Make Syslog analyzer accept messages that omit Priority

Essentially, it will now process/parse priority values if they are there, or else just accept whatever remaining data/text is there as the syslog message. Reasoning is that there's syslog producers out there that may have simply forgotten/neglected to send the priority value and technically won't conform to what the standard says, though we can infer the intent (some syslog consumers already may do similarly, but I didn't verify).
2025-10-09 18:18:19 +00:00 · 2019-03-14 18:47:32 -07:00 · 2019-03-14 18:47:32 -07:00 · be7110f6c0
commit be7110f6c0
parent 158313875c
7 changed files with 55 additions and 13 deletions
--- a/src/analyzer/protocol/syslog/syslog-analyzer.pac
+++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac
@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer)

 flow Syslog_Flow
 {
-	datagram = Syslog_Message withcontext(connection, this);
+	datagram = Syslog_Message_Optional_PRI withcontext(connection, this);

 	function process_syslog_message(m: Syslog_Message): bool
 		%{
-		BifEvent::generate_syslog_message(connection()->bro_analyzer(),
-		                                  connection()->bro_analyzer()->Conn(),
-		                                  ${m.PRI.facility},
-		                                  ${m.PRI.severity},
-		                                  new StringVal(${m.msg}.length(), (const char*) ${m.msg}.begin())
-		                                  );
+		if ( ${m.has_pri} )
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
+			    connection()->bro_analyzer()->Conn(),
+			    ${m.PRI.facility},
+			    ${m.PRI.severity},
+			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+			    );
+		else
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
+			    connection()->bro_analyzer()->Conn(),
+			    999,
+			    999,
+			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+			    );
+
 		return true;
 		%}

--- a/src/analyzer/protocol/syslog/syslog-protocol.pac
+++ b/src/analyzer/protocol/syslog/syslog-protocol.pac
@ -1,12 +1,27 @@
-type Syslog_Message = record {
-	PRI: Syslog_Priority;
+type Syslog_Message_Optional_PRI = record {
+	lt:       uint8;
+	after_lt: bytestring &restofdata &transient;
+}
+&byteorder = littleendian
+&exportsourcedata
+&let {
+	standard:    Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<'
+	nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60);
+};
+
+type Syslog_Message(has_pri: bool) = record {
+	opt_pri: case has_pri of {
+		true  -> PRI: Syslog_Priority;
+		false -> nothing: empty;
+	};
+
 	msg: bytestring &restofdata;
 } &byteorder = littleendian;

 type Syslog_Priority = record {
-	lt    : uint8; # &check(lt == 60); # '<'
+	lt    : uint8 &enforce(lt == 60); # '<'
 	val   : RE/[[:digit:]]+/;
-	gt    : uint8; # &check(gt == 62); # '>'
+	gt    : uint8 &enforce(gt == 62); # '>'
 } &let {
 	val_length: int = sizeof(val) - 1;
 	int_val: int = bytestring_to_int(val, 10);