Make Syslog analyzer accept messages that omit Priority

Essentially, it will now process/parse priority values if they are
there, or else just accept whatever remaining data/text is there as the
syslog message.  Reasoning is that there's syslog producers out there
that may have simply forgotten/neglected to send the priority value
and technically won't conform to what the standard says, though we can
infer the intent (some syslog consumers already may do similarly, but
I didn't verify).

doc

@@ -1 +1 @@
-Subproject commit 5849f875ea6cae038d4881eba326256202e711be
+Subproject commit 11db899c89686d551b539c069b4d2aec2ffd49c9

scripts/base/protocols/syslog/consts.bro

@@ -29,6 +29,7 @@ export {
 		[21] =  "LOCAL5",
 		[22] =  "LOCAL6",
 		[23] =  "LOCAL7",
+		[999] = "UNSPECIFIED",
 	} &default=function(c: count): string { return fmt("?-%d", c); };
 	
 	## Mapping between the constants and string values for syslog severities.
@@ -41,5 +42,6 @@ export {
 		[5] = "NOTICE",
 		[6] = "INFO",
 		[7] = "DEBUG",
+		[999] = "UNSPECIFIED",
 	} &default=function(c: count): string { return fmt("?-%d", c); };
 }

src/analyzer/protocol/syslog/syslog-analyzer.pac

@@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer)
 
 flow Syslog_Flow
 {
-	datagram = Syslog_Message withcontext(connection, this);
+	datagram = Syslog_Message_Optional_PRI withcontext(connection, this);
 
 	function process_syslog_message(m: Syslog_Message): bool
 		%{
-		BifEvent::generate_syslog_message(connection()->bro_analyzer(),
+		if ( ${m.has_pri} )
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
 			    connection()->bro_analyzer()->Conn(),
 			    ${m.PRI.facility},
 			    ${m.PRI.severity},
 			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
 			    );
+		else
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
+			    connection()->bro_analyzer()->Conn(),
+			    999,
+			    999,
+			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+			    );
+
 		return true;
 		%}
 

src/analyzer/protocol/syslog/syslog-protocol.pac

@@ -1,12 +1,27 @@
-type Syslog_Message = record {
-	PRI: Syslog_Priority;
+type Syslog_Message_Optional_PRI = record {
+	lt:       uint8;
+	after_lt: bytestring &restofdata &transient;
+}
+&byteorder = littleendian
+&exportsourcedata
+&let {
+	standard:    Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<'
+	nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60);
+};
+
+type Syslog_Message(has_pri: bool) = record {
+	opt_pri: case has_pri of {
+		true  -> PRI: Syslog_Priority;
+		false -> nothing: empty;
+	};
+
 	msg: bytestring &restofdata;
 } &byteorder = littleendian;
 
 type Syslog_Priority = record {
-	lt    : uint8; # &check(lt == 60); # '<'
+	lt    : uint8 &enforce(lt == 60); # '<'
 	val   : RE/[[:digit:]]+/;
-	gt    : uint8; # &check(gt == 62); # '>'
+	gt    : uint8 &enforce(gt == 62); # '>'
 } &let {
 	val_length: int = sizeof(val) - 1;
 	int_val: int = bytestring_to_int(val, 10);

testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	syslog
+#open	2019-03-15-01-41-39
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	facility	severity	message
+#types	time	string	addr	port	addr	port	enum	string	string	string
+1552584410.781231	CHhAvVGS1DHFjwGM9	192.168.2.118	60786	192.168.2.21	514	udp	UNSPECIFIED	UNSPECIFIED	This is not really a syslog message #173538 1552584410.781186
+#close	2019-03-15-01-41-39

testing/btest/scripts/base/protocols/syslog/missing-pri.bro

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/syslog-missing-pri.trace %INPUT
+# @TEST-EXEC: btest-diff syslog.log
+
+@load base/protocols/syslog