - { - session$is_zone_transfer = T; - - if ( ! is_tcp_port(c$id$orig_p) ) - event conn_weird("UDP_zone_transfer", c); - - local src = c$id$orig_h; - if ( src !in zone_transfers_okay && - ++did_zone_transfer_notice[src] == 1 ) - { - NOTICE([$note=ZoneTransfer, $src=src, $conn=c, - $msg=fmt("transfer of %s requested by %s", query, src)]); - } - } - -event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) - { - local id = c$id; - local orig = id$orig_h; - local resp = id$resp_h; - local session = lookup_DNS_session(c, msg$id); - local anno = DNS_query_annotation(c, msg, query, qtype, F); - - local report = fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - local q: string; - - if ( query_types[qtype] == "AXFR" ) - { - event dns_zone_transfer_request(c, session, msg, query); - - q = DNS_query_annotation(c, msg, query, qtype, T); - report = fmt("%s ?%s", report, q); - } - else - report = fmt("%s %s Trunc:%s Recurs:%s", - report, query_types[qtype], query, msg$TC, msg$RD); - - if ( logging ) - print dns_log, fmt("%s", report); - - # Check to see if this is a host or MX lookup for a designated - # hostile domain. 
- if ( check_domain_list && - (query_types[qtype] == "A" || query_types[qtype] == "MX") && - second_level_domain(query) in hostile_domain_list ) - { - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s suspicious domain lookup: %s", id, query)]); - } - - session$pending_queries[msg$id] = anno; - session$last_active = network_time(); - } - -event dns_rejected(c: connection, msg: dns_msg, - query: string, qtype: count, qclass: count) - { - local session = lookup_DNS_session(c, msg$id); - local code = DNS_code_types[msg$rcode]; - local id = msg$id; - - if ( id in session$pending_queries ) - { - if ( logging ) - print dns_log, fmt("%.06f #%d %s %s", network_time(), - session$id, - session$pending_queries[id], - code); - - delete session$pending_queries[id]; - } - - else if ( logging ) - { - if ( c$start_time == network_time() ) - print dns_log, fmt("%.06f #%d [?%s] %s", network_time(), - session$id, query, code); - else - print dns_log, fmt("%.06f #%d %s", network_time(), - session$id, code); - } - } - -event PTR_scan_summary(src: addr) - { - NOTICE([$note=DNS_PTR_Scan_Summary, $src=src, - $msg=fmt("%s totaled %d/%d un/successful PTR lookups", src, - distinct_rejected_PTR_requests[src], - distinct_answered_PTR_requests[src]), - $sub="final summary"]); - } - -event PTR_scan(src: addr) - { - ++did_PTR_scan_event[src]; - - if ( src !in allow_PTR_scans && src !in okay_to_lookup_sensitive_hosts ) - { - NOTICE([$note=DNS_PTR_Scan, $src=src, - $msg=fmt("%s has made %d/%d un/successful PTR lookups", - src, distinct_rejected_PTR_requests[src], - distinct_answered_PTR_requests[src]), - $sub="scan detected"]); - - schedule 1 day { PTR_scan_summary(src) }; - } - } - -function check_PTR_scan(src: addr) - { - if ( src !in did_PTR_scan_event && - distinct_rejected_PTR_requests[src] >= - distinct_answered_PTR_requests[src] * report_rejected_PTR_factor ) - event PTR_scan(src); - } - -function DNS_answer(c: connection, msg: dns_msg, - ans: dns_answer, annotation: string) - { - 
local is_answer = ans$answer_type == DNS_ANS; - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - local id = msg$id; - local query: string; - - if ( id in session$pending_queries ) - { - query = fmt("%s = ", session$pending_queries[id], - query_types[ans$qtype]); - delete session$pending_queries[id]; - report = fmt("%s %s", report, query); - } - - else if ( session$is_zone_transfer ) - { # need to provide the query directly. - query = fmt("", query_types[ans$qtype]); - report = fmt("%s ?%s", report, query); - } - - else - { - # No corresponding query. This can happen if it's - # already been deleted because we've already processed - # an answer to it; or if the session itself was timed - # out prior to this answer being generated. In the - # first case, we don't want to provide the query again; - # in the second, we do. We can determine that we're - # likely in the second case if either (1) this session - # was just now created, or (2) we're now processing the - # sole answer to the original query. - # - # However, for now we punt. - # - # if ( c$start_time == network_time() || - # (is_answer && msg$num_answers == 1) ) - # { - # query = DNS_query_annotation(c, msg, ans$query, ans$qtype, F); - # report = fmt("%s [?%s]", report, query); - # } - # else - # query = ""; - - query = fmt("", query_types[ans$qtype]); - report = fmt("%s %s", report, query); - } - - # Append a bunch of additional annotation. 
- report = fmt("%s %s RCode:%s AA=%s TR=%s %s/%s/%s/%s", - report, annotation, base_error[msg$rcode], msg$AA, msg$TC, - msg$num_queries, msg$num_answers, msg$num_auth, msg$num_addl ); - - local src = c$id$orig_h; - - if ( msg$rcode != 0 ) - { - if ( /\?(PTR|\*.*in-addr).*/ in query ) - ##### should check for private address - { - if ( ++distinct_PTR_requests[src, query] == 1 && - ++distinct_rejected_PTR_requests[src] >= - report_rejected_PTR_thresh ) - check_PTR_scan(src); - } - - report = fmt("%s %s", report, DNS_code_types[msg$rcode]); - } - - else if ( is_answer ) - { - if ( /\?(PTR|\*.*in-addr).*/ in query ) - { - if ( annotation in actually_rejected_PTR_anno ) - { - if ( ++distinct_PTR_requests[src, query] == 1 && - ++distinct_rejected_PTR_requests[src] >= - report_rejected_PTR_thresh ) - check_PTR_scan(src); - } - else - { - if ( ++distinct_PTR_requests[src, query] == 1 ) - ++distinct_answered_PTR_requests[src]; - } - } - } - - if ( logging ) - print dns_log, fmt("%s TTL=%g", report, ans$TTL); - - ### Note, DNS_AUTH and DNS_ADDL not processed. 
- - session$last_active = network_time(); - } - -event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) - { - if ( a in sensitive_lookup_hosts ) - event sensitive_addr_lookup(c, a, F); - - DNS_answer(c, msg, ans, fmt("%As", a)); - - if ( resolver_consist_check ) - insert_name(c, msg, ans, a ); - - } - -event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s", name)); - } - -event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s %s", query_types[ans$qtype], name)); - } - -event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s", name)); - } - -event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa) - { - DNS_answer(c, msg, ans, fmt("%s", soa$mname)); - } - -event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string, - preference: count) - { - DNS_answer(c, msg, ans, fmt("%s/%d", name, preference)); - } - -event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer) - { - DNS_answer(c, msg, ans, "<---?--->"); - } - - -# From here on down we need to modify the way that data is recorded. The -# standard resource record format is no longer universally applicable in -# that we may see modified structs or some number of value pairs that may take -# more flexability in reporting. 
- -event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) - { - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - - if ( ans$is_query == 1 ) - report = fmt("%s ", report); - else - report = fmt("%s ", report); - - if ( logging ) - print dns_log, fmt("%s pldsize:%s RCode:%s VER:%s Z:%s", - report, ans$payload_size, - base_error[ans$extended_rcode], - ans$version, edns_zfield[ans$z_field]); - } - -event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional) - { - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - - # Error handling with this is a little odd: number collision with EDNS. - # We set the collided value to the first private space number. gross. - local trans_error_num = (ans$rr_error == 16) ? 3842 : ans$rr_error; - - if ( ans$is_query == 1 ) - report = fmt("%s ", report); - else - report = fmt("%s ", report); - - if ( logging ) - print dns_log, fmt("%s name:%s alg:%s origID:%s RCode:%s", - report, ans$query, ans$alg_name, - ans$orig_id, base_error[trans_error_num]); - } diff --git a/policy.old/drop-adapt.bro b/policy.old/drop-adapt.bro deleted file mode 100644 index b599770ded..0000000000 --- a/policy.old/drop-adapt.bro +++ /dev/null 
@@ -1,74 +0,0 @@ -# $Id: drop-adapt.bro 6940 2009-11-14 00:38:53Z robin $ -# -# Adjust load level based on packet drops. -# - -@load load-level - -# Increase load-level if packet drops are successively 'count' times -# above 'threshold' percent. -const drop_increase_count = 5 &redef; -const drop_increase_threshold = 5.0 &redef; - -# Same for decreasing load-level. -const drop_decrease_count = 15 &redef; -const drop_decrease_threshold = 0.0 &redef; - -# Minimum time to wait after a load-level increase before new decrease. -const drop_decrease_wait = 20 mins &redef; - -global drop_last_stat: net_stats; -global drop_have_stats = F; -global drop_above = 0; -global drop_below = 0; - -global drop_last_increase: time = 0; - -event net_stats_update(t: time, ns: net_stats) - { - if ( drop_have_stats ) - { - local new_recvd = ns$pkts_recvd - drop_last_stat$pkts_recvd; - local new_dropped = - ns$pkts_dropped - drop_last_stat$pkts_dropped; - - local p = new_dropped * 100.0 / new_recvd; - - drop_last_stat = ns; - - if ( p >= 0 ) - { - if ( p >= drop_increase_threshold ) - { - if ( ++drop_above >= drop_increase_count ) - { - increase_load_level(); - drop_above = 0; - drop_last_increase = t; - } - } - else - drop_above = 0; - - if ( t - drop_last_increase < drop_decrease_wait ) - return; - - if ( p <= drop_decrease_threshold ) - { - if ( ++drop_below >= drop_decrease_count ) - { - decrease_load_level(); - drop_below = 0; - } - } - else - drop_below = 0; - - } - } - else - { - drop_have_stats = T; - drop_last_stat = ns; - } - } diff --git a/policy.old/drop.bro b/policy.old/drop.bro deleted file mode 100644 index b2e75fa269..0000000000 --- a/policy.old/drop.bro +++ /dev/null 
@@ -1,340 +0,0 @@ -# $Id:$ -# -# drop.bro implements a drop/restore policy termed "catch-and-release" -# whereby the first time an address is dropped, it is restored a while after -# the last connection attempt seen. If a connection attempt is subsequently -# seen, however, then the system is blocked again, and for a longer time. -# -# This policy has significant benefits when using Bro to update router -# ACLs for which: -# - The router has a limited number of ACLs slots. -# - You care about possible reuse of IP addresses by now-benign hosts, -# so don't want blocks to last forever. -# -# Original code by Jim Mellander, LBNL. -# Updated by Brian Tierney, LBNL and by Robin Sommer, ICSI. - -@load site - -module Drop; - -export { - redef enum Notice += { - # Connectivity with given address has been dropped. - AddressDropped, - - # A request to drop connectivity has been ignored. - AddressDropIgnored, - - # Connectivity with given address has been restored. - AddressRestored, - - AddressAlreadyDropped, # host is already dropped - - # Previously dropped host connects again. - AddressSeenAgain, - - # Previous offenders re-dropped or re-restored. - RepeatAddressDropped, - RepeatAddressRestored, - }; - - # True if we have the capability to drop hosts at all. - const can_drop_connectivity = F &redef; - - # True if we never want to drop local addresses. - const dont_drop_locals = T &redef; - - # True if we should use the catch-and-release scheme. If not then - # we simply drop addresses via the drop_connectivity_script and - # never restore them (they must be restored out-of-band). - const use_catch_release = F &redef; - - # Catch-and-release parameters. - - # Interval to wait for release following inactivity after - # first offense. - global drop_time = 5 min &redef; - - # For repeat offenders: if the total time a host has already been - # dropped reaches persistent_offender_time, we drop the host for - # long_drop_time. 
Setting persistent_offender_time to zero disables
- # this functionality.
- const persistent_offender_time = 2 hr &redef;
- global long_drop_time = 12 hr &redef;
-
- # Scripts to perform the actual dropping/restore. They get the
- # IP address as their first argument.
- const drop_connectivity_script = "drop-connectivity" &redef;
- const restore_connectivity_script = "restore-connectivity" &redef;
-
- const root_servers = {
- a.root-servers.net, b.root-servers.net, c.root-servers.net,
- d.root-servers.net, e.root-servers.net, f.root-servers.net,
- g.root-servers.net, h.root-servers.net, i.root-servers.net,
- j.root-servers.net, k.root-servers.net, l.root-servers.net,
- m.root-servers.net,
- } &redef;
-
- const gtld_servers = {
- a.gtld-servers.net, b.gtld-servers.net, c.gtld-servers.net,
- d.gtld-servers.net, e.gtld-servers.net, f.gtld-servers.net,
- g.gtld-servers.net, h.gtld-servers.net, i.gtld-servers.net,
- j.gtld-servers.net, k.gtld-servers.net, l.gtld-servers.net,
- m.gtld-servers.net,
- } &redef;
-
- const never_shut_down = {
- root_servers, gtld_servers,
- } &redef;
-
- const never_drop_nets: set[subnet] &redef;
-
- # Drop the connectivity for the address. "msg" gives a reason.
- # It returns a copy of the NOTICE generated for the drop, which
- # gives more information about the kind of dropping performed.
- # If the notice type is NoticeNone, the drop was not successful
- # (e.g., because this Bro instance is not configured to do drops.)
- global drop_address: function(a: addr, msg: string) : notice_info;
-
- # The following events are used to communicate information about the
- # drops, in particular for C&R in the cluster setting.
-
- # Address has been dropped.
- global address_dropped: event(a: addr);
-
- # Raised when an IP is restored.
- global address_restored: event(a: addr);
-
- # Raised when an that was dropped in the past is no
- # longer monitored specifically for new connections.
- global address_cleared: event(a: addr);
-
- const debugging = F &redef;
- global debug_log: function(msg: string);
-}
-
-type drop_rec: record {
- tot_drop_count: count &default=0;
- tot_restore_count: count &default=0;
- actual_restore_count: count &default=0;
- tot_drop_time: interval &default=0secs;
- last_timeout: interval &default=0secs;
-};
-
-global clear_host: function(t: table[addr] of drop_rec, a: addr): interval;
-
-global drop_info: table[addr] of drop_rec
- &read_expire = 1 days &expire_func=clear_host &persistent;
-
-global last_notice: notice_info;
-
-function do_notice(n: notice_info)
- {
- last_notice = n;
- NOTICE(n);
- }
-
-function dont_drop(a: addr) : bool
- {
- return ! can_drop_connectivity || a in never_shut_down ||
- a in never_drop_nets || (dont_drop_locals && is_local_addr(a));
- }
-
-function is_dropped(a: addr) : bool
- {
- if ( a !in drop_info )
- return F;
-
- local di = drop_info[a];
-
- if ( di$tot_drop_count < di$tot_restore_count )
- { # This shouldn't happen.
- # FIXME: We need an assert().
- print "run-time error: more restores than drops!";
- return F;
- }
-
- return di$tot_drop_count > di$tot_restore_count;
- }
-
-global debug_log_file: file;
-
-function debug_log(msg: string)
- {
- if ( ! debugging )
- return;
-
- print debug_log_file,
- fmt("%.6f [%s] %s", network_time(), peer_description, msg);
- }
-
-event bro_init()
- {
- if ( debugging )
- {
- debug_log_file =
- open_log_file(fmt("drop-debug.%s", peer_description));
- set_buf(debug_log_file, F);
- }
- }
-
-function do_direct_drop(a: addr, msg: string)
- {
- if ( msg != "" )
- msg = fmt(" (%s)", msg);
-
- if ( a !in drop_info )
- {
- local tmp: drop_rec;
- drop_info[a] = tmp;
- }
-
- local di = drop_info[a];
-
- if ( is_dropped(a) )
- # Already dropped. Nothing to do.
- do_notice([$note=Drop::AddressAlreadyDropped, $src=a,
- $msg=fmt("%s%s", a, msg)]);
- else
- {
- system(fmt("%s %s", Drop::drop_connectivity_script, a));
-
- debug_log(fmt("sending drop for %s", a));
- event Drop::address_dropped(a);
-
- if ( di$tot_drop_count == 0 )
- do_notice([$note=Drop::AddressDropped, $src=a,
- $msg=fmt("%s%s", a, msg)]);
- else
- {
- local s = fmt("(%d times)", di$tot_drop_count + 1);
- do_notice([$note=Drop::RepeatAddressDropped,
- $src=a, $n=di$tot_drop_count+1,
- $msg=fmt("%s%s %s", a, msg, s), $sub=s]);
- }
- }
-
- ++di$tot_drop_count;
- debug_log(fmt("dropped %s: tot_drop_count=%d tot_restore_count=%d",
- a, di$tot_drop_count, di$tot_restore_count));
- }
-
-# Restore a previously dropped address.
-global do_restore: function(a: addr, force: bool);
-
-event restore_dropped_address(a: addr)
- {
- do_restore(a, F);
- }
-
-function do_catch_release_drop(a: addr, msg: string)
- {
- do_direct_drop(a, msg);
-
- local di = drop_info[a];
-
- local t = (persistent_offender_time != 0 sec &&
- di$tot_drop_time >= persistent_offender_time) ?
- long_drop_time : drop_time;
-
- di$tot_drop_time += t;
- di$last_timeout = t;
-
- schedule t { restore_dropped_address(a) };
- }
-
-function do_restore(a: addr, force: bool)
- {
- if ( a !in drop_info )
- return;
-
- local di = drop_info[a];
- ++drop_info[a]$tot_restore_count;
- debug_log(fmt("restored %s: tot_drop_count=%d tot_restore_count=%d force=%s", a, drop_info[a]$tot_drop_count, drop_info[a]$tot_restore_count, force));
-
- if ( di$tot_drop_count == di$tot_restore_count || force )
- {
- ++di$actual_restore_count;
- system(fmt("%s %s", Drop::restore_connectivity_script, a));
-
- debug_log(fmt("sending restored for %s", a));
- event Drop::address_restored(a);
-
- local t = di$last_timeout;
-
- if ( di$actual_restore_count == 1 )
- {
- local s1 = fmt("(timeout %.1f)", t);
- do_notice([$note=Drop::AddressRestored, $src=a,
- $msg=fmt("%s %s", a, s1), $sub=s1]);
- }
-
- else
- {
- local s2 = fmt("(%d times, timeout %.1f)",
- di$actual_restore_count, t);
- do_notice([$note=Drop::RepeatAddressRestored, $src=a,
- $n=di$tot_restore_count,
- $msg=fmt("%s %s", a, s2), $sub=s2]);
- }
- }
- }
-
-function clear_host(t: table[addr] of drop_rec, a: addr): interval
- {
- if ( is_dropped(a) )
- # Restore address.
- do_restore(a, T);
-
- debug_log(fmt("sending cleared for %s", a));
- event Drop::address_cleared(a);
-
- return 0 secs;
- }
-
-# Returns true if drop was successful (or IP was already dropped).
-function drop_address(a: addr, msg: string) : notice_info
- {
- debug_log(fmt("drop_address(%s, %s)", a, msg));
-
- last_notice = [$note=NoticeNone];
-
- if ( dont_drop(a) )
- do_notice([$note=AddressDropIgnored, $src=a,
- $msg=fmt("ignoring request to drop %s (%s)", a, msg)]);
- else if ( use_catch_release )
- do_catch_release_drop(a, msg);
- else
- do_direct_drop(a, msg);
-
- if ( last_notice$note == NoticeNone )
- print "run-time error: drop_address did not raise a NOTICE";
-
- return last_notice;
- }
-
-event new_connection(c: connection)
- {
- if ( ! can_drop_connectivity )
- return;
-
- # With Catch & Release, 1 connection from a previously dropped system
- # triggers an immediate redrop.
- if ( ! use_catch_release )
- return;
-
- local a = c$id$orig_h;
-
- if ( a !in drop_info )
- # Never dropped.
- return;
-
- local di = drop_info[a];
- if ( is_dropped(a) )
- # Still dropped.
- return;
-
- NOTICE([$note=AddressSeenAgain, $src=a,
- $msg=fmt("%s seen again after release", a)]);
- }
diff --git a/policy.old/dyn-disable.bro b/policy.old/dyn-disable.bro
deleted file mode 100644
index b1b5bd937e..0000000000
--- a/policy.old/dyn-disable.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: dyn-disable.bro,v 1.1.4.3 2006/05/31 01:52:02 sommer Exp $
-#
-# When this script is loaded, analyzers that raise protocol_violation events
-# are disabled for the affected connection.
-
-# Note that this a first-shot solution. Eventually, we should make the
-# disable-decision more fine-grained/sophisticated.
-
-@load conn
-@load notice
-
-module DynDisable;
-
-export {
- redef enum Notice += {
- ProtocolViolation
- };
-
- # Ignore violations which go this many bytes into the connection.
- const max_volume = 10 * 1024 &redef;
-}
-
-global conns: table[conn_id] of set[count];
-
-event protocol_violation(c: connection, atype: count, aid: count,
- reason: string)
- {
- if ( c$id in conns && aid in conns[c$id] )
- return;
-
- local size = c$orig$size + c$resp$size;
-
- if ( max_volume > 0 && size > max_volume )
- return;
-
- # Disable the analyzer that raised the last core-generated event.
- disable_analyzer(c$id, aid);
-
- NOTICE([$note=ProtocolViolation, $conn=c,
- $msg=fmt("%s analyzer %s disabled due to protocol violation",
- id_string(c$id), analyzer_name(atype)),
- $sub=reason, $n=atype]);
-
- if ( c$id !in conns )
- conns[c$id] = set();
-
- add conns[c$id][aid];
- }
-
-event connection_state_remove(c: connection)
- {
- delete conns[$id=c$id];
- }
diff --git a/policy.old/file-flush.bro b/policy.old/file-flush.bro
deleted file mode 100644
index 481d078e59..0000000000
--- a/policy.old/file-flush.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: file-flush.bro 786 2004-11-24 08:25:16Z vern $
-
-# Causes all files to be flushed every file_flush_interval seconds.
-# Useful if you want to poke through the log files in real time,
-# particularly if network traffic is light.
-
-global file_flush_interval = 10 sec &redef;
-
-event file_flush_event()
- {
- flush_all();
- schedule file_flush_interval { file_flush_event() };
- }
-
-event bro_init()
- {
- schedule file_flush_interval { file_flush_event() };
- }
diff --git a/policy.old/finger.bro b/policy.old/finger.bro
deleted file mode 100644
index 7765ce45c6..0000000000
--- a/policy.old/finger.bro
+++ /dev/null
@@ -1,69 +0,0 @@
-# $Id: finger.bro 4758 2007-08-10 06:49:23Z vern $
-
-module Finger;
-
-export {
- const hot_names = {
- "root", "lp", "uucp", "nuucp", "demos", "operator", "sync",
- "r00t", "tutor", "tour", "admin", "system", "guest", "visitor",
- "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
- } &redef;
-
- const max_finger_request_len = 80 &redef;
-}
-
-redef capture_filters += { ["finger"] = "port finger" };
-
-# DPM configuration.
-global finger_ports = { 79/tcp } &redef;
-redef dpd_config += { [ANALYZER_FINGER] = [$ports = finger_ports] };
-
-function public_user(user: string): bool
- {
- return T;
- }
-
-function authorized_client(host: addr): bool
- {
- return T;
- }
-
-event finger_request(c: connection, full: bool, username: string, hostname: string)
- {
- local id = c$id;
- local request: string;
-
- if ( hostname != "" )
- request = cat(username, "@", hostname);
- else
- request = username;
-
- if ( byte_len(request) > max_finger_request_len )
- {
- request = fmt("%s...", sub_bytes(request, 1, max_finger_request_len));
- ++c$hot;
- }
-
- if ( hostname != "" )
- ++c$hot;
-
- if ( username in hot_names )
- ++c$hot;
-
- local req = request == "" ? "ALL" : fmt("\"%s\"", request);
-
- if ( full )
- req = fmt("%s (/W)", req);
-
- if ( c$addl != "" )
- # This is an additional request.
- req = fmt("(%s)", req);
-
- append_addl_marker(c, req, " *");
- }
-
-function is_finger_conn(c: connection): bool
- {
- return c$id$resp_p == finger;
- }
-
diff --git a/policy.old/firewall.bro b/policy.old/firewall.bro
deleted file mode 100644
index 59a92206b4..0000000000
--- a/policy.old/firewall.bro
+++ /dev/null
@@ -1,195 +0,0 @@
-# $Id: firewall.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Firewall-like rules.
-
-@load notice
-@load conn
-@load ftp
-
-module Firewall;
-
-export {
- type action: enum { ALLOW, DENY };
- type cmp: enum { EQ, NE };
-
- type rule: record {
- label: string &default = "";
- orig: subnet &default = 0.0.0.0/0;
- orig_set: set[addr] &optional;
- orig_cmp: cmp &default = EQ;
- orig_p: port &default = 0/tcp;
- orig_p_cmp: cmp &default = EQ;
- resp: subnet &default = 0.0.0.0/0;
- resp_set: set[addr] &optional;
- resp_cmp: cmp &default = EQ;
- resp_p: port &default = 0/tcp;
- resp_p_cmp: cmp &default = EQ;
- prot: transport_proto &default = unknown_transport;
- prot_cmp: cmp &default = EQ;
- state: string &default = "";
- state_cmp: cmp &default = EQ;
- is_ftp: bool &default = F;
-
- action: action &default = ALLOW;
- };
-
- redef enum Notice += {
- DenyRuleMatched
- };
-
- global begin: function(c: connection);
- global match_rule: function(c: connection, r: rule);
-}
-
-const log_file = open_log_file("firewall") &redef;
-
-global stop_matching = F;
-
-function do_match(c: connection, r: rule): bool
- {
- if ( r$orig_cmp == EQ )
- {
- if ( r?$orig_set )
- {
- if ( c$id$orig_h !in r$orig_set && c$id$orig_h !in r$orig )
- return F;
- }
- else
- {
- if ( c$id$orig_h !in r$orig )
- return F;
- }
- }
- else
- {
- if ( r?$orig_set )
- {
- if ( c$id$orig_h in r$orig_set || c$id$orig_h in r$orig )
- return F;
- }
- else
- {
- if ( c$id$orig_h in r$orig )
- return F;
- }
- }
-
- if ( r$resp_cmp == EQ )
- {
- if ( r?$resp_set )
- {
- if ( c$id$resp_h !in r$resp_set && c$id$resp_h !in r$resp )
- return F;
- }
- else
- {
- if ( c$id$resp_h !in r$resp )
- return F;
- }
- }
- else
- {
- if ( r?$resp_set )
- {
- if ( c$id$resp_h in r$resp_set || c$id$resp_h in r$resp )
- return F;
- }
- else
- {
- if ( c$id$resp_h in r$resp )
- return F;
- }
- }
-
- if ( r$orig_p != 0/tcp )
- {
- if ( r$orig_p_cmp == EQ )
- {
- if ( c$id$orig_p != r$orig_p )
- return F;
- }
- else
- if ( c$id$orig_p == r$orig_p )
- return F;
- }
-
- if ( r$resp_p != 0/tcp )
- {
- if ( r$resp_p_cmp == EQ )
- {
- if ( c$id$resp_p != r$resp_p )
- return F;
- }
- else
- if ( c$id$resp_p == r$resp_p )
- return F;
- }
-
- if ( r$state != "" )
- {
- local state = conn_state(c, get_port_transport_proto(c$id$orig_p));
- if ( r$state_cmp == EQ )
- {
- if ( state != r$state )
- return F;
- }
- else
- if ( state == r$state )
- return F;
- }
-
- if ( r$prot != unknown_transport )
- {
- local proto = get_port_transport_proto(c$id$orig_p);
- if ( r$prot_cmp == EQ )
- {
- if ( proto != r$prot )
- return F;
- }
- else
- if ( proto == r$prot )
- return F;
- }
-
- if ( r$is_ftp && ! FTP::is_ftp_data_conn(c) )
- return F;
-
- return T;
- }
-
-
-function report_violation(c: connection, r:rule)
- {
- local trans = get_port_transport_proto(c$id$orig_p);
- local state = conn_state(c, trans);
-
- NOTICE([$note=DenyRuleMatched,
- $msg=fmt("%s %s",
- id_string(c$id), trans), $conn=c, $sub=r$label]);
- append_addl(c, fmt("<%s>", r$label));
- record_connection(log_file, c);
- }
-
-function begin(c: connection)
- {
- stop_matching = F;
- }
-
-function match_rule(c: connection, r: rule)
- {
- if ( stop_matching )
- return;
-
- if ( do_match(c, r) )
- {
- stop_matching = T;
-
- if ( r$action == DENY )
- report_violation(c, r);
- }
- }
-
-event bro_init()
- {
- set_buf(log_file, F);
- }
diff --git a/policy.old/flag-irc.bro b/policy.old/flag-irc.bro
deleted file mode 100644
index 60d687bff7..0000000000
--- a/policy.old/flag-irc.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: flag-irc.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# include this module to flag various forms of IRC access.
-
-@load ftp
-
-redef FTP::hot_files +=
- /.*eggdrop.*/
- | /.*eggsun.*/
- ;
-
-redef Hot::flag_successful_inbound_service: table[port] of string += {
- [[6666/tcp, 6667/tcp]] = "inbound IRC",
-};
-
-redef Hot::hot_dsts: table[addr] of string += {
- [bitchx.com] = "IRC source sites",
-};
diff --git a/policy.old/flag-warez.bro b/policy.old/flag-warez.bro
deleted file mode 100644
index 6781252338..0000000000
--- a/policy.old/flag-warez.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: flag-warez.bro 416 2004-09-17 03:52:28Z vern $
-#
-# include this module to flag various forms of Warez access.
-
-@load hot-ids
-@load ftp
-
-redef FTP::hot_files += /.*[wW][aA][rR][eE][zZ].*/ ;
-
-redef always_hot_ids += { "warez", "hanzwarez", "zeraw", };
-redef hot_ids += { "warez", "hanzwarez", "zeraw", };
diff --git a/policy.old/frag.bro b/policy.old/frag.bro
deleted file mode 100644
index fcced8cd9a..0000000000
--- a/policy.old/frag.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
-# common due to high-volume, fragmenting protocols such as NFS :-(.
-
-redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
-
-redef frag_timeout = 5 min;
diff --git a/policy.old/ftp-reply-pattern.bro b/policy.old/ftp-reply-pattern.bro
deleted file mode 100644
index 59c507978e..0000000000
--- a/policy.old/ftp-reply-pattern.bro
+++ /dev/null
@@ -1,1317 +0,0 @@ -# $Id: ftp-reply-pattern.bro 6 2004-04-30 00:31:26Z jason $ - -@load ftp-anonymizer - -redef process_ftp_reply_by_message_pattern = T; - - -# A line of reply message is split into fields with the following -# regular expression. The regular expression defines the pattern of -# field separators. Basically a field separator is blank space -# enclosed by optional punctuations. - -const ftp_msg_field_separator = - /@@BOL@@ [[:space:][:punct:]]*( @@EOL@@)?/ - | /[[:space:][:punct:]]+/ - | /[[:space:][:punct:]]* @@EOL@@/ - ; - -# Type *msg_format_info* defines a message format extracted from -# messages. - -type msg_format_info: record { - parts: string_array; - code: count; - msg: string; # one of the original messages - hit: count; # number of messages that match the pattern -}; - -type msg_format_group: table[string] of msg_format_info; -global msg_format_groups: table[string] of msg_format_group; - - -# A pattern string (derived from one or more message formats) contains -# fields enclosed by '|': e.g. -# -# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@" -# -# Thus we the field separator can be defined by the following pattern: -# everything up to the first '|', after the last '|', or between two -# adjacent '|'s in the middle. - -const ftp_pattern_field_separator = - /@@BOL@@ @@EOL@@/ - | /@@BOL@@ [^|]*\|/ - | /\|[^|]+\|/ - | /\|[^|]* @@EOL@@/ - ; - -# A message pattern is very similar to a message format, except that -# the former is for message pattern matching and thus is used in a -# different phase than a message format, which is used in pattern -# extraction. 
- -type msg_pattern_info: record { - code: count; - str: string; - num_parts: count; - parts: string_array; - sep: string_array; - tok: string_array; - hit: count; -}; - -type msg_pattern_group: table[string] of msg_pattern_info; -global msg_pattern_groups: table[string] of msg_pattern_group; - - -# Here starts patterns of individual fields (numbers, ip address, domain -# name, etc.) in the reply message: - -# Numbers (including float numbers and negative numbers) -const ftp_number_pat = /[\-]?[0-9]+(\.[0-9]+)?/; - -# English words (including 's and 't) -# const ftp_word_pat = - /[[:alpha:]]*('m|'re|[[:alpha:]]'s|s'|n't|'d|'ve|'ll)|[[:alpha:]]+/ - ; - -# File modes in ls -l (seen in replies for STAT) -const ftp_file_mode_pat = /[ld\-]([r-][w-][xs-]){3}/; - -# FTP server version string -const ftp_server_version_pat = /[a-zA-Z0-9]+([\.\-_][a-zA-Z0-9]+)+/ &redef; - -# FTP path name -# -# As it is not clear how to define a pattern for path names, it is -# defined in two aspects: first, we define a pattern for strings that -# are path names *almost for sure*: - -const ftp_path_pat = /\/.+\/.*/ - | /README/ - | /.*\.(gz|tar|Z|ps|pdf)/ # TODO: add other extensions - | /[A-Z]:[\\\/].*/ # a path name almost for sure - ; - -# Second, we define a pattern for strings that can possibly be a path name: -# const ftp_file_name_pat = /[[:print:]]+/; -# -# Together, we assume that -# Set(ftp_path_pat) <= Set(path names) <= Set(ftp_file_name_pat) - -# DOS file names -const ftp_dos_path_pat = /[A-Z]:[\\\/].*/; - - -# Finally, a table of message field patterns -const ftp_msg_part_patterns = { - ["~ num"] = ftp_number_pat, - ["~ port"] = ftp_port_pat, - ["~ ip"] = ftp_ip_pat, - ["~ domain"] = ftp_domain_name_pat, - ["~ file_mode"] = ftp_file_mode_pat, - ["~ time"] = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/, - ["~ day"] = /Mon|Tue|Wed|Thu|Fri|Sat|Sun/, - ["~ month"] = /Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec/, - ["~ ip,port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3},[0-9]+/, - ["~ ip:port"] 
= /[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+/, - ["~ email"] = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/, - ["~ path"] = ftp_path_pat, - ["~ url"] = /http:\/\/.+/, -} &redef; - - -# One critical issue in understanding an FTP reply message is to -# recognize the request arguments in messages. The argument of an FTP -# request may appear in various forms in the reply message, -# e.g. argument "/abc//def/" may appear as "/abc/def/" (eliminate -# duplicat /), "/abc/def" (w/o last /), or even "def" (base file name -# only). - -# Type *ftp_arg_variant* defines the set of variants of an argument, -# and function *expand_ftp_arg_variants* expands an argument to -# its variants. - -type ftp_arg_variants: record { - arg: string; # the argument - path: string; # after eliminating options - norm_path: string; # normalized path, after eliminating dup slashes - abs_path: string; # the absolute path - base_path: string; # the base file name only, without the directory part -}; - - -# Trace-specific anonymization of replies -# 1. Whether function anonymize_trace_specific_reply is defined: -const trace_specific_reply_anonymization = F &redef; - -# 2. Result of message anonymization -type ftp_reply_anon_result: record { - anonymized: bool; - msg: string; -}; - -# 3. The trace-specific function (to be defined externally) -global anonymize_trace_specific_reply: - function(session: ftp_session_info, code: count, msg: string, - cmd_arg: ftp_cmd_arg, - arg_var: ftp_arg_variants): ftp_reply_anon_result; - - -# Other global states: - -# Reply messages that are entirely stripped out (e.g. server banner message) -global msg_stripped_out: set[string]; - -# Remember wildcard matches to suppress the number of outputs -global all_wildcard_matches: set[string, string]; - - -# PART I. 
Message pattern extraction - -function init_msg_format_info(parts: string_array, code: count, msg: string, level: count): msg_format_info - { - return [$parts = parts, - $code = code, - $msg = msg, - $hit = 0]; - } - - -# Whether the pattern defined by *parts* is a sub-pattern of -# *fmt_parts*. - -function match_msg_format(fmt_parts: string_array, parts: string_array): bool - { - if ( length(fmt_parts) != length(parts) ) - return F; - - for ( i in fmt_parts ) - { - if ( i % 2 == 1 ) - { - local t1 = fmt_parts[i]; - local t2 = parts[i]; - - if ( t1 == t2 || t1 == "~ *" || - (t1 == "~ path" && - (t2 == ftp_file_name_pat || t2 == "~ num")) ) - ; # t2 matches t1 - else - return F; - } - } - - return T; - } - - -# Abstract msg_parts[k]. The whole msg_parts is passed because the -# function needs to look at the context to decide whether a pattern is -# applicable (in the case of version pattern). - -function abstract_msg_part(msg_parts: string_array, k: count, other_pat: table[string] of string): string - { - local part = msg_parts[k]; - local abs_part: string; - - if ( part in other_pat ) - abs_part = other_pat[part]; - else if ( k > 2 && - msg_parts[int_to_count(k-2)] == /[Vv]er(sion)?|[Rr]elease|.*ftpd.*|Server|Process/ && - part == ftp_server_version_pat && - part != ftp_domain_name_pat ) - abs_part = "~ version"; - else if ( part == ftp_msg_part_patterns["~ path"] && - part == ftp_file_name_pat ) - abs_part = "~ path"; - else - { - local known_pattern = 0; - - for ( pat_ty in ftp_msg_part_patterns ) - if ( part == ftp_msg_part_patterns[pat_ty] ) - { - ++known_pattern; - abs_part = pat_ty; - } - if ( known_pattern > 1 ) - print ftp_anon_log, - fmt("ERROR: ambiguous ftp msg part pattern: %s", part); - if ( known_pattern != 1 ) - abs_part = part; - } - - return abs_part; - } - - -# Transform a message format to a pattern string. 
- -function fmt_parts_to_string(parts: string_array): string - { - local p: string_array; - local num_parts = length(parts); - for ( i in parts ) - { - local s = parts[i]; - - if ( i == 1 || i == num_parts ) - p[i] = ""; - else if ( i % 2 == 1 ) - p[i] = string_cat("|", to_lower(s), "|"); - else - p[i] = " "; - } - return string_cat("@@BOL@@", cat_string_array(p), "@@EOL@@"); - } - - -# Extract the format of a message, if it does not match any known -# format. The message is already splitted into *msg_parts*, and the -# *act_msg* is only used for logging and debugging. Parameter -# *other_pat* defines an instance-specific mapping from strings to -# field types (e.g. "~ cmd", "~ arg"). For example, when "/fileA" is -# the argument of the corresponding FTP requests, other_pat["/fileA"] -# = "~ arg". - -function extract_ftp_reply_pattern(code: count, act_msg: string, msg_parts: string_array, - other_pat: table[string] of string, - session: ftp_session_info): bool - { - local num_parts = length(msg_parts); - - # Abstract each part of the message. 
- local abs_parts: string_array; - for ( i in msg_parts ) - { - if ( i % 2 == 1 ) - abs_parts[i] = abstract_msg_part(msg_parts, i, other_pat); - else - abs_parts[i] = msg_parts[i]; - } - - # Derive the abstract message format - local abs_msg = fmt_parts_to_string(abs_parts); - - # Locate the corresponding format group - local ind = fmt("%3d %3d", code, num_parts); - local fmt_group: msg_format_group; - - if ( ind in msg_format_groups ) - fmt_group = msg_format_groups[ind]; - else - msg_format_groups[ind] = fmt_group; - - # Check existing message formats - if ( abs_msg in fmt_group ) - { - ++fmt_group[abs_msg]$hit; - return F; - } - - local the_fmt = init_msg_format_info(abs_parts, code, - fmt("%s: %s", id_string(session$connection_id), act_msg), 1); - the_fmt$hit = 1; - - # Check whether it is a sub-format of a known format, or vice versa - - # Whether the_fmt is a sub-format of another format - local sub_format = F; - - # Which other formats are sub-formats of the_fmt - local sub_format_set: set[string]; - - for ( fm2 in fmt_group ) - { - local f2 = fmt_group[fm2]; - if ( match_msg_format(f2$parts, abs_parts) ) - { - sub_format = T; # abs_parts is a sub-format of f2 - ++f2$hit; - } - else if ( match_msg_format(abs_parts, f2$parts) ) - add sub_format_set[fm2]; - else - ; # do nothing - } - - # Do not add the format if it is a sub-format of another one. - if ( ! 
sub_format ) - { - fmt_group[abs_msg] = the_fmt; - - # remove sub-formats of this message - for ( fm3 in sub_format_set ) - { - the_fmt$hit = the_fmt$hit + fmt_group[fm3]$hit; - delete fmt_group[fm3]; - } - } - - return T; - } - -function print_msg_format(the_log: file, ind: string, m: string, f: msg_format_info) - { - local lm = to_string_literal(m); - if ( lm != m ) - print the_log, fmt("special_character_in_pattern: \"%s\"", lm); - local fm = fmt("%d %s", f$code, lm); - local pat_ind = fmt("%3d %3d", f$code, length(f$parts)); - - print the_log, fmt("reply_pattern: $%s$ \"%s\", # \"%s\"", - ind, fm, f$msg); - - if ( pat_ind in msg_pattern_groups && fm in msg_pattern_groups[pat_ind] ) - print the_log, fmt("ERROR: pattern_already_exists: \"%s\"", fm); - } - -event bro_done() - { - for ( ind in msg_format_groups ) - { - local fmt_group = msg_format_groups[ind]; - for ( m2 in fmt_group ) - print_msg_format(ftp_anon_log, ind, m2, fmt_group[m2]); - } - } - - -# PART II. Read and parse patterns - -type msg_pattern_result: record { - valid: bool, - msg_pat: msg_pattern_info, -}; - - -# Parse message pattern string -- put the separators in and -# tokens in . 
- -function parse_msg_format(fm: string): msg_pattern_result - { - local msg_pat: msg_pattern_info; - local ret = [$valid = F, $msg_pat = msg_pat]; - - # Separate the reply code from the rest of the pattern string - local code_fmt = split1(fm, / /); - local sep: string_array; - local tok: string_array; - - msg_pat$code = to_count(code_fmt[1]); - msg_pat$str = fm; - # print ftp_anon_log, fmt("msg_format: %d \"%s\"", msg_pat$code, msg_pat$str); - msg_pat$sep = sep; - msg_pat$tok = tok; - msg_pat$hit = 0; - - # Split the pattern string with the pattern field separator - local parts = split_all(code_fmt[2], ftp_pattern_field_separator); - local num_parts = length(parts); - msg_pat$parts = parts; - msg_pat$num_parts = num_parts; - - for ( i in parts ) - { - local s = parts[i]; - local j: count; - if ( i % 2 == 0 ) - { - j = int_to_count(i / 2); - sep[j] = s; - } - else if ( i > 1 && i < num_parts ) - { - j = int_to_count((i - 1) / 2); - tok[j] = s; - } - else - ; # do nothing - } - - ret$valid = T; - return ret; - } - - -# Parse the pattern string and insert the pattern into -# msg_pattern_groups. - -function process_predefined_msg_format(f: string): bool - { - local r: msg_pattern_result; - r = parse_msg_format(f); - if ( ! r$valid ) - return F; - local msg_pat = r$msg_pat; - - local pat_ind = fmt("%3d %3d", msg_pat$code, msg_pat$num_parts); - - local pat_group: msg_pattern_group; - if ( pat_ind !in msg_pattern_groups ) - msg_pattern_groups[pat_ind] = pat_group; - else - pat_group = msg_pattern_groups[pat_ind]; - - if ( msg_pat$str in pat_group ) - return F; # there should not be duplicates - pat_group[msg_pat$str] = msg_pat; - - return T; - } - -const ftp_msg_format_white_list: set[string] = {} &redef; - -event bro_init() - { - for ( f in ftp_msg_format_white_list ) - process_predefined_msg_format(f); - } - - -# PART III. Merge message patterns - -# moved to ftp-merge-pattern.bro - -# PART IV. 
Message pattern matching - -# Note that $parts is not redundant with $pat, because each field in -# $pat may contain multiple patterns, as in -# -# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@" -# -# $parts tells whether "~ domain" or "~ ip" is matched. - -type msg_pattern_match_result: record { - valid: bool; - pat: msg_pattern_info; # the pattern matched - parts: string_array; # the matched pattern of each part -}; - - -# Return -1 if t1 is more specific than t2, 1 if vice versa, and 0 if -# t1 equals to t2 or if t1 and t2 are incomparable. - -function cmp_pattern_part(t1: string, t2: string): int - { - if ( t1 == t2 ) return 0; - - local ret: int = 0; - - if ( t1 != /~ .*/ || t2 != /~ .*/ ) - { - if ( t2 == /~ .*/ ) ret = -1; # t1 < t2 - if ( t1 == /~ .*/ ) ret = 1; # t2 < t1 - } - else if ( t1 == /~ (arg|cmd)/ || t2 == /~ (arg|cmd)/ ) - { - if ( t2 != /~ (arg|cmd)/ ) ret = -1; # t1 < t2 - if ( t1 != /~ (arg|cmd)/ ) ret = 1; # t2 < t1 - } - else if ( t1 == "~ ip" && t2 == "~ domain" ) - ret = -1; - else if ( t1 == "~ domain" && t2 == "~ ip" ) - ret = 1; - else if ( t1 == "~ *" || t2 == "~ *" ) - { - if ( t1 != "~ *" ) ret = -1; - if ( t2 != "~ *" ) ret = 1; - } - - # print ftp_anon_log, - # fmt("compare pattern part: \"%s\" vs. \"%s\" = %d", t1, t2, ret); - - if ( ret == 0 ) - print ftp_anon_log, - fmt("ERROR: cannot compare pattern part: \"%s\" vs. \"%s\"", t1, t2); - return ret; - } - - -# Which pattern is more specific, returns -1 if m1 < m2, ... - -function cmp_msg_pattern_match(m1: msg_pattern_match_result, m2: msg_pattern_match_result): int - { - local b1 = F; # whether part of m1 is more specific - local b2 = F; # whether part of m2 is more specific - - for ( i in m1$parts ) - { - local c = cmp_pattern_part(m1$parts[i], m2$parts[i]); - if ( c < 0 ) b1 = T; - if ( c > 0 ) b2 = T; - } - if ( b1 && ! b2 ) return -1; - if ( ! b1 && b2 ) return 1; - - print ftp_anon_log, - fmt("ERROR: cannot compare pattern match: \"%s\" vs. 
\"%s\"", m1$pat$str, m2$pat$str); - return 0; - } - - -# Whether data matches pat. Parameter aux_pat contains a set of (data, -# pat) pairs in addition to the predefined patterns and usually -# contains pairs such as "~ cmd : USER", "~ arg : anonymous". - -function do_match_pattern_part(pat: string, data: string, aux_pat: set[string]): bool - { - if ( pat == /~ .+[-+]/ ) # with a flag - pat = cut_tail(pat, 1); # ignore the flag - - if ( string_cat(pat, " : ", data) in aux_pat ) - return T; - else if ( pat != /~ .*/ ) # not an abstract pattern - { - return ( to_lower(data) == pat ); - } - else if ( pat == "~ *" ) - return T; # always match - else if ( pat == "~ path" ) - { - return ( data == ftp_file_name_pat || - /\// in data || /\\ / in data ); - } - else if ( pat == "~ domain" ) - { - return ( data == /([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/ ); - } - else if ( pat == "~ version" ) - { - return ( data == /[A-Za-z0-9\-\.\_]+/ ); - } - else if ( pat in ftp_msg_part_patterns ) - { - return ( data == ftp_msg_part_patterns[pat] ); - } - else - return F; - } - - -# Return the most promising part of that matches , where -# = ", [, ...]". - -function match_pattern_part(pat: string, data: string, aux_pat: set[string]): string - { - # print ftp_anon_log, fmt("part_match: \"%s\" ~? \"%s\"", data, pat); - - local best = "~ none"; - local pp = split(pat, /, /); - for ( i in pp ) - { - local p = pp[i]; - if ( do_match_pattern_part(p, data, aux_pat) ) - { - if ( best == "~ none" || cmp_pattern_part(best, p) > 0 ) - best = p; - } - } - - # if ( best != "~ none" ) - # print ftp_anon_log, fmt("part_match: \"%s\" ~ \"%s\"", data, best); - - return best; - } - - -# Return T if the message (act_msg) matches the pattern; otherwise -# return F. 
- -function do_msg_pattern_match(act_msg: string, msg_parts: string_array, - msg_pat: msg_pattern_info, aux_pat: set[string]): msg_pattern_match_result - { - local ret: msg_pattern_match_result; - ret$valid = F; - - local num_parts = length(msg_parts); - local pat = msg_pat$tok; - - local data: string_array; - for ( i2 in msg_parts ) - if ( i2 % 2 == 1 && i2 > 1 && i2 < num_parts ) - data[int_to_count((i2-1)/2)] = msg_parts[i2]; - - if ( length(pat) != length(data) ) - return ret; - - local matched: string_array; - - for ( i in pat ) - { - local m = match_pattern_part(pat[i], data[i], aux_pat); - if ( m == "~ none" ) - return ret; - matched[i] = m; - } - - ret$valid = T; - ret$parts = matched; - ret$pat = msg_pat; - return ret; - } - - -# Anonymize a data field according to its pattern type. - -function anonymize_msg_part(data: string, pat: string, - cmd_arg: ftp_cmd_arg, session: ftp_session_info): string - { - if ( pat == /~ .+[-+]/ ) - { - local pat_len = byte_len(pat); - local annotation = sub_bytes(pat, pat_len, 1); # the last character - if ( annotation == "+" ) # to expose the data - return data; - else if ( annotation == "-" ) # to hide the data - return "<->"; - pat = cut_tail(pat, 1); # otherwise ignore the annotation - } - - if ( pat == "~ cmd" ) - return cmd_arg$anonymized_cmd; - else if ( pat == "~ arg" ) - return cmd_arg$anonymized_arg; - else if ( pat == "~ num" ) - return ""; # hide the number by default - else if ( pat == "~ port" ) - return anonymize_port_arg(session, "", data); - else if ( pat == "~ ip" ) - { - local a = parse_dotted_addr(data); - return cat(anonymize_address(a, session$connection_id)); - } - else if ( pat == "~ domain" ) - return ""; - else if ( pat == "~ file_mode" ) - return ""; - else if ( pat == "~ time" || pat == "~ day" || pat == "~ month" ) - return data; - else if ( pat == "~ email" ) - return ""; - else if ( pat == "~ url" ) - return ""; - else if ( pat == "~ ip,port" || pat == "~ ip:port" ) - { - local b = 
split_all(data, /[:,]/); - b[1] = cat(anonymize_address(parse_dotted_addr(b[1]), session$connection_id)); - return cat_string_array(b); - } - else if ( pat == "~ path" || pat == "~ dir" ) - return anonymize_file_name_arg(session, "", data, - (session$reply_code >= 100 && session$reply_code < 300)); - else if ( pat == "~ version" ) - return data; # keep version of the server - else if ( pat == "~ *" ) - return "<*>"; - else - { - return ""; - print ftp_anon_log, fmt("ERROR: do not know how to anonymize pattern: %s", pat); - } - } - - -# Compute a unique id that does not appear in . - -function get_unique_subst_id(context: string, seed: string): string - { - local id = string_cat("X", md5_hmac(seed), "X"); - if ( strstr(context, id) > 0 ) - return get_unique_subst_id(context, string_cat(seed, ".")); - return id; - } - - -# Substitute all occurances of in with a unique id, if -# the occurrance of is followed by (context-sensitive -# substitution), and add to the mapping -> -# . It returns the message after substitution. - -function subst_part(msg1: string, part: string, suffix: string, subst_map: table[string] of string): string - { - local ps = string_cat(part, suffix); - if ( strstr(msg1, ps) <= 0 ) return msg1; - local subst_id = get_unique_subst_id(msg1, part); - subst_map[subst_id] = part; - return subst_string(msg1, ps, string_cat(subst_id, suffix)); - } - - -# Expand argument variants (see comments of ftp_arg_variants). 
- -function expand_ftp_arg_variants(session: ftp_session_info, cmd_arg: ftp_cmd_arg): ftp_arg_variants - { - local var: ftp_arg_variants; - - var$arg = cmd_arg$arg; - var$path = "~ none"; - var$norm_path = "~ none"; - var$abs_path = "~ none"; - var$base_path = "~ none"; - - if ( cmd_arg$cmd in ftp_cmds_with_file_arg ) - { - local opt_fn = separate_option_str(cmd_arg$arg); - var$path = opt_fn$file_name; - - # eliminate duplicate slashes - local norm_path = subst(var$path, /\/+|\\+/, "/"); - # eliminate '/./' (as '/') - norm_path = subst(norm_path, /\/(\.\/)+/, "/"); - if ( norm_path == /.*\/\./ ) # end with '/.' - norm_path = cut_tail(norm_path, 1); - - # compress .. - norm_path = compress_path(norm_path); - - if ( var$path == ftp_dos_path_pat ) - { - norm_path = subst(norm_path, /\//, "\\"); - # cut the last '\' off if it is not "C:\" - if ( norm_path == /.*\\/ && norm_path != /[[:alpha:]]:\\/ ) - norm_path = cut_tail(norm_path, 1); - } - else - { - if ( norm_path == /.*\// && norm_path != /\//) # if it is not '/' - norm_path = cut_tail(norm_path, 1); - } - - var$norm_path = norm_path; - - var$abs_path = absolute_path(session, norm_path); - - var$base_path = subst(norm_path, /.*(\/+|\\+)/, ""); - # But ignore base path names that only contain whitespace and/or punctuations - # if ( var$base_path == ftp_msg_field_separator ) - if ( var$base_path == "" ) - var$base_path = "~ none"; - - # print ftp_anon_log, fmt("path=\"%s\", norm_path=\"%s\", abs_path = \"%s\", base_path=\"%s\"", - # var$path, var$norm_path, var$abs_path, var$base_path); - } - - return var; - } - - -function strstr_clean(big: string, little: string, clean_match: bool): count - { - local i = strstr(big, little); - - if ( i == 0 ) return i; - - if ( clean_match ) - { - local prefix = sub_bytes(big, 1, i - 1); - local suffix = sub_bytes(big, i + byte_len(little), -1); - - # print ftp_anon_log, fmt("prefix = \"%s\", suffix = \"%s\"", prefix, suffix); - # if little is not surrounded by blanks or 
punctuations - if ( prefix != /|.*[[:blank:][:punct:]]/ || - suffix != /|[[:blank:][:punct:]].*/ ) - return 0; - } - - return i; - } - - -# Search s for an argument variant. Note that variants are searched in -# the order of priorities -- the more specific the varient is, the -# higher priority it gets. - -type arg_in_msg: record { - arg: string; - arg_ind: count; - arg_len: count; - prefix: string; - suffix: string; -}; - -function check_arg_variant(s: string, arg: string, v: arg_in_msg, clean_match: bool): bool - { - if ( arg == "" || arg == "~ none" ) - return F; - - local i = strstr_clean(s, arg, clean_match); - if ( i <= 0 ) return F; - - local len = byte_len(arg); - if ( len <= v$arg_len ) return F; - - v$arg = arg; - v$arg_ind = i; - v$arg_len = len; - v$prefix = sub_bytes(s, 1, i - 1); - v$suffix = sub_bytes(s, i + len, -1); - return T; - } - -function expand_path_arg(v: arg_in_msg): bool - { - if ( v$prefix != /.*\// ) return F; - - local parts = split_all(v$prefix, /([^[:blank:][:punct:]]*\/)+/); - local num_parts = length(parts); - if ( parts[num_parts] != "" ) return F; - local last_part = int_to_count(num_parts - 1); - local s = parts[last_part]; - local s_len = byte_len(s); - - print ftp_anon_log, fmt("expand_path_arg: \"%s\" + \"%s\"", s, v$arg); - v$arg_len = v$arg_len + s_len; - v$arg_ind = int_to_count(v$arg_ind - s_len); - v$arg = string_cat(s, v$arg); - - parts[last_part] = ""; - v$prefix = cat_string_array(parts); - return T; - } - -function search_arg_variant(s: string, var: ftp_arg_variants, clean_match: bool): string - { - local v = [$arg = "", $arg_ind = 0, $arg_len = 0, $prefix = "", $suffix = ""]; - - check_arg_variant(s, var$arg, v, clean_match); - check_arg_variant(s, var$path, v, clean_match); - check_arg_variant(s, var$norm_path, v, clean_match); - check_arg_variant(s, var$abs_path, v, clean_match); - check_arg_variant(s, var$base_path, v, clean_match); - - if ( var$path != "~ none" ) - expand_path_arg(v); - - return ( v$arg != "" ) ? 
v$arg : "~ none"; - } - - -# Substitute with a unique id in , store the mapping from -# the id to in , and update and -# about the argument. -# -# It returns the message after substituion. - -function process_arg_in_reply(arg_var: ftp_arg_variants, msg: string, - other_pat: table[string] of string, aux_pat: set[string], - subst_map: table[string] of string): string - { - add aux_pat[string_cat("~ arg", " : ", arg_var$arg)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$abs_path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$norm_path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$base_path)]; - - local arg = search_arg_variant(msg, arg_var, T); - if ( arg != "~ none" ) - { - print ftp_anon_log, fmt("arg_variant_found: \"%s\" in \"%s\"", arg, msg); - - if ( arg != "" ) - { - other_pat[arg] = "~ arg"; - if ( ftp_msg_field_separator in arg && arg != ftp_msg_field_separator ) - msg = subst_part(msg, arg, "", subst_map); - } - } - - return msg; - } - - -# Record the message being stripped out - -function strip_out_message(session: ftp_session_info, code: count, msg: string): string - { - local ind = fmt("%d %s", code, msg); - if ( ind !in msg_stripped_out ) - { - print ftp_anon_log, - fmt("message_stripped_out: %s", msg); - add msg_stripped_out[ind]; - } - return ""; - } - - -type msg_component: record { - msg: pattern; - part: pattern; - context: pattern; -}; - -global msg_components_not_to_split: table[string] of msg_component; - -event bro_init() -{ - # quoted string - msg_components_not_to_split["quoted"] = - [$msg = /.*/, - $part = /([^"]|\"\")*/, - $context = /@@BOL@@ *\"([^"]|\"\")*\"/]; - - # port numbers in reply to PASV - msg_components_not_to_split["port"] = - [$msg = /227 .*/, - $part = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/, - $context = /\([0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}\)/]; - - # dotted IP address - msg_components_not_to_split["ip"] = - [$msg = /.*/, # any reply code - 
$part = /[0-9]{1,3}(\.[0-9]{1,3}){3}/, - $context = /[[:space:]\(\[][0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:][:punct:]]/]; - - # email - msg_components_not_to_split["email"] = - [$msg = /.*/, # any reply code - $part = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/, - $context = /[[:space:]\(\[<][[:alnum:]\-\.\_]+@([\-[:alnum:]]+\.)*[\-[:alnum:]]+[[:space:][:punct:]]/]; - - # URL - msg_components_not_to_split["url"] = - [$msg = /.*/, # any reply code - $part = /(http|ftp):\/\/[[:alnum:][:punct:]]+/, - $context = /(http|ftp):\/\/[[:alnum:][:punct:]]+/]; - - # domain name - msg_components_not_to_split["domain-version-filename"] = - [$msg = /.*/, # any reply code - $part = /([[:alnum:]]+[\-\.\_])+[[:alnum:]]+/, - $context = /[^\@\.\-\_[:alnum:]]([[:alnum:]]+[\-\.\_])+[[:alnum:]]+[[:space:][:punct:]]/]; # not proceeded by '@' (as in email) - - # UNIX file mode string - msg_components_not_to_split["file_mode"] = - [$msg = /(211|213) .*/, - $part = /[ld\-]([r-][w-][xs-]){3}/, - $context = /@@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3}/]; - - # file name in `ls -l` - msg_components_not_to_split["ls_l_file_name"] = - [$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3} .*/, - $part = /[^[:blank:]]+/, - $context = /[[:blank:]][^[:blank:]]+ @@EOL@@/]; - - # symbolic links in `ls -l` - msg_components_not_to_split["ls_l_symbolic_link"] = - [$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r-][w-][xs-]){3} .*/, - $part = /[^[:blank:]]+/, - $context = /[[:blank:]][^[:blank:]]+ -> /]; - - # time - msg_components_not_to_split["time"] = - [$msg = /.*/, # any reply code - $part = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/, - $context = /[[:space:]\(\[][0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?[[:space:][:punct:]]/]; -} - -function subst_in_context(msg: string, orig_msg: string, c: msg_component, subst_map: table[string] of string): string - { - # print ftp_anon_log, fmt("msg = \"%s\", context = %s", msg, c$context); - - if ( orig_msg != c$msg || c$context !in msg ) - return 
msg; - - local parts = split_all(msg, c$context); - local msg0 = msg; - - for ( i in parts ) - { - # print ftp_anon_log, fmt("part[%d] = \"%s\"", i, parts[i]); - if ( i % 2 == 0 ) - { - local s = parts[i]; - local t = split_all(s, c$part); - - if ( length(t) > 1 && /X[[:alnum:]]{32}X/ !in t[2] ) - { - # print ftp_anon_log, fmt("\"%s\" -> \"%s\" + \"%s\" + \"%s\"", - # to_string_literal(parts[i]), t[1], t[2], t[3]); - # print ftp_anon_log, fmt("subst_in_context: \"%s\" [%s].[%s]", - # to_string_literal(s), c$part, c$context); - - local id = get_unique_subst_id(msg0, msg0); - msg0 = string_cat(msg0, id); - subst_map[id] = t[2]; - t[2] = id; - parts[i] = cat_string_array(t); - # print ftp_anon_log, fmt("subst_in_context: \"%s\"->\"%s\" in \"%s\"", - # subst_map[id], id, to_string_literal(parts[i])); - } - } - } - - return cat_string_array(parts); - } - - -# The main function for FTP reply anonymization. cmd_arg is the -# corresponding FTP request. - -function anonymize_ftp_reply_by_msg_pattern(code: count, act_msg: string, - cmd_arg: ftp_cmd_arg, session: ftp_session_info): string - { - local cmd = cmd_arg$cmd; - local arg = cmd_arg$arg; - local arg_var = expand_ftp_arg_variants(session, cmd_arg); - - # First check if trace-specific anonymization applies to the message - if ( trace_specific_reply_anonymization ) - { - local ret = anonymize_trace_specific_reply(session, code, act_msg, cmd_arg, arg_var); - if ( ret$anonymized ) - { - print ftp_anon_log, fmt("trace_specific_reply: %d \"%s\" ->\"%s\"", - code, to_string_literal(act_msg), to_string_literal(ret$msg)); - return ret$msg; - } - } - - # Extract any prefix of form "-" - local prefix = ""; - local msg0 = act_msg; - - if ( code > 0 ) - { - prefix = fmt("%d-", code); - if ( strstr(msg0, prefix) == 1 ) # msg0 starts with prefix like '220-' - msg0 = sub_bytes(msg0, byte_len(prefix) + 1, -1); - else - prefix = ""; - } - - - # Below we will split the message into fields. 
However, before - # the split we will first substitute certain substrings of the - # message with unique ID's and switch the ID's back to the - # corresponding strings after the split. - - # This is necessary to keep some part of the message from - # being splitted, for instance, we'd like to split the - # message: - # - # "'CWD /My Document/music/' command successful." - # - # with "/My Document/music/" as a single field instead two - # fields: "/My" and "Document/music/". - - # Mark the two ends of the message - msg0 = string_cat("@@BOL@@ ", msg0, " @@EOL@@"); - - # For pattern extraction -- used by extract_ftp_reply_pattern - local other_pat: table[string] of string; - - # For pattern matching -- used by match_pattern_part - local aux_pat: set[string]; - - local subst_map: table[string] of string; - - local orig_msg = fmt("%d %s", code, msg0); - local msg1 = msg0; - - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["file_mode"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_file_name"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_symbolic_link"], subst_map); - - # Process command in the reply message - if ( cmd != "" ) - { - other_pat[cmd] = "~ cmd"; - add aux_pat[string_cat("~ cmd", " : ", cmd)]; - add aux_pat[string_cat("~ cmd", " : ", to_lower(cmd))]; - if ( ftp_msg_field_separator in cmd ) - msg1 = subst_part(msg1, cmd, "", subst_map); - } - - # Process arguments in reply. Note that the order is - # critical: the argument variants are processed starting from - # the most specific one. 
- msg1 = process_arg_in_reply(arg_var, msg1, other_pat, aux_pat, subst_map); - - # Process directory in the reply - local dir = "~ none"; # any directory contained in the reply - if ( code == 257 || [cmd, code] in ftp_dir_operation ) - { - dir = extract_dir_from_reply(session, msg1, dir); - if ( dir != "~ none" ) - { - other_pat[dir] = "~ dir"; - add aux_pat[string_cat("~ dir", " : ", dir)]; - if ( ftp_msg_field_separator in dir ) - msg1 = subst_part(msg1, dir, "", subst_map); - } - } - - # msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["quoted"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["port"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["email"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["url"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ip"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["domain-version-filename"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["time"], subst_map); - - # Summarize all the substitution for debugging and verification - local subst_str = ""; - if ( length(subst_map) > 0 ) - { - for ( xx in subst_map ) - { - if ( subst_str != "" ) - subst_str = string_cat(subst_str, ", "); - subst_str = string_cat(subst_str, fmt("(\"%s\"->\"%s\")", to_string_literal(subst_map[xx]), xx)); - } - print ftp_anon_log, fmt("substitute: \"%d %s\" with {%s}", - code, act_msg, subst_str); - } - - # Split the message to parts - local msg_parts = split_all(msg1, ftp_msg_field_separator); - local num_parts = length(msg_parts); - - # According to subst_map, change substitution ID's back to the - # corresponding parts. Note that here we only look at whole - # fields to look for substitution ID's. 
- for ( i in msg_parts ) - { - local this_part = msg_parts[i]; - if ( this_part in subst_map ) - { - msg_parts[i] = subst_map[this_part]; - # print ftp_anon_log, fmt("substitute_part: \"%s\"", to_string_literal(msg_parts[i])); - } - } - - # Sanity check for string substitution - local msg2 = cat_string_array(msg_parts); - # msg2 != msg0 suggests that there is an improper substitution - if ( msg2 != msg0 ) - { - print ftp_anon_log, fmt("ERROR: substitution: \"%s\" -> \"%s\" with {%s} in [%s]", - to_string_literal(msg0), to_string_literal(msg2), - subst_str, id_string(session$connection_id)); - return strip_out_message(session, code, act_msg); - } - - # So far the message is successfully splitted. Now we will try - # to find a matching pattern. - - # Look it up in message patterns. - local ind = fmt("%3d %3d", code, num_parts); - - if ( ind !in msg_pattern_groups ) - { - print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]", - code, act_msg, id_string(session$connection_id)); - extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session); - return strip_out_message(session, code, act_msg); - } - - local pat_group = msg_pattern_groups[ind]; - - # There can be more than one matches ... record all of them - # and pick the most promising one. 
- local matches: table[string] of msg_pattern_match_result; - local the_pat: msg_pattern_match_result; # the best match - the_pat$valid = F; - - for ( pat_str in pat_group ) - { - local msg_pat = pat_group[pat_str]; - local tok: string_array; - local r = do_msg_pattern_match(act_msg, msg_parts, msg_pat, aux_pat); - if ( r$valid ) - { - if ( length(matches) == 0 || cmp_msg_pattern_match(r, the_pat) < 0 ) - the_pat = r; - matches[pat_str] = r; - } - } - - if ( length(matches) == 0 ) - { - print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]", - code, act_msg, id_string(session$connection_id)); - - extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session); - - return strip_out_message(session, code, act_msg); - } - - if ( length(matches) > 1 ) - print ftp_anon_log, fmt("multiple_patterns: \"%d %s\"", code, act_msg); - - print ftp_anon_log, fmt("message_matched: (%d) \"%d %s\" ~ \"%s\"", - length(matches), code, act_msg, the_pat$pat$str); - - ++the_pat$pat$hit; - - # Now we anonymize the message according to the_pat. During - # the process we log two kinds of anonymization for manual - # inspection: - # 1) when a field matches the wild card pattern ('~ *'): this - # will help us find information that is over-conservatively - # anonymized; - # 2) when a field matches a pattern with a 'to expose' flag (a - # '+' at the end): this will help us to verify that the - # exposed data is privacy-safe. - - local anon_parts: string_array; - local match_wildcard = ""; - local match_exposure = ""; - - for ( i in msg_parts ) - { - local data = msg_parts[i]; - if ( i <= 2 || i >= num_parts - 1 ) - anon_parts[i] = subst(data, /@@BOL@@ | @@EOL@@/, ""); - else if ( i % 2 == 0 ) - anon_parts[i] = data; - else - { - local p = the_pat$parts[int_to_count((i-1)/2)]; - anon_parts[i] = ( p != /~ .*/ ) ? 
data :
- anonymize_msg_part(data, p,
- cmd_arg, session);
-
- if ( p == /~ .+[+]/ )
- {
- if ( match_exposure != "" ) match_exposure = string_cat(match_exposure, "; ");
- match_exposure = string_cat(match_exposure, data);
- }
-
- if ( p == "~ *" )
- {
- if ( match_wildcard != "" ) match_wildcard = string_cat(match_wildcard, "; ");
- match_wildcard = string_cat(match_wildcard, data);
- }
- }
- }
-
- if ( match_wildcard != "" && [match_wildcard, the_pat$pat$str] !in all_wildcard_matches )
- {
- add all_wildcard_matches[match_wildcard, the_pat$pat$str];
- print ftp_anon_log, fmt("wildcard_match: in pattern: \"%s\" data: [%s] in [%s]",
- the_pat$pat$str,
- match_wildcard,
- id_string(session$connection_id));
- }
-
- if ( match_exposure != "" )
- {
- print ftp_anon_log, fmt("data_exposure: in pattern: \"%s\" data: [%s] in [%s]",
- the_pat$pat$str,
- match_exposure,
- id_string(session$connection_id));
- }
-
- local result = cat_string_array(anon_parts);
-
- # Stick the prefix back to the message.
- if ( prefix != "" )
- result = string_cat(prefix, result);
-
- return result;
- }
diff --git a/policy.old/ftp-safe-words.bro b/policy.old/ftp-safe-words.bro
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/policy.old/gnutella.bro b/policy.old/gnutella.bro
deleted file mode 100644
index 0fd4429f83..0000000000
--- a/policy.old/gnutella.bro
+++ /dev/null
@@ -1,61 +0,0 @@
-# $Id: gnutella.bro 4017 2007-02-28 07:11:54Z vern $
-
-redef capture_filters += { ["gnutella"] = "port 6346 or port 8436" };
-
-global gnutella_ports = { 6346/tcp, 8436/tcp } &redef;
-redef dpd_config += { [ANALYZER_GNUTELLA] = [$ports = gnutella_ports] };
-
-event gnutella_text_msg(c: connection, orig: bool, headers: string)
- {
- if ( orig )
- print fmt("gnu txt %s -> %s %s", c$id$orig_h, c$id$resp_h, headers);
- else
- print fmt("gnu txt %s -> %s %s", c$id$resp_h, c$id$orig_h, headers);
- }
-
-
-event gnutella_binary_msg(c: connection, orig: bool, msg_type: count,
- ttl: count, hops: count, msg_len: count,
- payload: string, payload_len: count,
- trunc: bool, complete: bool)
- {
- local s = "";
-
- if ( orig )
- s = fmt("gnu bin %s -> %s", c$id$orig_h, c$id$resp_h);
- else
- s = fmt("gnu bin %s -> %s", c$id$resp_h, c$id$orig_h);
-
- print fmt("%s %d %d %d %d %d %d %d %s",
- s, msg_type, ttl, hops, msg_len,
- trunc, complete, payload_len, payload);
- }
-
-
-event gnutella_partial_binary_msg(c: connection, orig: bool,
- msg: string, len: count)
- {
- if ( orig )
- print fmt("gnu pbin %s -> %s", c$id$orig_h, c$id$resp_h);
- else
- print fmt("gnu pbin %s -> %s", c$id$resp_h, c$id$orig_h);
- }
-
-
-event gnutella_establish(c: connection)
- {
- print fmt("gnu est %s <-> %s", c$id$orig_h, c$id$resp_h);
- }
-
-
-event gnutella_not_establish(c: connection)
- {
- print fmt("gnu !est %s <-> %s", c$id$orig_h, c$id$resp_h);
- }
-
-
-event gnutella_http_notify(c: connection)
- {
- print fmt("gnu http %s/%s <-> %s/%s", c$id$orig_h, c$id$orig_p,
- c$id$resp_h, c$id$resp_p);
- }
diff --git a/policy.old/hand-over.bro b/policy.old/hand-over.bro
deleted file mode 100644
index 5c017c66b5..0000000000
--- a/policy.old/hand-over.bro
+++ /dev/null
@@ -1,144 +0,0 @@
-# $Id: hand-over.bro 617 2004-11-02 00:54:31Z scottc $
-#
-# Hand-over between two instances of Bro.
-
-@load remote
-
-# The host from which we want to take over the state has to be
-# added to remote_peers_{clear,ssl}, setting hand_over to T.
-#
-# The host which we want to allow to perform a hand-over with us
-# has to be added to remote_peers with a port of 0/tcp and
-# hand_over = T.
-
-function is_it_us(host: addr, p: port): bool
- {
-@ifdef ( listen_if_clear )
- if ( is_local_interface(host) && p == listen_port_clear )
- return T;
-@endif
-
-@ifdef ( listen_if_ssl )
- if ( is_local_interface(host) && p == listen_port_ssl )
- return T;
-@endif
- return F;
- }
-
-function is_handover_peer(p: event_peer): bool
- {
- local peer: Remote::Destination;
-
- if ( p$id in Remote::pending_peers )
- peer = Remote::pending_peers[p$id];
- else
- return F;
-
- return peer$hand_over;
- }
-
-function handover_start_processing()
- {
- uninstall_src_net_filter(0.0.0.0/0);
- }
-
-event bro_init()
- {
- # Disable packet processing.
- install_src_net_filter(0.0.0.0/0, 0, 100);
- # Reporter::message("waiting for hand-over - packet processing disabled.");
- }
-
-event remote_connection_error(p: event_peer, reason: string)
- {
- if ( is_remote_event() || ! ( p$id in Remote::connected_peers) )
- return;
-
- # Seems that the other side in not running.
- # Reporter::error("can't connect for hand-over - starting processing ...");
- handover_start_processing();
- }
-
-event remote_connection_established(p: event_peer)
- {
- if ( is_remote_event() )
- return;
-
- # If [p$id] is defined in Remote::connected_peers and p != 0, we have connected
- # to the host.
- if ( p$p != 0/tcp &&
- ([p$id] in Remote::connected_peers ) )
- {
- if ( ! is_handover_peer(p) )
- return;
-
- # Reporter::message(fmt("requesting hand-over from %s:%d", p$host, p$p));
-
- request_remote_events(p, /handover_.*|finished_send_state/);
-
- # Give the remote side some time to register its handlers.
- schedule 3 secs { handover_request(p$host, p$p) };
- return;
- }
-
- # If the other side connected to us, we will allow the hand-over
- # if the remote host is defined as a hand-over host in remote_peers.
- if ( is_handover_peer(p) )
- {
- # Reporter::message(fmt("allowing hand-over from %s:%d", p$host, p$p));
- request_remote_events(p, /handover_.*|finished_send_state/);
- }
- }
-
-event handover_send_state(p: event_peer)
- {
- if ( is_remote_event() )
- return;
-
- # There may be a serialization in progress in which case
- # we will have to try again.
- if ( ! send_state(p) )
- {
- # Reporter::message("can't send state; serialization in progress");
- schedule 5 secs { handover_send_state(p$host, p$p) };
- }
- }
-
-event handover_request(p: event_peer)
- {
- # Make sure the event is for us.
- if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
- return;
-
- # Send state to other side.
- schedule 1 sec { handover_send_state(p) };
- }
-
-event finished_send_state(p: event_peer)
- {
- # We will get this event from the remote side.
- # Make sure it's indeed for us.
- if ( ! is_remote_event() )
- return;
-
- if ( ! is_handover_peer(p) )
- return;
-
- #Reporter::message(fmt("full state received from %s:%d - starting processing ...",
- # p$host, p$p));
-
- event handover_got_state(p);
-
- # Start processing.
- handover_start_processing();
- }
-
-event handover_got_state(p: event_peer)
- {
- # Make sure the event is for us.
- if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
- return;
-
- # Reporter::message(fmt("%s:%d received our state - terminating", p$host, p$p));
- terminate();
- }
diff --git a/policy.old/heavy-analysis.bro b/policy.old/heavy-analysis.bro
deleted file mode 100644
index 6d3bf29a0c..0000000000
--- a/policy.old/heavy-analysis.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: heavy-analysis.bro 2771 2006-04-18 23:53:09Z vern $
-#
-# Loading this files enables somewhat more accurate, yet also significantly
-# more expensive, analysis (in terms of memory as well as CPU time).
-#
-# This script only sets core-level options. Script-level timeouts are
-# adjusted in heavy.*.bro, loaded via Bro's prefix mechanism. To make this
-# work, the prefix has to be set *before* reading other scripts, either by
-# loading this script first of all, or by manually putting a @prefix
-# at the start of Bro's configuration.
-
-@prefixes += heavy
-
-redef tcp_SYN_timeout = 120 secs;
-redef tcp_session_timer = 30 secs;
-redef tcp_connection_linger = 30 secs;
-redef tcp_attempt_delay = 300 secs;
-redef tcp_close_delay = 15 secs;
-redef tcp_reset_delay = 15 secs;
-redef tcp_partial_close_delay = 10 secs;
-
-redef max_timer_expires = 32;
-
-redef tcp_inactivity_timeout = 2 hrs;
-redef udp_inactivity_timeout = 1 hrs;
-redef icmp_inactivity_timeout = 1 hrs;
diff --git a/policy.old/heavy.irc.bro b/policy.old/heavy.irc.bro
deleted file mode 100644
index 0e2cdf0dbb..0000000000
--- a/policy.old/heavy.irc.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: heavy.irc.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef active_users &persistent &read_expire = 1 days;
-redef active_channels &persistent &read_expire = 1 days;
diff --git a/policy.old/heavy.scan.bro b/policy.old/heavy.scan.bro
deleted file mode 100644
index 570e79bf6a..0000000000
--- a/policy.old/heavy.scan.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: heavy.scan.bro 4758 2007-08-10 06:49:23Z vern $
-
-redef distinct_peers &create_expire = 10 hrs;
-redef distinct_ports &create_expire = 10 hrs;
-redef distinct_low_ports &create_expire = 10 hrs;
-redef possible_scan_sources &create_expire = 10 hrs;
diff --git a/policy.old/heavy.software.bro b/policy.old/heavy.software.bro
deleted file mode 100644
index f9e8d0b694..0000000000
--- a/policy.old/heavy.software.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: heavy.software.bro 2771 2006-04-18 23:53:09Z vern $
-
-redef only_report_local = F;
diff --git a/policy.old/heavy.trw.bro b/policy.old/heavy.trw.bro
deleted file mode 100644
index 1bfce8f6b4..0000000000
--- a/policy.old/heavy.trw.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id: heavy.trw.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef TRW::scan_sources &write_expire = 1 day;
-redef TRW::benign_sources &write_expire = 1 day;
-redef TRW::failed_locals &write_expire = 12 hrs;
-redef TRW::successful_locals &write_expire = 12 hrs;
-redef TRW::lambda &write_expire = 12 hrs;
-redef TRW::num_scanned_locals &write_expire = 12 hrs;
diff --git a/policy.old/hot-ids.bro b/policy.old/hot-ids.bro
deleted file mode 100644
index 64a6a7a71f..0000000000
--- a/policy.old/hot-ids.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# @(#) $Id: hot-ids.bro 785 2004-11-24 05:56:06Z rwinslow $ (LBL)
-
-# If these ids are seen, the corresponding connection is terminated.
-const forbidden_ids = {
- "uucp", "daemon", "rewt", "nuucp",
- "EZsetup", "OutOfBox", "4Dgifts",
- "ezsetup", "outofbox", "4dgifts", "sgiweb",
- "r00t", "ruut", "bomb", "backdoor",
- "bionic", "warhead", "check_mate", "checkmate", "check_made",
- "themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack",
-} &redef;
-
-const forbidden_ids_if_no_password = { "lp" } &redef;
-
-const forbidden_id_patterns = /(y[o0]u)(r|ar[e3])([o0]wn.*)/ &redef;
-
-const always_hot_ids = {
- "sync", "tutor", "tour",
- "retro", "milk", "moof", "own", "gdm", "anacnd",
- "lp", "demos", forbidden_ids,
-} &redef;
-
-# The ones here that aren't in always_hot_ids are only hot upon
-# success.
-const hot_ids = {
- "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
- "operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper",
- "wank", always_hot_ids,
-} &redef;
diff --git a/policy.old/hot.bro b/policy.old/hot.bro
deleted file mode 100644
index 5c4fd6a395..0000000000
--- a/policy.old/hot.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-# $Id: hot.bro 7057 2010-07-19 23:22:19Z vern $
-
-@load site
-@load port-name
-@load notice
-@load terminate-connection
-
-module Hot;
-
-export {
- # True if it should be considered a spoofing attack if a connection has
- # the same local net for source and destination.
- const same_local_net_is_spoof = F &redef;
-
- const allow_spoof_services = {
- 110/tcp, # pop-3
- 139/tcp, # netbios-ssn
- } &redef;
-
- # Indexed by source address and destination address.
- const allow_pairs: set[addr, addr] &redef;
-
- const hot_srcs: table[addr] of string = {
- # [ph33r.the.eleet.com] = "kidz",
- } &redef;
-
- const hot_dsts: table[addr] of string = {
- [206.101.197.226] = "ILOVEYOU worm destination",
- } &redef;
-
- const allow_services = {
- ssh, http, gopher, ident, smtp, 20/tcp,
- 53/udp, # DNS queries
- 123/udp, # NTP
- } &redef;
-
- const allow_services_to: set[addr, port] &redef;
- const allow_services_from: set[addr, port] &redef;
- const allow_service_pairs: set[addr, addr, port] &redef;
-
- const flag_successful_service: table[port] of string = {
- [[31337/tcp]] = "popular backdoors",
- } &redef;
-
- const flag_successful_inbound_service: table[port] of string = {
- [1524/tcp] = "popular backdoor, but with false hits outbound",
- } &redef;
-
- const terminate_successful_inbound_service: table[port] of string &redef;
-
- const flag_rejected_service: table[port] of string &redef;
-
- # Different values to hand to check_hot() at different stages in
- # a connection's lifetime.
- const CONN_ATTEMPTED = 1;
- const CONN_ESTABLISHED = 2;
- const APPL_ESTABLISHED = 3;
- const CONN_FINISHED = 4;
- const CONN_REJECTED = 5;
- const CONN_TIMEOUT = 6;
- const CONN_REUSED = 7;
-
- global check_hot: function(c: connection, state: count): bool;
- global check_spoof: function(c: connection): bool;
-}
-
-# An internal function used by check_hot.
-function do_hot_check(c: connection, a: addr, t: table[addr] of string)
- {
- if ( a in t )
- {
- ++c$hot;
- local hot_msg = fmt("<%s>", t[a]);
- append_addl(c, hot_msg);
- }
- }
-
-function check_spoof(c: connection): bool
- {
- local orig = c$id$orig_h;
- local resp = c$id$resp_h;
- local service = c$id$resp_p;
-
- if ( is_local_addr(orig) && is_local_addr(resp) &&
- service !in allow_spoof_services )
- {
- if ( c$id$orig_p == service && orig == resp )
- event conn_weird("Land_attack", c, "");
-
- if ( same_local_net_is_spoof )
- ++c$hot;
- }
-
- return c$hot != 0;
- }
-
-function check_hot(c: connection, state: count): bool
- {
- local id = c$id;
- local service = id$resp_p;
-
- if ( service in allow_services || "ftp-data" in c$service )
- return F;
-
- if ( state == CONN_ATTEMPTED )
- check_spoof(c);
-
- else if ( state == CONN_REJECTED )
- {
- check_spoof(c);
-
- if ( service in flag_rejected_service )
- ++c$hot;
- }
-
- else if ( state == CONN_ESTABLISHED )
- {
- check_spoof(c);
-
- local inbound = is_local_addr(id$resp_h);
-
- if ( (service in flag_successful_service ||
- (inbound &&
- service in flag_successful_inbound_service)) &&
- ([id$resp_h, id$resp_p] !in allow_services_to ||
- [id$orig_h, id$resp_p] !in allow_services_from) )
- {
- if ( inbound &&
- service in terminate_successful_inbound_service )
- TerminateConnection::terminate_connection(c);
-
- ++c$hot;
- if ( service in flag_successful_service )
- append_addl(c, flag_successful_service[service]);
- else
- append_addl(c, flag_successful_inbound_service[service]);
- }
- }
-
- else if ( state == APPL_ESTABLISHED ||
- ((state == CONN_FINISHED || state == CONN_TIMEOUT ||
- state == CONN_REUSED) &&
- service != telnet && c$orig$size > 0 && c$resp$size > 0) )
- {
- # Connection established and has a non-trivial size.
- local orig = c$id$orig_h;
- local resp = c$id$resp_h;
-
- if ( [resp, service] in allow_services_to ||
- [orig, service] in allow_services_from ||
- [orig, resp, service] in allow_service_pairs ||
- [orig, resp] in allow_pairs )
- return F;
-
- do_hot_check(c, resp, hot_srcs);
- do_hot_check(c, resp, hot_dsts);
- }
-
- return c$hot != 0;
- }
diff --git a/policy.old/http-abstract.bro b/policy.old/http-abstract.bro
deleted file mode 100644
index 3eaeb273f0..0000000000
--- a/policy.old/http-abstract.bro
+++ /dev/null
@@ -1,54 +0,0 @@
-# $Id: http-abstract.bro 47 2004-06-11 07:26:32Z vern $
-
-@load http
-@load http-entity
-
-module HTTP;
-
-export {
- const abstract_max_length = 512 &redef;
-}
-
-redef http_entity_data_delivery_size = 4096;
-redef include_HTTP_abstract = T;
-
-function skip_abstract(c: connection, is_orig: bool, msg: http_message)
- {
- msg$skip_abstract = T;
- if ( ! process_HTTP_data )
- skip_http_entity_data(c, is_orig);
- }
-
-event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
- if ( msg$entity_level == 1 && ty == "TEXT" )
- # Do not skip the body in this case.
- return;
-
- skip_abstract(c, is_orig, msg);
- }
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
- if ( msg$skip_abstract )
- return;
-
- local len = byte_len(data);
- if ( len > abstract_max_length )
- msg$abstract = sub_bytes(data, 1, abstract_max_length);
- else
- msg$abstract = data;
-
- skip_abstract(c, is_orig, msg);
-
- # print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
- # network_time(), s$id,
- # is_orig ? "=>" : "<=", byte_len(msg$abstract),
- # msg$abstract);
- }
diff --git a/policy.old/http-anon-server.bro b/policy.old/http-anon-server.bro
deleted file mode 100644
index ecf755c39a..0000000000
--- a/policy.old/http-anon-server.bro
+++ /dev/null
@@ -1,209 +0,0 @@
-# $Id:$
-
-# Anonymize values in Server: headers.
-#
-# TODO:
-#
-# - Zedo and IBM web servers can have Apache mods -- the parsing should
-# be extended to support them
-#
-
-@load anon
-@load http-anon-utils
-
-# ---------------------------------------------------------------------
-# Apache (and friends)
-# - abandon all hope ye who enter here .....
-# ---------------------------------------------------------------------
-
-const apache_server =
- /apache(-ish)?(\/([0-9]+\.)*[0-9]+)? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-const apache_mod_pat =
- /mod_fastcgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /openssl\/([0-9]+\.)*[0-9a-z]{1,4}(-beta[0-9]{0,2})?/
- | /dav\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /php-cgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /ben-ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /embperl\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_ruby\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /nexadesic\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /postgresql\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_tsunami\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_auth_svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_auth_mda\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /rus\/pl(([0-9]+\.)*[0-9]{1,4})/
- | /authmysql\/(([0-9]+\.)*[0-9]{1,4})/
- | /mod_auth_pgsql\/(([0-9]+\.)*[0-9]{1,4})/
- | /mod_ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /php\/(([0-9]+\.)*[0-9a-z]{1,4})(-[0-9]+)?/
- | /mod_perl\/(([0-9]+\.)*[0-9a-z]{1,4})(\_[0-9]+)?/
- | /mod_macro\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_auth_pam\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_oas\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_cap\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /powweb\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_gzip\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /resin\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_jk\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /python\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /perl\/(v)?(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_python\/(([0-9]+\.)*[0-9a-z]{1,4})/
- |
/mod_log_bytes\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_auth_passthrough\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_bwlimited\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_throttle\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /mod_webapp\/(([0-9]+\.)*[0-9a-z]{1,4})(-dev)?/
- | /frontpage\/(([0-9]+\.)*[0-9a-z]{1,5})/
- | /mod_pubcookie\/[0-9a-z]{2}\/[0-9]+\.[0-9]+\-[0-9]+/
- | /(-)?coyote\/(([0-9]+\.)*[0-9a-z]{1,4})/
- | /svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
- ;
-
-# Various Apache variants (e.g., stronghold).
-const apache_misc =
- /stronghold\/(([0-9]+\.)*[0-9]+) apache(\/([0-9]+\.)*[0-9]+)? (c2neteu\/[0-9])? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-const apache_basic = /apache?(\/([0-9]+\.)*[0-9]+)?/;
-const apache_platforms =
- /(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
-
-# ibm_http_server/1.3.26.2, apache/1.3.26 (unix).
-const IBM_server =
- /ibm_http_server(\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)?( *apache\/[0-9]+\.[0-9]+\.[0-9]+ \(unix\))?/;
-
-
-# ---------------------------------------------------------------------
-# Servers values for which we don't retain all values.
-# ---------------------------------------------------------------------
-
-const zope_server =
- /zope\/\(zope ([0-9]+\.)*[0-9]+-[a-z0-9]{1,2}\, python ([0-9]+\.)*[0-9]+\, linux[0-9]\)/;
-
-const thttp_server = /thttpd\/[0-9]+\.[0-9]+(beta[0-9]+)?/;
-const weblogic_server = /weblogic server [0-9]+\.[0-9]+/;
-const zedo_server = /zedo 3g(\/([0-9]+\.)*[0-9]+)?/;
-const jetty_server = /jetty\/[0-9]+\.[0-9]+/;
-
-# ---------------------------------------------------------------------
-# Misc Servers
-# ---------------------------------------------------------------------
-
-const misc_server =
- /dclk creative/
- | /gws\/[0-9]+\.[0-9]+/
- | /nfe\/[0-9]+\.[0-9]+/
- | /gfe\/[0-9]+\.[0-9]+/
- | /dclk-adsvr/
- | /rsi/
- | /swcd\/([0-9]+\.)*[0-9]+/
- | /microsoft-iis\/[0-9]{1,2}\.[0-9]{1,2}/
- | /cafe\/[0-9]+\.[0-9]+/
- | /artblast\/([0-9]+\.)*[0-9]+/
- | /aolserver\/([0-9]+\.)*[0-9]+/
- | /resin\/([0-9]+\.)*s?[0-9]+/
- | /netscape-enterprise\/([0-9]+\.)*[0-9a-z]{1,2}+ *(aol)?/
- | /mapquest listener/
- | /miixpc\/[0-9]+\.[0-9]+/
- | /sun-one-web-server\/[0-9]+\.[0-9]+/
- | /appledotmacserver/
- | /cj\/[0-9]+\.[0-9]+/
- | /jigsaw\/([0-9]+\.)*[0-9]+/
- | /boa\/[0-9]+\.[0-9]+(\.[0-9]+(rc[0-9]+)?)?/
- | /tux\/[0-9]+\.[0-9]+ *\(linux\)/
- | /igfe/
- | /trafficmarketplace-jforce\/([0-9]+\.)*[0-9]+/
- | /lighttpd/
- | /hitbox gateway ([0-9]+\.)*[0-9]+ [a-z][0-9]/
- | /jbird\/[0-9]+\.[0-9a-z]{1,2}/
- | /perlbal/
- | /big-ip/
- | /konichiwa\/[0-9]+\.[0-9]+/
- | /footprint [0-9]+\.[0-9]+\/fpmc/
- | /iii [0-9]+/
- | /clickability web server\/([0-9]+\.)*[0-9]+ *\(unix\)/
- | /accipiter-directserver\/([0-9]+\.)*[0-9]+ \(nt; pentium\)/
- | /ibm-proxy-wte\/([0-9]+\.)*[0-9]+/
- | /netscape-commerce\/[0-9]+\.[0-9]+/
- | /nde/
- ;
-
-function do_apache_server(server: string): string
- {
- local apache_parts = split_all(server, apache_server);
- if ( apache_parts[3] == "" )
- return apache_parts[2];
-
- local apache_return_string = apache_parts[2];
- local mod_parts = split(apache_parts[3],
/ /);
-
- for ( part in mod_parts )
- {
- if ( mod_parts[part] == apache_mod_pat )
- {
- apache_return_string =
- string_cat(apache_return_string,
- " ");
- apache_return_string =
- string_cat(apache_return_string,
- mod_parts[part]);
- }
- else
- print http_anon_log, fmt("** unknown Apache mod: %s:%s", mod_parts[part], server);
- }
-
- return apache_return_string;
- }
-
-function check_server(server: string, server_pat: pattern): bool
- {
- return server_pat in server;
- }
-
-function do_server(server: string, server_pat: pattern): string
- {
- return split_all(server, server_pat)[2];
- }
-
-function filter_in_http_server(server: string): string
- {
- # Vanilla Apache is a hard one and a special case. Let's get the
- # nastiness over first.
-
- if ( apache_server in server )
- return do_apache_server(server);
-
- if ( check_server(server, apache_misc) )
- return do_server(server, apache_misc);
- if ( check_server(server, IBM_server) )
- return do_server(server, IBM_server);
- if ( check_server(server, zedo_server) )
- return do_server(server, zedo_server);
- if ( check_server(server, zope_server) )
- return do_server(server, zope_server);
- if ( check_server(server, jetty_server) )
- return do_server(server, jetty_server);
- if ( check_server(server, thttp_server) )
- return do_server(server, thttp_server);
- if ( check_server(server, weblogic_server) )
- return do_server(server, weblogic_server);
-
- # Grab bag.
- if ( misc_server in server )
- return server;
-
- # Best guess - unknown Apache variant of some sort.
- if ( apache_basic in server )
- {
- print http_anon_log,
- fmt("** unknown Apache variant: %s", server);
-
- return fmt("(bro: unknown) %s %s",
- split_all(server, apache_basic)[2],
- split_all(server, apache_platforms)[2]);
- }
-
- print http_anon_log, fmt("** unknown server: %s", server);
-
- return fmt("(bro: unknown) %s", anonymize_arg("server", server));
- }
diff --git a/policy.old/http-anon-useragent.bro b/policy.old/http-anon-useragent.bro
deleted file mode 100644
index b8edd4a637..0000000000
--- a/policy.old/http-anon-useragent.bro
+++ /dev/null
@@ -1,111 +0,0 @@
-# $Id:$
-
-# Filter-in known "USER-AGENT:" values.
-
-@load anon
-@load http-anon-utils
-
-# ---------------------------------------------------------------------
-# Mozilla (and friends)
-# ---------------------------------------------------------------------
-
-const mozilla_full_pat =
- /mozilla\/[0-9]\.[0-9] \(( *|;|iebar| freebsd i[0-9]{1,4}|fr|-|windows|windows 98|sunos sun4u|compatible|msie [0-9]\.[0-9]|windows nt [0-9]\.[0-9]|google-tr-1|sv1|\.net clr ([0-9]\.)*[0-9]+|x11|en|ppc mac os x|macintosh|u|linux i[0-9]{1,4}|en-us|rv\:([0-9]+\.)*[0-9]+|aol [0-9]\.[0-9]|gnotify ([0-9]+\.)*[0-9]+)*\) *(gecko\/[0-9]+)? *(firefox\/([0-9]+.)*[0-9]+)?/;
-
-const mozilla_head_pat = /mozilla\/[0-9]\.[0-9]/;
-
-const misc_user_pat =
- /spiderman/
- | /w3m\/([0-9]+\.)*[0-9]+/
- | /java([0-9]+\.)*[0-9]+(_[0-9]+)?/
- | /java\/([0-9]+\.)*[0-9]+(_[0-9]+)?/
- | /freecorder/
- | /industry update control/
- | /microsoft-cryptoapi\/([0-9]+\.)*[0-9]+/
- | /ruriko\/([0-9]+\.)*[0-9]+/
- | /crawler[0-9]\.[0-9]/
- | /w3search/
- | /symantec liveupdate/
- | /davkit\/[0-9]\.[0-9]/
- | /windows-media-player\/([0-9]+\.)*[0-9]+/
- | /winamp\/([0-9]+\.)*[0-9]+/
- | /headdump/
- ;
-
-const misc_cmplx_user_pat =
- /lynx\/([0-9]+\.)*[0-9]+.*/
- | /wget\/([0-9]+\.)*[0-9]+.*/
- | /yahooseeker\/([0-9]+\.)*[0-9]+.*/
- | /rma\/([0-9]+\.)*[0-9]+.*/
- | /aim\/[0-9]+.*/
- | /ichiro\/([0-9]+\.)*[0-9]+.*/
- | /unchaos.*/
- | /irlbot\/[0-9]\.[0-9]+.*/
- | /msnbot\/([0-9]+\.)*[0-9]+.*/
- | /opera\/([0-9]+\.)*[0-9]+.*/
- | /netnewswire\/([0-9]+\.)*[0-9]+.*/
- | /nsplayer\/([0-9]+\.)*[0-9]+.*/
- | /aipbot\/([0-9]+\.)*[0-9]+.*/
- | /mac os x; webservicescore\.framework.*/
- | /fast-webcrawler\/([0-9]+\.)*[0-9]+.*/
- | /skype.*/
- | /googlebot\/([0-9]+\.)*[0-9]+.*/
- ;
-
-const misc_cmplx_user_start =
- /lynx\/([0-9]+\.)*[0-9]+/
- | /wget\/([0-9]+\.)*[0-9]+/
- | /yahooseeker\/([0-9]+\.)*[0-9]+/
- | /rma\/([0-9]+\.)*[0-9]+/
- | /aim\/[0-9]+/
- | /ichiro\/([0-9]+\.)*[0-9]+/
- | /unchaos/
- |
/irlbot\/[0-9]\.[0-9]+/
- | /opera\/([0-9]+\.)*[0-9]+/
- | /msnbot\/([0-9]+\.)*[0-9]+/
- | /netnewswire\/([0-9]+\.)*[0-9]+/
- | /nsplayer\/([0-9]+\.)*[0-9]+/
- | /aipbot\/([0-9]+\.)*[0-9]+/
- | /mac os x; webservicescore\.framework/
- | /fast-webcrawler\/([0-9]+\.)*[0-9]+/
- | /skype/
- | /googlebot\/([0-9]+\.)*[0-9]+/
- ;
-
-function filter_in_http_useragent(user: string): string
- {
- # Check for an exact match for Mozilla.
- if ( mozilla_full_pat in user )
- return split_all(user, mozilla_full_pat)[2];
-
- # Look for popular Mozilla-compatible crawlers.
- if ( mozilla_head_pat in user )
- {
- local crawler = "(bro: unknown)";
-
- if ( /.*yahoo\! slurp/ in user )
- crawler = "(yahoo! slurp)";
-
- else if ( /.*ask jeeves/ in user )
- crawler = "(ask jeeves)";
-
- else
- print http_anon_log,
- fmt("*** unknown Mozilla user-agent %s\n", user);
-
- return fmt("%s %s", split_all(user, mozilla_head_pat)[2],
- crawler);
- }
-
- # Some simple, common user names.
- if ( misc_user_pat in user )
- return user;
-
- # Require some info removal.
- if ( misc_cmplx_user_pat in user )
- return split_all(user, misc_cmplx_user_pat)[2];
-
- print http_anon_log,fmt("*** unknown user agent %s\n", user);
-
- return fmt("(bro: unknown) %s", anonymize_arg("user-agent", user));
- }
diff --git a/policy.old/http-anon-utils.bro b/policy.old/http-anon-utils.bro
deleted file mode 100644
index 660452cc2f..0000000000
--- a/policy.old/http-anon-utils.bro
+++ /dev/null
@@ -1,164 +0,0 @@
-# $Id:$
-
-@load anon
-
-global http_anon_log = open_log_file("http-anon") &redef;
-
-const URI_proto_pat = /^ *([a-zA-Z]+)\:\/\// ;
-const known_URI_proto_pat = /^ *(http|https|ftp|ssh)\:\/\// ;
-
-const host_pat = / *^([\-0-9a-zA-Z]+\.)+([\_\-0-9a-zA-Z])*/ ;
-const port_pat = /^ *(\:[0-9]+\.)/ ;
-
-const query_pat = /\?/ ;
-
-function anonymize_http_URI(URI: string): string
- {
- URI = to_lower(URI);
-
- # Strip off protocol.
- local proto = "";
- if ( URI_proto_pat in URI )
- {
- local proto_part = split(URI, /\:\/\//);
-
- # Check if we know the protocol. If not, flag it so we
- # can update our protocol database.
-
- if ( known_URI_proto_pat !in URI )
- {
- print http_anon_log,
- fmt("*** protocol %s unknown ", proto_part[1]);
-
- proto_part[1] =
- string_cat(" (bro: unknown) ",
- anonymize_arg("proto", proto_part[1]));
- }
-
- proto = string_cat(proto_part[1],"://");
- URI = proto_part[2];
- }
-
- # Strip off domain.
- local host = "";
- if ( host_pat in URI )
- {
- local base_parts =
- split_all(URI, / *^([\-\_0-9a-z]+\.)+[\-\_0-9a-z]*/);
-
- if ( |base_parts| < 2 )
- {
- print http_anon_log,
- fmt (" XXXXXXXXXXXXXXXXXXXXXX BASE %s", URI);
- return " XXXX processing error XXXX";
- }
-
- if ( |base_parts| == 2 )
- URI = "";
-
- else if ( |base_parts| == 3)
- URI = base_parts[3];
-
- else if ( |base_parts| > 3)
- {
- local patch_me = "";
- local hack = base_parts[2];
-
- local i = 1;
- for ( part in base_parts )
- {
- if ( i != 2 )
- patch_me = string_cat(patch_me,
- base_parts[i]);
- i += 1;
- }
-
- URI = patch_me;
- }
-
- if ( host == simple_filename )
- host = anonymize_path(host);
- else
- host = anonymize_host(base_parts[2]);
- }
-
- # Strip off port (if it exists).
- local pport = "";
- if ( port_pat in URI )
- {
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXX anon.bro doing nothing with port XXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- }
-
- # Handle query (if exists).
- local tail = "";
- if ( URI == "/" )
- {
- # -- pass
- }
-
- else if ( query_pat in URI )
- {
- local query_part = split(URI, /\?/);
-
- tail = fmt("%s?%s",
- anonymize_path(query_part[1]),
- anonymize_path(query_part[2]));
- }
-
- else
- tail = anonymize_path(URI);
-
- tail = string_cat("/", tail);
-
- return fmt("%s%s%s%s", proto, host, pport, tail);
- }
-
-
-const a_href_pat = /.*\< *a *href.*\>.*/ ;
- #/.*\< *a *href *= *\"[[:print:]]+\" *\>.*/;
-
-# Doesn't get everything ... but works for most.
-const a_href_split =
- /\< *a *href *= *(\\)?(\"|\')?([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\\)?(\"|\')?/ ;
-
-# Elegant ... yeah ... really .. :-/
-const file_split =
- /(\"|\')([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\"|\')/ ;
-const file_strip_split = /([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+/ ;
-
-function http_doc_link_list(abstract: string): string
- {
- abstract = to_lower(abstract);
-
- if ( abstract == "" )
- return abstract;
-
- local concat_key = "";
- local href_parts = split_all(abstract, a_href_split);
-
- for ( part in href_parts )
- {
- if ( href_parts[part] == a_href_split )
- {
- local file_parts =
- split_all(href_parts[part], file_split);
- for ( a_part in file_parts )
- {
- if ( file_parts[a_part] == file_split )
- {
- local file_strip_parts =
- split_all(file_parts[a_part],
- file_strip_split);
- concat_key = fmt("%s %s", concat_key,
- anonymize_http_URI(file_strip_parts[2]));
- }
- }
- }
- }
-
- return concat_key;
- }
diff --git a/policy.old/http-body.bro b/policy.old/http-body.bro
deleted file mode 100644
index 4990a37341..0000000000
--- a/policy.old/http-body.bro
+++ /dev/null
@@ -1,60 +0,0 @@
-# $Id: http-body.bro 5230 2008-01-14 01:38:18Z vern $
-
-# Counts length of data.
-#
-# If log_HTTP_data = T, it also outputs an abstract of data.
-
-@load http
-
-module HTTP;
-
-redef process_HTTP_data = T;
-redef log_HTTP_data = T;
-
-export {
- # If the following is > 0, then when logging contents, they will be
- # truncated beyond this many bytes.
- global content_truncation_limit = 40 &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- local len = byte_len(data);
-
- msg$data_length = msg$data_length + length;
-
- if ( log_HTTP_data )
- {
- local abstract: string;
- if ( content_truncation_limit > 0 &&
- len > content_truncation_limit )
- abstract = cat(sub_bytes(data, 1, content_truncation_limit), "...");
- else
- abstract = data;
-
- print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
- network_time(), s$id,
- is_orig ? "=>" : "<=", length,
- abstract);
- }
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
- # This is for debugging purpose only
- if ( msg$data_length > 0 &&
- stat$body_length != msg$data_length + stat$content_gap_length)
- {
- # This can happen for multipart messages with a
- # 'content-length' header, which is not required for multipart
- # messages.
- # Log::warning(fmt("length mismatch: %s %d %d %d",
- # id_string(c$id), stat$body_length, msg$data_length,
- # stat$content_gap_length));
- }
- }
diff --git a/policy.old/http-detect-passwd.bro b/policy.old/http-detect-passwd.bro
deleted file mode 100644
index 8ad71168c2..0000000000
--- a/policy.old/http-detect-passwd.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load http
-
-module HTTP;
-
-export {
- redef enum Notice += {
- PasswordFullFetch, # they got back the whole thing
- PasswordShadowFetch, # they got back a shadowed version
- };
-
- # Pattern to search for in replies indicating that a full password
- # file was returned.
- const full_fetch =
- /[[:alnum:]]+\:[[:alnum:]]+\:[[:digit:]]+\:[[:digit:]]+\:/
- &redef;
-
- # Same, but indicating a shadow password file was returned.
- const shadow_fetch =
- /[[:alnum:]]+\:\*\:[[:digit:]]+\:[[:digit:]]+\:/
- &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local s = lookup_http_request_stream(c);
- local n = s$first_pending_request;
- if ( n !in s$requests )
- return;
-
- local req = s$requests[n];
- local passwd_request = req$passwd_req;
- if ( ! passwd_request )
- return;
-
- if ( full_fetch in data )
- NOTICE([$note=PasswordFullFetch,
- $conn=c, $method=req$method, $URL=req$URI,
- $msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
- req$method, req$URI)]);
- else if ( shadow_fetch in data )
- NOTICE([$note=PasswordShadowFetch,
- $conn=c, $method=req$method, $URL=req$URI,
- $msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
- req$method, req$URI)]);
- }
diff --git a/policy.old/http-entity.bro b/policy.old/http-entity.bro
deleted file mode 100644
index 9084b65661..0000000000
--- a/policy.old/http-entity.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: http-entity.bro 6 2004-04-30 00:31:26Z jason $
-
-# Counts entity_level.
-
-module HTTP;
-
-event http_begin_entity(c: connection, is_orig: bool)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- ++msg$entity_level;
- }
-
-event http_end_entity(c: connection, is_orig: bool)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- if ( msg$entity_level > 0 )
- --msg$entity_level;
- }
diff --git a/policy.old/http-event.bro b/policy.old/http-event.bro
deleted file mode 100644
index 450be5cf1d..0000000000
--- a/policy.old/http-event.bro
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: http-event.bro 6 2004-04-30 00:31:26Z jason $
-
-@load http
-
-module HTTP;
-
-event http_event(c: connection, event_type: string, detail: string)
- {
- print http_log, fmt("%.6f %s HTTP event: [%s] \"%s\"",
- network_time(), id_string(c$id),
- event_type, detail);
- }
diff --git a/policy.old/http-extract-items.bro b/policy.old/http-extract-items.bro
deleted file mode 100644
index 4c7b1a1c0d..0000000000
--- a/policy.old/http-extract-items.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id:$
-
-# Extracts the items from HTTP traffic, one per file.
-# Files are named:
-#
-# .._._.
-#
-# where is a redef'able prefix (default: "http-item"), is
-# a number uniquely identifying the item, the next four are describe
-# the connection tuple, and is "orig" if the item was transferred
-# from the originator to the responder, "resp" otherwise.
-
-@load http-reply
-
-module HTTP_extract_items;
-
-global prefix = "http-item" &redef;
-global item_file: table[conn_id] of file;
-global nitems = 0;
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local id = c$id;
- if ( id !in item_file )
- {
- # Create a new file for this one.
- local fname = fmt("%s.%d.%s_%d.%s_%d.%s",
- prefix, ++nitems,
- id$orig_h, id$orig_p,
- id$resp_h, id$resp_p,
- is_orig ? "orig" : "resp");
- item_file[id] = open(fname);
- }
-
- write_file(item_file[id], data);
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- delete item_file[c$id];
- }
diff --git a/policy.old/http-header.bro b/policy.old/http-header.bro
deleted file mode 100644
index 259031b024..0000000000
--- a/policy.old/http-header.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: http-header.bro 7073 2010-09-13 00:45:02Z vern $
-
-# Prints out detailed HTTP headers.
-
-@load http
-
-module HTTP;
-
-export {
- # The following lets you specify headers that you don't want
- # to print out.
- global skip_header: set[string] &redef;
-
- # If you add anything to the following table, *only* the headers
- # included will be recorded.
- global include_header: set[string] &redef;
-
- # For example:
- # redef skip_header += { "COOKIE", "SET-COOKIE" };
- # will refrain from printing cookies.
-}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
- {
- if ( name in skip_header )
- return;
-
- if ( |include_header| > 0 && name !in include_header )
- return;
-
- local s = lookup_http_request_stream(c);
-
- print http_log, fmt("%.6f %s %s %s: %s",
- network_time(), s$id,
- is_orig ? ">" : "<", name, value);
- }
diff --git a/policy.old/http-identified-files.bro b/policy.old/http-identified-files.bro
deleted file mode 100644
index a4ecd2cf7f..0000000000
--- a/policy.old/http-identified-files.bro
+++ /dev/null
@@ -1,115 +0,0 @@
-# $Id:$
-#
-# Analyze HTTP entities for sensitive types (e.g., executables).
-#
-# Contributed by Seth Hall.
-
-@load http-reply
-
-module HTTP;
-
-const http_identified_log = open_log_file("http-id");
-
-export {
- # Base the libmagic analysis on this many bytes. Currently,
- # we will in fact use fewer (basically, just what's in the
- # first data packet).
- const magic_content_limit = 1024 &redef;
-
- # These MIME types are logged and generate a Notice. The patterns
- # need to match the entire description as returned by libMagic.
- # For example, for plain text it can return
- # "text/plain charset=us-ascii", so you might want to use
- # /text\/plain.*/.
- const watched_mime_types =
- /application\/x-dosexec/ # Windows and DOS executables
- | /application\/x-executable/ # *NIX executable binary
- &redef;
-
- const watched_descriptions = /PHP script text/ &redef;
-
- # URLs included here are not logged and notices are not generated.
- # Take care when defining patterns to not be overly broad.
- const ignored_urls =
- /^http:\/\/www\.download\.windowsupdate\.com\// &redef;
-
- redef enum Notice += {
- # Generated when we see a MIME type we flagged for watching.
- HTTP_WatchedMIMEType,
-
- # Generated when the file extension doesn't match
- # the file contents.
- HTTP_IncorrectFileType,
- };
-
- # Create patterns that *should* be in the URLs for specific MIME types.
- # Notices are generated if the pattern doesn't match.
- const mime_types_extensions = {
- ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
- } &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- if ( is_orig )
- # For now we only inspect server responses.
- return;
-
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
-@ifndef ( content_truncation_limit )
- # This is only done if http-body.bro is not loaded.
- msg$data_length = msg$data_length + length;
-@endif
-
- # For the time being, we'll just use the data from the first packet.
- # Don't continue until we have enough data.
- # if ( msg$data_length < magic_content_limit )
- # return;
-
- # Right now, only try this for the first chunk of data
- if ( msg$data_length > length )
- return;
-
- local abstract = sub_bytes(data, 1, magic_content_limit);
- local magic_mime = identify_data(abstract, T);
- local magic_descr = identify_data(abstract, F);
-
- if ( (magic_mime == watched_mime_types ||
- watched_descriptions in magic_descr) &&
- s$first_pending_request in s$requests )
- {
- local r = s$requests[s$first_pending_request];
- local host = (s$next_request$host=="") ?
- fmt("%s", c$id$resp_h) : s$next_request$host;
-
- event file_transferred(c, abstract, magic_descr, magic_mime);
-
- local url = fmt("http://%s%s", host, r$URI);
- if ( ignored_urls in url )
- return;
-
- local file_type = "";
- if ( magic_mime == watched_mime_types )
- file_type = magic_mime;
- else
- file_type = magic_descr;
-
- local message = fmt("%s %s %s %s",
- id_string(c$id), file_type, r$method, url);
-
- NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=c,
- $method=r$method, $URL=url]);
-
- print http_identified_log, fmt("%.06f %s %s",
- network_time(), s$id, message);
-
- if ( (magic_mime in mime_types_extensions &&
- mime_types_extensions[magic_mime] !in url) ||
- (magic_descr in mime_types_extensions &&
- mime_types_extensions[magic_descr] !in url) )
- NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
- $conn=c, $method=r$method, $URL=url]);
- }
- }
diff --git a/policy.old/http-reply.bro b/policy.old/http-reply.bro
deleted file mode 100644
index e410b1fc34..0000000000
--- a/policy.old/http-reply.bro
+++ /dev/null
@@ -1,117 +0,0 @@ -# $Id: http-reply.bro 2694 2006-04-02 22:50:00Z vern $ - -@load http-request - -module HTTP; - -redef capture_filters += { - ["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000" -}; - -redef process_HTTP_replies = T; - -event http_reply(c: connection, version: string, code: count, reason: string) - { - local s = lookup_http_request_stream(c); - local msg = s$next_reply; - - init_http_message(msg); - - msg$initiated = T; - msg$code = code; - msg$reason = reason; - } - -function http_request_done(c: connection, stat: http_message_stat) - { - local s = lookup_http_request_stream(c); - local msg = s$next_request; - msg$initiated = F; - } - -function http_reply_done(c: connection, stat: http_message_stat) - { - local s = lookup_http_request_stream(c); - local req_msg = s$next_request; - local msg = s$next_reply; - local req: string; - local have_request = F; - local log_it: bool; - - if ( s$num_pending_requests == 0 ) - { - # Weird - reply w/o request - perhaps due to cold start? - req = ""; - log_it = F; - } - else - { - local r = s$requests[s$first_pending_request]; - have_request = T; - - # Remove pending request. - delete s$requests[s$first_pending_request]; - --s$num_pending_requests; - ++s$first_pending_request; - - req = fmt("%s %s", r$method, r$URI); - log_it = r$log_it; - } - - local req_rep = - fmt("%s (%d \"%s\" [%d%s]%s)", - req, msg$code, string_escape(msg$reason, "\""), - stat$body_length, - stat$interrupted ? " (interrupted)" : "", - have_request ? fmt(" %s", req_msg$host) : ""); - - # The following is a more verbose form: -# local req_rep = -# fmt("%s (%d \"%s\" [\"%s\", %d%s%s])", -# req, msg$code, msg$reason, -# msg$content_length, stat$body_length, -# stat$interrupted ? " (interrupted)" : "", -# stat$content_gap_length > 0 ? 
-# fmt(" (gap = %d bytes)", stat$content_gap_length) : ""); - - if ( log_it ) - NOTICE([$note=HTTP_SensitiveURI, $conn=c, - $method = r$method, $URL = r$URI, - $n = msg$code, - $msg = fmt("%s %s: %s", - id_string(c$id), c$addl, req_rep)]); - - print http_log, fmt("%.6f %s %s", network_time(), s$id, req_rep); - - msg$initiated = F; - } - -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( is_orig ) - http_request_done(c, stat); - else - http_reply_done(c, stat); - } - -@load http-entity -event http_header(c: connection, is_orig: bool, name: string, value: string) - { - # Only rewrite top-level headers. - local s = lookup_http_request_stream(c); - local msg = get_http_message(s, is_orig); - - if ( msg$entity_level == 1 ) - { - if ( name == "CONTENT-LENGTH" ) - msg$content_length = value; - - else if ( is_orig && name == "HOST" ) - { # suppress leading blank - if ( /^ / in value ) - msg$host = sub_bytes(value, 2, -1); - else - msg$host = value; - } - } - } diff --git a/policy.old/http-request.bro b/policy.old/http-request.bro deleted file mode 100644 index d5d647c977..0000000000 --- a/policy.old/http-request.bro +++ /dev/null 
@@ -1,104 +0,0 @@ -# $Id: http-request.bro 6726 2009-06-07 22:09:55Z vern $ - -# Analysis of HTTP requests. - -@load http - -module HTTP; - -export { - const sensitive_URIs = - /etc\/(passwd|shadow|netconfig)/ - | /IFS[ \t]*=/ - | /nph-test-cgi\?/ - | /(%0a|\.\.)\/(bin|etc|usr|tmp)/ - | /\/Admin_files\/order\.log/ - | /\/carbo\.dll/ - | /\/cgi-bin\/(phf|php\.cgi|test-cgi)/ - | /\/cgi-dos\/args\.bat/ - | /\/cgi-win\/uploader\.exe/ - | /\/search97\.vts/ - | /tk\.tgz/ - | /ownz/ # somewhat prone to false positives - | /viewtopic\.php.*%.*\(.*\(/ # PHP attack, 26Nov04 - # a bunch of possible rootkits - | /sshd\.(tar|tgz).*/ - | /[aA][dD][oO][rR][eE][bB][sS][dD].*/ - # | /[tT][aA][gG][gG][eE][dD].*/ # prone to FPs - | /shv4\.(tar|tgz).*/ - | /lrk\.(tar|tgz).*/ - | /lyceum\.(tar|tgz).*/ - | /maxty\.(tar|tgz).*/ - | /rootII\.(tar|tgz).*/ - | /invader\.(tar|tgz).*/ - &redef; - - # Used to look for attempted password file fetches. - const passwd_URI = /passwd/ &redef; - - # URIs that match sensitive_URIs but can be generated by worms, - # and hence should not be flagged (because they're so common). - const worm_URIs = - /.*\/c\+dir/ - | /.*cool.dll.*/ - | /.*Admin.dll.*Admin.dll.*/ - &redef; - - # URIs that should not be considered sensitive if accessed by - # a local client. 
- const skip_remote_sensitive_URIs = - /\/cgi-bin\/(phf|php\.cgi|test-cgi)/ - &redef; - - const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef; -} - -redef capture_filters += { - ["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000" -}; - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - local log_it = F; - local URI = unescaped_URI; - - if ( (sensitive_URIs in URI && URI != worm_URIs) || - (method == "POST" && sensitive_post_URIs in URI) ) - { - if ( is_local_addr(c$id$orig_h) && - skip_remote_sensitive_URIs in URI ) - ; # don't flag it after all - else - log_it = T; - } - - local s = lookup_http_request_stream(c); - - if ( process_HTTP_replies ) - { - # To process HTTP replies, we need to record the corresponding - # requests. - local n = s$first_pending_request + s$num_pending_requests; - - s$requests[n] = [$method=method, $URI=URI, $log_it=log_it, - $passwd_req=passwd_URI in URI]; - ++s$num_pending_requests; - - # if process_HTTP_messages - local msg = s$next_request; - - init_http_message(msg); - msg$initiated = T; - } - else - { - if ( log_it ) - NOTICE([$note=HTTP_SensitiveURI, $conn=c, - $method = method, $URL = URI, - $msg=fmt("%s %s: %s %s", - id_string(c$id), c$addl, method, URI)]); - print http_log, - fmt("%.6f %s %s %s", network_time(), s$id, method, URI); - } - } diff --git a/policy.old/http.bro b/policy.old/http.bro deleted file mode 100644 index 5a774b6e97..0000000000 --- a/policy.old/http.bro +++ /dev/null 
@@ -1,203 +0,0 @@ -# $Id: http.bro 6726 2009-06-07 22:09:55Z vern $ - -@load notice -@load site -@load conn-id - -module HTTP; - -export { - redef enum Notice += { - HTTP_SensitiveURI, # sensitive URI in GET/POST/HEAD - }; -} - -# DPM configuration. -global http_ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] }; -redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] }; - -# HTTP processing options. -export { - const process_HTTP_replies = F &redef; - const process_HTTP_data = F &redef; - const include_HTTP_abstract = F &redef; - const log_HTTP_data = F &redef; -} - -type http_pending_request: record { - method: string; - URI: string; - log_it: bool; - - # Whether we determined it's an attempted passwd file fetch. - passwd_req: bool; -}; - -# Eventually we will combine http_pending_request and http_message. - -type http_message: record { - initiated: bool; - code: count; # for HTTP reply message - reason: string; # for HTTP reply message - entity_level: count; # depth of enclosing MIME entities - data_length: count; # actual length of data delivered - content_length: string; # length specified in CONTENT-LENGTH header - header_slot: count; # rewrite slot at the end of headers - abstract: string; # data abstract - skip_abstract: bool; # to skip abstract for certain content types - host: string; # host indicated in Host header -}; - -type http_pending_request_stream: record { - # Number of first pending request. - first_pending_request: count &default = 0; - - # Total number of pending requests. - num_pending_requests: count &default = 0; - - # Indexed from [first_pending_request .. 
- # (first_pending_request + num_pending_requests - 1)] - requests: table[count] of http_pending_request; - - next_request: http_message; # the on-going request - next_reply: http_message; # the on-going reply - - # len_next_reply: count; # 0 means unspecified - # len_next_request: count; - - id: string; # repeated from http_session_info, for convenience -}; - -type http_session_info: record { - id: string; - request_stream: http_pending_request_stream; -}; - -const http_log = open_log_file("http") &redef; - -export { - global http_sessions: table[conn_id] of http_session_info; -} - -global http_session_id = 0; - -function init_http_message(msg: http_message) - { - msg$initiated = F; - msg$code = 0; - msg$reason = ""; - msg$entity_level = 0; - msg$data_length = 0; - msg$content_length = ""; - msg$header_slot = 0; - msg$abstract = ""; - msg$skip_abstract = F; - msg$host = ""; - } - -function new_http_message(): http_message - { - local msg: http_message; - init_http_message(msg); - return msg; - } - -function new_http_session(c: connection): http_session_info - { - local session = c$id; - local new_id = ++http_session_id; - - local info: http_session_info; - info$id = fmt("%%%s", prefixed_id(new_id)); - - local rs: http_pending_request_stream; - - rs$first_pending_request = 1; - rs$num_pending_requests = 0; - rs$id = info$id; - - rs$next_request = new_http_message(); - rs$next_reply = new_http_message(); - rs$requests = table(); - - info$request_stream = rs; - - http_sessions[session] = info; - - print http_log, fmt("%.6f %s start %s:%d > %s:%d", network_time(), - info$id, c$id$orig_h, - c$id$orig_p, c$id$resp_h, c$id$resp_p); - - return info; - } - -function lookup_http_session(c: connection): http_session_info - { - local s: http_session_info; - local id = c$id; - - s = id in http_sessions ? 
http_sessions[id] : new_http_session(c); - - append_addl(c, s$id); - - return s; - } - -function lookup_http_request_stream(c: connection): http_pending_request_stream - { - local s = lookup_http_session(c); - - return s$request_stream; - } - -function get_http_message(s: http_pending_request_stream, is_orig: bool): http_message - { - return is_orig ? s$next_request : s$next_reply; - } - -function finish_stream(session: conn_id, id: string, - rs: http_pending_request_stream) - { - ### We really want to do this in sequential order, not table order. - for ( i in rs$requests ) - { - local req = rs$requests[i]; - - if ( req$log_it ) - NOTICE([$note=HTTP_SensitiveURI, - $src=session$orig_h, $dst=session$resp_h, - $URL=req$URI, - $method=req$method, - $msg=fmt("%s:%d -> %s:%d %s: ", - session$orig_h, session$orig_p, - session$resp_h, session$resp_p, id)]); - - local msg = fmt("%s %s ", req$method, req$URI); - print http_log, fmt("%.6f %s %s", network_time(), rs$id, msg); - } - } - -event connection_state_remove(c: connection) - { - local id = c$id; - - if ( id !in http_sessions ) - return; - - local s = http_sessions[id]; - finish_stream(id, s$id, s$request_stream); - delete http_sessions[c$id]; - } - - -# event http_stats(c: connection, stats: http_stats_rec) -# { -# if ( stats$num_requests == 0 && stats$num_replies == 0 ) -# return; -# -# c$addl = fmt("%s (%d v%.1f v%.1f)", c$addl, stats$num_requests, stats$request_version, stats$reply_version); -# } diff --git a/policy.old/icmp.bro b/policy.old/icmp.bro deleted file mode 100644 index c6c3c87d44..0000000000 --- a/policy.old/icmp.bro +++ /dev/null 
@@ -1,306 +0,0 @@ -# $Id: icmp.bro 6883 2009-08-19 21:08:09Z vern $ - -@load hot -@load weird -@load conn -@load scan - -global icmp_file = open_log_file("icmp"); - -redef capture_filters += { ["icmp"] = "icmp" }; - -module ICMP; - -export { - - redef enum Notice += { - ICMPAsymPayload, # payload in echo req-resp not the same - ICMPConnectionPair, # too many ICMPs between hosts - ICMPAddressScan, - - # The following isn't presently sufficiently useful due - # to cold start and packet drops. - # ICMPUnpairedEchoReply, # no EchoRequest seen for EchoReply - }; - - # Whether to log detailed information icmp.log. - const log_details = T &redef; - - # ICMP scan detection. - const detect_scans = T &redef; - const scan_threshold = 25 &redef; - - # Analysis of connection pairs. - const detect_conn_pairs = F &redef; # switch for connection pair - const detect_payload_asym = F &redef; # switch for echo payload - const conn_pair_threshold = 200 &redef; -} - -global conn_pair:table[addr] of set[addr] &create_expire = 1 day; -global conn_pair_thresh_reached: table[addr] of bool &default=F; - - - -type flow_id: record { - orig_h: addr; - resp_h: addr; - id: count; -}; - -type flow_info: record { - start_time: time; - last_time: time; - orig_bytes: count; - resp_bytes: count; - payload: string; -}; - -const names: table[count] of string = { - [0] = "echo_reply", - [3] = "unreach", - [4] = "quench", - [5] = "redirect", - [8] = "echo_req", - [9] = "router_adv", - [10] = "router_sol", - [11] = "time_xcd", - [12] = "param_prob", - [13] = "tstamp_req", - [14] = "tstamp_reply", - [15] = "info_req", - [16] = "info_reply", - [17] = "mask_req", - [18] = "mask_reply", -} &default = function(n: count): string { return fmt("icmp-%d", n); }; - - -# Map IP protocol number to the protocol's name. 
-const IP_proto_name: table[count] of string = { - [1] = "ICMP", - [2] = "IGMP", - [6] = "TCP", - [17] = "UDP", - [41] = "IPV6", -} &default = function(n: count): string { return fmt("%s", n); } - &redef; - -# Print a report for the given ICMP flow. -function generate_flow_summary(flow: flow_id, fi: flow_info) - { - local local_init = is_local_addr(flow$orig_h); - local local_addr = local_init ? flow$orig_h : flow$resp_h; - local remote_addr = local_init ? flow$resp_h : flow$orig_h; - local flags = local_init ? "L" : ""; - - local state: string; - if ( fi$orig_bytes > 0 ) - { - if ( fi$resp_bytes > 0 ) - state = "SF"; - else - state = "SH"; - } - else if ( fi$resp_bytes > 0 ) - state = "SHR"; - else - state = "OTH"; - - print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s", - fi$start_time, fi$last_time - fi$start_time, - flow$orig_h, flow$resp_h, "icmp_echo", - fi$orig_bytes, fi$resp_bytes, state, flags); - } - -# Called when a flow is expired in order to generate a report for it. -function flush_flow(ft: table[flow_id] of flow_info, fi: flow_id): interval - { - generate_flow_summary(fi, ft[fi]); - return 0 sec; - } - -# Table to track each active flow. -global flows: table[flow_id] of flow_info - &read_expire = 45 sec - &expire_func = flush_flow; - -event icmp_sent(c: connection, icmp: icmp_conn) - { - print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s", - network_time(), 0.0, icmp$orig_h, icmp$resp_h, - names[icmp$itype], icmp$itype, icmp$icode, "icmp", - icmp$len, "0", "SH"); - } - -event flow_summary(flow: flow_id, last_time: time) - { - if ( flow !in flows ) - return; - - local fi = flows[flow]; - - if ( fi$last_time == last_time ) - { - generate_flow_summary(flow, fi); - delete flows[flow]; - } - } - -function update_flow(icmp: icmp_conn, id: count, is_orig: bool, payload: string) - { - local fid: flow_id; - fid$orig_h = is_orig ? icmp$orig_h : icmp$resp_h; - fid$resp_h = is_orig ? 
icmp$resp_h : icmp$orig_h; - fid$id = id; - - if ( fid !in flows ) - { - local info: flow_info; - info$start_time = network_time(); - info$orig_bytes = info$resp_bytes = 0; - info$payload = payload; # checked in icmp_echo_reply - flows[fid] = info; - } - - local fi = flows[fid]; - - fi$last_time = network_time(); - - if ( is_orig ) - fi$orig_bytes = fi$orig_bytes + byte_len(payload); - else - fi$resp_bytes = fi$resp_bytes + byte_len(payload); - - schedule +30sec { flow_summary(fid, fi$last_time) }; - } - -event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string) - { - update_flow(icmp, id, T, payload); - - local orig = icmp$orig_h; - local resp = icmp$resp_h; - - # Simple ping scan detector. - if ( detect_scans && - (orig !in Scan::distinct_peers || - resp !in Scan::distinct_peers[orig]) ) - { - if ( orig !in Scan::distinct_peers ) - { - local empty_peer_set: set[addr] &mergeable; - Scan::distinct_peers[orig] = empty_peer_set; - } - - if ( resp !in Scan::distinct_peers[orig] ) - add Scan::distinct_peers[orig][resp]; - - if ( ! Scan::shut_down_thresh_reached[orig] && - orig !in Scan::skip_scan_sources && - orig !in Scan::skip_scan_nets && - |Scan::distinct_peers[orig]| >= scan_threshold ) - { - NOTICE([$note=ICMPAddressScan, $src=orig, - $n=scan_threshold, - $msg=fmt("%s has icmp echo scanned %s hosts", - orig, scan_threshold)]); - - Scan::shut_down_thresh_reached[orig] = T; - } - } - - if ( detect_conn_pairs ) - { - if ( orig !in conn_pair ) - { - local empty_peer_set2: set[addr] &mergeable; - conn_pair[orig] = empty_peer_set2; - } - - if ( resp !in conn_pair[orig] ) - add conn_pair[orig][resp]; - - if ( ! 
conn_pair_thresh_reached[orig] && - |conn_pair[orig]| >= conn_pair_threshold ) - { - NOTICE([$note=ICMPConnectionPair, - $msg=fmt("ICMP connection threshold exceeded : %s -> %s", - orig, resp)]); - conn_pair_thresh_reached[orig] = T; - } - } - } - -event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, - seq: count, payload: string) - { - # Check payload with the associated flow. - - local fid: flow_id; - fid$orig_h = icmp$resp_h; # We know the expected results since - fid$resp_h = icmp$orig_h; # it's an echo reply. - fid$id = id; - - if ( fid !in flows ) - { -# NOTICE([$note=ICMPUnpairedEchoReply, -# $msg=fmt("ICMP echo reply w/o request: %s -> %s", -# icmp$orig_h, icmp$resp_h)]); - } - else - { - if ( detect_payload_asym ) - { - local fi = flows[fid]; - local pl = fi$payload; - - if ( pl != payload ) - { - NOTICE([$note=ICMPAsymPayload, - $msg=fmt("ICMP payload inconsistancy: %s(%s) -> %s(%s)", - icmp$orig_h, byte_len(fi$payload), - icmp$resp_h, byte_len(payload))]); - } - } - } - - update_flow(icmp, id, F, payload); - } - -event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, - context: icmp_context) - { - if ( active_connection(context$id) ) - { - # This section allows Bro to act on ICMP-unreachable packets - # that happen in the context of an active connection. It is - # not currently used. - local c2 = connection_record(context$id); - local os = c2$orig$state; - local rs = c2$resp$state; - local is_attempt = - is_tcp_port(c2$id$orig_p) ? - (os == TCP_SYN_SENT && rs == TCP_INACTIVE) : - (os == UDP_ACTIVE && rs == UDP_INACTIVE); - - # Insert action here. - } - - if ( log_details ) - { - # ICMP unreachable packets are the only ones currently - # logged. Due to the connection data contained *within* - # them, each log line will contain two connections' worth - # of data. The initial ICMP connection info is the same - # as logged for connections. 
- print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s", - network_time(), 0.0, icmp$orig_h, icmp$resp_h, - names[icmp$itype], icmp$itype, icmp$icode, "icmp", - icmp$len, "0", "EncapPkt:", - # This is the encapsulated packet: - context$id$orig_h, context$id$orig_p, - context$id$resp_h, context$id$resp_p, - context$len, IP_proto_name[context$proto], - context$len, context$bad_hdr_len, - context$bad_checksum); - } - } diff --git a/policy.old/ident.bro b/policy.old/ident.bro deleted file mode 100644 index d52265db65..0000000000 --- a/policy.old/ident.bro +++ /dev/null 
@@ -1,68 +0,0 @@
-# $Id: ident.bro 5948 2008-07-11 22:29:49Z vern $
-
-@load notice
-@load hot-ids
-
-module Ident;
-
-export {
- redef enum Notice += {
- IdentSensitiveID, # sensitive username in Ident lookup
- };
-
- const hot_ident_ids = { always_hot_ids, } &redef;
- const hot_ident_exceptions = { "uucp", "nuucp", "daemon", } &redef;
-}
-
-redef capture_filters += { ["ident"] = "tcp port 113" };
-
-global ident_ports = { 113/tcp } &redef;
-redef dpd_config += { [ANALYZER_IDENT] = [$ports = ident_ports] };
-
-global pending_ident_requests: set[addr, port, addr, port, port, port];
-
-event ident_request(c: connection, lport: port, rport: port)
- {
- local id = c$id;
- add pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
- }
-
-function add_ident_tag(c: connection, lport: port, rport: port, tag: string)
-: connection
- {
- local id = c$id;
- if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport] in
- pending_ident_requests )
- delete pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
- else
- tag = fmt("orphan-%s", tag);
-
- local c_orig_id = [$orig_h = id$resp_h, $orig_p = rport,
- $resp_h = id$orig_h, $resp_p = lport];
-
- local c_orig = active_connection(c_orig_id) ?
- connection_record(c_orig_id) : c;
-
- append_addl(c_orig, tag);
-
- return c_orig;
- }
-
-event ident_reply(c: connection, lport: port, rport: port,
- user_id: string, system: string)
- {
- local c_orig = add_ident_tag(c, lport, rport, fmt("ident/%s", user_id));
-
- if ( user_id in hot_ident_ids && user_id !in hot_ident_exceptions )
- {
- ++c_orig$hot;
- NOTICE([$note=IdentSensitiveID, $conn=c,
- $msg=fmt("%s hot ident: %s",
- $user=c_orig$addl, id_string(c_orig$id))]);
- }
- }
-
-event ident_error(c: connection, lport: port, rport: port, line: string)
- {
- add_ident_tag(c, lport, rport, fmt("iderr/%s", line));
- }
diff --git a/policy.old/inactivity.bro b/policy.old/inactivity.bro
deleted file mode 100644
index ea984a2fc2..0000000000
--- a/policy.old/inactivity.bro
+++ /dev/null
@@ -1,31 +0,0 @@
-# $Id: inactivity.bro 7073 2010-09-13 00:45:02Z vern $
-
-@load port-name
-
-const inactivity_timeouts: table[port] of interval = {
- # For interactive services, allow longer periods of inactivity.
- [[telnet, rlogin, ssh, ftp]] = 1 hrs,
-} &redef;
-
-function determine_inactivity_timeout(c: connection)
- {
- local service = c$id$resp_p;
-
- # Determine service (adapted from hot.bro)
- if ( c$orig$state == TCP_INACTIVE )
- {
- # We're seeing a half-established connection. Use the
- # service of the originator if it's well-known and the
- # responder isn't.
- if ( service !in port_names && c$id$orig_p in port_names )
- service = c$id$orig_p;
- }
-
- if ( service in inactivity_timeouts )
- set_inactivity_timeout(c$id, inactivity_timeouts[service]);
- }
-
-event connection_established(c: connection)
- {
- determine_inactivity_timeout(c);
- }
diff --git a/policy.old/interconn.bro b/policy.old/interconn.bro
deleted file mode 100644
index ff545d4eef..0000000000
--- a/policy.old/interconn.bro
+++ /dev/null
@@ -1,318 +0,0 @@ -# $Id: interconn.bro 3997 2007-02-23 00:31:19Z vern $ -# -# interconn - generic detection of interactive connections. - -@load port-name -@load demux - -# The following must be defined for the event engine to generate -# interconn events. -redef interconn_min_interarrival = 0.01 sec; -redef interconn_max_interarrival = 2.0 sec; -redef interconn_max_keystroke_pkt_size = 20; -redef interconn_default_pkt_size = 512; -redef interconn_stat_period = 15.0 sec; -redef interconn_stat_backoff = 1.5; - -const interconn_min_num_pkts = 10 &redef; # min num of pkts sent -const interconn_min_duration = 2.0 sec &redef; # min duration for the connection - -const interconn_ssh_len_disabled = T &redef; -const interconn_min_ssh_pkts_ratio = 0.6 &redef; - -const interconn_min_bytes = 10 &redef; -const interconn_min_7bit_ascii_ratio = 0.75 &redef; - -const interconn_min_num_lines = 2 &redef; -const interconn_min_normal_line_ratio = 0.5 &redef; - -# alpha: portion of interarrival times within range -# [interconn_min_interarrival, interconn_max_interarrival] -# -# alpha should be >= interconn_min_alpha -# -# gamma: num_keystrokes_two_in_row / num_pkts -# gamma indicates the portion of keystrokes in the overall traffic -# -# gamma should be >= interconn_min_gamma - -const interconn_min_alpha = 0.2 &redef; # minimum required alpha -const interconn_min_gamma = 0.2 &redef; # minimum required gamma - -const interconn_standard_ports = { telnet, rlogin, ftp, ssh, smtp, 143/tcp, 110/tcp } &redef; -const interconn_ignore_standard_ports = F &redef; - -const interconn_demux_disabled = T &redef; - -const INTERCONN_UNKNOWN = 0; # direction/interactivity is unknown - -const INTERCONN_FORWARD = 1; # forward: a conn's orig is true originator -const INTERCONN_BACKWARD = 2; # backward: a conn's resp is true originator - -const INTERCONN_INTERACTIVE = 1; # a conn is interactive -const INTERCONN_STANDARD_PORT = 2; # conn involves a standard port to ignore - -type conn_info : record { - 
interactive: count; # interactivity: unknown/interactive/standard_port - dir: count; # direction: unknown/forward/backward -}; - -global interconn_conns: table [conn_id] of conn_info; # table for all connections - -# Table for resp_endp's of those established (non-partial) conn's. -# If a partial conn connects to one of such resp's, we can infer -# its direction. -global interconn_resps: table [addr, port] of count &default = 0; - -global interconn_log = open_log_file("interconn") &redef; - -global num_interconns = 0; - -function interconn_conn_string(c: connection): string - { - return fmt("%.6f %s.%d > %s.%d", - c$start_time, - c$id$orig_h, c$id$orig_p, - c$id$resp_h, c$id$resp_p); - } - -function interconn_weird(c: connection, s: string) - { - print fmt("%s interconn_weird: %s %s", network_time(), interconn_conn_string(c), s); - } - -function get_direction(c: connection): count - { - local id = c$id; - - if ( interconn_conns[id]$dir != INTERCONN_UNKNOWN ) - return interconn_conns[id]$dir; - - # The connection is not established yet, but one endpoint - # is a known resp_endp - if ( [id$resp_h, id$resp_p] in interconn_resps ) - { - interconn_conns[id]$dir = INTERCONN_FORWARD; - ++interconn_resps[id$resp_h, id$resp_p]; - - return INTERCONN_FORWARD; - } - - else if ( [id$orig_h, id$orig_p] in interconn_resps ) - { - interconn_conns[id]$dir = INTERCONN_BACKWARD; - ++interconn_resps[id$orig_h, id$orig_p]; - - return INTERCONN_BACKWARD; - } - - return INTERCONN_UNKNOWN; - } - -function comp_gamma(s: interconn_endp_stats): double - { - return s$num_pkts >= interconn_min_num_pkts ? - (1.0 * s$num_keystrokes_two_in_row) / s$num_pkts : 0.0; - } - -function comp_alpha(s: interconn_endp_stats) : double - { - return ( s$num_keystrokes_two_in_row > 0 ) ? 
- (1.0 * s$num_normal_interarrivals / s$num_keystrokes_two_in_row) : 0.0; - } - -function skip_further_interconn_processing(c: connection) - { - # This used to call skip_further_processing() - # (if active_connection(c$id) returned T). But that's - # clearly wrong *if* we're also doing additional analysis - # on the connection. So do nothing. - } - -function log_interconn(c: connection, tag: string) - { - print interconn_log, fmt("%s %s", interconn_conn_string(c), tag); - - local id = c$id; - - if ( interconn_demux_disabled ) - skip_further_interconn_processing(c); - else - demux_conn(id, tag, "orig", "resp"); - } - -function is_interactive_endp(s: interconn_endp_stats): bool - { - # Criteria 1: num_pkts >= interconn_min_num_pkts. - if ( s$num_pkts < interconn_min_num_pkts ) - return F; - - # Criteria 2: gamma >= interconn_min_gamma. - if ( comp_gamma(s) < interconn_min_gamma ) - return F; - - # Criteria 3: alpha >= interconn_min_alpha. - if ( comp_alpha(s) < interconn_min_alpha ) - return F; - - return T; - } - -event connection_established(c: connection) - { - local id = c$id; - local dir = interconn_conns[id]$dir; - - if ( dir == INTERCONN_FORWARD ) - return; - - if ( dir == INTERCONN_BACKWARD ) - { - interconn_weird(c, "inconsistent direction"); - return; - } - - interconn_conns[id]$dir = INTERCONN_FORWARD; - ++interconn_resps[id$resp_h, id$resp_p]; - } - -event new_connection(c: connection) - { - local id = c$id; - - local info: conn_info; - info$dir = INTERCONN_UNKNOWN; - - if ( interconn_ignore_standard_ports && - (id$orig_p in interconn_standard_ports || - id$resp_p in interconn_standard_ports) ) - { - info$interactive = INTERCONN_STANDARD_PORT; - skip_further_interconn_processing(c); - } - - else - info$interactive = INTERCONN_UNKNOWN; - - interconn_conns[id] = info; - } - -event interconn_remove_conn(c: connection) - { - local id = c$id; - - if ( id !in interconn_conns ) - # This can happen for weird connections such as those - # with an initial SYN+FIN 
packet. - return; - - local dir = interconn_conns[id]$dir; - - delete interconn_conns[id]; - delete demuxed_conn[c$id]; - - if ( dir == INTERCONN_FORWARD ) - { - if ( --interconn_resps[id$resp_h, id$resp_p] == 0 ) - delete interconn_resps[id$resp_h, id$resp_p]; - } - - else if ( dir == INTERCONN_BACKWARD ) - { - if ( --interconn_resps[id$orig_h, id$orig_p] == 0 ) - delete interconn_resps[id$orig_h, id$orig_p]; - } - } - -event interconn_stats(c: connection, - os: interconn_endp_stats, rs: interconn_endp_stats) - { - local id = c$id; - - if ( id !in interconn_conns ) - return; - - if ( interconn_conns[id]$interactive != INTERCONN_UNKNOWN ) - return; # already classified - - if ( c$duration < interconn_min_duration ) - # forget about excessively short connections - return; - - local dir = get_direction(c); - - # Criteria: - # - # if ( dir == FORWARD ) - # (os) is interactive - # else if ( dir == BACKWARD ) - # (rs) is interactive - # else - # either (os) or (rs) is interactive - if ( dir == INTERCONN_FORWARD ) - { - if ( ! is_interactive_endp(os) ) - return; - } - - else if ( dir == INTERCONN_BACKWARD ) - { - if ( ! is_interactive_endp(rs) ) - return; - } - - else - { - if ( ! is_interactive_endp(os) && ! is_interactive_endp(rs) ) - return; - } - - local tag: string; - - if ( ! interconn_ssh_len_disabled && (os$is_partial || rs$is_partial) ) - { - local num_pkts = os$num_pkts + rs$num_pkts; - local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts; - local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts; - - if ( num_8k0_pkts > num_pkts * interconn_min_ssh_pkts_ratio ) - { - # c now considered as interactive. - interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - tag = fmt("interconn.%d.ssh2", ++num_interconns); - } - else if ( num_8k4_pkts > num_pkts * interconn_min_ssh_pkts_ratio ) - { - # c now considered as interactive. 
- interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - tag = fmt("interconn.%d.ssh1", ++num_interconns); - } - } - - # Criteria 4: num_7bit_ascii / num_bytes is big enough; AND - # enough number of normal lines - if ( interconn_conns[id]$interactive != INTERCONN_INTERACTIVE ) - { - local num_bytes = os$num_bytes + rs$num_bytes; - local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii; - - if ( num_bytes < interconn_min_bytes || - num_7bit_ascii < num_bytes * interconn_min_7bit_ascii_ratio ) - return; - - local num_lines = os$num_lines + rs$num_lines; - local num_normal_lines = os$num_normal_lines + - rs$num_normal_lines; - - if ( num_lines < interconn_min_num_lines || - num_normal_lines < num_lines * interconn_min_normal_line_ratio ) - return; - - # c now considered as interactive. - interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - - tag = fmt("interconn.%d", ++num_interconns); - } - - log_interconn(c, tag); - } diff --git a/policy.old/irc-bot-syslog.bro b/policy.old/irc-bot-syslog.bro deleted file mode 100644 index 6ca1281db3..0000000000 --- a/policy.old/irc-bot-syslog.bro +++ /dev/null 
@@ -1,79 +0,0 @@ -# $Id: irc-bot-syslog.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $ -# -# Passes current bot-state to syslog. -# -# - When a new server/client is found, we syslog it immediately. -# - Every IrcBot::summary_interval we dump the current set. - -@load irc-bot - -module IrcBotSyslog; - -export { - # Prefix for all messages for easy grepping. - const prefix = "irc-bots" &redef; -} - -# For debugging, everything which goes to syslog also goes here. -global syslog_file = open_log_file("irc-bots.syslog"); - -function fmt_time(t: time) : string - { - return strftime("%Y-%m-%d-%H-%M-%S", t); - } - -function log_server(ip: addr, new: bool) - { - local s = IrcBot::servers[ip]; - local ports = IrcBot::portset_to_str(s$p); - - local msg = fmt("%s ip=%s new=%d local=%d server=1 first_seen=%s last_seen=%s ports=%s", - prefix, ip, new, is_local_addr(ip), - fmt_time(s$first_seen), fmt_time(s$last_seen), ports); - - syslog(msg); - print syslog_file, fmt("%.6f %s", network_time(), msg); - } - -function log_client(ip: addr, new: bool) - { - local c = IrcBot::clients[ip]; - local servers = IrcBot::addrset_to_str(c$servers); - - local msg = fmt("%s ip=%s new=%d local=%d server=0 first_seen=%s last_seen=%s user=%s nick=%s realname=%s servers=%s", - prefix, ip, new, is_local_addr(ip), - fmt_time(c$first_seen), fmt_time(c$last_seen), - c$user, c$nick, c$realname, servers); - - syslog(msg); - print syslog_file, fmt("%.6f %s", network_time(), msg); - } - -event print_bot_state() - { - for ( s in IrcBot::confirmed_bot_servers ) - log_server(s, F); - - for ( c in IrcBot::confirmed_bot_clients ) - log_client(c, F); - } - -event bro_init() - { - set_buf(syslog_file, F); - } - -redef notice_policy += { - [$pred(a: notice_info) = - { - if ( a$note == IrcBot::IrcBotServerFound ) - log_server(a$src, T); - - if ( a$note == IrcBot::IrcBotClientFound ) - log_client(a$src, T); - - return F; - }, - $result = NOTICE_FILE, - $priority = 1] -}; 
diff --git a/policy.old/irc-bot.bro b/policy.old/irc-bot.bro deleted file mode 100644 index 4bbe072b7d..0000000000 --- a/policy.old/irc-bot.bro +++ /dev/null 
@@ -1,566 +0,0 @@ -# $Id:$ - -@load conn -@load notice -@load weird - -module IrcBot; - -export { - global detailed_log = open_log_file("irc.detailed") &redef; - global bot_log = open_log_file("irc-bots") &redef; - - global summary_interval = 1 min &redef; - - global detailed_logging = T &redef; - global content_dir = "irc-bots" &redef; - - global bot_nicks = - /^\[([^\]]+\|)+[0-9]{2,}]/ # [DEU|XP|L|00] - | /^\[[^ ]+\]([^ ]+\|)+([0-9a-zA-Z-]+)/ # [0]CHN|3436036 [DEU][1]3G-QE - | /^DCOM[0-9]+$/ # DCOM7845 - | /^\{[A-Z]+\}-[0-9]+/ # {XP}-5021040 - | /^\[[0-9]+-[A-Z0-9]+\][a-z]+/ # [0058-X2]wpbnlgwf - | /^\[[a-zA-Z0-9]\]-[a-zA-Z0-9]+$/ # [SD]-743056826 - | /^[a-z]+[A-Z]+-[0-9]{5,}$/ - | /^[A-Z]{3}-[0-9]{4}/ # ITD-1119 - ; - - global bot_cmds = - /(^| *)[.?#!][^ ]{0,5}(scan|ndcass|download|cvar\.|execute|update|dcom|asc|scanall) / - | /(^| +\]\[ +)\* (ipscan|wormride)/ - | /(^| *)asn1/ - ; - - global skip_msgs = - /.*AUTH .*/ - | /.*\*\*\* Your host is .*/ - | /.*\*\*\* If you are having problems connecting .*/ - ; - - redef enum Notice += { - IrcBotServerFound, - IrcBotClientFound, - }; - - type channel: record { - name: string; - passwords: set[string]; - topic: string &default=""; - topic_history: vector of string; - }; - - type bot_client: record { - host: addr; - p: port; - nick: string &default=""; - user: string &default=""; - realname: string &default=""; - channels: table[string] of channel; - servers: set[addr] &optional; - first_seen: time; - last_seen: time; - }; - - type bot_server: record { - host: addr; - p: set[port]; - clients: table[addr] of bot_client; - global_users: string &default=""; - passwords: set[string]; - channels: table[string] of channel; - first_seen: time; - last_seen: time; - }; - - type bot_conn: record { - client: bot_client; - server: bot_server; - conn: connection; - fd: file; - ircx: bool &default=F; - }; - - # We keep three sets of clients/servers: - # (1) tables containing all IRC clients/servers - # (2) sets containing 
potential bot hosts - # (3) sets containing confirmend bot hosts - # - # Hosts are confirmed when a connection is established between - # potential bot hosts. - # - # FIXME: (1) should really be moved into the general IRC script. - - global expire_server: - function(t: table[addr] of bot_server, idx: addr): interval; - global expire_client: - function(t: table[addr] of bot_client, idx: addr): interval; - - global servers: table[addr] of bot_server &write_expire=24 hrs - &expire_func=expire_server &persistent; - global clients: table[addr] of bot_client &write_expire=24 hrs - &expire_func=expire_client &persistent; - - global potential_bot_clients: set[addr] &persistent; - global potential_bot_servers: set[addr] &persistent; - global confirmed_bot_clients: set[addr] &persistent; - global confirmed_bot_servers: set[addr] &persistent; - - # All IRC connections. - global conns: table[conn_id] of bot_conn &persistent; - - # Connections between confirmed hosts. - global bot_conns: set[conn_id] &persistent; - - # Helper functions for readable output. 
- global strset_to_str: function(s: set[string]) : string; - global portset_to_str: function(s: set[port]) : string; - global addrset_to_str: function(s: set[addr]) : string; -} - -function strset_to_str(s: set[string]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("\"%s\"", i)); - } - - return r; - } - -function portset_to_str(s: set[port]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("%d", i)); - } - - return r; - } - -function addrset_to_str(s: set[addr]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("%s", i)); - } - - return r; - } - -function fmt_time(t: time) : string - { - return strftime("%y-%m-%d-%H-%M-%S", t); - } - -event print_bot_state() - { - local bot_summary_log = open_log_file("irc-bots.summary"); - disable_print_hook(bot_summary_log); - - print bot_summary_log, "---------------------------"; - print bot_summary_log, strftime("%y-%m-%d-%H-%M-%S", network_time()); - print bot_summary_log, "---------------------------"; - print bot_summary_log; - print bot_summary_log, "Known servers"; - - for ( h in confirmed_bot_servers ) - { - local s = servers[h]; - - print bot_summary_log, - fmt(" %s %s - clients: %d ports %s password(s) %s last-seen %s first-seen %s global-users %s", - (is_local_addr(s$host) ? 
"L" : "R"), - s$host, length(s$clients), portset_to_str(s$p), - strset_to_str(s$passwords), - fmt_time(s$last_seen), fmt_time(s$first_seen), - s$global_users); - - for ( name in s$channels ) - { - local ch = s$channels[name]; - print bot_summary_log, - fmt(" channel %s: topic \"%s\", password(s) %s", - ch$name, ch$topic, - strset_to_str(ch$passwords)); - } - } - - print bot_summary_log, "\nKnown clients"; - - for ( h in confirmed_bot_clients ) - { - local c = clients[h]; - print bot_summary_log, - fmt(" %s %s - server(s) %s user %s nick %s realname %s last-seen %s first-seen %s", - (is_local_addr(h) ? "L" : "R"), h, - addrset_to_str(c$servers), - c$user, c$nick, c$realname, - fmt_time(c$last_seen), fmt_time(c$first_seen)); - } - - close(bot_summary_log); - - if ( summary_interval != 0 secs ) - schedule summary_interval { print_bot_state() }; - } - -event bro_init() - { - if ( summary_interval != 0 secs ) - schedule summary_interval { print_bot_state() }; - } - -function do_log_force(c: connection, msg: string) - { - local id = c$id; - print bot_log, fmt("%.6f %s:%d > %s:%d %s %s", - network_time(), id$orig_h, id$orig_p, - id$resp_h, id$resp_p, c$addl, msg); - } - -function do_log(c: connection, msg: string) - { - if ( c$id !in bot_conns ) - return; - - do_log_force(c, msg); - } - -function log_msg(c: connection, cmd: string, prefix: string, msg: string) - { - if ( skip_msgs in msg ) - return; - - do_log(c, fmt("MSG command=%s prefix=%s msg=\"%s\"", cmd, prefix, msg)); - } - -function update_timestamps(c: connection) : bot_conn - { - local conn = conns[c$id]; - - conn$client$last_seen = network_time(); - conn$server$last_seen = network_time(); - - # To prevent the set of entries from premature expiration, - # we need to make a write access (can't use read_expire as we - # iterate over the entries on a regular basis). 
- clients[c$id$orig_h] = conn$client; - servers[c$id$resp_h] = conn$server; - - return conn; - } - -function add_server(c: connection) : bot_server - { - local s_h = c$id$resp_h; - - if ( s_h in servers ) - return servers[s_h]; - - local empty_table1: table[addr] of bot_client; - local empty_table2: table[string] of channel; - local empty_set: set[string]; - local empty_set2: set[port]; - - local server = [$host=s_h, $p=empty_set2, $clients=empty_table1, - $channels=empty_table2, $passwords=empty_set, - $first_seen=network_time(), $last_seen=network_time()]; - servers[s_h] = server; - - return server; - } - -function add_client(c: connection) : bot_client - { - local c_h = c$id$orig_h; - - if ( c_h in clients ) - return clients[c_h]; - - local empty_table: table[string] of channel; - local empty_set: set[addr]; - local client = [$host=c_h, $p=c$id$resp_p, $servers=empty_set, - $channels=empty_table, $first_seen=network_time(), - $last_seen=network_time()]; - clients[c_h] = client; - - return client; - } - -function check_bot_conn(c: connection) - { - if ( c$id in bot_conns ) - return; - - local client = c$id$orig_h; - local server = c$id$resp_h; - - if ( client !in potential_bot_clients || server !in potential_bot_servers ) - return; - - # New confirmed bot_conn. 
- - add bot_conns[c$id]; - - if ( server !in confirmed_bot_servers ) - { - NOTICE([$note=IrcBotServerFound, $src=server, $p=c$id$resp_p, $conn=c, - $msg=fmt("ircbot server found: %s:%d", server, $p=c$id$resp_p)]); - add confirmed_bot_servers[server]; - } - - if ( client !in confirmed_bot_clients ) - { - NOTICE([$note=IrcBotClientFound, $src=client, $p=c$id$orig_p, $conn=c, - $msg=fmt("ircbot client found: %s:%d", client, $p=c$id$orig_p)]); - add confirmed_bot_clients[client]; - } - } - -function get_conn(c: connection) : bot_conn - { - local conn: bot_conn; - - if ( c$id in conns ) - { - check_bot_conn(c); - return update_timestamps(c); - } - - local c_h = c$id$orig_h; - local s_h = c$id$resp_h; - - local client : bot_client; - local server : bot_server; - - if ( c_h in clients ) - client = clients[c_h]; - else - client = add_client(c); - - if ( s_h in servers ) - server = servers[s_h]; - else - server = add_server(c); - - server$clients[c_h] = client; - add server$p[c$id$resp_p]; - add client$servers[s_h]; - - conn$server = server; - conn$client = client; - conn$conn = c; - conns[c$id] = conn; - update_timestamps(c); - - return conn; - } - -function expire_server(t: table[addr] of bot_server, idx: addr): interval - { - local server = t[idx]; - for ( c in server$clients ) - { - local client = server$clients[c]; - delete client$servers[idx]; - } - - delete potential_bot_servers[idx]; - delete confirmed_bot_servers[idx]; - return 0secs; - } - -function expire_client(t: table[addr] of bot_client, idx: addr): interval - { - local client = t[idx]; - for ( s in client$servers ) - if ( s in servers ) - delete servers[s]$clients[idx]; - delete potential_bot_clients[idx]; - delete confirmed_bot_clients[idx]; - return 0secs; - } - -function remove_connection(c: connection) - { - local conn = conns[c$id]; - delete conns[c$id]; - delete bot_conns[c$id]; - } - -event connection_state_remove(c: connection) - { - if ( c$id !in conns ) - return; - - remove_connection(c); - } - 
-event bro_init() - { - set_buf(detailed_log, F); - set_buf(bot_log, F); - } - -event irc_client(c: connection, prefix: string, data: string) - { - if ( detailed_logging ) - print detailed_log, fmt("%.6f %s > (%s) %s", network_time(), id_string(c$id), prefix, data); - - local conn = get_conn(c); - - if ( data == /^ *[iI][rR][cC][xX] *$/ ) - conn$ircx = T; - } - -event irc_server(c: connection, prefix: string, data: string) - { - if ( detailed_logging ) - print detailed_log, fmt("%.6f %s < (%s) %s", network_time(), id_string(c$id), prefix, data); - - local conn = get_conn(c); - } - -event irc_user_message(c: connection, user: string, host: string, server: string, real_name: string) - { - local conn = get_conn(c); - conn$client$user = user; - conn$client$realname = real_name; - - do_log(c, fmt("USER user=%s host=%s server=%s real_name=%s", user, host, server, real_name)); - } - -function get_channel(conn: bot_conn, channel: string) : channel - { - if ( channel in conn$server$channels ) - return conn$server$channels[channel]; - else - { - local empty_set: set[string]; - local empty_vec: vector of string; - local ch = [$name=channel, $passwords=empty_set, $topic_history=empty_vec]; - conn$server$channels[ch$name] = ch; - return ch; - } - } - -event irc_join_message(c: connection, info_list: irc_join_list) - { - local conn = get_conn(c); - - for ( i in info_list ) - { - local ch = get_channel(conn, i$channel); - - if ( i$password != "" ) - add ch$passwords[i$password]; - - conn$client$channels[ch$name] = ch; - - do_log(c, fmt("JOIN channel=%s password=%s", i$channel, i$password)); - } - } - -global urls: set[string] &read_expire = 7 days &persistent; - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - if ( original_URI in urls ) - do_log_force(c, fmt("Request for URL %s", original_URI)); - } - -event irc_channel_topic(c: connection, channel: string, topic: string) - { - if ( bot_cmds in topic ) - { - 
do_log_force(c, fmt("Matching TOPIC %s", topic)); - add potential_bot_servers[c$id$resp_h]; - } - - local conn = get_conn(c); - - local ch = get_channel(conn, channel); - ch$topic_history[|ch$topic_history|] = ch$topic; - ch$topic = topic; - - if ( c$id in bot_conns ) - { - do_log(c, fmt("TOPIC channel=%s topic=\"%s\"", channel, topic)); - - local s = split(topic, / /); - for ( i in s ) - { - local w = s[i]; - if ( w == /[a-zA-Z]+:\/\/.*/ ) - { - add urls[w]; - do_log(c, fmt("URL channel=%s url=\"%s\"", - channel, w)); - } - } - } - } - -event irc_nick_message(c: connection, who: string, newnick: string) - { - if ( bot_nicks in newnick ) - { - do_log_force(c, fmt("Matching NICK %s", newnick)); - add potential_bot_clients[c$id$orig_h]; - } - - local conn = get_conn(c); - conn$client$nick = newnick; - - do_log(c, fmt("NICK who=%s nick=%s", who, newnick)); - } - -event irc_password_message(c: connection, password: string) - { - local conn = get_conn(c); - add conn$server$passwords[password]; - - do_log(c, fmt("PASS password=%s", password)); - } - -event irc_privmsg_message(c: connection, source: string, target: string, - message: string) - { - log_msg(c, "privmsg", source, fmt("->%s %s", target, message)); - } - -event irc_notice_message(c: connection, source: string, target: string, - message: string) - { - log_msg(c, "notice", source, fmt("->%s %s", target, message)); - } - -event irc_global_users(c: connection, prefix: string, msg: string) - { - local conn = get_conn(c); - - # Better would be to parse the message to extract the counts. - conn$server$global_users = msg; - - log_msg(c, "globalusers", prefix, msg); - } diff --git a/policy.old/irc.bro b/policy.old/irc.bro deleted file mode 100644 index 27b905528a..0000000000 --- a/policy.old/irc.bro +++ /dev/null 
@@ -1,689 +0,0 @@ -# $Id: irc.bro 4758 2007-08-10 06:49:23Z vern $ - -@load conn-id -@load notice -@load weird - -@load signatures - -module IRC; - -export { - const log_file = open_log_file("irc") &redef; - - type irc_user: record { - u_nick: string; # nick name - u_real: string; # real name - u_host: string; # client host - u_channels: set[string]; # channels the user is member of - u_is_operator: bool; # user is server operator - u_conn: connection; # connection handle - }; - - type irc_channel: record { - c_name: string; # channel name - c_users: set[string]; # users in channel - c_ops: set[string]; # channel operators - c_type: string; # channel type - c_modes: string; # channel modes - c_topic: string; # channel topic - }; - - global expired_user: - function(t: table[string] of irc_user, idx: string): interval; - global expired_channel: - function(t: table[string] of irc_channel, idx: string): interval; - - # Commands to ignore in irc_request/irc_message. - const ignore_in_other_msgs = { "PING", "PONG", "ISON" } &redef; - - # Return codes to ignore in irc_response - const ignore_in_other_responses: set[count] = { - 303 # RPL_ISON - } &redef; - - # Active users, indexed by nick. - global active_users: table[string] of irc_user &read_expire = 6 hrs - &expire_func = expired_user &redef; - - # Active channels, indexed by channel name. - global active_channels: table[string] of irc_channel - &read_expire = 6 hrs - &expire_func = expired_channel &redef; - - # Strings that generate a notice if found in session dialog. - const hot_words = - /.*etc\/shadow.*/ - | /.*etc\/ldap.secret.*/ - | /.*phatbot.*/ - | /.*botnet.*/ - &redef; - - redef enum Notice += { - IRC_HotWord, - }; -} - - -# IRC ports. This could be widened to 6660-6669, say. -redef capture_filters += { ["irc-6666"] = "port 6666" }; -redef capture_filters += { ["irc-6667"] = "port 6667" }; - -# DPM configuration. 
-global irc_ports = { 6666/tcp, 6667/tcp } &redef; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef Weird::weird_action += { - ["irc_invalid_dcc_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_invite_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_kick_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_line"] = Weird::WEIRD_FILE, - ["irc_invalid_mode_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_names_line"] = Weird::WEIRD_FILE, - ["irc_invalid_njoin_line"] = Weird::WEIRD_FILE, - ["irc_invalid_notice_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_oper_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_privmsg_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_reply_number"] = Weird::WEIRD_FILE, - ["irc_invalid_squery_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_who_line"] = Weird::WEIRD_FILE, - ["irc_invalid_who_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_channel_line"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_operator_line"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_user_line"] = Weird::WEIRD_FILE, - ["irc_line_size_exceeded"] = Weird::WEIRD_FILE, - ["irc_line_too_short"] = Weird::WEIRD_FILE, - ["irc_partial_request"] = Weird::WEIRD_FILE, - ["irc_too_many_invalid"] = Weird::WEIRD_FILE, -}; - -# # IRC servers to identify server-to-server connections. 
-# redef irc_servers = { -# # German IRCnet servers -# irc.leo.org, -# irc.fu-berlin.de, -# irc.uni-erlangen.de, -# irc.belwue.de, -# irc.freenet.de, -# irc.tu-ilmenau.de, -# irc.rz.uni-karlsruhe.de, -# }; - -global conn_list: table[conn_id] of count; -global conn_ID = 0; -global check_connection: function(c: connection); - -function irc_check_hot(c: connection, s: string, context: string) - { - if ( s == hot_words ) - NOTICE([$note=IRC_HotWord, $conn=c, - $msg=fmt("IRC hot word in: %s", context)]); - } - -function log_activity(c: connection, msg: string) - { - print log_file, fmt("%.6f #%s %s", - network_time(), conn_list[c$id], msg); - } - -event connection_state_remove(c: connection) - { - delete conn_list[c$id]; - } - -event irc_request(c: connection, prefix: string, - command: string, arguments: string) - { - check_connection(c); - - local context = fmt("%s %s", command, arguments); - irc_check_hot(c, command, context); - irc_check_hot(c, arguments, context); - - if ( command !in ignore_in_other_msgs ) - log_activity(c, fmt("other request%s%s: %s", - prefix == "" ? "" : " ", - prefix, context)); - } - -event irc_reply(c: connection, prefix: string, code: count, params: string) - { - check_connection(c); - - local context = fmt("%s %s", code, params); - irc_check_hot(c, params, context); - - if ( code !in ignore_in_other_responses ) - log_activity(c, fmt("other response from %s: %s", - prefix, context)); - } - -event irc_message(c: connection, prefix: string, - command: string, message: string) - { - check_connection(c); - - # Sanity checks whether this is indeed IRC. - # - # If we happen to parse an HTTP connection, the server "commands" will - # end with ":". 
- if ( command == /.*:$/ ) - { - local aid = current_analyzer(); - event protocol_violation(c, ANALYZER_IRC, aid, "broken server response"); - return; - } - - local context = fmt("%s %s", command, message); - irc_check_hot(c, command, context); - irc_check_hot(c, message, context); - - if ( command !in ignore_in_other_msgs ) - log_activity(c, fmt("other server message from %s: %s", - prefix, context)); - } - -event irc_user_message(c: connection, user: string, host: string, - server: string, real_name: string) - { - check_connection(c); - - log_activity(c, fmt("new user, user='%s', host='%s', server='%s', real = '%s'", - user, host, server, real_name)); - - if ( user in active_users ) - active_users[user]$u_conn = c; - else - { - local u: irc_user; - u$u_nick = user; - u$u_real = real_name; - u$u_conn = c; - u$u_host = ""; - u$u_is_operator = F; - active_users[user] = u; - } - } - -event irc_quit_message(c: connection, nick: string, message: string) - { - check_connection(c); - - log_activity(c, fmt("user '%s' leaving%s", nick, - message == "" ? "" : fmt(", \"%s\"", message))); - - # Remove from lists. - if ( nick in active_users ) - { - delete active_users[nick]; - for ( my_channel in active_channels ) - delete active_channels[my_channel]$c_users[nick]; - } - } - -function check_message(c: connection, source: string, target: string, - msg: string, msg_type: string) - { - check_connection(c); - irc_check_hot(c, msg, msg); - log_activity(c, fmt("%s%s to '%s': %s", msg_type, - source != "" ? 
fmt(" from '%s'", source) : "", - target, msg)); - } - -event irc_privmsg_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "message"); - } - -event irc_notice_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "notice"); - } - -event irc_squery_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "squery"); - } - -event irc_join_message(c: connection, info_list: irc_join_list) - { - check_connection(c); - - for ( l in info_list ) - { - log_activity(c, fmt("user '%s' joined '%s'%s", - l$nick, l$channel, - l$password != "" ? - fmt("with password '%s'", - l$password) : "")); - - if ( l$nick == "" ) - next; - - if ( l$nick in active_users ) - add (active_users[l$nick]$u_channels)[l$channel]; - else - { - local user: irc_user; - user$u_nick = l$nick; - user$u_real = ""; - user$u_conn = c; - user$u_host = ""; - user$u_is_operator = F; - add user$u_channels[l$channel]; - - active_users[l$nick] = user; - } - - # Add channel to lists. - if ( l$channel in active_channels ) - add (active_channels[l$channel]$c_users)[l$nick]; - else - { - local my_c: irc_channel; - my_c$c_name = l$channel; - add my_c$c_users[l$nick]; - - my_c$c_type = my_c$c_modes = ""; - - active_channels[l$channel] = my_c; - } - } - } - -event irc_part_message(c: connection, nick: string, - chans: string_set, message: string) - { - check_connection(c); - - local channel_str = ""; - for ( ch in chans ) - channel_str = channel_str == "" ? - ch : fmt("%s, %s", channel_str, ch); - - log_activity(c, fmt("%s channel '%s'%s", - nick == "" ? "leaving" : - fmt("user '%s' leaving", nick), - channel_str, - message == "" ? - "" : fmt("with message '%s'", message))); - - # Remove user from channel. 
- if ( nick == "" ) - return; - - for ( ch in active_channels ) - { - delete (active_channels[ch]$c_users)[nick]; - delete (active_channels[ch]$c_ops)[nick]; - if ( nick in active_users ) - delete (active_users[nick]$u_channels)[ch]; - } - } - -event irc_nick_message(c: connection, who: string, newnick: string) - { - check_connection(c); - - log_activity(c, fmt("%s nick name to '%s'", - who == "" ? "changing" : - fmt("user '%s' changing", who), - newnick)); - } - -event irc_invalid_nick(c: connection) - { - check_connection(c); - log_activity(c, "changing nick name failed"); - } - -event irc_network_info(c: connection, users: count, services: count, - servers: count) - { - check_connection(c); - log_activity(c, fmt("network includes %d users, %d services, %d servers", - users, services, servers)); - } - -event irc_server_info(c: connection, users: count, services: count, - servers: count) - { - check_connection(c); - log_activity(c, fmt("server includes %d users, %d services, %d peers", - users, services, servers)); - } - -event irc_channel_info(c: connection, chans: count) - { - check_connection(c); - log_activity(c, fmt("network includes %d channels", chans)); - } - -event irc_who_line(c: connection, target_nick: string, channel: string, - user: string, host: string, server: string, - nick: string, params: string, hops: count, - real_name: string) - { - check_connection(c); - - log_activity(c, fmt("channel '%s' includes '%s' on %s connected to %s with nick '%s', real name '%s', params %s", - channel, user, host, server, - nick, real_name, params)); - - if ( nick == "" || channel == "" ) - return; - - if ( nick in active_users ) - active_users[nick]$u_conn = c; - - else - { - local myuser: irc_user; - myuser$u_nick = nick; - myuser$u_real = real_name; - myuser$u_conn = c; - myuser$u_host = host; - myuser$u_is_operator = F; - add myuser$u_channels[channel]; - - active_users[nick] = myuser; - - if ( channel in active_channels ) - add 
(active_channels[channel]$c_users)[nick]; - else - { - local my_c: irc_channel; - my_c$c_name = channel; - add my_c$c_users[nick]; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[channel] = my_c; - } - } - } - -event irc_who_message(c: connection, mask: string, oper: bool) - { - check_connection(c); - - log_activity(c, fmt("WHO with mask %s%s", mask, - oper ? ", only operators" : "")); - } - -event irc_whois_message(c: connection, server: string, users: string) - { - check_connection(c); - - log_activity(c, fmt("WHOIS%s for user(s) %s", - server == "" ? - server : fmt(" to server %s", server), - users)); - } - -event irc_whois_user_line(c: connection, nick: string, - user: string, host: string, real_name: string) - { - check_connection(c); - - log_activity(c, fmt("user '%s' with nick '%s' on host %s has real name '%s'", - user, nick, host, real_name)); - - if ( nick in active_users ) - { - active_users[nick]$u_real = real_name; - active_users[nick]$u_host = host; - } - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = real_name; - u$u_conn = c; - u$u_host = host; - u$u_is_operator = F; - - active_users[nick] = u; - } - } - -event irc_whois_operator_line(c: connection, nick: string) - { - check_connection(c); - log_activity(c, fmt("user '%s' is an IRC operator", nick)); - - if ( nick in active_users ) - active_users[nick]$u_is_operator = T; - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = ""; - u$u_conn = c; - u$u_host = ""; - u$u_is_operator = T; - - active_users[nick] = u; - } - } - -event irc_whois_channel_line(c: connection, nick: string, chans: string_set) - { - check_connection(c); - - local message = fmt("user '%s' is on channels:", nick); - for ( channel in chans ) - message = fmt("%s %s", message, channel); - - log_activity(c, message); - - if ( nick in active_users ) - { - for ( ch in chans ) - add active_users[nick]$u_channels[ch]; - } - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = ""; - u$u_conn = 
c; - u$u_host = ""; - u$u_is_operator = F; - u$u_channels = chans; - - active_users[nick] = u; - } - - for ( ch in chans ) - { - if ( ch in active_channels ) - add (active_channels[ch]$c_users)[nick]; - else - { - local my_c: irc_channel; - my_c$c_name = ch; - add my_c$c_users[nick]; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[ch] = my_c; - } - } - } - -event irc_oper_message(c: connection, user: string, password: string) - { - check_connection(c); - log_activity(c, fmt("user requests operator status with name '%s', password '%s'", - user, password)); - } - -event irc_oper_response(c: connection, got_oper: bool) - { - check_connection(c); - log_activity(c, fmt("user %s operator status", - got_oper ? "received" : "did not receive")); - } - -event irc_kick_message(c: connection, prefix: string, chans: string, - users: string, comment: string) - { - check_connection(c); - log_activity(c, fmt("user '%s' requested to kick '%s' from channel(s) %s with comment %s", - prefix, users, chans, comment)); - } - -event irc_error_message(c: connection, prefix: string, message: string) - { - check_connection(c); - log_activity(c, fmt("error message%s: %s", - prefix == "" ? "" : fmt("from '%s'", prefix), - message)); - } - -event irc_invite_message(c: connection, prefix: string, - nickname: string, channel: string) - { - check_connection(c); - log_activity(c, fmt("'%s' invited to channel %s%s", - nickname, channel, - prefix == "" ? "" : fmt(" by %s", prefix))); - } - -event irc_mode_message(c: connection, prefix: string, params: string) - { - check_connection(c); - log_activity(c, fmt("mode command%s: %s", - prefix == "" ? "" : fmt(" from '%s'", prefix), - params)); - } - -event irc_squit_message(c: connection, prefix: string, - server: string, message: string) - { - check_connection(c); - - log_activity(c, fmt("server disconnect attempt%s for %s with comment %s", - prefix == "" ? 
"" : fmt(" from '%s'", prefix), - server, message)); - } - -event irc_names_info(c: connection, c_type: string, channel: string, - users: string_set) - { - check_connection(c); - - local chan_type = - c_type == "@" ? "secret" : - (c_type == "*" ? "private" : "public"); - - local message = fmt("channel '%s' (%s) contains users:", - channel, chan_type); - - for ( user in users ) - message = fmt("%s %s", message, user); - - log_activity(c, message); - - if ( channel in active_channels ) - { - for ( u in users ) - add (active_channels[channel]$c_users)[u]; - } - else - { - local my_c: irc_channel; - my_c$c_name = channel; - my_c$c_users = users; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[channel] = my_c; - } - - for ( nick in users ) - { - if ( nick in active_users ) - add (active_users[nick]$u_channels)[channel]; - else - { - local usr: irc_user; - usr$u_nick = nick; - usr$u_real = ""; - usr$u_conn = c; - usr$u_host = ""; - usr$u_is_operator = F; - add usr$u_channels[channel]; - - active_users[nick] = usr; - } - } - } - -event irc_dcc_message(c: connection, prefix: string, target: string, - dcc_type: string, argument: string, - address: addr, dest_port: count, size: count) - { - check_connection(c); - - log_activity(c, fmt("DCC %s invitation for '%s' to host %s on port %s%s", - dcc_type, target, address, dest_port, - dcc_type == "SEND" ? 
- fmt(" (%s: %s bytes)", argument, size) : - "")); - } - -event irc_channel_topic(c: connection, channel: string, topic: string) - { - check_connection(c); - log_activity(c, fmt("topic for %s is '%s'", channel, topic)); - } - -event irc_password_message(c: connection, password: string) - { - check_connection(c); - log_activity(c, fmt("password %s", password)); - } - -function expired_user(t: table[string] of irc_user, idx: string): interval - { - for ( my_c in active_users[idx]$u_channels ) - { - suspend_state_updates(); - delete active_channels[my_c]$c_users[idx]; - delete active_channels[my_c]$c_ops[idx]; - resume_state_updates(); - } - - return 0 secs; - } - -function expired_channel(t:table[string] of irc_channel, idx: string): interval - { - for ( my_u in active_channels[idx]$c_users ) - if ( my_u in active_users ) - delete active_users[my_u]$u_channels[idx]; - # Else is there a possible state leak? How could it not - # be in active_users? Yet sometimes it isn't, which - # is why we needed to add the above test. - - return 0 secs; - } - -function check_connection(c: connection) - { - if ( c$id !in conn_list ) - { - ++conn_ID; - append_addl(c, fmt("#%d", conn_ID)); - conn_list[c$id] = conn_ID; - - log_activity(c, fmt("new connection %s", id_string(c$id))); - } - } diff --git a/policy.old/large-conns.bro b/policy.old/large-conns.bro deleted file mode 100644 index 7c55c8ff1c..0000000000 --- a/policy.old/large-conns.bro +++ /dev/null 
@@ -1,336 +0,0 @@ -# $Id: large-conns.bro 1332 2005-09-07 17:39:17Z vern $ - -# Written by Chema Gonzalez. - - -# Estimates the size of large "flows" (i.e., each direction of a TCP -# connection) by noting when their sequence numbers cross a set of regions -# in the sequence space. This can be done using a static packet filter, -# so is very efficient. It works for (TCP) traffic that Bro otherwise doesn't -# see. - -# Usage -# -# 1) Set the appropriate number_of_regions and region_size: -# -# Modify the number_of_regions and (perhaps) region_size global -# variables. You do this *prior* to loading this script, so -# for example: -# -# const number_of_regions = 32; -# @load large-conns -# -# You do *not* redef them like you would with other script variables -# (this is because they need to be used directly in the initializations -# of other variables used by this script). -# -# Note that number_of_regions affects the granularity -# and definition of the script (see below). -# -# 2) To get an estimate of the true size of a flow, call: -# -# function estimate_flow_size_and_remove(cid: conn_id, orig: bool): -# flow_size_est -# -# If orig=T, then an estimate of the size of the forward (originator) -# direction is returned. If orig=F, then the reverse (responder) -# direction is returned. In both cases, what's returned is a -# flow_size_est, which includes a flag indicating whether there was -# any estimate formed, and, if the flag is T, a lower bound, an upper bound, -# and an inconsistency-count (which, if > 0, means that the estimates -# came from sequence numbers that were inconsistent, and thus something -# is wrong - perhaps packet drops by the secondary filter). Finally, -# calling this function causes the flow's record to be deleted. Perhaps -# at some point we'll need to add a version that just retrieves the -# estimate. 
- -type flow_size_est: record { - have_est: bool; - lower: double &optional; - upper: double &optional; - num_inconsistent: count &optional; -}; - -global estimate_flow_size_and_remove: - function(cid: conn_id, orig: bool): flow_size_est; - -module LargeConn; - - -# Rationale -# -# One of the mechanisms that Bro uses to detect large TCP flows is -# to calculate the difference in the sequence number (seq) field contents -# between the last packet (FIN or RST) and the first packet (SYN). This -# method may be wrong if a) the seq number is busted (which can happen -# frequently with RST termination), or b) the seq number wraps around -# the 4GB sequence number space (note that this is OK for TCP while -# there is no ambiguity on what a packet's sequence number means, -# due to its use of a window <= 2 GB in size). -# -# The purpose of this script is to resolve these ambiguities. In other -# words, help with differentiating truly large flows from flows with -# a busted seq, and detecting very large flows that wrap around the -# 4GB seq space. -# -# To do so, large-flow listens to a small group of thin regions in -# the sequence space, located at equal distances from each other. The idea -# is that a truly large flow will pass through the regions in -# an orderly fashion, maybe several times. This script keeps track of -# all packets that pass through any of the regions, counting the number -# of times a packet from a given flow passes through consecutive regions. -# -# Note that the exact number of regions, and the size of each region, can -# be controlled by redefining the global variables number_of_regions -# and region_size, respectively. Both should be powers of two (if not, -# they are rounded to be such), and default to 4 and 16KB, respectively. 
-# The effect of varying these parameters is the following: -# -# - Increasing number_of_regions will increase the granularity of the -# script, at the cost of elevating its cost in both processing (more -# packets will be seen) and memory (more flows will be seen). -# The granularity of the script is defined as the minimum variation -# in size the script can see. Its value is: -# -# granularity = (4GB / number_of_regions) -# -# For example, if we're using 4 regions, the minimum flow size difference -# that the script can see is 1GB. -# -# number_of_regions also affects the script definition, defined as the -# smallest size of a flow which ensures that the flow will be seen by -# the script. The script definition is: -# -# definition = (2 * granularity) -# -# The script sees no flow smaller than the granularity, some flows with -# size between granularity and definition, and all flows larger than -# definition. In our example, the script definition is 2GB (it will see -# for sure only flows bigger than 2GB). -# -# - Increasing region_size will only increase the resilience of the script -# to lost packets, at the cost of augmenting the cost in both processing -# and memory (see above). The default value of 16 KB is chosen to work -# in the presence of largish packets without too much additional work. - -# Set up defaults, unless the user has already specified these. Note that -# these variables are *not* redef'able, since they are used in initializations -# later in this script (so a redef wouldn't be "seen" in time). -@ifndef ( number_of_regions ) - const number_of_regions = 4; -@endif -@ifndef ( region_size ) - const region_size = 16 * 1024; # 16 KB -@endif - - -# Track the regions visited for each flow. -type t_info: record { - last_region: count; # last region visited - num_regions: count; # number of regions visited - num_inconsistent: count; # num. 
inconsistent region crossings -}; - -# The state expiration for this table needs to be generous, as it's -# for tracking very large flows, which could be quite long-lived. -global flow_region_info: table[conn_id] of t_info &write_expire = 6 hr; - - -# Returns the integer logarithm in base b. -function logarithm(base: count, x: count): count - { - if ( x < base ) - return 0; - else - return 1 + logarithm(base, x / base); - } - - -# Function used to get around Bro's lack of real ordered loop. -function do_while(i: count, max: count, total: count, - f: function(i: count, total: count): count): count - { - if ( i >= max ) - return total; - else - return do_while(++i, max, f(--i, total), f); - } - -function fn_mask_location(i: count, total: count): count - { - return total * 2 + 1; - } - -function fn_filter_location(i: count, total: count): count - { - # The location pattern is 1010101010... - return total * 2 + (i % 2 == 0 ? 1 : 0); - } - -function fn_common_region_size(i: count, total: count): count - { - return total * 2; - } - - -function get_interregion_distance(number_of_regions: count, - region_size: count): count - { - local bits_number_of_regions = logarithm(2, number_of_regions); - local bits_other = int_to_count(32 - bits_number_of_regions); - - return do_while(0, bits_other, 1, fn_common_region_size); - } - - -global interregion_distance = - get_interregion_distance(number_of_regions, region_size); - - -# Returns an estiamte of size of the flow (one direction of a TCP connection) -# that this script has seen. This is based on the number of consecutive -# regions a flow has visited, weighted with the distance between regions. -# -# We know that the full sequence number space accounts for 4GB. This -# space comprises number_of_regions regions, separated from each other -# a (4GB / number_of_regions) distance. If a flow has been seen -# in X consecutive regions, it means that the size of the flow is -# greater than ((X - 1) * distance_between_regions) GB. 
-# -# Note that seeing a flow in just one region is no different from -# not seeing it at all. -function estimate_flow_size_and_remove(cid: conn_id, orig: bool): flow_size_est - { - local id = orig ? cid : - [$orig_h = cid$resp_h, $orig_p = cid$resp_p, - $resp_h = cid$orig_h, $resp_p = cid$orig_p]; - - if ( id !in flow_region_info ) - return [$have_est = F]; - - local regions_crossed = - int_to_count(flow_region_info[id]$num_regions - 1); - - local lower = regions_crossed * interregion_distance * 1.0; - local upper = lower + interregion_distance * 2.0; - local num_inconsis = flow_region_info[id]$num_inconsistent; - - delete flow_region_info[id]; - - return [$have_est = T, $lower = lower, $upper = upper, - $num_inconsistent = num_inconsis]; - } - - -# Returns a tcpdump filter corresponding to the number of regions and -# region size requested by the user. -# -# How to calculate the tcpdump filter used to hook packet_event to the -# secondary filter system? We are interested only in TCP packets whose -# seq number belongs to any of the test slices. Let's focus on the case -# of 4 regions, 16KB per region. -# -# The mask should be: [ x x L L L ... L L L x x ... x ] -# <---><---------------><---------> -# | | | -# | | +-> suffix: region size -# | +-> location: remaining bits -# +-> prefix: number of equidistant regions -# -# The 32-bit seq number is masked as follows: -# -# - suffix: defines size of the regions (16KB implies log_2(16KB) = 14 bits) -# -# - location: defines the exact location of the 4 regions. 
Note that, to -# minimize the amount of data we keep, the location will be distinct from -# zero, so segments with seq == 0 are not in a valid region -# -# - prefix: defines number of regions (4 implies log_2(4) = 2 bits) -# -# E.g., the mask will be seq_number & 0011...1100..00_2 = 00LL..LL00..00_2, -# which, by setting the location to 1010101010101010, will finally be -# seq_number & 0011...1100..00_2 = 00101010101010101000..00_2, i.e., -# seq_number & 0x3fffc000 = 0x2aaa8000. -# -# For that particular parameterization, we'd like to wind up with a -# packet event filter of "(tcp[4:4] & 0x3fffc000) == 0x2aaa8000". - -function get_event_filter(number_of_regions: count, region_size: count): string - { - local bits_number_of_regions = logarithm(2, number_of_regions); - local bits_region_size = logarithm(2, region_size); - local bits_remaining = - int_to_count(32 - bits_number_of_regions - bits_region_size); - - # Set the bits corresponding to the location: - # i = 0; - # while ( i < bits_remaining ) - # { - # mask = (mask * 2) + 1; - # filter = (filter * 2) + (((i % 2) == 0) ? 1 : 0); - # ++i; - # } - local mask = do_while(0, bits_remaining, 0, fn_mask_location); - local filter = do_while(0, bits_remaining, 0, fn_filter_location); - - # Set the bits corrsponding to the region size - # i = 0; - # while ( i < bits_region_size ) - # { - # mask = mask * 2; - # filter = filter * 2; - # ++i; - # } - mask = do_while(0, bits_region_size, mask, fn_common_region_size); - filter = do_while(0, bits_region_size, filter, fn_common_region_size); - - return fmt("(tcp[4:4] & 0x%x) == 0x%x", mask, filter); - } - - -# packet_event -- -# -# This event is raised once per (TCP) packet falling into any of the regions. -# It updates the flow_region_info table. -event packet_event(filter: string, pkt: pkt_hdr) - { - # Distill the region from the seq number. - local region = pkt$tcp$seq / interregion_distance; - - # Get packet info and update global counters. 
- local cid = [$orig_h = pkt$ip$src, $orig_p = pkt$tcp$sport,
- $resp_h = pkt$ip$dst, $resp_p = pkt$tcp$dport];
-
- if ( cid !in flow_region_info )
- {
- flow_region_info[cid] =
- [$last_region = region, $num_regions = 1,
- $num_inconsistent = 0];
- return;
- }
-
- local info = flow_region_info[cid];
- local next_region = (info$last_region + 1) % number_of_regions;
-
- if ( region == next_region )
- { # flow seen in the next region
- info$last_region = region;
- ++info$num_regions;
- }
-
- else if ( region == info$last_region )
- { # flow seen in the same region, ignore
- }
- else
- {
- # Flow seen in another region (not the next one).
- info$last_region = region;
- info$num_regions = 1; # restart accounting
- ++info$num_inconsistent;
- }
- }
-
-
-# Glue the filter into the secondary filter hookup.
-global packet_event_filter = get_event_filter(number_of_regions, region_size);
-redef secondary_filters += { [packet_event_filter] = packet_event };
diff --git a/policy.old/listen-clear.bro b/policy.old/listen-clear.bro
deleted file mode 100644
index 0922bc053e..0000000000
--- a/policy.old/listen-clear.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-clear.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Listen for other Bros (non-SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_clear = Remote::default_port_clear &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_clear = 0.0.0.0 &redef;
-
-event bro_init()
- {
- listen(listen_if_clear, listen_port_clear, F);
- }
diff --git a/policy.old/listen-ssl.bro b/policy.old/listen-ssl.bro
deleted file mode 100644
index fdf22a8e30..0000000000
--- a/policy.old/listen-ssl.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-ssl.bro 1015 2005-01-31 13:46:50Z kreibich $
-#
-# Listen for other Bros (SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_ssl = Remote::default_port_ssl &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_ssl = 0.0.0.0 &redef;
-
-event bro_init()
- {
- listen(listen_if_ssl, listen_port_ssl, T);
- }
diff --git a/policy.old/load-level.bro b/policy.old/load-level.bro
deleted file mode 100644
index b8f9730bde..0000000000
--- a/policy.old/load-level.bro
+++ /dev/null
@@ -1,194 +0,0 @@
-# $Id: load-level.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Support for shedding/reinstating load.
-
-@load notice
-
-# If no load_level is given, a filter is always activated.
-#
-# If a level is given for a filter (using the same ID than in
-# {capture,restrict}_filter), then:
-#
-# - a capture_filter is activated if current load_level is <=
-# - a restrict_filter is activated if current load_level is >=
-
-global capture_load_levels: table[string] of PcapFilterID &redef;
-global restrict_load_levels: table[string] of PcapFilterID &redef;
-
-redef enum PcapFilterID += {
- LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
- LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10,
-};
-
-const Levels = {
- LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
- LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10
-};
-
-# The load-level cannot not leave this interval.
-const MinLoad = LoadLevel1;
-const MaxLoad = LoadLevel10;
-
-# The initial load-level.
-global default_load_level = LoadLevel10 &redef;
-
-# Set to 0 to turn off any changes of the filter.
-global can_adjust_filter = T &redef;
-
-global current_load_level = DefaultPcapFilter;
-
-global ll_file = open_log_file("load-level");
-
-# Interface functions for switching load levels.
-
-function set_load_level(level: PcapFilterID): bool
- {
- if ( level == current_load_level )
- return T;
-
- if ( ! can_adjust_filter )
- {
- print ll_file, fmt("%.6f can't set %s (load-levels are turned off)", network_time(), level);
- return F;
- }
-
- if ( ! install_pcap_filter(level) )
- {
- print ll_file, fmt("%.6f can't set %s (install failed)", network_time(), level);
-
- # Don't try again.
- can_adjust_filter = F;
- return F;
- }
-
- current_load_level = level;
-
- print ll_file, fmt("%.6f switched to %s", network_time(), level);
-
- return T;
- }
-
-# Too bad that we can't use enums like integers...
-const IncreaseLoadLevelTab = {
- [LoadLevel1] = LoadLevel2,
- [LoadLevel2] = LoadLevel3,
- [LoadLevel3] = LoadLevel4,
- [LoadLevel4] = LoadLevel5,
- [LoadLevel5] = LoadLevel6,
- [LoadLevel6] = LoadLevel7,
- [LoadLevel7] = LoadLevel8,
- [LoadLevel8] = LoadLevel9,
- [LoadLevel9] = LoadLevel10,
- [LoadLevel10] = LoadLevel10,
-};
-
-const DecreaseLoadLevelTab = {
- [LoadLevel1] = LoadLevel1,
- [LoadLevel2] = LoadLevel1,
- [LoadLevel3] = LoadLevel2,
- [LoadLevel4] = LoadLevel3,
- [LoadLevel5] = LoadLevel4,
- [LoadLevel6] = LoadLevel5,
- [LoadLevel7] = LoadLevel6,
- [LoadLevel8] = LoadLevel7,
- [LoadLevel9] = LoadLevel8,
- [LoadLevel10] = LoadLevel9,
-};
-
-const LoadLevelToInt = {
- [DefaultPcapFilter] = 0,
- [LoadLevel1] = 1,
- [LoadLevel2] = 2,
- [LoadLevel3] = 3,
- [LoadLevel4] = 4,
- [LoadLevel5] = 5,
- [LoadLevel6] = 6,
- [LoadLevel7] = 7,
- [LoadLevel8] = 8,
- [LoadLevel9] = 9,
- [LoadLevel10] = 10,
-};
-
-function increase_load_level()
- {
- set_load_level(IncreaseLoadLevelTab[current_load_level]);
- }
-
-function decrease_load_level()
- {
- set_load_level(DecreaseLoadLevelTab[current_load_level]);
- }
-
-
-# Internal functions.
-
-function load_level_error()
- {
- print ll_file, fmt("%.6f Error, switching back to DefaultPcapFilter",
- network_time());
-
- install_default_pcap_filter();
-
- # Don't try changing the load level any more.
- can_adjust_filter = F;
- }
-
-function build_load_level_filter(level: PcapFilterID): string
- {
- # Build up capture_filter.
- local cfilter = "";
-
- for ( id in capture_filters )
- {
- if ( id !in capture_load_levels ||
- LoadLevelToInt[level] <= LoadLevelToInt[capture_load_levels[id]] )
- cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
- }
-
- # Build up restrict_filter.
- local rfilter = "";
- for ( id in restrict_filters )
- {
- if ( id !in restrict_load_levels ||
- LoadLevelToInt[level] >= LoadLevelToInt[restrict_load_levels[id]] )
- rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
- }
-
- return join_filters(cfilter, rfilter);
- }
-
-function precompile_load_level_filters(): bool
- {
- print ll_file, fmt("%.6f <<< Begin of precompilation", network_time() );
-
- for ( i in Levels )
- {
- local filter = build_load_level_filter(i);
-
- if ( ! precompile_pcap_filter(i, filter) )
- {
- print ll_file, fmt("%.6f Level %d: %s",
- network_time(), LoadLevelToInt[i], pcap_error());
- load_level_error();
- return F;
- }
-
- print ll_file, fmt("%.6f Level %2d: %s", network_time(), LoadLevelToInt[i], filter);
- }
-
- print ll_file, fmt("%.6f >>> End of precompilation", network_time() );
-
- return T;
- }
-
-
-event bro_init()
- {
- set_buf(ll_file, F);
- precompile_load_level_filters();
- set_load_level(default_load_level);
-
- # Don't adjust the filter when reading a trace.
- if ( ! reading_live_traffic() )
- can_adjust_filter = F;
- }
diff --git a/policy.old/load-sample.bro b/policy.old/load-sample.bro
deleted file mode 100644
index 16b26580ab..0000000000
--- a/policy.old/load-sample.bro
+++ /dev/null
@@ -1,43 +0,0 @@
-# $Id: load-sample.bro 1758 2005-11-22 00:58:10Z vern $
-
-# A simple form of profiling based on sampling the work done per-packet.
-# load_sample() is generated every load_sample_freq packets (roughly;
-# it's randomized). For each sampled packet, "samples" contains a set
-# of the functions, event handlers, and their source files that were accessed
-# during the processing of that packet, along with an estimate of the
-# CPU cost of processing the packet and (currently broken) memory allocated/
-# freed.
-
-global sampled_count: table[string] of count &default = 0;
-global sampled_CPU: table[string] of interval &default = 0 sec;
-global sampled_mem: table[string] of int &default = +0;
-
-global num_samples = 0;
-global total_sampled_CPU = 0 sec;
-global total_sampled_mem = +0;
-
-event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
- {
- ++num_samples;
- total_sampled_CPU += CPU;
- total_sampled_mem += dmem;
-
- if ( |samples| == 0 )
- add samples[""];
-
- for ( i in samples )
- {
- ++sampled_count[i];
- sampled_CPU[i] += CPU;
- sampled_mem[i] += dmem;
- }
- }
-
-event bro_done()
- {
- for ( i in sampled_CPU )
- print fmt("%s: %d%% pkts, %.1f%% CPU",
- i, sampled_count[i] * 100 / num_samples,
- sampled_CPU[i] * 100 / total_sampled_CPU);
- # sampled_mem[i] / total_sampled_mem;
- }
diff --git a/policy.old/log-append.bro b/policy.old/log-append.bro
deleted file mode 100644
index 440b78a894..0000000000
--- a/policy.old/log-append.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: log-append.bro 2797 2006-04-23 05:56:24Z vern $
-
-# By default, logs are overwritten when opened, deleting the contents
-# of any existing log of the same name. Loading this module changes the
-# behavior to appending.
-
-function open_log_file(tag: string): file
- {
- return open_for_append(log_file_name(tag));
- }
diff --git a/policy.old/login.bro b/policy.old/login.bro
deleted file mode 100644
index 9d45249bb1..0000000000
--- a/policy.old/login.bro
+++ /dev/null
@@ -1,677 +0,0 @@ -# $Id: login.bro 6481 2008-12-15 00:47:57Z vern $ - -@load notice -@load weird -@load hot-ids -@load conn -# scan.bro is needed for "account_tried" event. -@load scan -@load demux -@load terminate-connection - -module Login; - -global telnet_ports = { 23/tcp } &redef; -redef dpd_config += { [ANALYZER_TELNET] = [$ports = telnet_ports] }; - -global rlogin_ports = { 513/tcp } &redef; -redef dpd_config += { [ANALYZER_RLOGIN] = [$ports = rlogin_ports] }; - -export { - redef enum Notice += { - SensitiveLogin, # interactive login using sensitive username - - # Interactive login seen using forbidden username, but the analyzer - # was confused in following the login dialog, so may be in error. - LoginForbiddenButConfused, - - # During a login dialog, a sensitive username (e.g., "rewt") was - # seen in the user's *password*. This is reported as a notice - # because it could be that the login analyzer didn't track the - # authentication dialog correctly, and in fact what it thinks is - # the user's password is instead the user's username. - SensitiveUsernameInPassword, - }; - - # If these patterns appear anywhere in the user's keystrokes, do a notice. 
- const input_trouble = - /rewt/ - | /eggdrop/ - | /\/bin\/eject/ - | /oir##t/ - | /ereeto/ - | /(shell|xploit)_?code/ - | /execshell/ - | /ff\.core/ - | /unset[ \t]+(histfile|history|HISTFILE|HISTORY)/ - | /neet\.tar/ - | /r0kk0/ - | /su[ \t]+(daemon|news|adm)/ - | /\.\/clean/ - | /rm[ \t]+-rf[ \t]+secure/ - | /cd[ \t]+\/dev\/[a-zA-Z]{3}/ - | /solsparc_lpset/ - | /\.\/[a-z]+[ \t]+passwd/ - | /\.\/bnc/ - | /bnc\.conf/ - | /\"\/bin\/ksh\"/ - | /LAST STAGE OF DELIRIUM/ - | /SNMPXDMID_PROG/ - | /snmpXdmid for solaris/ - | /\"\/bin\/uname/ - | /gcc[ \t]+1\.c/ - | />\/etc\/passwd/ - | /lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc)/ - | /gcc.*\/bin\/login/ - | /#define NOP.*0x/ - | /printf\(\"overflowing/ - | /exec[a-z]*\(\"\/usr\/openwin/ - | /perl[ \t]+.*x.*[0-9][0-9][0-9][0-9]/ - | /ping.*-s.*%d/ - &redef; - - # If this pattern appears anywhere in the user's input after applying - # / editing, do a notice ... - const edited_input_trouble = - /[ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t]))/ - &redef; - - # ... *unless* the corresponding output matches this: - const output_indicates_input_not_trouble = /No such file or directory/ &redef; - - # NOTICE on these, but only after waiting for the corresponding output, - # so it can be displayed at the same time. - const input_wait_for_output = edited_input_trouble &redef; - - # If the user's entire input matches this pattern, do a notice. Putting - # "loadmodule" here rather than in input_trouble is just to illustrate - # the idea, it could go in either. - const full_input_trouble = /.*loadmodule.*/ &redef; - - # If the following appears anywhere in the user's output, do a notice. 
- const output_trouble = - /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/ - | /Jumping to address/ - | /Jumping Address/ - | /smashdu\.c/ - | /PATH_UTMP/ - | /Log started at =/ - | /www\.anticode\.com/ - | /www\.uberhax0r\.net/ - | /smurf\.c by TFreak/ - | /Super Linux Xploit/ - | /^# \[root@/ - | /^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh)/ - | /invisibleX/ - | /PATH_(UTMP|WTMP|LASTLOG)/ - | /[0-9]{5,} bytes from/ - | /(PATH|STAT):\ .*=>/ - | /----- \[(FIN|RST|DATA LIMIT|Timed Out)\]/ - | /IDLE TIMEOUT/ - | /DATA LIMIT/ - | /-- TCP\/IP LOG --/ - | /STAT: (FIN|TIMED_OUT) / - | /(shell|xploit)_code/ - | /execshell/ - | /x86_bsd_compaexec/ - | /\\xbf\\xee\\xee\\xee\\x08\\xb8/ # from x.c worm - | /Coded by James Seter/ - | /Irc Proxy v/ - | /Daemon port\.\.\.\./ - | /BOT_VERSION/ - | /NICKCRYPT/ - | /\/etc\/\.core/ - | /exec.*\/bin\/newgrp/ - | /deadcafe/ - | /[ \/]snap\.sh/ - | /Secure atime,ctime,mtime/ - | /Can\'t fix checksum/ - | /Promisc Dectection/ - | /ADMsn0ofID/ - | /(cd \/; uname -a; pwd; id)/ - | /drw0rm/ - | /[Rr][Ee3][Ww][Tt][Ee3][Dd]/ - | /rpc\.sadmin/ - | /AbraxaS/ - | /\[target\]/ - | /ID_SENDSYN/ - | /ID_DISTROIT/ - | /by Mixter/ - | /rap(e?)ing.*using weapons/ - | /spsiod/ - | /[aA][dD][oO][rR][eE][bB][sS][dD]/ # rootkit - &redef; - - # Same, but must match entire output. 
- const full_output_trouble = /.*Trojaning in progress.*/ &redef; - - const backdoor_prompts = - /^[!-~]*( ?)[#%$] / - | /.*no job control/ - | /WinGate>/ - &redef; - - const non_backdoor_prompts = /^ *#.*#/ &redef; - const hot_terminal_types = /VT666|007/ &redef; - const hot_telnet_orig_ports = { 53982/tcp, } &redef; - const router_prompts: set[string] &redef; - const non_ASCII_hosts: set[addr] &redef; - const skip_logins_to = { non_ASCII_hosts, } &redef; - const always_hot_login_ids = { always_hot_ids } &redef; - const hot_login_ids = { hot_ids } &redef; - const rlogin_id_okay_if_no_password_exposed = { "root", } &redef; - - const BS = "\x08"; - const DEL = "\x7f"; - - global new_login_session: - function(c: connection, pid: peer_id, output_line: count); - global remove_login_session: function(c: connection, pid: peer_id); - global ext_set_login_state: - function(cid: conn_id, pid: peer_id, state: count); - global ext_get_login_state: - function(cid: conn_id, pid: peer_id): count; -} - -redef capture_filters += { ["login"] = "port telnet or tcp port 513" }; - -redef skip_authentication = { - "WELCOME TO THE BERKELEY PUBLIC LIBRARY", -}; - -redef direct_login_prompts = { "TERMINAL?", }; - -redef login_prompts = { - "Login:", "login:", "Name:", "Username:", "User:", "Member Name", - "User Access Verification", "Cisco Systems Console", - direct_login_prompts -}; - -redef login_non_failure_msgs = { - "Failures", "failures", # probably is " failures since last login" - "failure since last successful login", - "failures since last successful login", -}; - -redef login_non_failure_msgs = { - "Failures", "failures", # probably is " failures since last login" - "failure since last successful login", - "failures since last successful login", -} &redef; - -redef login_failure_msgs = { - "invalid", "Invalid", "incorrect", "Incorrect", "failure", "Failure", - # "Unable to authenticate", "unable to authenticate", - "User authorization failure", - "Login failed", - "INVALID", 
"Sorry.", "Sorry,", -}; - -redef login_success_msgs = { - "Last login", - "Last successful login", "Last successful login", - "checking for disk quotas", "unsuccessful login attempts", - "failure since last successful login", - "failures since last successful login", - router_prompts, -}; - -redef login_timeouts = { - "timeout", "timed out", "Timeout", "Timed out", - "Error reading command input", # VMS -}; - - -type check_info: record { - expanded_line: string; # line with all possible editing seqs - hot: bool; # whether any editing sequence was a hot user id - hot_id: string; # the ID considered hot - forbidden: bool; # same, but forbidden user id -}; - -type login_session_info: record { - user: string; - output_line: count; # number of lines seen - - # input string for which we want to match the output. - waiting_for_output: string; - waiting_for_output_line: count; # output line we want to match it to - state: count; # valid for external connections only -}; - -global login_sessions: table[peer_id, conn_id] of login_session_info; - - -# The next two functions are "external-to-the-event-engine", -# hence the ext_ prefix. They're used by the script to manage -# login state so that they can work with login sessions unknown -# to the event engine (such as those received from remote peers). 
- -function ext_get_login_state(cid: conn_id, pid: peer_id): count - { - if ( pid == PEER_ID_NONE ) - return get_login_state(cid); - - return login_sessions[pid, cid]$state; - } - -function ext_set_login_state(cid: conn_id, pid: peer_id, state: count) - { - if ( pid == PEER_ID_NONE ) - set_login_state(cid, state); - else - login_sessions[pid, cid]$state = state; - } - -function new_login_session(c: connection, pid: peer_id, output_line: count) - { - local s: login_session_info; - s$waiting_for_output = s$user = ""; - s$output_line = output_line; - s$state = LOGIN_STATE_AUTHENTICATE; - - login_sessions[pid, c$id] = s; - } - -function remove_login_session(c: connection, pid: peer_id) - { - delete login_sessions[pid, c$id]; - } - -function is_login_conn(c: connection): bool - { - return c$id$resp_p == telnet || c$id$resp_p == rlogin; - } - -function hot_login(c: connection, pid: peer_id, msg: string, tag: string) - { - if ( [pid, c$id] in login_sessions ) - NOTICE([$note=SensitiveLogin, $conn=c, - $user=login_sessions[pid, c$id]$user, $msg=msg]); - else - NOTICE([$note=SensitiveLogin, $conn=c, $msg=msg]); - - ++c$hot; - demux_conn(c$id, tag, "keys", service_name(c)); - } - -function is_hot_id(id: string, successful: bool, confused: bool): bool - { - return successful ? id in hot_login_ids : - (confused ? id in forbidden_ids : - id in always_hot_login_ids); - } - -function is_forbidden_id(id: string): bool - { - return id in forbidden_ids || id == forbidden_id_patterns; - } - -function edit_and_check_line(c: connection, pid: peer_id, line: string, - successful: bool): check_info - { - line = to_lower(line); - - local ctrl_H_edit = edit(line, BS); - local del_edit = edit(line, DEL); - - local confused = - (ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED); - local hot = is_hot_id(line, successful, confused); - local hot_id = hot ? 
line : ""; - local forbidden = is_forbidden_id(line); - - local eline = line; - - if ( ctrl_H_edit != line ) - { - eline = fmt("%s,%s", eline, ctrl_H_edit); - if ( ! hot && is_hot_id(ctrl_H_edit, successful, confused) ) - { - hot = T; - hot_id = ctrl_H_edit; - } - - forbidden = forbidden || is_forbidden_id(ctrl_H_edit); - } - - if ( del_edit != line ) - { - eline = fmt("%s,%s", eline, del_edit); - if ( ! hot && is_hot_id(del_edit, successful, confused) ) - { - hot = T; - hot_id = del_edit; - } - - forbidden = forbidden || is_forbidden_id(del_edit); - } - - local results: check_info; - results$expanded_line = eline; - results$hot = hot; - results$hot_id = hot_id; - results$forbidden = forbidden; - - return results; - } - -function edit_and_check_user(c: connection, pid: peer_id, user: string, - successful: bool, fmt_s: string): bool - { - local check = edit_and_check_line(c, pid, user, successful); - - if ( [pid, c$id] !in login_sessions ) - new_login_session(c, pid, 9999); - - login_sessions[pid, c$id]$user = check$expanded_line; - - c$addl = fmt(fmt_s, c$addl, check$expanded_line); - - if ( check$hot ) - { - ++c$hot; - demux_conn(c$id, check$hot_id, "keys", service_name(c)); - } - - if ( check$forbidden ) - { - if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED ) - NOTICE([$note=LoginForbiddenButConfused, $conn=c, - $user = user, - $msg=fmt("not terminating %s because confused about state", full_id_string(c))]); - else - TerminateConnection::terminate_connection(c); - } - - return c$hot > 0; - } - -function edit_and_check_password(c: connection, pid: peer_id, password: string) - { - local check = edit_and_check_line(c, pid, password, T); - if ( check$hot ) - { - ++c$hot; - NOTICE([$note=SensitiveUsernameInPassword, $conn=c, - $user=password, - $msg=fmt("%s password: \"%s\"", - id_string(c$id), check$expanded_line)]); - } - } - -event login_failure(c: connection, user: string, client_user: string, - password: string, line: string) - { - local pid = 
get_event_peer()$id; - - event account_tried(c, user, password); - edit_and_check_password(c, pid, password); - - if ( c$hot == 0 && password == "" && - ! edit_and_check_line(c, pid, user, F)$hot ) - # Don't both reporting it, this was clearly a half-hearted - # attempt and it's not a sensitive username. - return; - - local user_hot = edit_and_check_user(c, pid, user, F, "%sfail/%s "); - if ( client_user != "" && client_user != user && - edit_and_check_user(c, pid, client_user, F, "%s(%s) ") ) - user_hot = T; - - if ( user_hot || c$hot > 0 ) - NOTICE([$note=SensitiveLogin, $conn=c, - $user=user, $sub=client_user, - $msg=fmt("%s %s", id_string(c$id), c$addl)]); - } - -event login_success(c: connection, user: string, client_user: string, - password: string, line: string) - { - local pid = get_event_peer()$id; - - Hot::check_hot(c, Hot::APPL_ESTABLISHED); - event account_tried(c, user, password); - edit_and_check_password(c, pid, password); - - # Look for whether the user name is sensitive; but allow for - # some ids being okay if no password was exposed accessing them. 
- local user_hot = F; - if ( c$id$resp_p == rlogin && password == "" && - user in rlogin_id_okay_if_no_password_exposed ) - append_addl(c, fmt("\"%s\"", user)); - - else - user_hot = edit_and_check_user(c, pid, user, T, "%s\"%s\" "); - - if ( c$id$resp_p == rlogin && client_user in always_hot_login_ids ) - { - append_addl(c, fmt("(%s)", client_user)); - demux_conn(c$id, client_user, "keys", service_name(c)); - user_hot = T; - } - - if ( user_hot || c$hot > 0 ) - NOTICE([$note=SensitiveLogin, $conn=c, - $user=user, $sub=client_user, - $msg=fmt("%s %s", id_string(c$id), c$addl)]); - - # else if ( password == "" ) - # alarm fmt("%s %s ", id_string(c$id), c$addl); - -### use the following if no login_input_line/login_output_line -# else -# { -# set_record_packets(c$id, F); -# skip_further_processing(c$id); -# } - } - -event login_input_line(c: connection, line: string) - { - local pid = get_event_peer()$id; - local BS_line = edit(line, BS); - local DEL_line = edit(line, DEL); - if ( input_trouble in line || - ### need to merge input_trouble and edited_input_trouble here - ### ideally, match on input_trouble would tell whether we need - ### to invoke the edit functions, as an attribute of a .*(^H|DEL) - ### rule. - input_trouble in BS_line || input_trouble in DEL_line || - (edited_input_trouble in BS_line && - # If one is in but the other not, then the one that's not - # is presumably the correct edit, and the one that is, isn't - # in fact edited at all - edited_input_trouble in DEL_line) || - line == full_input_trouble ) - { - if ( [pid, c$id] !in login_sessions ) - new_login_session(c, pid, 9999); - - if ( edited_input_trouble in BS_line && - edited_input_trouble in DEL_line ) - { - login_sessions[pid, c$id]$waiting_for_output = line; - login_sessions[pid, c$id]$waiting_for_output_line = - # We don't want the *next* line, that's just - # the echo of this input. 
- login_sessions[pid, c$id]$output_line + 2; - } - - else if ( ++c$hot <= 2 ) - hot_login(c, pid, fmt("%s input \"%s\"", id_string(c$id), line), "trb"); - } - } - -event login_output_line(c: connection, line: string) - { - local pid = get_event_peer()$id; - if ( [pid, c$id] !in login_sessions ) - new_login_session(c, pid, 9999); - - local s = login_sessions[pid, c$id]; - - if ( line != "" && ++s$output_line == 1 ) - { - if ( byte_len(line) < 40 && - backdoor_prompts in line && non_backdoor_prompts !in line ) - hot_login(c, pid, fmt("%s possible backdoor \"%s\"", id_string(c$id), line), "trb"); - } - - if ( s$waiting_for_output != "" && - s$output_line >= s$waiting_for_output_line ) - { - if ( output_indicates_input_not_trouble !in line ) - hot_login(c, pid, - fmt("%s input \"%s\" yielded output \"%s\"", - id_string(c$id), - s$waiting_for_output, - line), - "trb"); - - s$waiting_for_output = ""; - } - - if ( byte_len(line) < 256 && - (output_trouble in line || line == full_output_trouble) && - ++c$hot <= 2 ) - hot_login(c, pid, fmt("%s output \"%s\"", id_string(c$id), line), "trb"); - } - -event login_confused(c: connection, msg: string, line: string) - { - Hot::check_hot(c, Hot::APPL_ESTABLISHED); - - append_addl(c, ""); - - event conn_weird_addl(msg, c, line); - - set_record_packets(c$id, T); - } - -event login_confused_text(c: connection, line: string) - { - local pid = get_event_peer()$id; - if ( c$hot == 0 && edit_and_check_line(c, pid, line, F)$hot ) - { - local ignore = - edit_and_check_user(c, pid, line, F, "%sconfused/%s "); - NOTICE([$note=SensitiveLogin, $conn=c, - $user=line, - $msg=fmt("%s %s", id_string(c$id), c$addl)]); - set_record_packets(c$id, T); - } - } - -event login_terminal(c: connection, terminal: string) - { - local pid = get_event_peer()$id; - if ( hot_terminal_types in terminal ) - hot_login(c, pid, - fmt("%s term %s", id_string(c$id), terminal), "trb"); - } - -event login_prompt(c: connection, prompt: string) - { - # Could check length >= 
6, per Solaris exploit ... - local pid = get_event_peer()$id; - hot_login(c, pid, - fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb"); - } - -event excessive_line(c: connection) - { - if ( is_login_conn(c) ) - { - local pid = get_event_peer()$id; - - if ( ! c$hot && c$id$resp_h in non_ASCII_hosts ) - { - ext_set_login_state(c$id, pid, LOGIN_STATE_SKIP); - set_record_packets(c$id, F); - } - else if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_AUTHENTICATE ) - { - event login_confused(c, "excessive_line", ""); - ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED); - } - } - } - -event inconsistent_option(c: connection) - { - print Weird::weird_file, fmt("%.6f %s inconsistent option", network_time(), id_string(c$id)); - } - -event bad_option(c: connection) - { - print Weird::weird_file, fmt("%.6f %s bad option", network_time(), id_string(c$id)); - } - -event bad_option_termination(c: connection) - { - print Weird::weird_file, fmt("%.6f %s bad option termination", network_time(), id_string(c$id)); - } - -event authentication_accepted(name: string, c: connection) - { - local addl_msg = fmt("auth/%s", name); - append_addl(c, addl_msg); - } - -event authentication_rejected(name: string, c: connection) - { - append_addl(c, fmt("auth-failed/%s", name)); - } - -event authentication_skipped(c: connection) - { - append_addl(c, "(skipped)"); - skip_further_processing(c$id); - - if ( ! 
c$hot ) - set_record_packets(c$id, F); - } - -event connection_established(c: connection) - { - if ( is_login_conn(c) ) - { - local pid = get_event_peer()$id; - - new_login_session(c, pid, 0); - - if ( c$id$resp_h in skip_logins_to ) - event authentication_skipped(c); - - if ( c$id$resp_p == telnet && - c$id$orig_p in hot_telnet_orig_ports ) - hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig"); - } - } - -event partial_connection(c: connection) - { - if ( is_login_conn(c) ) - { - local pid = get_event_peer()$id; - new_login_session(c, pid, 9999); - ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED); - - if ( c$id$resp_p == telnet && - c$id$orig_p in hot_telnet_orig_ports ) - hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig"); - } - } - -event connection_finished(c: connection) - { - local pid = get_event_peer()$id; - remove_login_session(c, pid); - } - -event activating_encryption(c: connection) - { - if ( is_login_conn(c) ) - append_addl(c, "(encrypted)"); - } diff --git a/policy.old/mime-pop.bro b/policy.old/mime-pop.bro deleted file mode 100644 index eed2565036..0000000000 --- a/policy.old/mime-pop.bro +++ /dev/null 
@@ -1,180 +0,0 @@
-# $Id: mime-pop.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# A stripped-down version of mime.bro adapted to work on POP3 events.
-#
-# FIXME: What's the best way to merge mime.bro and mime-pop3.bro?
-
-@load pop3
-
-module MIME_POP3;
-
-const mime_log = open_log_file("mime-pop") &redef;
-
-type mime_session_info: record {
- id: count;
- connection_id: conn_id;
- level: count;
- data_offset: count;
-};
-
-global mime_session_id = 0;
-global mime_sessions: table[conn_id] of mime_session_info;
-
-function mime_session_string(session: mime_session_info): string
- {
- return fmt("#%s %s +%d", prefixed_id(session$id),
- id_string(session$connection_id), session$level);
- }
-
-function mime_log_warning(what: string)
- {
- print mime_log, fmt("%.6f warning: %s", network_time(), what);
- }
-
-function mime_log_msg(session: mime_session_info, where: string, what: string)
- {
- print mime_log, fmt("%.6f %s: [%s] %s",
- network_time(),
- mime_session_string(session),
- where,
- what);
- }
-
-function new_mime_session(c: connection)
- {
- local id = c$id;
- local session_id = ++mime_session_id;
- local info: mime_session_info;
-
- info$id = session_id;
- info$connection_id = id;
- info$level = 0;
- info$data_offset = 0;
-
- mime_sessions[id] = info;
- mime_log_msg(info, "start", "");
- }
-
-function get_mime_session(c: connection, new_session_ok: bool): mime_session_info
- {
- local id = c$id;
-
- if ( id !in mime_sessions )
- {
- if ( !
new_session_ok )
- mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
-
- new_mime_session(c);
- }
-
- return mime_sessions[id];
- }
-
-function end_mime_session(session: mime_session_info)
- {
- mime_log_msg(session, "finish", "");
- delete mime_sessions[session$connection_id];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local id = c$id;
-
- if ( id in mime_sessions )
- {
- mime_log_msg(mime_sessions[id], "state remove", "");
- delete mime_sessions[id];
- }
- }
-
-function do_mime_begin_entity(c: connection)
- {
- local session = get_mime_session(c, T);
-
- ++session$level;
- session$data_offset = 0;
- mime_log_msg(session, "begin entity", "");
- }
-
-event mime_begin_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_begin_entity(c);
- }
-
-function do_mime_end_entity(c: connection)
- {
- local session = get_mime_session(c, T);
-
- mime_log_msg(session, "end entity", "");
-
- if ( session$level > 0 )
- {
- --session$level;
- if ( session$level == 0 )
- end_mime_session(session);
- }
- else
- mime_log_warning(fmt("unmatched end_entity for MIME session %s",
- mime_session_string(session)));
- }
-
-event mime_end_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_end_entity(c);
- }
-
-event mime_next_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_end_entity(c);
- do_mime_begin_entity(c);
- }
-
-event mime_all_headers(c: connection, hlist: mime_header_list)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
- local i = 0;
-
- for ( i in hlist )
- {
- local h = hlist[i];
- mime_log_msg(session, "header",
- fmt("%s: \"%s\"", h$name, h$value));
- }
- }
-
-event mime_segment_data(c: connection, length: count, data: string)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
-
- if ( session$data_offset < 256 )
-
mime_log_msg(session, "data", fmt("%d: %s", length, data));
-
- session$data_offset = session$data_offset + length;
- }
-
-event mime_event(c: connection, event_type: string, detail: string)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
- mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
- }
diff --git a/policy.old/mt.bro b/policy.old/mt.bro
deleted file mode 100644
index 1a39bc1025..0000000000
--- a/policy.old/mt.bro
+++ /dev/null
@@ -1,15 +0,0 @@
-# $Id: mt.bro 340 2004-09-09 06:38:27Z vern $
-
-@load dns-lookup
-@load hot
-@load frag
-@load tcp
-@load scan
-@load weird
-@load finger
-@load ident
-@load ftp
-@load login
-@load portmapper
-@load ntp
-@load tftp
diff --git a/policy.old/ncp.bro b/policy.old/ncp.bro
deleted file mode 100644
index 53a798eec3..0000000000
--- a/policy.old/ncp.bro
+++ /dev/null
@@ -1,101 +0,0 @@
-# $Id:$
-
-@load conn-id
-
-module NCP;
-
-global ncp_log = open_log_file("ncp") &redef;
-
-redef capture_filters += {["ncp"] = "tcp port 524"};
-
-export {
-
-const ncp_frame_type_name = {
- [ 0x1111 ] = "NCP_ALLOC_SLOT",
- [ 0x2222 ] = "NCP_REQUEST",
- [ 0x3333 ] = "NCP_REPLY",
- [ 0x5555 ] = "NCP_DEALLOC_SLOT",
- [ 0x7777 ] = "NCP_BURST",
- [ 0x9999 ] = "NCP_ACK",
-} &default = function(code: count): string
- {
- return fmt("NCP_UNKNOWN_FRAME_TYPE(%x)", code);
- };
-
-const ncp_function_name = {
- [ 0x01 ] = "NCP_FILE_SET_LOCK",
- [ 0x02 ] = "NCP_FILE_RELEASE_LOCK",
- [ 0x03 ] = "NCP_LOG_FILE",
- [ 0x04 ] = "NCP_LOCK_FILE_SET",
- [ 0x05 ] = "NCP_RELEASE_FILE",
- [ 0x06 ] = "NCP_RELEASE_FILE_SET",
- [ 0x07 ] = "NCP_CLEAR_FILE",
- [ 0x08 ] = "NCP_CLEAR_FILE_SET",
- [ 0x09 ] = "NCP_LOG_LOGICAL_RECORD",
- [ 0x0a ] = "NCP_LOCK_LOGICAL_RECORD_SET",
- [ 0x0b ] = "NCP_CLEAR_LOGICAL_RECORD",
- [ 0x0c ] = "NCP_RELEASE_LOGICAL_RECORD",
- [ 0x0d ] = "NCP_RELEASE_LOGICAL_RECORD_SET",
- [ 0x0e ] = "NCP_CLEAR_LOGICAL_RECORD_SET",
- [ 0x0f ] = "NCP_ALLOC_RESOURCE",
- [ 0x10 ] = "NCP_DEALLOC_RESOURCE",
- [ 0x11 ] = "NCP_PRINT",
- [ 0x15 ] = "NCP_MESSAGE",
- [ 0x16 ] = "NCP_DIRECTORY",
- [ 0x17 ] = "NCP_BINDARY_AND_MISC",
- [ 0x18 ] = "NCP_END_OF_JOB",
- [ 0x19 ] = "NCP_LOGOUT",
- [ 0x1a ] = "NCP_LOG_PHYSICAL_RECORD",
- [ 0x1b ] = "NCP_LOCK_PHYSICAL_RECORD_SET",
- [ 0x1c ] = "NCP_RELEASE_PHYSICAL_RECORD",
- [ 0x1d ] = "NCP_RELEASE_PHYSICAL_RECORD_SET",
- [ 0x1e ] = "NCP_CLEAR_PHYSICAL_RECORD",
- [ 0x1f ] = "NCP_CLEAR_PHYSICAL_RECORD_SET",
- [ 0x20 ] = "NCP_SEMAPHORE",
- [ 0x22 ] = "NCP_TRANSACTION_TRACKING",
- [ 0x23 ] = "NCP_AFP",
- [ 0x42 ] = "NCP_CLOSE_FILE",
- [ 0x47 ] = "NCP_GET_FILE_SIZE",
- [ 0x48 ] = "NCP_READ_FILE",
- [ 0x49 ] = "NCP_WRITE_FILE",
- [ 0x56 ] = "NCP_EXT_ATTR",
- [ 0x57 ] = "NCP_FILE_DIR",
- [ 0x58 ] = "NCP_AUDITING",
- [ 0x5a ] = "NCP_MIGRATION",
- [ 0x60 ] = "NCP_PNW",
- [ 0x61 ] = "NCP_GET_MAX_PACKET_SIZE",
- [ 0x68 ] = "NCP_NDS",
- [
0x6f ] = "NCP_SEMAPHORE_NEW",
- [ 0x7b ] = "NCP_7B",
-
- [ 0x5701 ] = "NCP_CREATE_FILE_DIR",
- [ 0x5702 ] = "NCP_INIT_SEARCH",
- [ 0x5703 ] = "NCP_SEARCH_FILE_DIR",
- [ 0x5704 ] = "NCP_RENAME_FILE_DIR",
- [ 0x5706 ] = "NCP_OBTAIN_FILE_DIR_INFO",
- [ 0x5707 ] = "NCP_MODIFY_FILE_DIR_DOS_INFO",
- [ 0x5708 ] = "NCP_DELETE_FILE_DIR",
- [ 0x5709 ] = "NCP_SET_SHORT_DIR_HANDLE",
- [ 0x5714 ] = "NCP_SEARCH_FOR_FILE_DIR_SET",
- [ 0x5718 ] = "NCP_GET_NAME_SPACE_LOADED_LIST",
- [ 0x5742 ] = "NCP_GET_CURRENT_SIZE_OF_FILE",
-
-} &default = function(code: count): string
- {
- return fmt("NCP_UNKNOWN_FUNCTION(%x)", code);
- };
-
-} # export
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- print ncp_log, fmt("%.6f %s NCP request type=%s function=%s",
- network_time(), id_string(c$id),
- ncp_frame_type_name[frame_type],
- ncp_function_name[func]);
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count,
- req_frame: count, req_func: count, completion_code: count)
- {
- }
diff --git a/policy.old/netflow.bro b/policy.old/netflow.bro
deleted file mode 100644
index 4fb1ac0fd0..0000000000
--- a/policy.old/netflow.bro
+++ /dev/null
@@ -1,106 +0,0 @@
-# $Id:$
-#
-# Netflow data-dumper and proof-of-concept flow restitcher.
-# Written by Bernhard Ager (2007).
-
-module NetFlow;
-
-export {
- # Perform flow restitching?
- global netflow_restitch = T &redef;
-
- # How long to wait for additional flow records after a RST or FIN,
- # so we can compress multiple RST/FINs for the same flow rather than
- # treating them as separate flows. It's not clear what's the best
- # setting for this timer, but for now we use something larger
- # than the NetFlow inactivity timeout (5 minutes).
- global netflow_finished_conn_expire = 310 sec &redef;
-}
-
-global netflow_log = open_log_file("netflow") &redef;
-
-# Should be larger than activity timeout. Setting only affects table
-# declaration, therefore &redef useless.
-const netflow_table_expire = 31 min;
-
-type flow: record {
- cnt: count;
- pkts: count;
- octets: count;
- syn: bool;
- fin: bool;
- first: time;
- last: time;
-};
-
-function new_flow(r: nf_v5_record): flow
- {
- return [ $cnt = 1,
- $pkts = r$pkts,
- $octets = r$octets,
- $syn = r$tcpflag_syn,
- $fin = r$tcpflag_fin,
- $first = r$first,
- $last = r$last ];
- }
-
-function update_flow(f: flow, r: nf_v5_record)
- {
- f$pkts += r$pkts;
- f$octets += r$octets;
- ++f$cnt;
- f$syn = f$syn || r$tcpflag_syn;
- f$fin = f$fin || r$tcpflag_fin;
-
- if ( r$first < f$first )
- f$first = r$first;
- if ( r$last > f$last )
- f$last = r$last;
- }
-
-function print_flow(t: table[conn_id] of flow, idx: conn_id): interval
- {
- print netflow_log, fmt("%.6f flow %s: %s", network_time(), idx, t[idx]);
- return -1 sec;
- }
-
-event v5flow_finished(t: table[conn_id] of flow, idx: conn_id)
- {
- if ( idx in t )
- {
- print_flow(t, idx);
- delete t[idx];
- }
- }
-
-global flows: table[conn_id] of flow &write_expire = netflow_table_expire
- &expire_func = print_flow;
-
-event netflow_v5_header(h: nf_v5_header)
- {
- print netflow_log, fmt("%.6f header %s", network_time(), h);
- }
-
-event netflow_v5_record (r:
nf_v5_record) - { - if ( netflow_restitch ) - { - if ( r$id in flows ) - update_flow (flows[r$id], r); - else - flows[r$id] = new_flow (r); - - if ( r$tcpflag_fin || r$tcpflag_rst ) - schedule netflow_finished_conn_expire { - v5flow_finished (flows, r$id) - }; - } - - print netflow_log, fmt("%.6f record %s", network_time(), r); - } - -event bro_done () - { - for ( f_id in flows ) - print_flow(flows, f_id); - } diff --git a/policy.old/netstats.bro b/policy.old/netstats.bro deleted file mode 100644 index 606513bcd9..0000000000 --- a/policy.old/netstats.bro +++ /dev/null @@ -1,32 +0,0 @@ -# $Id: netstats.bro 564 2004-10-23 02:27:57Z vern $ - -@load notice - -redef enum Notice += { - DroppedPackets, # Bro reported packets dropped by the packet filter -}; - -const stats_collection_interval = 10secs; - -event net_stats_update(last_stat: NetStats) - { - local ns = net_stats(); - local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped; - if ( new_dropped > 0 ) - { - local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd; - local new_link = ns$pkts_link - last_stat$pkts_link; - NOTICE([$note=DroppedPackets, - $msg=fmt("%d packets dropped after filtering, %d received%s", - new_dropped, new_recvd + new_dropped, - new_link != 0 ? - fmt(", %d on link", new_link) : "")]); - } - - schedule stats_collection_interval { net_stats_update(ns) }; - } - -event bro_init() - { - schedule stats_collection_interval { net_stats_update(net_stats()) }; - } \ No newline at end of file diff --git a/policy.old/nfs.bro b/policy.old/nfs.bro deleted file mode 100644 index 0d572b52c7..0000000000 --- a/policy.old/nfs.bro +++ /dev/null 
@@ -1,408 +0,0 @@ - -@load udp - - -module NFS3; - -export { - global log_file = open_log_file("nfs") &redef; - global names_log_file = open_log_file("nfs-files") &redef; - global readdir_log = open_log_file("nfs-readdir") &redef; - - # We want to estimate how long it takes to lookup a chain of FH (directories) - # until we reach a FH that is used in a read or write operation. Whenever we - # get a new FH, we check how long ago we got the FH's parent. If this is less - # than fh_chain_maxtime, we assume that they belong to a lookup chain and set - # the dt value for the FH accordingly. - global fh_chain_maxtime = 100 msec; -} - - -redef capture_filters += { - ["nfs"] = "port 2049", - # NFS UDP packets are often fragmented. - ["nfs-frag"] = "(ip[6:2] & 0x3fff != 0) and udp", -}; - -global nfs_ports = { 2049/tcp, 2049/udp } &redef; -redef dpd_config += { [ANALYZER_NFS] = [$ports = nfs_ports] }; - -# Information about a filehandle -type fh_info : record { - id: count; # A unique ID (counter) for more readable representation of the FH - pathname: string &default="@"; # the path leading to this FH - basename: string &default=""; # the name of this FHs file or directory - mimetype: string &default=""; - t0: time &default=double_to_time(0); # time when we first saw this FH - dt: interval &default=0 sec; # time it took to get this FH (assuming a chain of - # procedures that ultimately yield the FH for the file - # a client is interested in - chainlen: count &default=0; - attr: fattr_t &optional; -}; - -# Maps opaque file handles to numbers for easier tracking. -global num_fhs = 0; -global fh_map: table[addr,string] of fh_info; - -# Maps connids to number for easier post processing -global num_nfs_conns = 0; -global nfs_conns: table[conn_id] of count; - - -# Get the FH info. Create a new info if it doesn't exists -function get_fh_info(c: connection, fh: string): fh_info - { - if ( [c$id$resp_h, fh] !in fh_map ) - { - # Don't have a mapping for this FH yet. 
E.g., a root FH - local newfhinfo: fh_info = [ $id=++num_fhs ]; - newfhinfo$pathname = fmt("@%d", newfhinfo$id); - newfhinfo$t0 = network_time(); - fh_map[c$id$resp_h, fh] = newfhinfo; - } - return fh_map[c$id$resp_h, fh]; - } - -function log_filename(proc: string, info: fh_info) - { - print names_log_file, fmt("%.6f %s path FH%d %s/%s", network_time(), proc, - info$id, info$pathname, info$basename); - ##print fmt("%.6f FH%d <%s> <%s>", network_time(), info$id, info$pathname, info$basename); - } - -function fmt_attr(a: fattr_t): string - { - local s = fmt("%s %s %d %d %d %d %d %d %d %d %d %.2f %.2f %.2f", - a$ftype, mode2string(a$mode), a$nlink, a$uid, a$gid, a$size, a$used, a$rdev1, a$rdev2, - a$fsid, a$fileid, a$atime, a$mtime, a$ctime); - return s; - } - -function log_attributes(c: connection, proc: string, fh: string, attr: fattr_t) - { - local info = get_fh_info(c,fh); - local did_change = F; - # check whether the attributes have changes - if (info?$attr) - { - # We can't compare records for equality :-(. So we use a hack. - # We add the two instance we want to compare to a set. If there - # are two elements in the set, the records are not equal... - local dummy: set[fattr_t]; - add dummy[info$attr]; - add dummy[attr]; - if (|dummy| > 1) - did_change = T; - } - else - did_change=T; - if (did_change) - { - info$attr = attr; - print names_log_file, fmt("%.6f %s attr FH%d %s", network_time(), proc, - info$id, fmt_attr(attr)); - } - } - -# Update (or add) a filehandle mapping. -# parentfh ... parent (directory) -# name ....... the name for this FH -# fh ......... the new FH -function add_update_fh(c: connection, proc: string, parentfh: string, name: string, fh: string) - { - local info = get_fh_info(c, fh); - - # TODO: we could/should check if we already have a pathname and/or basename - # for this FH and if so whether it matches the parent we just got! 
- if (name == ".") - return; - info$basename = name; - if (parentfh != "") - { - local parentinfo = get_fh_info(c, parentfh); - info$pathname = cat(parentinfo$pathname, "/", parentinfo$basename); - if ( (network_time() - parentinfo$t0) < fh_chain_maxtime - && info$dt < 0 sec ) - { - # The FH is part of lookup chain and it doesn't yet have a dt value - # TODO: this should probably be moved to get_fh_info(). But then get_fh_info() - # would need information about a FH's parent.... - # TODO: We are using network_time(), but we really should use request - # and reply time!!! - info$dt = parentinfo$dt + (network_time() - parentinfo$t0); - info$chainlen = parentinfo$chainlen + 1; - } - } - log_filename(proc, info); - } - -function set_fh_mimetype(c: connection, fh: string, proc:string, data: string) - { - local info = get_fh_info(c,fh); - local mimetype = identify_data(data, T); - if (info$mimetype != mimetype) - { - info$mimetype = mimetype; - print names_log_file, fmt("%.6f %s type FH%d %s/%s %s", network_time(), proc, - info$id, info$pathname, info$basename, (mimetype!="") ? mimetype : "X/X"); - } - } - -# Get the total time of the lookup chain for this FH to the -# current network time. 
Returns a negative interal if no -# lookup chain was found -function get_fh_chaintime_str(c:connection, fh:string): string - { - local info = get_fh_info(c, fh); - if ((network_time() - info$t0) < fh_chain_maxtime) - return fmt("%d %.6f", info$chainlen, info$dt + (network_time() - info$t0)); - else - return fmt("%d %.6f", 0, 0.0); - } - -# Get a FH ID -function get_fh_id(c:connection, fh: string): string - { - return cat("FH", get_fh_info(c, fh)$id); - } - -# Get the basename for the FH -function get_fh_basename(c:connection, fh: string): string - { - return get_fh_info(c, fh)$basename; - } - -# Get the fullname for the FH -function get_fh_fullname(c:connection, fh: string): string - { - local info = get_fh_info(c, fh); - return cat(info$pathname, "/", info$basename); - } - -function print_attr(attr: fattr_t): string - { - return fmt("%s", attr); - } - -function map_conn(cid: conn_id): count - { - if (cid !in nfs_conns) - nfs_conns[cid] = ++num_nfs_conns; - return nfs_conns[cid]; - } - - -function is_success(info: info_t): bool - { - return (info$rpc_stat == RPC_SUCCESS && info$nfs_stat == NFS3ERR_OK); - } - -function is_rpc_success(info: info_t): bool - { - return (info$rpc_stat == RPC_SUCCESS); - } - -function nfs_get_log_prefix(c: connection, info: info_t, proc: string): string - { - local nfs_stat_str = (info$rpc_stat == RPC_SUCCESS) ? 
fmt("%s", info$nfs_stat) : "X"; - return fmt("%.06f %.06f %d %.06f %.06f %d %s %s %d %s %s %s", - info$req_start, info$req_dur, info$req_len, - info$rep_start, info$rep_dur, info$rep_len, - id_string(c$id), get_port_transport_proto(c$id$orig_p), - map_conn(c$id), - proc, info$rpc_stat, nfs_stat_str); - } - - -event nfs_proc_not_implemented(c: connection, info: info_t, proc: proc_t) - { - local prefix = nfs_get_log_prefix(c, info, fmt("%s", proc)); - - print log_file, fmt("%s Not_implemented", prefix); - } - -event nfs_proc_null(c: connection, info: info_t) - { - local prefix = nfs_get_log_prefix(c, info, "null"); - - print log_file, prefix; - } - -event nfs_proc_getattr (c: connection, info: info_t, fh: string, attrs: fattr_t) - { - local prefix = nfs_get_log_prefix(c, info, "getattr"); - - if (is_success(info)) - log_attributes(c, "getattr", fh, attrs); - - print log_file, fmt("%s %s", prefix, get_fh_id(c,fh)); - } - -event nfs_proc_lookup(c: connection, info: info_t, req: diropargs_t, rep: lookup_reply_t) - { - local prefix = nfs_get_log_prefix(c, info, "lookup"); - - if (! is_success(info) ) - { - print log_file, fmt("%s %s + %s", prefix, get_fh_id(c, req$dirfh), req$fname); - # could print dir_attr, if they are set .... - return; - } - if (rep?$dir_attr) - log_attributes(c, "lookup", req$dirfh, rep$dir_attr); - if (is_rpc_success(info) && rep?$obj_attr) - log_attributes(c, "lookup", rep$fh, rep$obj_attr); - add_update_fh(c, "lookup", req$dirfh, req$fname, rep$fh); - print log_file, fmt("%s %s + %s => %s", prefix, get_fh_id(c, req$dirfh), req$fname, get_fh_id(c, rep$fh)); - - } - -event nfs_proc_read(c: connection, info: info_t, req: readargs_t, rep: read_reply_t) - { - local msg = nfs_get_log_prefix(c, info, "read"); - - msg = fmt("%s %s @%d: %d", msg, get_fh_id(c, req$fh), req$offset, req$size); - if (is_success(info)) - { - msg = fmt("%s got %d bytes %s %s", msg, rep$size, (rep$eof) ? 
"" : "x", - get_fh_chaintime_str(c, req$fh)); - if (rep?$data && req$offset==0 && rep$size>0) - set_fh_mimetype(c, req$fh, "read", rep$data); - if (is_rpc_success(info) && rep?$attr) - log_attributes(c, "read", req$fh, rep$attr); - } - - print log_file, msg; - } - -event nfs_proc_readlink(c: connection, info: info_t, fh: string, rep: readlink_reply_t) - { - local msg = nfs_get_log_prefix(c, info, "readlink"); - - msg = fmt("%s %s", msg, get_fh_id(c, fh)); - if (is_success(info)) - { - msg = fmt("%s : %s", msg, rep$nfspath); - if (rep?$attr) - log_attributes(c, "readlink", fh, rep$attr); - } - - print log_file, msg; - } - -event nfs_proc_write(c: connection, info: info_t, req: writeargs_t, rep: write_reply_t) - { - local msg = nfs_get_log_prefix(c, info, "write"); - - msg = fmt("%s %s @%d: %d %s", msg, get_fh_id(c, req$fh), req$offset, req$size, req$stable); - if (is_success(info)) - { - msg = fmt("%s wrote %d bytes %s %s", msg, rep$size, rep$commited, - get_fh_chaintime_str(c, req$fh)); - if (req?$data && req$offset==0 && rep$size>0) - set_fh_mimetype(c, req$fh, "write", req$data); - if (rep?$postattr) - log_attributes(c, "write", req$fh, rep$postattr); - } - - print log_file, msg; - } - -function nfs_newobj(c: connection, info: info_t, proc: string, req: diropargs_t, rep: newobj_reply_t) - { - local prefix = nfs_get_log_prefix(c, info, proc); - local newfh_str: string; - if (! is_success(info) ) - { - print log_file, fmt("%s %s + %s", prefix, get_fh_id(c, req$dirfh), req$fname); - # could print dir_attr, if they are set .... - return; - } - if (is_rpc_success(info) && rep?$dir_post_attr) - log_attributes(c, proc, req$dirfh, rep$dir_post_attr); - # TODO: could print dir_pre_attr - if (is_rpc_success(info) && rep?$obj_attr) - log_attributes(c, proc, rep$fh, rep$obj_attr); - add_update_fh(c, proc, req$dirfh, req$fname, rep$fh); - - newfh_str = (rep?$fh) ? 
get_fh_id(c, rep$fh) : "FH??"; - print log_file, fmt("%s %s + %s => %s", prefix, get_fh_id(c, req$dirfh), req$fname, get_fh_id(c, rep$fh)); - } - -event nfs_proc_create(c: connection, info: info_t, req: diropargs_t, rep: newobj_reply_t) - { - # TODO: create request attributes not implemented in core - nfs_newobj(c, info, "create", req, rep); - } - -event nfs_proc_mkdir(c: connection, info: info_t, req: diropargs_t, rep: newobj_reply_t) - { - # TODO: mkidir request attributes not implemented in core - nfs_newobj(c, info, "mkdir", req, rep); - } - -function nfs_delobj(c: connection, info: info_t, proc: string, req: diropargs_t, rep: delobj_reply_t) - { - local prefix = nfs_get_log_prefix(c, info, proc); - print log_file, fmt("%s %s - %s", prefix, get_fh_id(c, req$dirfh), req$fname); - if (is_rpc_success(info) && rep?$dir_post_attr) - log_attributes(c, proc, req$dirfh, rep$dir_post_attr); - # TODO: could print dir_pre_attr - } - -event nfs_proc_remove(c: connection, info: info_t, req: diropargs_t, rep: delobj_reply_t) - { - nfs_delobj(c, info, "remove", req, rep); - } - -event nfs_proc_rmdir(c: connection, info: info_t, req: diropargs_t, rep: delobj_reply_t) - { - nfs_delobj(c, info, "rmdir", req, rep); - } - -function fmt_direntry(c: connection, e: direntry_t): string - { - local rv = ""; - rv = fmt("%d %s %d", e$fileid, e$fname, e$cookie); - if (e?$fh) - rv = fmt("%s %s", rv, get_fh_id(c, e$fh)); - return rv; - - } - -event nfs_proc_readdir(c: connection, info: info_t, req: readdirargs_t, rep: readdir_reply_t) - { - local isplus = req$isplus; - local proc = (isplus) ? 
"readdirplus" : "readdir"; - local msg = nfs_get_log_prefix(c, info, proc); - msg = fmt("%s %s @%d (%x)", msg, get_fh_id(c, req$dirfh), req$cookie, req$cookieverf); - if (is_success(info)) - { - msg = fmt("%s %d entries %d", msg, |rep$entries|, rep$eof); - print readdir_log, msg; - for (i in rep$entries) - { - local curentry = rep$entries[i]; - if (curentry?$attr && curentry?$fh) - log_attributes(c, proc, curentry$fh, curentry$attr); - if (curentry?$fh) - add_update_fh(c, proc, req$dirfh, curentry$fname, curentry$fh); - print readdir_log,fmt(" %s", fmt_direntry(c, curentry)); - } - if (rep?$dir_attr) - log_attributes(c, proc, req$dirfh, rep$dir_attr); - } - else if (is_rpc_success(info) && rep?$dir_attr) - { - log_attributes(c, proc, req$dirfh, rep$dir_attr); - } - print log_file, msg; - } - -event connection_state_remove(c: connection) - { - if ( c$id !in nfs_conns ) - return; - delete nfs_conns[c$id]; - } diff --git a/policy.old/notice-policy.bro b/policy.old/notice-policy.bro deleted file mode 100644 index 78d26c26ed..0000000000 --- a/policy.old/notice-policy.bro +++ /dev/null 
@@ -1,72 +0,0 @@
-# $Id: notice-policy.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Examples of using notice_policy and other mechanisms to filter out
-# alarms that are not interesting.
-
-# Note: this file is not self-contained, in that it refers to Notice
-# names that will only be defined if you've loaded other files (e.g.,
-# print-resources for the ResourceSummary notice). The full list of
-# policy files it needs is:
-#
-# blaster.bro
-# conn.bro
-# http-request.bro
-# netstats.bro
-# print-resources.bro
-# trw.bro
-# weird.bro
-
-
-# Remove these notices from logging since they can be too noisy.
-redef notice_action_filters += {
- [[Weird::ContentGap, Weird::AckAboveHole]] = ignore_notice,
-};
-
-# Send these only to the notice log, not the alarm log.
-redef notice_action_filters += {
- [[Drop::AddressDropIgnored, DroppedPackets,
- ResourceSummary, W32B_SourceRemote,
- TRW::TRWScanSummary, Scan::BackscatterSeen,
- Weird::WeirdActivity,
- Weird::RetransmissionInconsistency]] = file_notice,
-};
-
-# Other example use of notice_action_filters:
-#
-# To just get a summary Notice when Bro is shutdown/checkpointed, use
-# tally_notice_type, such as:
-#redef notice_action_filters += {
-# [[RetransmissionInconsistency, ContentGap, AckAboveHole]] =
-# tally_notice_type,
-#};
-
-# To get a summary once every hour per originator, use notice_alarm_per_orig,
-# such as:
-#redef notice_action_filters += {
-# [[ BackscatterSeen, RetransmissionInconsistency]] =
-# notice_alarm_per_orig,
-#};
-
-
-# Fine-grained filtering of specific alarms.
-redef notice_policy += {
-
- # Connections to 2766/tcp ("Solaris listen service") appear
- # nearly always actually due to P2P apps.
- [$pred(n: notice_info) =
- {
- return n$note == SensitiveConnection &&
- /Solaris listen service/ in n$msg;
- },
- $result = NOTICE_FILE,
- $priority = 1],
-
- # Ignore sensitive URLs that end in .gif, .jpg, .png
- [$pred(n: notice_info) =
- {
- return n$note == HTTP::HTTP_SensitiveURI &&
- n$URL == /.*\.(gif|GIF|png|PNG|jpg|JPG)/;
- },
- $result = NOTICE_FILE,
- $priority = 1],
-};
diff --git a/policy.old/ntp.bro b/policy.old/ntp.bro
deleted file mode 100644
index eb746bc830..0000000000
--- a/policy.old/ntp.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: ntp.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["ntp"] = "udp port 123" };
-
-module NTP;
-
-export {
- const excessive_ntp_request = 48 &redef;
- const allow_excessive_ntp_requests: set[addr] &redef;
-}
-
-# DPM configuration.
-global ntp_ports = { 123/udp } &redef;
-redef dpd_config += { [ANALYZER_NTP] = [$ports = ntp_ports] };
-
-const ntp_code: table[count] of string = {
- [0] = "unspec",
- [1] = "sym_act",
- [2] = "sym_psv",
- [3] = "client",
- [4] = "server",
- [5] = "bcast",
- [6] = "rsv1",
- [7] = "rsv2",
-};
-
-event ntp_message(u: connection, msg: ntp_msg, excess: string)
- {
- local id = u$id;
-
- if ( id !in udp_rep_count && id !in udp_req_count )
- {
- Hot::check_hot(u, Hot::CONN_ATTEMPTED);
- Scan::check_scan(u, F, F);
- }
-
- if ( msg$code == 4 )
- # "server"
- ++udp_rep_count[id];
- else
- # anything else
- ++udp_req_count[id];
-
- local n_excess = byte_len(excess);
- if ( n_excess > excessive_ntp_request &&
- id$orig_h !in allow_excessive_ntp_requests )
- {
- append_addl_marker(u, fmt("%s", n_excess), ",");
- ++u$hot;
- }
- }
diff --git a/policy.old/passwords.bro b/policy.old/passwords.bro
deleted file mode 100644
index 84e98ec3ff..0000000000
--- a/policy.old/passwords.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: passwords.bro 688 2004-11-02 23:59:55Z vern $
-
-# Generates notices of exposed passwords. Currently just works
-# on telnet/rlogin access. Should be extended to do FTP, HTTP, etc.
-
-@load login
-
-redef enum Notice += {
- PasswordExposed,
-};
-
-# Usernames which we ignore.
-global okay_usernames: set[string] &redef;
-
-# Passwords which we ignore.
-global okay_passwords = { "", "" } &redef;
-
-event login_success(c:connection, user: string, client_user: string,
- password: string, line: string)
- {
- if ( user in okay_usernames || password in okay_passwords )
- return;
-
- NOTICE([$note=PasswordExposed,
- $conn=c,
- $user=user,
- $sub=password,
- $msg="login exposed user's password"]);
- }
diff --git a/policy.old/peer-status.bro b/policy.old/peer-status.bro
deleted file mode 100644
index 95189873fd..0000000000
--- a/policy.old/peer-status.bro
+++ /dev/null
@@ -1,84 +0,0 @@
-# $Id: peer-status.bro 5954 2008-07-15 00:07:50Z vern $
-#
-# Emits process status "update" event periodically.
-
-module PeerStatus;
-
-export {
- type peer_status: record {
- res: bro_resources;
- stats: net_stats;
- current_time: time;
- cpu: double; # average CPU load since last update
- default_filter: string; # default capture filter
- };
-
- # Event sent periodically.
- global update: event(status: peer_status);
-
- # Update interval.
- const update_interval = 1 min;
-
- # This keeps track of all (local and remote) updates
- # (indexed by peer ID).
- global peers: table[peer_id] of peer_status;
-}
-
-global start_time = 0;
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-global stats: net_stats;
-global default_filter : string;
-
-event net_stats_update(t: time, ns: net_stats)
- {
- stats = ns;
- }
-
-event emit_update()
- {
- # Get CPU load.
- local res = resource_usage();
- local proc_time = res$user_time + res$system_time;
- local wall_time = current_time();
- local dproc = proc_time - cpu_last_proc_time;
- local dwall = wall_time - cpu_last_wall_time;
- local load = dproc / dwall * 100.0;
- cpu_last_proc_time = proc_time;
- cpu_last_wall_time = wall_time;
-
- local status: peer_status;
- status$res = res;
- status$stats = stats;
- status$current_time = current_time();
- status$cpu = load;
- status$default_filter = default_filter;
-
- event PeerStatus::update(status);
-
- schedule update_interval { emit_update() };
- }
-
-event bro_init()
- {
- default_filter = build_default_pcap_filter();
-
- local res = resource_usage();
- cpu_last_proc_time = res$user_time + res$system_time;
- cpu_last_wall_time = current_time();
- stats = [$pkts_recvd=0, $pkts_dropped=0, $pkts_link=0];
-
- schedule update_interval { emit_update() };
- }
-
-event update(status: peer_status)
- {
- local peer = get_event_peer();
- peers[peer$id] = status;
- }
-
-event remote_connection_closed(p: event_peer)
- {
- if ( p$id in peers )
- delete
peers[p$id];
- }
diff --git a/policy.old/pkt-profile.bro b/policy.old/pkt-profile.bro
deleted file mode 100644
index a499ec2c6e..0000000000
--- a/policy.old/pkt-profile.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: pkt-profile.bro 325 2004-09-03 01:33:15Z vern $
-
-redef pkt_profile_file = open_log_file("pkt-prof");
-redef pkt_profile_mode = PKT_PROFILE_MODE_SECS;
-redef pkt_profile_freq = 1.0;
diff --git a/policy.old/pop3.bro b/policy.old/pop3.bro
deleted file mode 100644
index 40ae3920a9..0000000000
--- a/policy.old/pop3.bro
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Id: pop3.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Analyzer for Post Office Protocol, version 3.
-#
-# If you want to decode the mail itself, also load mime-pop.bro.
-
-@load login
-
-module POP3;
-
-export {
- # Report if source triggers more ERR messages.
- const error_threshold: count = 3 &redef;
- # Don't log these commands.
- const ignore_commands: set[string] = { "STAT" } &redef;
-}
-
-redef capture_filters += { ["pop3"] = "port 110" };
-
-global pop3_ports = { 110/tcp } &redef;
-redef dpd_config += { [ANALYZER_POP3] = [$ports = pop3_ports] };
-
-const log_file = open_log_file("pop3") &redef;
-
-type pop3_session_info: record {
- id: count; # Unique session ID.
- quit_sent: bool; # Client issued a QUIT.
- last_command: string; # Last command of client.
-};
-
-
-global pop_log: function(conn: pop3_session_info,
- command: string, message: string);
-global get_connection: function(id: conn_id): pop3_session_info;
-
-
-global pop_connections:
- table[conn_id] of pop3_session_info &read_expire = 60 mins;
-global pop_connection_weirds:
- table[addr] of count &default=0 &read_expire = 60 mins;
-global pop_session_id = 0;
-
-
-event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
- {
- local conn = get_connection(c$id);
-
- pop_log(conn, command, fmt("%.6f #%s > %s %s",
- network_time(), prefixed_id(conn$id), command, arg));
-
- conn$last_command = command;
-
- if ( command == "QUIT" )
- conn$quit_sent = T;
- }
-
-event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
- {
- local conn = get_connection(c$id);
-
- pop_log(conn, cmd,
- fmt("%.6f #%s < %s %s", network_time(), prefixed_id(conn$id), cmd, msg));
-
- if ( cmd == "OK" )
- {
- if ( conn$quit_sent )
- delete pop_connections[c$id];
- }
-
- else if ( cmd == "ERR" )
- {
- ++pop_connection_weirds[c$id$orig_h];
- if ( pop_connection_weirds[c$id$orig_h] > error_threshold )
- print log_file, fmt("%.6f #%s %s/%d > %s/%d WARNING: error count exceeds
threshold",
- network_time(), prefixed_id(conn$id),
- c$id$orig_h, c$id$orig_p,
- c$id$resp_h, c$id$resp_p);
- }
- }
-
-event pop3_login_success(c: connection, is_orig: bool,
- user: string, password: string)
- {
- local conn = get_connection(c$id);
-
- local pw = byte_len(password) != 0 ? password : "";
-
- print log_file, fmt("%.6f #%s > login successful: user %s password: %s",
- network_time(), prefixed_id(conn$id), user, pw);
-
- event login_success(c, user, "", password, "");
- }
-
-event pop3_login_failure(c: connection, is_orig: bool,
- user: string, password: string)
- {
- local conn = get_connection(c$id);
-
- print log_file, fmt("%.6f #%s > login failed: user %s password: %s",
- network_time(), prefixed_id(conn$id), user, password);
-
- event login_failure(c, user, "", password, "");
- }
-
-# event pop3_data(c: connection, is_orig: bool, data: string)
-# {
-# # We could instantiate partial connections here if we wished,
-# # but at considerable cost in terms of event counts.
-# local conn = get_connection(c$id);
-# }
-
-event pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
- {
- local conn = get_connection(c$id);
- print log_file, fmt("%.6f #%s unexpected cmd: %s detail: %s",
- network_time(), prefixed_id(conn$id),
- msg, detail);
- }
-
-event pop3_terminate(c: connection, is_orig: bool, msg: string)
- {
- delete pop_connections[c$id];
- }
-
-
-function pop_log(conn: pop3_session_info, command: string, message: string)
- {
- if ( command !in ignore_commands )
- {
- if ( (command == "OK" || command == "ERR") &&
- conn$last_command in ignore_commands )
- ;
- else
- print log_file, message;
- }
- }
-
-function get_connection(id: conn_id): pop3_session_info
- {
- if ( id in pop_connections )
- return pop_connections[id];
-
- local conn: pop3_session_info;
-
- conn$id = ++pop_session_id;
- conn$quit_sent = F;
- conn$last_command = "INIT";
- pop_connections[id] = conn;
-
- print log_file, fmt("%.6f #%s %s/%d > %s/%d: new connection",
- network_time(), prefixed_id(conn$id),
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-
- return conn;
- }
diff --git a/policy.old/port-name.bro b/policy.old/port-name.bro
deleted file mode 100644
index c5b0f8c11f..0000000000
--- a/policy.old/port-name.bro
+++ /dev/null
@@ -1,63 +0,0 @@
-const port_names: table[port] of string = {
- [0/icmp] = "icmp-echo",
- [3/icmp] = "icmp-unreach",
- [8/icmp] = "icmp-echo",
-
- [7/tcp] = "echo",
- [9/tcp] = "discard",
- [20/tcp] = "ftp-data",
- [21/tcp] = "ftp",
- [22/tcp] = "ssh",
- [23/tcp] = "telnet",
- [25/tcp] = "smtp",
- [37/tcp] = "time",
- [43/tcp] = "whois",
- [53/tcp] = "dns",
- [79/tcp] = "finger",
- [80/tcp] = "http",
- [109/tcp] = "pop-2",
- [110/tcp] = "pop-3",
- [111/tcp] = "portmap",
- [113/tcp] = "ident",
- [119/tcp] = "nntp",
- [135/tcp] = "epmapper",
- [139/tcp] = "netbios-ssn",
- [143/tcp] = "imap4",
- [179/tcp] = "bgp",
- [389/tcp] = "ldap",
- [443/tcp] = "https",
- [445/tcp] = "smb",
- [512/tcp] = "exec",
- [513/tcp] = "rlogin",
- [514/tcp] = "shell",
- [515/tcp] = "printer",
- [524/tcp] = "ncp",
- [543/tcp] = "klogin",
- [544/tcp] = "kshell",
- [631/tcp] = "ipp",
- [993/tcp] = "simap",
- [995/tcp] = "spop",
- [1521/tcp] = "oracle-sql",
- [2049/tcp] = "nfs",
- [6000/tcp] = "X11",
- [6001/tcp] = "X11",
- [6667/tcp] = "IRC",
-
- [53/udp] = "dns",
- [69/udp] = "tftp",
- [111/udp] = "portmap",
- [123/udp] = "ntp",
- [137/udp] = "netbios-ns",
- [138/udp] = "netbios-dgm",
- [161/udp] = "snmp",
- [2049/udp] = "nfs",
-
-} &redef;
-
-function endpoint_id(h: addr, p: port): string
- {
- if ( p in port_names )
- return fmt("%s/%s", h, port_names[p]);
- else
- return fmt("%s/%d", h, p);
- }
diff --git a/policy.old/portmapper.bro b/policy.old/portmapper.bro
deleted file mode 100644
index 4829812154..0000000000
--- a/policy.old/portmapper.bro
+++ /dev/null
@@ -1,468 +0,0 @@
-# $Id: portmapper.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load notice
-@load hot
-@load conn
-@load weird
-@load scan
-
-module Portmapper;
-
-export {
- redef enum Notice += {
- # Some combination of the service looked up, the host doing the
- # request, and the server contacted is considered sensitive.
- SensitivePortmapperAccess,
- };
-
- # Kudos to Job de Haas for a lot of these entries.
-
- const rpc_programs = {
- [200] = "aarp",
-
- [100000] = "portmapper", [100001] = "rstatd",
- [100002] = "rusersd", [100003] = "nfs", [100004] = "ypserv",
- [100005] = "mountd", [100007] = "ypbind", [100008] = "walld",
- [100009] = "yppasswdd", [100010] = "etherstatd",
- [100011] = "rquotad", [100012] = "sprayd",
- [100013] = "3270_mapper", [100014] = "rje_mapper",
- [100015] = "selection_svc", [100016] = "database_svc",
- [100017] = "rexd", [100018] = "alis", [100019] = "sched",
- [100020] = "llockmgr", [100021] = "nlockmgr",
- [100022] = "x25.inr", [100023] = "statmon",
- [100024] = "status", [100026] = "bootparam",
- [100028] = "ypupdate", [100029] = "keyserv",
- [100033] = "sunlink_mapper", [100036] = "pwdauth",
- [100037] = "tfsd", [100038] = "nsed",
- [100039] = "nsemntd", [100041] = "pnpd",
- [100042] = "ipalloc", [100043] = "filehandle",
- [100055] = "ioadmd", [100062] = "NETlicense",
- [100065] = "sunisamd", [100066] = "debug_svc",
- [100068] = "cms", [100069] = "ypxfrd",
- [100071] = "bugtraqd", [100078] = "kerbd",
- [100083] = "tooltalkdb", [100087] = "admind",
- [100099] = "autofsd",
-
- [100101] = "event", [100102] = "logger", [100104] = "sync",
- [100105] = "diskinfo", [100106] = "iostat",
- [100107] = "hostperf", [100109] = "activity",
- [100111] = "lpstat", [100112] = "hostmem",
- [100113] = "sample", [100114] = "x25", [100115] = "ping",
- [100116] = "rpcnfs", [100117] = "hostif", [100118] = "etherif",
- [100119] = "ippath", [100120] = "iproutes",
- [100121] = "layers", [100122] = "snmp", [100123] = "traffic",
- [100131] = "layers2",
[100135] = "etherif2",
- [100136] = "hostmem2", [100137] = "iostat2",
- [100138] = "snmpv2", [100139] = "sender",
-
- [100221] = "kcms", [100227] = "nfs_acl", [100229] = "metad",
- [100230] = "metamhd", [100232] = "sadmind", [100233] = "ufsd",
- [100235] = "cachefsd", [100249] = "snmpXdmid",
-
- [100300] = "nisd", [100301] = "nis_cache",
- [100302] = "nis_callback", [100303] = "nispasswd",
-
- [120126] = "nf_snmd", [120127] = "nf_snmd",
-
- [150001] = "pcnfsd",
-
- [300004] = "frameuser", [300009] = "stdfm", [300019] = "amd",
-
- [300433] = "bssd", [300434] = "drdd",
-
- [300598] = "dmispd",
-
- [390100] = "prestoctl_svc",
-
- [390600] = "arserverd", [390601] = "ntserverd",
- [390604] = "arservtcd",
-
- [391000] = "SGI_snoopd", [391001] = "SGI_toolkitbus",
- [391002] = "SGI_fam", [391003] = "SGI_notepad",
- [391004] = "SGI_mountd", [391005] = "SGI_smtd",
- [391006] = "SGI_pcsd", [391007] = "SGI_nfs",
- [391008] = "SGI_rfind", [391009] = "SGI_pod",
- [391010] = "SGI_iphone", [391011] = "SGI_videod",
- [391012] = "SGI_testcd", [391013] = "SGI_ha_hb",
- [391014] = "SGI_ha_nc", [391015] = "SGI_ha_appmon",
- [391016] = "SGI_xfsmd", [391017] = "SGI_mediad",
-
- # 391018 - 391063 = "SGI_reserved"
-
- [545580417] = "bwnfsd",
-
- [555555554] = "inetray.start", [555555555] = "inetray",
- [555555556] = "inetray", [555555557] = "inetray",
- [555555558] = "inetray", [555555559] = "inetray",
- [555555560] = "inetray",
-
- [600100069] = "fypxfrd",
-
- [1342177279] = "Solaris/CDE", # = 0x4fffffff
-
- # Some services that choose numbers but start often at these values.
- [805306368] = "dmispd",
- [824395111] = "cfsd", [1092830567] = "cfsd",
- } &redef;
-
- const NFS_services = {
- "mountd", "nfs", "pcnfsd", "nlockmgr", "rquotad", "status"
- } &redef;
-
- # Indexed by the host providing the service, the host requesting it,
- # and the service.
- const RPC_okay: set[addr, addr, string] &redef;
- const RPC_okay_nets: set[subnet] &redef;
- const RPC_okay_services: set[string] &redef;
- const NFS_world_servers: set[addr] &redef;
-
- # Indexed by the portmapper request and a boolean that's T if
- # the request was answered, F it was attempted but not answered.
- # If there's an entry in the set, then the access won't lead to a
- # NOTICE (unless the connection is hot for some other reason).
- const RPC_do_not_complain: set[string, bool] = {
- ["pm_null", [T, F]],
- } &redef;
-
- # Indexed by the host requesting the dump and the host from which it's
- # requesting it.
- const RPC_dump_okay: set[addr, addr] &redef;
-
- # Indexed by the host providing the service - any host can request it.
- const any_RPC_okay = {
- [NFS_world_servers, NFS_services],
- [sun-rpc.mcast.net, "ypserv"], # sigh
- } &redef;
-
- # Logs all portmapper activity as readable "messages"
- # Format: timestamp orig_p resp_h resp_p proto localInit PortmapProcedure success details
- const log_file = open_log_file("portmapper") &redef;
- # Logs all portmapper mappings that we observe (i.e., getport and
- # dump replies. Format:
- # timestamp orig_h orig_p resp_h resp_p proto localInit PortmapProcedure RPCprogram version port proto
- # the mapping is then: accepts with
- # calls on . We learned this mapping via
- const mapping_log_file = open_log_file("portmapper-maps") &redef;
-}
-
-redef capture_filters += { ["portmapper"] = "port 111" };
-
-const portmapper_ports = { 111/tcp, 111/udp } &redef;
-redef dpd_config += { [ANALYZER_PORTMAPPER] = [$ports = portmapper_ports] };
-
-# Indexed by source and destination addresses, plus the portmapper service.
-# If the tuple is in the set, then we already created a NOTICE for it and
-# shouldn't do so again.
-global did_pm_notice: set[addr, addr, string];
-
-# Indexed by source and portmapper service. If set, we already created
-# a notice and shouldn't do so again.
-global suppress_pm_notice: set[addr, string];
-
-
-function RPC_weird_action_filter(c: connection): Weird::WeirdAction
- {
- if ( c$id$orig_h in RPC_okay_nets )
- return Weird::WEIRD_FILE;
- else
- return Weird::WEIRD_UNSPECIFIED;
- }
-
-redef Weird::weird_action_filters += {
- [["bad_RPC", "excess_RPC", "multiple_RPCs", "partial_RPC"]] =
- RPC_weird_action_filter,
-};
-
-
-function rpc_prog(p: count): string
- {
- if ( p in rpc_programs )
- return rpc_programs[p];
- else
- return fmt("unknown-%d", p);
- }
-
-
-function pm_get_conn_string(cid: conn_id) : string
- {
- return fmt("%s %d %s %d %s %s",
- cid$orig_h, cid$orig_p,
- cid$resp_h, cid$resp_p,
- get_port_transport_proto(cid$resp_p),
- is_local_addr(cid$orig_h) ? "L" : "X"
- );
- }
-
-# Log a pm_request or pm_attempt to the log file
-function pm_log(r: connection, proc: string, msg: string, success: bool)
- {
- print log_file, fmt("%f %s %s %s %s", network_time(),
- pm_get_conn_string(r$id),
- proc, success, msg);
- }
-
-# Log portmapper mappings received from a dump procedure
-function pm_log_mapping_dump(r: connection, m: pm_mappings)
- {
- # TODO: sort by program and version
- for ( mp in m )
- {
- local prog = rpc_prog(m[mp]$program);
- local ver = m[mp]$version;
- local p = m[mp]$p;
-
- print mapping_log_file, fmt("%f %s pm_dump %s %d %d %s", network_time(),
- pm_get_conn_string(r$id),
- prog, ver, p, get_port_transport_proto(p));
- }
- }
-
-# Log portmapper mappings received from a getport procedure
-# Unfortunately, pm_request_getport doesn't return pm_mapping,
-# but returns the parameters separately ....
-function pm_log_mapping_getport(r: connection, pr: pm_port_request, p: port)
- {
- local prog = rpc_prog(pr$program);
- local ver = pr$version;
-
- print mapping_log_file, fmt("%f %s pm_getport %s %d %d %s", network_time(),
- pm_get_conn_string(r$id),
- prog, ver, p, get_port_transport_proto(p));
- }
-
-
-
-function pm_check_getport(r: connection, prog: string): bool
- {
- if ( prog in RPC_okay_services ||
- [r$id$resp_h, prog] in any_RPC_okay ||
- [r$id$resp_h, r$id$orig_h, prog] in RPC_okay )
- return F;
-
- if ( r$id$orig_h in RPC_okay_nets )
- return F;
-
- return T;
- }
-
-function pm_activity(r: connection, do_notice: bool, proc: string)
- {
- local id = r$id;
-
- if ( do_notice &&
- [id$orig_h, id$resp_h, proc] !in did_pm_notice &&
- [id$orig_h, proc] !in suppress_pm_notice )
- {
- NOTICE([$note=SensitivePortmapperAccess, $conn=r,
- $msg=fmt("rpc: %s %s: %s",
- id_string(r$id), proc, r$addl)]);
- add did_pm_notice[id$orig_h, id$resp_h, proc];
- }
- }
-
-function pm_request(r: connection, proc: string, addl: string, do_notice: bool)
- {
- if ( [proc, T] in RPC_do_not_complain )
- do_notice = F;
-
- if ( ! is_tcp_port(r$id$orig_p) )
- {
- # It's UDP, so no connection_established event - check for
- # scanning, hot access, here, instead.
- Scan::check_scan(r, T, F);
- Hot::check_hot(r, Hot::CONN_ESTABLISHED);
- }
-
- if ( r$addl == "" )
- r$addl = addl;
-
- else
- {
- if ( byte_len(r$addl) > 80 )
- {
- # r already has a lot of annotation. We can sometimes
- # get *zillions* of successive pm_request's with the
- # same connection ID, depending on how the RPC client
- # behaves. For those, don't add any further, except
- # add an ellipses if we don't already have one.
- append_addl(r, "...");
- }
- else
- append_addl_marker(r, addl, ", ");
- }
-
- add r$service[proc];
- Hot::check_hot(r, Hot::CONN_FINISHED);
- pm_activity(r, do_notice || r$hot > 0, proc);
- pm_log(r, proc, addl, T);
- }
-
-
-event pm_request_null(r: connection)
- {
- pm_request(r, "pm_null", "", F);
- }
-
-event pm_request_set(r: connection, m: pm_mapping, success: bool)
- {
- pm_request(r, "pm_set", fmt("%s %d (%s)",
- rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
- }
-
-event pm_request_unset(r: connection, m: pm_mapping, success: bool)
- {
- pm_request(r, "pm_unset", fmt("%s %d (%s)",
- rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
- }
-
-function update_RPC_server_map(server: addr, p: port, prog: string)
- {
- if ( [server, p] in RPC_server_map )
- {
- if ( prog !in RPC_server_map[server, p] )
- {
- RPC_server_map[server, p] =
- fmt("%s/%s", RPC_server_map[server, p], prog);
- }
- }
- else
- RPC_server_map[server, p] = prog;
- }
-
-event pm_request_getport(r: connection, pr: pm_port_request, p: port)
- {
- local prog = rpc_prog(pr$program);
- local do_notice = pm_check_getport(r, prog);
-
- update_RPC_server_map(r$id$resp_h, p, prog);
-
- pm_request(r, "pm_getport", fmt("%s -> %s", prog, p), do_notice);
- pm_log_mapping_getport(r, pr, p);
- }
-
-# Note, this function has the side effect of updating the
-# RPC_server_map
-function pm_mapping_to_text(server: addr, m: pm_mappings): string
- {
- # Used to suppress multiple entries for multiple versions.
- local mapping_seen: set[count, port];
- local addls: vector of string;
- local num_addls = 0;
-
- for ( mp in m )
- {
- local prog = m[mp]$program;
- local p = m[mp]$p;
-
- if ( [prog, p] !in mapping_seen )
- {
- add mapping_seen[prog, p];
- addls[num_addls] = fmt("%s -> %s", rpc_prog(prog), p);
- ++num_addls;
- update_RPC_server_map(server, p, rpc_prog(prog));
- }
- }
-
- local addl_str = fmt("%s", sort(addls, strcmp));
-
- # Lop off surrounding []'s for compatibility with previous
- # format.
- addl_str = sub(addl_str, /^\[/, "");
- addl_str = sub(addl_str, /\]$/, "");
-
- return addl_str;
- }
-
-event pm_request_dump(r: connection, m: pm_mappings)
- {
- local do_notice = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
- # pm_mapping_to_text has the side-effect of updating RPC_server_map
- pm_request(r, "pm_dump",
- length(m) == 0 ? "(nil)" : pm_mapping_to_text(r$id$resp_h, m),
- do_notice);
- pm_log_mapping_dump(r, m);
- }
-
-event pm_request_callit(r: connection, call: pm_callit_request, p: port)
- {
- local orig_h = r$id$orig_h;
- local prog = rpc_prog(call$program);
- local do_notice = [orig_h, prog] !in suppress_pm_notice;
-
- pm_request(r, "pm_callit", fmt("%s/%d (%d bytes) -> %s",
- prog, call$proc, call$arg_size, p), do_notice);
-
- if ( prog == "walld" )
- add suppress_pm_notice[orig_h, prog];
- }
-
-
-function pm_attempt(r: connection, proc: string, status: rpc_status,
- addl: string, do_notice: bool)
- {
- if ( [proc, F] in RPC_do_not_complain )
- do_notice = F;
-
- if ( ! is_tcp_port(r$id$orig_p) )
- {
- # It's UDP, so no connection_attempt event - check for
- # scanning here, instead.
- Scan::check_scan(r, F, F);
- Hot::check_hot(r, Hot::CONN_ATTEMPTED);
- }
-
- add r$service[proc];
- append_addl(r, fmt("(%s)", RPC_status[status]));
-
- # Current policy is ignore any failed attempts.
- pm_activity(r, F, proc);
- pm_log(r, proc, addl, F);
- }
-
-event pm_attempt_null(r: connection, status: rpc_status)
- {
- pm_attempt(r, "pm_null", status, "", T);
- }
-
-event pm_attempt_set(r: connection, status: rpc_status, m: pm_mapping)
- {
- pm_attempt(r, "pm_set", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
- }
-
-event pm_attempt_unset(r: connection, status: rpc_status, m: pm_mapping)
- {
- pm_attempt(r, "pm_unset", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
- }
-
-event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request)
- {
- local prog = rpc_prog(pr$program);
- local do_notice = pm_check_getport(r, prog);
- pm_attempt(r, "pm_getport", status, prog, do_notice);
- }
-
-event pm_attempt_dump(r: connection, status: rpc_status)
- {
- local do_notice = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
- pm_attempt(r, "pm_dump", status, "", do_notice);
- }
-
-event pm_attempt_callit(r: connection, status: rpc_status,
- call: pm_callit_request)
- {
- local orig_h = r$id$orig_h;
- local prog = rpc_prog(call$program);
- local do_notice = [orig_h, prog] !in suppress_pm_notice;
-
- pm_attempt(r, "pm_callit", status,
- fmt("%s/%d (%d bytes)", prog, call$proc, call$arg_size),
- do_notice);
-
- if ( prog == "walld" )
- add suppress_pm_notice[orig_h, prog];
- }
-
-event pm_bad_port(r: connection, bad_p: count)
- {
- event conn_weird_addl("bad_pm_port", r, fmt("port %d", bad_p));
- }
diff --git a/policy.old/print-filter.bro b/policy.old/print-filter.bro
deleted file mode 100644
index 5d8d03b80a..0000000000
--- a/policy.old/print-filter.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id: print-filter.bro 4506 2007-06-27 14:40:34Z vern $
-
-module PrintFilter;
-
-export {
- # If true, terminate Bro after printing the filter.
- const terminate_bro = T &redef;
-
- # If true, write to log file instead of stdout.
- const to_file = F &redef;
- }
-
-event bro_init()
- {
- if ( to_file )
- {
- local f = open_log_file("pcap_filter");
- print f, build_default_pcap_filter();
- close(f);
- }
- else
- print build_default_pcap_filter();
-
- if ( terminate_bro )
- exit();
- }
diff --git a/policy.old/print-globals.bro b/policy.old/print-globals.bro
deleted file mode 100644
index 994ea17eba..0000000000
--- a/policy.old/print-globals.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-event bro_done()
- {
- print global_sizes();
- }
diff --git a/policy.old/print-resources.bro b/policy.old/print-resources.bro
deleted file mode 100644
index 7b069f9415..0000000000
--- a/policy.old/print-resources.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: print-resources.bro 6703 2009-05-13 22:27:44Z vern $
-
-# Logs Bro resource usage information upon termination.
-
-@load notice
-
-redef enum Notice += {
- ResourceSummary, # Notice type for this event
-};
-
-event bro_done()
- {
- local res = resource_usage();
-
- NOTICE([$note=ResourceSummary,
- $msg=fmt("elapsed time = %s, total CPU = %s, maximum memory = %d KB, peak connections = %d, peak timers = %d, peak fragments = %d",
- res$real_time, res$user_time + res$system_time,
- res$mem / 1024,
- res$max_TCP_conns + res$max_UDP_conns + res$max_ICMP_conns,
- res$max_timers, res$max_fragments)]);
- }
diff --git a/policy.old/print-sig-states.bro b/policy.old/print-sig-states.bro
deleted file mode 100644
index c13677f6ca..0000000000
--- a/policy.old/print-sig-states.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: print-sig-states.bro 491 2004-10-05 05:44:59Z vern $
-#
-# Simple profiling script for periodicaly dumping out signature-matching
-# statistics.
-
-global sig_state_stats_interval = 5 mins;
-global sig_state_file = open_log_file("sig-states");
-
-event dump_sig_state_stats()
- {
- dump_rule_stats(sig_state_file);
- schedule sig_state_stats_interval { dump_sig_state_stats() };
- }
-
-event bro_init()
- {
- schedule sig_state_stats_interval { dump_sig_state_stats() };
- }
diff --git a/policy.old/profiling.bro b/policy.old/profiling.bro
deleted file mode 100644
index a8aef46440..0000000000
--- a/policy.old/profiling.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id: profiling.bro 1102 2005-03-17 09:17:46Z vern $
-#
-# Turns on profiling of Bro resource consumption.
-
-redef profiling_file = open_log_file("prof");
-
-# Cheap profiling every 15 seconds.
-redef profiling_interval = 15 secs &redef;
-
-# Expensive profiling every 5 minutes.
-redef expensive_profiling_multiple = 20;
-
-event bro_init()
- {
- set_buf(profiling_file, F);
- }
-
diff --git a/policy.old/proxy.bro b/policy.old/proxy.bro
deleted file mode 100644
index 1f43308f3a..0000000000
--- a/policy.old/proxy.bro
+++ /dev/null
@@ -1,99 +0,0 @@ -# $Id: proxy.bro,v 1.1.4.2 2006/05/31 00:16:22 sommer Exp $ -# -# Finds open proxies by matching incoming HTTP requests with outgoing ones. - -@load notice - -module Proxy; - -export { - const KnownProxies: set[addr] = { }; - - redef enum Notice += { - HTTPProxyFound, - }; -} - - -type request: record { - p: port; - paths: set[string]; -}; - -# Maps the address of the potential proxy to the paths that -# have been requested from it. -global requests: table[addr] of request; - -# A parsed URL. -type url: record { - host: string; - path: string; -}; - -global found_proxies: set[addr] &create_expire = 24 hrs; - -function parse_url(u: string) : url - { - # The URL parsing is imperfect, but should work sufficiently well. - local a = split1(u, /:\/\//); - if ( |a| == 1 ) - return [$host="", $path=a[1]]; - - local b = split1(a[2], /\//); - return [$host=b[1], $path=(|b| == 2 ? cat("/", b[2]) : "/")]; - } - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - if ( method != "GET" && method != "CONNECT" ) - return; - - local client = c$id$orig_h; - local server = c$id$resp_h; - - if ( server in KnownProxies ) - return; - - # FIXME: Which one? original_URI or unescaped_URI? - local u = parse_url(original_URI); - - if ( client in requests ) - { - # We have already seen requests to this host. Let's see - # any matches the one we're very currently seeing. - local r = requests[client]; - if ( u$path in r$paths ) - { - if ( client !in found_proxies ) - { - NOTICE([$note=HTTPProxyFound, - $conn=c, $src=client, - $p=r$p, $URL=original_URI, - $msg=fmt("HTTP proxy found %s:%d (%s)", - client, r$p, original_URI)]); - add found_proxies[client]; - } - - return; - } - } - - if ( u$host == "" ) - # A relative URL. That's fine. - return; - - # An absolute URL. Remember path for later. - # - # Note: using "when", could even lookup the destination - # host and remember that one, too! 
- - if ( server !in requests ) - { - local empty_set: set[string] &read_expire = 15 secs; - local req = [$p=c$id$resp_p, $paths=empty_set]; - requests[server] = req; - } - - add requests[server]$paths[u$path]; - } diff --git a/policy.old/remote-pcap.bro b/policy.old/remote-pcap.bro deleted file mode 100644 index 18b124707e..0000000000 --- a/policy.old/remote-pcap.bro +++ /dev/null @@ -1,52 +0,0 @@ -# $Id: remote-pcap.bro 2704 2006-04-04 07:35:46Z vern $ -# -# Allows remote peers to set our capture filter. - -@load remote - -# We install a filter which (hopefully) doesn't match anything to avoid Bro's -# default "tcp or udp" when no other script/peers adds a filter. - -## FIXME: We need non-blocking pacp for this to work. -## -## ##redef capture_filters["match-nothing"] = "ether src 0:0:0:0:0:0"; - -function build_capture_filter_index(p: event_peer): string - { - return fmt("remote-%d", p$id); - } - -event remote_capture_filter(p: event_peer, filter: string) - { - # If we send a capture filter to a peer and are subscribed to all - # of its events, we will get a remote_capture_filter event back. - if ( is_remote_event() ) - return; - - Remote::do_script_log(p, fmt("received capture filter: %s", filter)); - - capture_filters[build_capture_filter_index(p)] = filter; - - # This will recompile the filter, which may take some time. - # Thus, setting a new capture_filter may cost us some packets :-(. - update_default_pcap_filter(); - - Remote::do_script_log(p, fmt("new default pcap filter: %s", - default_pcap_filter)); - } - -event remote_connection_closed(p: event_peer) - { - local i = build_capture_filter_index(p); - - if ( i in capture_filters ) - { - Remote::do_script_log(p, fmt("removed capture filter: %s", - capture_filters[i])); - delete capture_filters[i]; - update_default_pcap_filter(); - } - - Remote::do_script_log(p, fmt("new default pcap filter: %s", - default_pcap_filter)); - } 
diff --git a/policy.old/remote-ping.bro b/policy.old/remote-ping.bro
deleted file mode 100644
index c27c8884d2..0000000000
--- a/policy.old/remote-ping.bro
+++ /dev/null
@@ -1,49 +0,0 @@
-# $Id: remote-ping.bro 2704 2006-04-04 07:35:46Z vern $
-#
-# Exchanges periodic pings between communicating Bro's to measure their
-# processing times.
-
-@load remote
-
-module RemotePing;
-
-export {
- const ping_interval = 1 secs;
-}
-
-global pings: table[event_peer] of count;
-
-event remote_connection_established(p: event_peer)
- {
- pings[p] = 0;
- }
-
-event remote_connection_closed(p: event_peer)
- {
- delete pings[p];
- }
-
-event ping()
- {
- for ( p in pings )
- send_ping(p, ++pings[p]);
-
- schedule ping_interval { ping() };
- }
-
-event remote_pong(p: event_peer, seq: count,
- d1: interval, d2: interval, d3: interval)
- {
- # We log three times: "time= [/]"
- # t1: round-trip between the two parent processes.
- # t2: round-trip between the two child processes.
- # t3: sum of time spent in client<->parent communication on
- # either side
- Remote::do_script_log(p, fmt("ping seq=%d time=%.3fs [%.3fs/%.3fs]", seq,
- d1, d2 - d3, d1 - d2 + d3));
- }
-
-event bro_init()
- {
- schedule ping_interval { ping() };
- }
diff --git a/policy.old/remote-print-id-reply.bro b/policy.old/remote-print-id-reply.bro
deleted file mode 100644
index 81d0efe35e..0000000000
--- a/policy.old/remote-print-id-reply.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id:$
-#
-# Load this script to support remote printing of variables. The remote
-# peer accesses these by loading remote-print-id.bro.
-
-module PrintID;
-
-global request_id_response: event(id: string, content: string);
-
-event request_id(id: string)
- {
- if ( ! is_remote_event() )
- return;
-
- local val = lookup_ID(id);
- event request_id_response(id, fmt("%s", val));
- }
diff --git a/policy.old/remote-print-id.bro b/policy.old/remote-print-id.bro
deleted file mode 100644
index 550ff8b8b8..0000000000
--- a/policy.old/remote-print-id.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id:$
-#
-# Requests the current value of a variable (identifier) from a remote
-# peer, prints it, and then terminates. The other side must load
-# remote-print-id-reply.bro.
-#
-# Intended to be used from the command line as in:
-#
-# bro -e 'redef PrintID::dst="" PrintID::id=""'
-# remote-print-id
-#
-# The other scripts must set up the connection. is an index into
-# Remote::destinations corresponding to the destination.
-
-module PrintID;
-
-@load remote
-@load remote-print-id-reply
-
-export {
- const dst = "" &redef;
- const id = "" &redef;
-}
-
-event remote_connection_handshake_done(p: event_peer)
- {
- local peer = Remote::destinations[dst];
-
- if ( peer$host == p$host )
- {
- print fmt("Requesting %s from %s at %s:%d",
- id, dst, p$host, p$p);
- event request_id(id);
- }
- }
-
-event request_id_response(id: string, content: string)
- {
- print fmt("%s = %s", id, content);
- terminate_communication();
- }
-
-event bro_init()
- {
- if ( dst !in Remote::destinations )
- {
- print fmt("Unknown destination %s", dst);
- terminate();
- return;
- }
-
- Remote::connect_peer(dst);
- }
diff --git a/policy.old/remote-print.bro b/policy.old/remote-print.bro
deleted file mode 100644
index e0d29259c6..0000000000
--- a/policy.old/remote-print.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# $Id: remote-print.bro 415 2004-09-17 03:25:12Z vern $
-#
-# Write remote print messages into local files.
-
-event print_hook(f: file, s: string)
- {
- if ( is_remote_event() )
- print f, s;
- }
diff --git a/policy.old/remote-report-notices.bro b/policy.old/remote-report-notices.bro
deleted file mode 100644
index b70baf59c4..0000000000
--- a/policy.old/remote-report-notices.bro
+++ /dev/null
@@ -1,14 +0,0 @@
-# $Id:$
-#
-# Forward remote notices to our local system.
-
-event notice_action(n: notice_info, action: NoticeAction)
- {
- if ( is_remote_event() )
- {
- # Don't raise this event recursively.
- suppress_notice_action = T;
- NOTICE(n);
- suppress_notice_action = F;
- }
- }
diff --git a/policy.old/remote-send-id.bro b/policy.old/remote-send-id.bro
deleted file mode 100644
index 15c1df5f75..0000000000
--- a/policy.old/remote-send-id.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-# $Id:$
-#
-# Sends the current value of an ID to a remote Bro and then terminates
-# processing.
-#
-# Intended to be used from the command line as in:
-#
-# bro -e "redef Send::dst="" Send::id=""
-# remote-send-id
-#
-# The other scripts must set up the connection. is an index into
-# Remote::destinations corresponding to the destination.
-
-module Send;
-
-@load remote
-
-export {
- const dst = "" &redef;
- const id = "" &redef;
-}
-
-event remote_connection_handshake_done(p: event_peer)
- {
- local peer = Remote::destinations[dst];
-
- if ( peer$host == p$host )
- {
- print fmt("Sending %s to %s at %s:%d", id, dst, p$host, p$p);
- send_id(p, id);
- terminate_communication();
- }
- }
-
-event bro_init()
- {
- if ( dst !in Remote::destinations )
- {
- print fmt("Unknown destination %s", dst);
- terminate();
- return;
- }
-
- Remote::connect_peer(dst);
- }
diff --git a/policy.old/remote.bro b/policy.old/remote.bro
deleted file mode 100644
index 294c8fcd1e..0000000000
--- a/policy.old/remote.bro
+++ /dev/null
@@ -1,272 +0,0 @@ -# $Id: remote.bro 5101 2007-11-29 07:02:27Z vern $ -# -# Connect to remote Bros and request some of their events. - -module Remote; - -export { - const default_port_ssl = 47756/tcp &redef; - const default_port_clear = 47757/tcp &redef; - - # Default compression level. - global default_compression = 0 &redef; - - # A remote peer to which we would like to talk. - # If there's no entry for a peer, it may still connect - # and request state, but not send us any. - type Destination : record { - # Destination endpoint. - host: addr; - p: port &optional; - - # When accepting a connection, the configuration only - # applies if the class matches the one transmitted by - # the peer. - # - # When initiating a connection, the class is sent to - # the other side. - class: string &optional; - - # Events requested from remote side. - events: pattern &optional; - - # Whether we are going to connect (rather than waiting - # for the other sie to connect to us). - connect: bool &default = F; - - # If disconnected, reconnect after this many seconds. - retry: interval &default = 0 secs; - - # Whether to accept remote events. - accept_input: bool &default = T; - - # Whether to perform state synchronization with peer. - sync: bool &default = T; - - # Whether to request logs from the peer. - request_logs: bool &default = F; - - # When performing state synchronization, whether we consider - # our state to be authoritative. If so, we will send the peer - # our current set when the connection is set up. - # (Only one side can be authoritative.) - auth: bool &default = F; - - # If not set, no capture filter is sent. - # If set to "", the default cature filter is sent. - capture_filter: string &optional; - - # Whether to use SSL-based communication. - ssl: bool &default = F; - - # Take-over state from this host - # (activated by loading hand-over.bro) - hand_over: bool &default = F; - - # Compression level is 0-9, with 0 = no compression. 
- compression: count &default = default_compression; - - # Set when connected. - peer: event_peer &optional; - connected: bool &default = F; - }; - - const destinations: table[string] of Destination &redef; - - # redef destinations += { - # ["foo"] = [$host = foo.bar.com, $events = /.*/, $connect=T, $retry = 60 secs, $ssl=T] - # }; - - # Write log message into remote.log - global do_script_log: function(p: event_peer, msg: string); - - global pending_peers: table[peer_id] of Destination; - global connected_peers: table[peer_id] of Destination; - - # Connect to destionations[dst], independent of its "connect" flag. - global connect_peer: function(peer: string); -} - -# Called rm_log rather than remote_log because there's an event by that name. -global rm_log = open_log_file("remote"); - -global src_names = { - [REMOTE_SRC_CHILD] = "[child] ", - [REMOTE_SRC_PARENT] = "[parent]", - [REMOTE_SRC_SCRIPT] = "[script]", -}; - -function do_script_log_common(level: count, src: count, msg: string) - { - print rm_log, - fmt("%.6f %s %s %s", current_time(), - (level == REMOTE_LOG_INFO ? "[info] " : "[error]"), - src_names[src], msg); - } - -event remote_log(level: count, src: count, msg: string) - { - do_script_log_common(level, src, msg); - } - -function do_script_log(p: event_peer, msg: string) - { - do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, - fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg)); - } - -function connect_peer(peer: string) - { - local dst = destinations[peer]; - local p = dst$ssl ? default_port_ssl : default_port_clear; - - if ( dst?$p ) - p = dst$p; - - local class = dst?$class ? dst$class : ""; - local id = connect(dst$host, p, class ,dst$retry, dst$ssl); - - if ( id == PEER_ID_NONE ) - print rm_log, - fmt("%.6f %s/%d can't trigger connect", - current_time(), dst$host, p); - - pending_peers[id] = dst; - } - -event bro_init() &priority = -10 # let others modify destinations - { - set_buf(rm_log, F); - - for ( tag in destinations ) - { - if ( ! 
destinations[tag]$connect ) - next; - - connect_peer(tag); - } - } - -function setup_peer(p: event_peer, dst: Destination) - { - if ( dst?$events ) - { - do_script_log(p, fmt("requesting events matching %s", dst$events)); - request_remote_events(p, dst$events); - } - - if ( dst?$capture_filter ) - { - local filter = dst$capture_filter; - if ( filter == "" ) - filter = default_pcap_filter; - - do_script_log(p, fmt("sending capture_filter: %s", filter)); - send_capture_filter(p, filter); - } - - if ( dst$accept_input ) - { - do_script_log(p, "accepting state"); - set_accept_state(p, T); - } - - set_compression_level(p, dst$compression); - - if ( dst$sync ) - { - do_script_log(p, "requesting synchronized state"); - request_remote_sync(p, dst$auth); - } - - if ( dst$request_logs ) - { - do_script_log(p, "requesting logs"); - request_remote_logs(p); - } - - dst$peer = p; - dst$connected = T; - connected_peers[p$id] = dst; - } - -event remote_connection_established(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection established"); - - if ( p$id in pending_peers ) - { - # We issued the connect. - local dst = pending_peers[p$id]; - setup_peer(p, dst); - delete pending_peers[p$id]; - } - else - { # The other side connected to us. - local found = F; - for ( i in destinations ) - { - dst = destinations[i]; - if ( dst$host == p$host ) - { - local c = 0; - - # See if classes match = either both have - # the same class, or neither of them has - # a class. - if ( p?$class && p$class != "" ) - ++c; - - if ( dst?$class && dst$class != "" ) - ++c; - - if ( c == 1 || - (c == 2 && p$class != dst$class) ) - next; - - found = T; - setup_peer(p, dst); - break; - } - } - - if ( ! 
found ) - set_compression_level(p, default_compression); - } - - complete_handshake(p); - } - -event remote_connection_closed(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection closed"); - - if ( p$id in connected_peers ) - { - local dst = connected_peers[p$id]; - dst$connected = F; - - delete connected_peers[p$id]; - - if ( dst$retry != 0secs ) - # The core will retry. - pending_peers[p$id] = dst; - } - } - -event remote_state_inconsistency(operation: string, id: string, - expected_old: string, real_old: string) - { - if ( is_remote_event() ) - return; - - print rm_log, - fmt("%.6f state inconsistency: %s should be %s but is %s before %s", - network_time(), id, expected_old, real_old, operation); - } diff --git a/policy.old/rotate-logs.bro b/policy.old/rotate-logs.bro deleted file mode 100644 index 92ab4cf455..0000000000 --- a/policy.old/rotate-logs.bro +++ /dev/null 
@@ -1,160 +0,0 @@ -# $Id: rotate-logs.bro 4685 2007-07-30 23:50:26Z vern $ - -module RotateLogs; - -export { - # Maps file names to postprocessors. - global postprocessors: table[string] of string &redef; - - # Default postprocessor. - global default_postprocessor = "" &redef; - - # Files which are to be rotated according to log_rotate_interval - # and log_max_size, but aren't represented by a file object. - global aux_files: set[string] &redef; - - # For aux_files, the time interval in which we check the files' sizes. - global aux_check_size_interval = 30 secs &redef; - - # Callback to provide name for rotated file. - global build_name: function(info: rotate_info): string &redef; - - # Default naming suffix format. - global date_format = "%y-%m-%d_%H.%M.%S" &redef; - - # Whether to rotate files when shutting down. - global rotate_on_shutdown = T &redef; - - # If set, postprocessors get this tag as an additional argument. - global tag = "" &redef; -} - -# Default rotation is once per hour. -redef log_rotate_interval = 1 hr; - -# There are other variables that are defined in bro.init. Here are -# some example of how these might be redefined. -# redef log_rotate_base_time = "0:00"; -# redef log_max_size = 1e7; -# redef log_encryption_key = "mybigsecret"; - -# Given a rotate info record, returns new rotated filename. -function build_name(info: rotate_info): string - { - return fmt("%s-%s", info$old_name, strftime(date_format, info$open)); - } - -# Run post-processor on file. If there isn't any postprocessor defined, -# we move the file to a nicer name. -function run_pp(info: rotate_info) - { - local pp = default_postprocessor; - - if ( info$old_name in postprocessors ) - pp = postprocessors[info$old_name]; - - if ( pp != "" ) - # The date format is hard-coded here to provide a standardized - # script interface. 
- system(fmt("%s %s %s %s %s %s %s", - pp, info$new_name, info$old_name, - strftime("%y-%m-%d_%H.%M.%S", info$open), - strftime("%y-%m-%d_%H.%M.%S", info$close), - bro_is_terminating() ? "1" : "0", - tag)); - else - system(fmt("/bin/mv %s %s %s", - info$new_name, build_name(info), tag)); - } - -# Rotate file. -function rotate(f: file) - { - local info = rotate_file(f); - if ( info$old_name == "" ) - # Error. - return; - - run_pp(info); - } - -# Rotate file, but only if we know the name. -function rotate_by_name(f: string) - { - local info = rotate_file_by_name(f); - if ( info$old_name == "" ) - # Error. - return; - - run_pp(info); - } - -function make_nice_timestamp(i: interval) : time - { - # To get nice timestamps, we round the time up to - # the next multiple of the rotation interval. - - local nt = time_to_double(network_time()); - local ri = interval_to_double(i); - - return double_to_time(floor(nt / ri) * ri + ri); - } - -# Raised when a &rotate_interval expires. -event rotate_interval(f: file) - { - if ( bro_is_terminating() && ! rotate_on_shutdown ) - return; - - rotate(f); - } - -# Raised when a &rotate_size is reached. -event rotate_size(f: file) - { - rotate(f); - } - -# Raised for aux_files when log_rotate_inverval expires. - -global first_aux_rotate_interval = T; - -event aux_rotate_interval() - { - if ( bro_is_terminating() && ! rotate_on_shutdown ) - return; - - if ( ! first_aux_rotate_interval ) - for ( f in aux_files ) - rotate_by_name(f); - - first_aux_rotate_interval = F; - - if ( ! bro_is_terminating() ) - schedule calc_next_rotate(log_rotate_interval) - { aux_rotate_interval() }; - } - -# Regularly raised to check aux_files' sizes. -event aux_check_size() - { - for ( f in aux_files ) - if ( file_size(f) > log_max_size ) - rotate_by_name(f); - - if ( ! 
bro_is_terminating() ) - schedule aux_check_size_interval { aux_check_size() }; - } - -event bro_init() - { - if ( length(aux_files) != 0 ) - { - if ( log_rotate_interval != 0 secs ) - schedule calc_next_rotate(log_rotate_interval) - { aux_rotate_interval() }; - - if ( log_max_size != 0 ) - schedule aux_check_size_interval { aux_check_size() }; - } - } diff --git a/policy.old/rsh.bro b/policy.old/rsh.bro deleted file mode 100644 index 933d765dc7..0000000000 --- a/policy.old/rsh.bro +++ /dev/null 
@@ -1,105 +0,0 @@ -# $Id: rsh.bro 4758 2007-08-10 06:49:23Z vern $ - -@load conn -@load login - -module RSH; - -export { - redef enum Notice += { - # RSH client username and server username differ. - DifferentRSH_Usernames, - - # Attempt to authenticate via RSH failed. - FailedRSH_Authentication, - - # RSH session appears to be interactive - multiple lines of - # user commands. - InteractiveRSH, - - SensitiveRSH_Input, - SensitiveRSH_Output, - }; - - const failure_msgs = - /^Permission denied/ - | /Login failed/ - &redef; -} - -redef capture_filters += { ["rsh"] = "tcp port 514" }; - -global rsh_ports = { 514/tcp } &redef; -redef dpd_config += { [ANALYZER_RSH] = [$ports = rsh_ports] }; - -type rsh_session_info: record { - client_user: string; - server_user: string; - initial_cmd: string; - output_line: count; # number of lines seen -}; - -global rsh_sessions: table[conn_id] of rsh_session_info; - -function new_rsh_session(c: connection, client_user: string, - server_user: string, line: string) - { - if ( c$id in rsh_sessions ) - delete rsh_sessions[c$id]; - - local s: rsh_session_info; - s$client_user = client_user; - s$server_user = server_user; - s$initial_cmd = line; - s$output_line = 0; - - rsh_sessions[c$id] = s; - } - -event rsh_request(c: connection, client_user: string, server_user: string, - line: string, new_session: bool) - { - local id = c$id; - - local BS_line = edit(line, Login::BS); - local DEL_line = edit(line, Login::DEL); - - if ( new_session ) - { - new_rsh_session(c, client_user, server_user, line); - - if ( client_user != server_user ) - NOTICE([$note=DifferentRSH_Usernames, $conn=c, - $msg=fmt("differing client/server usernames (%s/%s)", - client_user, server_user), - $sub=client_user, $user=server_user]); - } - - local s = rsh_sessions[c$id]; - if ( s$output_line > 0 ) - NOTICE([$note=InteractiveRSH, $conn=c, - $msg="interactive RSH session, input following output", - $sub=s$client_user, $user=s$server_user]); - - if ( Login::input_trouble in 
line || - Login::input_trouble in BS_line || - Login::input_trouble in DEL_line || - line == Login::full_input_trouble ) - NOTICE([$note=SensitiveRSH_Input, $conn=c, - $msg=line, $sub=s$client_user, $user=s$server_user]); - } - -event rsh_reply(c: connection, client_user: string, server_user: string, - line: string) - { - local s = rsh_sessions[c$id]; - - if ( line != "" && ++s$output_line == 1 && failure_msgs in line ) - NOTICE([$note=FailedRSH_Authentication, $conn=c, - $msg=line, $sub=s$client_user, $user=s$server_user]); - - if ( Login::output_trouble in line || - line == Login::full_output_trouble ) - NOTICE([$note=SensitiveRSH_Output, $conn=c, - $msg=line, $sub=s$client_user, $user=s$server_user]); - } diff --git a/policy.old/save-peer-status.bro b/policy.old/save-peer-status.bro deleted file mode 100644 index 26481bc093..0000000000 --- a/policy.old/save-peer-status.bro +++ /dev/null 
@@ -1,53 +0,0 @@ -# $Id$ -# -# Writes a summary of our peer's status into a file. - -@load peer-status - -event PeerStatus::update(status: PeerStatus::peer_status) &priority = -5 - { - local f = open_log_file("peer_status"); - - for ( id in PeerStatus::peers ) - { - local stat = PeerStatus::peers[id]; - local host: string; - - if ( id != 0 ) - { - if ( id !in Remote::connected_peers ) - next; - - host = Remote::connected_peers[id]$peer$descr; - } - else - host = get_local_event_peer()$descr; - - print f, fmt("%18s %s%s %D %D %02.0f%% %4dM #%d %dK/%dK/%dK (%.1f%%)", - host, stat$res$version, stat$res$debug ? "-DEBUG" : "", - stat$res$start_time, stat$current_time, stat$cpu, - stat$res$mem / 1024 / 1024, - stat$res$num_TCP_conns + stat$res$num_UDP_conns + stat$res$num_ICMP_conns, - stat$stats$pkts_dropped / 1024, - stat$stats$pkts_recvd / 1024, - stat$stats$pkts_link / 1024, - 100.0 * stat$stats$pkts_dropped / (stat$stats$pkts_dropped + stat$stats$pkts_recvd)); - } - - print f, "###"; - -# for ( id in PeerStatus::peers ) -# { -# stat = PeerStatus::peers[id]; -# -# if ( id != 0 ) -# host = Remote::connected_peers[id]$peer$descr; -# else -# host = get_local_event_peer()$descr; -# -# print f, fmt("%10s %s", host, stat$default_filter); -# print f; -# } - - close(f); - } diff --git a/policy.old/scan.bro b/policy.old/scan.bro deleted file mode 100644 index d3ee0574c3..0000000000 --- a/policy.old/scan.bro +++ /dev/null 
@@ -1,706 +0,0 @@ -# $Id: scan.bro 7073 2010-09-13 00:45:02Z vern $ - -@load conn -@load notice -@load port-name -@load hot -@load drop -@load trw-impl - -module Scan; - -export { - redef enum Notice += { - PortScan, # the source has scanned a number of ports - AddressScan, # the source has scanned a number of addrs - BackscatterSeen, - # apparent flooding backscatter seen from source - - ScanSummary, # summary of scanning activity - PortScanSummary, # summary of distinct ports per scanner - LowPortScanSummary, # summary of distinct low ports per scanner - - PasswordGuessing, # source tried many user/password combinations - SuccessfulPasswordGuessing, # same, but a login succeeded - - Landmine, # source touched a landmine destination - ShutdownThresh, # source reached shut_down_thresh - LowPortTrolling, # source touched privileged ports - }; - - # If true, we suppress scan-checking (we still do account-tried - # accounting). This is provided because scan-checking can consume - # a lot of memory. - const suppress_scan_checks = F &redef; - - # Whether to consider UDP "connections" for scan detection. - # Can lead to false positives due to UDP fanout from some P2P apps. - const suppress_UDP_scan_checks = F &redef; - - const activate_priv_port_check = T &redef; - const activate_landmine_check = F &redef; - const landmine_thresh_trigger = 5 &redef; - - const landmine_address: set[addr] &redef; - - const scan_summary_trigger = 25 &redef; - const port_summary_trigger = 20 &redef; - const lowport_summary_trigger = 10 &redef; - - # Raise ShutdownThresh after this many failed attempts - const shut_down_thresh = 100 &redef; - - # Which services should be analyzed when detecting scanning - # (not consulted if analyze_all_services is set). - const analyze_services: set[port] &redef; - const analyze_all_services = T &redef; - - # Track address scaners only if at least these many hosts contacted. 
- const addr_scan_trigger = 0 &redef; - - # Ignore address scanners for further scan detection after - # scanning this many hosts. - # 0 disables. - const ignore_scanners_threshold = 0 &redef; - - # Report a scan of peers at each of these points. - const report_peer_scan: vector of count = { - 20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000, - } &redef; - - const report_outbound_peer_scan: vector of count = { - 100, 1000, 10000, - } &redef; - - # Report a scan of ports at each of these points. - const report_port_scan: vector of count = { - 50, 250, 1000, 5000, 10000, 25000, 65000, - } &redef; - - # Once a source has scanned this many different ports (to however many - # different remote hosts), start tracking its per-destination access. - const possible_port_scan_thresh = 20 &redef; - - # Threshold for scanning privileged ports. - const priv_scan_trigger = 5 &redef; - const troll_skip_service = { - smtp, ftp, ssh, 20/tcp, http, - } &redef; - - const report_accounts_tried: vector of count = { - 20, 100, 1000, 10000, 100000, 1000000, - } &redef; - - const report_remote_accounts_tried: vector of count = { - 100, 500, - } &redef; - - # Report a successful password guessing if the source attempted - # at least this many. - const password_guessing_success_threshhold = 20 &redef; - - const skip_accounts_tried: set[addr] &redef; - - const addl_web = { - 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, } - &redef; - - const skip_services = { ident, } &redef; - const skip_outbound_services = { Hot::allow_services, ftp, addl_web, } - &redef; - - const skip_scan_sources = { - 255.255.255.255, # who knows why we see these, but we do - - # AltaVista. Here just as an example of what sort of things - # you might list. - test-scooter.av.pa-x.dec.com, - } &redef; - - const skip_scan_nets: set[subnet] = {} &redef; - - # List of well known local server/ports to exclude for scanning - # purposes. 
- const skip_dest_server_ports: set[addr, port] = {} &redef; - - # Reverse (SYN-ack) scans seen from these ports are considered - # to reflect possible SYN-flooding backscatter, and not true - # (stealth) scans. - const backscatter_ports = { - http, 53/tcp, 53/udp, bgp, 6666/tcp, 6667/tcp, - } &redef; - - const report_backscatter: vector of count = { - 20, - } &redef; - - global check_scan: - function(c: connection, established: bool, reverse: bool): bool; - - # The following tables are defined here so that we can redef - # the expire timeouts. - # FIXME: should we allow redef of attributes on IDs which - # are not exported? - - # How many different hosts connected to with a possible - # backscatter signature. - global distinct_backscatter_peers: table[addr] of table[addr] of count - &read_expire = 15 min; - - # Expire functions that trigger summaries. - global scan_summary: - function(t: table[addr] of set[addr], orig: addr): interval; - global port_summary: - function(t: table[addr] of set[port], orig: addr): interval; - global lowport_summary: - function(t: table[addr] of set[port], orig: addr): interval; - - # Indexed by scanner address, yields # distinct peers scanned. - # pre_distinct_peers tracks until addr_scan_trigger hosts first. - global pre_distinct_peers: table[addr] of set[addr] - &read_expire = 15 mins &redef; - - global distinct_peers: table[addr] of set[addr] - &read_expire = 15 mins &expire_func=scan_summary &redef; - global distinct_ports: table[addr] of set[port] - &read_expire = 15 mins &expire_func=port_summary &redef; - global distinct_low_ports: table[addr] of set[port] - &read_expire = 15 mins &expire_func=lowport_summary &redef; - - # Indexed by scanner address, yields a table with scanned hosts - # (and ports). 
- global scan_triples: table[addr] of table[addr] of set[port];
-
- global remove_possible_source:
- function(s: set[addr], idx: addr): interval;
- global possible_scan_sources: set[addr]
- &expire_func=remove_possible_source &read_expire = 15 mins;
-
- # Indexed by source address, yields user name & password tried.
- global accounts_tried: table[addr] of set[string, string]
- &read_expire = 1 days;
-
- global ignored_scanners: set[addr] &create_expire = 1 day &redef;
-
- # These tables track whether a threshold has been reached.
- # More precisely, the counter is the next index of threshold vector.
- global shut_down_thresh_reached: table[addr] of bool &default=F;
- global rb_idx: table[addr] of count
- &default=0 &read_expire = 1 days &redef;
- global rps_idx: table[addr] of count
- &default=0 &read_expire = 1 days &redef;
- global rops_idx: table[addr] of count
- &default=0 &read_expire = 1 days &redef;
- global rpts_idx: table[addr,addr] of count
- &default=0 &read_expire = 1 days &redef;
- global rat_idx: table[addr] of count
- &default=0 &read_expire = 1 days &redef;
- global rrat_idx: table[addr] of count
- &default=0 &read_expire = 1 days &redef;
-}
-
-global thresh_check: function(v: vector of count, idx: table[addr] of count,
- orig: addr, n: count): bool;
-global thresh_check_2: function(v: vector of count,
- idx: table[addr,addr] of count, orig: addr,
- resp: addr, n: count): bool;
-
-function scan_summary(t: table[addr] of set[addr], orig: addr): interval
- {
- local num_distinct_peers = orig in t ? |t[orig]| : 0;
-
- if ( num_distinct_peers >= scan_summary_trigger )
- NOTICE([$note=ScanSummary, $src=orig, $n=num_distinct_peers,
- $msg=fmt("%s scanned a total of %d hosts",
- orig, num_distinct_peers)]);
-
- return 0 secs;
- }
-
-function port_summary(t: table[addr] of set[port], orig: addr): interval
- {
- local num_distinct_ports = orig in t ? |t[orig]| : 0;
-
- if ( num_distinct_ports >= port_summary_trigger )
- NOTICE([$note=PortScanSummary, $src=orig, $n=num_distinct_ports,
- $msg=fmt("%s scanned a total of %d ports",
- orig, num_distinct_ports)]);
-
- return 0 secs;
- }
-
-function lowport_summary(t: table[addr] of set[port], orig: addr): interval
- {
- local num_distinct_lowports = orig in t ? |t[orig]| : 0;
-
- if ( num_distinct_lowports >= lowport_summary_trigger )
- NOTICE([$note=LowPortScanSummary, $src=orig,
- $n=num_distinct_lowports,
- $msg=fmt("%s scanned a total of %d low ports",
- orig, num_distinct_lowports)]);
-
- return 0 secs;
- }
-
-function clear_addr(a: addr)
- {
- delete distinct_peers[a];
- delete distinct_ports[a];
- delete distinct_low_ports[a];
- delete scan_triples[a];
- delete possible_scan_sources[a];
- delete distinct_backscatter_peers[a];
- delete pre_distinct_peers[a];
- delete rb_idx[a];
- delete rps_idx[a];
- delete rops_idx[a];
- delete rat_idx[a];
- delete rrat_idx[a];
- delete shut_down_thresh_reached[a];
- delete ignored_scanners[a];
- }
-
-function ignore_addr(a: addr)
- {
- clear_addr(a);
- add ignored_scanners[a];
- }
-
-function check_scan(c: connection, established: bool, reverse: bool): bool
- {
- if ( suppress_scan_checks )
- return F;
-
- local id = c$id;
-
- local service = "ftp-data" in c$service ? 20/tcp
- : (reverse ? id$orig_p : id$resp_p);
- local rev_service = reverse ? id$resp_p : id$orig_p;
- local orig = reverse ? id$resp_h : id$orig_h;
- local resp = reverse ? id$orig_h : id$resp_h;
- local outbound = is_local_addr(orig);
-
- # The following works better than using get_conn_transport_proto()
- # because c might not correspond to an active connection (which
- # causes the function to fail).
- if ( suppress_UDP_scan_checks &&
- service >= 0/udp && service <= 65535/udp )
- return F;
-
- if ( service in skip_services && ! outbound )
- return F;
-
- if ( outbound && service in skip_outbound_services )
- return F;
-
- if ( orig in skip_scan_sources )
- return F;
-
- if ( orig in skip_scan_nets )
- return F;
-
- # Don't include well known server/ports for scanning purposes.
- if ( ! outbound && [resp, service] in skip_dest_server_ports )
- return F;
-
- if ( orig in ignored_scanners)
- return F;
-
- if ( (! established || service !in Hot::allow_services) &&
- # not established, service not expressly allowed
-
- # not known peer set
- (orig !in distinct_peers || resp !in distinct_peers[orig]) &&
-
- # want to consider service for scan detection
- (analyze_all_services || service in analyze_services) )
- {
- if ( reverse && rev_service in backscatter_ports &&
- # reverse, non-priv backscatter port
- service >= 1024/tcp )
- {
- if ( orig !in distinct_backscatter_peers )
- {
- local empty_bs_table:
- table[addr] of count &default=0;
- distinct_backscatter_peers[orig] =
- empty_bs_table;
- }
-
- if ( ++distinct_backscatter_peers[orig][resp] <= 2 &&
- # The test is <= 2 because we get two check_scan()
- # calls, once on connection attempt and once on
- # tear-down.
-
- distinct_backscatter_peers[orig][resp] == 1 &&
-
- # Looks like backscatter, and it's not scanning
- # a privileged port.
-
- thresh_check(report_backscatter, rb_idx, orig,
- |distinct_backscatter_peers[orig]|)
- )
- {
- local rev_svc = rev_service in port_names ?
- port_names[rev_service] :
- fmt("%s", rev_service);
-
- NOTICE([$note=BackscatterSeen, $src=orig,
- $p=rev_service,
- $msg=fmt("backscatter seen from %s (%d hosts; %s)",
- orig, |distinct_backscatter_peers[orig]|, rev_svc)]);
- }
-
- if ( ignore_scanners_threshold > 0 &&
- |distinct_backscatter_peers[orig]| >
- ignore_scanners_threshold )
- ignore_addr(orig);
- }
-
- else
- { # done with backscatter check
- local ignore = F;
-
- local svc = service in port_names ?
- port_names[service] : fmt("%s", service);
-
- if ( orig !in distinct_peers && addr_scan_trigger > 0 )
- {
- if ( orig !in pre_distinct_peers )
- pre_distinct_peers[orig] = set();
-
- add pre_distinct_peers[orig][resp];
- if ( |pre_distinct_peers[orig]| < addr_scan_trigger )
- ignore = T;
- }
-
- if ( ! ignore )
- { # XXXXX
-
- if ( orig !in distinct_peers )
- distinct_peers[orig] = set() &mergeable;
-
- if ( resp !in distinct_peers[orig] )
- add distinct_peers[orig][resp];
-
- local n = |distinct_peers[orig]|;
-
- if ( activate_landmine_check &&
- n >= landmine_thresh_trigger &&
- mask_addr(resp, 24) in landmine_address )
- {
- local msg2 = fmt("landmine address trigger %s%s ", orig, svc);
- NOTICE([$note=Landmine, $src=orig,
- $p=service, $msg=msg2]);
- }
-
- # Check for threshold if not outbound.
- if ( ! shut_down_thresh_reached[orig] &&
- n >= shut_down_thresh &&
- ! outbound && orig !in neighbor_nets )
- {
- shut_down_thresh_reached[orig] = T;
- local msg = fmt("shutdown threshold reached for %s", orig);
- NOTICE([$note=ShutdownThresh, $src=orig,
- $p=service, $msg=msg]);
- }
-
- else
- {
- local address_scan = F;
- if ( outbound &&
- # inside host scanning out?
- thresh_check(report_outbound_peer_scan, rops_idx, orig, n) )
- address_scan = T;
-
- if ( ! outbound &&
- thresh_check(report_peer_scan, rps_idx, orig, n) )
- address_scan = T;
-
- if ( address_scan )
- NOTICE([$note=AddressScan,
- $src=orig, $p=service,
- $n=n,
- $msg=fmt("%s has scanned %d hosts (%s)",
- orig, n, svc)]);
-
- if ( address_scan &&
- ignore_scanners_threshold > 0 &&
- n > ignore_scanners_threshold )
- ignore_addr(orig);
- }
- }
- } # XXXX
- }
-
- if ( established )
- # Don't consider established connections for port scanning,
- # it's too easy to be mislead by FTP-like applications that
- # legitimately gobble their way through the port space.
- return F;
-
- # Coarse search for port-scanning candidates: those that have made
- # connections (attempts) to possible_port_scan_thresh or more
- # distinct ports.
- if ( orig !in distinct_ports || service !in distinct_ports[orig] )
- {
- if ( orig !in distinct_ports )
- distinct_ports[orig] = set() &mergeable;
-
- if ( service !in distinct_ports[orig] )
- add distinct_ports[orig][service];
-
- if ( |distinct_ports[orig]| >= possible_port_scan_thresh &&
- orig !in scan_triples )
- {
- scan_triples[orig] = table() &mergeable;
- add possible_scan_sources[orig];
- }
- }
-
- # Check for low ports.
- if ( activate_priv_port_check && ! outbound && service < 1024/tcp &&
- service !in troll_skip_service )
- {
- if ( orig !in distinct_low_ports ||
- service !in distinct_low_ports[orig] )
- {
- if ( orig !in distinct_low_ports )
- distinct_low_ports[orig] = set() &mergeable;
-
- add distinct_low_ports[orig][service];
-
- if ( |distinct_low_ports[orig]| == priv_scan_trigger &&
- orig !in neighbor_nets )
- {
- local s = service in port_names ? port_names[service] :
- fmt("%s", service);
- local svrc_msg = fmt("low port trolling %s %s", orig, s);
- NOTICE([$note=LowPortTrolling, $src=orig,
- $p=service, $msg=svrc_msg]);
- }
-
- if ( ignore_scanners_threshold > 0 &&
- |distinct_low_ports[orig]| >
- ignore_scanners_threshold )
- ignore_addr(orig);
- }
- }
-
- # For sources that have been identified as possible scan sources,
- # keep track of per-host scanning.
- if ( orig in possible_scan_sources )
- {
- if ( orig !in scan_triples )
- scan_triples[orig] = table() &mergeable;
-
- if ( resp !in scan_triples[orig] )
- scan_triples[orig][resp] = set() &mergeable;
-
- if ( service !in scan_triples[orig][resp] )
- {
- add scan_triples[orig][resp][service];
-
- if ( thresh_check_2(report_port_scan, rpts_idx,
- orig, resp,
- |scan_triples[orig][resp]|) )
- {
- local m = |scan_triples[orig][resp]|;
- NOTICE([$note=PortScan, $n=m, $src=orig,
- $p=service,
- $msg=fmt("%s has scanned %d ports of %s",
- orig, m, resp)]);
- }
- }
- }
-
- return T;
- }
-
-
-event account_tried(c: connection, user: string, passwd: string)
- {
- local src = c$id$orig_h;
-
- if ( src !in accounts_tried )
- accounts_tried[src] = set();
-
- if ( [user, passwd] in accounts_tried[src] )
- return;
-
- local threshold_check = F;
-
- if ( is_local_addr(src) )
- {
- if ( thresh_check(report_remote_accounts_tried, rrat_idx, src,
- |accounts_tried[src]|) )
- threshold_check = T;
- }
- else
- {
- if ( thresh_check(report_accounts_tried, rat_idx, src,
- |accounts_tried[src]|) )
- threshold_check = T;
- }
-
- if ( threshold_check && src !in skip_accounts_tried )
- {
- local m = |accounts_tried[src]|;
- NOTICE([$note=PasswordGuessing, $src=src, $n=m,
- $user=user, $sub=passwd, $p=c$id$resp_p,
- $msg=fmt("%s has tried %d username/password combinations (latest: %s@%s)",
- src, m, user, c$id$resp_h)]);
- }
-
- add accounts_tried[src][user, passwd];
- }
-
-# Check for a successful login attempt from a scan.
-event login_successful(c: connection, user: string)
- {
- local id = c$id;
- local src = id$orig_h;
-
- if ( src in accounts_tried &&
- |accounts_tried[src]| >= password_guessing_success_threshhold )
- NOTICE([$note=SuccessfulPasswordGuessing, $src=src, $conn=c,
- $msg=fmt("%s successfully logged in user '%s' after trying %d username/password combinations",
- src, user, |accounts_tried[src]|)]);
- }
-
-
-# Hook into the catch&release dropping. When an address gets restored, we reset
-# the source to allow dropping it again.
-event Drop::address_restored(a: addr)
- {
- Drop::debug_log(fmt("received restored for %s (scan.bro)", a));
- clear_addr(a);
- }
-
-event Drop::address_cleared(a: addr)
- {
- Drop::debug_log(fmt("received cleared for %s (scan.bro)", a));
- clear_addr(a);
- }
-
-# When removing a possible scan source, we automatically delete its scanned
-# hosts and ports. But we do not want the deletion propagated, because every
-# peer calls the expire_function on its own (and thus applies the delete
-# operation on its own table).
-function remove_possible_source(s: set[addr], idx: addr): interval
- {
- suspend_state_updates();
- delete scan_triples[idx];
- resume_state_updates();
-
- return 0 secs;
- }
-
-# To recognize whether a certain threshhold vector (e.g. report_peer_scans)
-# has been transgressed, a global variable containing the next vector index
-# (idx) must be incremented. This cumbersome mechanism is necessary because
-# values naturally don't increment by one (e.g. replayed table merges).
-function thresh_check(v: vector of count, idx: table[addr] of count,
- orig: addr, n: count): bool
- {
- if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
- {
- ignore_addr(orig);
- return F;
- }
-
- if ( idx[orig] < |v| && n >= v[idx[orig]] )
- {
- ++idx[orig];
- return T;
- }
- else
- return F;
- }
-
-# Same as above, except the index has a different type signature.
-function thresh_check_2(v: vector of count, idx: table[addr, addr] of count,
- orig: addr, resp: addr, n: count): bool
- {
- if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
- {
- ignore_addr(orig);
- return F;
- }
-
- if ( idx[orig,resp] < |v| && n >= v[idx[orig, resp]] )
- {
- ++idx[orig,resp];
- return T;
- }
- else
- return F;
- }
-
-event connection_established(c: connection)
- {
- local is_reverse_scan = (c$orig$state == TCP_INACTIVE);
- Scan::check_scan(c, T, is_reverse_scan);
-
- local trans = get_port_transport_proto(c$id$orig_p);
- if ( trans == tcp && ! is_reverse_scan && TRW::use_TRW_algorithm )
- TRW::check_TRW_scan(c, conn_state(c, trans), F);
- }
-
-event partial_connection(c: connection)
- {
- Scan::check_scan(c, T, F);
- }
-
-event connection_attempt(c: connection)
- {
- Scan::check_scan(c, F, c$orig$state == TCP_INACTIVE);
-
- local trans = get_port_transport_proto(c$id$orig_p);
- if ( trans == tcp && TRW::use_TRW_algorithm )
- TRW::check_TRW_scan(c, conn_state(c, trans), F);
- }
-
-event connection_half_finished(c: connection)
- {
- # Half connections never were "established", so do scan-checking here.
- Scan::check_scan(c, F, F);
- }
-
-event connection_rejected(c: connection)
- {
- local is_reverse_scan = c$orig$state == TCP_RESET;
-
- Scan::check_scan(c, F, is_reverse_scan);
-
- local trans = get_port_transport_proto(c$id$orig_p);
- if ( trans == tcp && TRW::use_TRW_algorithm )
- TRW::check_TRW_scan(c, conn_state(c, trans), is_reverse_scan);
- }
-
-event connection_reset(c: connection)
- {
- if ( c$orig$state == TCP_INACTIVE || c$resp$state == TCP_INACTIVE )
- # We never heard from one side - that looks like a scan.
- Scan::check_scan(c, c$orig$size + c$resp$size > 0,
- c$orig$state == TCP_INACTIVE);
- }
-
-event connection_pending(c: connection)
- {
- if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
- Scan::check_scan(c, F, F);
- }
-
-# Report the remaining entries in the tables.
-event bro_done()
- {
- for ( orig in distinct_peers )
- scan_summary(distinct_peers, orig);
-
- for ( orig in distinct_ports )
- port_summary(distinct_ports, orig);
-
- for ( orig in distinct_low_ports )
- lowport_summary(distinct_low_ports, orig);
- }
diff --git a/policy.old/secondary-filter.bro b/policy.old/secondary-filter.bro
deleted file mode 100644
index 025e450225..0000000000
--- a/policy.old/secondary-filter.bro
+++ /dev/null
@@ -1,44 +0,0 @@
-# $Id: secondary-filter.bro 6022 2008-07-25 19:15:00Z vern $
-
-# Examples of using the secondary-filter matching path.
-
-event rst_syn_fin_flag(filter: string, pkt: pkt_hdr)
- {
- print "rst_syn_fin_flag()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
- pkt$ip$dst, pkt$tcp$dport);
- }
-
-event a_udp_event(filter: string, pkt: pkt_hdr)
- {
- print "a_udp_event()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$udp$sport,
- pkt$ip$dst, pkt$udp$dport);
- }
-
-event a_tcp_event(filter: string, pkt: pkt_hdr)
- {
- print "a_tcp_event()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
- pkt$ip$dst, pkt$tcp$dport);
- }
-
-event sampled_1_in_1024_packet(filter: string, pkt: pkt_hdr)
- {
- print "sampled packet:";
- print "ip", pkt$ip;
-
- if ( pkt?$tcp )
- print "tcp", pkt$tcp;
- if ( pkt?$udp )
- print "udp", pkt$udp;
- if ( pkt?$icmp )
- print "icmp", pkt$icmp;
- }
-
-redef secondary_filters += {
- ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
- ["udp"] = a_udp_event,
- ["tcp"] = a_tcp_event,
- ["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
-};
diff --git a/policy.old/sensor-sshd.bro b/policy.old/sensor-sshd.bro
deleted file mode 100644
index 060f0cef68..0000000000
--- a/policy.old/sensor-sshd.bro
+++ /dev/null
@@ -1,276 +0,0 @@
-# $Id: sensor-sshd.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# sshd sensor input, i.e., events received from instrumented SSH servers
-# that communicate with Bro via the Broccoli library.
-
-# We leverage the login analyzer:
-@load login
-@load remote
-
-# To prevent requesting sshd events from any peering Bro that connects,
-# here is a list of our sshds. List the IP addresses of the hosts your
-# sshds are running on here:
-#
-redef Remote::destinations += {
- ["sshd1"] = [$host = 127.0.0.1, $events = /sensor_sshd.*/, $connect=F, $ssl=F]
-};
-
-# A big log file for all kinds of notes:
-#
-global sshd_log: file = open_log_file("sshd");
-
-# A record gathering everything we need to know per connection
-# from an ssh client to the sshd:
-#
-type sshd_conn: record {
-
- # Connection record we create for connections to sshd
- conn: connection;
-
- # A table indexed by channel numbers, yielding files.
- # For each channel that contains a shell session this
- # table contains a file to which the session content is
- # logged.
- sessions: table[count] of file;
-};
-
-# To avoid reporting IP/port quadruples repeatedly, connections in
-# sshd are identified through a globally unique identifier for the
-# sshd server (a string) plus an numerical identifier for each
-# connection to that sshd.
-#
-global sshd_conns: table[string, count] of sshd_conn;
-
-
-function sshd_conn_new(src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port,
- ts: time): sshd_conn
- {
- local id: conn_id;
- id$orig_h = src_ip;
- id$orig_p = src_p;
- id$resp_h = dst_ip;
- id$resp_p = dst_p;
-
- local orig: endpoint;
- local resp: endpoint;
- orig$size = resp$size = 0;
- orig$state = resp$state = 0;
-
- local c: connection;
- c$id = id;
- c$orig = orig;
- c$resp = resp;
- c$start_time = ts;
- c$duration = 0 sec;
-
- # We mark this connection so the login analyzer can
- # understand that it is a login session.
- add c$service["ssh-login"];
-
- c$addl = "";
- c$hot = 0;
-
- local sc: sshd_conn;
- sc$conn = c;
-
- return sc;
- }
-
-
-event sensor_sshd_listen(ts: time, sid: string,
- server_ip: addr, server_p: port)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd listening at %s:%d",
- ts, get_event_peer()$host, sid, server_ip, server_p);
- }
-
-
-event sensor_sshd_restart(ts: time, sid: string)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd %s restarted",
- ts, get_event_peer()$host, sid, sid);
- }
-
-
-event sensor_sshd_exit(ts: time, sid: string)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd %s exiting",
- ts, get_event_peer()$host, sid, sid);
- }
-
-
-event sensor_sshd_conn_new(ts: time, sid: string, cid: count,
- src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port)
- {
- local sc = sshd_conn_new(src_ip, src_p, dst_ip, dst_p, ts);
- sshd_conns[sid, cid] = sc;
- print sshd_log, fmt("[%D][%s:%s:%d] conn attempt from %s:%d to %s:%d",
- ts, get_event_peer()$host, sid, cid, src_ip, sc$conn$id$orig_p,
- dst_ip, sc$conn$id$resp_p);
-
- Login::new_login_session(sc$conn, get_event_peer()$id, 0);
- }
-
-
-event sensor_sshd_conn_end(ts: time, sid: string, cid: count)
- {
- local pid = get_event_peer()$id;
- local sc = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d] conn terminated",
- ts, get_event_peer()$host, sid, cid);
-
- Login::remove_login_session(sc$conn, pid);
- delete sshd_conns[sid, cid];
- }
-
-
-event sensor_sshd_auth_ok(ts: time, sid: string, cid: count,
- user: string, uid: int, gid: int)
- {
- local pid = get_event_peer()$id;
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth ok: %s (%d/%d)",
- ts, get_event_peer()$host, sid, cid, user, uid, gid);
-
- Login::ext_set_login_state(sc$conn$id, pid, LOGIN_STATE_LOGGED_IN);
- event authentication_accepted(user, sc$conn);
- }
-
-
-event sensor_sshd_auth_failed(ts: time, sid: string, cid: count, user: string)
- {
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth reject: user %s from %s:%d",
- ts, get_event_peer()$host, sid, cid, user,
- sc$conn$id$orig_h, sc$conn$id$orig_p);
-
- event authentication_rejected(user, sc$conn);
- }
-
-
-event sensor_sshd_auth_timeout(ts: time, sid: string, cid: count)
- {
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth timeout", ts,
- sid, get_event_peer()$host, cid);
- }
-
-
-event sensor_sshd_auth_password_attempt(ts: time, sid: string, cid: count,
- user: string, password: string,
- valid: bool)
- {
- local sc = sshd_conns[sid, cid];
-
- if ( ! valid )
- {
- print sshd_log, fmt("[%D][%s:%s:%d] password bad: user %s, password '%s'",
- ts, get_event_peer()$host, sid, cid, user, password);
- event login_failure(sc$conn, user, "", password, "");
- }
- else
- {
- print sshd_log, fmt("[%D][%s:%s:%d] password ok: user %s, password '%s'",
- ts, get_event_peer()$host, sid, cid, user, password);
- event login_success(sc$conn, user, "", password, "");
- }
- }
-
-
-event sensor_sshd_channel_new_session(ts: time, sid: string, cid: count,
- chan_id: count, stype: string)
- {
- local sc = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new session: type %s",
- ts, get_event_peer()$host, sid, cid, chan_id, stype);
-
- if ( stype == "shell" )
- {
- local filename =
- fmt("sshd-%s-%s-%d-%d.log",
- get_event_peer()$host, sid, cid, chan_id);
- sc$sessions[chan_id] = open(filename);
- }
- }
-
-
-event sensor_sshd_channel_new_forward(ts: time, sid: string,
- cid: count, chan_id: count,
- src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port,
- s2h: bool)
- {
- if ( s2h )
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d -> c -> s -> %s:%d",
- ts, get_event_peer()$host, sid, cid,
- chan_id, src_ip, src_p, dst_ip, dst_p);
- else
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d <- c <- s <- %s:%d",
- ts, get_event_peer()$host, sid, cid,
- chan_id, dst_ip, dst_p, src_ip, src_p);
- }
-
-
-event sensor_sshd_data_rx(ts: time, sid: string, cid: count, chan_id: count,
- line: string)
- {
- local sc = sshd_conns[sid, cid];
-
- if ( chan_id in sc$sessions )
- {
- print sc$sessions[chan_id],
- fmt("[%D][%s:%s:%d:%d] rx: %s", ts,
- get_event_peer()$host, sid, cid, chan_id, line);
- event login_output_line(sc$conn, line);
- }
- }
-
-
-event sensor_sshd_data_tx(ts: time, sid: string, cid: count,
- chan_id: count, line: string)
- {
- local sc: sshd_conn = sshd_conns[sid, cid];
-
- if ( chan_id in sc$sessions )
- {
- print sc$sessions[chan_id],
- fmt("[%D][%s:%s:%d:%d] tx: %s", ts,
- get_event_peer()$host, sid, cid, chan_id, line);
- event login_input_line(sc$conn, line);
- }
- }
-
-
-event sensor_sshd_exec(ts: time, sid: string, cid: count,
- chan_id: count, command: string)
- {
- print sshd_log,
- fmt("[%D][%s:%s:%d:%d] exec: '%s'", ts, get_event_peer()$host,
- sid, cid, chan_id, command);
- }
-
-
-event sensor_sshd_channel_exit(ts: time, sid: string, cid: count,
- chan_id: count, status: int)
- {
- print sshd_log,
- fmt("[%D][%s:%s:%d:%d] channel exit, code %d", ts,
- get_event_peer()$host, sid, cid, chan_id, status);
- }
-
-
-event sensor_sshd_channel_cleanup(ts: time, sid: string, cid: count,
- chan_id: count)
- {
- local sc: sshd_conn = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d:%d] channel cleanup",
- ts, get_event_peer()$host, sid, cid, chan_id);
-
- if ( chan_id in sc$sessions )
- delete sc$sessions[chan_id];
- }
diff --git a/policy.old/service-probe.bro b/policy.old/service-probe.bro
deleted file mode 100644
index 2cb02a3463..0000000000
--- a/policy.old/service-probe.bro
+++ /dev/null
@@ -1,97 +0,0 @@
-# $Id: service-probe.bro 5892 2008-07-01 02:37:03Z vern $
-#
-# Detects hosts that continually bang away at a particular service
-# of a local host, for example for brute-forcing passwords.
-#
-# Written by Jim Mellander, LBNL.
-# Updated by Robin Sommer, ICSI.
-
-@load conn
-
-module ServiceProbe;
-
-export {
- redef enum Notice += { ServiceProbe };
-
- # No work gets done unless this is set.
- global detect_probes = F &redef;
-
- # By default, look for service probes targeting MySQL and SSH.
- global probe_ports = { 1433/tcp, 22/tcp, } &redef;
-
- # They have to connect to this many to be flagged.
- global connect_threshold: table[port] of count &default=100 &redef;
-
- # How many bytes the connection must have to be considered potentially
- # a probe. If missing, then there's no lower/upper bound.
- #
- # Note, the attack that motivated including these was SSH password
- # guessing, where it was empirically determined that connections
- # with > 1KB and < 2KB bytes transferred appear to be unsuccessful
- # password guesses.
- #
- global min_bytes: table[port] of int &default=-1 &redef;
- global max_bytes: table[port] of int &default=-1 &redef;
-
- # How many tries a given originator host has made against a given
- # port on a given responder host.
- global tries: table[addr, addr, port] of count
- &default=0 &read_expire = 10 min;
-}
-
-global reported_hosts: set[addr] &read_expire = 1 day;
-
-function service_probe_check(c: connection)
- {
- if ( ! detect_probes )
- return;
-
- local id = c$id;
- local orig = id$orig_h;
- local resp = id$resp_h;
- local service = (port_names[20/tcp] in c$service) ? 20/tcp : id$resp_p;
-
- if ( orig in reported_hosts )
- # We've already blocked them.
- return;
-
- if ( is_local_addr(orig) )
- # We only analyze probes of local servers.
- return;
-
- if ( service !in probe_ports )
- # Not a port we care about.
- return;
-
- local enough_bytes = T;
- local bytes_xferred = c$orig$size + c$resp$size;
-
- if ( service in min_bytes && bytes_xferred < min_bytes[service] )
- enough_bytes = F;
-
- if ( service in max_bytes && bytes_xferred > max_bytes[service] )
- enough_bytes = F;
-
- if ( ! enough_bytes )
- return;
-
- local cnt = ++tries[orig, resp, service];
- if ( cnt == connect_threshold[service] )
- {
- local svc = service_name(c);
-
- NOTICE([$note=ServiceProbe, $src=orig,
- $msg=fmt("service probing %s -> %s %s",
- orig, resp, svc)]);
-
- # Since we've dropped this host, we can now release the space.
- delete tries[orig, resp, service];
- add reported_hosts[orig];
- }
- }
-
-
-event connection_state_remove(c: connection)
- {
- service_probe_check(c);
- }
diff --git a/policy.old/sigs/http-bots.sig b/policy.old/sigs/http-bots.sig
deleted file mode 100644
index 26f61c7d45..0000000000
--- a/policy.old/sigs/http-bots.sig
+++ /dev/null
@@ -1,93 +0,0 @@
-# $Id:$
-#
-# Some signatures for detecting certain HTTP-based botnet activity.
-
-signature nethell {
- http-request /.*php\?userid=/
- http-request-body /userid=[0-9]{8}_/
- event "Nethell request"
-}
-
-signature bzub {
- http-request /.*ver=.*&lg=.*&phid=.*&r=/
- http-request-body /phid=[A-F0-9]{64}/
- event "bzub request"
-}
-
-signature iebho {
- http-request /.*ver=.*&lg=.*&phid=/
- http-request-body /phid=[A-F0-9]{32}/
- event "IEBHO request"
-}
-
-signature bebloh {
- payload /^GET/
- http-request /.*get\.php\?type=slg&id=/
- event "Bebloh request"
-}
-
-signature black_enery {
- payload /^POST/
- http-request-header /Cache-Control: no-cache/
- http-request-body /.*id=.*&build_id=.*id=x.+_[0-9A-F]{8}&build_id=.+/
- event "Black energy request"
-}
-
-signature waledec {
- payload /^POST/
- http-request /\/[A-Za-z0-9]+\.[pP][nN][gG]/
- event "Waledec request"
-}
-
-signature silentbanker {
- payload /^POST/
- http-request /.*\/getcfg\.php/
- event "SilentBanker request"
-}
-
-signature icepack {
- payload /^GET/
- http-request /.*\/exe\.php/
- event "Icepack request"
-}
-
-signature torpig {
- payload /^POST/
- http-request /.*\/gate\.php/
- event "Torpig request"
-}
-
-signature peed {
- http-request /.*\/controller\.php\?action=/
- http-request /.*&entity/
- http-request /.*&rnd=/
- event "Peed request"
-}
-
-signature gozi {
- payload /^GET/
- http-request /.*\?user_id=/
- http-request /.*&version_id=/
- http-request /.*&crc=/
- event "Gozi request"
-}
-
-signature wsnpoem {
- payload /^GET/
- http-request /.*\/((cfg|config)[0-9]*)\.bin$/
- event "wsnpoem request"
-}
-
-signature pinch {
- payload /^POST/
- http-request /.*\?act=online&.*s4=.*&s5=.*&nickname=/
- http-request-body /.*msg_out=/
- event "pinch request"
-}
-
-signature grum {
- payload /^GET/
- http-request /.*s_alive\.php/
- event "Grum request"
-}
-
diff --git a/policy.old/sigs/p0fsyn.osf b/policy.old/sigs/p0fsyn.osf
deleted file mode 100644
index 8767265819..0000000000
--- a/policy.old/sigs/p0fsyn.osf
+++ /dev/null
@@ -1,773 +0,0 @@
-#
-# p0f - SYN fingerprints
-# ----------------------
-#
-# .-------------------------------------------------------------------------.
-# | The purpose of this file is to cover signatures for incoming TCP/IP |
-# | connections (SYN packets). This is the default mode of operation for |
-# | p0f. This is also the biggest and most up-to-date set of signatures |
-# | shipped with this project. The file also contains a detailed discussion |
-# | of all metrics examined by p0f, and some practical notes on how to |
-# | add new signatures. |
-# `-------------------------------------------------------------------------'
-#
-# (C) Copyright 2000-2003 by Michal Zalewski
-#
-# Each line in this file specifies a single fingerprint. Please read the
-# information below carefully before attempting to append any signatures
-# reported by p0f as UNKNOWN to this file to avoid mistakes. Note that
-# this file is compatible only with the default operation mode, and not
-# with -R or -A options (SYN+ACK and RST+ modes).
-#
-# We use the following set metrics for fingerprinting:
-#
-# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
-# performance control (max. amount of data to be sent without ACK).
-# Some systems use a fixed value for initial packets. On other
-# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
-# cases, the value is just arbitrary.
-#
-# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
-# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
-# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
-# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
-# literally. If you know this device has a simple stack and a fixed
-# MTU, you can however multiply S value by MSS, or T value by MSS+40,
-# and put it instead of Snn or Tnn. One system may exhibit several T
-# or S values. In some situations, this might be a source of some
-# additional information about the setup if you have some time to dig
-# thru the kernel sources; in some other cases, like Windows, there seem
-# to be a multitude of variants and WSS selection algorithms, but it's
-# rather difficult to find a pattern without having the source.
-#
-# If WSS looks like a regular fixed value (for example is a power of two),
-# or if you can confirm the value is fixed by looking at several
-# fingerprints, please quote it literaly. If there's no apparent pattern
-# in WSS chosen, you should consider wildcarding this value - but this
-# should be the last option.
-#
-# NOTE: Some NAT devices, such as Linux iptables with --set-mss, will
-# modify MSS, but not WSS. As a result, MSS is changed to reflect
-# the MTU of the NAT device, but WSS remains a multiple of the original
-# MSS. Fortunately for us, the source device would almost always be
-# hooked up to Ethernet. P0f handles it automatically for the original
-# MSS of 1460, by adding "NAT!" tag to the result.
-#
-# In certain configurations, Linux erratically (?) uses MTU from another
-# interface on the default gw interface. This only happens on systems with
-# two network interfaces. Thus, some Linux systems that do not go thru NAT,
-# but have multiple interfaces instead, will be also tagged this way.
-#
-# P0f recognizes and automatically wildcards WSS of 12345, as generated
-# by sendack and sendsyn utilities shipped with the program, when
-# reporting a new signature. See test/sendack.c and test/sendsyn.c for more
-# information about this.
-#
-# - Overall packet size - a function of all IP and TCP options and bugs.
-# While this is partly redundant in the real world, we record this value
-# to capture rare cases when there are IP options (which we do not currently
-# examine) or packet data past the headers. Both situations are rare.
-#
-# Packet size MAY be wildcarded, but the meaning of the wildcard is
-# very special, and means the packet must be larger than PACKET_BIG
-# (defined in config.h as 100). This is usually not necessary, except
-# for some really broken implementations in RST+ mode. For more information,
-# see p0fr.fp. P0f automatically wildcards big packets when reporting
-# new signatures.
-#
-# NEW SIGNATURE: Copy this value literally.
-#
-# - Initial TTL - We check the actual TTL of a received packet. It can't
-# be higher than the initial TTL, and also shouldn't be dramatically
-# lower (maximum distance is defined in config.h as 40 hops).
-#
-# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
-# You need to determine the initial TTL. The best way to do it is to
-# check the documentation for a remote system, or check its settings.
-# A fairly good method is to simply round the observed TTL up to
-# 32, 64, 128, or 255, but it should be noted that some obscure devices
-# might not use round TTLs (in particular, some shoddy appliances and
-# IRIX and Tru64 are known to use "original" initial TTL settings). If not
-# sure, use traceroute or mtr to see how far you are from the host.
-#
-# Note that -F option overrides this check if no signature can be found.
-#
-# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
-# discovery. Others do not bother.
-#
-# NEW SIGNATURE: Copy this value literally. Note: this setting is
-# sometimes cleared by firewalls and/or certain connectivity clients.
-# Try to find out what's the actual state for a given OS if you see both,
-# and add the right one. P0f will automatically detect a case when a
-# firewall removed the DF flag and will append "(firewall!)" suffix to
-# the signature, so if the DF version is the right one, don't add no-DF
-# variant, unless it has a different meaning.
-#
-# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
-# uses it to determine link type of the remote host.
-#
-# NEW SIGNATURE: Always wildcard this value, except for rare cases when
-# you have an appliance with a fixed value, know the system supports only
-# a very limited number of network interface types, or know the system
-# is using a value it pulled out of nowhere. I use specific unique MSS
-# to tell Google crawlbots from the rest of Linux population, for example.
-#
-# If a specific MSS/MTU is unique to a certain link type, be sure to
-# add it to mtu.h instead of creating several variants of each signature.
-#
-# - Window scaling (WSCALE) - this feature is used to scale WSS.
-# It extends the size of a TCP/IP window to 32 bits, of sorts. Some modern
-# systems implement this feature.
-#
-# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
-# to zero or other low value. There's usually no need to wildcard this
-# parameter.
-#
-# - Timestamp - some systems that implement timestamps set them to
-# zero in the initial SYN. This case is detected and handled appropriately.
-#
-# NEW SIGNATURE: Copy T or T0 option literally.
-#
-# - Selective ACK permitted - a flag set by systems that implement
-# selective ACK functionality,
-#
-# NEW SIGNATURE: copy S option literally.
-#
-# - NOP option - its presence, count and sequence is a useful OS-dependent
-# characteristic,
-#
-# NEW SIGNATURE: copy N options literally.
-#
-# - Other and unrecognized options (TTCP-related and such) - implemented by
-# some eccentric or very buggy TCP/IP stacks ;-),
-#
-# NEW SIGNATURE: copy ? options literally.
-#
-# - EOL option. Contrary to the popular belief, the presence of EOL
-# option is actually quite rare, most systems just NOP-pad to the
-# packet boundary.
-#
-# NEW SIGNATURE: copy E option literally.
-#
-# - The sequence of TCP all options mentioned above - this is very
-# specific to the implementation,
-#
-# NEW SIGNATURE: Copy the sequence literally.
-#
-# - Quirks. Some buggy stacks set certain values that should be zeroed in a
-# TCP packet to non-zero values. This has no effect as of today, but is
-# a valuable source of information. Some systems actually seem to leak
-# memory there. Other systems just exhibit harmful but very specific
-# behavior. This section captures all unusual yes-no properties not
-# related to the main and expected header layout. We detect the following:
-#
-# - Data past the headers. Neither SYN nor SYN+ACK packets are supposed
-# to carry any payload. If they do, we should take notice. The actual
-# payload is not examined, but will be displayed if use the -X option.
-# Note that payload is not unusual in RST+ mode (see p0fr.fp), very
-# rare otherwise.
-#
-# - Options past EOL. Some systems have some trailing data past EOL
-# in the options section of TCP/IP headers. P0f does not examine this
-# data as of today, simply detects its presence. If there is a
-# confirmed sizable population of systems that have data past EOL, it
-# might be a good idea to look at it. Until then, you have to recompile
-# p0f with DEBUG_EXTRAS set or use -x to display this data,
-#
-# - Zero IP ID. This again is a (mostly) harmless setting to use a fixed
-# IP ID for packets with DF set. Some systems reportedly use zero ID,
-# most OSes do not. There is a very slight probability of a false
-# positive when IP ID is "naturally" chosen to be zero on a system
-# that otherwise does set proper values, but the probability is
-# neglible (if it becomes a problem, recompile p0f with IGNORE_ZEROID
-# set in the sources).
-#
-# - IP options specified. Usually, packets do not have any IP options
-# set, but there can be some. Until there is a confirmed sizable
-# population of systems that do have IP options in a packet, p0f
-# does not examine those in detail, but it might change (use
-# DEBUG_EXTRAS or -x to display IP options if any found),
-#
-# - URG pointer value. SYN packets do not have URG flag set, so the
-# value in URG pointer in TCP header is ignored. Most systems set it
-# to zero, but some OSes (some versions of Windows, for example) do
-# not zero this field or even simply leak memory; the actual value is
-# not examined, because most cases seem to be just random garbage
-# (you can use DEBUG_EXTRAS or -x to report this information though);
-# see doc/win-memleak.txt for more information,
-#
-# "Unused" field value. This should be always zero, but some systems
-# forget to clear it. This might result in some funny issues in the
-# future. P0f checks for non-zero value (and will display it if
-# DEBUG_EXTRAS is set, or you can use -x),
-#
-# - ACK number non-zero. ACK value in SYN packets with no ACK flag
-# is disregarded and is usually set to zero (just like with URG
-# pointer), but some systems forget to do it. The exact value is
-# not examined (but will be displayed with DEBUG_EXTRAS, or you can
-# use -x). Note that this is not an anomaly in SYN+ACK and RST+ modes,
-#
-# - Non-zero second timestamp. The initial SYN packet should have the
-# second timestamp always zeroed. SYN+ACK and RST+ may "legally" have
-# this quirk though,
-#
-# - Unusual flags. If, in addition to SYN (or SYN+ACK), there are some
-# auxilinary flags that do not modify the very meaning of a packet,
-# p0f records this (this can be URG, PUSH, or something else).
-#
-# Note: ECN flags (ECE and CWR) are ignored and denoted in a separate
-# way. ECN is never by default, because some systems can't handle it,
-# and it probably does not make much sense to include it in signatures
-# right now.
-#
-# - TCP option segment parsing problems. If p0f fails to decode options
-# because of a badly broken packet, it records this fact.
-#
-# There are several other quirks valid only in RST+ mode, see p0fr.fp for
-# more information. Those quirks are unheard of in SYN and SYN+ACK
-# modes.
-#
-# NEW SIGNATURE: Copy "quirks" section literally.
-# -# We DO NOT use ToS for fingerprinting. While the original TCP/IP -# fingerprinting research believed this value would be useful for this -# purpose, it is not. The setting is way too often tweaked by network -# devices. -# -# To wildcard MSS, WSS or WSCALE, replace it with '*'. You can also use a -# modulo operator to match any values that divide by nnn - '%nnn' (and, -# as stated above, WSS also supports special values Snn and Tnn). -# -# Fingerprint entry format: -# -# wwww:ttt:D:ss:OOO...:QQ:OS:Details -# -# wwww - window size (can be * or %nnn or Sxx or Txx) -# "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed. -# ttt - initial TTL -# D - don't fragment bit (0 - not set, 1 - set) -# ss - overall SYN packet size (* has a special meaning) -# OOO - option value and order specification (see below) -# QQ - quirks list (see below) -# OS - OS genre (Linux, Solaris, Windows) -# details - OS description (2.0.27 on x86, etc) -# -# If OS genre starts with '*', p0f will not show distance, link type -# and timestamp data. It is useful for userland TCP/IP stacks of -# network scanners and so on, where many settings are randomized or -# bogus. -# -# If OS genre starts with @, it denotes an approximate hit for a group -# of operating systems (signature reporting still enabled in this case). -# Use this feature at the end of this file to catch cases for which -# you don't have a precise match, but can tell it's Windows or FreeBSD -# or whatnot by looking at, say, flag layout alone. -# -# If OS genre starts with - (which can prefix @ or *), the entry is -# not considered to be a real operating system (but userland stack -# instead). It is important to mark all scanners and so on with -, -# so that they are not used for masquerade detection (also add this -# prefix for signatures of application-induced behavior, such as -# increased window size with Opera browser). 
-# -# Option block description is a list of comma or space separated -# options in the order they appear in the packet: -# -# N - NOP option -# E - EOL option -# Wnnn - window scaling option, value nnn (or * or %nnn) -# Mnnn - maximum segment size option, value nnn (or * or %nnn) -# S - selective ACK OK -# T - timestamp -# T0 - timestamp with zero value -# ?n - unrecognized option number n. -# -# P0f can sometimes report ?nn among the options. This means it couldn't -# recognize this option (option number nn). It's either a bug in p0f, or -# a faulty TCP/IP stack, or, if the number is listed here: -# -# http://www.iana.org/assignments/tcp-parameters -# -# ...the stack might be simply quite exotic. -# -# To denote no TCP options, use a single '.'. -# -# Quirks section is usually an empty list ('.') of oddities or bugs of this -# particular stack. List items are not separated in any way. Possible values: -# -# P - options past EOL, -# Z - zero IP ID, -# I - IP options specified, -# U - urg pointer non-zero, -# X - unused (x2) field non-zero, -# A - ACK number non-zero, -# T - non-zero second timestamp, -# F - unusual flags (PUSH, URG, etc), -# D - data payload, -# ! - broken options segment. -# -# WARNING WARNING WARNING -# ----------------------- -# -# Do not add a system X as OS Y just because NMAP says so. It is often -# the case that X is a NAT firewall. While nmap is talking to the -# device itself, p0f is fingerprinting the guy behind the firewall -# instead. -# -# When in doubt, use common sense, don't add something that looks like -# a completely different system as Linux or FreeBSD or LinkSys router. -# Check DNS name, establish a connection to the remote host and look -# at SYN+ACK (p0f -A -S should do) - does it look similar? -# -# Some users tweak their TCP/IP settings - enable or disable RFC1323, -# RFC1644 or RFC2018 support, disable PMTU discovery, change MTU, initial -# TTL and so on. 
Always compare a new rule to other fingerprints for -# this system, and verify the system isn't "customized". It is OK to -# add signature variants caused by commonly used software (PFs, security -# packages, etc), but it makes no sense to try to add every single -# possible /proc/sys/net/ipv4/* tweak on Linux or so. -# -# KEEP IN MIND: Some packet firewalls configured to normalize outgoing -# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, -# normalize packets. Signatures will not correspond to the originating -# system (and probably not quite to the firewall either). -# -# NOTE: Try to keep this file in some reasonable order, from most to -# least likely systems. This will speed up operation. Also keep most -# generic and broad rules near ehe end. -# -# Still decided to add signature? Let us know - mail a copy of your discovery -# to lcamtuf@coredump.cx. You can help make p0f better, and I can help you -# make your signature more accurate. -# - -########################## -# Standard OS signatures # -########################## - -# ----------------- AIX --------------------- - -# AIX is first because its signatures are close to NetBSD, MacOS X and -# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... -# This is a shoddy hack, though. - -45046:64:0:44:M*:.:AIX:4.3 - -16384:64:0:44:M512:.:AIX:4.3.2 and earlier - -16384:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (1) -32768:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (2) -65535:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (3) - -65535:64:0:64:M*,N,W1,N,N,T,N,N,S:.:AIX:5.3 ML1 - -# ----------------- Linux ------------------- - -512:64:0:44:M*:.:Linux:2.0.3x (1) -16384:64:0:44:M*:.:Linux:2.0.3x (2) - -# Endian snafu! Nelson says "ha-ha": -2:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (1) -64:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (2) - -S4:64:1:60:M1360,S,T,N,W0:.:Linux:2.4 (Google crawlbot) - -# Linux 2.6.0-test has an identical footprint as 2.4. 
I -# wouldn't put it here until 2.6 gets a bit more, err, -# mature (and perhaps starts to differ ;-), but many -# people keep submitting 2.6.0-tests. - -S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (big boy) -S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4.18 and newer -S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4/2.6 - -S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4) (1) -S4:64:1:60:M*,S,T,N,W1:.:Linux:2.5/2.6 (sometimes 2.4) (2) -S3:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (3) -S4:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (4) - -S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer -S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1) -S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2) - -# Popular cluster config scripts disable timestamps and -# selective ACK: - -S4:64:1:48:M1460,N,W0:.:Linux:2.4 in cluster - -# This needs to be investigated. On some systems, WSS -# is selected as a multiple of MTU instead of MSS. I got -# many submissions for this for many late versions of 2.4: - -T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (late, uncommon) - -# This happens only over loopback, but let's make folks happy: -32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (local) -S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (local) - -# Opera visitors: -16384:64:1:60:M*,S,T,N,W0:.:-Linux:2.2 (Opera?) -32767:64:1:60:M*,S,T,N,W0:.:-Linux:2.4 (Opera?) 
- -# Some fairly common mods: -S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 w/o timestamps -S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 w/o timestamps - -# ----------------- FreeBSD ----------------- - -16384:64:1:44:M*:.:FreeBSD:2.0-4.1 -16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (1) - -1024:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (2) - -57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (no RFC1323) -57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.8 - -32768:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.8-5.1 (or MacOS X 10.2-10.3) -65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (1) -65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (2) - -65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-current (1) -65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-current (2) -65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-current (3) - -# 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (w/o timestamps) - -# ----------------- NetBSD ------------------ - -16384:64:0:60:M*,N,W0,N,N,T:.:NetBSD:1.3 -65535:64:0:60:M*,N,W0,N,N,T0:.:-NetBSD:1.6 (Opera) -16384:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6 -65535:64:1:60:M*,N,W1,N,N,T0:.:NetBSD:1.6W-current (DF) -65535:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6X (DF) - -# ----------------- OpenBSD ----------------- - -16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 -57344:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.3-3.4 -16384:64:0:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 (scrub) -65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera) - -# ----------------- Solaris ----------------- - -S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:.:Solaris:8 (RFC1323 on) -S17:64:1:48:N,N,S,M*:.:Solaris:8 (1) -S17:255:1:44:M*:.:Solaris:2.5 to 7 - -# Sometimes, just sometimes, Solaris feels like coming up with -# rather arbitrary MSS values ;-) - -S6:255:1:44:M*:.:Solaris:2.5-7 -S23:64:1:48:N,N,S,M*:.:Solaris:8 (2) -S34:64:1:48:M*,N,N,S:.:Solaris:9 -S44:255:1:44:M*:.:Solaris:7 - -4096:64:0:44:M1460:.:SunOS:4.1.x - -S34:64:1:52:M*,N,W0,N,N,S:.:Solaris:10 (beta) - -# ----------------- IRIX -------------------- 
- -49152:60:0:44:M*:.:IRIX:6.2-6.4 -61440:60:0:44:M*:.:IRIX:6.2-6.5 -49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323) (1) -49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323) (2) - -61440:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (1) -49152:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (2) - -# ----------------- Tru64 ------------------- -# Tru64 and OpenVMS share the same stack on occassions. -# Relax. - -32768:60:1:48:M*,N,W0:.:Tru64:4.0 (or OS/2 Warp 4) -32768:60:0:48:M*,N,W0:.:Tru64:5.0 (or OpenVMS 7.x on Compaq 5.0 stack) -8192:60:0:44:M1460:.:Tru64:5.1 (no RFC1323) (or QNX 6) -61440:60:0:48:M*,N,W0:.:Tru64:v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) - -# ----------------- OpenVMS ----------------- - -6144:64:1:60:M*,N,W0,N,N,T:.:OpenVMS:7.2 (Multinet 4.3-4.4 stack) - -# ----------------- MacOS ------------------- - -S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic - -16616:255:1:48:M*,W0,E:.:MacOS:7.3-8.6 (OTTCP) -16616:255:1:48:M*,N,N,N,E:.:MacOS:8.1-8.6 (OTTCP) -32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2 - -32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (1) (OT 2.7.4) -65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (2) (OT 2.7.4) - -# ----------------- Windows ----------------- - -# Windows TCP/IP stack is a mess. For most recent XP, 2000 and -# even 98, the pathlevel, not the actual OS version, is more -# relevant to the signature. They share the same code, so it would -# seem. Luckily for us, almost all Windows 9x boxes have an -# awkward MSS of 536, which I use to tell one from another -# in most difficult cases. - -8192:32:1:44:M*:.:Windows:3.11 (Tucows) -S44:64:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95 -8192:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95b - -# There were so many tweaking tools and so many stack versions for -# Windows 98 it is no longer possible to tell them from each other -# without some very serious research. 
Until then, there's an insane -# number of signatures, for your amusement: - -S44:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (1) -8192:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (2) -%8192:64:1:48:M536,N,N,S:.:Windows:98 (13) -%8192:128:1:48:M536,N,N,S:.:Windows:98 (15) -S4:64:1:48:M*,N,N,S:.:Windows:98 (1) -S6:64:1:48:M*,N,N,S:.:Windows:98 (2) -S12:64:1:48:M*,N,N,S:.:Windows:98 (3 -T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:.:Windows:98 (16) -32767:64:1:48:M*,N,N,S:.:Windows:98 (4) -37300:64:1:48:M*,N,N,S:.:Windows:98 (5) -46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323) -65535:64:1:44:M*:.:Windows:98 (no sack) -S16:128:1:48:M*,N,N,S:.:Windows:98 (6) -S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:98 (7) -S26:128:1:48:M*,N,N,S:.:Windows:98 (8) -T30:128:1:48:M*,N,N,S:.:Windows:98 (9) -32767:128:1:52:M*,N,W0,N,N,S:.:Windows:98 (10) -60352:128:1:48:M*,N,N,S:.:Windows:98 (11) -60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:.:Windows:98 (12) - -# What's with 1414 on NT? -T31:128:1:44:M1414:.:Windows:NT 4.0 SP6a (1) -64512:128:1:44:M1414:.:Windows:NT 4.0 SP6a (2) -8192:128:1:44:M*:.:Windows:NT 4.0 (older) - -# Windows XP and 2000. Most of the signatures that were -# either dubious or non-specific (no service pack data) -# were deleted and replaced with generics at the end. - -65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1 -%8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1 (seldom 98 4.10.2222) -S20:128:1:48:M*,N,N,S:.:Windows:SP3 -S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP 1 (2) -40320:128:1:48:M*,N,N,S:.:Windows:2000 SP4 - -S6:128:1:48:M*,N,N,S:.:Windows:XP, 2000 SP2+ -S12:128:1:48:M*,N,N,S:.:Windows:XP SP1 (1) -S44:128:1:48:M*,N,N,S:.:Windows:XP Pro SP1, 2000 SP3 -64512:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP3 (2) -32767:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP4 (3) - -# Odds, ends, mods: - -S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco -65520:128:1:48:M*,N,N,S:.:Windows:XP bare-bone -16384:128:1:52:M536,N,W0,N,N,S:.:Windows:2000 w/ZoneAlarm? 
-2048:255:0:40:.:.:Windows:.NET Enterprise Server - -# No need to be more specific, it passes: -*:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) - -# ----------------- HP/UX ------------------- - -32768:64:1:44:M*:.:HP-UX:B.10.20 -32768:64:1:48:M*,W0,N:.:HP-UX:11.00-11.11 - -# Whoa. Hardcore WSS. -0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323) - -# ----------------- RiscOS ------------------ - -16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:.:RISC OS:3.70-4.36 (inet 5.04) -12288:32:0:44:M536:.:RISC OS:3.70 inet 4.10 -4096:64:1:56:M1460,N,N,T:T:.:RISC OS:3.70 freenet 2.00 - -# ----------------- BSD/OS ------------------ - -8192:64:1:60:M1460,N,W0,N,N,T:.:BSD/OS:3.1-4.3 (or MacOS X 10.2) - -# ---------------- NetwonOS ----------------- - -4096:64:0:44:M1420:.:NewtonOS:2.1 - -# ---------------- NeXTSTEP ----------------- - -S8:64:0:44:M512:.:NeXTSTEP:3.3 - -# ------------------ BeOS ------------------- - -1024:255:0:48:M*,N,W0:.:BeOS:5.0-5.1 -12288:255:0:44:M*:.:BeOS:5.0.x - -# ------------------ OS/400 ----------------- - -8192:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R4/R5 -8192:64:0:44:M536:.:OS/400:V4R3/M0 -4096:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R5 + CF67032 - -28672:64:0:44:M1460:A:OS/390:? - -# ------------------ ULTRIX ----------------- - -16384:64:0:40:.:.:ULTRIX:4.5 - -# ------------------- QNX ------------------- - -S16:64:0:44:M512:.:QNX:demodisk - -# ------------------ Novell ----------------- - -16384:128:1:44:M1460:.:Novell:NetWare 5.0 -6144:128:1:44:M1460:.:Novell:IntranetWare 4.11 -6144:128:1:44:M1368:.:Novell:BorderManager ? 
- -# According to rfp: -6144:128:1:52:M*,W0,N,S,N,N:.:Novell:Netware 6 SP3 - -# -------------- SCO UnixWare --------------- - -S3:64:1:60:M1460,N,W0,N,N,T:.:SCO:UnixWare 7.1 -S23:64:1:44:M1380:.:SCO:OpenServer 5.0 - -# ------------------- DOS ------------------- - -2048:255:0:44:M536:.:DOS:Arachne via WATTCP/1.05 - -# ------------------ OS/2 ------------------- - -S56:64:0:44:M512:.:OS/2:4 - -# ----------------- TOPS-20 ----------------- - -# Another hardcore MSS, one of the ACK leakers hunted down. -0:64:0:44:M1460:A:TOPS-20:version 7 - -# ------------------ AMIGA ------------------ - -S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack - -# ------------------ Minix ------------------ - -# Not quite sure. -# 8192:210:0:44:M1460:X:@Minix:? - -# ------------------ Plan9 ------------------ - -65535:255:0:48:M1460,W0,N:.:Plan9:edition 4 - -# ----------------- AMIGAOS ----------------- - -16384:64:1:48:M1560,N,N,S:.:AMIGAOS:3.9 BB2 MiamiDX - -########################################### -# Appliance / embedded / other signatures # -########################################### - -# ---------- Firewalls / routers ------------ - -S12:64:1:44:M1460:.:@Checkpoint:(unknown 1) -S12:64:1:48:N,N,S,M1460:.:@Checkpoint:(unknown 2) -4096:32:0:44:M1460:.:ExtremeWare:4.x -60352:64:0:52:M1460,N,W2,N,N,S:.:Clavister:firewall 7.x - -S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 -S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 - -S4:64:1:60:W0,N,S,T,M1460:.:FortiNet:FortiGate 50 - -8192:64:1:44:M1460:.:@Eagle:Secure Gateway - -# ------- Switches and other stuff ---------- - -4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, et -S8:255:0:44:M*:.:Cisco:12008 -60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:.:Alteon:ACEswitch -64512:128:1:44:M1370:.:Nortel:Contivity Client - -# ---------- Caches and whatnots ------------ - -8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.2 -16384:64:1:64:M1460,N,N,S,N,W0,N:.:NetCache:5.3 
-65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5 -20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:4.1 - -32850:64:1:64:N,W1,N,N,T,N,N,S,M*:.:NetCache:Data OnTap 5.x - -65535:64:0:60:M1460,N,W0,N,N,T:.:CacheFlow:CacheOS 4.1 -8192:64:0:60:M1380,N,N,N,N,N,N,T:.:CacheFlow:CacheOS 1.1 - -S4:64:0:48:M1460,N,N,S:.:Cisco:Content Engine - -27085:128:0:40:.:.:Dell:PowerApp cache (Linux-based) - -65535:255:1:48:N,W1,M1460:.:Inktomi:crawler -S1:255:1:60:M1460,S,T,N,W0:.:LookSmart:ZyBorg - -16384:255:0:40:.:.:Proxyblocker:(what's this?) - -# ----------- Embedded systems -------------- - -S9:255:0:44:M536:.:PalmOS:Tungsten C -S5:255:0:44:M536:.:PalmOS:3/4 -S4:255:0:44:M536:.:PalmOS:3.5 -2948:255:0:44:M536:.:PalmOS:3.5.3 (Handera) -S29:255:0:44:M536:.:PalmOS:5.0 - -S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:.:SymbianOS:7 -8192:255:0:44:M1460:.:SymbianOS:6048 (on Nokia 7650?) -8192:255:0:44:M536:.:SymbianOS:(on Nokia 9210?) - -32768:32:1:44:M1460:.:Windows:CE 3 - -# Perhaps S4? -5840:64:1:60:M1452,S,T,N,W1:.:Zaurus:3.10 - -32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:.:PocketPC:2002 - -S1:255:0:44:M346:.:Contiki:1.1-rc0 - -4096:128:0:44:M1460:.:Sega:Dreamcast Dreamkey 3.0 -T5:64:0:44:M536:.:Sega:Dreamcast HKT-3020 (browser disc 51027) -S22:64:1:44:M1460:.:Sony:Playstation 2 (SOCOM?) 
- -S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64 - -#################### -# Fancy signatures # -#################### - -1024:64:0:40:.:.:-*NMAP:syn scan (1) -2048:64:0:40:.:.:-*NMAP:syn scan (2) -3072:64:0:40:.:.:-*NMAP:syn scan (3) -4096:64:0:40:.:.:-*NMAP:syn scan (4) - -1024:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (1) -2048:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (2) -3072:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (3) -4096:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (4) - -1024:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (1) -2048:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (2) -3072:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (3) -4096:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (4) - -12345:255:0:40:.:A:-p0f:sendsyn utility - -# UFO - see tmp/*: -56922:128:0:40:.:A:-@Mysterious:port scanner (?) -5792:64:1:60:M1460,S,T,N,W0:T:-@Mysterious:NAT device (2nd tstamp) -S12:128:1:48:M1460,E:P:@Mysterious:Chello proxy (?) -S23:64:1:64:N,W1,N,N,T,N,N,S,M1380:.:@Mysterious:GPRS gateway (?) - -##################################### -# Generic signatures - just in case # -##################################### - -*:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323 no tstamp) -*:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323) -*:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP (RFC1323, w+) -*:128:1:48:M536,N,N,S:.:@Windows:98 -*:128:1:48:M*,N,N,S:.:@Windows:XP/2000 - - diff --git a/policy.old/smb.bro b/policy.old/smb.bro deleted file mode 100644 index 4d31393a13..0000000000 --- a/policy.old/smb.bro +++ /dev/null @@ -1,8 +0,0 @@ -# $Id:$ - -redef capture_filters += { ["smb"] = "port 445" }; - -global smb_ports = { 445/tcp } &redef; -redef dpd_config += { [ANALYZER_SMB] = [$ports = smb_ports] }; - -# No default implementation for events. diff --git a/policy.old/smtp-relay.bro b/policy.old/smtp-relay.bro deleted file mode 100644 index 0a7f84e7ad..0000000000 
--- a/policy.old/smtp-relay.bro
+++ /dev/null
@@ -1,192 +0,0 @@
-# $Id: smtp-relay.bro 5911 2008-07-03 22:59:01Z vern $
-#
-# Tracks email relaying.
-
-@load smtp
-@load mime
-
-module SMTP;
-
-redef process_smtp_relay = T;
-
-export {
- const relay_log = open_log_file("relay") &redef;
-}
-
-global print_smtp_relay: function(t: table[count] of smtp_session_info,
- idx: count): interval;
-
-global smtp_relay_table: table[count] of smtp_session_info
- &write_expire = 5 min &expire_func = print_smtp_relay;
-
-global smtp_session_by_recipient: table[string] of smtp_session_info
- &write_expire = 5 min;
-global smtp_session_by_message_id: table[string] of smtp_session_info
- &write_expire = 5 min;
-global smtp_session_by_content_hash: table[string] of smtp_session_info
- &write_expire = 5 min;
-
-
-function add_to_smtp_relay_table(session: smtp_session_info)
- {
- if ( session$id !in smtp_relay_table )
- smtp_relay_table[session$id] = session;
- }
-
-function check_relay_1(session: smtp_session_info, rcpt: string)
- {
- if ( session$external_orig && rcpt != local_mail_addr )
- {
- smtp_message(session,
- fmt("relaying(1) message (from %s, to %s) to address %s",
- session$connection_id$orig_h,
- session$connection_id$resp_h,
- rcpt));
-
- if ( session$relay_1_rcpt != "" )
- session$relay_1_rcpt = cat(session$relay_1_rcpt, ",");
-
- session$relay_1_rcpt = cat(session$relay_1_rcpt, rcpt);
- add_to_smtp_relay_table(session);
- }
- }
-
-function check_relay_2(session: smtp_session_info, rcpt: string)
- {
- if ( rcpt in smtp_session_by_recipient )
- {
- local prev_session = smtp_session_by_recipient[rcpt];
-
- # Should only check the first condition only (external
- # followed by internal) but let's include the second one
- # for testing purposes for now.
- if ( (prev_session$external_orig && ! session$external_orig) ||
- (! 
prev_session$external_orig && session$external_orig) )
- {
- smtp_message(session,
- fmt("relaying(2) message (seen during #%d) to address %s (%s -> %s, %s -> %s)",
- prev_session$id, rcpt,
- prev_session$connection_id$orig_h,
- prev_session$connection_id$resp_h,
- session$connection_id$orig_h,
- session$connection_id$resp_h));
-
- session$relay_2_from = prev_session$id;
- ++prev_session$relay_2_to;
-
- add_to_smtp_relay_table(session);
- add_to_smtp_relay_table(prev_session);
- }
- }
-
- smtp_session_by_recipient[rcpt] = session;
- }
-
-function check_relay_3(session: MIME::mime_session_info, msg_id: string)
- {
- local smtp_session = session$smtp_session;
-
- if ( msg_id in smtp_session_by_message_id )
- {
- local prev_smtp_session = smtp_session_by_message_id[msg_id];
-
- smtp_message(smtp_session,
- fmt("relaying(3) message (seen during #%d) with id %s (%s -> %s, %s -> %s)",
- prev_smtp_session$id, msg_id,
- prev_smtp_session$connection_id$orig_h,
- prev_smtp_session$connection_id$resp_h,
- smtp_session$connection_id$orig_h,
- smtp_session$connection_id$resp_h));
-
- smtp_session$relay_3_from = prev_smtp_session$id;
- ++prev_smtp_session$relay_3_to;
-
- add_to_smtp_relay_table(smtp_session);
- add_to_smtp_relay_table(prev_smtp_session);
- }
- else
- smtp_session_by_message_id[msg_id] = smtp_session;
- }
-
-function check_relay_4(session: MIME::mime_session_info, content_hash: string)
- {
- local smtp_session = session$smtp_session;
- smtp_session$content_hash = content_hash;
-
- if ( content_hash in smtp_session_by_content_hash )
- {
- local prev_smtp_session = smtp_session_by_content_hash[content_hash];
- smtp_message(smtp_session,
- fmt("relaying(4) message (seen during #%d) with hash %s (%s -> %s, %s -> %s)",
- prev_smtp_session$id,
- string_to_ascii_hex(content_hash),
- prev_smtp_session$connection_id$orig_h,
- prev_smtp_session$connection_id$resp_h,
- smtp_session$connection_id$orig_h,
- smtp_session$connection_id$resp_h));
-
- smtp_session$relay_4_from = 
prev_smtp_session$id;
- ++prev_smtp_session$relay_4_to;
-
- add_to_smtp_relay_table(smtp_session);
- add_to_smtp_relay_table(prev_smtp_session);
- }
- else
- smtp_session_by_content_hash[content_hash] = smtp_session;
- }
-
-# event mime_all_data(c: connection, length: count, data: string)
-# {
-# local session = get_mime_session(c, T);
-# session$content_hash = md5_hash(data);
-# if ( process_smtp_relay )
-# check_relay_4(session, session$content_hash);
-# # mime_log_msg(session, "all data", fmt("%s", data));
-# }
-
-event mime_content_hash(c: connection, content_len: count, hash_value: string)
- {
- local session = MIME::get_session(c, T);
- session$content_hash = hash_value;
- if ( process_smtp_relay && content_len > 0 )
- check_relay_4(session, session$content_hash);
- }
-
-function relay_flow(from: count, to: count): string
- {
- if ( from > 0 )
- return fmt("<#%d", from);
-
- if ( to > 0 )
- return fmt(">%d", to);
-
- return "-";
- }
-
-function print_smtp_relay(t: table[count] of smtp_session_info,
- idx: count): interval
- {
- local session = t[idx];
-
- print relay_log, fmt("#%d: %s",
- session$id,
- directed_id_string(session$connection_id, T));
-
- print relay_log, fmt("#%d: RCPT: <%s>, Subject: %s",
- session$id,
- session$recipients, session$subject);
-
- print relay_log, fmt("#%d: detected: [%s %s %s %s] %s",
- session$id,
- session$relay_1_rcpt == "" ? "-" : "1",
- relay_flow(session$relay_2_from, session$relay_2_to),
- relay_flow(session$relay_3_from, session$relay_3_to),
- relay_flow(session$relay_4_from, session$relay_4_to),
- session$content_gap ? "(content gap)" : "");
-
- print relay_log, fmt("#%d: relay 1: <%s>",
- session$id,
- session$relay_1_rcpt);
-
- return 0 sec;
- }
diff --git a/policy.old/smtp.bro b/policy.old/smtp.bro
deleted file mode 100644
index cddb926456..0000000000
--- a/policy.old/smtp.bro
+++ /dev/null
@@ -1,557 +0,0 @@ -# $Id: smtp.bro 5230 2008-01-14 01:38:18Z vern $ - -@load conn - -module SMTP; - -export { - redef enum Notice += { HotEmailRecipient, }; - - const process_smtp_relay = F &redef; - - const smtp_log = open_log_file("smtp") &redef; - - # Used to detect relaying. - const local_mail_addr = /.*@.*lbl.gov/ &redef; - - const hot_recipients = /@/ &redef; - - const smtp_legal_cmds: set[string] = { - ">", "EHLO", "HELO", "MAIL", - "RCPT", "DATA", ".", "QUIT", - "RSET", "VRFY", "EXPN", "HELP", "NOOP", - "SEND", "SOML", "SAML", "TURN", - "STARTTLS", - "BDAT", - "ETRN", - "AUTH", - "***", - } &redef; - - const smtp_hot_cmds: table[string] of pattern = { - ["MAIL"] = /.*<.*@.*:.*>.*/, # relay path - ["RCPT"] = /.*<.*@.*:.*>.*/, # relay path - ["VRFY"] = /.*/, - ["EXPN"] = /.*/, - ["TURN"] = /.*/, - } &redef; - - const smtp_sensitive_cmds: set[string] = { - "VRFY", "EXPN", "TURN", - } &redef; - - const smtp_expected_reply: set[string, count] = { - [">", 220], - ["EHLO", 250], - ["HELO", 250], - ["MAIL", 250], - ["RCPT", 250], - ["RCPT", 554], # transaction failed - ["QUIT", 221], - ["DATA", 354], - [".", 250], # end of data - ["RSET", 250], - ["VRFY", 250], - ["EXPN", 250], - ["HELP", 250], - ["HELP", 502], # help command not supported - ["NOOP", 250], - ["AUTH", 334], # two round authentication - ["AUTH", 235], # one round authentication - ["AUTH_ANSWER", 334], # multiple step authentication - ["AUTH_ANSWER", 235], # authentication successful - ["STARTTLS", 220], # Willing to do TLS - ["TURN", 502], # TURN is expected to be rejected - }; - - type smtp_cmd_info: record { - cmd: string; - cmd_arg: string; - reply: count; - reply_arg: string; - cont_reply: bool; - log_reply: bool; - }; - - type smtp_cmd_info_list: table[count] of smtp_cmd_info; - - type smtp_session_info: record { - id: count; - connection_id: conn_id; - external_orig: bool; - in_data: bool; - num_cmds: count; - num_replies: count; - cmds: smtp_cmd_info_list; - in_header: bool; - 
keep_current_header: bool; # hack till MIME rewriter ready - recipients: string; - subject: string; - content_hash: string; - num_lines_in_body: count; - # lines in RFC 822 body before MIME decoding - num_bytes_in_body: count; - # bytes in entity bodies after MIME decoding - content_gap: bool; # whether content gap in conversation - - relay_1_rcpt: string; # external recipients - relay_2_from: count; # session id of same recipient - relay_2_to: count; - relay_3_from: count; # session id of same msg id - relay_3_to: count; - relay_4_from: count; # session id of same content hash - relay_4_to: count; - }; - - global smtp_sessions: table[conn_id] of smtp_session_info; - global smtp_session_id = 0; - - global new_smtp_session: function(c: connection); -} - -redef capture_filters += { ["smtp"] = "tcp port smtp or tcp port 587" }; - -# DPM configuration. -global smtp_ports = { 25/tcp, 587/tcp } &redef; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = smtp_ports] }; - -function is_smtp_connection(c: connection): bool - { - return c$id$resp_p == smtp; - } - -event bro_init() - { - have_SMTP = T; - } - -global add_to_smtp_relay_table: function(session: smtp_session_info); - -function new_smtp_command(session: smtp_session_info, cmd: string, arg: string) - { - ++session$num_cmds; - - local cmd_info: smtp_cmd_info; - cmd_info$cmd = cmd; - cmd_info$cmd_arg = arg; - cmd_info$reply = 0; - cmd_info$reply_arg = ""; - cmd_info$cont_reply = F; - cmd_info$log_reply = F; - - session$cmds[session$num_cmds] = cmd_info; - } - -function new_smtp_session(c: connection) - { - local session = c$id; - local new_id = ++smtp_session_id; - - local info: smtp_session_info; - local cmds: smtp_cmd_info_list; - - info$id = new_id; - info$connection_id = session; - info$in_data = F; - info$num_cmds = 0; - info$num_replies = 0; - info$cmds = cmds; - info$in_header = F; - info$keep_current_header = T; - info$external_orig = !is_local_addr(session$orig_h); - - info$subject = ""; - info$recipients = 
""; - info$content_hash = ""; - info$num_lines_in_body = info$num_bytes_in_body = 0; - info$content_gap = F; - - info$relay_1_rcpt = ""; - info$relay_2_from = info$relay_2_to = info$relay_3_from = - info$relay_3_to = info$relay_4_from = info$relay_4_to = 0; - - new_smtp_command(info, ">", ""); - - smtp_sessions[session] = info; - append_addl(c, fmt("#%s", prefixed_id(new_id))); - - print smtp_log, fmt("%.6f #%s %s start %s", c$start_time, - prefixed_id(new_id), id_string(session), info$external_orig ? - "external" : "internal" ); - } - -function smtp_message(session: smtp_session_info, msg: string) - { - print smtp_log, fmt("%.6f #%s %s", - network_time(), prefixed_id(session$id), msg); - } - -function smtp_log_msg(session: smtp_session_info, is_orig: bool, msg: string) - { - print smtp_log, fmt("%.6f #%s %s: %s", - network_time(), - prefixed_id(session$id), - directed_id_string(session$connection_id, is_orig), - msg); - } - -function smtp_log_reject_recipient(session: smtp_session_info, rcpt: string) - { - if ( rcpt == "" ) - rcpt = ""; - - smtp_message(session, fmt("Recipient addresses rejected: %s", rcpt)); - } - -function smtp_log_command(session: smtp_session_info, is_orig: bool, - msg: string, cmd_info: smtp_cmd_info) - { - smtp_log_msg(session, is_orig, fmt("%s: %s(%s)", - msg, cmd_info$cmd, cmd_info$cmd_arg)); - } - -function smtp_log_reply(session: smtp_session_info, is_orig: bool, - msg: string, cmd_info: smtp_cmd_info) - { - smtp_log_msg(session, is_orig, fmt("%s: %s(%s) --> %d(%s)", - msg, - cmd_info$cmd, cmd_info$cmd_arg, - cmd_info$reply, cmd_info$reply_arg)); - } - -event smtp_request(c: connection, is_orig: bool, command: string, arg: string) - { - local id = c$id; - - if ( id !in smtp_sessions ) - new_smtp_session(c); - - local session = smtp_sessions[id]; - new_smtp_command(session, command, arg); - local cmd_info = session$cmds[session$num_cmds]; - - # Store the command in session record. 
- local log_this_cmd = F; - - if ( command in smtp_hot_cmds && arg == smtp_hot_cmds[command] ) - { - log_this_cmd = T; - cmd_info$log_reply = T; - } - - if ( command in smtp_sensitive_cmds ) - { - log_this_cmd = T; - cmd_info$log_reply = T; - } - - if ( log_this_cmd ) - smtp_log_command(session, is_orig, "unusual command", cmd_info); - - if ( command == "DATA" ) - { - session$in_data = T; - session$in_header = T; - } - - else if ( command == "." ) - session$in_data = F; - } - -function check_cmd_info(session: smtp_session_info): bool - { - if ( session$num_replies == 0 ) - return T; - - if ( session$num_replies <= session$num_cmds && - session$num_replies in session$cmds ) - return T; - - smtp_message(session, fmt("error: invalid num_replies: %d (num_cmds = %d)", - session$num_replies, session$num_cmds)); - return F; - } - -function smtp_command_mail(session: smtp_session_info, cmd_info: smtp_cmd_info) - { - local tokens = split(cmd_info$cmd_arg, /(<|:|>)*/); - - local i = 0; - for ( i in tokens ) - smtp_log_msg(session, T, fmt("%d: \"%s\"", i, tokens[i])); - } - -function extract_recipient(session: smtp_session_info, rcpt_cmd_arg: string): string - { - local pair: string_array; - local s: string; - - s = rcpt_cmd_arg; - - pair = split1(s, /<( |\t)*/); - if ( length(pair) != 2 ) - { - smtp_message(session, fmt("error: '<' not found in argument to RCPT: %s", - rcpt_cmd_arg)); - return ""; - } - - s = pair[2]; - # smtp_message(session, fmt("%s<%s", pair[1], pair[2])); - - pair = split1(s, /( |\t)*>/); - if ( length(pair) != 2 ) - { - smtp_message(session, fmt("error: '>' not found in argument to RCPT: %s", - rcpt_cmd_arg)); - return ""; - } - - s = pair[1]; - # smtp_message(session, fmt("%s>%s", pair[1], pair[2])); - - pair = split1(s, /:/); - if ( length(pair) == 2 ) - { - smtp_message(session, fmt("RCPT address is source route path: %s", - rcpt_cmd_arg)); - s = pair[2]; - } - - # Actually the local part of an address might be case-sensitive, - # but in most cases 
it is not. - - s = to_lower(s); - - return s; - } - -global check_relay_1: function(session: smtp_session_info, rcpt: string); -global check_relay_2: function(session: smtp_session_info, rcpt: string); - -function smtp_command_rcpt(c: connection, session: smtp_session_info, - cmd_info: smtp_cmd_info) - { - local rcpt = extract_recipient(session, cmd_info$cmd_arg); - - if ( cmd_info$reply == 554 ) - smtp_log_reject_recipient(session, rcpt); - - else if ( rcpt != "" ) - { - smtp_message(session, fmt("recipient: <%s>", rcpt)); - - if ( session$recipients != "" ) - session$recipients = cat(session$recipients, ","); - - session$recipients = cat(session$recipients, rcpt); - - if ( process_smtp_relay ) - { - check_relay_1(session, rcpt); - check_relay_2(session, rcpt); - } - - if ( rcpt == hot_recipients ) - { - local src = session$connection_id$orig_h; - local dst = session$connection_id$resp_h; - - NOTICE([$note=HotEmailRecipient, $src=src, $conn=c, - $user=rcpt, - $msg=fmt("hot email recipient %s -> %s@%s", - src, rcpt, dst)]); - } - } - } - -event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, - msg: string, cont_resp: bool) - { - local id = c$id; - - if ( id !in smtp_sessions ) - new_smtp_session(c); - - local session = smtp_sessions[id]; - local new_reply = F; - - # Check entry before indexing. - if ( ! check_cmd_info(session) ) - return; - - if ( session$num_replies == 0 || - ! session$cmds[session$num_replies]$cont_reply ) - { - ++session$num_replies; - if ( session$num_replies !in session$cmds ) - { - smtp_message(session, fmt("error: unmatched reply: %d %s (%s)", - code, msg, cmd)); - return; - } - - new_reply = T; - } - - if ( ! 
check_cmd_info(session) ) - return; - - local cmd_info = session$cmds[session$num_replies]; - - if ( cmd_info$cmd != cmd ) - { - smtp_message(session, - fmt("error: command mismatch: %s(%d) %s(%d), %s (%d %s)", - cmd_info$cmd, session$num_replies, - session$cmds[session$num_cmds], session$num_cmds, - cmd, code, msg)); - return; - } - - cmd_info$reply = code; - if ( new_reply ) - cmd_info$reply_arg = msg; - else - cmd_info$reply_arg = cat(cmd_info$reply_arg, "\r\n", msg); - - cmd_info$cont_reply = cont_resp; - - local log_this_reply = cmd_info$log_reply; - - if ( [cmd, code] !in smtp_expected_reply ) - log_this_reply = T; - - if ( log_this_reply && ! cont_resp ) - smtp_log_reply(session, is_orig, "unusual command/reply", cmd_info); - - # else if ( cmd == "MAIL" && code == 250 ) - # smtp_command_mail(session, cmd_info); - - else if ( cmd == "RCPT" ) - { - if ( code == 250 || code == 554 ) - smtp_command_rcpt(c, session, cmd_info); - } - - else if ( cmd == "STARTTLS" && code == 220 ) - { # it'll now go encrypted - no more we can do. 
- skip_further_processing(c$id); - smtp_message(session, cmd); - } - } - -function reset_on_gap(session: smtp_session_info) - { - local i: count; - - clear_table(session$cmds); - - session$num_cmds = session$num_replies = 0; - session$in_data = F; - } - -event smtp_unexpected(c: connection, is_orig: bool, msg: string, detail: string) - { - local id = c$id; - - if ( id !in smtp_sessions ) - new_smtp_session(c); - - local session = smtp_sessions[id]; - - smtp_log_msg(session, is_orig, fmt("unexpected: %s: %s", msg, detail)); - } - -function clear_smtp_session(session: smtp_session_info) - { - clear_table(session$cmds); - } - -event content_gap(c: connection, is_orig: bool, seq: count, length: count) - { - if ( is_smtp_connection(c) ) - { - local id = c$id; - if ( id !in smtp_sessions ) - new_smtp_session(c); - local session = smtp_sessions[id]; - session$content_gap = T; - reset_on_gap(session); - } - } - -event connection_finished(c: connection) - { - local id = c$id; - if ( id in smtp_sessions ) - { - local session = smtp_sessions[id]; - smtp_message(session, "finish"); - clear_smtp_session(session); - delete smtp_sessions[id]; - } - } - -event connection_state_remove(c: connection) - { - local id = c$id; - if ( id in smtp_sessions ) - { - local session = smtp_sessions[id]; - smtp_message(session, "state remove"); - clear_smtp_session(session); - delete smtp_sessions[id]; - } - } - -global rewrite_smtp_header_line: - function(c: connection, is_orig: bool, - session: smtp_session_info, line: string); - -function smtp_header_line(c: connection, is_orig: bool, - session: smtp_session_info, line: string) - { - if ( rewriting_smtp_trace ) - rewrite_smtp_header_line(c, is_orig, session, line); - } - -function smtp_body_line(c: connection, is_orig: bool, - session: smtp_session_info, line: string) - { - ++session$num_lines_in_body; - session$num_bytes_in_body = - session$num_bytes_in_body + byte_len(line) + 2; # including CRLF - } - -event smtp_data(c: connection, 
is_orig: bool, data: string)
- {
- local id = c$id;
- if ( id in smtp_sessions )
- {
- local session = smtp_sessions[id];
- # smtp_log_msg(session, is_orig, fmt("data: %s", data));
- if ( session$in_header )
- {
- if ( data == "" )
- {
- session$in_header = F;
- skip_smtp_data(c);
- }
- else
- {
- smtp_header_line(c, is_orig, session, data);
- # smtp_log_msg(session, T, fmt("header: %s", data));
- }
- }
- else
- {
- # smtp_body_line(c, is_orig, session, data);
- }
- }
- }
-
-event bro_done()
- {
- clear_table(smtp_sessions);
- }
diff --git a/policy.old/snort.bro b/policy.old/snort.bro
deleted file mode 100644
index 16a173de13..0000000000
--- a/policy.old/snort.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: snort.bro 720 2004-11-12 16:45:48Z rwinslow $
-#
-# Definitions needed for signatures converted by snort2bro.
-
-# Servers for some services.
-const dns_servers: set[subnet] = { local_nets } &redef;
-const http_servers: set[subnet] = { local_nets } &redef;
-const smtp_servers: set[subnet] = { local_nets } &redef;
-const telnet_servers: set[subnet] = { local_nets } &redef;
-const sql_servers: set[subnet] = { local_nets } &redef;
-
-const aim_servers: set[subnet] = {
- 64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24,
- 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24,
- 205.188.9.0/24
-} &redef;
-
-# Ports for some services.
-const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
-const oracle_ports = { 1521/tcp };
-const non_shellcode_ports = { 80/tcp };
diff --git a/policy.old/ssh-stepping.bro b/policy.old/ssh-stepping.bro
deleted file mode 100644
index 5658a56043..0000000000
--- a/policy.old/ssh-stepping.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load stepping
-
-redef capture_filters += { ["ssh-stepping"] = "tcp port 22" };
-
-module SSH_Stepping;
-
-# Keeps track of how many connections each source is responsible for.
-global ssh_src_cnt: table[addr] of count &default=0 &write_expire=15sec;
-
-export {
- # Threshold above which we stop analyzing a source.
- # Use 0 to never stop.
- global src_fanout_no_stp_analysis_thresh = 100 &redef;
-}
-
-event connection_established(c: connection)
- {
- if ( c$id$resp_p == ssh )
- {
- # No point recording these, and they're potentially huge
- # due to use of ssh for file transfers.
- set_record_packets(c$id, F);
-
- # Keep track of sources that create lots of connections
- # so we can skip analyzing them - they're very likely
- # uninteresting for stepping stones, and can present
- # a large state burden.
- local src = c$id$orig_h;
- if ( ++ssh_src_cnt[src] == src_fanout_no_stp_analysis_thresh )
- add stp_skip_src[src];
-
- if ( ssh_src_cnt[src] == 1 )
- # First entry. It's possible this entry was set
- # before and has now expired. If so, stop skipping it.
- delete stp_skip_src[src];
- }
- }
-
-event partial_connection(c: connection)
- {
- if ( c$id$orig_p == ssh || c$id$resp_p == ssh )
- # No point recording these, and they're potentially huge
- # due to use of ssh for file transfers.
- set_record_packets(c$id, F);
- }
diff --git a/policy.old/ssl-alerts.bro b/policy.old/ssl-alerts.bro
deleted file mode 100644
index 1a0d65dead..0000000000
--- a/policy.old/ssl-alerts.bro
+++ /dev/null
@@ -1,120 +0,0 @@ -# $Id: ssl-alerts.bro 416 2004-09-17 03:52:28Z vern $ -# -# Interface for SSL/TLS support. - -# --- constant definitions of the SSL/TLS alert/error records --- - -# --- Error descriptions for SSLv2. -const SSLv2_PE_NO_CIPHER = 0x0001; -const SSLv2_PE_NO_CERTIFICATE = 0x0002; -const SSLv2_PE_BAD_CERTIFICATE = 0x0004; -const SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006; - -# --- Alert descriptions in SSLv3.0 and SSLv3.1. -const SSLv3x_ALERT_DESCR_CLOSE_NOTIFY = 0; -const SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE = 10; -const SSLv3x_ALERT_DESCR_BAD_RECORD_MAC = 20; -const SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE = 30; -const SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE = 40; -const SSLv3x_ALERT_DESCR_BAD_CERTIFICATE = 42; -const SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE = 43; -const SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED = 44; -const SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED = 45; -const SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN = 46; - -# --- Alert descriptions only in SSLv3.0. -const SSLv30_ALERT_DESCR_NO_CERTIFICATE = 41; - -# --- Alert descriptions only in SSLv3.1. -const SSLv31_ALERT_DESCR_DESCRYPTION_FAILED = 21; -const SSLv31_ALERT_DESCR_RECORD_OVERFLOW = 22; -const SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER = 47; -const SSLv31_ALERT_DESCR_UNKNOWN_CA = 48; -const SSLv31_ALERT_DESCR_ACCESS_DENIED = 49; -const SSLv31_ALERT_DESCR_DECODE_ERROR = 50; -const SSLv31_ALERT_DESCR_DECRYPT_ERROR = 51; -const SSLv31_ALERT_DESCR_EXPORT_RESTRICTION = 60; -const SSLv31_ALERT_DESCR_PROTOCOL_VERSION = 70; -const SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY = 71; -const SSLv31_ALERT_DESCR_INTERNAL_ERROR = 80; -const SSLv31_ALERT_DESCR_USER_CANCELED = 90; -const SSLv31_ALERT_DESCR_NO_RENEGOTIATION = 100; - -# --- This is a table of all known alert descriptions. -# --- It can be used for detecting unknown alerts and for -# --- converting the alert descriptions constants into a human readable format. 
- -const ssl_alert_desc: table[count] of string = { - # --- SSLv2 - [SSLv2_PE_NO_CIPHER] = "SSLv2_PE_NO_CIPHER", - [SSLv2_PE_NO_CERTIFICATE] = "SSLv2_PE_NO_CERTIFICATE", - [SSLv2_PE_BAD_CERTIFICATE] = "SSLv2_PE_BAD_CERTIFICATE", - [SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE] = - "SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE", - - # --- sslv30 - [SSLv30_ALERT_DESCR_NO_CERTIFICATE] = - "SSLv30_ALERT_DESCR_NO_CERTIFICATE", - - # --- sslv31 - [SSLv31_ALERT_DESCR_DESCRYPTION_FAILED] = - "SSLv31_ALERT_DESCR_DESCRYPTION_FAILED", - [SSLv31_ALERT_DESCR_RECORD_OVERFLOW] = - "SSLv31_ALERT_DESCR_RECORD_OVERFLOW", - [SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER] = - "SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER", - [SSLv31_ALERT_DESCR_UNKNOWN_CA] = "SSLv31_ALERT_DESCR_UNKNOWN_CA", - [SSLv31_ALERT_DESCR_ACCESS_DENIED] = "SSLv31_ALERT_DESCR_ACCESS_DENIED", - [SSLv31_ALERT_DESCR_DECODE_ERROR] = "SSLv31_ALERT_DESCR_DECODE_ERROR", - [SSLv31_ALERT_DESCR_DECRYPT_ERROR] = "SSLv31_ALERT_DESCR_DECRYPT_ERROR", - [SSLv31_ALERT_DESCR_EXPORT_RESTRICTION] = - "SSLv31_ALERT_DESCR_EXPORT_RESTRICTION", - [SSLv31_ALERT_DESCR_PROTOCOL_VERSION] = - "SSLv31_ALERT_DESCR_PROTOCOL_VERSION", - [SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY] = - "SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY", - [SSLv31_ALERT_DESCR_INTERNAL_ERROR] = - "SSLv31_ALERT_DESCR_INTERNAL_ERROR", - [SSLv31_ALERT_DESCR_USER_CANCELED] = - "SSLv31_ALERT_DESCR_USER_CANCELED", - [SSLv31_ALERT_DESCR_NO_RENEGOTIATION] = - "SSLv31_ALERT_DESCR_NO_RENEGOTIATION", - - # -- sslv3.0 and sslv3.1 - [SSLv3x_ALERT_DESCR_CLOSE_NOTIFY] = "SSLv3x_ALERT_DESCR_CLOSE_NOTIFY", - [SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE] = - "SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE", - [SSLv3x_ALERT_DESCR_BAD_RECORD_MAC] = - "SSLv3x_ALERT_DESCR_BAD_RECORD_MAC", - [SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE] = - "SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE", - [SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE] = - "SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE", - [SSLv3x_ALERT_DESCR_BAD_CERTIFICATE] = - 
"SSLv3x_ALERT_DESCR_BAD_CERTIFICATE", - [SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE] = - "SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE", - [SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED] = - "SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED", - [SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED] = - "SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED", - [SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN] = - "SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN", -}; - -# --- definitions for SSLv2 error levels: -# NOTE: We currently use the SSLv3x alert levels "WARNING" and "FATAL" -# for SSLv2, since SSLv2 does not support an explicit error level. - -# --- definitions for SSLv3.0/SSLv3.1 alert levels -const SSLv3x_ALERT_LEVEL_WARNING = 1; -const SSLv3x_ALERT_LEVEL_FATAL = 2; - -# --- This is a table of all known alert levels. -# --- It can be used for detecting unknown alert levels and for -# --- converting the alert level constants into a human readable format. - -const ssl_alert_level: table[count] of string = { - [SSLv3x_ALERT_LEVEL_WARNING] = "SSLv3x_ALERT_LEVEL_WARNING", - [SSLv3x_ALERT_LEVEL_FATAL] = "SSLv3x_ALERT_LEVEL_FATAL", -}; diff --git a/policy.old/ssl-worm.bro b/policy.old/ssl-worm.bro deleted file mode 100644 index 40c9ce432e..0000000000 --- a/policy.old/ssl-worm.bro +++ /dev/null 
@@ -1,58 +0,0 @@
-# $Id: ssl-worm.bro 340 2004-09-09 06:38:27Z vern $
-
-@load signatures
-@load software
-
-redef signature_files += "ssl-worm.sig";
-
-redef capture_filters += {
- ["ssl-worm"] = "udp port 2002 and src net 134.96"
-};
-
-function sslworm_is_server_vulnerable(state: signature_state): bool
- {
- local ip = state$conn$id$resp_h;
-
- if ( ip !in software_table )
- return F;
-
- local softset = software_table[ip];
-
- if ( "Apache" !in softset )
- return F;
-
- if ( "OpenSSL" !in softset )
- return F;
-
- local safe_version: software_version =
- [$major = +0, $minor = +9, $minor2 = +6, $addl = "e"];
-
- if ( software_cmp_version(softset["OpenSSL"]$version, safe_version) >= 0 )
- return F;
-
- return T;
- }
-
-function sslworm_has_server_been_probed(state: signature_state): bool
- {
- # FIXME: Bro segfaults without the tmp variable
- local result =
- has_signature_matched("sslworm-probe",
- state$conn$id$orig_h, state$conn$id$resp_h);
-
- return result;
- }
-
-function sslworm_has_server_been_exploited(state: signature_state): bool
- {
- # FIXME: I don't know which side starts the UDP conversation
- local result =
- has_signature_matched("sslworm-exploit",
- state$conn$id$orig_h, state$conn$id$resp_h);
-
- if ( ! result )
- result = has_signature_matched("sslworm-exploit",
- state$conn$id$resp_h, state$conn$id$orig_h);
-
- return result;
- }
diff --git a/policy.old/stats.bro b/policy.old/stats.bro
deleted file mode 100644
index a4a4d7a8ac..0000000000
--- a/policy.old/stats.bro
+++ /dev/null
@@ -1,80 +0,0 @@
-# $Id: stats.bro 4011 2007-02-28 07:01:12Z vern $
-
-# Track memory/lag statistics. Differs from profiling.bro in that this
-# is lighter-weight (much less info, and less load to generate).
-
-@load notice
-
-redef enum Notice += {
- ResourceStats, # generated when running live packet capture
- OfflineResourceStats, # generated when reading trace files
-};
-
-# ResourceStats should by default be sent to the notice file
-redef notice_action_filters += {
- [[ResourceStats, OfflineResourceStats]] = file_notice
-};
-
-# Interval in which the results are sent as a notice. If this is less
-# than heartbeat_interval, then it is set to heartbeat_interval, since
-# some of the reported statistics are only gathered via the heartbeat.
-global stats_report_interval = 10 sec &redef;
-
-event check_stats(last_time: time, last_ns: NetStats, last_res: bro_resources)
- {
- local now = current_time();
- local lag = now - network_time();
- local report_delta = now - last_time;
-
- local res = resource_usage();
- local ns = net_stats();
-
- local total_CPU_time = res$user_time + res$system_time;
- local last_CPU_time = last_res$user_time + last_res$system_time;
- local CPU_util = ((total_CPU_time - last_CPU_time) / report_delta) * 100.0;
-
- local pkts_recvd = ns$pkts_recvd - last_ns$pkts_recvd;
- local pkts_dropped = ns$pkts_dropped - last_ns$pkts_dropped;
- local pkts_link = ns$pkts_link - last_ns$pkts_link;
-
- if ( bro_is_terminating() )
- # No more stats will be written or scheduled when Bro is
- # shutting down.
- return;
-
- local delta_pkts_processed = res$num_packets - last_res$num_packets;
- local delta_events = res$num_events_dispatched - last_res$num_events_dispatched;
- local delta_queued = res$num_events_queued - last_res$num_events_queued;
-
- local stat_msg =
- fmt("mem=%dMB pkts_proc=%d events_proc=%d events_queued=%d",
- res$mem / 1000000, delta_pkts_processed,
- delta_events, delta_queued);
-
- if ( reading_live_traffic() )
- {
- stat_msg = fmt("%s et=%.2f lag=%fsec util=%.01f%% pkts_rcv=%d pkts_drp=%d pkts_link=%d",
- stat_msg, report_delta, lag, CPU_util,
- pkts_recvd, pkts_dropped, pkts_link);
- NOTICE([$note=ResourceStats, $msg=stat_msg]);
- }
-
- else if ( reading_traces() )
- NOTICE([$note=OfflineResourceStats, $msg=stat_msg]);
-
- else
- {
- # Remote communication only.
- stat_msg = fmt("mem=%dMB events_proc=%d events_queued=%d lag=%fsec util=%.01f%%",
- res$mem / 1000000, delta_events, delta_queued,
- lag, CPU_util);
- NOTICE([$note=ResourceStats, $msg=stat_msg]);
- }
-
- schedule stats_report_interval { check_stats(now, ns, res) };
- }
-
-event bro_init()
- {
- schedule stats_report_interval { check_stats(current_time(), net_stats(), resource_usage()) };
- }
diff --git a/policy.old/stepping.bro b/policy.old/stepping.bro
deleted file mode 100644
index 9b7fe23031..0000000000
--- a/policy.old/stepping.bro
+++ /dev/null
@@ -1,484 +0,0 @@ -# $Id: stepping.bro 6481 2008-12-15 00:47:57Z vern $ - -@load notice -@load port-name -@load demux -@load login - -module Stepping; - -export { - redef enum Notice += { - # A stepping stone was seen in which the first part of - # the chain is a clear-text connection but the second part - # is encrypted. This often means that a password or - # passphrase has been exposed in the clear, and may also - # mean that the user has an incomplete notion that their - # connection is protected from eavesdropping. - ClearToEncrypted_SS, - }; -} - -global step_log = open_log_file("step") &redef; - -# The following must be defined for the event engine to generate -# stepping stone events. -redef stp_delta = 0.08 sec; -redef stp_idle_min = 0.5 sec; - -global stepping_stone: event(c1: connection, c2: connection, method: string); - -#### First, tag-based schemes - $DISPLAY, Last Login #### - -# If was a login to propagating a $DISPLAY of , -# then we make an entry of [, ] = . -global display_pairs: table[addr, string] of connection; - -# Maps login tags like "Last login ..." to connections. -global tag_to_conn_map: table[string] of connection; - -type tag_info: record { - display: string; # $DISPLAY, if any - tag: string; # login tag, e.g. "Last login ..." 
-}; - -global conn_tag_info: table[conn_id] of tag_info; - -const STONE_DISPLAY = 1; -const STONE_LOGIN_BANNER = 2; -const STONE_TIMING = 4; -### fixme -global detected_stones: table[addr, port, addr, port, addr, port, addr, port] - of count &default = 0; -global did_stone_summary: table[addr, port, addr, port, addr, port, addr, port] - of count &default = 0; - -function new_tag_info(c: connection) - { - local ti: tag_info; - ti$tag = ti$display = ""; - conn_tag_info[c$id] = ti; - } - -event login_display(c: connection, display: string) - { - local id = c$id; - if ( id !in conn_tag_info ) - new_tag_info(c); - - conn_tag_info[id]$display = display; - display_pairs[id$resp_h, display] = c; - - if ( [id$orig_h, display] in display_pairs ) - event Stepping::stepping_stone(display_pairs[id$orig_h, display], c, "display"); - } - -event login_output_line(c: connection, line: string) - { - if ( /^([Ll]ast +(successful)? *login)/ | /^Last interactive login/ - !in line || - # Some finger output includes "Last login ..." but luckily - # appears to be terminated by ctrl-A. - /\001/ in line ) - return; - - if ( c$id !in conn_tag_info ) - new_tag_info(c); - - local ti = conn_tag_info[c$id]; - local tag = line; - - if ( ti$tag == "" ) - ti$tag = tag; - - if ( tag in tag_to_conn_map ) - { - local c2 = tag_to_conn_map[tag]; - - ### Would really like this taken care of by having - # tag_to_conn_map[tag] deleted when c2 goes away. 
- if ( active_connection(c2$id) ) - event Stepping::stepping_stone(c2, c, "login-tag"); - } - else - tag_to_conn_map[tag] = c; - } - -event connection_finished(c: connection) - { - ### would really like some automatic destructors invoked - ### whenever a connection goes away - local id = c$id; - if ( id in conn_tag_info ) - { - local ti = conn_tag_info[id]; - delete display_pairs[id$resp_h, ti$display]; - delete tag_to_conn_map[ti$tag]; - delete conn_tag_info[id]; - } - } - - -#### Now, timing-based correlation #### - -const stp_ratio_thresh = 0.3 &redef; # prop. of idle times that must coincide - -# Time scale to which following thresholds apply. -const stp_scale = 100.0 &redef; - -const stp_common_host_thresh = 2 &redef; # must be <= stp_random_pair_thresh -const stp_random_pair_thresh = 4 &redef; - -const stp_demux_disabled = T &redef; - -# Indexed by the center host (or destination of the first connection, -# for ABCD stepping stones) and the $addl information associated with -# the connection (i.e., often username). If present in the set, then -# we shouldn't bother generating a report for a clear->ssh stepping stone. -const skip_clear_ssh_reports: set[addr, string] &redef; - -global num_stp_pairs = 0; - -type endp_info: record { - conn: connection; - id: conn_id; - resume_time: time; # time when resuming from most recent idle period - old_resume_time: time; # time when resuming from penultimate idle period - idle_cnt: count; # number of idle periods for this endpoint (flow) -}; - -type pair_info: record { - is_stp: bool; # true if flow pair considered a stepping stone pair - hit: count; # number of coincidences - hit_two_in_row: count; # number of coincidences two-in-row -}; - -# For connection k: -# stp_endps[2k] is the orig endpoint -# stp_endps[2k+1] is the resp endpoint -global stp_endps: table[int] of endp_info; - -# Some endpoint pairs are weird, e.g., when two endp's share a common port. 
-# Such weird endp pairs may be correlated, but are unlikely to be stepping -# stone pairs. -global stp_weird_pairs: set[int, int]; - -# Normal (i.e., not weird) endp pairs. -global stp_normal_pairs: table[int, int] of pair_info; - -function is_orig(e: int): bool - { - return (e % 2) == 0; - } - -function peer(e: int): int - { - return (e % 2) == 0 ? (e + 1): (e - 1); - } - -function orig_host(e: int): addr - { - return stp_endps[e]$id$orig_h; - } - -function resp_host(e: int): addr - { - return stp_endps[e]$id$resp_h; - } - -function orig_port(e: int): port - { - return stp_endps[e]$id$orig_p; - } - -function resp_port(e: int): port - { - return stp_endps[e]$id$resp_p; - } - -function build_conn(e: int): connection - { # return the id of the orig, not the resp - return stp_endps[e]$conn; - } - -function stp_id_string(id: conn_id): string - { - return fmt("%s.%d > %s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p); - } - -function stp_create_weird_pair(e1: int, e2: int) - { - add stp_weird_pairs[e1, e2]; - } - -function stp_create_normal_pair(e1: int, e2: int) - { - local pair: pair_info; - - pair$is_stp = F; - pair$hit = pair$hit_two_in_row = 0; - - stp_normal_pairs[e1, e2] = pair; - } - -function stp_correlate_weird_pair(e1: int, e2: int) - { # do nothing right now - } - -global stp_check_normal_pair: function(e1: int, e2: int): bool; - -function stp_correlate_normal_pair(e1: int, e2: int) - { - if ( stp_normal_pairs[e1, e2]$is_stp ) - return; # already classified as stepping stone pair - - ++stp_normal_pairs[e1, e2]$hit; - - if ( stp_endps[e1]$old_resume_time != 0.0 && - stp_endps[e2]$old_resume_time != 0.0 ) - { - local dt = stp_endps[e2]$old_resume_time - - stp_endps[e1]$old_resume_time; - if ( dt >= 0.0 sec && dt <= stp_delta ) - ++stp_normal_pairs[e1, e2]$hit_two_in_row; - } - stp_check_normal_pair(e1, e2); - } - -function stp_check_weird_pair(e1: int, e2: int) - { # do nothing right now - } - -function stp_check_normal_pair(e1: int, e2: int): bool - { - if 
( stp_normal_pairs[e1, e2]$is_stp ) - return T; # already classified as stepping stone pair - - local p1 = peer(e1); - local p2 = peer(e2); - local reverse_exists = [p2, p1] in stp_normal_pairs; - - if ( reverse_exists && stp_normal_pairs[p2, p1]$is_stp ) - { # already classified as stepping stone pair - stp_normal_pairs[e1, e2]$is_stp = T; - return T; - } - - local hit_two_in_row = stp_normal_pairs[e1, e2]$hit_two_in_row; - if ( reverse_exists ) - hit_two_in_row = hit_two_in_row + - stp_normal_pairs[p2, p1]$hit_two_in_row; - - # Criteria 1: - # if ( e1 and e2 share a common host ) - # hit_two_in_row >= stp_common_host_thresh - # else - # hit_two_in_row >= stp_random_pair_thresh - - local factor = max_double(1.0, - min_count(stp_endps[e1]$idle_cnt, - stp_endps[e2]$idle_cnt) / stp_scale); - - if ( hit_two_in_row < factor * stp_common_host_thresh ) - return F; - - if ( hit_two_in_row < factor * stp_random_pair_thresh && - orig_host(e1) != orig_host(e2) && orig_host(e1) != resp_host(e2) && - resp_host(e1) != orig_host(e2) && resp_host(e1) != resp_host(e2) ) - return F; - - # Criteria 2: - # hit_ratio >= stp_ratio_thresh - - local hit_ratio: double; - if ( reverse_exists && - stp_normal_pairs[p2, p1]$hit > stp_normal_pairs[e1, e2]$hit ) - hit_ratio = (1.0 * stp_normal_pairs[p2, p1]$hit) / - min_count(stp_endps[p1]$idle_cnt, - stp_endps[p2]$idle_cnt); - else - hit_ratio = (1.0 * stp_normal_pairs[e1, e2]$hit) / - min_count(stp_endps[e1]$idle_cnt, - stp_endps[e2]$idle_cnt); - - if ( hit_ratio < stp_ratio_thresh ) - return F; - - stp_normal_pairs[e1, e2]$is_stp = T; - event Stepping::stepping_stone(build_conn(e1), build_conn(e2), "timing"); - - return T; - } - -function reverse_id(id: conn_id): conn_id - { - local rid: conn_id; - - rid$orig_h = id$resp_h; - rid$orig_p = id$resp_p; - rid$resp_h = id$orig_h; - rid$resp_p = id$orig_p; - - return rid; - } - -event stp_create_endp(c: connection, e: int, is_orig: bool) - { - local end_i: endp_info; - - end_i$conn = c; - end_i$id 
= is_orig ? c$id : reverse_id(c$id); - end_i$resume_time = end_i$old_resume_time = 0.0; - end_i$idle_cnt = 0; - - stp_endps[e] = end_i; - } - -event stp_resume_endp(e: int) - { - stp_endps[e]$old_resume_time = stp_endps[e]$resume_time; - stp_endps[e]$resume_time = network_time(); - ++stp_endps[e]$idle_cnt; - } - -event stp_correlate_pair(e1: int, e2: int) - { - local normal = T; - - if ( [e1, e2] in stp_normal_pairs ) - ; - - else if ( [e1, e2] in stp_weird_pairs ) - normal = F; - - else - { - # An endpoint pair is considered weird, iff: - # the two flows both originated at same host, or - # both terminated at same host, or - # at least one flow is within a single host, or - # two flows share an endpoint (host, port) - - if ( orig_host(e1) == orig_host(e2) || resp_host(e1) == resp_host(e2) || - orig_host(e1) == resp_host(e1) || orig_host(e2) == resp_host(e2) || - (orig_host(e1) == resp_host(e2) && orig_port(e1) == resp_port(e2)) || - (resp_host(e1) == orig_host(e2) && resp_port(e1) == orig_port(e2)) ) - { - stp_create_weird_pair(e1, e2); - normal = F; - } - else - stp_create_normal_pair(e1, e2); - } - - if ( normal ) - stp_correlate_normal_pair(e1, e2); - else - stp_correlate_weird_pair(e1, e2); - } - -event stp_remove_pair(e1: int, e2: int) - { - delete stp_normal_pairs[e1, e2]; - delete stp_weird_pairs[e1, e2]; - } - -event stp_remove_endp(e: int) - { - delete stp_endps[e]; - } - - -function report_stone(id1: conn_id, addl1: string, id2: conn_id, addl2: string) -: string - { - if ( id1$resp_h == id2$orig_h ) - # A single-intermediary stepping stone. - return fmt("%s -> %s %s-> %s %s", - id1$orig_h, - endpoint_id(id1$resp_h, id1$resp_p), addl1, - endpoint_id(id2$resp_h, id2$resp_p), addl2); - else - # A multi-intermediary stepping stone. - return fmt("%s -> %s %s... 
%s -> %s %s", - id1$orig_h, - endpoint_id(id1$resp_h, id1$resp_p), addl1, - id2$orig_h, - endpoint_id(id2$resp_h, id2$resp_p), addl2); - } - -event stone_summary(id1: conn_id, id2: conn_id) - { - if ( ++did_stone_summary[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] > 1 ) - return; - - local detection_type = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p]; - - local report: string; - - if ( detection_type == STONE_DISPLAY ) - report = "only-display"; - else if ( detection_type == STONE_LOGIN_BANNER ) - report = "only-banner"; - else if ( detection_type == STONE_TIMING ) - report = "only-timing"; - else if ( detection_type == STONE_LOGIN_BANNER + STONE_TIMING ) - report = "stone-both"; - else - report = fmt("stone-other-%d", detection_type); - - print step_log, fmt("%s detected %s %s %d %s %d %s %d %s %d", - network_time(), report, id1$orig_h, id1$orig_p, id1$resp_h, - id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p); - } - -event stepping_stone(c1: connection, c2: connection, method: string) - { - # Put into canonical form: make #1 be the earlier of the two - # connections. - local id1 = c1$start_time < c2$start_time ? c1$id : c2$id; - local id2 = c1$start_time < c2$start_time ? c2$id : c1$id; - - local addl1 = c1$start_time < c2$start_time ? c1$addl : c2$addl; - local addl2 = c1$start_time < c2$start_time ? c2$addl : c1$addl; - - if ( id1$orig_h == id2$orig_h || id1$resp_h == id2$resp_h ) - # of the form A->B, A->C ; or B->A, C->A ; uninteresting. - return; - - local tag = fmt("stp.%d", ++num_stp_pairs); - local prelude = fmt("%.6f step %s (%s)", network_time(), num_stp_pairs, method); - - local stone_type = (method == "display" ? STONE_DISPLAY : - (method == "login-tag" ? 
STONE_LOGIN_BANNER : - STONE_TIMING)); - - local current_stones = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p]; - - if ( (current_stones / stone_type) % 2 == 0 ) - detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] = current_stones + stone_type; - - schedule 1 day { stone_summary(id1, id2) }; - - print step_log, fmt("%s: %s", prelude, report_stone(id1, addl1, id2, addl2)); - - local is_ssh1 = id1$orig_p == ssh || id1$resp_p == ssh; - local is_ssh2 = id2$orig_p == ssh || id2$resp_p == ssh; - - if ( ! is_ssh1 && is_ssh2 ) - { # Inbound clear-text, outbound ssh. - if ( [id1$resp_h, addl1] !in skip_clear_ssh_reports ) - NOTICE([$note=ClearToEncrypted_SS, - # The following isn't sufficient for - # A->(B->C)->D stepping stones, only A->B->C. - $src=c1$id$orig_h, $conn=c2, - $user=addl1, $sub=addl2, - $msg=fmt("clear -> ssh: %s", report_stone(id1, addl1, id2, addl2))]); - } - - if ( ! stp_demux_disabled ) - { - demux_conn(id1, tag, "keys", "server"); - demux_conn(id2, tag, "keys", "server"); - } - } diff --git a/policy.old/summaries/app-summary.bro b/policy.old/summaries/app-summary.bro deleted file mode 100644 index 5be50f661a..0000000000 --- a/policy.old/summaries/app-summary.bro +++ /dev/null 
@@ -1,57 +0,0 @@ -@load conn-util -@load conn-app-reduced - -global conn_size_table: table[conn_id] of count; -global conn_size_log = open_log_file("conn-size") &redef; - -function add_to_conn_size(id: conn_id, size: count) - { - if ( id !in conn_size_table ) - conn_size_table[id] = 0; - local previous_size = conn_size_table[id]; - conn_size_table[id] = conn_size_table[id] + size; - if ( conn_size_table[id] < previous_size ) - { - print conn_size_log, fmt("ERROR: %.6f size wrapping around: %s, prev_size = %d, add = %d", - network_time(), conn_id_string(id), previous_size, size); - } - } - -event after_connections_state_remove(c: connection) - { - local id = c$id; - local app_size: count; - local transport_size: count; - if ( id !in conn_size_table ) - conn_size_table[id] = 0; - app_size = conn_size_table[id]; - transport_size = c$orig$size + c$resp$size; - local size_delta: int = transport_size - app_size; - local annotation: string = "none"; - if ( app_size > transport_size ) - annotation = "negative_transport_overhead"; - else if ( size_delta > 1000 && 1.0 * size_delta / transport_size > 0.3 ) - annotation = "suspicious_transport_overhead"; - - print conn_size_log, fmt("conn %s app_size %d conn_size %d annotation %s", conn_id_string(id), app_size, transport_size, annotation); - - delete conn_size_table[id]; - } - -event connection_state_remove(c: connection) - { - event after_connections_state_remove(c); - } - -function print_app_summary(log: file, - id: conn_id, conn_start: time, func: string, start: time, - num_req: count, req_size: count, num_resp: count, resp_size: count, - extra: string) - { - add_to_conn_size(id, req_size + resp_size); - print log, fmt("conn %s conn_start %.6f app %s app_func %s start %.6f req %d pyld_^ %d reply %d pyld_v %d%s", - conn_id_string(id), conn_start, conn_app[id], func, start, - num_req, req_size, - num_resp, resp_size, - byte_len(extra) > 0 ? cat(" ", extra) : ""); - } 
diff --git a/policy.old/summaries/conn-app-reduced.bro b/policy.old/summaries/conn-app-reduced.bro deleted file mode 100644 index 74cce70dee..0000000000 --- a/policy.old/summaries/conn-app-reduced.bro +++ /dev/null @@ -1,37 +0,0 @@ -@load port-name - -# Used to annotate apps for connections on ephemeral ports -global conn_app: table[conn_id] of string &default = - function(id: conn_id): string - { - local p = is_icmp_port(id$resp_p) ? id$orig_p : id$resp_p; - if ( p in port_names ) - return port_names[p]; - else - return fmt("%s", p); - }; - -redef port_names += { - [0/icmp] = "icmp-echo", - [8/icmp] = "icmp-echo", - [3/icmp] = "icmp-unreach", - - [497/tcp] = "dantz", - [554/tcp] = "rtsp", - [5730/tcp] = "steltor", # calendar - [[7501/tcp, 7502/tcp, 7503/tcp, 7504/tcp, 7505/tcp, - 7506/tcp, 7507/tcp, 7508/tcp, 7509/tcp, 7510/tcp]] - = "hpss", - [[3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp]] = "http", - [8443/tcp] = "https", - [3396/tcp] = "printer-agent", - [13782/tcp] = "veritas-backup-ctrl", - [16384/tcp] = "connected-backup", - - [67/udp] = "dhcp-s", # bootstrap for diskless hosts - [68/udp] = "dhcp-c", # reply-port - [427/udp] = "srvloc", - [11001/udp] = "metasys", # cardkey - [38293/udp] = "nav-ping", # norton anti-virus host discovery -}; - diff --git a/policy.old/summaries/conn-app.bro b/policy.old/summaries/conn-app.bro deleted file mode 100644 index 243ad03f36..0000000000 --- a/policy.old/summaries/conn-app.bro +++ /dev/null @@ -1,21 +0,0 @@ -@load conn-app-reduced - -@load ftp -@load dce-rpc - -event new_connection(c: connection) - { - local id = c$id; - if ( [id$resp_h, id$resp_p] in DCE_RPC::dce_rpc_endpoint ) - { - # local uuid = DCE_RPC::dce_rpc_endpoint[id$resp_h, id$resp_p]; - # conn_app[id] = fmt("dce-rpc-%s", - # ( uuid in DCE_RPC::dce_rpc_uuid_name ) ? - # DCE_RPC::dce_rpc_uuid_name[uuid] : "unknown"); - conn_app[id] = "dce-rpc"; - } - else if ( FTP::is_ftp_data_connection(c) ) - { - conn_app[id] = "ftp-data"; - } - } 
diff --git a/policy.old/summaries/conn-size.bro b/policy.old/summaries/conn-size.bro
deleted file mode 100644
index 8001911ed6..0000000000
--- a/policy.old/summaries/conn-size.bro
+++ /dev/null
@@ -1,83 +0,0 @@ -# const number_of_regions = 32; -const region_size = 1024 * 1024; # 1MB -@load large-conns - -global conn_size_log = open_log_file("conn-size") &redef; - -function conn_id_string(id: conn_id): string - { - return fmt("%s/%d=>%s/%s", - id$orig_h, id$orig_p, - id$resp_h, id$resp_p); - } - -function report_size_error(c: connection, msg: string) - { - print conn_size_log, fmt("conn %s start %.6f duration %.6f pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d size_error [%s]", - conn_id_string(c$id), - c$start_time, - c$duration, - c$orig$num_pkts, c$orig$size, - c$resp$num_pkts, c$resp$size, - msg); - } - -function conn_size(c: connection, is_orig: bool): string - { - local endp = is_orig ? c$orig : c$resp; - local endp_name = is_orig ? "orig" : "resp"; - local size = endp$size; - - if ( is_tcp_port(c$id$resp_p) ) - # double check TCP sizes - { - local est = estimate_flow_size_and_remove(c$id, is_orig); - if ( est$have_est ) - { - print conn_size_log, - fmt("conn %s endpoint %s size %d low %.0fMB high %.0fMB inconsistent %d", - conn_id_string(c$id), endp_name, - endp$size, - est$lower / 1e6, - est$upper / 1e6, - est$num_inconsistent); - - if ( est$num_inconsistent > 0 ) - { - report_size_error(c, - fmt("%s size error inconsistent %d", - endp_name, - est$num_inconsistent)); - return "-"; - } - - if ( size < est$lower || size > est$upper ) - { - report_size_error(c, - fmt("%s size error estimates: %.0fMB - %.0fMB", - endp_name, - est$lower / 1e6, - est$upper / 1e6)); - return "-"; - } - } - } - else if ( is_udp_port(c$id$resp_p) ) - { - if ( endp$num_pkts > size && size != 0 ) - { - report_size_error(c, - fmt("%s size error: pkt > size", - endp_name)); - return "-"; - } - } - - return fmt("%d", size); - } - -event connection_state_remove(c: connection) - { - local orig_size = conn_size(c, T); - local resp_size = conn_size(c, F); - } 
diff --git a/policy.old/summaries/conn-summary.bro b/policy.old/summaries/conn-summary.bro
deleted file mode 100644
index dc89e49acc..0000000000
--- a/policy.old/summaries/conn-summary.bro
+++ /dev/null
@@ -1,99 +0,0 @@ -@load conn-util -# @load conn-app -# @load smb-tag -# @load dce-rpc-tag - -module ConnSummary; - -# redef capture_filters += { ["TUI"] = "tcp or udp or icmp" }; -redef capture_filters = { ["ip"] = "ip" }; # to also capture IP fragments -# redef SMB_tag::log_smb_tags = F; -# redef DCE_RPC_tag::log_dce_rpc_tags = F; - -global conn_summary_log = open_log_file("conn-summary") &redef; - -global conn_annotation: table[conn_id] of string &default = ""; - -function add_to_conn_annotation(cid: conn_id, new_annotation: string) - { - local a: string; - if ( cid in conn_annotation ) - conn_annotation[cid] = - cat(conn_annotation[cid], ",", new_annotation); - else - conn_annotation[cid] = new_annotation; - } - -# II. Annotation events -event new_connection(c: connection) - { - if ( is_tcp_port(c$id$resp_p) ) - { - if ( c$orig$state != TCP_SYN_SENT ) - { - # add_to_conn_annotation(c$id, "partial"); - } - } - } - -event partial_connection(c: connection) - { - add_to_conn_annotation(c$id, "partial"); - } - -event connection_established(c: connection) - { - if ( c$orig$state == TCP_ESTABLISHED && c$resp$state == TCP_ESTABLISHED ) - { - add_to_conn_annotation(c$id, "established"); - } - } - -event connection_rejected(c: connection) - { - add_to_conn_annotation(c$id, "rejected"); - } - -event connection_reset(c: connection) - { - add_to_conn_annotation(c$id, "reset"); - } - -event connection_attempt(c: connection) - { - add_to_conn_annotation(c$id, "attempt"); - } - -event connection_finished(c: connection) - { - add_to_conn_annotation(c$id, "finished"); - } - -event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context) - { - add_to_conn_annotation(context$id, "unreach"); - } - -event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) - { - add_to_conn_annotation(context$id, "time_exceeded"); - } - -event connection_state_remove(c: connection) - { - # local tag_smb = get_smb_tag(c$id); - # local 
tag_dce_rpc = get_dce_rpc_tag(c$id); - - print conn_summary_log, fmt("conn %s start %.6f duration %.6f app %s pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d state %s notes [%s]", - conn_id_string(c$id), - c$start_time, - c$duration, - conn_app[c$id], - c$orig$num_pkts, c$orig$size, - c$resp$num_pkts, c$resp$size, - conn_state(c, get_port_transport_proto(c$id$resp_p)), - conn_annotation[c$id]); - - delete conn_annotation[c$id]; - delete conn_app[c$id]; - } diff --git a/policy.old/summaries/conn-util.bro b/policy.old/summaries/conn-util.bro deleted file mode 100644 index 623ca04955..0000000000 --- a/policy.old/summaries/conn-util.bro +++ /dev/null @@ -1,55 +0,0 @@ -function conn_id_string(id: conn_id): string - { - return fmt("%s/%d=>%s/%s", - id$orig_h, id$orig_p, - id$resp_h, id$resp_p); - } - -function connection_state(c: connection, trans: transport_proto): string - { - local os = c$orig$state; - local rs = c$resp$state; - - local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL; - local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL; - - if ( trans == tcp ) - { - if ( rs == TCP_RESET ) - { - if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT || - (os == TCP_RESET && - c$orig$size == 0 && c$resp$size == 0) ) - return "REJ"; - else if ( o_inactive ) - return "RSTRH"; - else - return "RSTR"; - } - else if ( os == TCP_RESET ) - return r_inactive ? "RSTOS0" : "RSTO"; - else if ( rs == TCP_CLOSED && os == TCP_CLOSED ) - return "SF"; - else if ( os == TCP_CLOSED ) - return r_inactive ? "SH" : "S2"; - else if ( rs == TCP_CLOSED ) - return o_inactive ? "SHR" : "S3"; - else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE ) - return "S0"; - else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED ) - return "S1"; - else - return "OTH"; - } - - else if ( trans == udp ) - { - if ( os == UDP_ACTIVE ) - return rs == UDP_ACTIVE ? "SF" : "S0"; - else - return rs == UDP_ACTIVE ? "SHR" : "OTH"; - } - - else - return "OTH"; - } 
diff --git a/policy.old/summaries/dce-rpc-summary.bro b/policy.old/summaries/dce-rpc-summary.bro
deleted file mode 100644
index 0d6ffecf96..0000000000
--- a/policy.old/summaries/dce-rpc-summary.bro
+++ /dev/null
@@ -1,93 +0,0 @@ -@load conn-util -@load dce-rpc -@load app-summary - -module DCE_RPC_summary; - -global log = open_log_file("dce-rpc-summary") &redef; - -type dce_rpc_transaction: record { - connection_id: conn_id; - conn_start: time; - uuid: string; - opnum: count; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; -}; - -global conn_uuid: table[conn_id] of string &default = DCE_RPC::null_uuid; -global dce_rpc_trans_table: table[conn_id] of dce_rpc_transaction; -# global msg_size: table[conn_id, bool] of count; - -function end_dce_rpc_transaction(id: conn_id) - { - if ( id !in dce_rpc_trans_table ) - return; - - local t = dce_rpc_trans_table[id]; - local ifname = DCE_RPC::dce_rpc_uuid_name[t$uuid]; - local func_name = DCE_RPC::dce_rpc_func_name[ifname, t$opnum]; - print_app_summary(log, - t$connection_id, - t$conn_start, - fmt("%s/%s", ifname, func_name), - t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("ifname %s", ifname)); - - delete dce_rpc_trans_table[id]; - } - -function new_dce_rpc_transaction(c: connection, uuid: string, opnum: count): dce_rpc_transaction - { - local id = c$id; - - # End any previous trans - end_dce_rpc_transaction(id); - - local t = [ - $connection_id = id, $conn_start = c$start_time, - $uuid = uuid, $opnum = opnum, - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0]; - - dce_rpc_trans_table[id] = t; - return t; - } - -event dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string) - { - # msg_size[c$id, is_orig] = byte_len(msg); - } - -event dce_rpc_bind(c: connection, uuid: string) - { - conn_uuid[c$id] = uuid; - } - -event dce_rpc_request(c: connection, opnum: count, stub: string) - { - local t = new_dce_rpc_transaction(c, conn_uuid[c$id], opnum); - ++t$num_req; - t$req_size = t$req_size + byte_len(stub); - # t$req_size = t$req_size + msg_size[c$id, T]; - } - -event dce_rpc_response(c: connection, opnum: count, 
stub: string) - { - local t = dce_rpc_trans_table[c$id]; - ++t$num_resp; - t$resp_size = t$resp_size + byte_len(stub); - # t$resp_size = t$resp_size + msg_size[c$id, F]; - } - -event connection_state_remove(c: connection) - { - if ( c$id in dce_rpc_trans_table ) - end_dce_rpc_transaction(c$id); - } diff --git a/policy.old/summaries/dce-rpc-tag.bro b/policy.old/summaries/dce-rpc-tag.bro deleted file mode 100644 index b74aaa704b..0000000000 --- a/policy.old/summaries/dce-rpc-tag.bro +++ /dev/null @@ -1,68 +0,0 @@ -@load conn-util -@load dce-rpc - -redef capture_filters += { - ["dce-rpc"] = "tcp or udp", -}; - -global dce_rpc_tag: table[conn_id] of string &default = ""; - -const log_dce_rpc_tags = T &redef; -function get_dce_rpc_tag(id: conn_id): string - { - if ( id in dce_rpc_tag ) - return dce_rpc_tag[id]; - else - return ""; - } - -module DCE_RPC_tag; - -global log = open_log_file("dce_rpc-tag") &redef; - -function add_to_dce_rpc_tag(c: connection, name: string): bool - { - local id = c$id; - local orig_tag = dce_rpc_tag[id]; - - if ( orig_tag == "" ) - { - dce_rpc_tag[id] = name; - } - else if ( strstr(orig_tag, name) == 0 ) - { - dce_rpc_tag[id] = cat(orig_tag, ",", name); - } - - return T; - } - -# Deficiency: it only looks at the bind request, but not the reply, so we -# do not know if the bind is successful. - -event dce_rpc_bind(c: connection, uuid: string) - { - local if_name = DCE_RPC::dce_rpc_uuid_name[uuid]; - if ( log_dce_rpc_tags ) - print log, fmt("%.6f %s DCE_RPC_Bind: %s", - network_time(), id_string(c$id), if_name); - add_to_dce_rpc_tag(c, if_name); - } - -event delete_dce_rpc_tag(c: connection) - { - delete dce_rpc_tag[c$id]; - } - -event connection_state_remove(c: connection) - { - if ( c$id in dce_rpc_tag ) - { - if ( log_dce_rpc_tags ) - print log, fmt("conn %s start %.6f DCE/RPC [%s]", - conn_id_string(c$id), - c$start_time, - dce_rpc_tag[c$id]); - event delete_dce_rpc_tag(c); - } - } 
diff --git a/policy.old/summaries/dns-common-summary.bro b/policy.old/summaries/dns-common-summary.bro
deleted file mode 100644
index 14d4187d3f..0000000000
--- a/policy.old/summaries/dns-common-summary.bro
+++ /dev/null
@@ -1,245 +0,0 @@ -@load conn-util -@load app-summary -@load dns-info - -module DNS_common_summary; - - -export { - - global dns_summary_log = open_log_file("dns-common-summary") &redef; - - const server_ports = { - 53/udp, 53/tcp, 137/udp, - } &redef; -} - -redef capture_filters += { - ["dns"] = "port 53", - ["netbios-ns"] = "udp port 137", -}; - -const dns_op_name = { - [0] = "QUERY", - [1] = "IQUERY", - [2] = "STATUS", - [5] = "NB_REGISTER", - [6] = "NB_RELEASE", - [7] = "NB_WACK", - [8] = "NB_REFRESH", -} &default = function(op: count): string - { - return fmt("op-%d", op); - }; - -function dns_qtype(qtype: int, server_port: port): string - { - if ( qtype < 0 ) - return "none"; - - if ( server_port == 137/udp ) - { - if ( qtype == 32 ) - return "NB"; - if ( qtype == 33 ) - return "NBSTAT"; - } - - return query_types[int_to_count(qtype)]; - } - -function dns_rcode(rcode: int): string - { - return ( rcode < 0 ) ? "none" : - base_error[int_to_count(rcode)]; - } - -const netbios_host_type = { - ["00"] = "workstation", - ["03"] = "messenger", - ["1b"] = "domain_master_browser", - ["20"] = "server", - ["1c"] = "domain_group", - ["1d"] = "master_browser_group", - ["1e"] = "group", -} &default = function(t: string): string { return t; }; - -const dns_transaction_timeout = 30 sec &redef; - -type dns_transaction: record { - connection_id: conn_id; - conn_start: time; - func: string; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - - num_q: count; - qtype: string; - query: string; - host_type: string; - rcode: string; - resp_time: time; # of the first resp -}; - -# Use only the client addr and transaction id for index, because -# Netbios/NS clients sometimes send to broadcast address -type dns_trans_index: record { - client: addr; - client_port: port; - id: count; - server: addr; - server_port: port; -}; -global dns_trans_table: table[dns_trans_index] of dns_transaction; - -function fmt_list(x: string): string - { - if ( 
strstr(x, ",") > 0 ) - return cat("[", x, "]"); - else - return x; - } - -event expire_DNS_transaction(ind: dns_trans_index) - { - if ( ind !in dns_trans_table ) - return; - - local t = dns_trans_table[ind]; - if ( ind$server_port in server_ports ) - { - print_app_summary(dns_summary_log, - t$connection_id, - t$conn_start, - t$func, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("qtype %s return %s query '%s' host_type %s latency %.6f", - fmt_list(t$qtype), fmt_list(t$rcode), - fmt_list(gsub(t$query, / /, "_")), - fmt_list(t$host_type), - t$resp_time >= t$start ? t$resp_time - t$start : -1 sec)); - } - delete dns_trans_table[ind]; - } - -function lookup_dns_transaction(c: connection, msg: dns_msg, is_orig: bool): dns_transaction - { - local id = c$id; - local client: addr; - local server: addr; - local client_port: port; - local server_port: port; - - if ( ( ! msg$QR && is_orig ) || ( msg$QR && ! is_orig ) ) - { - client = id$orig_h; - client_port = id$orig_p; - server = id$resp_h; - server_port = id$resp_p; - } - else - { - client = id$resp_h; - client_port = id$resp_p; - server = id$orig_h; - server_port = id$orig_p; - } - - # print fmt("%.6f client %s server %s", network_time(), client, server); - - # Netbios queries are sometimes sent to broadcast addresses, - # so we ignore the server part - if ( server_port == 137/udp ) - server = 0.0.0.0; - - local ind = [$client = client, $client_port = client_port, - $id = msg$id, - $server = server, $server_port = server_port]; - - if ( ind !in dns_trans_table ) - { - local t = [ - $connection_id = id, - $conn_start = c$start_time, - $func = dns_op_name[msg$opcode], - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $num_q = 0, - $qtype = "none", - $query = "none", $host_type = "none", - $rcode = "none", - $resp_time = network_time() - 1 sec]; - dns_trans_table[ind] = t; - } - - schedule dns_transaction_timeout { - expire_DNS_transaction(ind) - }; - - return 
dns_trans_table[ind]; - } - -event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) - { - local t = lookup_dns_transaction(c, msg, is_orig); - if ( ! msg$QR ) - { - ++t$num_req; - t$req_size = t$req_size + len; - } - else - { - local rcode = dns_rcode(msg$rcode); - if ( t$rcode == "none" ) - t$rcode = rcode; - else if ( t$rcode != rcode ) - t$rcode = cat(t$rcode, ",", rcode); - ++t$num_resp; - t$resp_size = t$resp_size + len; - if ( t$num_resp == 1 ) - t$resp_time = network_time(); - } - } - -function append_query(t: dns_transaction, query: string, host_type: string, qtype: string) - { - ++t$num_q; - if ( t$num_q == 1 ) - { - t$qtype = qtype; - t$query = query; - t$host_type = host_type; - } - else - { - if ( qtype != t$qtype ) - t$qtype = cat(t$qtype, ",", qtype); - if ( query != t$query ) - t$query = cat(t$query, ",", query); - if ( host_type != t$host_type ) - t$host_type = cat(t$host_type, ",", host_type); - } - } - -event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) - { - local host_type = "n/a"; - if ( c$id$resp_p == 137/udp ) - { - query = decode_netbios_name(query); - local last_byte = sub_bytes(query, byte_len(query) - 2, 2); - host_type = netbios_host_type[last_byte]; - } - - # print log, fmt("conn %s start %.6f op %d qtype 0x%x name [%s]", - # conn_id_string(c$id), network_time(), - # msg$opcode, qtype, query); - - local t = lookup_dns_transaction(c, msg, T); - append_query(t, query, host_type, dns_qtype(qtype, c$id$resp_p)); - } diff --git a/policy.old/summaries/dns-summary.bro b/policy.old/summaries/dns-summary.bro deleted file mode 100644 index 327f2f5032..0000000000 --- a/policy.old/summaries/dns-summary.bro +++ /dev/null @@ -1,8 +0,0 @@ -@load dns-common-summary - -redef DNS_common_summary::log = open_log_file("dns-summary"); -redef DNS_common_summary::server_ports = { 53/udp, 53/tcp }; - -redef capture_filters = { - ["dns"] = "port 53", -}; 
diff --git a/policy.old/summaries/http-rps-summary.bro b/policy.old/summaries/http-rps-summary.bro
deleted file mode 100644
index 0241a886b7..0000000000
--- a/policy.old/summaries/http-rps-summary.bro
+++ /dev/null
@@ -1,171 +0,0 @@ -# $Id:$ - -@load http -@load app-summary - -redef capture_filters = { - ["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128", -}; - -module HTTP_req_per_session; - -export { - global log = open_log_file("http-rps-summary") &redef; - const http_session_idle_timeout = 1 sec &redef; -} - -type http_session: record { - # standard stuff - connection_id: conn_id; # of the first conn - conn_start: time; - func: string; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - - # for timeout - unfinished_req: count; - unfinished_resp: count; - last_time: time; -}; - -global expire_http_session: function( - tbl: table[addr] of http_session, index: addr): interval; - -global http_ssn_table: table[addr] of http_session - &read_expire = http_session_idle_timeout - &expire_func = expire_http_session; - -function new_http_session(c: connection): http_session - { - local t = [ - $connection_id = c$id, - $conn_start = c$start_time, - $func = "unknown", - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $unfinished_req = 0, $unfinished_resp = 0, - $last_time = network_time()]; - - return t; - } - -function lookup_http_session(c: connection, is_orig: bool): http_session - { - local id = c$id; - local index = id$orig_h; - - if ( index !in http_ssn_table ) - { - if ( ! 
is_orig ) - print fmt("%.6f HTTP session not found for a resposne", - network_time(), conn_id_string(id)); - - http_ssn_table[index] = new_http_session(c); - } - - return http_ssn_table[index]; - } - -function end_http_session(t: http_session) - { - print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("duration %.6f", t$last_time - t$start)); - } - -function check_expiration(t: http_session): bool - { - print fmt("%.6f check expiration http_session %s: %.6f %d,%d %d,%d", - network_time(), conn_id_string(t$connection_id), - t$last_time, - t$num_req, t$num_resp, - t$unfinished_req, t$unfinished_resp); - - if ( network_time() - t$last_time < http_session_idle_timeout - || ( t$unfinished_req + t$unfinished_resp > 0 && - network_time() - t$last_time < 15 min && - ! done_with_network ) ) - { - print fmt("do not expire"); - return F; - } - - end_http_session(t); - return T; - } - -function expire_http_session(tbl: table[addr] of http_session, - index: addr): interval - { - local t = tbl[index]; - if ( ! check_expiration(t) ) - { - print fmt("... 
no, wait one more second: %d, %d", - t$unfinished_req, t$unfinished_resp); - return 1 sec; - } - return 0 sec; - } - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - local t = lookup_http_session(c, T); - if ( check_expiration(t) ) - { - delete http_ssn_table[c$id$orig_h]; - t = lookup_http_session(c, T); - } - t$func = method; - ++t$num_req; - ++t$unfinished_req; - t$last_time = network_time(); - } - -event http_reply(c: connection, version: string, code: count, reason: string) - { - # print fmt("http reply"); - local t = lookup_http_session(c, F); - ++t$num_resp; - ++t$unfinished_resp; - t$last_time = network_time(); - } - -function http_request_done(c: connection, stat: http_message_stat) - { - # print fmt("http request done"); - local t = lookup_http_session(c, T); - t$req_size = t$req_size + stat$body_length; - if ( t$unfinished_req > 0 ) - --t$unfinished_req; - t$last_time = network_time(); - } - -function http_reply_done(c: connection, stat: http_message_stat) - { - local t = lookup_http_session(c, F); - t$resp_size = t$resp_size + stat$body_length; - if ( t$unfinished_resp > 0 ) - --t$unfinished_resp; - t$last_time = network_time(); - } - -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( is_orig ) - http_request_done(c, stat); - else - http_reply_done(c, stat); - } - -event bro_done() - { - for ( index in http_ssn_table ) - { - end_http_session(http_ssn_table[index]); - } - } diff --git a/policy.old/summaries/http-summary.bro b/policy.old/summaries/http-summary.bro deleted file mode 100644 index 1f6c1219e4..0000000000 --- a/policy.old/summaries/http-summary.bro +++ /dev/null 
@@ -1,281 +0,0 @@
-@load http
-@load app-summary
-
-redef capture_filters = {
- ["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128",
- ["ipp"] = "tcp port 631",
-};
-
-module HTTP_summary;
-
-global log = open_log_file("http-summary") &redef;
-
-type http_transaction: record {
- # standard stuff
- connection_id: conn_id;
- conn_start: time;
- func: string;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
-
- # for tracking the state
- req_done: bool;
- resp_done: bool;
- done: bool;
-
- # http-specific stuff
- code: count;
- req_content_type: string;
- resp_content_type: string;
- conditional_get: string;
- user_agent: string;
- cache_control: string;
- last_modified: string;
- etag: string;
-};
-
-type http_trans_group: record {
- trans: table[count] of http_transaction;
- first_req: count;
- last_req: count;
-};
-
-global http_trans_table: table[conn_id] of http_trans_group;
-
-function lookup_http_trans_group(id: conn_id, create: bool): http_trans_group
- {
- if ( id !in http_trans_table )
- {
- if ( create )
- {
- local trans: table[count] of http_transaction;
- http_trans_table[id] = [
- $trans = trans, $first_req = 1, $last_req = 0];
- }
- else
- print fmt("HTTP trans_group not found: %s", conn_id_string(id));
- }
-
- return http_trans_table[id];
- }
-
-function new_http_transaction(c: connection, func: string): http_transaction
- {
- # print fmt("new http trans: %.6f %s", network_time(), func);
- local g = lookup_http_trans_group(c$id, T);
-
- local t = [
- $connection_id = c$id,
- $conn_start = c$start_time,
- $func = func,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0,
- $req_done = F, $resp_done = F, $done = F,
- $code = 0,
- $req_content_type = "none",
- $resp_content_type = "none",
- $conditional_get = "no",
- $user_agent = "none",
- $cache_control = "none",
- $last_modified = "none",
- $etag = "none"];
-
- ++g$last_req;
- g$trans[g$last_req] = t;
-
- return t;
- }
-
-function lookup_http_transaction(id: conn_id, is_orig: bool): http_transaction
- {
- local g = lookup_http_trans_group(id, F);
- local index = is_orig ? g$last_req : g$first_req;
-
- if ( index !in g$trans )
- {
- print fmt("HTTP transaction not found: %s : %d-%d",
- conn_id_string(id), g$first_req, g$last_req);
- }
-
- return g$trans[index];
- }
-
-function end_http_transaction(t: http_transaction)
- {
- if ( t$req_done && t$resp_done )
- {
- if ( t$done )
- return;
- t$done = T;
- print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("code %d content_type_^ %s content_type_v %s conditional_get %s user_agent %s cache_control %s last_modified %s etag %s",
- t$code,
- t$req_content_type, t$resp_content_type,
- t$conditional_get,
- subst_string(t$user_agent, " ", "_"),
- subst_string(t$cache_control, " ", ""),
- t$last_modified == "none" ? "none" : "present",
- t$etag == "none" ? "none" : "present"
- ));
- }
- }
-
-event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
- {
- # print fmt("http request");
- local t = new_http_transaction(c, method);
- ++t$num_req;
- t$req_done = F;
- }
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- # print fmt("http reply");
- local id = c$id;
- local g = lookup_http_trans_group(id, T);
- local t: http_transaction;
- if ( g$first_req in g$trans )
- t = g$trans[g$first_req];
- else
- t = new_http_transaction(c, "none");
-
- ++t$num_resp;
- t$code = code;
- t$resp_done = F;
- }
-
-function http_request_done(c: connection, stat: http_message_stat)
- {
- # print fmt("http request done");
- local t = lookup_http_transaction(c$id, T);
- t$req_size = t$req_size + stat$body_length;
- t$req_done = T;
- end_http_transaction(t);
- }
-
-function http_reply_done(c: connection, stat: http_message_stat)
- {
- # print fmt("http reply done");
- local t = lookup_http_transaction(c$id, F);
- t$resp_size = t$resp_size + stat$body_length;
- if ( t$code >= 200 )
- {
- t$resp_done = T;
- end_http_transaction(t);
- local g = lookup_http_trans_group(t$connection_id, F);
- ++g$first_req;
- }
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- if ( is_orig )
- http_request_done(c, stat);
- else
- http_reply_done(c, stat);
- }
-
-event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- local type_str = fmt("%s/%s", ty, subty);
- if ( is_orig )
- t$req_content_type = type_str;
- else
- t$resp_content_type = type_str;
- }
-
-function http_conditional_get(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$conditional_get = h$name;
- }
-
-function http_user_agent(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$user_agent = h$value;
- }
-
-function http_cache_control(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$cache_control = h$value;
- }
-
-function http_last_modified(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$last_modified = h$value;
- }
-
-function http_etag(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$etag = h$value;
- }
-
-# type mime_header_rec: record {
-# name: string;
-# value: string;
-# };
-# type mime_header_list: table[count] of mime_header_rec;
-
-const conditional_get_headers = {
- "IF-MODIFIED-SINCE",
- "IF-UNMODIFIED-SINCE",
- "IF-MATCH",
- "IF-NONE-MATCH",
- "IF-RANGE",
-};
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
- {
- if ( ! is_orig )
- return;
-
- for ( i in hlist )
- {
- local h = hlist[i];
- if ( h$name in conditional_get_headers )
- http_conditional_get(c, is_orig, h);
- if ( h$name == "USER-AGENT" )
- http_user_agent(c, is_orig, h);
- if ( h$name == "CACHE-CONTROL" )
- http_cache_control(c, is_orig, h);
- if ( h$name == "LAST-MODIFIED" )
- http_last_modified(c, is_orig, h);
- if ( h$name == "ETAG" )
- http_etag(c, is_orig, h);
- }
- }
-
-function end_http_trans_group(g: http_trans_group, index: count)
- {
- if ( index !in g$trans )
- return;
- local t = g$trans[index];
-
- t$req_done = T;
- t$resp_done = T;
- end_http_transaction(t);
-
- delete g$trans[index];
- end_http_trans_group(g, index + 1);
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
- if ( id in http_trans_table )
- {
- end_http_trans_group(http_trans_table[id], 1);
- delete http_trans_table[id];
- }
- }
diff --git a/policy.old/summaries/ipp-summary.bro b/policy.old/summaries/ipp-summary.bro
deleted file mode 100644
index 5bc4c3df86..0000000000
--- a/policy.old/summaries/ipp-summary.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load http-summary
-
-redef HTTP_summary::log = open_log_file("ipp-summary") &redef;
diff --git a/policy.old/summaries/ncp-summary.bro b/policy.old/summaries/ncp-summary.bro
deleted file mode 100644
index 89c19c6713..0000000000
--- a/policy.old/summaries/ncp-summary.bro
+++ /dev/null
@@ -1,78 +0,0 @@
-@load ncp
-@load app-summary
-
-module NCP_summary;
-
-global ncp_summary_log = open_log_file("ncp-summary") &redef;
-
-type ncp_transaction: record {
- connection_id: conn_id;
- conn_start: time;
- func: string;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
- completion_code: int; # ... of the first reply
-};
-
-global ncp_trans_table: table[conn_id] of ncp_transaction;
-
-function end_ncp_transaction(id: conn_id)
- {
- if ( id !in ncp_trans_table )
- return;
-
- local t = ncp_trans_table[id];
- print_app_summary(ncp_summary_log, t$connection_id, t$conn_start, t$func, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("completion_code %d", t$completion_code));
- }
-
-function new_ncp_transaction(c: connection, func: string): ncp_transaction
- {
- local id = c$id;
-
- # End any previous trans
- end_ncp_transaction(id);
-
- local t = [
- $connection_id = id,
- $conn_start = c$start_time,
- $func = func,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0,
- $completion_code = -1];
-
- ncp_trans_table[id] = t;
- return t;
- }
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- local f = ( frame_type == 0x2222 ) ?
- NCP::ncp_function_name[func] :
- NCP::ncp_frame_type_name[frame_type];
-
- local t = new_ncp_transaction(c, f);
- ++t$num_req;
- t$req_size = t$req_size + length;
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
- {
- local t = ncp_trans_table[c$id];
- ++t$num_resp;
- if ( t$num_resp == 1 )
- t$completion_code = completion_code;
- t$resp_size = t$resp_size + length;
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in ncp_trans_table )
- end_ncp_transaction(c$id);
- }
diff --git a/policy.old/summaries/ncp-tag.bro b/policy.old/summaries/ncp-tag.bro
deleted file mode 100644
index 61c63a2f3f..0000000000
--- a/policy.old/summaries/ncp-tag.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-@load conn-id
-@load ncp
-
-module NCP_tag;
-
-global log = open_log_file("ncp-tag") &redef;
-
-const ncp_request_type = {
-[ 0x11 ] = "print",
-[ 0x16, 0x68 ] = "directory",
-} &default = function(code: count): string
- {
- return fmt("unknown(%x)", code);
- };
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- print log, fmt("%.6f %s NCP request type=%s function=%s",
- network_time(), id_string(c$id),
- NCP::ncp_frame_type_name[frame_type],
- NCP::ncp_function_name[func]);
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count, completion_code: count)
- {
- }
diff --git a/policy.old/summaries/netbios-ns-summary.bro b/policy.old/summaries/netbios-ns-summary.bro
deleted file mode 100644
index 3587b9a954..0000000000
--- a/policy.old/summaries/netbios-ns-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load dns-common-summary
-
-redef DNS_common_summary::dns_summary_log = open_log_file("netbios-ns-summary");
-redef DNS_common_summary::server_ports = { 137/udp };
-
-redef capture_filters += {
- ["netbios-ns"] = "udp port 137",
-};
-
diff --git a/policy.old/summaries/netbios-ssn-summary.bro b/policy.old/summaries/netbios-ssn-summary.bro
deleted file mode 100644
index 5166e56baa..0000000000
--- a/policy.old/summaries/netbios-ssn-summary.bro
+++ /dev/null
@@ -1,112 +0,0 @@
-@load app-summary
-
-redef capture_filters = {
- ["netbios-ssn"] = "tcp port 139",
-};
-
-module NetbiosSSN_summary;
-
-global netbios_log = open_log_file("netbios-ssn-summary") &redef;
-
-const netbios_msg_types = {
- [0x0] = "ssn_message",
- [0x81] = "ssn_request",
- [0x82] = "positive_resp",
- [0x83] = "negative_resp",
- [0x84] = "retarget_resp",
- [0x85] = "keep_alive",
-} &default = function(msg_type: count): string
- {
- return fmt("unknown-0x%x", msg_type);
- };
-
-type netbios_ssn_transaction: record {
- connection_id: conn_id;
- conn_start: time;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
- req_type: string;
- resp_type: string; # ... of the first reply
- raw_ssn_msg: count;
-};
-
-global netbios_ssn_trans_table: table[conn_id] of netbios_ssn_transaction;
-
-function end_netbios_ssn_transaction(id: conn_id)
- {
- if ( id !in netbios_ssn_trans_table )
- return;
-
- local t = netbios_ssn_trans_table[id];
- print_app_summary(netbios_log, t$connection_id, t$conn_start,
- t$req_type, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("req_type %s resp_type %s raw %d",
- t$req_type, t$resp_type, t$raw_ssn_msg));
-
- delete netbios_ssn_trans_table[id];
- }
-
-function lookup_netbios_ssn_transaction(c: connection, new_trans: bool): netbios_ssn_transaction
- {
- local id = c$id;
-
- if ( new_trans )
- {
- # End any previous trans
- end_netbios_ssn_transaction(id);
- }
-
- if ( id !in netbios_ssn_trans_table )
- {
- local t = [
- $connection_id = id,
- $conn_start = c$start_time,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0,
- $req_type = "none", $resp_type = "none",
- $raw_ssn_msg = 0];
- netbios_ssn_trans_table[c$id] = t;
- }
-
- return netbios_ssn_trans_table[c$id];
- }
-
-event netbios_ssn_message(c: connection, is_orig: bool, msg_type: count, data_len: count)
- {
- local msg_type_name = netbios_msg_types[msg_type];
- local t: netbios_ssn_transaction;
- if ( is_orig )
- {
- t = lookup_netbios_ssn_transaction(c, T);
- ++t$num_req;
- if ( t$num_req == 1 )
- t$req_type = msg_type_name;
- t$req_size = t$req_size + data_len;
- }
- else
- {
- t = lookup_netbios_ssn_transaction(c, F);
- ++t$num_resp;
- if ( t$num_resp == 1 )
- t$resp_type = msg_type_name;
- t$resp_size = t$resp_size + data_len;
- }
- }
-
-event netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
- {
- local t = lookup_netbios_ssn_transaction(c, F);
- ++t$raw_ssn_msg;
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in netbios_ssn_trans_table )
- end_netbios_ssn_transaction(c$id);
- }
diff --git a/policy.old/summaries/nfs-summary.bro b/policy.old/summaries/nfs-summary.bro
deleted file mode 100644
index ad1979b33b..0000000000
--- a/policy.old/summaries/nfs-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load sun-rpc-summary
-
-redef SUN_RPC_summary::log = open_log_file("nfs-summary");
-
-redef capture_filters = {
- ["nfs"] = "port 2049",
- # UDP packets are often fragmented
- ["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
diff --git a/policy.old/summaries/rexmit-summary.bro b/policy.old/summaries/rexmit-summary.bro
deleted file mode 100644
index 9f5c1ef0c9..0000000000
--- a/policy.old/summaries/rexmit-summary.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# Statistical analysis of TCP connection in terms of the packet streams
-# in each direction.
-
-@load conn-util
-
-redef capture_filters = { ["tcp"] = "tcp" };
-redef ignore_keep_alive_rexmit = T;
-
-global log = open_log_file("rexmit-summary") &redef;
-
-const min_num_pkts = 0;
-
-event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
- {
- if ( os$num_pkts < min_num_pkts && rs$num_pkts < min_num_pkts )
- return;
-
- print log, fmt("conn %s start %.6f duration %.6f pkt_^ %d rexmit_pkt_^ %d pyld_^ %d rexmit_pyld_^ %d pkt_v %d rexmit_pkt_v %d pyld_v %d rexmit_pyld_v %d",
- conn_id_string(c$id), c$start_time, c$duration,
- os$num_pkts, os$num_rxmit,
- # os$num_pkts == 0 ? 0.0 : 1.0 * os$num_rxmit / os$num_pkts,
- c$orig$size, os$num_rxmit_bytes,
- rs$num_pkts, rs$num_rxmit,
- # rs$num_pkts == 0 ? 0.0 : 1.0 * rs$num_rxmit / rs$num_pkts,
- c$resp$size, rs$num_rxmit_bytes);
- }
diff --git a/policy.old/summaries/smb-summary.bro b/policy.old/summaries/smb-summary.bro
deleted file mode 100644
index 4ba9c575a0..0000000000
--- a/policy.old/summaries/smb-summary.bro
+++ /dev/null
@@ -1,251 +0,0 @@
-@load app-summary
-
-redef capture_filters += {
- ["netbios-dgm"] = "udp port 138",
- ["netbios-ssn"] = "tcp port 139",
- ["microsft-ds"] = "tcp port 445",
-};
-
-module SMB_summary;
-
-global smb_log = open_log_file("smb-summary") &redef;
-global chris_log = open_log_file("chris-summary") &redef;
-
-#const smb_transaction_func = {
-# ["SMB_COM_TRANSACTION", 0x0 ] = "\\PIPE\\LANMAN\\",
-# ["SMB_COM_TRANSACTION", 0x1 ] = "\\MAILSLOT\\",
-# ["SMB_COM_TRANSACTION", 0x54] = "CallNamedPipe",
-# ["SMB_COM_TRANSACTION", 0x53] = "WaitNamedPipe",
-# ["SMB_COM_TRANSACTION", 0x26] = "TransactNmPipe",
-#
-# ["SMB_COM_TRANSACTION2", 0x0] = "TRANS2_OPEN2",
-# ["SMB_COM_TRANSACTION2", 0x1] = "TRANS2_FIND_FIRST2",
-# ["SMB_COM_TRANSACTION2", 0x2] = "TRANS2_FIND_NEXT2",
-# ["SMB_COM_TRANSACTION2", 0x3] = "TRANS2_QUERY_FS_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x5] = "TRANS2_QUERY_PATH_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x6] = "TRANS2_SET_PATH_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x7] = "TRANS2_QUERY_FILE_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x8] = "TRANS2_SET_FILE_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x0d] = "TRANS2_CREATE_DIRECTORY",
-# ["SMB_COM_TRANSACTION2", 0x0e] = "TRANS2_SESSION_SETUP",
-# ["SMB_COM_TRANSACTION2", 0x10] = "TRANS2_GET_DFS_REFERRAL",
-#} &default = function(cmd: string, subcmd: count): string
-# {
-# return fmt("%s/%d", cmd, subcmd);
-# };
-
-type smb_req_resp: record {
- connection_id: conn_id;
- conn_start: time;
- func: string;
- cmd: string;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
-};
-
-type smb_req_reply_group: record {
- trans: table[count] of smb_req_resp;
- first_req: count;
- last_req: count;
-};
-
-global smb_trans_table: table[conn_id] of smb_req_reply_group;
-
-function lookup_smb_req_reply_group(id: conn_id, create: bool): smb_req_reply_group
- {
- if ( id !in smb_trans_table )
- {
- if ( create )
- {
- local trans: table[count] of smb_req_resp;
- smb_trans_table[id] = [
- $trans = trans, $first_req = 1, $last_req = 0];
- }
- else
- print fmt("SMB req_reply_group not found: %s",
- conn_id_string(id));
- }
-
- return smb_trans_table[id];
- }
-
-function new_smb_req_resp(c: connection, cmd: string): smb_req_resp
- {
- local id = c$id;
- local g = lookup_smb_req_reply_group(id, T);
-
- if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
- print fmt("%.6f %s a new req_resp was triggered on a UDP connection!: %s",
- network_time(), conn_id_string(id), cmd);
-
- local t = [
- $connection_id = id, $conn_start = c$start_time,
- $cmd = cmd, $func = cmd,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0
- ];
-
- ++g$last_req;
- g$trans[g$last_req] = t;
-
- return g$trans[g$last_req];
- }
-
-function end_smb_req_resp(t: smb_req_resp)
- {
- print_app_summary(smb_log, t$connection_id, t$conn_start,
- t$func, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("cmd %s", t$cmd));
- }
-
-function lookup_smb_req_resp(c: connection, is_orig: bool, cmd: string): smb_req_resp
- {
- local id = c$id;
- local g = lookup_smb_req_reply_group(id, T);
-
- if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
- print fmt("%.6f %s a lookup was triggered on a UDP connection!: %s",
- network_time(), conn_id_string(id), cmd);
-
- if ( g$first_req > g$last_req )
- {
- print fmt("%.6f %s request missing: %s",
- network_time(), conn_id_string(id), cmd);
- return new_smb_req_resp(c, cmd);
- }
-
- if ( is_orig )
- {
- return g$trans[g$last_req];
- }
- else if ( cmd == "(current)" )
- {
- return g$trans[g$first_req];
- }
- else
- {
- local t = g$trans[g$first_req];
- if ( g$first_req < g$last_req )
- {
- end_smb_req_resp(t);
- ++g$first_req;
- t = g$trans[g$first_req];
- }
- if ( t$cmd != cmd )
- {
- if ( g$first_req < g$last_req )
- return lookup_smb_req_resp(c, is_orig, cmd);
- print fmt("%.6f %s SMB command-reply mismatch",
- network_time(), conn_id_string(id));
- }
- return t;
- }
- }
-
-event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd:
- string, body_length: count, body : string)
- {
- print chris_log, fmt("%.6f %s %s", network_time(), conn_id_string(c$id), cmd);
-
- local t: smb_req_resp;
-
- if ( is_udp_port( c$id$orig_p ) || is_udp_port ( c$id$resp_p ) )
- {
- # dont need to keep track of UDP smb commands
- print_app_summary(smb_log, c$id, network_time(),
- cmd, network_time(),
- 0, 0, 0, 0,
- fmt("cmd %s", cmd));
- }
- else if ( is_orig )
- {
- t = new_smb_req_resp(c, cmd);
- ++t$num_req;
- t$req_size = t$req_size + body_length;
- }
- else
- {
- t = lookup_smb_req_resp(c, is_orig, cmd);
- ++t$num_resp;
- t$resp_size = t$resp_size + body_length;
- }
- }
-
-event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
- {
- print chris_log, fmt("%.6f %s SMB_ERROR:%s", network_time(), conn_id_string(c$id), cmd_str);
- }
-
-event dce_rpc_bind(c: connection, uuid: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, T, "(current)");
- t$func = "DCE_RPC_BIND";
- }
-
-event dce_rpc_request(c: connection, opnum: count, stub: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, T, "(current)");
- t$func = "DCE_RPC_CALL";
- }
-
-event dce_rpc_response(c: connection, opnum: count, stub: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, F, "(current)");
- t$func = "DCE_RPC_CALL";
- }
-
-event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
- {
- if ( is_orig && !is_udp_port( c$id$orig_p ) )
- {
- local t = lookup_smb_req_resp(c, T, "(current)");
- }
- }
-
-event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
- {
- if ( is_orig && !is_udp_port( c$id$orig_p ) )
- {
- local t = lookup_smb_req_resp(c, T, "(current)");
- }
- }
-
-function end_smb_req_reply_group(g: smb_req_reply_group, index: count)
- {
- if ( index > g$last_req )
- return;
-
- if ( index >= g$first_req && index in g$trans )
- end_smb_req_resp(g$trans[index]);
-
- if( index in g$trans )
- {
- delete g$trans[index];
- end_smb_req_reply_group(g, index + 1);
- }
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
- if ( !is_udp_port( id$orig_p ) && id in smb_trans_table )
- {
- local g = smb_trans_table[id];
- end_smb_req_reply_group(g, 1);
- }
- }
diff --git a/policy.old/summaries/smb-tag.bro b/policy.old/summaries/smb-tag.bro
deleted file mode 100644
index 82813b5284..0000000000
--- a/policy.old/summaries/smb-tag.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-@load conn-util
-
-redef capture_filters += {
- ["smb"] = "tcp port 445",
- ["netbios-ss"] = "tcp port 139",
-};
-
-global smb_filename_tag: table[conn_id] of string &default = "";
-
-const log_smb_tags = T &redef;
-function get_smb_tag(id: conn_id): string
- {
- if ( id in smb_filename_tag )
- return smb_filename_tag[id];
- else
- return "";
- }
-
-module SMB_tag;
-
-global log = open_log_file("smb-tag") &redef;
-
-const well_known_files = {
- "\\IPC$",
- "\\print$",
- "\\LANMAN",
- "\\atsvc",
- "\\AudioSrv",
- "\\browser",
- "\\cert",
- "\\Ctx_Winstation_API_Service",
- "\\DAV",
- "\\dnsserver",
- "\\epmapper",
- "\\eventlog",
- "\\HydraLsPipe",
- "\\InitShutdown",
- "\\keysvc",
- "\\locator",
- "\\llsrpc",
- "\\lsarpc",
- "\\msgsvc",
- "\\netdfs",
- "\\netlogon",
- "\\ntsvcs",
- "\\policyagent",
- "\\ipsec",
- "\\ProfMapApi",
- "\\protected_storage",
- "\\ROUTER",
- "\\samr",
- "\\scerpc",
- "\\SECLOGON",
- "\\SfcApi",
- "\\spoolss",
- "\\srvsvc",
- "\\ssdpsrv",
- "\\svcctl",
- "\\tapsrv",
- "\\trkwks",
- "\\W32TIME",
- "\\W32TIME_ALT",
- "\\winlogonrpc",
- "\\winreg",
- "\\winspipe",
- "\\wkssvc",
- "\\lbl.gov",
- "\\LBL"
-};
-
-function well_known_file(n: string): string
- {
- n = to_lower(n);
- local a = "";
- for ( p in well_known_files )
- {
- if ( strstr(n, to_lower(p)) > 0 )
- if ( byte_len(p) > byte_len(a) )
- a = p;
- }
- return a;
- }
-
-function add_to_smb_filename_tag(c: connection, name: string): bool
- {
- if ( name == "\\PIPE\\" || name == "" )
- return F;
-
- local id = c$id;
- local orig_tag = smb_filename_tag[id];
-
- local n = well_known_file(name);
- if ( n == "" )
- {
- if ( log_smb_tags )
- print log, fmt("%.6f %s regular file: \"%s\"",
- network_time(), conn_id_string(c$id), name);
- n = "";
- }
-
- n = fmt("\"%s\"", n);
-
- if ( orig_tag == "" )
- {
- smb_filename_tag[id] = n;
- }
- else if ( strstr(orig_tag, n) == 0 )
- {
- smb_filename_tag[id] = cat(orig_tag, ",", n);
- }
-
- return T;
- }
-
-event smb_com_nt_create_andx(c: connection, name: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
- name: string, data: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
- name: string, data: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_get_dfs_referral(c: connection, max_referral_level: count, file_name: string)
- {
- add_to_smb_filename_tag(c, file_name);
- }
-
-event smb_com_tree_connect_andx(c: connection, path: string, service: string)
- {
- local basic = sub(path, /.*\\/, "\\");
- if ( /\$$/ in basic )
- add_to_smb_filename_tag(c, basic);
- }
-
-event delete_smb_tag(c: connection)
- {
- delete smb_filename_tag[c$id];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in smb_filename_tag )
- {
- if ( log_smb_tags )
- print log, fmt("conn %s start %.6f SMB [%s]",
- conn_id_string(c$id),
- c$start_time,
- smb_filename_tag[c$id]);
- event delete_smb_tag(c);
- }
- }
diff --git a/policy.old/summaries/sun-rpc-summary.bro b/policy.old/summaries/sun-rpc-summary.bro
deleted file mode 100644
index 9f0f376cfd..0000000000
--- a/policy.old/summaries/sun-rpc-summary.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-@load app-summary
-@load rpc
-
-redef capture_filters += {
- ["port-map"] = "port 111",
- ["nfs"] = "port 2049",
- # UDP packets are often fragmented
- ["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
-
-module SUN_RPC_summary;
-
-export {
- global log = open_log_file("sun-rpc-summary") &redef;
-}
-
-global nfs_status: table[conn_id] of count;
-
-event nfs_reply_status(n: connection, status: count)
- {
- # print fmt("%.6f status = %d", network_time(), status);
- nfs_status[n$id] = status;
- }
-
-event rpc_call(c: connection, prog: count, ver: count, proc: count, status: count,
- start_time: time, call_len: count, reply_len: count)
- {
- # print fmt("%.6f rpc_call", network_time());
- local prog_name = RPC::program_name(prog);
- local nfs_st = "n/a";
- if ( c$id in nfs_status )
- {
- nfs_st = fmt("%d", nfs_status[c$id]);
- # print fmt("%.6f get_status = %s", network_time(), nfs_st);
- delete nfs_status[c$id];
- }
-
- print_app_summary(log, c$id, c$start_time,
- fmt("%sv%d/%s",
- prog_name,
- ver,
- RPC::procedure_name(prog, ver, proc)),
- start_time,
- 1, call_len, status == RPC_TIMEOUT ? 0 : 1, reply_len,
- fmt("rpc_status %s nfs_status %s", status, nfs_st));
- }
diff --git a/policy.old/synflood.bro b/policy.old/synflood.bro
deleted file mode 100644
index 3c2ecde4b7..0000000000
--- a/policy.old/synflood.bro
+++ /dev/null
@@ -1,131 +0,0 @@
-# $Id: synflood.bro 4054 2007-03-05 21:45:58Z vern $
-
-@load notice
-
-redef enum Notice += {
- SynFloodStart, # start of syn-flood against a certain victim
- SynFloodEnd, # end of syn-flood against a certain victim
- SynFloodStatus, # report of ongoing syn-flood
-};
-
-# We report a syn-flood if more than SYNFLOOD_THRESHOLD new connections
-# have been reported within the last SYNFLOOD_INTERVAL for a certain IP.
-# (We sample the conns by one out of SYNFLOOD_SAMPLE_RATE, so the attempt
-# counter is an estimated value.). If a victim is identified, we install a
-# filter via install_dst_filter and sample the packets targeting it by
-# SYNFLOOD_VICTIM_SAMPLE_RATE.
-#
-# Ongoing syn-floods are reported every SYNFLOOD_REPORT_INTERVAL.
-
-global SYNFLOOD_THRESHOLD = 15000 &redef;
-global SYNFLOOD_INTERVAL = 60 secs &redef;
-global SYNFLOOD_REPORT_INTERVAL = 1 mins &redef;
-
-# Sample connections by one out of x.
-global SYNFLOOD_SAMPLE_RATE = 100 &redef;
-
-# Sample packets to known victims with probability x.
-global SYNFLOOD_VICTIM_SAMPLE_RATE = 0.01 &redef;
-
-global conn_attempts: table[addr] of count &default = 0;
-global victim_attempts: table[addr,addr] of count
- &default = 0 &read_expire = 5mins;
-
-# We remember up to this many number of sources per victim.
-global max_sources = 100;
-global current_victims: table[addr] of set[addr] &read_expire = 60mins;
-global accumulated_conn_attempts: table[addr] of count &default = 0;
-
-global sample_count = 0;
-global interval_start: time = 0;
-
-# Using new_connection() can be quite expensive but connection_attempt() has
-# a rather large lag that may lead to detecting flood too late. Additionally,
-# it does not cover UDP/ICMP traffic.
-event new_connection(c: connection)
- {
- if ( c$id$resp_h in current_victims )
- {
- ++conn_attempts[c$id$resp_h];
-
- local srcs = current_victims[c$id$resp_h];
- if ( length(srcs) < max_sources )
- add srcs[c$id$orig_h];
- return;
- }
-
- if ( ++sample_count % SYNFLOOD_SAMPLE_RATE == 0 )
- {
- local ip = c$id$resp_h;
-
- if ( ++conn_attempts[ip] * SYNFLOOD_SAMPLE_RATE >
- SYNFLOOD_THRESHOLD )
- {
- NOTICE([$note=SynFloodStart, $src=ip,
- $msg=fmt("start of syn-flood against %s; sampling packets now", ip)]);
-
- add current_victims[ip][c$id$orig_h];
-
- # Drop most packets to victim.
- install_dst_addr_filter(ip, 0,
- 1 - SYNFLOOD_VICTIM_SAMPLE_RATE);
- # Drop all packets from victim.
- install_src_addr_filter(ip, 0, 1.0);
- }
- }
- }
-
-event check_synflood()
- {
- for ( ip in current_victims )
- {
- accumulated_conn_attempts[ip] =
- accumulated_conn_attempts[ip] + conn_attempts[ip];
-
- if ( conn_attempts[ip] * (1 / SYNFLOOD_VICTIM_SAMPLE_RATE) <
- SYNFLOOD_THRESHOLD )
- {
- NOTICE([$note=SynFloodEnd, $src=ip, $n=length(current_victims[ip]),
- $msg=fmt("end of syn-flood against %s; stopping sampling",
- ip)]);
-
- delete current_victims[ip];
- uninstall_dst_addr_filter(ip);
- uninstall_src_addr_filter(ip);
- }
- }
-
- clear_table(conn_attempts);
- schedule SYNFLOOD_INTERVAL { check_synflood() };
- }
-
-event report_synflood()
- {
- for ( ip in current_victims )
- {
- local est_num_conn = accumulated_conn_attempts[ip] *
- (1 / SYNFLOOD_VICTIM_SAMPLE_RATE);
-
- local interv: interval;
-
- if ( interval_start != 0 )
- interv = network_time() - interval_start;
- else
- interv = SYNFLOOD_INTERVAL;
-
- NOTICE([$note=SynFloodStatus, $src=ip, $n=length(current_victims[ip]),
- $msg=fmt("syn-flood against %s; estimated %.0f connections in last %s",
- ip, est_num_conn, interv)]);
- }
-
- clear_table(accumulated_conn_attempts);
-
- schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
- interval_start = network_time();
- }
-
-event bro_init()
- {
- schedule SYNFLOOD_INTERVAL { check_synflood() };
- schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
- }
diff --git a/policy.old/targeted-scan.bro b/policy.old/targeted-scan.bro
deleted file mode 100644
index 09922644ba..0000000000
--- a/policy.old/targeted-scan.bro
+++ /dev/null
@@ -1,114 +0,0 @@
-# $Id:$
-#
-# Drop external hosts that continually bang away on a particular open port.
-#
-# Note that we time out identified scanners to avoid excessive memory
-# utilitization in the event of a wide scan across address space.
-
-@load notice
-@load site
-
-module TargetedScan;
-
-export {
- redef enum Notice += { TargetedScan, };
-
- # If true, then only consider traffic from external sources.
- global external_only = T &redef;
-
- # Which ports to consider.
- const ports = { 1433/tcp, } &redef;
-
- # If set, at least/most this many bytes need to be transferred for
- # a connection using the given port. These are useful for example
- # for inferring that SSH connections reflect password-guessing
- # attempts.
- const min_bytes: table[port] of count &redef;
- const max_bytes: table[port] of count &redef;
-
- # If set, then this is the threshold for reportin accessing
- # for a given service.
- const port_threshold: table[port] of count &redef;
-
- # Otherwise, this is the threshold.
- const general_threshold = 1000 &redef;
-
- # The data structure we use to track targeted probing.
- # It's exported to enable redef'ing the &write_expire value.
- global targeted_tries: table[addr, addr, port] of count
- &default=0 &write_expire=10 min &redef;
-}
-
-function delete_targeted_data(orig: addr, resp: addr, service: port)
- {
- delete targeted_tries[orig, resp, service];
- }
-
-function targeted_check(c: connection)
- {
- local id = c$id;
- local orig = id$orig_h;
- local resp = id$resp_h;
- local service = ("ftp-data" in c$service) ? 20/tcp : id$resp_p;
-
- if ( service !in ports || (external_only && is_local_addr(orig)) )
- return;
-
- local bytes_xferred = c$orig$size + c$resp$size;
-
- if ( service in min_bytes && bytes_xferred < min_bytes[service] )
- return;
- if ( service in max_bytes && bytes_xferred > max_bytes[service] )
- return;
-
- local cnt = ++targeted_tries[orig, resp, service];
-
- if ( service in port_threshold )
- {
- if ( cnt != port_threshold[service] )
- return;
- }
-
- else if ( cnt != general_threshold )
- return;
-
- local svc = service in port_names ?
- port_names[service] : fmt("%s", service);
-
- NOTICE([$note=TargetedScan, $src=orig, $dst=resp, $p=service,
- $msg=fmt("targeted attack on service %s, count = %d", svc, cnt)]);
-
- # Since we've reported this host, we can stop tracking it.
- delete targeted_tries[orig, resp, service];
- }
-
-
-event connection_finished(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_rejected(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_half_finished(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_reset(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_partial_close(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_state_remove(c: connection)
- {
- targeted_check(c);
- }
diff --git a/policy.old/tcp.bro b/policy.old/tcp.bro
deleted file mode 100644
index fd561180bb..0000000000
--- a/policy.old/tcp.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Generic TCP connection processing.
-
-@load conn
-
-redef capture_filters += { ["tcp"] = "tcp[13] & 7 != 0" };
-# redef capture_filters += { ["tcp"] = "(tcp[13] & 7 != 0) or (ip6[53] & 7 != 0)" };
diff --git a/policy.old/terminate-connection.bro b/policy.old/terminate-connection.bro
deleted file mode 100644
index 5242afaf6d..0000000000
--- a/policy.old/terminate-connection.bro
+++ /dev/null
@@ -1,77 +0,0 @@ -# $Id$ - -@load site -@load notice - -# Ugly: we need the following from conn.bro, but we can't soundly load -# it because it in turn loads us. -global full_id_string: function(c: connection): string; - -# TODO: this is a notice action filter but it shouldn't cause this -# script to be come a dependency on notice-action-filters.bro -# Figure out where to put this! -function drop_source_and_terminate(n: Notice::Info, a: Notice::Action): Notice::Action - { - if ( n?$conn ) - TerminateConnection::terminate_connection(n$conn); - - return NOTICE_DROP; - } - - -module TerminateConnection; - -export { - redef enum Notice += { - TerminatingConnection, # connection will be terminated - TerminatingConnectionIgnored, # connection terminated disabled - }; - - # Whether we're allowed (and/or are capable) to terminate connections - # using "rst". - const activate_terminate_connection = F &redef; - - # Terminate the given connection. - global terminate_connection: function(c: connection); - -} - -function terminate_connection(c: connection) - { - local id = c$id; - - if ( activate_terminate_connection ) - { - local local_init = is_local_addr(id$orig_h); - - local term_cmd = fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d", - local_init ? "-R" : "", - id$orig_h, id$orig_p, get_orig_seq(id), - id$resp_h, id$resp_p, get_resp_seq(id)); - - if ( reading_live_traffic() ) - system(term_cmd); - else - NOTICE([$note=TerminatingConnection, $conn=c, - $msg=term_cmd, $sub="first termination command"]); - - term_cmd = fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d", - local_init ? 
"-R" : "", - id$orig_h, id$orig_p, get_orig_seq(id), - id$resp_h, id$resp_p, get_resp_seq(id)); - - if ( reading_live_traffic() ) - system(term_cmd); - else - NOTICE([$note=TerminatingConnection, $conn=c, - $msg=term_cmd, $sub="second termination command"]); - - NOTICE([$note=TerminatingConnection, $conn=c, - $msg=fmt("terminating %s", full_id_string(c))]); - } - - else - NOTICE([$note=TerminatingConnectionIgnored, $conn=c, - $msg=fmt("ignoring request to terminate %s", - full_id_string(c))]); - } diff --git a/policy.old/tftp.bro b/policy.old/tftp.bro deleted file mode 100644 index d1f3e43746..0000000000 --- a/policy.old/tftp.bro +++ /dev/null @@ -1,33 +0,0 @@ -# $Id: tftp.bro 4758 2007-08-10 06:49:23Z vern $ - -# Very simplistic - doesn't pick up the replies. - -@load notice -@load udp-common -@load site - -module TFTP; - -export { - redef enum Notice += { - OutboundTFTP, # outbound TFTP seen - }; -} - -redef capture_filters += { ["tftp"] = "udp port 69" }; - -global tftp_notice_count: table[addr] of count &default = 0 &read_expire = 7 days; - -event udp_request(u: connection) - { - if ( u$id$resp_p == 69/udp && u$id$orig_p >= 1024/udp ) - { - local src = u$id$orig_h; - local dst = u$id$resp_h; - - if ( is_local_addr(src) && ! is_local_addr(dst) && - ++tftp_notice_count[src] == 1 ) - NOTICE([$note=OutboundTFTP, $conn=u, - $msg=fmt("outbound TFTP: %s -> %s", src, dst)]); - } - } diff --git a/policy.old/time-machine/time-machine.bro b/policy.old/time-machine/time-machine.bro deleted file mode 100644 index 98e37437ae..0000000000 --- a/policy.old/time-machine/time-machine.bro +++ /dev/null 
@@ -1,278 +0,0 @@ -# $Id: time-machine.bro,v 1.1.2.8 2006/01/06 01:51:37 sommer Exp $ -# -# Low-level time-machine interface. - -@load notice - -module TimeMachine; - -export { - # Request to send us a connection. Automatically subscribes - # and suspends cut-off. - # - # start : time where to start searching (0 for as early as possible). - # in_mem: only scan TM's memory-buffer but not any on-disk data. - # descr: description to be written to log file to identify the query - # - # Returns tag of this query. - global request_connection: - function(c: connection, in_mem: bool, descr: string) : string; - - # id$orig_p = 0/tcp acts as wildcard. - global request_connection_id: - function(id: conn_id, start: time, in_mem: bool, descr: string) - : string; - - # Request to save connection to file in TM host. Automatically - # suspends cut-off. - # - # filename: destination file on TM host. - # start : time where to start searching (0 = as early as possible). - # in_mem : only scan TM's memory-buffer, but not any on-disk data. - global capture_connection: - function(filename: string, c: connection, in_mem: bool, - descr: string); - - # id$orig_p = 0/tcp acts as wildcard. - global capture_connection_id: - function(filename: string, id: conn_id, start: time, - in_mem: bool, descr: string); - - # Request to send everything involving a certain host to us. - # Always searches mem and disk buffers. - # - # host : address of host - # start: time where to start searching (0 for as early as possible). - # - # Returns tag of this query. - global request_addr: function(host: addr, start: time, - in_mem: bool, descr: string) : string; - - # Don't issue duplicate queries. Should be on for normal use; - # only need to turn off for benchmarking. - global filter_duplicates = T &redef; - - # Automatically issue suspend_cutoff as specified above. - # Should be on for normal use; off only used for benchmarking. 
- global auto_suspend_cutoff = T &redef; - - # Automatically subscribe as specified above. - # Should be on for normal use; off only used for benchmarking. - global auto_subscribe = F &redef; - - # Automatically set start time for query. - # Should be on for normal use; off only used for benchmarking. - global auto_set_start = T &redef; - - # Request to save everything involving a certain host. - # Always searches mem and disk buffers. - # - # filename: destination file on TM host. - # host : address of host - # start: time where to start searching (0 for as early as possible). - # - global capture_addr: function(filename: string, host: addr, - start: time, in_mem: bool, - descr: string); - - # Prevent the TM from cutting the connection off. - global suspend_cut_off: function(c: connection, descr: string); - - # id$orig_p = 0/tcp acts as wildcard. - global suspend_cut_off_id: function(id: conn_id, descr: string); - - type Direction: enum { - ORIG, # connections originating from host - RESP, # connections responded to by host - BOTH # independent of direction - }; - - # Change the TM class for given IP. - global set_class: function(host: addr, class: string, dir: Direction, - descr: string); - - # Revoke class assignment for IP. - global unset_class: function(host: addr, descr: string); - - # ID of this Bro instance for TM queries. Automatically set. - global feed_id = ""; -} - -global tag = 0; - -global cmds: table[string] of string &read_expire = 1 day; - -global command: event(cmd: string); -global descrs: table[string] of string; - -global profile: file; -global logfile = open_log_file("tm"); - -function id2str(id: conn_id, include_index: bool) : string - { - local index = ""; - if ( include_index ) - index = id$orig_p != 0/tcp ? 
"connection4 " : "connection3 "; - - if ( id$orig_p != 0/tcp) - return fmt("%s\"%s %s:%d %s:%d\"", index, - get_port_transport_proto(id$resp_p), - id$orig_h, id$orig_p, - id$resp_h, id$resp_p); - else - return fmt("%s\"%s %s %s:%d\"", index, - get_port_transport_proto(id$resp_p), - id$orig_h, - id$resp_h, id$resp_p); - } - -function issue_query(result: string, add_tag: bool, cmd: string, - start: time, in_mem: bool, sub: bool, descr: string) : string - { - local key = fmt("%s %s", result, cmd); - local qtag = ""; - - if ( key in cmds && filter_duplicates ) - return cmds[key]; - - if ( add_tag ) - { - qtag = fmt("t%x", ++tag); - result = fmt("%s tag %s", result, qtag); - } - - local range = ""; - - if ( time_to_double(start) > 0.0 && auto_set_start ) - { # We subtract a few seconds to allow for clock skew. - start = start - 2 secs; - range += fmt("start %.6f end 9876543210 ", start); - } - - if ( in_mem ) - range += "mem_only "; - - if ( sub ) - range += "subscribe "; - - local c = fmt("query %s %s %s", result, cmd, range); - descrs[c] = descr; - - if ( time_machine_profiling ) - print profile, fmt("%.6f %s %s", current_time(), - (qtag != "" ? 
qtag : "-"), c); - - event TimeMachine::command(c); - - cmds[key] = qtag; - - return qtag; - } - -function issue_command(cmd: string, descr: string) - { - if ( cmd in cmds && filter_duplicates ) - return; - - descrs[cmd] = descr; - event TimeMachine::command(cmd); - - cmds[cmd] = ""; - } - -function request_connection(c: connection, in_mem: bool, descr: string) : string - { - return request_connection_id(c$id, c$start_time, in_mem, descr); - } - -function request_connection_id(id: conn_id, start: time, in_mem: bool, - descr: string) : string - { - if ( auto_suspend_cutoff ) - suspend_cut_off_id(id, descr); - return issue_query(fmt("feed %s", feed_id), T, - fmt("index %s", id2str(id, T)), start, in_mem, - auto_subscribe, descr); - } - -function capture_connection(filename: string, c: connection, - in_mem: bool, descr: string) - { - capture_connection_id(filename, c$id, c$start_time, in_mem, descr); - } - -function capture_connection_id(filename: string, id: conn_id, start: time, - in_mem: bool, descr: string) - { - if ( auto_suspend_cutoff ) - suspend_cut_off_id(id, descr); - - issue_query(fmt("to_file \"%s\"", filename), F, - fmt("index %s", id2str(id, T)), - start, in_mem, auto_subscribe, descr); - } - -function request_addr(host: addr, start: time, in_mem: bool, descr: string) -: string - { - return issue_query(fmt("feed %s", feed_id), T, - fmt("index ip \"%s\"", host), start, in_mem, F, descr); - } - -function capture_addr(filename: string, host: addr, start: time, - in_mem: bool, descr: string) - { - issue_query(fmt("to_file \"%s\"", filename), F, - fmt("index ip \"%s\"", host), start, in_mem, F, descr); - } - -function suspend_cut_off(c: connection, descr: string) - { - suspend_cut_off_id(c$id, descr); - } - -function suspend_cut_off_id(id: conn_id, descr: string) - { - issue_command(fmt("suspend_cutoff %s", id2str(id, F)), descr); - } - -function set_class(host: addr, class: string, dir: Direction, descr: string) - { - local d = ""; - - if ( dir == ORIG ) - d 
= " orig"; - else if ( dir == RESP ) - d = " resp"; - - issue_command(fmt("set_dyn_class %s %s%s", host, class, d), descr); - } - -function unset_class(host: addr, descr: string) - { - issue_command(fmt("unset_dyn_class %s", host), descr); - } - -event command(cmd: string) - { - # We might not know the command if we're just relaying the event - # from external. - if ( cmd in descrs ) - { - local descr = descrs[cmd]; - delete descrs[cmd]; - - print logfile, fmt("%.6f %.6f [%s] %s", network_time(), current_time(), descr, cmd); - } - } - -event bro_init() - { - set_buf(logfile, F); - - # Create a feed ID that's unique across restarts w/ high probability. - feed_id = fmt("%s-%d-%d", gethostname(), getpid(), rand(100)); - - if ( time_machine_profiling ) - profile = open_log_file("tm-prof.queries"); - } diff --git a/policy.old/time-machine/tm-capture.bro b/policy.old/time-machine/tm-capture.bro deleted file mode 100644 index a322f25263..0000000000 --- a/policy.old/time-machine/tm-capture.bro +++ /dev/null 
@@ -1,91 +0,0 @@ -# $Id: tm-capture.bro,v 1.1.2.1 2006/01/04 03:52:02 sommer Exp $ -# -# For each non-scan alert, we can -# (a) tell the time-machine to permanently store the connection's packets -# (b) request the connection, to store the (reassembled) payload ourselves -# (c) request all other traffic from that IP within the last X hours -# (d) store all other traffic from that IP within the last X hours - -@load time-machine -@load tm-contents -@load notice -@load scan - -module TimeMachineCapture; - -export { - # Request past traffic. Set to 0 to disable. - # This does on-disk queries, potentially expensive. - const history_interval = 0 hrs &redef; - - # Capture past traffic. Set to 0 to disable. - # This does on-disk queries, potentially expensive. - const history_capture_interval = 0 hrs &redef; - - const ignore_notices: set[Notice] = { - Scan::AddressScan, - Scan::PortScan, - } &redef; -} - -@ifdef ( TimeMachineGap::ContentGapTmAndLink ) -redef ignore_notices += { - TimeMachineGap::ContentGapTmAndLink, - TimeMachineGap::ContentGapSolved, -}; -@endif - -global hosts: set[addr] &create_expire = history_capture_interval; - -global dbg = open_log_file("tm-capture"); - -event notice_alarm(n: notice_info, action: NoticeAction) - { - if ( n$note in ignore_notices ) - return; - - if ( ! n?$id ) - return; - - if ( n?$conn && is_external_connection(n$conn) ) - return; - - local id = n$id; - local start: time; - - if ( n?$conn ) - start = n$conn$start_time; - else if ( connection_exists(id) ) - start = lookup_connection(id)$start_time; - else - start = network_time() - 5 min; # shouldn't usually get here - - local tag = fmt("conn.%s", n$tag); - n$captured = tag; - - # It should be in the TM's memory. 
- TimeMachine::capture_connection_id(fmt("%s.pcap", tag), id, start, - T, "tm-capture"); - - if ( get_port_transport_proto(id$resp_p) == tcp ) - { - n$captured += " (contents)"; - TimeMachine::save_contents_id(tag, id, start, T, "tm-capture"); - } - - if ( n$src !in hosts ) - { - if ( history_interval != 0 sec ) - TimeMachine::request_addr(n$src, - network_time() - history_interval, F, - "tm-capture"); - - if ( history_capture_interval != 0secs ) - TimeMachine::capture_addr(fmt("host.%s.%s.pcap", - n$src, n$tag), n$src, - network_time() - history_capture_interval, F, - "tm-capture"); - - add hosts[n$src]; - } - } diff --git a/policy.old/time-machine/tm-class.bro b/policy.old/time-machine/tm-class.bro deleted file mode 100644 index 4d69308517..0000000000 --- a/policy.old/time-machine/tm-class.bro +++ /dev/null @@ -1,22 +0,0 @@ -# $Id:$ -# -# Changes the class for addresses that have generated alerts. - -@load time-machine -@load notice -@load scan - -event notice_alarm(n: notice_info, action: NoticeAction) - { - if ( ! n?$src ) - return; - - if ( n?$conn && is_external_connection(n$conn) ) - return; - - local class = "alarm"; - if ( n$note == Scan::AddressScan || n$note == Scan::PortScan ) - class = "scanner"; - - TimeMachine::set_class(n$src, class, TimeMachine::BOTH, "tm-class"); - } diff --git a/policy.old/time-machine/tm-contents.bro b/policy.old/time-machine/tm-contents.bro deleted file mode 100644 index ea921342ae..0000000000 --- a/policy.old/time-machine/tm-contents.bro +++ /dev/null 
@@ -1,111 +0,0 @@ -# $Id:$ -# -# Provides a function that requests a particular connection from the -# Time Machine and stores the subsequent reassembled payload into a -# local file. - -@load time-machine - -module TimeMachine; - -export { - global save_contents: - function(filename_prefix: string, c: connection, - in_mem: bool, descr: string); - - global save_contents_id: - function(filename_prefix: string, id: conn_id, start: time, - in_mem: bool, descr: string); - - # Raised when contents have been fully saved. - global contents_saved: - event(c: connection, orig_file: string, resp_file: string); - - const contents_dir = "tm-contents" &redef; - } - -# Table associating TM tag with filename. -global requested_conns: table[string] of string; - -type fnames: record { - orig: string; - resp: string; - orig_f: file; - resp_f: file; - }; - -global external_conns: table[conn_id] of fnames; - -function save_contents(filename_prefix: string, c: connection, - in_mem: bool, descr: string) - { - if ( is_external_connection(c) ) - return; - - save_contents_id(filename_prefix, c$id, c$start_time, in_mem, descr); - } - -function save_contents_id(filename_prefix: string, id: conn_id, start: time, - in_mem: bool, descr: string) - { - TimeMachine::suspend_cut_off_id(id, descr); - local qtag = TimeMachine::request_connection_id(id, start, in_mem, descr); - if ( qtag == "" ) - return; - - requested_conns[qtag] = filename_prefix; - } - -event connection_external(c: connection, tag: string) - { - if ( tag !in requested_conns ) - return; - - local fn = requested_conns[tag]; - local id = c$id; - local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p); - - local orig_fn = fmt("%s/%s.%s.orig.dat", contents_dir, fn, idstr); - local resp_fn = fmt("%s/%s.%s.resp.dat", contents_dir, fn, idstr); - local orig_f = open(orig_fn); - local resp_f = open(resp_fn); - - set_contents_file(c$id, CONTENTS_ORIG, orig_f); - set_contents_file(c$id, CONTENTS_RESP, resp_f); - - delete 
requested_conns[tag]; - external_conns[c$id] = - [$orig=orig_fn, $resp=resp_fn, $orig_f=orig_f, $resp_f=resp_f]; - } - -event delayed_contents_saved(c: connection, orig_file: string, resp_file: string) - { - schedule 2 min { TimeMachine::contents_saved(c, orig_file, resp_file) }; - } - -event connection_state_remove(c: connection) - { - if ( ! is_external_connection(c) ) - return; - - if ( c$id !in external_conns ) - return; - - local fn = external_conns[c$id]; - - close(fn$orig_f); - close(fn$resp_f); - - # FIXME: We delay this a bit as there seems to be some race-condition - # with the file's data being flushed to disk. Not sure why, though. - # However, we need to delay indirectly through another event to - # install it into the global timer manager. - event delayed_contents_saved(c, fn$orig, fn$resp); - - delete external_conns[c$id]; - } - -event bro_init() - { - mkdir(contents_dir); - } diff --git a/policy.old/time-machine/tm-ftp.bro b/policy.old/time-machine/tm-ftp.bro deleted file mode 100644 index cc09fc8328..0000000000 --- a/policy.old/time-machine/tm-ftp.bro +++ /dev/null 
@@ -1,42 +0,0 @@ -# $Id: tm-ftp.bro,v 1.1.2.1 2006/01/04 03:55:48 sommer Exp $ -# -# For sensitive FTP connections, request the data connection from the TM. -# When we get it, we store the reassembled payload and run the file-analyzer -# (the latter is automatically done by ftp.bro). - -@load time-machine -@load tm-contents -@load ftp - -module TimeMachineFTP; - -global data_conns: table[count] of conn_id; - -event ftp_sensitive_file(c: connection, session: FTP::ftp_session_info, - filename: string) - { - if ( is_external_connection(c) ) - return; - - if ( session$id !in data_conns ) - # Should not happen, as transfer parameters need to be - # negotiated first. We let ftp.bro deal with this, though. - return; - - local id = data_conns[session$id]; - TimeMachine::save_contents(fmt("ftp.%s", session$id), c, T, "tm-ftp"); - } - -event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr, - resp_p: port, session: FTP::ftp_session_info) - { - data_conns[session$id] = - [$orig_h=orig_h, $orig_p=0/tcp, $resp_h=resp_h, $resp_p=resp_p]; - } - -event connection_state_remove(c: connection) - &priority = 5 # to be called before FTP's handler - { - if ( c$id in FTP::ftp_sessions ) - delete data_conns[FTP::ftp_sessions[c$id]$id]; - } diff --git a/policy.old/time-machine/tm-gap.bro b/policy.old/time-machine/tm-gap.bro deleted file mode 100644 index e97d6a848a..0000000000 --- a/policy.old/time-machine/tm-gap.bro +++ /dev/null 
@@ -1,127 +0,0 @@ -# $Id: tm-gap.bro,v 1.1.2.1 2006/01/05 22:38:37 sommer Exp $ -# -# When we see a content gap, we request the same connection from the TM. -# If we get it from there completely, fine. If not, we check whether the -# gap is at the same place as before, which would indicate that the packet -# was indeed missing on the link. - -@load conn-id -@load time-machine - -module TimeMachineGap; - -export { - # If true, we assume a BPF filter that includes *all* data packets. - const seeing_all_packets = F &redef; - - # Exclude these ports. - const ignore_ports = { 80/tcp, 22/tcp, 443/tcp }; - - redef enum Notice += { - # A connection has at least one gap that matches a gap - # on the link. - ContentGapTmAndLink, - - # A connection that had a gap on the link has been fully - # received from the TM. - ContentGapSolved, - }; -} - -type gap : record { - is_orig: bool; - seq: count; - length: count; -}; - -# Remembers the first gap per connection. -# (FIXME: Would it make sense to remember all gaps?) -global conns: table[conn_id] of gap; - -global f = open_log_file("gap"); - -event content_gap(c: connection, is_orig: bool, seq: count, length: count) - { - if ( ! is_external_connection(c) ) - { - if ( c$id in conns ) - # We already requested the conn. - return; - - if ( c$id$resp_p in ignore_ports ) - return; - - # It only makes sense to request the connection if we are - # not just analyzing TCP control packets for it. There's - # no perfect way to determine whether we do so but, as a - # heuristic, we assume that we are supposed to see data - # packets if: - # - # (1) the service port is well-known for one of our analyzers - # (because then the analyzer script is loaded which extends - # the capture filter accordingly; or - # (2) the user explicitly tells us they are using a filter that - # includes all packets (e.g., DPD); or - # (3) (special case) it's an HTTP reply, but we only - # load http-request. - - if ( ! 
seeing_all_packets ) - { - if ( c$id$resp_p !in dpd_analyzer_ports ) - return; - - if ( c$id$resp_p in dpd_analyzer_ports && ! is_orig && - ANALYZER_HTTP in dpd_analyzer_ports[c$id$resp_p]) - { -@ifdef ( process_HTTP_replies ) - if ( ! process_HTTP_replies ) -@endif - return; - } - } - - local g: gap = [$is_orig=is_orig, $seq=seq, $length=length]; - conns[c$id] = g; - - # Should be in TM's memory. - TimeMachine::request_connection(c, T, "tm-gap"); - - print f, "ask", id_string(c$id); - } - - else - { # a gap in a connection from the TM - if ( c$id !in conns ) - # Will be reported as ContentGap by weird.bro. - return; - - local h = conns[c$id]; - - if ( h$is_orig == is_orig && h$seq == seq && h$length == length ) - { - NOTICE([$note=ContentGapTmAndLink, $conn=c, - $msg=fmt("%s same content gap on link and from time-machine (%s %d/%d)", - id_string(c$id), - is_orig ? ">" : "<", seq, length)]); - } - - delete conns[c$id]; - } - } - -event connection_external(c: connection, tag: string) - { - if ( c$id in conns ) - print f, "got", id_string(c$id); - } - -event connection_state_remove(c: connection) - { - if ( c$id in conns && is_external_connection(c) ) - { # It's still in the table, so we got it completely. Yippie! - NOTICE([$note=ContentGapSolved, $conn=c, - $msg=fmt("%s content gap(s) solved by time-machine", - id_string(c$id))]); - delete conns[c$id]; - } - } diff --git a/policy.old/time-machine/tm-http.bro b/policy.old/time-machine/tm-http.bro deleted file mode 100644 index ad9d997ffc..0000000000 --- a/policy.old/time-machine/tm-http.bro +++ /dev/null 
@@ -1,18 +0,0 @@ -# $Id: tm-http.bro,v 1.1.2.1 2005/11/29 21:39:05 sommer Exp $ -# -# Requests connections from time-machine for which we have seen a sensitive URI. - -@load http -@load time-machine - -redef notice_policy += { - [$pred(a: notice_info) = - { - if ( a$note == HTTP::HTTP_SensitiveURI && - a?$conn && ! is_external_connection(a$conn) ) - TimeMachine::request_connection(a$conn, T, "tm-http"); - return F; - }, - $result = NOTICE_FILE, # irrelevant, since we always return F - $priority = 1] -}; diff --git a/policy.old/trw-impl.bro b/policy.old/trw-impl.bro deleted file mode 100644 index a93782d11c..0000000000 --- a/policy.old/trw-impl.bro +++ /dev/null 
@@ -1,191 +0,0 @@ -# $Id: trw.bro 2911 2006-05-06 17:58:43Z vern $ - -@load notice -@load port-name -@load hot - -module TRW; - -export { - redef enum Notice += { - TRWAddressScan, # source flagged as scanner by TRW algorithm - TRWScanSummary, # summary of scanning activities reported by TRW - }; - - # Activate TRW if T. - global use_TRW_algorithm = F &redef; - - # Tell TRW not to flag a friendly remote. - global do_not_flag_friendly_remotes = T &redef; - - # Set of services for outbound connections that are possibly triggered - # by incoming connections. - const triggered_outbound_services = { ident, finger, 20/tcp, } &redef; - - # The following correspond to P_D and P_F in the TRW paper, i.e., the - # desired detection and false positive probabilities. - global target_detection_prob = 0.99 &redef; - global target_false_positive_prob = 0.01 &redef; - - # Given a legitimate remote, the probability that its connection - # attempt will succeed. - global theta_zero = 0.8 &redef; - - # Given a scanner, the probability that its connection attempt - # will succeed. - global theta_one = 0.2 &redef; - - - # These variables the user usually won't alter, except they - # might want to adjust the expiration times, which is why - # they're exported here. - global scan_sources: set[addr] &write_expire = 1 hr; - global benign_sources: set[addr] &write_expire = 1 hr; - - global failed_locals: set[addr, addr] &write_expire = 30 mins; - global successful_locals: set[addr, addr] &write_expire = 30 mins; - - global lambda: table[addr] of double - &default = 1.0 &write_expire = 30 mins; - global num_scanned_locals: - table[addr] of count &default = 0 &write_expire = 30 mins; - - # Function called to perform TRW analysis. - global check_TRW_scan: function(c: connection, state: string, - reverse: bool): bool; -} - -# Set of remote hosts that have been successfully accessed by local hosts. 
-global friendly_remotes: set[addr] &read_expire = 30 mins; - -# Set of local honeypot hosts - for internal use at LBL. -global honeypot: set[addr]; - -# Approximate solutions for upper and lower thresholds. -global eta_zero: double; # initialized when Bro starts -global eta_one: double; - -event bro_init() - { - eta_zero = - (1 - target_detection_prob) / (1 - target_false_positive_prob); - eta_one = target_detection_prob / target_false_positive_prob; - } - - -event TRW_scan_summary(orig: addr) - { - NOTICE([$note=TRWScanSummary, $src=orig, - $msg=fmt("%s scanned a total of %d hosts", - orig, num_scanned_locals[orig])]); - } - -function check_TRW_scan(c: connection, state: string, reverse: bool): bool - { - local id = c$id; - - local service = "ftp-data" in c$service ? 20/tcp - : (reverse ? id$orig_p : id$resp_p); - local orig = reverse ? id$resp_h : id$orig_h; - local resp = reverse ? id$orig_h : id$resp_h; - local outbound = is_local_addr(orig); - - # Mark a remote as friendly if it is successfully accessed by - # a local with protocols other than triggered_outbound_services. - # XXX There is an ambiguity to determine who initiated a - # connection when the status is "OTH". - if ( outbound ) - { - if ( resp !in scan_sources && - service !in triggered_outbound_services && - orig !in honeypot && state != "OTH" ) - add friendly_remotes[resp]; - - return F; - } - - if ( orig in scan_sources ) - return T; - - if ( orig in benign_sources ) - return F; - - if ( do_not_flag_friendly_remotes && orig in friendly_remotes ) - return F; - - # Start TRW evaluation. - local flag = +0; - local resp_byte = reverse ? c$orig$size : c$resp$size; - local established = T; - - if ( state == "S0" || state == "REJ" || state == "OTH" || - (state == "RSTOS0" && resp_byte <= 0) ) - established = F; - - if ( ! 
established || resp in honeypot ) - { - if ( [orig, resp] !in failed_locals ) - { - flag = 1; - add failed_locals[orig, resp]; - } - } - - else if ( [orig, resp] !in successful_locals ) - { - flag = -1; - add successful_locals[orig, resp]; - } - - if ( flag == 0 ) - return F; - - local ratio = 1.0; - - # Update the corresponding likelihood ratio of orig. - if ( theta_zero <= 0 || theta_zero >= 1 || theta_one <= 0 || - theta_one >= 1 || theta_one >= theta_zero ) - { - # Error: theta_zero should be between 0 and 1. - # Log::error("bad theta_zero/theta_one in check_TRW_scan"); - use_TRW_algorithm = F; - return F; - } - - if ( flag == 1 ) - ratio = (1 - theta_one) / (1 - theta_zero); - - if ( flag == -1 ) - ratio = theta_one / theta_zero; - - ++num_scanned_locals[orig]; - - lambda[orig] = lambda[orig] * ratio; - local updated_lambda = lambda[orig]; - - if ( target_detection_prob <= 0 || - target_detection_prob >= 1 || - target_false_positive_prob <= 0 || - target_false_positive_prob >= 1 ) - { - # Error: target probabilities should be between 0 and 1 - # Log::error("bad target probabilities in check_TRW_scan"); - use_TRW_algorithm = F; - return F; - } - - if ( updated_lambda > eta_one ) - { - add scan_sources[orig]; - NOTICE([$note=TRWAddressScan, $src=orig, - $msg=fmt("%s scanned a total of %d hosts", - orig, num_scanned_locals[orig])]); - schedule 1 day { TRW_scan_summary(orig) }; - return T; - } - - if ( updated_lambda < eta_zero ) - add benign_sources[orig]; - - return F; - } diff --git a/policy.old/trw.bro b/policy.old/trw.bro deleted file mode 100644 index 0ffe6246f7..0000000000 --- a/policy.old/trw.bro +++ /dev/null @@ -1,7 +0,0 @@ -# $Id: trw.bro 3297 2006-06-18 00:56:58Z vern $ -# -# Load this file to actiate TRW analysis. - -@load trw-impl - -redef TRW::use_TRW_algorithm = T; diff --git a/policy.old/udp-common.bro b/policy.old/udp-common.bro deleted file mode 100644 index a6ca5a647b..0000000000 --- a/policy.old/udp-common.bro +++ /dev/null 
@@ -1,46 +0,0 @@
-# $Id: udp-common.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Performs generic UDP request/reply processing, but doesn't set
-# the packet filter to capture all UDP traffic (use udp.bro for that).
-
-@load hot
-@load conn
-@load scan
-
-global udp_req_count: table[conn_id] of count &default = 0;
-global udp_rep_count: table[conn_id] of count &default = 0;
-
-event udp_request(u: connection)
- {
- Scan::check_scan(u, F, F);
-# if ( TRW::use_TRW_algorithm )
-# TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
- Hot::check_hot(u, Hot::CONN_ATTEMPTED);
- }
-
-event udp_reply(u: connection)
- {
- Scan::check_scan(u, T, F);
-# if ( TRW::use_TRW_algorithm )
-# TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
- Hot::check_hot(u, Hot::CONN_ESTABLISHED);
- Hot::check_hot(u, Hot::CONN_FINISHED);
- }
-
-function add_req_rep_addl(u: connection)
- {
- local id = u$id;
- if ( udp_req_count[id] > 1 || udp_rep_count[id] > 1 )
- append_addl(u, fmt("[%d/%d]", udp_req_count[id], udp_rep_count[id]));
-
- delete udp_req_count[id];
- delete udp_rep_count[id];
- }
-
-event udp_session_done(u: connection)
- {
- add_req_rep_addl(u);
- Hot::check_hot(u, Hot::CONN_FINISHED);
- }
diff --git a/policy.old/udp.bro b/policy.old/udp.bro
deleted file mode 100644
index ae5f1834ad..0000000000
--- a/policy.old/udp.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: udp.bro 1103 2005-03-17 09:18:28Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["udp"] = "udp" };
diff --git a/policy.old/weird.bro b/policy.old/weird.bro
deleted file mode 100644
index 245f6b79ac..0000000000
--- a/policy.old/weird.bro
+++ /dev/null
@@ -1,424 +0,0 @@
-# $Id: weird.bro 6452 2008-12-07 01:19:13Z vern $
-
-@load notice
-@load port-name
-
-module Weird;
-
-export {
- redef enum Notice += {
- WeirdActivity, # generic unusual, alarm-worthy activity
- RetransmissionInconsistency,
- # possible evasion; usually just chud
- AckAboveHole,
- # could mean packet drop; could also be chud
- ContentGap,
- # data has sequence hole; perhaps due to filtering
- };
-
- const weird_file = open_log_file("weird") &redef;
-
- type WeirdAction: enum {
- WEIRD_UNSPECIFIED, WEIRD_IGNORE, WEIRD_FILE,
- WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
- WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
- };
-
- # Which of the above actions lead to logging. For internal use.
- const notice_actions = {
- WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
- WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
- };
-
- const weird_action: table[string] of WeirdAction = {
- # tcp_weird
- ["above_hole_data_without_any_acks"] = WEIRD_FILE,
- ["active_connection_reuse"] = WEIRD_FILE,
- ["bad_HTTP_reply"] = WEIRD_FILE,
- ["bad_HTTP_version"] = WEIRD_FILE,
- ["bad_ICMP_checksum"] = WEIRD_FILE,
- ["bad_ident_port"] = WEIRD_FILE,
- ["bad_ident_reply"] = WEIRD_FILE,
- ["bad_ident_request"] = WEIRD_FILE,
- ["bad_rlogin_prolog"] = WEIRD_FILE,
- ["bad_rsh_prolog"] = WEIRD_FILE,
- ["rsh_text_after_rejected"] = WEIRD_FILE,
- ["bad_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["bad_RPC_program"] = WEIRD_FILE,
- ["bad_SYN_ack"] = WEIRD_FILE,
- ["bad_TCP_checksum"] = WEIRD_FILE,
- ["bad_UDP_checksum"] = WEIRD_FILE,
- ["baroque_SYN"] = WEIRD_FILE,
- ["base64_illegal_encoding"] = WEIRD_FILE,
- ["connection_originator_SYN_ack"] = WEIRD_FILE,
- ["corrupt_tcp_options"] = WEIRD_FILE,
- ["crud_trailing_HTTP_request"] = WEIRD_FILE,
- ["data_after_reset"] = WEIRD_FILE,
- ["data_before_established"] = WEIRD_FILE,
- ["data_without_SYN_ACK"] = WEIRD_FILE,
- ["DHCP_no_type_option"] = WEIRD_FILE,
- ["DHCP_wrong_msg_type"] = WEIRD_FILE,
- ["DHCP_wrong_op_type"] = WEIRD_FILE,
- ["DNS_AAAA_neg_length"] = WEIRD_FILE,
- ["DNS_Conn_count_too_large"] = WEIRD_FILE,
- ["DNS_NAME_too_long"] = WEIRD_FILE,
- ["DNS_RR_bad_length"] = WEIRD_FILE,
- ["DNS_RR_length_mismatch"] = WEIRD_FILE,
- ["DNS_RR_unknown_type"] = WEIRD_FILE,
- ["DNS_label_forward_compress_offset"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_len_gt_name_len"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_len_gt_pkt"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_too_long"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_truncated_RR_rdlength_lt_len"] = WEIRD_FILE,
- ["DNS_truncated_ans_too_short"] = WEIRD_FILE,
- ["DNS_truncated_len_lt_hdr_len"] = WEIRD_FILE,
- ["DNS_truncated_quest_too_short"] = WEIRD_FILE,
- ["excessive_data_without_further_acks"] = WEIRD_FILE,
- ["excess_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["excessive_RPC_len"] = WEIRD_NOTICE_PER_ORIG,
- ["FIN_advanced_last_seq"] = WEIRD_FILE,
- ["FIN_after_reset"] = WEIRD_IGNORE,
- ["FIN_storm"] = WEIRD_NOTICE_ALWAYS,
- ["HTTP_bad_chunk_size"] = WEIRD_FILE,
- ["HTTP_chunked_transfer_for_multipart_message"] = WEIRD_FILE,
- ["HTTP_overlapping_messages"] = WEIRD_FILE,
- ["HTTP_unknown_method"] = WEIRD_FILE,
- ["HTTP_version_mismatch"] = WEIRD_FILE,
- ["ident_request_addendum"] = WEIRD_FILE,
- ["inappropriate_FIN"] = WEIRD_FILE,
- ["inflate_data_failed"] = WEIRD_FILE,
- ["inflate_failed"] = WEIRD_FILE,
- ["invalid_irc_global_users_reply"] = WEIRD_FILE,
- ["irc_invalid_command"] = WEIRD_FILE,
- ["irc_invalid_dcc_message_format"] = WEIRD_FILE,
- ["irc_invalid_invite_message_format"] = WEIRD_FILE,
- ["irc_invalid_join_line"] = WEIRD_FILE,
- ["irc_invalid_kick_message_format"] = WEIRD_FILE,
- ["irc_invalid_line"] = WEIRD_FILE,
- ["irc_invalid_mode_message_format"] = WEIRD_FILE,
- ["irc_invalid_names_line"] = WEIRD_FILE,
- ["irc_invalid_njoin_line"] = WEIRD_FILE,
- ["irc_invalid_notice_message_format"] = WEIRD_FILE,
- ["irc_invalid_oper_message_format"] = WEIRD_FILE,
- ["irc_invalid_privmsg_message_format"] = WEIRD_FILE,
- ["irc_invalid_reply_number"] = WEIRD_FILE,
- ["irc_invalid_squery_message_format"] = WEIRD_FILE,
- ["irc_invalid_topic_reply"] = WEIRD_FILE,
- ["irc_invalid_who_line"] = WEIRD_FILE,
- ["irc_invalid_who_message_format"] = WEIRD_FILE,
- ["irc_invalid_whois_channel_line"] = WEIRD_FILE,
- ["irc_invalid_whois_message_format"] = WEIRD_FILE,
- ["irc_invalid_whois_operator_line"] = WEIRD_FILE,
- ["irc_invalid_whois_user_line"] = WEIRD_FILE,
- ["irc_line_size_exceeded"] = WEIRD_FILE,
- ["irc_line_too_short"] = WEIRD_FILE,
- ["irc_too_many_invalid"] = WEIRD_FILE,
- ["line_terminated_with_single_CR"] = WEIRD_FILE,
- ["line_terminated_with_single_LF"] = WEIRD_FILE,
- ["malformed_ssh_identification"] = WEIRD_FILE,
- ["malformed_ssh_version"] = WEIRD_FILE,
- ["matching_undelivered_data"] = WEIRD_FILE,
- ["multiple_HTTP_request_elements"] = WEIRD_FILE,
- ["multiple_RPCs"] = WEIRD_NOTICE_PER_ORIG,
- ["non_IPv4_packet"] = WEIRD_NOTICE_ONCE,
- ["NUL_in_line"] = WEIRD_FILE,
- ["originator_RPC_reply"] = WEIRD_NOTICE_PER_ORIG,
- ["partial_finger_request"] = WEIRD_FILE,
- ["partial_ftp_request"] = WEIRD_FILE,
- ["partial_ident_request"] = WEIRD_FILE,
- ["partial_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["partial_RPC_request"] = WEIRD_FILE,
- ["pending_data_when_closed"] = WEIRD_FILE,
- ["pop3_bad_base64_encoding"] = WEIRD_FILE,
- ["pop3_client_command_unknown"] = WEIRD_FILE,
- ["pop3_client_sending_server_commands"] = WEIRD_FILE,
- ["pop3_malformed_auth_plain"] = WEIRD_FILE,
- ["pop3_server_command_unknown"] = WEIRD_FILE,
- ["pop3_server_sending_client_commands"] = WEIRD_FILE,
- ["possible_split_routing"] = WEIRD_FILE,
- ["premature_connection_reuse"] = WEIRD_FILE,
- ["repeated_SYN_reply_wo_ack"] = WEIRD_FILE,
- ["repeated_SYN_with_ack"] = WEIRD_FILE,
- ["responder_RPC_call"] = WEIRD_NOTICE_PER_ORIG,
- ["rlogin_text_after_rejected"] = WEIRD_FILE,
- ["RPC_rexmit_inconsistency"] = WEIRD_FILE,
- ["RPC_underflow"] = WEIRD_FILE,
- ["RST_storm"] = WEIRD_NOTICE_ALWAYS,
- ["RST_with_data"] = WEIRD_FILE, # PC's do this
- ["simultaneous_open"] = WEIRD_NOTICE_PER_CONN,
- ["spontaneous_FIN"] = WEIRD_IGNORE,
- ["spontaneous_RST"] = WEIRD_IGNORE,
- ["SMB_parsing_error"] = WEIRD_FILE,
- ["no_smb_session_using_parsesambamsg"] = WEIRD_FILE,
- ["smb_andx_command_failed_to_parse"] = WEIRD_FILE,
- ["transaction_subcmd_missing"] = WEIRD_FILE,
- ["SSLv3_data_without_full_handshake"] = WEIRD_FILE,
- ["unexpected_SSLv3_record"] = WEIRD_FILE,
- ["successful_RPC_reply_to_invalid_request"] = WEIRD_NOTICE_PER_ORIG,
- ["SYN_after_close"] = WEIRD_FILE,
- ["SYN_after_partial"] = WEIRD_NOTICE_PER_ORIG,
- ["SYN_after_reset"] = WEIRD_FILE,
- ["SYN_inside_connection"] = WEIRD_FILE,
- ["SYN_seq_jump"] = WEIRD_FILE,
- ["SYN_with_data"] = WEIRD_FILE,
- ["TCP_christmas"] = WEIRD_FILE,
- ["truncated_ARP"] = WEIRD_FILE,
- ["truncated_NTP"] = WEIRD_FILE,
- ["UDP_datagram_length_mismatch"] = WEIRD_NOTICE_PER_ORIG,
- ["unexpected_client_HTTP_data"] = WEIRD_FILE,
- ["unexpected_multiple_HTTP_requests"] = WEIRD_FILE,
- ["unexpected_server_HTTP_data"] = WEIRD_FILE,
- ["unmatched_HTTP_reply"] = WEIRD_FILE,
- ["unpaired_RPC_response"] = WEIRD_FILE,
- ["unsolicited_SYN_response"] = WEIRD_IGNORE,
- ["window_recision"] = WEIRD_FILE,
- ["double_%_in_URI"] = WEIRD_FILE,
- ["illegal_%_at_end_of_URI"] = WEIRD_FILE,
- ["unescaped_%_in_URI"] = WEIRD_FILE,
- ["unescaped_special_URI_char"] = WEIRD_FILE,
-
- ["UDP_zone_transfer"] = WEIRD_NOTICE_ONCE,
-
- ["deficit_netbios_hdr_len"] = WEIRD_FILE,
- ["excess_netbios_hdr_len"] = WEIRD_FILE,
- ["netbios_client_session_reply"] = WEIRD_FILE,
- ["netbios_raw_session_msg"] = WEIRD_FILE,
- ["netbios_server_session_request"] = WEIRD_FILE,
- ["unknown_netbios_type"] = WEIRD_FILE,
-
- # flow_weird
- ["excessively_large_fragment"] = WEIRD_NOTICE_ALWAYS,
-
- # Code Red generates slews ...
- ["excessively_small_fragment"] = WEIRD_NOTICE_PER_ORIG,
-
- ["fragment_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_overlap"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_protocol_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_size_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_with_DF"] = WEIRD_FILE, # these do indeed happen!
- ["incompletely_captured_fragment"] = WEIRD_NOTICE_ALWAYS,
-
- # net_weird
- ["bad_IP_checksum"] = WEIRD_FILE,
- ["bad_TCP_header_len"] = WEIRD_FILE,
- ["internally_truncated_header"] = WEIRD_NOTICE_ALWAYS,
- ["truncated_IP"] = WEIRD_FILE,
- ["truncated_header"] = WEIRD_FILE,
-
- # generated by policy script
- ["Land_attack"] = WEIRD_NOTICE_PER_ORIG,
- ["bad_pm_port"] = WEIRD_NOTICE_PER_ORIG,
- } &redef;
-
- # table that maps weird types into a function that should be called
- # to determine the action.
- const weird_action_filters:
- table[string] of function(c: connection): WeirdAction &redef;
-
- const weird_ignore_host: set[addr, string] &redef;
-
- # But don't ignore these (for the weird file), it's handy keeping
- # track of clustered checksum errors.
- const weird_do_not_ignore_repeats = {
- "bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
- "bad_ICMP_checksum",
- } &redef;
-}
-
-# id/msg pairs that should be ignored (because the problem has already
-# been reported).
-global weird_ignore: table[string] of set[string] &write_expire = 10 min;
-
-# For WEIRD_NOTICE_PER_CONN.
-global did_notice_conn: set[addr, port, addr, port, string]
- &read_expire = 1 day;
-
-# For WEIRD_NOTICE_PER_ORIG.
-global did_notice_orig: set[addr, string] &read_expire = 1 day;
-
-# For WEIRD_NOTICE_ONCE.
-global did_weird_log: set[string] &read_expire = 1 day;
-
-global did_inconsistency_msg: set[conn_id];
-
-function weird_id_string(id: conn_id): string
- {
- return fmt("%s > %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-# Used to pass the optional connection into report_weird().
-global current_conn: connection;
-
-function report_weird(t: time, name: string, id: string, have_conn: bool,
- addl: string, action: WeirdAction, no_log: bool)
- {
- if ( action == WEIRD_IGNORE ||
- (id in weird_ignore && name in weird_ignore[id]) )
- return;
-
- local msg = id;
-
- if ( action == WEIRD_UNSPECIFIED )
- {
- if ( name in weird_action )
- {
- action = weird_action[name];
- if ( action == WEIRD_IGNORE )
- return;
-
- msg = fmt("%s: %s", msg, name);
- }
- else
- {
- action = WEIRD_NOTICE_ALWAYS;
- msg = fmt("** %s: %s", msg, name);
- }
- }
- else
- msg = fmt("%s: %s", msg, name);
-
- if ( addl != "" )
- msg = fmt("%s (%s)", msg, addl);
-
- if ( action in notice_actions && ! no_log )
- {
- if ( have_conn )
- NOTICE([$note=WeirdActivity, $conn=current_conn,
- $msg=msg]);
- else
- NOTICE([$note=WeirdActivity, $msg=msg]);
- }
-
- else if ( id != "" && name !in weird_do_not_ignore_repeats )
- {
- if ( id !in weird_ignore )
- weird_ignore[id] = set() &mergeable;
-
- add weird_ignore[id][name];
- }
-
- print weird_file, fmt("%.6f %s", t, msg);
- }
-
-function report_weird_conn(t: time, name: string, id: string, addl: string,
- c: connection)
- {
- if ( [c$id$orig_h, name] in weird_ignore_host ||
- [c$id$resp_h, name] in weird_ignore_host )
- return;
-
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- if ( name in weird_action_filters )
- action = weird_action_filters[name](c);
-
- if ( action == WEIRD_UNSPECIFIED )
- action = weird_action[name];
-
- local cid = c$id;
-
- if ( action == WEIRD_NOTICE_PER_CONN )
- {
- if ( [cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name] in did_notice_conn )
- no_log = T;
- else
- add did_notice_conn[cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name];
- }
-
- else if ( action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [c$id$orig_h, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[c$id$orig_h, name];
- }
-
- else if ( action == WEIRD_NOTICE_ONCE )
- {
- if ( name in did_weird_log )
- no_log = T;
- else
- add did_weird_log[name];
- }
- }
-
- current_conn = c;
- report_weird(t, name, id, T, addl, action, no_log);
- }
-
-function report_weird_orig(t: time, name: string, id: string, orig: addr)
- {
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- action = weird_action[name];
- if ( action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [orig, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[orig, name];
- }
- }
-
- report_weird(t, name, id, F, "", action, no_log);
- }
-
-event conn_weird(name: string, c: connection)
- {
- report_weird_conn(network_time(), name, weird_id_string(c$id), "", c);
- }
-
-event conn_weird_addl(name: string, c: connection, addl: string)
- {
- report_weird_conn(network_time(), name, weird_id_string(c$id), addl, c);
- }
-
-event flow_weird(name: string, src: addr, dst: addr)
- {
- report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
- }
-
-event net_weird(name: string)
- {
- report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
- }
-
-event rexmit_inconsistency(c: connection, t1: string, t2: string)
- {
- if ( c$id !in did_inconsistency_msg )
- {
- NOTICE([$note=RetransmissionInconsistency, $conn=c,
- $msg=fmt("%s rexmit inconsistency (%s) (%s)",
- weird_id_string(c$id), t1, t2)]);
- add did_inconsistency_msg[c$id];
- }
- }
-
-event ack_above_hole(c: connection)
- {
- NOTICE([$note=AckAboveHole, $conn=c,
- $msg=fmt("%s ack above a hole", weird_id_string(c$id))]);
- }
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
- {
- NOTICE([$note=ContentGap, $conn=c,
- $msg=fmt("%s content gap (%s %d/%d)%s",
- weird_id_string(c$id), is_orig ? ">" : "<", seq, length,
- is_external_connection(c) ? " [external]" : "")]);
- }
-
-event connection_state_remove(c: connection)
- {
- delete weird_ignore[weird_id_string(c$id)];
- delete did_inconsistency_msg[c$id];
- }
diff --git a/policy.old/worm.bro b/policy.old/worm.bro
deleted file mode 100644
index 18e9649096..0000000000
--- a/policy.old/worm.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: worm.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load notice
-@load site
-
-# signatures.bro needs this.
-global is_worm_infectee: function(ip: addr) : bool;
-
-@load signatures
-
-redef enum Notice += {
- LocalWorm, # worm seen in local host
- RemoteWorm, # worm seen in remote host
-};
-
-# redef capture_filters += { ["worm"] = "tcp dst port 80" };
-
-const worm_log = open_log_file("worm") &redef;
-
-# Maps types of worms to URI patterns.
-const worm_types: table[string] of pattern = {
- ["Code Red 1"] = /\.id[aq]\?.*NNNNNNNNNNNNN/,
- ["Code Red 2"] = /\.id[aq]\?.*XXXXXXXXXXXXX/,
- ["Nimda"] = /\/scripts\/root\.exe\?\/c\+tftp/ |
- /\/MSADC\/root.exe\?\/c\+dir/ |
- /cool\.dll.*httpodbc\.dll/, # 29Oct01 Nimda variant
-} &redef;
-
-# Maps signatures to worm types.
-const worm_sigs: table[string] of string = {
- ["slammer"] = "Slammer",
- ["nimda"] = "Nimda",
- ["bagle-bc"] = "Bagle.bc"
-};
-
-# We handle these ourselves.
-redef signature_actions += {
- ["codered1"] = SIG_IGNORE,
- ["codered2"] = SIG_IGNORE,
- ["slammer"] = SIG_IGNORE,
- ["nimda"] = SIG_IGNORE,
- ["bagle-bc"] = SIG_IGNORE
-};
-
-# Indexed by infectee.
-global worm_list: table[addr] of count &default=0 &read_expire = 2 days;
-
-# Indexed by infectee and type of worm.
-global worm_type_list: table[addr, string] of count
- &default=0 &read_expire = 2 days;
-
-# Invoked each time a new infectee (or a new type of worm for an existing
-# infectee) is seen. For the first instance of any type for a new infectee,
-# two events will be generated, one with worm_type of "first instance",
-# and another with the particular worm type.
-global worm_infectee_seen: event(c: connection, is_local: bool, worm_type: string);
-
-# Invoked whenever connection c has included a URI of worm type "worm_type".
-event worm_instance(c: connection, worm_type: string)
- {
- local id = c$id;
- local src = id$orig_h;
- local is_local = is_local_addr(src);
-
- if ( ++worm_list[src] == 1 )
- event worm_infectee_seen(c, is_local, "first instance");
-
- if ( ++worm_type_list[src, worm_type] == 1 )
- event worm_infectee_seen(c, is_local, worm_type);
- }
-
-event worm_infectee_seen(c: connection, is_local: bool, worm_type: string)
- {
- if ( worm_type == "first instance" )
- return; # just do the reporting for the specific type
-
- local infectee = c$id$orig_h;
- local where = is_local ? "local" : "remote";
- local msg = fmt("%s %s worm source: %s", where, worm_type, infectee);
-
- if ( is_local )
- NOTICE([$note=LocalWorm, $conn=c, $src=infectee,
- $msg=msg, $sub=worm_type]);
- else
- NOTICE([$note=RemoteWorm, $conn=c, $src=infectee,
- $msg=msg, $sub=worm_type]);
-
- print worm_log, fmt("%.6f %s", network_time(), msg);
- }
-
-event http_request(c: connection, method: string,
- original_URI: string, unescaped_URI: string, version: string)
- {
- # It's a pity to do this as a loop. Better would be if Bro could
- # search the patterns as one large RE and note which matched.
-
- for ( wt in worm_types )
- if ( worm_types[wt] in unescaped_URI )
- event worm_instance(c, wt);
- }
-
-event signature_match(state: signature_state, msg: string, data: string)
- {
- if ( state$id in worm_sigs )
- event worm_instance(state$conn, worm_sigs[state$id]);
- }
-
-# Ignore "weird" events, we get some due to the capture_filter above that
-# only captures the client side of an HTTP session.
-event conn_weird(name: string, c: connection)
- {
- }
-
-function is_worm_infectee(ip: addr): bool
- {
- return ip in worm_list;
- }
diff --git a/src/ARP.cc b/src/ARP.cc
index cdf0baa170..3606ed66d5 100644
--- a/src/ARP.cc
+++ b/src/ARP.cc
@@ -1,5 +1,3 @@
-// $Id: ARP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
diff --git a/src/ARP.h b/src/ARP.h
index c7765eb9a9..6b84dbd587 100644
--- a/src/ARP.h
+++ b/src/ARP.h
@@ -1,5 +1,3 @@
-// $Id: ARP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef arp_h
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index b995c2f74b..9e7407e8b9 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@@ -1,5 +1,3 @@
-// $Id: Analyzer.cc,v 1.1.4.28 2006/06/01 17:18:10 sommer Exp $
-
 #include
 #include "Analyzer.h"
diff --git a/src/Analyzer.h b/src/Analyzer.h
index 4a3ead5844..9eec49c233 100644
--- a/src/Analyzer.h
+++ b/src/Analyzer.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // Main analyzer interface.
 #ifndef ANALYZER_H
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index e64a4ec76e..fd31773120 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -1,5 +1,3 @@
-// $Id: AnalyzerTags.h,v 1.1.2.5 2006/06/01 01:55:42 sommer Exp $
-
 #ifndef ANALYZERTAGS_H
 #define ANALYZERTAGS_H
diff --git a/src/Anon.cc b/src/Anon.cc
index bd29b3cfe9..440f8600d5 100644
--- a/src/Anon.cc
+++ b/src/Anon.cc
@@ -1,5 +1,3 @@
-// $Id: Anon.cc 7075 2010-09-13 02:39:38Z vern $
-
 #include
 #include
 #include
diff --git a/src/Anon.h b/src/Anon.h
index 2f138c36d7..ce234f4680 100644
--- a/src/Anon.h
+++ b/src/Anon.h
@@ -1,5 +1,3 @@
-// $Id: Anon.h 416 2004-09-17 03:52:28Z vern $
-
 // The prefix-preserving IP address anonymization code is largely
 // based on (and sometimes directly copied from) Eddie Kohler's
 // ipsumdump-1.20 code, per:
diff --git a/src/Attr.cc b/src/Attr.cc
index 22b4337405..a5a350f452 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -1,5 +1,3 @@
-// $Id: Attr.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Attr.h b/src/Attr.h
index 89a81428e5..6c835dc61c 100644
--- a/src/Attr.h
+++ b/src/Attr.h
@@ -1,5 +1,3 @@
-// $Id: Attr.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef attr_h
diff --git a/src/BPF_Program.cc b/src/BPF_Program.cc
index 7796ccce81..a6d3d80c05 100644
--- a/src/BPF_Program.cc
+++ b/src/BPF_Program.cc
@@ -1,5 +1,3 @@
-// $Id: BPF_Program.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/BPF_Program.h b/src/BPF_Program.h
index 4c6e090cda..88ed669da2 100644
--- a/src/BPF_Program.h
+++ b/src/BPF_Program.h
@@ -1,5 +1,3 @@
-// $Id: BPF_Program.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef bpf_program_h
diff --git a/src/BackDoor.cc b/src/BackDoor.cc
index 493fd9ae00..c218a98ce2 100644
--- a/src/BackDoor.cc
+++ b/src/BackDoor.cc
@@ -1,5 +1,3 @@
-// $Id: BackDoor.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/BackDoor.h b/src/BackDoor.h
index 50d97514ef..40ea3bbaa3 100644
--- a/src/BackDoor.h
+++ b/src/BackDoor.h
@@ -1,5 +1,3 @@
-// $Id: BackDoor.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef backdoor_h
diff --git a/src/Base64.cc b/src/Base64.cc
index 2585debf5e..9008837f35 100644
--- a/src/Base64.cc
+++ b/src/Base64.cc
@@ -1,5 +1,3 @@
-// $Id: Base64.cc 6024 2008-07-26 19:20:47Z vern $
-
 #include "config.h"
 #include "Base64.h"
diff --git a/src/Base64.h b/src/Base64.h
index 5bf5d4e2bc..0fe7e04910 100644
--- a/src/Base64.h
+++ b/src/Base64.h
@@ -1,5 +1,3 @@
-// $Id: Base64.h 3526 2006-09-12 07:32:21Z vern $
-
 #ifndef base64_h
 #define base64_h
diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc
index e99047beb1..c58eb4cf65 100644
--- a/src/BitTorrent.cc
+++ b/src/BitTorrent.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 #include "BitTorrent.h"
diff --git a/src/BitTorrent.h b/src/BitTorrent.h
index 7f745d48c8..191b4c50d7 100644
--- a/src/BitTorrent.h
+++ b/src/BitTorrent.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 #ifndef bittorrent_h
diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc
index f0b290751d..995a01dd63 100644
--- a/src/BitTorrentTracker.cc
+++ b/src/BitTorrentTracker.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 #include "BitTorrentTracker.h"
diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h
index 167c9d0d10..d57665d104 100644
--- a/src/BitTorrentTracker.h
+++ b/src/BitTorrentTracker.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // This code contributed by Nadi Sarrar.
 #ifndef bittorrenttracker_h
diff --git a/src/BroList.h b/src/BroList.h
index b71615a18a..6168bf7bda 100644
--- a/src/BroList.h
+++ b/src/BroList.h
@@ -1,5 +1,3 @@
-// $Id: BroList.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef brolist_h
diff --git a/src/BroString.cc b/src/BroString.cc
index 8677cd9533..e05995b156 100644
--- a/src/BroString.cc
+++ b/src/BroString.cc
@@ -1,5 +1,3 @@
-// $Id: BroString.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/BroString.h b/src/BroString.h
index 48471cb99e..58991d78af 100644
--- a/src/BroString.h
+++ b/src/BroString.h
@@ -1,5 +1,3 @@
-// $Id: BroString.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef brostring_h
diff --git a/src/CCL.cc b/src/CCL.cc
index 326dcc7320..6c4ec5ea2e 100644
--- a/src/CCL.cc
+++ b/src/CCL.cc
@@ -1,5 +1,3 @@
-// $Id: CCL.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/CCL.h b/src/CCL.h
index 760e64b6f9..2870acf53a 100644
--- a/src/CCL.h
+++ b/src/CCL.h
@@ -1,5 +1,3 @@
-// $Id: CCL.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ccl_h
diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
index d54b4eb70b..ff84a343c7 100644
--- a/src/ChunkedIO.cc
+++ b/src/ChunkedIO.cc
@@ -1,5 +1,3 @@
-// $Id: ChunkedIO.cc 6888 2009-08-20 18:23:11Z vern $
-
 #include
 #include
 #include
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
index 1f946c18ba..ca95f4b40b 100644
--- a/src/ChunkedIO.h
+++ b/src/ChunkedIO.h
@@ -1,5 +1,3 @@
-// $Id: ChunkedIO.h 6888 2009-08-20 18:23:11Z vern $
-//
 // Implements non-blocking chunk-wise I/O.
 #ifndef CHUNKEDIO_H
diff --git a/src/CompHash.cc b/src/CompHash.cc
index 8f80c26def..916ca124ac 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -1,5 +1,3 @@
-// $Id: CompHash.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/CompHash.h b/src/CompHash.h
index 0e12cbf9a8..1a02114358 100644
--- a/src/CompHash.h
+++ b/src/CompHash.h
@@ -1,5 +1,3 @@
-// $Id: CompHash.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef comphash_h
diff --git a/src/Conn.cc b/src/Conn.cc
index bab032cbd0..df59b1037a 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -1,5 +1,3 @@
-// $Id: Conn.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Conn.h b/src/Conn.h
index 8f817fd003..8e90d6a9c3 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -1,5 +1,3 @@
-// $Id: Conn.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef conn_h
diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc
index 2bf28fe06a..7a04cb4f0b 100644
--- a/src/ConnCompressor.cc
+++ b/src/ConnCompressor.cc
@@ -1,5 +1,3 @@
-// $Id: ConnCompressor.cc 7008 2010-03-25 02:42:20Z vern $
-
 #include
 #include "ConnCompressor.h"
diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h
index e2140526d0..36959b615c 100644
--- a/src/ConnCompressor.h
+++ b/src/ConnCompressor.h
@@ -1,5 +1,3 @@
-// $Id: ConnCompressor.h 6008 2008-07-23 00:24:22Z vern $
-//
 // The ConnCompressor keeps track of the first packet seen for a conn_id using
 // only a minimal amount of memory. This helps us to avoid instantiating
 // full Connection objects for never-established sessions.
diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
index c98a9f6827..a1b892f4db 100644
--- a/src/ConnSizeAnalyzer.cc
+++ b/src/ConnSizeAnalyzer.cc
@@ -1,5 +1,3 @@
-// $Id$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 // See ConnSize.h for more extensive comments.
diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h
index 38446b0763..1fdd57bb15 100644
--- a/src/ConnSizeAnalyzer.h
+++ b/src/ConnSizeAnalyzer.h
@@ -1,5 +1,3 @@
-// $Id$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
diff --git a/src/ContentLine.cc b/src/ContentLine.cc
index e9f0856462..5601694e1d 100644
--- a/src/ContentLine.cc
+++ b/src/ContentLine.cc
@@ -1,5 +1,3 @@
-// $Id: ContentLine.cc,v 1.1.2.8 2006/06/01 01:55:42 sommer Exp $
-
 #include
 #include "ContentLine.h"
diff --git a/src/ContentLine.h b/src/ContentLine.h
index 25482ecc2f..5e9f01945f 100644
--- a/src/ContentLine.h
+++ b/src/ContentLine.h
@@ -1,5 +1,3 @@
-// $Id: ContentLine.h,v 1.1.2.9 2006/06/01 01:55:42 sommer Exp $
-//
 // Support-analyzer to split a reassembled stream into lines.
 #ifndef CONTENTLINE_H
diff --git a/src/Continuation.h b/src/Continuation.h
index bde07203a9..009d2a87f3 100644
--- a/src/Continuation.h
+++ b/src/Continuation.h
@@ -1,5 +1,3 @@
-// $Id: Continuation.h 2698 2006-04-03 05:50:52Z vern $
-//
 // Helper class to implement continuation-like mechanisms for
 // suspending/resuming tasks for incremental operation.
 //
diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc
index 4e21ecd545..1d9acaf1fa 100644
--- a/src/DCE_RPC.cc
+++ b/src/DCE_RPC.cc
@@ -1,5 +1,3 @@
-// $Id: DCE_RPC.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h
index a856599b19..63237a151b 100644
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@@ -1,5 +1,3 @@
-// $Id: DCE_RPC.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef dce_rpc_h
diff --git a/src/DFA.cc b/src/DFA.cc
index 43e719f24a..e58ea260e5 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -1,5 +1,3 @@
-// $Id: DFA.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/DFA.h b/src/DFA.h
index 6fa4d85f0d..0f6c7d2f25 100644
--- a/src/DFA.h
+++ b/src/DFA.h
@@ -1,5 +1,3 @@
-// $Id: DFA.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc
index 23149b7837..2aec6e6e9f 100644
--- a/src/DHCP-binpac.cc
+++ b/src/DHCP-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "DHCP-binpac.h"
 DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h
index d0e93dcfc2..06ddff3bb6 100644
--- a/src/DHCP-binpac.h
+++ b/src/DHCP-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef dhcp_binpac_h
 #define dhcp_binpac_h
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc
index e06ef1ab19..eb95ac2e1c 100644
--- a/src/DNS-binpac.cc
+++ b/src/DNS-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "DNS-binpac.h"
 #include "TCP_Reassembler.h"
diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h
index b43e3b6aae..9e8cb16f69 100644
--- a/src/DNS-binpac.h
+++ b/src/DNS-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef dns_binpac_h
 #define dns_binpac_h
diff --git a/src/DNS.cc b/src/DNS.cc
index d13f184ca5..8259a547bb 100644
--- a/src/DNS.cc
+++ b/src/DNS.cc
@@ -1,5 +1,3 @@
-// $Id: DNS.cc 6885 2009-08-20 04:37:55Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/DNS.h b/src/DNS.h
index ca9261c008..83ca80911e 100644
--- a/src/DNS.h
+++ b/src/DNS.h
@@ -1,5 +1,3 @@
-// $Id: DNS.h 6885 2009-08-20 04:37:55Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef dns_h
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 87d0db4dac..3c0d00c43c 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -1,5 +1,3 @@
-// $Id: DNS_Mgr.cc 7073 2010-09-13 00:45:02Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index 151c05289f..c4abb93525 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -1,5 +1,3 @@
-// $Id: DNS_Mgr.h 6915 2009-09-22 05:04:17Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef dnsmgr_h
diff --git a/src/DPM.cc b/src/DPM.cc
index 69b859a9e1..345741dfc8 100644
--- a/src/DPM.cc
+++ b/src/DPM.cc
@@ -1,5 +1,3 @@
-// $Id: DPM.cc,v 1.1.4.14 2006/06/01 17:18:10 sommer Exp $
-
 #include "DPM.h"
 #include "PIA.h"
 #include "Hash.h"
diff --git a/src/DPM.h b/src/DPM.h
index 056f6b25cc..4bacbfbeea 100644
--- a/src/DPM.h
+++ b/src/DPM.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // The central management unit for dynamic analyzer selection.
 #ifndef DPM_H
diff --git a/src/DbgBreakpoint.cc b/src/DbgBreakpoint.cc
index 7205a78521..11847fc4dc 100644
--- a/src/DbgBreakpoint.cc
+++ b/src/DbgBreakpoint.cc
@@ -1,5 +1,3 @@
-// $Id: DbgBreakpoint.cc 1345 2005-09-08 07:42:11Z vern $
-
 // Implementation of breakpoints.
 #include "config.h"
diff --git a/src/DbgBreakpoint.h b/src/DbgBreakpoint.h
index 505d1389a4..5fadfe0474 100644
--- a/src/DbgBreakpoint.h
+++ b/src/DbgBreakpoint.h
@@ -1,5 +1,3 @@
-// $Id: DbgBreakpoint.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing breakpoints in the Bro debugger.
 #ifndef DbgBreakpoint_h
diff --git a/src/DbgDisplay.h b/src/DbgDisplay.h
index 033dac79e9..1c83d84ec4 100644
--- a/src/DbgDisplay.h
+++ b/src/DbgDisplay.h
@@ -1,5 +1,3 @@
-// $Id: DbgDisplay.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing watches in the Bro debugger.
 #ifndef dbg_display_h
diff --git a/src/DbgWatch.h b/src/DbgWatch.h
index ed85e88748..e3359f53ad 100644
--- a/src/DbgWatch.h
+++ b/src/DbgWatch.h
@@ -1,5 +1,3 @@
-// $Id: DbgWatch.h 80 2004-07-14 20:15:50Z jason $
-
 // Structures and methods for implementing watches in the Bro debugger.
 #ifndef dbgwatch_h
diff --git a/src/Debug.h b/src/Debug.h
index ad82337b12..a83e05c224 100644
--- a/src/Debug.h
+++ b/src/Debug.h
@@ -1,5 +1,3 @@
-// $Id: Debug.h 80 2004-07-14 20:15:50Z jason $
-
 // Debugging support for Bro policy files.
 #ifndef debug_h
diff --git a/src/DebugCmds.h b/src/DebugCmds.h
index a14990b918..e7b9c6a4c1 100644
--- a/src/DebugCmds.h
+++ b/src/DebugCmds.h
@@ -1,5 +1,3 @@
-// $Id: DebugCmds.h 80 2004-07-14 20:15:50Z jason $
-//
 // Support routines to help deal with Bro debugging commands and
 // implementation of most commands.
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index adf06b7d67..6d189a3303 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -1,5 +1,3 @@
-// $Id: DebugLogger.cc 4771 2007-08-11 05:50:24Z vern $
-
 #ifdef DEBUG
 #include
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 49c875a5c4..a2dece5b3c 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -1,5 +1,3 @@
-// $Id: DebugLogger.h 4771 2007-08-11 05:50:24Z vern $
-//
 // A logger for (selective) debugging output. Only compiled in if DEBUG is
 // defined.
diff --git a/src/Desc.cc b/src/Desc.cc
index d7106a5b6a..8c161e07b2 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -1,5 +1,3 @@
-// $Id: Desc.cc 6245 2008-10-07 00:56:59Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Desc.h b/src/Desc.h
index a9758d764b..5849736cbf 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -1,5 +1,3 @@
-// $Id: Desc.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef descriptor_h
diff --git a/src/Dict.cc b/src/Dict.cc
index 6bef17ad3e..c0e2d0e4d2 100644
--- a/src/Dict.cc
+++ b/src/Dict.cc
@@ -1,5 +1,3 @@
-// $Id: Dict.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Dict.h b/src/Dict.h
index 75ac82c827..c7b3a21eac 100644
--- a/src/Dict.h
+++ b/src/Dict.h
@@ -1,5 +1,3 @@
-// $Id: Dict.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef dict_h
diff --git a/src/Discard.cc b/src/Discard.cc
index fcee23e5e0..2705aa55be 100644
--- a/src/Discard.cc
+++ b/src/Discard.cc
@@ -1,5 +1,3 @@
-// $Id: Discard.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include
diff --git a/src/Discard.h b/src/Discard.h
index 4ffcab39d1..16f7a58e6e 100644
--- a/src/Discard.h
+++ b/src/Discard.h
@@ -1,5 +1,3 @@
-// $Id: Discard.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef discard_h
diff --git a/src/EquivClass.cc b/src/EquivClass.cc
index ff5dc88603..6ab667b146 100644
--- a/src/EquivClass.cc
+++ b/src/EquivClass.cc
@@ -1,5 +1,3 @@
-// $Id: EquivClass.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/EquivClass.h b/src/EquivClass.h
index 9b35a9bb64..e5193cde47 100644
--- a/src/EquivClass.h
+++ b/src/EquivClass.h
@@ -1,5 +1,3 @@
-// $Id: EquivClass.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef equiv_class_h
diff --git a/src/Event.cc b/src/Event.cc
index 0ba5b68a21..97f29000d6 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -1,5 +1,3 @@
-// $Id: Event.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Event.h b/src/Event.h
index ce498ae9cc..805396a488 100644
--- a/src/Event.h
+++ b/src/Event.h
@@ -1,5 +1,3 @@
-// $Id: Event.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef event_h
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index 9a06763bc0..55f9902079 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -1,5 +1,3 @@
-// $Id: EventHandler.cc 5911 2008-07-03 22:59:01Z vern $
-
 #include "Event.h"
 #include "EventHandler.h"
 #include "Func.h"
diff --git a/src/EventHandler.h b/src/EventHandler.h
index 6a9438fd4c..2aebe87584 100644
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@@ -1,5 +1,3 @@
-// $Id: EventHandler.h 5911 2008-07-03 22:59:01Z vern $
-//
 // Capsulates local and remote event handlers.
 #ifndef EVENTHANDLER
diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc
index 1982d78c11..246c9dc8aa 100644
--- a/src/EventLauncher.cc
+++ b/src/EventLauncher.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "Val.h"
 #include "Analyzer.h"
 #include "EventLauncher.h"
diff --git a/src/EventLauncher.h b/src/EventLauncher.h
index 276f28ef75..6a57c59391 100644
--- a/src/EventLauncher.h
+++ b/src/EventLauncher.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef event_launcher_h
 #define event_launcher_h
diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc
index f5691ab448..4d29c5d95f 100644
--- a/src/EventRegistry.cc
+++ b/src/EventRegistry.cc
@@ -1,5 +1,3 @@
-// $Id: EventRegistry.cc 6829 2009-07-09 09:12:59Z vern $
-
 #include "EventRegistry.h"
 #include "RE.h"
 #include "RemoteSerializer.h"
diff --git a/src/EventRegistry.h b/src/EventRegistry.h
index bd9e0cd185..6ee5e3bcbd 100644
--- a/src/EventRegistry.h
+++ b/src/EventRegistry.h
@@ -1,5 +1,3 @@
-// $Id: EventRegistry.h 6829 2009-07-09 09:12:59Z vern $
-//
 // Each event raised/handled by Bro is registered in the EventRegistry.
 #ifndef EVENT_REGISTRY
diff --git a/src/Expr.cc b/src/Expr.cc
index cc93c47be0..bb5a1273fb 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -1,5 +1,3 @@
-// $Id: Expr.cc 6864 2009-08-16 23:30:39Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Expr.h b/src/Expr.h
index 2e5d5b637a..95016a8d13 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -1,5 +1,3 @@
-// $Id: Expr.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef expr_h
diff --git a/src/FTP.cc b/src/FTP.cc
index 3dcf5722d8..588348ea8d 100644
--- a/src/FTP.cc
+++ b/src/FTP.cc
@@ -1,5 +1,3 @@
-// $Id: FTP.cc 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/FTP.h b/src/FTP.h
index c50d463b65..4ef6c44d83 100644
--- a/src/FTP.h
+++ b/src/FTP.h
@@ -1,5 +1,3 @@
-// $Id: FTP.h 6782 2009-06-28 02:19:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ftp_h
diff --git a/src/File.cc b/src/File.cc
index c8390c9bb5..437370205a 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -1,5 +1,3 @@
-// $Id: File.cc 6942 2009-11-16 03:54:08Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/File.h b/src/File.h
index dad0d6da8b..444d6209e2 100644
--- a/src/File.h
+++ b/src/File.h
@@ -1,5 +1,3 @@
-// $Id: File.h 6888 2009-08-20 18:23:11Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef file_h
diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc
index 16bf003775..1abe88caec 100644
--- a/src/FileAnalyzer.cc
+++ b/src/FileAnalyzer.cc
@@ -1,5 +1,3 @@
-// $Id: FileAnalyzer.cc,v 1.1.4.2 2006/06/01 17:18:10 sommer Exp $
-
 #include
 #include "FileAnalyzer.h"
diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h
index f343547210..8c1890bb85 100644
--- a/src/FileAnalyzer.h
+++ b/src/FileAnalyzer.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // Analyzer for connections that transfer binary data.
 #ifndef FILEANALYZER_H
diff --git a/src/Finger.cc b/src/Finger.cc
index 9a0fda8985..be0f3754b5 100644
--- a/src/Finger.cc
+++ b/src/Finger.cc
@@ -1,5 +1,3 @@
-// $Id: Finger.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Finger.h b/src/Finger.h
index 98738765a3..3c61c4ad2a 100644
--- a/src/Finger.h
+++ b/src/Finger.h
@@ -1,5 +1,3 @@
-// $Id: Finger.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef finger_h
diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc
index 6f31cf2c3e..fe6998ea79 100644
--- a/src/FlowSrc.cc
+++ b/src/FlowSrc.cc
@@ -1,5 +1,3 @@
-/// $Id: FlowSrc.cc 4621 2007-07-10 13:37:13Z bager $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 // Written by Bernhard Ager, TU Berlin (2006/2007).
diff --git a/src/FlowSrc.h b/src/FlowSrc.h
index 3173badf66..7b0b14ad15 100644
--- a/src/FlowSrc.h
+++ b/src/FlowSrc.h
@@ -1,5 +1,3 @@
-// $Id: FlowSrc.h 4618 2007-07-09 18:12:32Z bager $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 // Written by Bernhard Ager, TU Berlin (2006/2007).
diff --git a/src/Frag.cc b/src/Frag.cc
index abf68baa14..b72fac4b16 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -1,5 +1,3 @@
-// $Id: Frag.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Frag.h b/src/Frag.h
index ddd5f73144..92bf1b3bbd 100644
--- a/src/Frag.h
+++ b/src/Frag.h
@@ -1,5 +1,3 @@
-// $Id: Frag.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef frag_h
diff --git a/src/Frame.cc b/src/Frame.cc
index 4eeb7e1fcc..f86fa32805 100644
--- a/src/Frame.cc
+++ b/src/Frame.cc
@@ -1,5 +1,3 @@
-// $Id: Frame.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Frame.h b/src/Frame.h
index 34a4f63f89..85e1dbec2e 100644
--- a/src/Frame.h
+++ b/src/Frame.h
@@ -1,5 +1,3 @@
-// $Id: Frame.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef frame_h
diff --git a/src/Func.cc b/src/Func.cc
index 4c36ea0bbb..8f26ea27df 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -1,5 +1,3 @@
-// $Id: Func.cc 6703 2009-05-13 22:27:44Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Func.h b/src/Func.h
index 6e1ea8597c..b9f6ffe808 100644
--- a/src/Func.h
+++ b/src/Func.h
@@ -1,5 +1,3 @@
-// $Id: Func.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef func_h
diff --git a/src/Gnutella.cc b/src/Gnutella.cc
index 9787147400..448c8dcb3b 100644
--- a/src/Gnutella.cc
+++ b/src/Gnutella.cc
@@ -1,5 +1,3 @@
-// $Id: Gnutella.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Gnutella.h b/src/Gnutella.h
index c390f418f4..f06c816c90 100644
--- a/src/Gnutella.h
+++ b/src/Gnutella.h
@@ -1,5 +1,3 @@
-// $Id: Gnutella.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef gnutella_h
diff --git a/src/H3.h b/src/H3.h
index b4eab3a727..9e6f1c5c35 100644
--- a/src/H3.h
+++ b/src/H3.h
@@ -1,5 +1,3 @@
-// $Id: H3.h 3230 2006-06-08 02:19:25Z vern $
-
 // Copyright 2004, 2005
 // The Regents of the University of California
 // All Rights Reserved
diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc
index 003d74d8e2..70cf37457b 100644
--- a/src/HTTP-binpac.cc
+++ b/src/HTTP-binpac.cc
@@ -1,5 +1,3 @@
-// $Id:$
-
 #include "HTTP-binpac.h"
 #include "TCP_Reassembler.h"
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h
index 9352515dc8..62b6fd0db3 100644
--- a/src/HTTP-binpac.h
+++ b/src/HTTP-binpac.h
@@ -1,5 +1,3 @@
-// $Id:$
-
 #ifndef http_binpac_h
 #define http_binpac_h
diff --git a/src/HTTP.cc b/src/HTTP.cc
index 54613bb9e1..0d154f1873 100644
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@@ -1,5 +1,3 @@
-// $Id: HTTP.cc 7073 2010-09-13 00:45:02Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/HTTP.h b/src/HTTP.h
index 7512f368a9..6614886e44 100644
--- a/src/HTTP.h
+++ b/src/HTTP.h
@@ -1,5 +1,3 @@
-// $Id: HTTP.h 6942 2009-11-16 03:54:08Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef http_h
diff --git a/src/Hash.cc b/src/Hash.cc
index 1902af4f37..7873e398c3 100644
--- a/src/Hash.cc
+++ b/src/Hash.cc
@@ -1,5 +1,3 @@
-// $Id: Hash.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 // The hash function works as follows:
diff --git a/src/Hash.h b/src/Hash.h
index d9659b442a..3a1b42084c 100644
--- a/src/Hash.h
+++ b/src/Hash.h
@@ -1,5 +1,3 @@
-// $Id: Hash.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef hash_h
diff --git a/src/ICMP.cc b/src/ICMP.cc
index 4e11583651..bc081ace51 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -1,5 +1,3 @@
-// $Id: ICMP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include
diff --git a/src/ICMP.h b/src/ICMP.h
index 62b859beba..ad43d7b948 100644
--- a/src/ICMP.h
+++ b/src/ICMP.h
@@ -1,5 +1,3 @@
-// $Id: ICMP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef icmp_h
diff --git a/src/ID.cc b/src/ID.cc
index 2decef725f..3f5c76ca1d 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -1,5 +1,3 @@
-// $Id: ID.cc 6724 2009-06-07 09:23:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/ID.h b/src/ID.h
index 49d844ebc3..9c1f56e80f 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -1,5 +1,3 @@
-// $Id: ID.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef id_h
diff --git a/src/IOSource.cc b/src/IOSource.cc
index 83f4ef15f2..d47007caad 100644
--- a/src/IOSource.cc
+++ b/src/IOSource.cc
@@ -1,5 +1,3 @@
-// $Id: IOSource.cc 4771 2007-08-11 05:50:24Z vern $
-
 #include
 #include
 #include
diff --git a/src/IOSource.h b/src/IOSource.h
index 53057f3583..db50bbd2a9 100644
--- a/src/IOSource.h
+++ b/src/IOSource.h
@@ -1,5 +1,3 @@
-// $Id: IOSource.h 6888 2009-08-20 18:23:11Z vern $
-//
 // Interface for classes providing/consuming data during Bro's main loop.
 #ifndef iosource_h
diff --git a/src/IP.h b/src/IP.h
index 4f76ef50ed..73ac4ee5c7 100644
--- a/src/IP.h
+++ b/src/IP.h
@@ -1,5 +1,3 @@
-// $Id: IP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ip_h
diff --git a/src/IRC.cc b/src/IRC.cc
index 0e3705a97d..caf7c492b6 100644
--- a/src/IRC.cc
+++ b/src/IRC.cc
@@ -1,5 +1,3 @@
-// $Id: IRC.cc 4582 2007-07-04 01:14:09Z vern $
-
 // An IRC analyzer contributed by Roland Gruber.
 #include
diff --git a/src/IRC.h b/src/IRC.h
index fb6e9869ae..0fe36957de 100644
--- a/src/IRC.h
+++ b/src/IRC.h
@@ -1,5 +1,3 @@
-// $Id: IRC.h 4582 2007-07-04 01:14:09Z vern $
-
 // An IRC analyzer contributed by Roland Gruber.
 #ifndef irc_h
diff --git a/src/Ident.cc b/src/Ident.cc
index 2231c50ae8..b2e82e5f12 100644
--- a/src/Ident.cc
+++ b/src/Ident.cc
@@ -1,5 +1,3 @@
-// $Id: Ident.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Ident.h b/src/Ident.h
index c87e98c6d4..a848d233e1 100644
--- a/src/Ident.h
+++ b/src/Ident.h
@@ -1,5 +1,3 @@
-// $Id: Ident.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ident_h
diff --git a/src/IntSet.cc b/src/IntSet.cc
index a6c176f829..fb198f0e25 100644
--- a/src/IntSet.cc
+++ b/src/IntSet.cc
@@ -1,5 +1,3 @@
-// $Id: IntSet.cc 80 2004-07-14 20:15:50Z jason $
-
 #include "config.h"
 #ifdef HAVE_MEMORY_H
diff --git a/src/IntSet.h b/src/IntSet.h
index 412b06d418..ef58e8b12f 100644
--- a/src/IntSet.h
+++ b/src/IntSet.h
@@ -1,5 +1,3 @@
-// $Id: IntSet.h 80 2004-07-14 20:15:50Z jason $
-
 // A simple but fast data structure for sets of integers.
 // Only supported operations are insert, remove and membership test.
 //
diff --git a/src/InterConn.cc b/src/InterConn.cc
index 664982fd02..403081181a 100644
--- a/src/InterConn.cc
+++ b/src/InterConn.cc
@@ -1,5 +1,3 @@
-// $Id: InterConn.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/InterConn.h b/src/InterConn.h
index 1f9ee12f62..d9cd10de27 100644
--- a/src/InterConn.h
+++ b/src/InterConn.h
@@ -1,5 +1,3 @@
-// $Id: InterConn.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef interconn_h
diff --git a/src/List.cc b/src/List.cc
index 2a28d4ae00..9a1af3fe4f 100644
--- a/src/List.cc
+++ b/src/List.cc
@@ -1,5 +1,3 @@
-// $Id: List.cc 1905 2005-12-14 03:27:33Z vern $
-
 #include "config.h"
 #include
diff --git a/src/List.h b/src/List.h
index 38afad35c9..bf87ade67d 100644
--- a/src/List.h
+++ b/src/List.h
@@ -1,5 +1,3 @@
-// $Id: List.h 463 2004-09-26 21:04:20Z vern $
-
 #ifndef list_h
 #define list_h
diff --git a/src/Login.cc b/src/Login.cc
index 0a3849ccd0..56efd12f53 100644
--- a/src/Login.cc
+++ b/src/Login.cc
@@ -1,5 +1,3 @@
-// $Id: Login.cc 6724 2009-06-07 09:23:03Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/MIME.cc b/src/MIME.cc
index 3fe652d4cc..109b897b88 100644
--- a/src/MIME.cc
+++ b/src/MIME.cc
@@ -1,5 +1,3 @@
-// $Id: MIME.cc 5906 2008-07-03 19:52:50Z vern $
-
 #include "config.h"
 #include "NetVar.h"
diff --git a/src/MIME.h b/src/MIME.h
index b5cdf556ac..c8c70cf65b 100644
--- a/src/MIME.h
+++ b/src/MIME.h
@@ -1,5 +1,3 @@
-// $Id: MIME.h 3526 2006-09-12 07:32:21Z vern $
-
 #ifndef mime_h
 #define mime_h
diff --git a/src/NCP.cc b/src/NCP.cc
index c065e48e87..83378a09a7 100644
--- a/src/NCP.cc
+++ b/src/NCP.cc
@@ -1,5 +1,3 @@
-// $Id: NCP.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NCP.h b/src/NCP.h
index 714d1879f8..1e783ee3ab 100644
--- a/src/NCP.h
+++ b/src/NCP.h
@@ -1,5 +1,3 @@
-// $Id: NCP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ncp_h
diff --git a/src/NFA.cc b/src/NFA.cc
index 74958823dc..4849755941 100644
--- a/src/NFA.cc
+++ b/src/NFA.cc
@@ -1,5 +1,3 @@
-// $Id: NFA.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NFA.h b/src/NFA.h
index 9dcb435d61..9877b8787c 100644
--- a/src/NFA.h
+++ b/src/NFA.h
@@ -1,5 +1,3 @@
-// $Id: NFA.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef nfa_h
diff --git a/src/NFS.cc b/src/NFS.cc
index 2951361baf..2911ee7f59 100644
--- a/src/NFS.cc
+++ b/src/NFS.cc
@@ -1,5 +1,3 @@
-// $Id: NFS.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include
diff --git a/src/NFS.h b/src/NFS.h
index 28a1d5c4ac..6a65143808 100644
--- a/src/NFS.h
+++ b/src/NFS.h
@@ -1,5 +1,3 @@
-// $Id: NFS.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef nfs_h
diff --git a/src/NTP.cc b/src/NTP.cc
index ac7d12fb6d..60b7e6202d 100644
--- a/src/NTP.cc
+++ b/src/NTP.cc
@@ -1,5 +1,3 @@
-// $Id: NTP.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NTP.h b/src/NTP.h
index c4ccdd644a..a22a7b231b 100644
--- a/src/NTP.h
+++ b/src/NTP.h
@@ -1,5 +1,3 @@
-// $Id: NTP.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ntp_h
diff --git a/src/NVT.cc b/src/NVT.cc
index ad5e321595..5ba12ac32a 100644
--- a/src/NVT.cc
+++ b/src/NVT.cc
@@ -1,5 +1,3 @@
-// $Id: NVT.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NVT.h b/src/NVT.h
index 63c0cc6620..61aa1ef740 100644
--- a/src/NVT.h
+++ b/src/NVT.h
@@ -1,5 +1,3 @@
-// $Id: NVT.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef nvt_h
diff --git a/src/Net.cc b/src/Net.cc
index df91521eee..2d8ee85353 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -1,5 +1,3 @@
-// $Id: Net.cc 6915 2009-09-22 05:04:17Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Net.h b/src/Net.h
index 3569e85336..9e68cc025b 100644
--- a/src/Net.h
+++ b/src/Net.h
@@ -1,5 +1,3 @@
-// $Id: Net.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef net_h
diff --git a/src/NetVar.cc b/src/NetVar.cc
index cc40681494..25e4f7a0bc 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -1,5 +1,3 @@
-// $Id: NetVar.cc 6887 2009-08-20 05:17:33Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NetVar.h b/src/NetVar.h
index b9667a19c9..f8def230c0 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -1,5 +1,3 @@
-// $Id: NetVar.h 6887 2009-08-20 05:17:33Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef netvar_h
diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc
index 0bb135f59d..274e76f137 100644
--- a/src/NetbiosSSN.cc
+++ b/src/NetbiosSSN.cc
@@ -1,5 +1,3 @@
-// $Id: NetbiosSSN.cc 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h
index ba724fa2fb..7c4dd91b90 100644
--- a/src/NetbiosSSN.h
+++ b/src/NetbiosSSN.h
@@ -1,5 +1,3 @@
-// $Id: NetbiosSSN.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef netbios_ssn_h
diff --git a/src/OSFinger.cc b/src/OSFinger.cc
index e8fd929885..70504e8422 100644
--- a/src/OSFinger.cc
+++ b/src/OSFinger.cc
@@ -1,5 +1,3 @@
-// $Id: OSFinger.cc 5857 2008-06-26 23:00:03Z vern $
-
 /* Taken with permission from:
diff --git a/src/OSFinger.h b/src/OSFinger.h
index f1f9e492f2..1e745505eb 100644
--- a/src/OSFinger.h
+++ b/src/OSFinger.h
@@ -1,5 +1,3 @@
-// $Id: OSFinger.h 5857 2008-06-26 23:00:03Z vern $
-
 // Taken with permission from:
 //
 // p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
diff --git a/src/Obj.cc b/src/Obj.cc
index dfa8ed0148..91aea0989b 100644
--- a/src/Obj.cc
+++ b/src/Obj.cc
@@ -1,5 +1,3 @@
-// $Id: Obj.cc 6752 2009-06-14 04:24:52Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Obj.h b/src/Obj.h
index d5a60aa972..be0d91b398 100644
--- a/src/Obj.h
+++ b/src/Obj.h
@@ -1,5 +1,3 @@
-// $Id: Obj.h 6781 2009-06-28 00:50:04Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef obj_h
diff --git a/src/Op.h b/src/Op.h
index 7c8d4afe38..a628a6bb68 100644
--- a/src/Op.h
+++ b/src/Op.h
@@ -1,5 +1,3 @@
-// $Id: Op.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef op_h
diff --git a/src/PIA.cc b/src/PIA.cc
index 32c0b40fc5..6a00e7e1d0 100644
--- a/src/PIA.cc
+++ b/src/PIA.cc
@@ -1,5 +1,3 @@
-// $Id: PIA.cc,v 1.1.2.14 2006/05/31 23:19:07 sommer Exp $
-
 #include "PIA.h"
 #include "RuleMatcher.h"
 #include "TCP_Reassembler.h"
diff --git a/src/PIA.h b/src/PIA.h
index 8a1079f617..907350bbdf 100644
--- a/src/PIA.h
+++ b/src/PIA.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // An analyzer for application-layer protocol-detection.
 #ifndef PIA_H
diff --git a/src/POP3.cc b/src/POP3.cc
index b364541be1..4ffe67ef48 100644
--- a/src/POP3.cc
+++ b/src/POP3.cc
@@ -1,5 +1,3 @@
-// $Id: POP3.cc 6782 2009-06-28 02:19:03Z vern $
-
 // This code contributed to Bro by Florian Schimandl, Hugh Dollman and
 // Robin Sommer.
diff --git a/src/POP3.h b/src/POP3.h
index 6ad0a7e755..8d09d5e686 100644
--- a/src/POP3.h
+++ b/src/POP3.h
@@ -1,5 +1,3 @@
-// $Id: POP3.h 3526 2006-09-12 07:32:21Z vern $
-
 // This code contributed to Bro by Florian Schimandl and Hugh Dollman.
 //
 // An analyser for the POP3 protocol.
diff --git a/src/PacketDumper.cc b/src/PacketDumper.cc
index d401cd63cb..84b22ff17c 100644
--- a/src/PacketDumper.cc
+++ b/src/PacketDumper.cc
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
diff --git a/src/PacketDumper.h b/src/PacketDumper.h
index b0d5943b36..baace47876 100644
--- a/src/PacketDumper.h
+++ b/src/PacketDumper.h
@@ -1,5 +1,3 @@
-// $Id:$
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef packetdumper_h
diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc
index fa88350713..9b6b881ce5 100644
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@@ -1,5 +1,3 @@
-// $Id: PacketFilter.cc 967 2005-01-03 07:19:06Z vern $
-
 #include "PacketFilter.h"
 void PacketFilter::AddSrc(addr_type src, uint32 tcp_flags, double probability)
diff --git a/src/PacketFilter.h b/src/PacketFilter.h
index 6a70504280..ed8000f40f 100644
--- a/src/PacketFilter.h
+++ b/src/PacketFilter.h
@@ -1,5 +1,3 @@
-// $Id: PacketFilter.h 80 2004-07-14 20:15:50Z jason $
-//
 // Provides some very limited but fast packet filter mechanisms
 #ifndef PACKETFILTER_H
diff --git a/src/PacketSort.cc b/src/PacketSort.cc
index 8beaa51474..0ff08b3280 100644
--- a/src/PacketSort.cc
+++ b/src/PacketSort.cc
@@ -1,5 +1,3 @@
-// $Id: PacketSort.cc 3228 2006-06-08 02:12:03Z vern $
-
 #include "IP.h"
 #include "PacketSort.h"
diff --git a/src/PacketSort.h b/src/PacketSort.h
index 6c6a4f4994..199da0732f 100644
--- a/src/PacketSort.h
+++ b/src/PacketSort.h
@@ -1,5 +1,3 @@
-// $Id: PacketSort.h 3228 2006-06-08 02:12:03Z vern $
-
 #ifndef packetsort_h
 #define packetsort_h
diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc
index 60247c7519..c72f59c0dd 100644
--- a/src/PersistenceSerializer.cc
+++ b/src/PersistenceSerializer.cc
@@ -1,5 +1,3 @@
-// $Id: PersistenceSerializer.cc 6752 2009-06-14 04:24:52Z vern $
-
 #include
 #include
 #include
diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h
index 572ab0238e..dcd712bf84 100644
--- a/src/PersistenceSerializer.h
+++ b/src/PersistenceSerializer.h
@@ -1,5 +1,3 @@
-// $Id: PersistenceSerializer.h 2698 2006-04-03 05:50:52Z vern $
-//
 // Implements persistance for Bro's data structures.
 #ifndef persistence_serializer_h
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index c3f47d651f..014f611e59 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -1,5 +1,3 @@
-// $Id: PktSrc.cc 6951 2009-12-04 22:23:28Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include
diff --git a/src/PktSrc.h b/src/PktSrc.h
index 04524ec405..70eef4dd00 100644
--- a/src/PktSrc.h
+++ b/src/PktSrc.h
@@ -1,5 +1,3 @@
-// $Id: PktSrc.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef pktsrc_h
diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
index 22a6a96cb6..53b115048a 100644
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@@ -1,5 +1,3 @@
-// $Id: PolicyFile.cc 1473 2005-10-06 21:32:45Z vern $
-
 #include "config.h"
 #include
diff --git a/src/PolicyFile.h b/src/PolicyFile.h
index ac040d5584..62c475a98b 100644
--- a/src/PolicyFile.h
+++ b/src/PolicyFile.h
@@ -1,5 +1,3 @@
-// $Id: PolicyFile.h 80 2004-07-14 20:15:50Z jason $
-
 // Functions for displaying the contents of policy files.
 // Mostly useful for debugging code that wants to show context.
 //
diff --git a/src/Portmap.cc b/src/Portmap.cc
index e806acdc7a..dd1049a361 100644
--- a/src/Portmap.cc
+++ b/src/Portmap.cc
@@ -1,5 +1,3 @@
-// $Id: Portmap.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Portmap.h b/src/Portmap.h
index cb2cb1293c..62e954bc80 100644
--- a/src/Portmap.h
+++ b/src/Portmap.h
@@ -1,5 +1,3 @@
-// $Id: Portmap.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef portmap_h
diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
index 03e1495957..e04c3f9294 100644
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@@ -1,5 +1,3 @@
-// $Id: PrefixTable.cc 1016 2005-01-31 21:23:50Z vern $
-
 #include "PrefixTable.h"
 #include "Reporter.h"
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
index b718b3c561..78596c7f35 100644
--- a/src/PrefixTable.h
+++ b/src/PrefixTable.h
@@ -1,5 +1,3 @@
-// $Id: PrefixTable.h 969 2005-01-04 06:36:21Z vern $
-
 #ifndef PREFIXTABLE_H
 #define PREFIXTABLE_H
diff --git a/src/PriorityQueue.cc b/src/PriorityQueue.cc
index d94ccba7d6..8db161b10a 100644
--- a/src/PriorityQueue.cc
+++ b/src/PriorityQueue.cc
@@ -1,5 +1,3 @@
-// $Id: PriorityQueue.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h
index 45028553ce..87e10aa7ac 100644
--- a/src/PriorityQueue.h
+++ b/src/PriorityQueue.h
@@ -1,5 +1,3 @@
-// $Id: PriorityQueue.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef __PriorityQueue__
diff --git a/src/Queue.cc b/src/Queue.cc
index a0de35777b..28bcb92405 100644
--- a/src/Queue.cc
+++ b/src/Queue.cc
@@ -1,5 +1,3 @@
-// $Id: Queue.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/Queue.h b/src/Queue.h
index 293d74ba7a..c9a69ad926 100644
--- a/src/Queue.h
+++ b/src/Queue.h
@@ -1,5 +1,3 @@
-// $Id: Queue.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef queue_h
diff --git a/src/RE.cc b/src/RE.cc
index af72d84519..b6f1a1361f 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -1,5 +1,3 @@
-// $Id: RE.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/RE.h b/src/RE.h
index f46f835649..a2fc709c88 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -1,5 +1,3 @@
-// $Id: RE.h 6781 2009-06-28 00:50:04Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef re_h
diff --git a/src/RPC.cc b/src/RPC.cc
index 02fb20a436..81fd6709b1 100644
--- a/src/RPC.cc
+++ b/src/RPC.cc
@@ -1,5 +1,3 @@
-// $Id: RPC.cc 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include
diff --git a/src/RPC.h b/src/RPC.h
index 1b75b6cc48..0eee423460 100644
--- a/src/RPC.h
+++ b/src/RPC.h
@@ -1,5 +1,3 @@
-// $Id: RPC.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef rpc_h
diff --git a/src/RSH.cc b/src/RSH.cc
index cbbce944f5..ceef3ba7a4 100644
--- a/src/RSH.cc
+++ b/src/RSH.cc
@@ -1,5 +1,3 @@
-// $Id: RSH.cc 6219 2008-10-01 05:39:07Z vern $
-
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/RSH.h b/src/RSH.h
index 8a6c5fde6f..136d0b07f1 100644
--- a/src/RSH.h
+++ b/src/RSH.h
@@ -1,5 +1,3 @@
-// $Id: RSH.h 6219 2008-10-01 05:39:07Z vern $
- // See the file "COPYING" in the main distribution directory for copyright. #ifndef rsh_h
diff --git a/src/Reassem.cc b/src/Reassem.cc
index 319fcbff3b..89fe29e7d4 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -1,5 +1,3 @@
-// $Id: Reassem.cc 6703 2009-05-13 22:27:44Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include
diff --git a/src/Reassem.h b/src/Reassem.h
index 1563732180..06d1e28f40 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -1,5 +1,3 @@
-// $Id: Reassem.h 6703 2009-05-13 22:27:44Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef reassem_h
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 814f387718..f9694f597e 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -1,5 +1,3 @@
-// $Id: RemoteSerializer.cc 6951 2009-12-04 22:23:28Z vern $
-// // Processes involved in the communication: // // (Local-Parent) <-> (Local-Child) <-> (Remote-Child) <-> (Remote-Parent)
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index 5374e6f931..395cca2ad9 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -1,5 +1,3 @@
-// $Id: RemoteSerializer.h 6951 2009-12-04 22:23:28Z vern $
-// // Communication between two Bro's. #ifndef REMOTE_SERIALIZER
diff --git a/src/Rlogin.cc b/src/Rlogin.cc
index 6dd1cc362d..1ad3f16d7e 100644
--- a/src/Rlogin.cc
+++ b/src/Rlogin.cc
@@ -1,5 +1,3 @@
-// $Id: Rlogin.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Rlogin.h b/src/Rlogin.h
index ae1946369c..f8ad480630 100644
--- a/src/Rlogin.h
+++ b/src/Rlogin.h
@@ -1,5 +1,3 @@
-// $Id: Rlogin.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef rlogin_h
diff --git a/src/Rule.cc b/src/Rule.cc
index f54a725320..e9847c1721 100644
--- a/src/Rule.cc
+++ b/src/Rule.cc
@@ -1,5 +1,3 @@
-// $Id: Rule.cc 6914 2009-09-22 00:35:24Z vern $
- #include "config.h" #include "Rule.h"
diff --git a/src/Rule.h b/src/Rule.h
index e95dadc074..959008fbf9 100644
--- a/src/Rule.h
+++ b/src/Rule.h
@@ -1,5 +1,3 @@
-// $Id: Rule.h 6914 2009-09-22 00:35:24Z vern $
- #ifndef rule_h #define rule_h
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 9fe807ffb2..bf90c0681e 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -1,5 +1,3 @@
-// $Id: RuleAction.cc 5906 2008-07-03 19:52:50Z vern $
- #include using std::string;
diff --git a/src/RuleAction.h b/src/RuleAction.h
index 33d37bc6e2..a9feb0c314 100644
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@@ -1,5 +1,3 @@
-// $Id: RuleAction.h 5880 2008-06-30 17:42:45Z vern $
- #ifndef ruleaction_h #define ruleaction_h
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 78dbee39cd..1b94fcffe6 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -1,5 +1,3 @@
-// $Id: RuleCondition.cc 6008 2008-07-23 00:24:22Z vern $
- #include "config.h" #include "RuleCondition.h"
diff --git a/src/RuleCondition.h b/src/RuleCondition.h
index a092543d62..b859930581 100644
--- a/src/RuleCondition.h
+++ b/src/RuleCondition.h
@@ -1,5 +1,3 @@
-// $Id: RuleCondition.h 80 2004-07-14 20:15:50Z jason $
- #ifndef rulecondition_h #define rulecondition_h
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 1ca891883d..311d9814f3 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -1,5 +1,3 @@
-// $Id: RuleMatcher.cc 6724 2009-06-07 09:23:03Z vern $
- #include #include "config.h"
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 085253c16e..5bba69e130 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -1,5 +1,3 @@
-// $Id: RuleMatcher.h 3526 2006-09-12 07:32:21Z vern $
- #ifndef sigs_h #define sigs_h
diff --git a/src/SMB.cc b/src/SMB.cc
index 5b3db68db9..edce2a69b8 100644
--- a/src/SMB.cc
+++ b/src/SMB.cc
@@ -1,5 +1,3 @@
-// $Id: SMB.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "NetVar.h"
diff --git a/src/SMB.h b/src/SMB.h
index 408fa91068..f7287efb79 100644
--- a/src/SMB.h
+++ b/src/SMB.h
@@ -1,5 +1,3 @@
-// $Id: SMB.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smb_h
diff --git a/src/SMTP.cc b/src/SMTP.cc
index 5822d9d75f..3af8af3b7b 100644
--- a/src/SMTP.cc
+++ b/src/SMTP.cc
@@ -1,5 +1,3 @@
-// $Id: SMTP.cc 6782 2009-06-28 02:19:03Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/SMTP.h b/src/SMTP.h
index 69a5bc3e24..5b15dc44c0 100644
--- a/src/SMTP.h
+++ b/src/SMTP.h
@@ -1,5 +1,3 @@
-// $Id: SMTP.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smtp_h
diff --git a/src/SMTP_cmd.def b/src/SMTP_cmd.def
index 79667ba7bd..545136048d 100644
--- a/src/SMTP_cmd.def
+++ b/src/SMTP_cmd.def
@@ -1,5 +1,3 @@
-// $Id: SMTP_cmd.def 80 2004-07-14 20:15:50Z jason $
-// // Definitions of SMTP commands. SMTP_CMD_DEF(EHLO)
diff --git a/src/SSH.cc b/src/SSH.cc
index b4ca9aa153..c07aad3dd1 100644
--- a/src/SSH.cc
+++ b/src/SSH.cc
@@ -1,5 +1,3 @@
-// $Id: SSH.cc 6782 2009-06-28 02:19:03Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/SSH.h b/src/SSH.h
index 503b1abcbe..ccdcd76929 100644
--- a/src/SSH.h
+++ b/src/SSH.h
@@ -1,5 +1,3 @@
-// $Id: SSH.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ssh_h
diff --git a/src/SSLv2.cc b/src/SSLv2.cc
index f699b7bfdb..9fa654048d 100644
--- a/src/SSLv2.cc
+++ b/src/SSLv2.cc
@@ -1,5 +1,3 @@
-// $Id: SSLv2.cc 5988 2008-07-19 07:02:12Z vern $
- #include "SSLv2.h" #include "SSLv3.h"
diff --git a/src/Scope.cc b/src/Scope.cc
index 196937d984..cd47b325c1 100644
--- a/src/Scope.cc
+++ b/src/Scope.cc
@@ -1,5 +1,3 @@
-// $Id: Scope.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Scope.h b/src/Scope.h
index 1ed8d6da42..1ef58d871c 100644
--- a/src/Scope.h
+++ b/src/Scope.h
@@ -1,5 +1,3 @@
-// $Id: Scope.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef scope_h
diff --git a/src/ScriptAnaly.cc b/src/ScriptAnaly.cc
index 700c0ed4e8..bca75cc800 100644
--- a/src/ScriptAnaly.cc
+++ b/src/ScriptAnaly.cc
@@ -1,5 +1,3 @@
-// $Id: ScriptAnaly.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "Dict.h"
diff --git a/src/ScriptAnaly.h b/src/ScriptAnaly.h
index 180971e769..0561ecd389 100644
--- a/src/ScriptAnaly.h
+++ b/src/ScriptAnaly.h
@@ -1,5 +1,3 @@
-// $Id: ScriptAnaly.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef scriptanaly_h
diff --git a/src/SerialInfo.h b/src/SerialInfo.h
index 3ed2e91d26..d322aa4b37 100644
--- a/src/SerialInfo.h
+++ b/src/SerialInfo.h
@@ -1,5 +1,3 @@
-// $Id: SerialInfo.h 6752 2009-06-14 04:24:52Z vern $
-// // Helper classes to pass data between serialization methods. #ifndef serialinfo_h
diff --git a/src/SerialObj.cc b/src/SerialObj.cc
index cddb0b0963..6921115c56 100644
--- a/src/SerialObj.cc
+++ b/src/SerialObj.cc
@@ -1,5 +1,3 @@
-// $Id: SerialObj.cc 7075 2010-09-13 02:39:38Z vern $
- #include "SerialObj.h" #include "Serializer.h"
diff --git a/src/SerialObj.h b/src/SerialObj.h
index 4a12d53fe6..c3dc65684c 100644
--- a/src/SerialObj.h
+++ b/src/SerialObj.h
@@ -1,5 +1,3 @@
-// $Id: SerialObj.h 6752 2009-06-14 04:24:52Z vern $
-// // Infrastructure for serializable objects. // // How to make objects of class Foo serializable:
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index 4d9b7a5880..0ba48f89a9 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -1,5 +1,3 @@
-// $Id: SerialTypes.h 6752 2009-06-14 04:24:52Z vern $
- #ifndef serialtypes_h #define serialtypes_h
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index b229cbbc87..5e3a68a42e 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -1,5 +1,3 @@
-// $Id: SerializationFormat.cc 5873 2008-06-28 19:25:03Z vern $
- #include #include "net_util.h"
diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h
index b9c7ec1549..2067456bf1 100644
--- a/src/SerializationFormat.h
+++ b/src/SerializationFormat.h
@@ -1,5 +1,3 @@
-// $Id: SerializationFormat.h 5873 2008-06-28 19:25:03Z vern $
-// // Implements different data formats for serialization. #ifndef SERIALIZATION_FORMAT
diff --git a/src/Serializer.cc b/src/Serializer.cc
index 96821408a5..a29cb93b77 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -1,5 +1,3 @@
-// $Id: Serializer.cc 6752 2009-06-14 04:24:52Z vern $
- #include #include #include
diff --git a/src/Serializer.h b/src/Serializer.h
index 857abc0980..eabdbc62c1 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -1,5 +1,3 @@
-// $Id: Serializer.h 6752 2009-06-14 04:24:52Z vern $
- #ifndef SERIALIZER_H #define SERIALIZER_H
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 1678f6798f..3825f35f62 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -1,5 +1,3 @@
-// $Id: Sessions.cc 7075 2010-09-13 02:39:38Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright.
diff --git a/src/Sessions.h b/src/Sessions.h
index 6adc333282..452de874db 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -1,5 +1,3 @@
-// $Id: Sessions.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef sessions_h
diff --git a/src/SmithWaterman.cc b/src/SmithWaterman.cc
index 3f27018550..ef329e49a5 100644
--- a/src/SmithWaterman.cc
+++ b/src/SmithWaterman.cc
@@ -1,5 +1,3 @@
-// $Id: SmithWaterman.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h
index c8c80d09af..6ea191f5d9 100644
--- a/src/SmithWaterman.h
+++ b/src/SmithWaterman.h
@@ -1,5 +1,3 @@
-// $Id: SmithWaterman.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smith_waterman_h
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index ef4c257f6b..e62904469c 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -1,5 +1,3 @@
-// $Id: StateAccess.cc 6888 2009-08-20 18:23:11Z vern $
- #include "Val.h" #include "StateAccess.h" #include "Serializer.h"
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 1154756c83..bc5064602b 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -1,5 +1,3 @@
-// $Id: StateAccess.h 6781 2009-06-28 00:50:04Z vern $
-// // A class describing a state-modyfing access to a Value or an ID. #ifndef STATEACESSS_H
diff --git a/src/Stats.cc b/src/Stats.cc
index 28c0b38c22..4798a789a7 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -1,5 +1,3 @@
-// $Id: Stats.cc 7008 2010-03-25 02:42:20Z vern $
- #include "Conn.h" #include "File.h" #include "Event.h"
diff --git a/src/Stats.h b/src/Stats.h
index 8acb7ef190..eeebfe2213 100644
--- a/src/Stats.h
+++ b/src/Stats.h
@@ -1,5 +1,3 @@
-// $Id: Stats.h 6703 2009-05-13 22:27:44Z vern $
-// // Classes that collect and report statistics. #ifndef STATS_H
diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc
index 96652456bf..32850d82c6 100644
--- a/src/SteppingStone.cc
+++ b/src/SteppingStone.cc
@@ -1,5 +1,3 @@
-// $Id: SteppingStone.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/SteppingStone.h b/src/SteppingStone.h
index 15165387f9..a47b268c83 100644
--- a/src/SteppingStone.h
+++ b/src/SteppingStone.h
@@ -1,5 +1,3 @@
-// $Id: SteppingStone.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef steppingstone_h
diff --git a/src/Stmt.cc b/src/Stmt.cc
index 80603a717b..6a83940b3b 100644
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@@ -1,5 +1,3 @@
-// $Id: Stmt.cc 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Stmt.h b/src/Stmt.h
index bbfdd98bfd..8e3a4b4118 100644
--- a/src/Stmt.h
+++ b/src/Stmt.h
@@ -1,5 +1,3 @@
-// $Id: Stmt.h 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef stmt_h
diff --git a/src/StmtEnums.h b/src/StmtEnums.h
index c00b16112f..f431e3fea1 100644
--- a/src/StmtEnums.h
+++ b/src/StmtEnums.h
@@ -1,5 +1,3 @@
-// $Id: StmtEnums.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright.
diff --git a/src/TCP.cc b/src/TCP.cc
index 4c56eb7ff9..0fae07a24d 100644
--- a/src/TCP.cc
+++ b/src/TCP.cc
@@ -1,5 +1,3 @@
-// $Id: TCP.cc 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include
diff --git a/src/TCP.h b/src/TCP.h
index 1db8c1ed68..65f437856a 100644
--- a/src/TCP.h
+++ b/src/TCP.h
@@ -1,5 +1,3 @@
-// $Id: TCP.h 6782 2009-06-28 02:19:03Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef TCP_H
diff --git a/src/TCP_Endpoint.cc b/src/TCP_Endpoint.cc
index 6d74a1d818..5a65a18d7c 100644
--- a/src/TCP_Endpoint.cc
+++ b/src/TCP_Endpoint.cc
@@ -1,5 +1,3 @@
-// $Id: TCP_Endpoint.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "Net.h"
diff --git a/src/TCP_Endpoint.h b/src/TCP_Endpoint.h
index baae2037c4..758a504ff5 100644
--- a/src/TCP_Endpoint.h
+++ b/src/TCP_Endpoint.h
@@ -1,5 +1,3 @@
-// $Id: TCP_Endpoint.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef tcpendpoint_h
diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc
index bbde905320..ba31ab68d0 100644
--- a/src/TCP_Reassembler.cc
+++ b/src/TCP_Reassembler.cc
@@ -1,5 +1,3 @@
-// $Id: TCP_Reassembler.cc,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
- #include #include "Analyzer.h"
diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h
index 772c5f6f9c..cb1750e2a2 100644
--- a/src/TCP_Reassembler.h
+++ b/src/TCP_Reassembler.h
@@ -1,5 +1,3 @@
-// $Id: TCP_Reassembler.h,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
- #ifndef TCP_REASSEMBLER_H #define TCP_REASSEMBLER_H
diff --git a/src/Telnet.cc b/src/Telnet.cc
index 91151fe735..62c7d7b500 100644
--- a/src/Telnet.cc
+++ b/src/Telnet.cc
@@ -1,5 +1,3 @@
-// $Id: Telnet.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Telnet.h b/src/Telnet.h
index 89150bcbc7..5675775789 100644
--- a/src/Telnet.h
+++ b/src/Telnet.h
@@ -1,5 +1,3 @@
-// $Id: Telnet.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef telnet_h
diff --git a/src/Timer.cc b/src/Timer.cc
index c7feb0bbd8..2e2fb09c6b 100644
--- a/src/Timer.cc
+++ b/src/Timer.cc
@@ -1,5 +1,3 @@
-// $Id: Timer.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Timer.h b/src/Timer.h
index c98aeefc22..bb6b8d56ae 100644
--- a/src/Timer.h
+++ b/src/Timer.h
@@ -1,5 +1,3 @@
-// $Id: Timer.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef timer_h
diff --git a/src/Traverse.cc b/src/Traverse.cc
index 733ceb450c..78eed27800 100644
--- a/src/Traverse.cc
+++ b/src/Traverse.cc
@@ -1,5 +1,3 @@
-// $Id: Traverse.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "Scope.h"
diff --git a/src/Traverse.h b/src/Traverse.h
index ea300fad18..3791a9bbdc 100644
--- a/src/Traverse.h
+++ b/src/Traverse.h
@@ -1,5 +1,3 @@
-// $Id: Traverse.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef traverse_h
diff --git a/src/TraverseTypes.h b/src/TraverseTypes.h
index 0cba17a5a9..b0528f34be 100644
--- a/src/TraverseTypes.h
+++ b/src/TraverseTypes.h
@@ -1,5 +1,3 @@
-// $Id: TraverseTypes.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef statictypes_h
diff --git a/src/Trigger.cc b/src/Trigger.cc
index 45d1959ee7..272d03a859 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -1,5 +1,3 @@
-// $Id: Trigger.cc 2359 2005-12-21 23:55:32Z vern $
- #include #include "Trigger.h"
diff --git a/src/Trigger.h b/src/Trigger.h
index 7f9931b033..8001308bce 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -1,5 +1,3 @@
-// $Id: Trigger.h 2359 2005-12-21 23:55:32Z vern $
- #ifndef TRIGGER_H #define TRIGGER_H
diff --git a/src/Type.cc b/src/Type.cc
index c2ab7e85df..2bee9c50b2 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1,5 +1,3 @@
-// $Id: Type.cc 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Type.h b/src/Type.h
index 1d7637828d..5ebc5761a3 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -1,5 +1,3 @@
-// $Id: Type.h 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef type_h
diff --git a/src/UDP.cc b/src/UDP.cc
index 5331560eff..35e9f58388 100644
--- a/src/UDP.cc
+++ b/src/UDP.cc
@@ -1,5 +1,3 @@
-// $Id: UDP.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include
diff --git a/src/UDP.h b/src/UDP.h
index b04c5e3ef0..5124adf4cd 100644
--- a/src/UDP.h
+++ b/src/UDP.h
@@ -1,5 +1,3 @@
-// $Id: UDP.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef udp_h
diff --git a/src/Val.cc b/src/Val.cc
index a2a3323b13..8aa46181f9 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1,5 +1,3 @@
-// $Id: Val.cc 6945 2009-11-27 19:25:10Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Val.h b/src/Val.h
index c840254d7c..6ba16114db 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1,5 +1,3 @@
-// $Id: Val.h 6916 2009-09-24 20:48:36Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef val_h
diff --git a/src/Var.cc b/src/Var.cc
index 390b6b3684..897a454670 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -1,5 +1,3 @@
-// $Id: Var.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/Var.h b/src/Var.h
index 6b4ddaece2..8b9866ed2d 100644
--- a/src/Var.h
+++ b/src/Var.h
@@ -1,5 +1,3 @@
-// $Id: Var.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef var_h
diff --git a/src/X509.cc b/src/X509.cc
index 783bccdad1..55b6b78f04 100644
--- a/src/X509.cc
+++ b/src/X509.cc
@@ -1,5 +1,3 @@
-// $Id: X509.cc 6724 2009-06-07 09:23:03Z vern $
- #include #include "X509.h"
diff --git a/src/XDR.cc b/src/XDR.cc
index 53e9a4b2dd..96d855ddbd 100644
--- a/src/XDR.cc
+++ b/src/XDR.cc
@@ -1,5 +1,3 @@
-// $Id: XDR.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include
diff --git a/src/XDR.h b/src/XDR.h
index 2c6e1d69ac..65192d6067 100644
--- a/src/XDR.h
+++ b/src/XDR.h
@@ -1,5 +1,3 @@
-// $Id: XDR.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef xdr_h
diff --git a/src/ZIP.cc b/src/ZIP.cc
index 84643c2874..26095d1f11 100644
--- a/src/ZIP.cc
+++ b/src/ZIP.cc
@@ -1,5 +1,3 @@
-// $Id: ZIP.cc,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "ZIP.h"
diff --git a/src/ZIP.h b/src/ZIP.h
index 3debb6c3c8..ab5d2ce68b 100644
--- a/src/ZIP.h
+++ b/src/ZIP.h
@@ -1,5 +1,3 @@
-// $Id: ZIP.h,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef zip_h
diff --git a/src/bif_arg.cc b/src/bif_arg.cc
index 5900c117eb..a4772e4d73 100644
--- a/src/bif_arg.cc
+++ b/src/bif_arg.cc
@@ -1,5 +1,3 @@
-// $Id: bif_arg.cc 3234 2006-06-08 02:38:11Z vern $
- #include "config.h" #include
diff --git a/src/bif_arg.h b/src/bif_arg.h
index 0462f6e173..4ba6fa0c4f 100644
--- a/src/bif_arg.h
+++ b/src/bif_arg.h
@@ -1,5 +1,3 @@
-// $Id: bif_arg.h 3234 2006-06-08 02:38:11Z vern $
- #ifndef bif_arg_h #define bif_arg_h
diff --git a/src/bif_type.def b/src/bif_type.def
index e9bf22eafc..4e206ceea2 100644
--- a/src/bif_type.def
+++ b/src/bif_type.def
@@ -1,5 +1,3 @@
-// $Id: bif_type.def 5083 2007-11-28 17:42:58Z vern $
- // DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "addr_type", "%s->AsAddr()", "new AddrVal(%s)")
diff --git a/src/binpac-lib.pac b/src/binpac-lib.pac
index 4e95a1a3db..2c501d90a4 100644
--- a/src/binpac-lib.pac
+++ b/src/binpac-lib.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include
diff --git a/src/binpac.pac b/src/binpac.pac
index 8704fb5a61..ae601ce6b9 100644
--- a/src/binpac.pac
+++ b/src/binpac.pac
@@ -1,5 +1,3 @@
-# $Id:$
- # Prototypes for functions implemented in binpac-lib.pac. function bytestring_to_int(s: const_bytestring, base: int): int;
diff --git a/src/binpac_bro-lib.pac b/src/binpac_bro-lib.pac
index 20648e2d4f..c7cee6dc98 100644
--- a/src/binpac_bro-lib.pac
+++ b/src/binpac_bro-lib.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include "util.h" %}
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index ffeb4ff28d..dcdbe94f57 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@@ -1,5 +1,3 @@
-// $Id:$
- #ifndef binpac_bro_h #define binpac_bro_h
diff --git a/src/bittorrent-analyzer.pac b/src/bittorrent-analyzer.pac
index 7e8678b7de..ee7a70ea21 100644
--- a/src/bittorrent-analyzer.pac
+++ b/src/bittorrent-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
-# # This code contributed by Nadi Sarrar. connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) {
diff --git a/src/bittorrent-protocol.pac b/src/bittorrent-protocol.pac
index 8bd1652cfa..d3a147f157 100644
--- a/src/bittorrent-protocol.pac
+++ b/src/bittorrent-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
-# # This code contributed by Nadi Sarrar. enum BitTorrent_peer_msg_type {
diff --git a/src/bro.bif b/src/bro.bif
index 5629805ec5..03ed17a449 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1,5 +1,3 @@
-# $Id: bro.bif 7075 2010-09-13 02:39:38Z vern $
-# # Definitions of Bro built-in functions. %%{ // C segment
diff --git a/src/bro.pac b/src/bro.pac
index 169f7c27ef..b622041c12 100644
--- a/src/bro.pac
+++ b/src/bro.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include "binpac_bro.h" %}
diff --git a/src/bsd-getopt-long.c b/src/bsd-getopt-long.c
index 5b3cc093b0..7ecb064fc8 100644
--- a/src/bsd-getopt-long.c
+++ b/src/bsd-getopt-long.c
@@ -1,5 +1,3 @@
-/* $Id: bsd-getopt-long.c 1362 2005-09-12 19:49:08Z vern $ */
- /* $OpenBSD: getopt_long.c,v 1.17 2004/06/03 18:46:52 millert Exp $ */ /* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */
diff --git a/src/bsd-getopt-long.h b/src/bsd-getopt-long.h
index e2c381f3b7..c94589afaa 100644
--- a/src/bsd-getopt-long.h
+++ b/src/bsd-getopt-long.h
@@ -1,5 +1,3 @@
-/* $Id: bsd-getopt-long.h 1361 2005-09-12 19:48:26Z vern $ */
- /* $OpenBSD: getopt_long.c,v 1.13 2003/06/03 01:52:40 millert Exp $ */ /* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */
diff --git a/src/builtin-func.l b/src/builtin-func.l
index 9e69adc69d..1d61f31734 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -1,6 +1,4 @@ %{
-// $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $
- #include #include #include "bif_arg.h"
diff --git a/src/const.bif b/src/const.bif
index 825c21e7a5..96630e300b 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -1,5 +1,3 @@
-# $Id: const.bif 3929 2007-01-14 00:37:59Z vern $
- # Documentation and default values for these are located in policy/bro.init. const ignore_keep_alive_rexmit: bool;
diff --git a/src/cq.c b/src/cq.c
index b669dabd35..c5405e526a 100644
--- a/src/cq.c
+++ b/src/cq.c
@@ -2,11 +2,6 @@ * See the file "COPYING" in the main distribution directory for copyright. */
-#ifndef lint
-static const char rcsid[] =
-"@(#) $Id: cq.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
-#endif
- #include #include
diff --git a/src/cq.h b/src/cq.h
index 38c5204f0c..540cccde74 100644
--- a/src/cq.h
+++ b/src/cq.h
@@ -1,5 +1,3 @@
-/* @(#) $Id: cq.h 80 2004-07-14 20:15:50Z jason $ (LBL) */
- struct cq_handle *cq_init(double, double); void cq_destroy(struct cq_handle *); int cq_enqueue(struct cq_handle *, double, void *);
diff --git a/src/dce_rpc-analyzer.pac b/src/dce_rpc-analyzer.pac
index 353c9f3795..ddc99abd8e 100644
--- a/src/dce_rpc-analyzer.pac
+++ b/src/dce_rpc-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
- # DCE/RPC protocol data unit. type DCE_RPC_PDU = record {
diff --git a/src/dce_rpc-protocol.pac b/src/dce_rpc-protocol.pac
index 77c7aaff62..a7bfcb5368 100644
--- a/src/dce_rpc-protocol.pac
+++ b/src/dce_rpc-protocol.pac
@@ -1,5 +1,3 @@
-# $Id: dce_rpc-protocol.pac,v 1.1.4.2 2006/06/02 15:13:09 rpang Exp $
-# # Definitions for DCE RPC. enum dce_rpc_ptype {
diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac
index 58c2250c26..cbcd0cbdc4 100644
--- a/src/dce_rpc.pac
+++ b/src/dce_rpc.pac
@@ -1,5 +1,3 @@
-# $Id: dce_rpc.pac 4608 2007-07-05 18:23:58Z vern $
- %include binpac.pac %include bro.pac
diff --git a/src/dce_rpc_simple.pac b/src/dce_rpc_simple.pac
index ff495a2e2b..f31c2a078b 100644
--- a/src/dce_rpc_simple.pac
+++ b/src/dce_rpc_simple.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %include bro.pac analyzer DCE_RPC_Simple withcontext {};
diff --git a/src/dhcp-analyzer.pac b/src/dhcp-analyzer.pac
index ef8b888330..a9f1c6bab0 100644
--- a/src/dhcp-analyzer.pac
+++ b/src/dhcp-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
- connection DHCP_Conn(bro_analyzer: BroAnalyzer) { upflow = DHCP_Flow(true); downflow = DHCP_Flow(false);
diff --git a/src/dhcp-protocol.pac b/src/dhcp-protocol.pac
index 46cceb56c6..d77780b1b3 100644
--- a/src/dhcp-protocol.pac
+++ b/src/dhcp-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
- # DHCP Message Type according to RFC 1533. # Refer to RFC 2131 for op types.
diff --git a/src/dhcp.pac b/src/dhcp.pac
index 852433a410..9e9d7755a4 100644
--- a/src/dhcp.pac
+++ b/src/dhcp.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %include bro.pac analyzer DHCP withcontext {
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac
index 72bda3165f..0c2dc1b491 100644
--- a/src/dns-analyzer.pac
+++ b/src/dns-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include %}
diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac
index d5b8036e11..fbeb9d0fa3 100644
--- a/src/dns-protocol.pac
+++ b/src/dns-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
- enum DNS_answer_type { DNS_QUESTION, DNS_ANSWER,
diff --git a/src/dns.pac b/src/dns.pac
index dc5ca586f8..aeffdf0bc7 100644
--- a/src/dns.pac
+++ b/src/dns.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %include bro.pac analyzer DNS withcontext {
diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac
index f2c7f5f523..d31ff58c6e 100644
--- a/src/dns_tcp.pac
+++ b/src/dns_tcp.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include "dns_pac.h" // for DNS_Conn %}
diff --git a/src/epmapper.pac b/src/epmapper.pac
index c9eea3c139..7fbaf47418 100644
--- a/src/epmapper.pac
+++ b/src/epmapper.pac
@@ -1,5 +1,3 @@
-# $Id:$
- type epmapper_lookup_req = record { inquiry_type : uint32; # object : uuid_p_t;
diff --git a/src/event.bif b/src/event.bif
index c3c11b6a7e..d953ac78fe 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -1,5 +1,3 @@
-# $Id: event.bif 6942 2009-11-16 03:54:08Z vern $
- event bro_init%(%); event bro_done%(%);
diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac
index c1a4dd7b26..e12be59438 100644
--- a/src/http-analyzer.pac
+++ b/src/http-analyzer.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %extern{ #include
diff --git a/src/http-protocol.pac b/src/http-protocol.pac
index 1c9f4b4c17..e4487a75e3 100644
--- a/src/http-protocol.pac
+++ b/src/http-protocol.pac
@@ -1,5 +1,3 @@
-# $Id:$
- enum ExpectBody { BODY_EXPECTED, BODY_NOT_EXPECTED,
diff --git a/src/http.pac b/src/http.pac
index 217215e998..38e6ad0b5e 100644
--- a/src/http.pac
+++ b/src/http.pac
@@ -1,5 +1,3 @@
-# $Id:$
- %include binpac.pac %include bro.pac
diff --git a/src/input.h b/src/input.h
index 8af7a35445..8fcceb256b 100644
--- a/src/input.h
+++ b/src/input.h
@@ -1,5 +1,3 @@
-// $Id: input.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef input_h
diff --git a/src/main.cc b/src/main.cc
index 139fc802c5..5ec5423ce6 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -1,5 +1,3 @@
-// $Id: main.cc 6829 2009-07-09 09:12:59Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/make_dbg_constants.pl b/src/make_dbg_constants.pl
index d4781dccf6..29efac8050 100644
--- a/src/make_dbg_constants.pl
+++ b/src/make_dbg_constants.pl
@@ -1,5 +1,3 @@
-# $Id: make_dbg_constants.pl 80 2004-07-14 20:15:50Z jason $
-# # Build the DebugCmdConstants.h and DebugCmdInfoConstants.h files from the # DebugCmdInfoConstants.in file. #
diff --git a/src/md5.c b/src/md5.c
index 941c0d37e5..888993b9c4 100644
--- a/src/md5.c
+++ b/src/md5.c
@@ -21,7 +21,6 @@ ghost@aladdin.com */
-/* $Id: md5.c 80 2004-07-14 20:15:50Z jason $ */ /* Independent implementation of MD5 (RFC 1321).
diff --git a/src/md5.h b/src/md5.h
index 8cff20d0af..2806b5b9b5 100644
--- a/src/md5.h
+++ b/src/md5.h
@@ -21,7 +21,6 @@ ghost@aladdin.com */
-/* $Id: md5.h 80 2004-07-14 20:15:50Z jason $ */ /* Independent implementation of MD5 (RFC 1321).
diff --git a/src/nb_dns.c b/src/nb_dns.c
index 225eb984cf..6f42004dd0 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -1,10 +1,6 @@ /* * See the file "COPYING" in the main distribution directory for copyright. */
-#ifndef lint
-static const char rcsid[] =
-"@(#) $Id: nb_dns.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
-#endif /* * nb_dns - non-blocking dns routines *
diff --git a/src/nb_dns.h b/src/nb_dns.h
index 5787a3fdb0..d458f61716 100644
--- a/src/nb_dns.h
+++ b/src/nb_dns.h
@@ -1,5 +1,4 @@
-/* @(#) $Id: nb_dns.h 6219 2008-10-01 05:39:07Z vern $ (LBL)
- *
+/* * See the file "COPYING" in the main distribution directory for copyright. */
diff --git a/src/ncp.pac b/src/ncp.pac
index 8a3fcf1478..86b8bca5da 100644
--- a/src/ncp.pac
+++ b/src/ncp.pac
@@ -1,5 +1,3 @@
-# $Id: ncp.pac 4608 2007-07-05 18:23:58Z vern $
-# # Netware Core Protocol %include bro.pac
diff --git a/src/net_util.cc b/src/net_util.cc
index d7dc3f4add..f1cb760f64 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -1,5 +1,3 @@
-// $Id: net_util.cc 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h"
diff --git a/src/net_util.h b/src/net_util.h
index 25b6b293fc..28abf4dbcb 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -1,5 +1,3 @@
-// $Id: net_util.h 6219 2008-10-01 05:39:07Z vern $
-// // See the file "COPYING" in the main distribution directory for copyright. #ifndef netutil_h
diff --git a/src/netflow-analyzer.pac b/src/netflow-analyzer.pac
index 68de4d4a4e..e89a0181a2 100644
--- a/src/netflow-analyzer.pac
+++ b/src/netflow-analyzer.pac
@@ -1,4 +1,3 @@
-# $Id:$ # Code written by Bernhard Ager (2007). analyzer NetFlow withcontext {
diff --git a/src/netflow-protocol.pac b/src/netflow-protocol.pac
index 7d106aed34..6b97b7cee6 100644
--- a/src/netflow-protocol.pac
+++ b/src/netflow-protocol.pac
@@ -1,4 +1,3 @@
-# $Id:$ # Code written by Bernhard Ager (2007). type NetFlowPacket = record {
diff --git a/src/netflow.pac b/src/netflow.pac
index 8484d5fd11..91040aadeb 100644
--- a/src/netflow.pac
+++ b/src/netflow.pac
@@ -1,4 +1,3 @@
-# $Id:$ # Code written by Bernhard Ager (2007). %extern{
diff --git a/src/parse.y b/src/parse.y
index 2410358f81..dcae74a80c 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -1,5 +1,4 @@ %{
-// $Id: parse.in 6688 2009-04-16 22:44:55Z vern $ // See the file "COPYING" in the main distribution directory for copyright. %}
diff --git a/src/patricia.c b/src/patricia.c
index 8e40cb5ef6..ef9c008f4b 100644
--- a/src/patricia.c
+++ b/src/patricia.c
@@ -1,5 +1,4 @@ /*
- * $Id: patricia.c 80 2004-07-14 20:15:50Z jason $ * Dave Plonka * * This product includes software developed by the University of Michigan,
diff --git a/src/patricia.h b/src/patricia.h
index 0118679331..4bc2f9b81f 100644
--- a/src/patricia.h
+++ b/src/patricia.h
@@ -1,5 +1,4 @@ /* - * $Id: patricia.h 967 2005-01-03 07:19:06Z vern $ * Dave Plonka * * This product includes software developed by the University of Michigan, diff --git a/src/re-parse.y b/src/re-parse.y index 26c8ab6716..3847c06f29 100644 --- a/src/re-parse.y +++ b/src/re-parse.y @@ -1,8 +1,6 @@ // parse.y - parser for flex input %{ -// $Id: re-parse.y 5857 2008-06-26 23:00:03Z vern $ - #include #include "CCL.h" diff --git a/src/re-scan.l b/src/re-scan.l index fbd85899a4..0d737f08a6 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -5,8 +5,6 @@ */ %{ -// $Id: re-scan.l 6219 2008-10-01 05:39:07Z vern $ - #include "CCL.h" #include "NFA.h" #include "util.h" diff --git a/src/rule-parse.y b/src/rule-parse.y index 73c04a72ab..c8770c3e22 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y @@ -1,6 +1,4 @@ %{ -/* $Id: rule-parse.y 5988 2008-07-19 07:02:12Z vern $ */ - #include #include "RuleMatcher.h" #include "Reporter.h" diff --git a/src/rule-scan.l b/src/rule-scan.l index 0c444543b2..1ba9bed1de 100644 --- a/src/rule-scan.l +++ b/src/rule-scan.l @@ -1,5 +1,3 @@ -/* $Id: rule-scan.l 6914 2009-09-22 00:35:24Z vern $ */ - %{ typedef unsigned int uint32; diff --git a/src/scan.l b/src/scan.l index a6f6d14593..2b1d86929a 100644 --- a/src/scan.l +++ b/src/scan.l @@ -1,4 +1,3 @@ -/* $Id: scan.l 6510 2009-01-08 14:51:04Z vern $ */ %{ // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/setsignal.c b/src/setsignal.c index f5263bb06d..b49f0784e9 100644 --- a/src/setsignal.c +++ b/src/setsignal.c @@ -2,11 +2,6 @@ * See the file "COPYING" in the main distribution directory for copyright. */ -#ifndef lint -static const char rcsid[] = - "@(#) $Id: setsignal.c 6219 2008-10-01 05:39:07Z vern $ (LBL)"; -#endif - #include "config.h" /* must appear before first ifdef */ #include diff --git a/src/setsignal.h b/src/setsignal.h index 8bacdca8db..b768ed031f 100644 --- a/src/setsignal.h +++ b/src/setsignal.h 
@@ -1,7 +1,6 @@ /* * See the file "COPYING" in the main distribution directory for copyright. * - * @(#) $Id: setsignal.h 6219 2008-10-01 05:39:07Z vern $ (LBL) */ #ifndef setsignal_h #define setsignal_h diff --git a/src/smb-protocol.pac b/src/smb-protocol.pac index b00613f16c..585edfacd6 100644 --- a/src/smb-protocol.pac +++ b/src/smb-protocol.pac @@ -1,5 +1,3 @@ -# $Id$ -# # CIFS/SMB # TODO: diff --git a/src/smb.pac b/src/smb.pac index 4bd2c34bc5..740ad47991 100644 --- a/src/smb.pac +++ b/src/smb.pac @@ -1,5 +1,3 @@ -# $Id: smb.pac 3929 2007-01-14 00:37:59Z vern $ - %include binpac.pac %include bro.pac diff --git a/src/ssl-defs.pac b/src/ssl-defs.pac index 6a4a91bb36..31d90338f5 100644 --- a/src/ssl-defs.pac +++ b/src/ssl-defs.pac @@ -1,5 +1,3 @@ -# $Id:$ - # Some common definitions for the SSL and SSL record-layer analyzers. %extern{ diff --git a/src/ssl.pac b/src/ssl.pac index 82dd0246c4..25aed7a66f 100644 --- a/src/ssl.pac +++ b/src/ssl.pac @@ -1,5 +1,3 @@ -# $Id:$ - # binpac file for SSL analyzer # split in three parts: diff --git a/src/strings.bif b/src/strings.bif index d13de8accb..3945569f15 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -1,5 +1,3 @@ -# $Id: strings.bif 6920 2009-10-03 20:47:25Z vern $ -# # Definitions of Bro built-in functions related to strings. diff --git a/src/util.cc b/src/util.cc index 8305bf9f9f..054eb5b06c 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1,5 +1,3 @@ -// $Id: util.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/util.h b/src/util.h index f74440bdb0..132aac4eac 100644 --- a/src/util.h +++ b/src/util.h @@ -1,5 +1,3 @@ -// $Id: util.h 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef util_h
