Updating baselines for doc changes.

2025-10-02 06:38:20 +00:00 · 2013-09-20 14:38:15 -07:00 · 2013-09-20 14:38:15 -07:00 · d070b01828
commit d070b01828
parent 589a0239be
6 changed files with 41 additions and 32 deletions
--- a/2
+++ b/2
@ -1,5 +1,5 @@

-2.1-1376 | 2013-09-20 14:18:30 -0700
+2.1-1377 | 2013-09-20 14:38:15 -0700

  * Updates to the scripting introduction. (Scott Runnels)

--- a/2
+++ b/2
@ -1 +1 @@
-2.1-1376
+2.1-1377
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
@ -2,24 +2,20 @@

 -- event.bif.bro

+## Generated for every new connection. This event is raised with the first
+## packet of a previously unknown connection. Bro uses a flow-based definition
+## of "connection" here that includes not only TCP sessions but also UDP and
+## ICMP flows.
+global new_connection: event(c: connection );
+## Generated when a TCP connection timed out. This event is raised when
+## no activity was seen for an interval of at least
+## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## closed the connection or one side never became active.
+global connection_timeout: event(c: connection );
+## Generated when a connection's internal state is about to be removed from
+## memory. Bro generates this event reliably once for every connection when it
+## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
 ## flows.
-##
-##
-global connection_external: event(c: connection , tag: string );
-
-
-## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
-## Generated when a connection is seen that is marked as being expected.
-
-
-global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
-##    their specifics differ slightly. Often, however, both will be raised for
-##    the same connection if some of its data is missing. We should eventually
-##    merge the two.
-global ack_above_hole: event(c: connection );
-
-
-##
+global connection_state_remove: event(c: connection );
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
@ -2,8 +2,6 @@

 -- detect-MHR.bro

-
-module TeamCymruMalwareHashRegistry;
-
-export {
-	redef enum Notice::Type += {
+@load base/frameworks/files
+@load base/frameworks/notice
+@load frameworks/files/hash-all-files
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
@ -2,6 +2,8 @@

 -- detect-MHR.bro

+export {
+	redef enum Notice::Type += {
 		## The hash value of a file transferred over HTTP matched in the
 		## malware hash registry.
 		Match
@ -15,3 +17,10 @@
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;
+
+	## The malware hash registry runs each malware sample through several A/V engines.
+	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
+	## sample as malicious. This threshold allows you to require a minimum detection
+	## rate.
+	const notice_threshold = 10 &redef;
+}
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
@ -2,13 +2,6 @@

 -- detect-MHR.bro

-	## The malware hash registry runs each malware sample through several A/V engines.
-	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
-	## sample as malicious. This threshold allows you to require a minimum detection
-	## rate.
-	const notice_threshold = 10 &redef;
-}
-
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
 	if ( kind=="sha1" && match_file_types in f$mime_type )
@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
 			if ( |MHR_answer| == 2 )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local mhr_detect_rate = to_count(MHR_answer[2]);
+
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+				if ( mhr_detect_rate >= notice_threshold )
+					{
+					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+					}
+				}
+			}
+		}
+	}
 @ -1 +1 @@
 .1-1376
 .1-1377