diff --git a/doc/broids/index.rst b/doc/broids/index.rst index 7f4c45623d..0c94c914c1 100644 --- a/doc/broids/index.rst +++ b/doc/broids/index.rst @@ -24,7 +24,7 @@ rejected usernames and passwords occurring from a single address. We start by defining a threshold for the number of attempts, a monitoring interval (in minutes), and a new notice type. -.. code-block:: bro +.. code:: bro :caption: detect-bruteforcing.bro module FTP; @@ -53,7 +53,7 @@ function to break down the reply code and check if the first digit is a "5" or not. If true, we then use the :ref:`Summary Statistics Framework ` to keep track of the number of failed attempts. -.. code-block:: bro +.. code:: bro :caption: detect-bruteforcing.bro event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) @@ -70,7 +70,7 @@ Next, we use the SumStats framework to raise a notice of the attack when the number of failed attempts exceeds the specified threshold during the measuring interval. -.. code-block:: bro +.. code:: bro :caption: detect-bruteforcing.bro event bro_init() @@ -99,7 +99,7 @@ measuring interval. Below is the final code for our script. -.. code-block:: bro +.. code:: bro :caption: detect-bruteforcing.bro ##! FTP brute-forcing detector, triggering when too many rejected usernames or @@ -163,7 +163,7 @@ Below is the final code for our script. } } -.. code-block:: console +.. console:: $ bro -r ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro $ cat notice.log diff --git a/doc/frameworks/file-analysis.rst b/doc/frameworks/file-analysis.rst index 855d51858a..4b551497a7 100644 --- a/doc/frameworks/file-analysis.rst +++ b/doc/frameworks/file-analysis.rst @@ -41,7 +41,7 @@ Here's a simple example: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/get.trace file_analysis_01.bro file_state_remove @@ -88,7 +88,7 @@ calculate the MD5 of plain text files: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/get.trace file_analysis_02.bro new file, FakNcS1Jfe01uljb3 @@ -137,7 +137,7 @@ the input framework uses to uniquely identify an input stream. Example output of the above script may be: -.. code-block:: console +.. console:: $ echo "Hello world" > myfile $ bro file_analysis_03.bro diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst index 309c74418c..0bf6f22368 100644 --- a/doc/frameworks/netcontrol.rst +++ b/doc/frameworks/netcontrol.rst @@ -143,7 +143,7 @@ plugin to print one line to the standard output, which contains information about the rule that was added. It will also cause creation of `netcontrol.log`, which contains information about all actions that are taken by NetControl: -.. code-block:: console +.. console:: $ bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro netcontrol debug (Debug-All): init @@ -179,7 +179,7 @@ additional log called `netcontrol_drop.log`. This log file is much more succinct only contains information that is specific to drops that are enacted by NetControl: -.. code-block:: console +.. console:: $ cat netcontrol_drop.log #separator \x09 @@ -203,7 +203,7 @@ following code automatically blocks a recognized SSH guesser: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro netcontrol debug (Debug-All): init @@ -233,7 +233,7 @@ the :bro:see:`Notice::ACTION_DROP` action of the notice framework: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro netcontrol debug (Debug-All): init @@ -259,7 +259,7 @@ Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also will cause the `dropped` column in `notice.log` to be set to true each time that the NetControl framework enacts a block: -.. code-block:: console +.. console:: $ cat notice.log #separator \x09 @@ -326,7 +326,7 @@ drops all connections on the network: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro netcontrol debug (Debug-All): init @@ -386,7 +386,7 @@ originating from the 192.168.* network: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro netcontrol debug (Debug-All): init @@ -465,7 +465,7 @@ address is already blocked in the second connection. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro netcontrol debug (Debug-All): init @@ -519,7 +519,7 @@ Using catch and release in your scripts is easy; just use :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro netcontrol debug (Debug-All): init @@ -535,7 +535,7 @@ first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc. Catch and release adds its own new logfile in addition to the already existing ones (netcontrol_catch_release.log): -.. code-block:: console +.. console:: $ cat netcontrol_catch_release.log #separator \x09 @@ -664,7 +664,7 @@ plugin. We manually block a few addresses in the :language: bro :linenos: -.. code-block:: console +.. console:: $ bro netcontrol-8-multiple.bro netcontrol debug (Debug-All): init @@ -675,7 +675,7 @@ output to the command line. The other two lines are handled by the OpenFlow plugin. We can verify this by looking at netcontrol.log. The plugin column shows which plugin handled a rule and reveals that two rules were handled by OpenFlow: -.. code-block:: console +.. console:: $ cat netcontrol.log #separator \x09 @@ -702,7 +702,7 @@ which plugin handled a rule and reveals that two rules were handled by OpenFlow: Furthermore, openflow.log also shows the two added rules, converted to OpenFlow flow mods: -.. code-block:: console +.. console:: $ cat openflow.log #separator \x09 @@ -792,7 +792,7 @@ to our very first example: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst index a6b27e92b5..d49bebb7ce 100644 --- a/doc/frameworks/notice.rst +++ b/doc/frameworks/notice.rst @@ -96,7 +96,7 @@ the server at 192.168.56.103: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro $ cat notice.log diff --git a/doc/frameworks/sumstats.rst b/doc/frameworks/sumstats.rst index 79b8eeaad9..6eeddf9490 100644 --- a/doc/frameworks/sumstats.rst +++ b/doc/frameworks/sumstats.rst @@ -81,7 +81,7 @@ inline documentation that does this with the Sumstats framework: When run on a sample PCAP file from the Bro test suite, the following output is created: -.. code-block:: console +.. console:: $ bro -r workshop_2011_browse.trace sumstats-countconns.bro Number of connections established: 6 @@ -103,7 +103,7 @@ real-world functional example, that is left to the Let's see if there are any hosts that crossed the threshold in a PCAP file containing a host running nmap: -.. code-block:: console +.. console:: $ bro -r nmap-vsn.trace sumstats-toy-scan.bro 192.168.1.71 attempted 5 or more connections diff --git a/doc/httpmonitor/index.rst b/doc/httpmonitor/index.rst index 9e8374bf44..9b10cc15bb 100644 --- a/doc/httpmonitor/index.rst +++ b/doc/httpmonitor/index.rst @@ -89,7 +89,7 @@ detect a reply for a ``GET http://`` request. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/proxy.pcap http_proxy_01.bro A local server is acting as an open proxy: 192.168.56.101 @@ -104,7 +104,7 @@ will extend our basic script to also consider the additional codes. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/proxy.pcap http_proxy_02.bro A local server is acting as an open proxy: 192.168.56.101 @@ -117,7 +117,7 @@ network. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/proxy.pcap http_proxy_03.bro A local server is acting as an open proxy: 192.168.56.101 @@ -140,7 +140,7 @@ Below is the complete script. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/proxy.pcap http_proxy_04.bro $ cat notice.log @@ -178,7 +178,7 @@ using the :ref:`File Analysis Framework ` :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r bro.org.pcap file_extraction.bro Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html diff --git a/doc/logs/index.rst b/doc/logs/index.rst index 315549a87a..1de56ded1a 100644 --- a/doc/logs/index.rst +++ b/doc/logs/index.rst @@ -41,7 +41,7 @@ As the fields of the log entries can be further customized by the user, the Logging Framework makes use of a header block to ensure that it remains self-describing. Here's the first few lines of a ``conn.log``. -.. code-block:: console +.. console:: $ cat conn.log #separator \x09 @@ -139,7 +139,7 @@ require the user to refer to fields referenced by their position). For example, the following command extracts just the given columns from a ``conn.log``: -.. code-block:: console +.. console:: $ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration 141.142.220.202 5353 224.0.0.251 - @@ -156,7 +156,7 @@ from a ``conn.log``: The corresponding ``awk`` command will look like this: -.. code-block:: console +.. console:: $ awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log 141.142.220.202 5353 224.0.0.251 5353 - @@ -223,7 +223,7 @@ includes the human readable time stamp, the unique identifier, the HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log`` file: -.. code-block:: console +.. console:: $ bro-cut -d ts uid host uri < http.log 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css @@ -237,7 +237,7 @@ Often times log files from multiple sources are stored in UTC time to allow easy correlation. Converting the timestamp from a log file to UTC can be accomplished with the ``-u`` option: -.. code-block:: console +.. console:: $ bro-cut -u ts uid host uri < http.log 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css @@ -255,7 +255,7 @@ using the ``-D`` and ``-U`` flags, using the standard ``strftime`` syntax. For example, to format the timestamp in the US-typical "Middle Endian" you could use a format string of: ``%d-%m-%YT%H:%M:%S%z`` -.. code-block:: console +.. console:: $ bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log 18-03-2011T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css @@ -285,7 +285,7 @@ largest number of bytes from the responder by redirecting the output for ``cat conn.log`` into bro-cut to extract the UID and the resp_bytes, then sorting that output by the resp_bytes field. -.. code-block:: console +.. console:: $ cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5 CwjjYJ2WqgTbAqiHl6 734 @@ -297,7 +297,7 @@ resp_bytes, then sorting that output by the resp_bytes field. Taking the UID of the first of the top responses, we can now crossreference that with the UIDs in the ``http.log`` file. -.. code-block:: console +.. console:: $ cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11 CUM0KZ3MLUfNB0cl11 208.80.152.118 GET 304 bits.wikimedia.org /skins-1.5/monobook/main.css diff --git a/doc/mimestats/index.rst b/doc/mimestats/index.rst index 928cefe871..6a0f95c75a 100644 --- a/doc/mimestats/index.rst +++ b/doc/mimestats/index.rst @@ -81,7 +81,7 @@ final code for our script. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r http/bro.org.pcap mimestats.bro #separator \x09 diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index e6fe82c850..a6f17da0d5 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -260,7 +260,7 @@ In ``local.bro``, let's define a new ``policy`` hook handler body: :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -r tls/tls-expired-cert.trace conditional-notice.bro $ cat notice.log diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index a3e59b45c7..a4c73e81bc 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -41,7 +41,7 @@ script :doc:`/scripts/policy/frameworks/files/detect-MHR.bro` that is responsible for generating the appropriate DNS lookup, parsing the response, and generating a notice if appropriate. -.. code-block:: bro +.. code:: bro :caption: detect-MHR.bro ##! Detect file downloads that have hash values matching files in Team @@ -126,7 +126,7 @@ specific event (``event file_hash``). Don't get discouraged if you don't understand every section of the script; we'll cover the basics of the script and much more in following sections. -.. code-block:: bro +.. code:: bro :caption: detect-MHR.bro @load base/frameworks/files @@ -145,7 +145,7 @@ this level of granularity might not be entirely necessary. The ``@load`` direct are ensuring the Files framework, the Notice framework and the script to hash all files has been loaded by Bro. -.. code-block:: bro +.. code:: bro :caption: detect-MHR.bro export { @@ -196,7 +196,7 @@ Up until this point, the script has merely done some basic setup. With the next section, the script starts to define instructions to take in a given event. -.. code-block:: bro +.. code:: bro :caption: detect-MHR.bro function do_mhr_lookup(hash: string, fi: Notice::FileInfo) @@ -324,7 +324,7 @@ This effort resulted in built-in-function files organized such that each entry contains a descriptive event name, the arguments passed to the event, and a concise explanation of the functions use. -.. code-block:: bro +.. code:: bro ## Generated for DNS requests. For requests with multiple queries, this event ## is raised once for each. @@ -413,7 +413,7 @@ more layers of information about a connection. This will give us a chance to see the contents of the connection record without it being overly populated. -.. code-block:: console +.. console:: $ bro -b -r http/get.trace connection_record_01.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ @@ -449,7 +449,7 @@ brackets, which would correspond to the ``$``-delimiter in a Bro script. :language: bro :linenos: -.. code-block:: console +.. console:: $bro -b -r http/get.trace connection_record_02.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ @@ -562,7 +562,7 @@ would fail. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -b data_type_const.bro { @@ -711,7 +711,7 @@ You can see the full script and its output below. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro data_struct_set_declaration.bro SSL Port: 22/tcp @@ -735,7 +735,7 @@ to preserve a one-to-one mapping of keys to values. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro data_struct_table_declaration.bro Service Name: SSH - Common Port: 22/tcp @@ -771,7 +771,7 @@ security platform. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -b data_struct_table_complex.bro Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai @@ -824,7 +824,7 @@ lengths. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro data_struct_vector_declaration.bro contents of v1: [1, 2, 3, 4] @@ -846,7 +846,7 @@ current item in the vector with ``addr_vector[i]``. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro -b data_struct_vector_iter.bro 1.2.0.0/18 @@ -923,7 +923,7 @@ For example, ``10.0.0.1 in 10.0.0.0/8`` would return true while script, we get the output listing the IP address and the subnet in which it belongs. -.. code-block:: console +.. console:: $ bro data_type_subnets.bro 172.16.4.56 belongs to subnet 172.16.0.0/20 @@ -959,7 +959,7 @@ produce a common date time formatted time stamp. When the script is executed we get an output showing the details of established connections. -.. code-block:: console +.. console:: $ bro -r wikipedia.trace data_type_time.bro 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118\x0a @@ -1009,7 +1009,7 @@ This time, when we execute the script we see an additional line in the output to display the time delta since the last fully established connection. -.. code-block:: console +.. console:: $ bro -r wikipedia.trace data_type_interval.bro 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118 @@ -1064,7 +1064,7 @@ excluding the actual matches. In this case, our pattern matches twice, and results in a table with three entries. The ``print`` statements in the script will print the contents of the table in order. -.. code-block:: console +.. console:: $ bro data_type_pattern_01.bro The @@ -1081,7 +1081,7 @@ on the result of the comparison between the pattern and the string. .. literalinclude:: data_type_pattern_02.bro -.. code-block:: console +.. console:: $ bro data_type_pattern_02.bro equality and /^?(equal)$?/ are not equal @@ -1126,7 +1126,7 @@ field is unique. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro data_struct_record_01.bro Service: dns(RFC1035) @@ -1153,7 +1153,7 @@ record. .. literalinclude:: data_struct_record_02.bro -.. code-block:: console +.. console:: $ bro data_struct_record_02.bro System: morlock @@ -1173,7 +1173,7 @@ It's also common to see a ``type`` used to simply alias a data structure to a more descriptive name. The example below shows an example of this from Bro's own type definitions file. -.. code-block:: bro +.. code:: bro :caption: init-bare.bro type string_array: table[count] of string; @@ -1240,7 +1240,7 @@ into the Logging Framework. :language: bro :linenos: -.. code-block:: console +.. console:: $ bro framework_logging_factorial_01.bro 1 @@ -1297,7 +1297,7 @@ Now, if we run this script, instead of generating logging information to stdout, no output is created. Instead the output is all in ``factor.log``, properly formatted and organized. -.. code-block:: console +.. console:: $ bro framework_logging_factorial_02.bro $ cat factor.log @@ -1371,7 +1371,7 @@ factorials that are a factors of 5, ``factor-non5.log`` with the factorials that are not factors of 5, and ``factor.log`` which would have included all factorials. -.. code-block:: console +.. console:: $ bro framework_logging_factorial_03.bro $ cat factor-mod5.log @@ -1473,7 +1473,7 @@ or not that notice is acted upon is decided by the local Notice Policy, but the script attempts to supply as much information as possible while staying concise. -.. code-block:: bro +.. code:: bro :caption: scripts/policy/protocols/ssh/interesting-hostnames.bro ##! This script will generate a notice if an apparent SSH login originates @@ -1604,7 +1604,7 @@ identifier. An identifier is a unique string of information collected from the connection relative to the behavior that has been observed by Bro. -.. code-block:: bro +.. code:: bro :caption: scripts/policy/protocols/ssl/expiring-certs.bro NOTICE([$note=Certificate_Expires_Soon,