diff --git a/.gitmodules b/.gitmodules
index 12e758c23a..95053091cf 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,6 @@
 [submodule "aux/btest"]
 path = aux/btest
 url = git://git.bro-ids.org/btest
+[submodule "cmake"]
+ path = cmake
+ url = git://git.bro-ids.org/cmake
diff --git a/CHANGES b/CHANGES
index fe93a096e4..c181fd6c1b 100644
--- a/CHANGES
+++ b/CHANGES
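Review bot: The new `cmake` submodule is fetched over `git://`, a transport with no server authentication or encryption, and unlike the `aux/` submodules its contents are executed at configure time by the superproject (`include(cmake/CommonCMakeConfig.cmake)` in CMakeLists.txt in this same commit). The gitlink pin in the `cmake` entry of this commit gives integrity for the exact commit that gets checked out, so the practical gap is operational: a fresh clone that never runs `git submodule update --init` fails inside `cmake` with a generic include error, and the INSTALL hunk in this commit (`./configure`, `make`, `make install`) does not mention the submodule step at all. Add that step to INSTALL, and if git.bro-ids.org also serves the repository over `https://`, prefer that URL here so the build logic is at least fetched over an authenticated transport.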
@@ -1,4 +1,74 @@ +1.6-dev-1261 | 2011-09-15 17:13:55 -0700 + + * Memory leak fixes. Addresses #574 (Jon Siwek) + + * Add configure options for ruby/bindings integration. (Jon Siwek) + + * Fix filter path_func to allow record argument as a subset of + stream's columns. Addresses #600. (Jon Siwek) + + * Log rotation is now controlled directly through Filter records. (Jon Siwek) + + * Fix indexing for record types with optional fields. Addresses #378 + (Jon Siwek) + +1.6-dev-1248 | 2011-09-15 16:01:32 -0700 + + * Removed custom malloc() implementation for FreeBSD. Closes #557. + (Jon Siwek) + + * Testing/external scripts no longer compute MD5 checksums for SMTP + entities. (Robin Sommer) + + * External tests no longer include the full content of mismatching + files in the diagnostics output. (Robin Sommer) + +1.6-dev-1241 | 2011-09-14 22:51:52 -0400 + + * Fixing a major memory utilization issues with SSL analysis. (Seth + Hall) + + * Enhancements to HTTP analysis: (Seth Hall) + + - More options for the header-names.bro script. + + - New script for logging header names and values. Closes #519. + (Seth Hall) + + - HTTP body size measurement added to http.log. + + - The value of the content-length headers has now been removed + in the default output but it could be added back locally at an + installation by a user. + + - Added fields to indicate if some parsing interruption happened + during the body transfer. Closes #581 (Seth Hall) + + * Misc smaller usability and correctness updates: (Seth Hall) + + - Removed an notice definition from the base SSL scripts. + + - Moved a logging stream ID into the export section for known-services + and bumped priority for creating the stream. + + - Adding configuration knobs for the SQL injection attack detection + script and renaming the HTTP::SQL_Injection_Attack notice to + HTTP::SQL_Injection_Attack_Against + + - Bumped priority when creating Known::CERTS_LOG. + + - Fixing a warning from the cluster framework. 
(Seth Hall) + + * Bugfix for log writer, which didn't escape binary stuff in some + situations. Closes #585. (Robin Sommer) + + * A larget set of changes to the testing/external infrastructure. + The traces for external test-suites are no longer kept inside the + repositories themselves but downloaded separately via curl. This + is because git is pretty bad at dealing with large files. See the + README for more information. (Robin Sommer) + 1.6-dev-1221 | 2011-09-08 08:41:17 -0700 * Updates for documentation framework and script docs. (Jon Siwek) @@ -26,7 +96,7 @@ parse Bro log files. (Gilbert Clark) * Potential fix for rotation crashes. Addresses #588. (Robin Sommer) - + * Added PF_RING load balancing support to the scripting layer, enabled by loading the misc/pf-ring-load-balancing script. (Seth Hall) @@ -51,7 +121,7 @@ line option to set it explicitly. Addresses #447. (Jon Siwek) * Various updates to logging framework. (Seth Hall) - + * Changed presentation of enum labels to include namespace. (Jon Siwek) @@ -65,7 +135,7 @@ (Gregor Maier) * Added a Reporter::fatal BIF. (Jon Siwek) - + * Fixes for GeoIP support. Addresses #538. (Jon Siwek) * Fixed excessive memory usage of SSL analyzer on connections with @@ -82,7 +152,7 @@ * Fixed bare-mode @load dependency problems. (Jon Siwek) * Fixed check_for_unused_event_handlers option. (Jon Siwek) - + * Fixing some more bare-mode @load dependency issues (Jon Siwek) * Reorganizing btest/policy directory to match new scripts/ 
@@ -92,18 +162,18 @@ $prefix/share/bro/base. Addresses #545 (Jon Siwek) * Changeed/fixed some cluster script error reporting. (Jon Siwek) - + * Various script normalization. (Jon Siwek) * Add a test that checks each individual script can be loaded in bare-mode. Adressess #545. (Jon Siwek) * Tune when c$conn is set. Addresses #554. (Gregor Maier) - + * Add ConnSize_Analyzer's fields to conn.log. (Gregor Maier) - + * Fixing bug in "interesting hostnames" detection. (Seth Hall) - + * Adding metrics framework intermediate updates. (Seth Hall) 1.6-dev-1120 | 2011-08-19 19:00:15 -0700 @@ -131,7 +201,7 @@ framework updates. (Seth Hall) * Metrics framework now works on cluster setups. (Seth Hall) - + * Reclassifying more DNS manager errors as non-fatal errors. (Robin Sommer) @@ -147,9 +217,9 @@ Siwek) * Workaround for FreeBSD CMake port missing debug flags. (Jon Siwek) - + * piped_exec() can now deal with null bytes. (Seth Hall) - + * Fix vector initialization for lists of records with optional types. Closes #485. (Jon Siwek) @@ -163,19 +233,19 @@ (Jon Siwek) * Fixing reporter's location tracking. Closes #492. (Robin Sommer) - + * Turning DNS errors into warnings. Closes #255. (Robin Sommer) - + * Logging's path_func now receives the log record as argument. Closes #555. (Robin Sommer) - * Functions can now be logged; their full body gets recorded. + * Functions can now be logged; their full body gets recorded. Closes #506. (Robin Sommer) * Bugfix for hostname notice email extension. (Seth Hall) - + * Updates for notice framework. (Seth Hall) - + - New ACTION_ADD_GEODATA to add geodata to notices in an extension field named remote_location. @@ -185,7 +255,7 @@ * Updates to local.bro (Seth Hall) * Added the profiling script. (Seth Hall) - + * Updates for SSH scripts. (Seth Hall) * ConnSize analyzer is turned on by default now. (Seth Hall) 
@@ -196,12 +266,12 @@ * HTTP now uses the extract_filename_from_content_disposition function. (Seth Hall) * Major SMTP script refactor. Closes #509. (Jon Siwek and Seth Hall) - + * New variable Site::local_nets_table in utils/site for mapping address to defined local subnet. * Metrics framework updates, more to come. (Seth Hall) - + 1.6-dev-1061 | 2011-08-08 18:25:27 -0700 diff --git a/CMakeLists.txt b/CMakeLists.txt index 9a18752881..78e9344a4c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -1,43 +1,6 @@
 project(Bro C CXX)
-
-if (NOT CMAKE_C_COMPILER)
- message(FATAL_ERROR "Could not find prerequisite C compiler")
-endif ()
-
-if (NOT CMAKE_CXX_COMPILER)
- message(FATAL_ERROR "Could not find prerequisite C++ compiler")
-endif ()
-
-########################################################################
-## CMake Configuration
 cmake_minimum_required(VERSION 2.6 FATAL_ERROR)
-
-# Prohibit in-source builds.
-if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
- message(FATAL_ERROR "In-source builds are not allowed. Please use "
- "./configure to choose a build directory and "
- "initialize the build configuration.")
-endif ()
-
-set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
-
-if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
- # uninstall target
- configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake/cmake_uninstall.cmake.in"
- "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
- @ONLY)
-
- add_custom_target(uninstall COMMAND
- ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
-endif ()
-
-# Keep RPATH upon installing so that user doesn't have to ensure the linker
-# can find internal/private libraries or libraries external to the build
-# directory that were explicitly linked against
-if (NOT BINARY_PACKAGING_MODE)
- SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
- SET(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
-endif ()
+include(cmake/CommonCMakeConfig.cmake)
 
 ########################################################################
 ## Project/Build Configuration
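Review bot: `include(cmake/CommonCMakeConfig.cmake)` has no guard for an uninitialized `cmake` submodule, so a fresh checkout without `git submodule update --init` fails with CMake's generic "include could not find load file" error instead of a message naming the cause; a three-line check before it makes this actionable: `if (NOT EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/CommonCMakeConfig.cmake)` / `message(FATAL_ERROR "cmake submodule is missing; run 'git submodule update --init'")` / `endif ()`. The removed lines also set `CMAKE_MODULE_PATH`, rejected in-source builds, defined the uninstall target and set the install RPATH; presumably CommonCMakeConfig.cmake now provides all of these (the `include(FindRequiredPackage)` and `include(UserChangedWarning)` later in this file only resolve if the module path is set somewhere), but nothing in this file records that. A one-line comment above the include, such as `# Shared settings (module path, in-source build check, uninstall target, install RPATH) are expected to come from the cmake/ submodule`, would document the dependency for the next maintainer.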
@@ -69,25 +32,9 @@ list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") -set(EXTRA_COMPILE_FLAGS "-Wall -Wno-unused") - -if (ENABLE_DEBUG) - set(CMAKE_BUILD_TYPE Debug) - # manual add of -g works around its omission in FreeBSD's CMake port - set(EXTRA_COMPILE_FLAGS "${EXTRA_COMPILE_FLAGS} -g -DDEBUG") -else () - set(CMAKE_BUILD_TYPE RelWithDebInfo) -endif () - -# Compiler flags may already exist in CMake cache (e.g. when specifying -# CFLAGS environment variable before running cmake for the the first time) -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_COMPILE_FLAGS}") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_COMPILE_FLAGS}") - ######################################################################## ## Dependency Configuration -include(MacDependencyPaths) include(FindRequiredPackage) # Check cache value first to avoid displaying "Found sed" messages everytime @@ -244,16 +191,4 @@ message( "\n================================================================\n" ) -######################################################################## -## Show warning when installing user is different from the one that configured - -install(CODE " - if (NOT $ENV{USER} STREQUAL \$ENV{USER}) - message(STATUS \"ATTENTION: Install is being performed by user \" - \"'\$ENV{USER}', but the build directory was configured by \" - \"user '$ENV{USER}'. This may result in a permissions error \" - \"when writing the install manifest, but you can ignore it \" - \"and consider the installation as successful if you don't \" - \"care about the install manifest.\") - endif () -") +include(UserChangedWarning) diff --git a/INSTALL b/INSTALL index 5f61d0d663..c34e441324 100644 --- a/INSTALL +++ b/INSTALL 
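Review bot: With the `ENABLE_DEBUG`/`CMAKE_BUILD_TYPE` block removed in the first hunk on this line, nothing left in this file selects a build type or adds `-Wall -Wno-unused`, so unless CommonCMakeConfig.cmake (included near the top of the file, outside this hunk) sets `CMAKE_BUILD_TYPE`, a configure without an explicit `-DCMAKE_BUILD_TYPE` falls back to CMake's empty build type and silently loses the `RelWithDebInfo`/`Debug` defaults and the FreeBSD `-g` workaround the removed comment describes. If the submodule does provide these, a short comment at the removal point, e.g. `# Build type, warning flags and ENABLE_DEBUG handling come from cmake/CommonCMakeConfig.cmake`, would make that explicit; if it does not, the default-build-type logic needs to come back. The second hunk on this line has the same dependency: `include(UserChangedWarning)` can only resolve through the module path that the removed `set(CMAKE_MODULE_PATH …)` in the first hunk of this file used to establish, so it is worth confirming the submodule sets it.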
@@ -59,47 +59,50 @@ installation time: Installation ============ -To build and install into /usr/local/bro: +To build and install into ``/usr/local/bro``:: > ./configure - > cd build > make > make install This will perform an out-of-source build into a directory called -build/, using default build options. It then installs the Bro binary -into /usr/local/bro/bin. Depending on the Bro package you -downloaded, there may be auxiliary tools and libraries available in -the aux/ directory. If so, they will be installed by default as well -if not explicitly disabled via configure options and may also have -additional installation/configuration instructions that you can -find in their source directories. +``build/``, using default build options. It then installs the Bro binary +into ``/usr/local/bro/bin``. Depending on the Bro package you +downloaded, there may be auxiliary tools and libraries available in the +``aux/`` directory. All of them except for ``aux/bro-aux`` will also be +built and installed by doing ``make install``. To install the programs +that come in the ``aux/bro-aux`` directory, additionally use ``make +install-aux``. There are ``--disable`` options that can be given to the +configure script to turn off unwanted auxiliary projects. -You can specify a different installation directory with +You can specify a different installation directory with:: > ./configure --prefix= -Note that "/usr" and "/opt/bro" are standard prefixes for binary +Note that ``/usr`` and ``/opt/bro`` are standard prefixes for binary packages to be installed, so those are typically not good choices unless you are creating such a package. -Run "./configure --help" for more options. +Run ``./configure --help`` for more options. Running Bro =========== Bro is a complex program and it takes a bit of time to get familiar -with it. In the following we give a few simple examples. 
See the -quickstart guide at http://www.bro-ids.org for more information; you -can the source that in doc/quick-start. +with it. A good place for newcomers to start is the quick start guide +available here: -For developers that wish to run Bro from the the build/ directory -after performing "make", but without performing "make install", they -will have to first set BROPATH to look for scripts inside the build -directory. Sourcing either build/bro-path-dev.sh or build/bro-path-dev.csh -as appropriate for the current shell accomplishes this. e.g.: + http://www.bro-ids.org/documentation/quickstart.html + +For developers that wish to run Bro from the the ``build/`` directory +after performing ``make``, but without performing ``make install``, they +will have to first set ``BROPATH`` to look for scripts inside the build +directory. Sourcing either ``build/bro-path-dev.sh`` or +``build/bro-path-dev.csh`` as appropriate for the current shell +accomplishes this and also augments your ``PATH`` so you can use Bro +without qualifying the path to it. e.g.:: > ./configure > make > source build/bro-path-dev.sh - > ./build/src/bro + > bro diff --git a/Makefile b/Makefile index 482bfde17f..0e0b41554b 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,9 @@ all: configured install: configured ( cd $(BUILD) && make install ) +install-aux: configured + ( cd $(BUILD) && make install-aux ) + clean: configured docclean ( cd $(BUILD) && make clean ) diff --git a/README b/README index 66a580fa19..387201d3c7 100644 --- a/README +++ b/README 
@@ -1,31 +1,23 @@ -This is release 1.6 of Bro, a system for detecting network intruders in -real-time using passive network monitoring. +============================ +Bro Network Security Monitor +============================ -Please see the file INSTALL for installation instructions and -pointers for getting started. For more documentation, see the -documentation on Bro's home page: +Bro is a powerful framework for network analysis and security +monitoring. - http://www.bro-ids.org/docs +Please see the INSTALL file for installation instructions and pointers +for getting started. For more documentation, research publications, or +community contact information see Bro's home page: -The main parts of Bro's documentation are also available in the doc/ -directory of the distribution. (Please note that the documentation -is still a work in progress; there will be more in future releases.) + http://www.bro-ids.org -Numerous other Bro-related publications, including a paper describing the -system, can be found at +Please see COPYING for licensing information. - http://www.bro-ids.org/publications.html - -Send comments, etc., to the Bro mailing list, bro@bro-ids.org. -However, please note that you must first subscribe to the list in -order to be able to post to it. - -- Vern Paxson & Robin Sommer, on behalf of the Bro development team +On behalf of the Bro Development Team, +Vern Paxson & Robin Sommer, +International Computer Science Institute & Lawrence Berkeley National Laboratory -University of California, Berkeley USA - -ICSI Center for Internet Research (ICIR) -International Computer Science Institute -Berkeley, CA USA vern@icir.org / robin@icir.org + + diff --git a/VERSION b/VERSION index 558ee30a94..e4031dc7bc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6-dev-1221 +1.6-dev-1261 diff --git a/aux/binpac b/aux/binpac index 4fc13f7c69..796b6e7e14 160000 --- a/aux/binpac +++ b/aux/binpac 
@@ -1 +1 @@
-Subproject commit 4fc13f7c6987b4163609e3df7a31f38501411cb7
+Subproject commit 796b6e7e1492021984bbc297b3fcc2952f20c778
diff --git a/aux/bro-aux b/aux/bro-aux
index 86990f1640..2a5a709b5c 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 86990f1640d986e39d5bb1287dbeb03b59a464f0
+Subproject commit 2a5a709b5c85e74a88d88ef385ee0fb44ca02cd6
diff --git a/aux/broccoli b/aux/broccoli
index 6df97331bb..adae807493 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 6df97331bb74d02ef2252138b301e4ca14523962
+Subproject commit adae807493dbb24ec8baf759e4589258ae57cc3e
diff --git a/aux/broctl b/aux/broctl
index c7499ee54f..0731a7b881 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit c7499ee54f50bca65606dc3edc1aff132d93af80
+Subproject commit 0731a7b88145c73efc6221fa4f7ce30c4036a35b
diff --git a/aux/btest b/aux/btest
index ab78a66dd7..3c0b0e9a91 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit ab78a66dd782f165ddf921faaf1f065b2f987481
+Subproject commit 3c0b0e9a91060a7a453a5d6fb72ed1fd9071fda9
diff --git a/cmake b/cmake
new file mode 160000
index 0000000000..47fa45b726
--- /dev/null
+++ b/cmake
@@ -0,0 +1 @@
+Subproject commit 47fa45b726793aa15491d240cd5a84f4a4f7bd0a
diff --git a/cmake/ChangeMacInstallNames.cmake b/cmake/ChangeMacInstallNames.cmake
deleted file mode 100644
index 1e7370d3e7..0000000000
--- a/cmake/ChangeMacInstallNames.cmake
+++ /dev/null
@@ -1,87 +0,0 @@ -# Calling this macro with the name of a list variable will modify that -# list such that any third party libraries that do not come with a -# vanilla Mac OS X system will be replaced by an adjusted library that -# has an install_name relative to the location of any executable that -# links to it. -# -# Also, it will schedule the modified libraries for installation in a -# 'support_libs' subdirectory of the CMAKE_INSTALL_PREFIX. -# -# The case of third party libraries depending on other third party -# libraries is currently not handled by this macro. -# -# Ex. -# -# set(libs /usr/lib/libz.dylib -# /usr/lib/libssl.dylib -# /usr/local/lib/libmagic.dylib -# /usr/local/lib/libGeoIP.dylib -# /usr/local/lib/somestaticlib.a) -# -# include(ChangeMacInstallNames) -# ChangeMacInstallNames(libs) -# -# Should result in ${libs} containing: -# /usr/lib/libz.dylib -# /usr/lib/libssl.dylib -# ${CMAKE_BINARY_DIR}/darwin_support_libs/libmagic.dylib -# ${CMAKE_BINARY_DIR}/darwin_support_libs/libGeoIP.dylib -# /usr/local/lib/somestaticlib.a -# -# such that we can now do: -# -# add_executable(some_exe ${srcs}) -# target_link_libraries(some_exe ${libs}) -# -# Any binary packages created from such a build should be self-contained -# and provide working installs on vanilla OS X systems. 
- -macro(ChangeMacInstallNames libListVar) - if (APPLE) - find_program(INSTALL_NAME_TOOL install_name_tool) - - set(MAC_INSTALL_NAME_DEPS) - set(SUPPORT_BIN_DIR ${CMAKE_BINARY_DIR}/darwin_support_libs) - set(SUPPORT_INSTALL_DIR support_libs) - - file(MAKE_DIRECTORY ${SUPPORT_BIN_DIR}) - - foreach (_lib ${${libListVar}}) - # only care about install_name for shared libraries that are - # not shipped in Apple's vanilla OS X installs - string(REGEX MATCH ^/usr/lib/* apple_provided_lib ${_lib}) - string(REGEX MATCH dylib$ is_shared_lib ${_lib}) - - if (NOT apple_provided_lib AND is_shared_lib) - get_filename_component(_libname ${_lib} NAME) - set(_adjustedLib ${SUPPORT_BIN_DIR}/${_libname}) - set(_tmpLib - ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${_libname}) - - # make a tempory copy so we can adjust permissions - configure_file(${_lib} ${_tmpLib} COPYONLY) - - # copy to build directory with correct write permissions - file(COPY ${_tmpLib} - DESTINATION ${SUPPORT_BIN_DIR} - FILE_PERMISSIONS OWNER_READ OWNER_WRITE - GROUP_READ WORLD_READ) - - # remove the old library from the list provided as macro - # argument and add the new library with modified install_name - list(REMOVE_ITEM ${libListVar} ${_lib}) - list(APPEND ${libListVar} ${_adjustedLib}) - - # update the install target to install the third party libs - # with modified install_name - install(FILES ${_adjustedLib} - DESTINATION ${SUPPORT_INSTALL_DIR}) - - # perform the install_name change - execute_process(COMMAND install_name_tool -id - @executable_path/../${SUPPORT_INSTALL_DIR}/${_libname} - ${_adjustedLib}) - endif () - endforeach () - endif () -endmacro() diff --git a/cmake/CheckFunctions.cmake b/cmake/CheckFunctions.cmake deleted file mode 100644 index e378ef237b..0000000000 --- a/cmake/CheckFunctions.cmake +++ /dev/null 
@@ -1,12 +0,0 @@ -include(CheckFunctionExists) - -check_function_exists(getopt_long HAVE_GETOPT_LONG) -check_function_exists(mallinfo HAVE_MALLINFO) -check_function_exists(strcasestr HAVE_STRCASESTR) -check_function_exists(strerror HAVE_STRERROR) -check_function_exists(strsep HAVE_STRSEP) -check_function_exists(sigset HAVE_SIGSET) - -if (NOT HAVE_SIGSET) - check_function_exists(sigaction HAVE_SIGACTION) -endif () diff --git a/cmake/CheckHeaders.cmake b/cmake/CheckHeaders.cmake deleted file mode 100644 index ff206679d2..0000000000 --- a/cmake/CheckHeaders.cmake +++ /dev/null @@ -1,28 +0,0 @@ -include(CheckIncludeFiles) -include(CheckStructHasMember) - -check_include_files(getopt.h HAVE_GETOPT_H) -check_include_files(magic.h HAVE_MAGIC_H) -check_include_files(memory.h HAVE_MEMORY_H) -check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/if_ether.h" - HAVE_NETINET_IF_ETHER_H) -check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/ip6.h" - HAVE_NETINET_IP6_H) -check_include_files("sys/socket.h;net/if.h;net/ethernet.h" HAVE_NET_ETHERNET_H) -check_include_files(sys/ethernet.h HAVE_SYS_ETHERNET_H) -check_include_files(sys/time.h HAVE_SYS_TIME_H) -check_include_files("time.h;sys/time.h" TIME_WITH_SYS_TIME) -check_include_files(os-proto.h HAVE_OS_PROTO_H) - -check_struct_has_member(HISTORY_STATE entries "stdio.h;readline/readline.h" - HAVE_READLINE_HISTORY_ENTRIES) -check_include_files("stdio.h;readline/readline.h" HAVE_READLINE_READLINE_H) -check_include_files("stdio.h;readline/history.h" HAVE_READLINE_HISTORY_H) - -if (HAVE_READLINE_READLINE_H AND - HAVE_READLINE_HISTORY_H AND - HAVE_READLINE_HISTORY_ENTRIES) - set(HAVE_READLINE true) -endif () - -check_struct_has_member("struct sockaddr_in" sin_len "netinet/in.h" SIN_LEN) diff --git a/cmake/CheckNameserCompat.cmake b/cmake/CheckNameserCompat.cmake deleted file mode 100644 index 1a71411f1b..0000000000 --- a/cmake/CheckNameserCompat.cmake +++ /dev/null 
@@ -1,21 +0,0 @@ -include(CheckCSourceCompiles) - -# Check whether the namser compatibility header is required -# This can be the case on the Darwin platform - -check_c_source_compiles(" - #include - int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }" - have_nameser_header) - -if (NOT have_nameser_header) - check_c_source_compiles(" - #include - #include - int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }" - NEED_NAMESER_COMPAT_H) - if (NOT NEED_NAMESER_COMPAT_H) - message(FATAL_ERROR - "Asynchronous DNS support compatibility check failed.") - endif () -endif () diff --git a/cmake/CheckOptionalBuildSources.cmake b/cmake/CheckOptionalBuildSources.cmake deleted file mode 100644 index f901d432f6..0000000000 --- a/cmake/CheckOptionalBuildSources.cmake +++ /dev/null @@ -1,21 +0,0 @@ -# A macro that checks whether optional sources exist and if they do, they -# are added to the build/install process, else a warning is issued -# -# _dir: the subdir of the current source dir in which the optional -# sources are located -# _packageName: a string that identifies the package -# _varName: name of the variable indicating whether package is scheduled -# to be installed - -macro(CheckOptionalBuildSources _dir _packageName _varName) - if (${_varName}) - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${_dir}/CMakeLists.txt) - add_subdirectory(${_dir}) - else () - message(WARNING "${_packageName} source code does not exist in " - "${CMAKE_CURRENT_SOURCE_DIR}/${_dir} " - "so it will not be built or installed") - set(${_varName} false) - endif () - endif () -endmacro(CheckOptionalBuildSources) diff --git a/cmake/CheckTypes.cmake b/cmake/CheckTypes.cmake deleted file mode 100644 index 1fab29e3f8..0000000000 --- a/cmake/CheckTypes.cmake +++ /dev/null 
@@ -1,31 +0,0 @@ -include(CheckTypeSize) - -check_type_size("long int" SIZEOF_LONG_INT) -check_type_size("long long" SIZEOF_LONG_LONG) -check_type_size("void *" SIZEOF_VOID_P) - -# checks existence of ${_type}, and if it does not, sets CMake variable ${_var} -# to alternative type, ${_alt_type} -macro(CheckType _type _alt_type _var) - # don't perform check if we have a result from a previous CMake run - if (NOT HAVE_${_var}) - check_type_size(${_type} ${_var}) - if (NOT ${_var}) - set(${_var} ${_alt_type}) - else () - unset(${_var}) - unset(${_var} CACHE) - endif () - endif () -endmacro(CheckType _type _alt_type _var) - -set(CMAKE_EXTRA_INCLUDE_FILES sys/types.h) -CheckType(int32_t int int32_t) -CheckType(u_int32_t u_int u_int32_t) -CheckType(u_int16_t u_short u_int16_t) -CheckType(u_int8_t u_char u_int8_t) -set(CMAKE_EXTRA_INCLUDE_FILES) - -set(CMAKE_EXTRA_INCLUDE_FILES sys/socket.h) -CheckType(socklen_t int socklen_t) -set(CMAKE_EXTRA_INCLUDE_FILES) diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake deleted file mode 100644 index 6d7cb3d76f..0000000000 --- a/cmake/ConfigurePackaging.cmake +++ /dev/null 
@@ -1,238 +0,0 @@ -# A collection of macros to assist in configuring CMake/Cpack -# source and binary packaging - -# Sets CPack version variables by splitting the first macro argument -# using "." as a delimiter. If the length of the split list is -# greater than 2, all remaining elements are tacked on to the patch -# level version. Not that the version set by the macro is internal -# to binary packaging, the file name of our package will reflect the -# exact version number. -macro(SetPackageVersion _version) - string(REPLACE "." " " version_numbers ${_version}) - separate_arguments(version_numbers) - - list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MAJOR) - list(REMOVE_AT version_numbers 0) - list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MINOR) - list(REMOVE_AT version_numbers 0) - list(LENGTH version_numbers version_length) - - while (version_length GREATER 0) - list(GET version_numbers 0 patch_level) - if (CPACK_PACKAGE_VERSION_PATCH) - set(CPACK_PACKAGE_VERSION_PATCH - "${CPACK_PACKAGE_VERSION_PATCH}.${patch_level}") - else () - set(CPACK_PACKAGE_VERSION_PATCH ${patch_level}) - endif () - list(REMOVE_AT version_numbers 0) - list(LENGTH version_numbers version_length) - endwhile () - - if (APPLE) - # Mac PackageMaker package requires only numbers in the versioning - string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MAJOR - ${CPACK_PACKAGE_VERSION_MAJOR}) - string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MINOR - ${CPACK_PACKAGE_VERSION_MINOR}) - if (CPACK_PACKAGE_VERSION_PATCH) - string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH - ${CPACK_PACKAGE_VERSION_PATCH}) - endif () - endif () - - if (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - # RPM version accepts letters, but not dashes. 
- string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MAJOR - ${CPACK_PACKAGE_VERSION_MAJOR}) - string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MINOR - ${CPACK_PACKAGE_VERSION_MINOR}) - if (CPACK_PACKAGE_VERSION_PATCH) - string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_PATCH - ${CPACK_PACKAGE_VERSION_PATCH}) - endif () - endif () - - # Minimum supported OS X version - set(CPACK_OSX_PACKAGE_VERSION 10.5) -endmacro(SetPackageVersion) - -# Sets the list of desired package types to be created by the make -# package target. A .tar.gz is only made for source packages, and -# binary pacakage format depends on the operating system: -# -# Darwin - PackageMaker -# Linux - RPM if the platform has rpmbuild installed -# DEB if the platform has dpkg-shlibdeps installed -# -# CPACK_GENERATOR is set by this macro -# CPACK_SOURCE_GENERATOR is set by this macro -macro(SetPackageGenerators) - set(CPACK_SOURCE_GENERATOR TGZ) - #set(CPACK_GENERATOR TGZ) - if (APPLE) - list(APPEND CPACK_GENERATOR PackageMaker) - elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - find_program(RPMBUILD_EXE rpmbuild) - find_program(DPKGSHLIB_EXE dpkg-shlibdeps) - if (RPMBUILD_EXE) - set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM) - endif () - if (DPKGSHLIB_EXE) - set(CPACK_GENERATOR ${CPACK_GENERATOR} DEB) - set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS true) - endif () - endif () -endmacro(SetPackageGenerators) - -# Sets CPACK_PACKAGE_FILE_NAME in the following format: -# -# --- -# -# and CPACK_SOURCE_PACKAGE_FILE_NAME as: -# -# - -macro(SetPackageFileName _version) - if (PACKAGE_NAME_PREFIX) - set(CPACK_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}") - set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}") - else () - set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}") - set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}") - endif () - - set(CPACK_PACKAGE_FILE_NAME - "${CPACK_PACKAGE_FILE_NAME}-${CMAKE_SYSTEM_NAME}") - - if (APPLE) - # Only Intel-based Macs 
are supported. CMAKE_SYSTEM_PROCESSOR may - # return the confusing 'i386' if running a 32-bit kernel, but chances - # are the binary is x86_64 (or more generally 'Intel') compatible. - set(arch "Intel") - else () - set (arch ${CMAKE_SYSTEM_PROCESSOR}) - endif () - - set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${arch}") -endmacro(SetPackageFileName) - -# Sets up binary package metadata -macro(SetPackageMetadata) - set(CPACK_PACKAGE_VENDOR "Lawrence Berkeley National Laboratory") - set(CPACK_PACKAGE_CONTACT "info@bro-ids.org") - set(CPACK_PACKAGE_DESCRIPTION_SUMMARY - "The Bro Network Intrusion Detection System") - - # CPack may enforce file name extensions for certain package generators - configure_file(${CMAKE_CURRENT_SOURCE_DIR}/README - ${CMAKE_CURRENT_BINARY_DIR}/README.txt - COPYONLY) - configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING - ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt - COPYONLY) - configure_file(${CMAKE_CURRENT_SOURCE_DIR}/cmake/MAC_PACKAGE_INTRO - ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt) - - set(CPACK_PACKAGE_DESCRIPTION_FILE ${CMAKE_CURRENT_BINARY_DIR}/README.txt) - set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt) - set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt) - set(CPACK_RESOURCE_FILE_WELCOME - ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt) - - set(CPACK_RPM_PACKAGE_LICENSE "BSD") -endmacro(SetPackageMetadata) - -# Sets pre and post install scripts for PackageMaker packages. -# The main functionality that such scripts offer is a way to make backups -# of "configuration" files that a user may have modified. 
-# Note that RPMs already have a robust mechanism for dealing with -# user-modified files, so we do not need this additional functionality -macro(SetPackageInstallScripts VERSION) - - if (INSTALLED_CONFIG_FILES) - # Remove duplicates from the list of installed config files - separate_arguments(INSTALLED_CONFIG_FILES) - list(REMOVE_DUPLICATES INSTALLED_CONFIG_FILES) - # Space delimit the list again - foreach (_file ${INSTALLED_CONFIG_FILES}) - set(_tmp "${_tmp} ${_file}") - endforeach () - set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE) - endif () - - if (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - # DEB packages can automatically handle configuration files - # if provided in a "conffiles" file in the packaging - set(conffiles_file ${CMAKE_CURRENT_BINARY_DIR}/conffiles) - if (INSTALLED_CONFIG_FILES) - string(REPLACE " " ";" conffiles ${INSTALLED_CONFIG_FILES}) - endif () - file(WRITE ${conffiles_file} "") - foreach (_file ${conffiles}) - file(APPEND ${conffiles_file} "${_file}\n") - endforeach () - - list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA - ${CMAKE_CURRENT_BINARY_DIR}/conffiles) - - # RPMs don't need any explicit direction regarding config files. - - # Leaving the set of installed config files empty will just - # bypass the logic in the default pre/post install scripts and let - # the RPMs/DEBs do their own thing (regarding backups, etc.) - # when upgrading packages. 
- set(INSTALLED_CONFIG_FILES "") - endif () - - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in) - configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in - ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh - @ONLY) - configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in - ${CMAKE_CURRENT_BINARY_DIR}/preinst - @ONLY) - set(CPACK_PREFLIGHT_SCRIPT - ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh) - set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE - ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh) - list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA - ${CMAKE_CURRENT_BINARY_DIR}/preinst) - endif () - - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in) - configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in - ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh - @ONLY) - configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in - ${CMAKE_CURRENT_BINARY_DIR}/postinst - @ONLY) - set(CPACK_POSTUPGRADE_SCRIPT - ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh) - set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE - ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh) - list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA - ${CMAKE_CURRENT_BINARY_DIR}/postinst) - endif () -endmacro(SetPackageInstallScripts) - -# Main macro to configure all the packaging options -macro(ConfigurePackaging _version) - SetPackageVersion(${_version}) - SetPackageGenerators() - SetPackageFileName(${_version}) - SetPackageMetadata() - SetPackageInstallScripts(${_version}) - - set(CPACK_SET_DESTDIR true) - set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) - - # add default files/directories to ignore for source package - # user may specify others via configure script - list(APPEND CPACK_SOURCE_IGNORE_FILES ${CMAKE_BINARY_DIR} ".git") - - include(CPack) -endmacro(ConfigurePackaging) 
diff --git a/cmake/FindBIND.cmake b/cmake/FindBIND.cmake deleted file mode 100644 index 4cbc481ae6..0000000000 --- a/cmake/FindBIND.cmake +++ /dev/null 
@@ -1,101 +0,0 @@ -# - Try to find libpcap include dirs and libraries -# -# Usage of this module as follows: -# -# find_package(BIND) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# BIND_ROOT_DIR Set this variable to the root installation of BIND -# if the module has problems finding the proper -# installation path. -# -# Variables defined by this module: -# -# BIND_FOUND System has BIND, include and library dirs found -# BIND_INCLUDE_DIR The BIND include directories. -# BIND_LIBRARY The BIND library (if any) required for -# ns_inittab and res_mkquery symbols - -find_path(BIND_ROOT_DIR - NAMES include/resolv.h -) - -find_path(BIND_INCLUDE_DIR - NAMES resolv.h - HINTS ${BIND_ROOT_DIR}/include -) - -if (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - # the static resolv library is preferred because - # on some systems, the ns_initparse symbol is not - # exported in the shared library (strangely) - # see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291609 - set(bind_libs none libresolv.a resolv bind) -else () - set(bind_libs none resolv bind) -endif () - -include(CheckCSourceCompiles) - -# Find which library has the res_mkquery and ns_initparse symbols -set(CMAKE_REQUIRED_INCLUDES ${BIND_INCLUDE_DIR}) -foreach (bindlib ${bind_libs}) - if (NOT ${bindlib} MATCHES "none") - find_library(BIND_LIBRARY - NAMES ${bindlib} - HINTS ${BIND_ROOT_DIR}/lib - ) - endif () - - set(CMAKE_REQUIRED_LIBRARIES ${BIND_LIBRARY}) - - check_c_source_compiles(" - #include - int main() { - ns_initparse(0, 0, 0); - return 0; - } -" ns_initparse_works_${bindlib}) - - check_c_source_compiles(" - #include - #include - #include - #include - #include - int main() { - int (*p)() = res_mkquery; - } -" res_mkquery_works_${bindlib}) - - set(CMAKE_REQUIRED_LIBRARIES) - - if (ns_initparse_works_${bindlib} AND res_mkquery_works_${bindlib}) - break () - else () - set(BIND_LIBRARY BIND_LIBRARY-NOTFOUND) - endif () -endforeach () 
-set(CMAKE_REQUIRED_INCLUDES) - -include(FindPackageHandleStandardArgs) - -if (ns_initparse_works_none AND res_mkquery_works_none) - # system does not require linking to a BIND library - find_package_handle_standard_args(BIND DEFAULT_MSG - BIND_INCLUDE_DIR - ) -else () - find_package_handle_standard_args(BIND DEFAULT_MSG - BIND_LIBRARY - BIND_INCLUDE_DIR - ) -endif () - -mark_as_advanced( - BIND_ROOT_DIR - BIND_LIBRARY - BIND_INCLUDE_DIR -) diff --git a/cmake/FindBISON.cmake b/cmake/FindBISON.cmake deleted file mode 100644 index 3f6d11d04f..0000000000 --- a/cmake/FindBISON.cmake +++ /dev/null 
@@ -1,221 +0,0 @@ -# - Find bison executable and provides macros to generate custom build rules -# The module defines the following variables: -# -# BISON_EXECUTABLE - path to the bison program -# BISON_VERSION - version of bison -# BISON_FOUND - true if the program was found -# -# If bison is found, the module defines the macros: -# BISON_TARGET( [VERBOSE ] -# [COMPILE_FLAGS ] [HEADER ]) -# which will create a custom rule to generate a parser. is -# the path to a yacc file. is the name of the source file -# generated by bison. A header file containing the token list is also -# generated according to bison's -d option by default or if the HEADER -# option is used, the argument is passed to bison's --defines option to -# specify output file. If COMPILE_FLAGS option is specified, the next -# parameter is added in the bison command line. if VERBOSE option is -# specified, is created and contains verbose descriptions of the -# grammar and parser. The macro defines a set of variables: -# BISON_${Name}_DEFINED - true is the macro ran successfully -# BISON_${Name}_INPUT - The input source file, an alias for -# BISON_${Name}_OUTPUT_SOURCE - The source file generated by bison -# BISON_${Name}_OUTPUT_HEADER - The header file generated by bison -# BISON_${Name}_OUTPUTS - The sources files generated by bison -# BISON_${Name}_COMPILE_FLAGS - Options used in the bison command line -# -# ==================================================================== -# Example: -# -# find_package(BISON) -# BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp) -# add_executable(Foo main.cpp ${BISON_MyParser_OUTPUTS}) -# ==================================================================== - -#============================================================================= -# Copyright 2009 Kitware, Inc. 
-# Copyright 2006 Tristan Carel -# Modified 2010 by Jon Siwek, adding HEADER option -# -# Distributed under the OSI-approved BSD License (the "License"): -# CMake - Cross Platform Makefile Generator -# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium -# All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# * Neither the names of Kitware, Inc., the Insight Software Consortium, -# nor the names of their contributors may be used to endorse or promote -# products derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -# This software is distributed WITHOUT ANY WARRANTY; without even the -# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
-# See the License for more information. -#============================================================================= - -FIND_PROGRAM(BISON_EXECUTABLE bison DOC "path to the bison executable") -MARK_AS_ADVANCED(BISON_EXECUTABLE) - -IF(BISON_EXECUTABLE) - - EXECUTE_PROCESS(COMMAND ${BISON_EXECUTABLE} --version - OUTPUT_VARIABLE BISON_version_output - ERROR_VARIABLE BISON_version_error - RESULT_VARIABLE BISON_version_result - OUTPUT_STRIP_TRAILING_WHITESPACE) - IF(NOT ${BISON_version_result} EQUAL 0) - MESSAGE(SEND_ERROR "Command \"${BISON_EXECUTABLE} --version\" failed with output:\n${BISON_version_error}") - ELSE() - STRING(REGEX REPLACE "^bison \\(GNU Bison\\) ([^\n]+)\n.*" "\\1" - BISON_VERSION "${BISON_version_output}") - ENDIF() - - # internal macro - MACRO(BISON_TARGET_option_verbose Name BisonOutput filename) - LIST(APPEND BISON_TARGET_cmdopt "--verbose") - GET_FILENAME_COMPONENT(BISON_TARGET_output_path "${BisonOutput}" PATH) - GET_FILENAME_COMPONENT(BISON_TARGET_output_name "${BisonOutput}" NAME_WE) - ADD_CUSTOM_COMMAND(OUTPUT $(unknown) - COMMAND ${CMAKE_COMMAND} - ARGS -E copy - "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output" - "$(unknown)" - DEPENDS - "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output" - COMMENT "[BISON][${Name}] Copying bison verbose table to $(unknown)" - WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}) - SET(BISON_${Name}_VERBOSE_FILE $(unknown)) - LIST(APPEND BISON_TARGET_extraoutputs - "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output") - ENDMACRO(BISON_TARGET_option_verbose) - - # internal macro - MACRO(BISON_TARGET_option_extraopts Options) - SET(BISON_TARGET_extraopts "${Options}") - SEPARATE_ARGUMENTS(BISON_TARGET_extraopts) - LIST(APPEND BISON_TARGET_cmdopt ${BISON_TARGET_extraopts}) - ENDMACRO(BISON_TARGET_option_extraopts) - - #============================================================ - # BISON_TARGET (public macro) - #============================================================ - # 
- MACRO(BISON_TARGET Name BisonInput BisonOutput) - SET(BISON_TARGET_output_header "") - #SET(BISON_TARGET_command_opt "") - SET(BISON_TARGET_cmdopt "") - SET(BISON_TARGET_outputs "${BisonOutput}") - IF(NOT ${ARGC} EQUAL 3 AND - NOT ${ARGC} EQUAL 5 AND - NOT ${ARGC} EQUAL 7 AND - NOT ${ARGC} EQUAL 9) - MESSAGE(SEND_ERROR "Usage") - ELSE() - # Parsing parameters - IF(${ARGC} GREATER 5 OR ${ARGC} EQUAL 5) - IF("${ARGV3}" STREQUAL "VERBOSE") - BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV4}") - ENDIF() - IF("${ARGV3}" STREQUAL "COMPILE_FLAGS") - BISON_TARGET_option_extraopts("${ARGV4}") - ENDIF() - IF("${ARGV3}" STREQUAL "HEADER") - set(BISON_TARGET_output_header "${ARGV4}") - ENDIF() - ENDIF() - - IF(${ARGC} GREATER 7 OR ${ARGC} EQUAL 7) - IF("${ARGV5}" STREQUAL "VERBOSE") - BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV6}") - ENDIF() - - IF("${ARGV5}" STREQUAL "COMPILE_FLAGS") - BISON_TARGET_option_extraopts("${ARGV6}") - ENDIF() - - IF("${ARGV5}" STREQUAL "HEADER") - set(BISON_TARGET_output_header "${ARGV6}") - ENDIF() - ENDIF() - - IF(${ARGC} EQUAL 9) - IF("${ARGV7}" STREQUAL "VERBOSE") - BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV8}") - ENDIF() - - IF("${ARGV7}" STREQUAL "COMPILE_FLAGS") - BISON_TARGET_option_extraopts("${ARGV8}") - ENDIF() - - IF("${ARGV7}" STREQUAL "HEADER") - set(BISON_TARGET_output_header "${ARGV8}") - ENDIF() - ENDIF() - - IF(BISON_TARGET_output_header) - # Header's name passed in as argument to be used in --defines option - LIST(APPEND BISON_TARGET_cmdopt - "--defines=${BISON_TARGET_output_header}") - set(BISON_${Name}_OUTPUT_HEADER ${BISON_TARGET_output_header}) - ELSE() - # Header's name generated by bison (see option -d) - LIST(APPEND BISON_TARGET_cmdopt "-d") - STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\2" _fileext "${ARGV2}") - STRING(REPLACE "c" "h" _fileext ${_fileext}) - STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\1${_fileext}" - BISON_${Name}_OUTPUT_HEADER "${ARGV2}") - ENDIF() - - LIST(APPEND 
BISON_TARGET_outputs "${BISON_${Name}_OUTPUT_HEADER}") - - ADD_CUSTOM_COMMAND(OUTPUT ${BISON_TARGET_outputs} - ${BISON_TARGET_extraoutputs} - COMMAND ${BISON_EXECUTABLE} - ARGS ${BISON_TARGET_cmdopt} -o ${ARGV2} ${ARGV1} - DEPENDS ${ARGV1} - COMMENT "[BISON][${Name}] Building parser with bison ${BISON_VERSION}" - WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) - - # define target variables - SET(BISON_${Name}_DEFINED TRUE) - SET(BISON_${Name}_INPUT ${ARGV1}) - SET(BISON_${Name}_OUTPUTS ${BISON_TARGET_outputs}) - SET(BISON_${Name}_COMPILE_FLAGS ${BISON_TARGET_cmdopt}) - SET(BISON_${Name}_OUTPUT_SOURCE "${BisonOutput}") - - ENDIF(NOT ${ARGC} EQUAL 3 AND - NOT ${ARGC} EQUAL 5 AND - NOT ${ARGC} EQUAL 7 AND - NOT ${ARGC} EQUAL 9) - ENDMACRO(BISON_TARGET) - # - #============================================================ - -ENDIF(BISON_EXECUTABLE) - -INCLUDE(FindPackageHandleStandardArgs) -FIND_PACKAGE_HANDLE_STANDARD_ARGS(BISON DEFAULT_MSG BISON_EXECUTABLE) - -# FindBISON.cmake ends here diff --git a/cmake/FindBinPAC.cmake b/cmake/FindBinPAC.cmake deleted file mode 100644 index 5cd1697bb3..0000000000 --- a/cmake/FindBinPAC.cmake +++ /dev/null 
@@ -1,53 +0,0 @@ -# - Try to find BinPAC binary and library -# -# Usage of this module as follows: -# -# find_package(BinPAC) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# BinPAC_ROOT_DIR Set this variable to the root installation of -# BinPAC if the module has problems finding the -# proper installation path. -# -# Variables defined by this module: -# -# BINPAC_FOUND System has BinPAC binary and library -# BinPAC_EXE The binpac executable -# BinPAC_LIBRARY The libbinpac.a library -# BinPAC_INCLUDE_DIR The binpac headers - -# look for BinPAC in standard locations or user-provided root -find_path(BinPAC_ROOT_DIR - NAMES include/binpac.h -) - -find_file(BinPAC_EXE - NAMES binpac - HINTS ${BinPAC_ROOT_DIR}/bin -) - -find_library(BinPAC_LIBRARY - NAMES libbinpac.a - HINTS ${BinPAC_ROOT_DIR}/lib -) - -find_path(BinPAC_INCLUDE_DIR - NAMES binpac.h - HINTS ${BinPAC_ROOT_DIR}/include -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(BinPAC DEFAULT_MSG - BinPAC_EXE - BinPAC_LIBRARY - BinPAC_INCLUDE_DIR -) - -mark_as_advanced( - BinPAC_ROOT_DIR - BinPAC_EXE - BinPAC_LIBRARY - BinPAC_INCLUDE_DIR -) diff --git a/cmake/FindFLEX.cmake b/cmake/FindFLEX.cmake deleted file mode 100644 index c56e8edad8..0000000000 --- a/cmake/FindFLEX.cmake +++ /dev/null 
@@ -1,179 +0,0 @@ -# - Find flex executable and provides a macro to generate custom build rules -# -# The module defines the following variables: -# FLEX_FOUND - true is flex executable is found -# FLEX_EXECUTABLE - the path to the flex executable -# FLEX_VERSION - the version of flex -# FLEX_LIBRARIES - The flex libraries -# -# The minimum required version of flex can be specified using the -# standard syntax, e.g. FIND_PACKAGE(FLEX 2.5.13) -# -# -# If flex is found on the system, the module provides the macro: -# FLEX_TARGET(Name FlexInput FlexOutput [COMPILE_FLAGS ]) -# which creates a custom command to generate the file from -# the file. If COMPILE_FLAGS option is specified, the next -# parameter is added to the flex command line. Name is an alias used to -# get details of this custom command. Indeed the macro defines the -# following variables: -# FLEX_${Name}_DEFINED - true is the macro ran successfully -# FLEX_${Name}_OUTPUTS - the source file generated by the custom rule, an -# alias for FlexOutput -# FLEX_${Name}_INPUT - the flex source file, an alias for ${FlexInput} -# -# Flex scanners oftenly use tokens defined by Bison: the code generated -# by Flex depends of the header generated by Bison. This module also -# defines a macro: -# ADD_FLEX_BISON_DEPENDENCY(FlexTarget BisonTarget) -# which adds the required dependency between a scanner and a parser -# where and are the first parameters of -# respectively FLEX_TARGET and BISON_TARGET macros. 
-# -# ==================================================================== -# Example: -# -# find_package(BISON) -# find_package(FLEX) -# -# BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp -# FLEX_TARGET(MyScanner lexer.l ${CMAKE_CURRENT_BIANRY_DIR}/lexer.cpp) -# ADD_FLEX_BISON_DEPENDENCY(MyScanner MyParser) -# -# include_directories(${CMAKE_CURRENT_BINARY_DIR}) -# add_executable(Foo -# Foo.cc -# ${BISON_MyParser_OUTPUTS} -# ${FLEX_MyScanner_OUTPUTS} -# ) -# ==================================================================== - -#============================================================================= -# Copyright 2009 Kitware, Inc. -# Copyright 2006 Tristan Carel -# Modified 2010 by Jon Siwek, backporting for CMake 2.6 compat -# -# Distributed under the OSI-approved BSD License (the "License"): -# CMake - Cross Platform Makefile Generator -# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium -# All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# * Neither the names of Kitware, Inc., the Insight Software Consortium, -# nor the names of their contributors may be used to endorse or promote -# products derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -# This software is distributed WITHOUT ANY WARRANTY; without even the -# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -# See the License for more information. -#============================================================================= - -FIND_PROGRAM(FLEX_EXECUTABLE flex DOC "path to the flex executable") -MARK_AS_ADVANCED(FLEX_EXECUTABLE) - -FIND_LIBRARY(FL_LIBRARY NAMES fl - DOC "path to the fl library") -MARK_AS_ADVANCED(FL_LIBRARY) -SET(FLEX_LIBRARIES ${FL_LIBRARY}) - -IF(FLEX_EXECUTABLE) - - EXECUTE_PROCESS(COMMAND ${FLEX_EXECUTABLE} --version - OUTPUT_VARIABLE FLEX_version_output - ERROR_VARIABLE FLEX_version_error - RESULT_VARIABLE FLEX_version_result - OUTPUT_STRIP_TRAILING_WHITESPACE) - IF(NOT ${FLEX_version_result} EQUAL 0) - IF(FLEX_FIND_REQUIRED) - MESSAGE(SEND_ERROR "Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}") - ELSE() - MESSAGE("Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}\nFLEX_VERSION will not be available") - ENDIF() - ELSE() - STRING(REGEX REPLACE "^flex (.*)$" "\\1" - FLEX_VERSION "${FLEX_version_output}") - ENDIF() - - #============================================================ - # FLEX_TARGET (public macro) - #============================================================ - # - MACRO(FLEX_TARGET Name Input Output) - SET(FLEX_TARGET_usage "FLEX_TARGET( 
[COMPILE_FLAGS ]") - IF(${ARGC} GREATER 3) - IF(${ARGC} EQUAL 5) - IF("${ARGV3}" STREQUAL "COMPILE_FLAGS") - SET(FLEX_EXECUTABLE_opts "${ARGV4}") - SEPARATE_ARGUMENTS(FLEX_EXECUTABLE_opts) - ELSE() - MESSAGE(SEND_ERROR ${FLEX_TARGET_usage}) - ENDIF() - ELSE() - MESSAGE(SEND_ERROR ${FLEX_TARGET_usage}) - ENDIF() - ENDIF() - - ADD_CUSTOM_COMMAND(OUTPUT ${Output} - COMMAND ${FLEX_EXECUTABLE} - ARGS ${FLEX_EXECUTABLE_opts} -o${Output} ${Input} - DEPENDS ${Input} - COMMENT "[FLEX][${Name}] Building scanner with flex ${FLEX_VERSION}" - WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) - - SET(FLEX_${Name}_DEFINED TRUE) - SET(FLEX_${Name}_OUTPUTS ${Output}) - SET(FLEX_${Name}_INPUT ${Input}) - SET(FLEX_${Name}_COMPILE_FLAGS ${FLEX_EXECUTABLE_opts}) - ENDMACRO(FLEX_TARGET) - #============================================================ - - - #============================================================ - # ADD_FLEX_BISON_DEPENDENCY (public macro) - #============================================================ - # - MACRO(ADD_FLEX_BISON_DEPENDENCY FlexTarget BisonTarget) - - IF(NOT FLEX_${FlexTarget}_OUTPUTS) - MESSAGE(SEND_ERROR "Flex target `${FlexTarget}' does not exists.") - ENDIF() - - IF(NOT BISON_${BisonTarget}_OUTPUT_HEADER) - MESSAGE(SEND_ERROR "Bison target `${BisonTarget}' does not exists.") - ENDIF() - - SET_SOURCE_FILES_PROPERTIES(${FLEX_${FlexTarget}_OUTPUTS} - PROPERTIES OBJECT_DEPENDS ${BISON_${BisonTarget}_OUTPUT_HEADER}) - ENDMACRO(ADD_FLEX_BISON_DEPENDENCY) - #============================================================ - -ENDIF(FLEX_EXECUTABLE) - -INCLUDE(FindPackageHandleStandardArgs) -FIND_PACKAGE_HANDLE_STANDARD_ARGS(FLEX FLEX_EXECUTABLE - FLEX_VERSION) - -# FindFLEX.cmake ends here diff --git a/cmake/FindGooglePerftools.cmake b/cmake/FindGooglePerftools.cmake deleted file mode 100644 index 7ddd5a532e..0000000000 --- a/cmake/FindGooglePerftools.cmake +++ /dev/null 
@@ -1,44 +0,0 @@ -# - Try to find GooglePerftools headers and libraries -# -# Usage of this module as follows: -# -# find_package(GooglePerftools) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# GooglePerftools_ROOT_DIR Set this variable to the root installation of -# GooglePerftools if the module has problems finding -# the proper installation path. -# -# Variables defined by this module: -# -# GOOGLEPERFTOOLS_FOUND System has GooglePerftools libs/headers -# GooglePerftools_LIBRARIES The GooglePerftools libraries -# GooglePerftools_INCLUDE_DIR The location of GooglePerftools headers - -find_path(GooglePerftools_ROOT_DIR - NAMES include/google/heap-profiler.h -) - -find_library(GooglePerftools_LIBRARIES - NAMES tcmalloc - HINTS ${GooglePerftools_ROOT_DIR}/lib -) - -find_path(GooglePerftools_INCLUDE_DIR - NAMES google/heap-profiler.h - HINTS ${GooglePerftools_ROOT_DIR}/include -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(GooglePerftools DEFAULT_MSG - GooglePerftools_LIBRARIES - GooglePerftools_INCLUDE_DIR -) - -mark_as_advanced( - GooglePerftools_ROOT_DIR - GooglePerftools_LIBRARIES - GooglePerftools_INCLUDE_DIR -) diff --git a/cmake/FindLibGeoIP.cmake b/cmake/FindLibGeoIP.cmake deleted file mode 100644 index 529886d866..0000000000 --- a/cmake/FindLibGeoIP.cmake +++ /dev/null 
@@ -1,68 +0,0 @@ -# - Try to find GeoIP headers and libraries -# -# Usage of this module as follows: -# -# find_package(LibGeoIP) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# LibGeoIP_ROOT_DIR Set this variable to the root installation of -# libGeoIP if the module has problems finding the -# proper installation path. -# -# Variables defined by this module: -# -# LIBGEOIP_FOUND System has GeoIP libraries and headers -# LibGeoIP_LIBRARY The GeoIP library -# LibGeoIP_INCLUDE_DIR The location of GeoIP headers -# HAVE_GEOIP_COUNTRY_EDITION_V6 Whether the API support IPv6 country edition -# HAVE_GEOIP_CITY_EDITION_REV0_V6 Whether the API supports IPv6 city edition - -find_path(LibGeoIP_ROOT_DIR - NAMES include/GeoIPCity.h -) - -if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") - # the static version of the library is preferred on OS X for the - # purposes of making packages (libGeoIP doesn't ship w/ OS X) - set(libgeoip_names libGeoIp.a GeoIP) -else () - set(libgeoip_names GeoIP) -endif () - -find_library(LibGeoIP_LIBRARY - NAMES ${libgeoip_names} - HINTS ${LibGeoIP_ROOT_DIR}/lib -) - -find_path(LibGeoIP_INCLUDE_DIR - NAMES GeoIPCity.h - HINTS ${LibGeoIP_ROOT_DIR}/include -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(LibGeoIP DEFAULT_MSG - LibGeoIP_LIBRARY - LibGeoIP_INCLUDE_DIR -) - -if (LIBGEOIP_FOUND) - include(CheckCXXSourceCompiles) - set(CMAKE_REQUIRED_INCLUDES ${LibGeoIP_INCLUDE_DIR}) - check_cxx_source_compiles(" - #include - int main() { GEOIP_COUNTRY_EDITION_V6; return 0; } - " HAVE_GEOIP_COUNTRY_EDITION_V6) - check_cxx_source_compiles(" - #include - int main() { GEOIP_CITY_EDITION_REV0_V6; return 0; } - " HAVE_GEOIP_CITY_EDITION_REV0_V6) - set(CMAKE_REQUIRED_INCLUDES) -endif () - -mark_as_advanced( - LibGeoIP_ROOT_DIR - LibGeoIP_LIBRARY - LibGeoIP_INCLUDE_DIR -) 
diff --git a/cmake/FindLibMagic.cmake b/cmake/FindLibMagic.cmake deleted file mode 100644 index 23cc7efe39..0000000000 --- a/cmake/FindLibMagic.cmake +++ /dev/null @@ -1,52 +0,0 @@ -# - Try to find libmagic header and library -# -# Usage of this module as follows: -# -# find_package(LibMagic) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# LibMagic_ROOT_DIR Set this variable to the root installation of -# libmagic if the module has problems finding the -# proper installation path. -# -# Variables defined by this module: -# -# LIBMAGIC_FOUND System has libmagic and magic.h -# LibMagic_LIBRARY The libmagic library -# LibMagic_INCLUDE_DIR The location of magic.h - -find_path(LibMagic_ROOT_DIR - NAMES include/magic.h -) - -if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") - # the static version of the library is preferred on OS X for the - # purposes of making packages (libmagic doesn't ship w/ OS X) - set(libmagic_names libmagic.a magic) -else () - set(libmagic_names magic) -endif () - -find_library(LibMagic_LIBRARY - NAMES ${libmagic_names} - HINTS ${LibMagic_ROOT_DIR}/lib -) - -find_path(LibMagic_INCLUDE_DIR - NAMES magic.h - HINTS ${LibMagic_ROOT_DIR}/include -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(LibMagic DEFAULT_MSG - LibMagic_LIBRARY - LibMagic_INCLUDE_DIR -) - -mark_as_advanced( - LibMagic_ROOT_DIR - LibMagic_LIBRARY - LibMagic_INCLUDE_DIR -) diff --git a/cmake/FindOpenSSL.cmake b/cmake/FindOpenSSL.cmake deleted file mode 100644 index 599a846f0a..0000000000 --- a/cmake/FindOpenSSL.cmake +++ /dev/null 
@@ -1,56 +0,0 @@ -# - Try to find openssl include dirs and libraries -# -# Usage of this module as follows: -# -# find_package(OpenSSL) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# OpenSSL_ROOT_DIR Set this variable to the root installation of -# openssl if the module has problems finding the -# proper installation path. -# -# Variables defined by this module: -# -# OPENSSL_FOUND System has openssl, include and library dirs found -# OpenSSL_INCLUDE_DIR The openssl include directories. -# OpenSSL_LIBRARIES The openssl libraries. -# OpenSSL_CYRPTO_LIBRARY The openssl crypto library. -# OpenSSL_SSL_LIBRARY The openssl ssl library. - -find_path(OpenSSL_ROOT_DIR - NAMES include/openssl/ssl.h -) - -find_path(OpenSSL_INCLUDE_DIR - NAMES openssl/ssl.h - HINTS ${OpenSSL_ROOT_DIR}/include -) - -find_library(OpenSSL_SSL_LIBRARY - NAMES ssl ssleay32 ssleay32MD - HINTS ${OpenSSL_ROOT_DIR}/lib -) - -find_library(OpenSSL_CRYPTO_LIBRARY - NAMES crypto - HINTS ${OpenSSL_ROOT_DIR}/lib -) - -set(OpenSSL_LIBRARIES ${OpenSSL_SSL_LIBRARY} ${OpenSSL_CRYPTO_LIBRARY} - CACHE STRING "OpenSSL SSL and crypto libraries" FORCE) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(OpenSSL DEFAULT_MSG - OpenSSL_LIBRARIES - OpenSSL_INCLUDE_DIR -) - -mark_as_advanced( - OpenSSL_ROOT_DIR - OpenSSL_INCLUDE_DIR - OpenSSL_LIBRARIES - OpenSSL_CRYPTO_LIBRARY - OpenSSL_SSL_LIBRARY -) diff --git a/cmake/FindPCAP.cmake b/cmake/FindPCAP.cmake deleted file mode 100644 index 6a0bf3468a..0000000000 --- a/cmake/FindPCAP.cmake +++ /dev/null 
@@ -1,68 +0,0 @@ -# - Try to find libpcap include dirs and libraries -# -# Usage of this module as follows: -# -# find_package(PCAP) -# -# Variables used by this module, they can change the default behaviour and need -# to be set before calling find_package: -# -# PCAP_ROOT_DIR Set this variable to the root installation of -# libpcap if the module has problems finding the -# proper installation path. -# -# Variables defined by this module: -# -# PCAP_FOUND System has libpcap, include and library dirs found -# PCAP_INCLUDE_DIR The libpcap include directories. -# PCAP_LIBRARY The libpcap library (possibly includes a thread -# library e.g. required by pf_ring's libpcap) - -find_path(PCAP_ROOT_DIR - NAMES include/pcap.h -) - -find_path(PCAP_INCLUDE_DIR - NAMES pcap.h - HINTS ${PCAP_ROOT_DIR}/include -) - -find_library(PCAP_LIBRARY - NAMES pcap - HINTS ${PCAP_ROOT_DIR}/lib -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(PCAP DEFAULT_MSG - PCAP_LIBRARY - PCAP_INCLUDE_DIR -) - -include(CheckCSourceCompiles) -set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY}) -check_c_source_compiles("int main() { return 0; }" PCAP_LINKS_SOLO) -set(CMAKE_REQUIRED_LIBRARIES) - -# check if linking against libpcap also needs to link against a thread library -if (NOT PCAP_LINKS_SOLO) - find_package(Threads) - if (THREADS_FOUND) - set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY} ${CMAKE_THREAD_LIBS_INIT}) - check_c_source_compiles("int main() { return 0; }" PCAP_NEEDS_THREADS) - set(CMAKE_REQUIRED_LIBRARIES) - endif () - if (THREADS_FOUND AND PCAP_NEEDS_THREADS) - set(_tmp ${PCAP_LIBRARY} ${CMAKE_THREAD_LIBS_INIT}) - list(REMOVE_DUPLICATES _tmp) - set(PCAP_LIBRARY ${_tmp} - CACHE STRING "Libraries needed to link against libpcap" FORCE) - else () - message(FATAL_ERROR "Couldn't determine how to link against libpcap") - endif () -endif () - -mark_as_advanced( - PCAP_ROOT_DIR - PCAP_INCLUDE_DIR - PCAP_LIBRARY -) 
diff --git a/cmake/FindRequiredPackage.cmake b/cmake/FindRequiredPackage.cmake deleted file mode 100644 index ff76b646cc..0000000000 --- a/cmake/FindRequiredPackage.cmake +++ /dev/null @@ -1,44 +0,0 @@ -# A wrapper macro around the standard CMake find_package macro that -# facilitates displaying better error messages by default, or even -# accepting custom error messages on a per package basis. -# -# If a package is not found, then the MISSING_PREREQS variable gets -# set to true and either a default or custom error message appended -# to MISSING_PREREQ_DESCS. -# -# The caller can use these variables to display a list of any missing -# packages and abort the build/configuration if there were any. -# -# Use as follows: -# -# include(FindRequiredPackage) -# FindRequiredPackage(Perl) -# FindRequiredPackage(FLEX "You need to install flex (Fast Lexical Analyzer)") -# -# if (MISSING_PREREQS) -# foreach (prereq ${MISSING_PREREQ_DESCS}) -# message(SEND_ERROR ${prereq}) -# endforeach () -# message(FATAL_ERROR "Configuration aborted due to missing prerequisites") -# endif () - -macro(FindRequiredPackage packageName) - find_package(${packageName}) - string(TOUPPER ${packageName} canonPackageName) - if (NOT ${canonPackageName}_FOUND) - set(MISSING_PREREQS true) - - set(customDesc) - foreach (descArg ${ARGN}) - set(customDesc "${customDesc} ${descArg}") - endforeach () - - if (customDesc) - # append the custom error message that was provided as an argument - list(APPEND MISSING_PREREQ_DESCS ${customDesc}) - else () - list(APPEND MISSING_PREREQ_DESCS - " Could not find prerequisite package '${packageName}'") - endif () - endif () -endmacro(FindRequiredPackage) diff --git a/cmake/InstallClobberImmune.cmake b/cmake/InstallClobberImmune.cmake deleted file mode 100644 index f3da8b88bb..0000000000 --- a/cmake/InstallClobberImmune.cmake +++ /dev/null 
@@ -1,26 +0,0 @@ -# Determines at `make install` time if a file, typically a configuration -# file placed in $PREFIX/etc, shouldn't be installed to prevent overwrite -# of an existing file. -# -# _srcfile: the file to install -# _dstfile: the absolute file name after installation - -macro(InstallClobberImmune _srcfile _dstfile) - install(CODE " - if (EXISTS ${_dstfile}) - message(STATUS \"Skipping: ${_dstfile} (already exists)\") - execute_process(COMMAND \"${CMAKE_COMMAND}\" -E compare_files - ${_srcfile} ${_dstfile} RESULT_VARIABLE _diff) - if (NOT \"\${_diff}\" STREQUAL \"0\") - message(STATUS \"Installing: ${_dstfile}.example\") - configure_file(${_srcfile} ${_dstfile}.example COPY_ONLY) - endif () - else () - message(STATUS \"Installing: ${_dstfile}\") - # install() is not scriptable within install(), and - # configure_file() is the next best thing - configure_file(${_srcfile} ${_dstfile} COPY_ONLY) - # TODO: create additional install_manifest files? - endif () - ") -endmacro(InstallClobberImmune) diff --git a/cmake/InstallPackageConfigFile.cmake b/cmake/InstallPackageConfigFile.cmake deleted file mode 100644 index 5850bb3783..0000000000 --- a/cmake/InstallPackageConfigFile.cmake +++ /dev/null 
@@ -1,42 +0,0 @@ -include(InstallClobberImmune) - -# This macro can be used to install configuration files which -# users are expected to modify after installation. It will: -# -# - If binary packaging is enabled: -# Install the file in the typical CMake fashion, but append to the -# INSTALLED_CONFIG_FILES cache variable for use with the Mac package's -# pre/post install scripts -# - If binary packaging is not enabled: -# Install the script in a way such that it will check at `make install` -# time whether the file does not exist. See InstallClobberImmune.cmake -# -# _srcfile: the absolute path to the file to install -# _dstdir: absolute path to the directory in which to install the file -# _dstfilename: how to (re)name the file inside _dstdir - -macro(InstallPackageConfigFile _srcfile _dstdir _dstfilename) - set(_dstfile ${_dstdir}/${_dstfilename}) - - if (BINARY_PACKAGING_MODE) - # If packaging mode is enabled, always install the distribution's - # version of the file. The Mac package's pre/post install scripts - # or native functionality of RPMs will take care of not clobbering it. - install(FILES ${_srcfile} DESTINATION ${_dstdir} RENAME ${_dstfilename}) - # This cache variable is what the Mac package pre/post install scripts - # use to avoid clobbering user-modified config files - set(INSTALLED_CONFIG_FILES - "${INSTALLED_CONFIG_FILES} ${_dstfile}" CACHE STRING "" FORCE) - - # Additionally, the Mac PackageMaker packages don't have any automatic - # handling of configuration file conflicts so install an example file - # that the post install script will cleanup in the case it's extraneous - if (APPLE) - install(FILES ${_srcfile} DESTINATION ${_dstdir} - RENAME ${_dstfilename}.example) - endif () - else () - # Have `make install` check at run time whether the file does not exist - InstallClobberImmune(${_srcfile} ${_dstfile}) - endif () -endmacro(InstallPackageConfigFile) 
diff --git a/cmake/MAC_PACKAGE_INTRO b/cmake/MAC_PACKAGE_INTRO deleted file mode 100644 index ef37e62a1a..0000000000 --- a/cmake/MAC_PACKAGE_INTRO +++ /dev/null @@ -1,20 +0,0 @@ -This package will install @CMAKE_PROJECT_NAME@ into the following location: - - @CMAKE_INSTALL_PREFIX@ - -You may choose to update your PATH environment variable: - - # For Bash - export PATH=@CMAKE_INSTALL_PREFIX@/bin:$PATH - - # For CSH - setenv PATH @CMAKE_INSTALL_PREFIX@/bin:$PATH - -If you have more than one volume, please choose the install -destination as the one that contains the root filesystem. - -If you have existing configuration files that are modified or -otherwise different from the version included in the package, -this installer will attempt to prevent overwirting them, -but its also advisable to make your own backups of important -files before proceeding. diff --git a/cmake/MacDependencyPaths.cmake b/cmake/MacDependencyPaths.cmake deleted file mode 100644 index 9a8c6efc6a..0000000000 --- a/cmake/MacDependencyPaths.cmake +++ /dev/null @@ -1,10 +0,0 @@ -if (NOT _MAC_DEPENDENCY_PATHS) -set(_MAC_DEPENDENCY_PATHS) - # As of CMake 2.8.3, Fink and MacPorts search paths are appended to the - # default search prefix paths, but the nicer thing would be if they are - # prepended to the default, so that is fixed here. - if (APPLE) - list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /opt/local) # MacPorts - list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /sw) # Fink - endif () -endif () diff --git a/cmake/MiscTests.cmake b/cmake/MiscTests.cmake deleted file mode 100644 index da46dd83d7..0000000000 --- a/cmake/MiscTests.cmake +++ /dev/null 
@@ -1,34 +0,0 @@ -include(CheckCXXSourceCompiles) -include(CheckCSourceCompiles) - -# This autoconf variable is obsolete; it's portable to assume C89 and signal -# handlers returning void -set(RETSIGTYPE "void") -set(RETSIGVAL "") - -check_c_source_compiles(" - #include - #include - extern int socket(int, int, int); - extern int connect(int, const struct sockaddr *, int); - extern int send(int, const void *, int, int); - extern int recvfrom(int, void *, int, int, struct sockaddr *, int *); - int main() { return 0; } -" DO_SOCK_DECL) -if (DO_SOCK_DECL) - message(STATUS "socket() and friends need explicit declaration") -endif () - -check_cxx_source_compiles(" - #include - #include - extern \"C\" { - int openlog(const char* ident, int logopt, int facility); - int syslog(int priority, const char* message_fmt, ...); - int closelog(); - } - int main() { return 0; } -" SYSLOG_INT) -if (SYSLOG_INT) - message(STATUS "syslog prototypes need declaration") -endif () diff --git a/cmake/OSSpecific.cmake b/cmake/OSSpecific.cmake deleted file mode 100644 index 03788813c3..0000000000 --- a/cmake/OSSpecific.cmake +++ /dev/null 
@@ -1,66 +0,0 @@ -if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD") - # alternate malloc is faster for FreeBSD, but needs more testing - # need to add way to set this from the command line - set(USE_NMALLOC true) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD") - set(USE_NMALLOC true) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - set(HAVE_LINUX true) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "Solaris") - set(SOCKET_LIBS nsl socket) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "osf") - # Workaround ip_hl vs. ip_vhl problem in netinet/ip.h - add_definitions(-D__STDC__=2) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "irix") - list(APPEND CMAKE_C_FLAGS -xansi -signed -g3) - list(APPEND CMAKE_CXX_FLAGS -xansi -signed -g3) - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "ultrix") - list(APPEND CMAKE_C_FLAGS -std1 -g3) - list(APPEND CMAKE_CXX_FLAGS -std1 -g3) - include(CheckCSourceCompiles) - check_c_source_compiles(" - #include - int main() { - void c(const struct a *); - return 0; - } - " have_ultrix_const) - if (NOT have_ultrix_const) - set(NEED_ULTRIX_CONST_HACK true) - endif () - -elseif (${CMAKE_SYSTEM_NAME} MATCHES "hpux" OR - ${CMAKE_SYSTEM_NAME} MATCHES "HP-UX") - include(CheckCSourceCompiles) - set(CMAKE_REQUIRED_FLAGS -Aa) - set(CMAKE_REQUIRED_DEFINITIONS -D_HPUX_SOURCE) - check_c_source_compiles(" - #include - int main() { - int frob(int, char *); - return 0; - } - " have_ansi_prototypes) - set(CMAKE_REQUIRED_FLAGS) - set(CMAKE_REQUIRED_DEFINITIONS) - - if (have_ansi_prototypes) - add_definitions(-D_HPUX_SOURCE) - list(APPEND CMAKE_C_FLAGS -Aa) - list(APPEND CMAKE_CXX_FLAGS -Aa) - endif () - - if (NOT have_ansi_prototypes) - message(FATAL_ERROR "Can't get HPUX compiler to handle ANSI prototypes") - endif () -endif () - - diff --git a/cmake/OpenSSLTests.cmake b/cmake/OpenSSLTests.cmake deleted file mode 100644 index 1b418135e4..0000000000 --- a/cmake/OpenSSLTests.cmake +++ /dev/null 
@@ -1,72 +0,0 @@ -include(CheckCSourceCompiles) -include(CheckCXXSourceCompiles) - -set(CMAKE_REQUIRED_LIBRARIES ${OpenSSL_LIBRARIES}) -set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR}) - -check_c_source_compiles(" - #include - int main() { return 0; } -" including_ssl_h_works) - -if (NOT including_ssl_h_works) - # On Red Hat we may need to include Kerberos header. - set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR} /usr/kerberos/include) - check_c_source_compiles(" - #include - #include - int main() { return 0; } - " NEED_KRB5_H) - set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR}) - if (NOT NEED_KRB5_H) - message(FATAL_ERROR - "OpenSSL test failure. See CmakeError.log for details.") - else () - message(STATUS "OpenSSL requires Kerberos header") - include_directories("/usr/kerberos/include") - endif () -endif () - -# check for OPENSSL_add_all_algorithms_conf function -# and thus OpenSSL >= v0.9.7 -check_c_source_compiles(" - #include - int main() { - OPENSSL_add_all_algorithms_conf(); - return 0; - } -" openssl_greater_than_0_9_7) - -if (NOT openssl_greater_than_0_9_7) - message(FATAL_ERROR "OpenSSL >= v0.9.7 required") -endif () - -check_cxx_source_compiles(" -#include - int main() { - const unsigned char** cpp = 0; - X509** x =0; - d2i_X509(x, cpp, 0); - return 0; - } -" OPENSSL_D2I_X509_USES_CONST_CHAR) - -if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR) - # double check that it compiles without const - check_cxx_source_compiles(" - #include - int main() { - unsigned char** cpp = 0; - X509** x =0; - d2i_X509(x, cpp, 0); - return 0; - } - " OPENSSL_D2I_X509_USES_CHAR) - if (NOT OPENSSL_D2I_X509_USES_CHAR) - message(FATAL_ERROR - "Can't determine if openssl_d2i_x509() takes const char parameter") - endif () -endif () - -set(CMAKE_REQUIRED_INCLUDES) -set(CMAKE_REQUIRED_LIBRARIES) diff --git a/cmake/PCAPTests.cmake b/cmake/PCAPTests.cmake deleted file mode 100644 index 1b62d3ab57..0000000000 --- a/cmake/PCAPTests.cmake +++ /dev/null 
@@ -1,63 +0,0 @@ -include(CheckFunctionExists) -include(CheckCSourceCompiles) -include(CheckIncludeFiles) - -set(CMAKE_REQUIRED_INCLUDES ${PCAP_INCLUDE_DIR}) -set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY}) - -check_include_files(pcap-int.h HAVE_PCAP_INT_H) - -check_function_exists(pcap_freecode HAVE_LIBPCAP_PCAP_FREECODE) -if (NOT HAVE_LIBPCAP_PCAP_FREECODE) - set(DONT_HAVE_LIBPCAP_PCAP_FREECODE true) - message(STATUS "No implementation for pcap_freecode()") -endif () - -check_c_source_compiles(" -#include -int main () { - int snaplen; - int linktype; - struct bpf_program fp; - int optimize; - bpf_u_int32 netmask; - char str[10]; - char error[1024]; - snaplen = 50; - linktype = DLT_EN10MB; - optimize = 1; - netmask = 0L; - str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0'; - (void)pcap_compile_nopcap( - snaplen, linktype, &fp, str, optimize, netmask, &error); - return 0; -} -" LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER) -if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER) - # double check - check_c_source_compiles(" -#include -int main () { - int snaplen; - int linktype; - struct bpf_program fp; - int optimize; - bpf_u_int32 netmask; - char str[10]; - snaplen = 50; - linktype = DLT_EN10MB; - optimize = 1; - netmask = 0L; - str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0'; - (void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask); - return 0; -} -" LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER) - if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER) - message(FATAL_ERROR - "Can't determine if pcap_compile_nopcap takes an error parameter") - endif () -endif () - -set(CMAKE_REQUIRED_INCLUDES) -set(CMAKE_REQUIRED_LIBRARIES) diff --git a/cmake/cmake_uninstall.cmake.in b/cmake/cmake_uninstall.cmake.in deleted file mode 100644 index bed4da63d3..0000000000 --- a/cmake/cmake_uninstall.cmake.in +++ /dev/null 
@@ -1,35 +0,0 @@ -function(uninstall_manifest manifestPath) - file(READ "${manifestPath}" files) - string(REGEX REPLACE "\n" ";" files "${files}") - foreach (file ${files}) - set(fileName $ENV{DESTDIR}${file}) - - if (EXISTS "${fileName}" OR IS_SYMLINK "${fileName}") - message(STATUS "Uninstalling: ${fileName}") - - execute_process( - COMMAND "@CMAKE_COMMAND@" -E remove "${fileName}" - OUTPUT_VARIABLE rm_out - RESULT_VARIABLE rm_retval - ) - - if (NOT ${rm_retval} EQUAL 0) - message(FATAL_ERROR "Problem when removing: ${fileName}") - endif () - else () - message(STATUS "Does not exist: ${fileName}") - endif () - - endforeach () -endfunction(uninstall_manifest) - -file(GLOB install_manifests @CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt) - -if (install_manifests) - foreach (manifest ${install_manifests}) - uninstall_manifest(${manifest}) - endforeach () -else () - message(FATAL_ERROR "Cannot find any install manifests in: " - "\"@CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt\"") -endif () diff --git a/cmake/package_postupgrade.sh.in b/cmake/package_postupgrade.sh.in deleted file mode 100755 index 7d40950fc1..0000000000 --- a/cmake/package_postupgrade.sh.in +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh - -# This script is meant to be used by binary packages post-installation. -# Variables between @ symbols are replaced by CMake at configure time. - -backupNamesFile=/tmp/bro_install_backups -version=@VERSION@ -sampleFiles="" - -# check whether it's safe to remove backup configuration files that -# the most recent package install created - -if [ -e ${backupNamesFile} ]; then - backupFileList=`cat ${backupNamesFile}` - - for backupFile in ${backupFileList}; do - origFileName=`echo ${backupFile} | sed 's/\(.*\)\..*/\1/'` - - diff ${origFileName} ${backupFile} > /dev/null 2>&1 - - if [ $? -eq 0 ]; then - # if the installed version and the backup version don't differ - # then we can remove the backup version and the example file - rm ${backupFile} - rm ${origFileName}.example - else - # The backup file differs from the newly installed version, - # since we can't tell if the backup version has been modified - # by the user, we should restore it to its original location - # and rename the new version appropriately. - - sampleFiles="${sampleFiles}\n${origFileName}.example" - - mv ${backupFile} ${origFileName} - fi - - done - - rm ${backupNamesFile} -fi - -if [ -n "${sampleFiles}" ]; then -# Use some apple script to display a message to user -/usr/bin/osascript << EOF - tell application "System Events" - activate - display alert "Existing configuration files differ from the ones that would be installed by this package. To avoid overwriting configuration which you may have modified, the following new config files have been installed:\n${sampleFiles}\n\nIf you have previously modified configuration files, please make sure that they are still compatible, else you should update your config files to the new versions." - end tell -EOF -fi - -# Set up world writeable spool and logs directory for broctl, making sure -# to set the sticky bit so that unprivileged users can't rename/remove files. 
-# (CMake/CPack is supposed to install them, but has problems with empty dirs) -if [ -n "@EMPTY_WORLD_DIRS@" ]; then - for dir in "@EMPTY_WORLD_DIRS@"; do - mkdir -p ${dir} - chmod 777 ${dir} - chmod +t ${dir} - done -fi diff --git a/cmake/package_preinstall.sh.in b/cmake/package_preinstall.sh.in deleted file mode 100755 index 749b01fdfc..0000000000 --- a/cmake/package_preinstall.sh.in +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -# This script is meant to be used by binary packages pre-installation. -# Variables between @ symbols are replaced by CMake at configure time. - -configFiles="@INSTALLED_CONFIG_FILES@" -backupNamesFile=/tmp/bro_install_backups - -# Checks if a config file exists in a default location and makes a backup -# so that a modified version is not clobbered -backupFile () { - origFile="$1" - - if [ -e ${origFile} ]; then - # choose a file suffix that doesn't already exist - ver=1 - while [ -e ${origFile}.${ver} ]; do - ver=$(( ver + 1 )) - done - - backupFile=${origFile}.${ver} - - cp -p ${origFile} ${backupFile} - - # the post upgrade script will check whether the installed - # config file actually differs from existing version - # and delete unnecessary backups - echo "${backupFile}" >> ${backupNamesFile} - fi -} - -for file in ${configFiles}; do - backupFile "${file}" -done diff --git a/configure b/configure index 2e168f0550..0f74674c0f 100755 --- a/configure +++ b/configure @@ -32,6 +32,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --disable-broccoli don't build or install the Broccoli library --disable-broctl don't install Broctl --disable-auxtools don't build or install auxilliary tools + --disable-python don't try to build python bindings for broccoli + --disable-ruby don't try to build ruby bindings for broccoli Required Packages in Non-Standard Locations: --with-openssl=PATH path to OpenSSL install root 
@@ -49,6 +51,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-python=PATH path to Python interpreter --with-python-lib=PATH path to libpython --with-python-inc=PATH path to Python headers + --with-ruby=PATH path to ruby interpreter + --with-ruby-lib=PATH path to ruby library + --with-ruby-inc=PATH path to ruby headers --with-swig=PATH path to SWIG executable Packaging Options (for developers): @@ -144,6 +149,12 @@ while [ $# -ne 0 ]; do --disable-auxtools) append_cache_entry INSTALL_AUX_TOOLS BOOL false ;; + --disable-python) + append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true + ;; + --disable-ruby) + append_cache_entry DISABLE_RUBY_BINDINGS BOOL true + ;; --with-openssl=*) append_cache_entry OpenSSL_ROOT_DIR PATH $optarg ;; @@ -185,6 +196,16 @@ while [ $# -ne 0 ]; do append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg ;; + --with-ruby=*) + append_cache_entry RUBY_EXECUTABLE PATH $optarg + ;; + --with-ruby-lib=*) + append_cache_entry RUBY_LIBRARY PATH $optarg + ;; + --with-ruby-inc=*) + append_cache_entry RUBY_INCLUDE_DIRS PATH $optarg + append_cache_entry RUBY_INCLUDE_PATH PATH $optarg + ;; --with-swig=*) append_cache_entry SWIG_EXECUTABLE PATH $optarg ;; diff --git a/policy.old/OS-fingerprint.bro b/policy.old/OS-fingerprint.bro deleted file mode 100644 index 8f00fe93fd..0000000000 --- a/policy.old/OS-fingerprint.bro +++ /dev/null @@ -1,18 +0,0 @@ -# $Id: OS-fingerprint.bro 1071 2005-03-08 14:09:31Z vern $ -# -# Tracks operating system versioning using the "software" framework. - -@load software - -event OS_version_found(c: connection, host: addr, OS: OS_version) - { - local version: software_version; - version$major = version$minor = version$minor2 = -1; - version$addl = OS$detail; - - local sw: software; - sw$name = OS$genre; - sw$version = version; - - event software_version_found(c, host, sw, "OS"); - } 
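Review bot: The new `--disable-python` and `--disable-ruby` cases write positively-named "disable" flags (`DISABLE_PYTHON_BINDINGS BOOL true`), while the neighbouring `--disable-auxtools` case expresses the same idea as a negated install flag (`INSTALL_AUX_TOOLS BOOL false`); two conventions for the same kind of option make the cache harder to read. If the CMake side (not visible in this hunk) already consumes `DISABLE_*_BINDINGS`, a one-line comment above the two cases saying so would explain the departure; otherwise `ENABLE_PYTHON_BINDINGS BOOL false` / `ENABLE_RUBY_BINDINGS BOOL false` would match the existing style. The surrounding `while [ $# -ne 0 ]` loop starts and ends outside the hunk.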
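Review bot: In the three new `--with-ruby*` cases `$optarg` is passed unquoted, so a path containing whitespace is word-split into several arguments before `append_cache_entry` sees it, unless that function re-joins its arguments (its definition is outside the hunk); `append_cache_entry RUBY_EXECUTABLE PATH "$optarg"` and likewise for the two following lines avoids that. The existing `--with-openssl` and `--with-swig` cases have the same form, so this is a file-wide nit rather than a regression, but the lines added here are the natural place to start. In the usage text, `--with-ruby-lib=PATH path to ruby library` reads slightly off next to `path to libpython`; `path to libruby` would keep the two entries parallel.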
diff --git a/policy.old/adu.bro b/policy.old/adu.bro deleted file mode 100644 index 3c2168784a..0000000000 --- a/policy.old/adu.bro +++ /dev/null 
@@ -1,278 +0,0 @@ -# $Id: adu.bro 5152 2007-12-04 21:48:56Z vern $ - -@load conn-id - -module adu; - -# This script parses application-layer data (ADU) units, or "messages", -# out of the packet streams. Since the analysis is generic, we define -# an ADU simply as all application-layer data in a 5-tuple flow going -# in one direction without any data going the other way. Once we see -# data in the other direction, we finish the current ADU and start -# a new one (going the other way). While this approach is only -# approximate, it can work well for both UDP and TCP. -# -# The script reports ADUs as strings, up to a configurable maximum size, and -# up to a configurable depth into the flow. -# -# Generated events: -# -# - adu_tx(c: connection, a: adu_state) reports an ADU seen from -# c's originator to its responder. -# -# - adu_rx(c: connection, a: adu_state) reports an ADU seen from -# c's responder to the originator. -# -# - adu_done(c: connection) indicates that no more ADUs will be seen -# on connection c. This is useful to know in case your statekeeping -# relies on event connection_state_remove(), which is also used by -# adu.bro. -# - -# --- Input configuration -- which ports to look at -------------------- - -# Right now: everything! -# -redef tcp_content_deliver_all_orig = T; -redef tcp_content_deliver_all_resp = T; -redef udp_content_deliver_all_orig = T; -redef udp_content_deliver_all_resp = T; - -# --- Debugging -- should really be a separate policy ------------------ - -# Comment out to disable debugging output: -#global adu_debug = T; - -# Uncomment to enable tests: -#global adu_test = T; - -@ifdef (adu_debug) -function DBG(msg: string) { print fmt("DBG[adu.bro]: %s", msg); } -@else -function DBG(msg: string) { } -@endif - -export { - -# --- Constants -------------------------------------------------------- - - # The maximum depth in bytes up to which we follow a flow. - # This is counting bytes seen in both directions. 
- const adu_conn_max_depth = 100000 &redef; - - # The maximum message depth that we report. - const adu_max_depth = 3 &redef; - - # The maximum message size in bytes that we report. - const adu_max_size = 1000 &redef; - - # Whether ADUs are reported beyond content gaps. - const adu_gaps_ok = F &redef; - -# --- Types ------------------------------------------------------------ - - # adu_state records contain the latest ADU and aditional flags to help - # the user identify the direction of the message, its depth in the flow, - # etc. - type adu_state: record { - adu: string &default = ""; # the current ADU - - # Message counter (>= 1), orig->resp and resp->orig. - depth_tx: count &default = 1; - depth_rx: count &default = 1; - - # TCP: seqno tracking to recognize gaps. - seen_tx: count &default = 0; - seen_rx: count &default = 0; - - size: count &default = 0; # total connection size in bytes - is_orig: bool &default = F; # whether ADU is orig->resp - ignore: bool &default = F; # ignore future activity on conn - }; - - # Tell the ADU policy that you do not wish to receive further - # adu_tx/adu_rx events for a given connection. Other policies - # may continue to process the connection. - # - global adu_skip_further_processing: function(cid: conn_id); -} - - -# --- Globals ---------------------------------------------------------- - -# A global table that tracks each flow's messages. -global adu_conns: table[conn_id] of adu_state; - -# Testing invokes the following events. 
-global adu_tx: event(c: connection, astate: adu_state); -global adu_rx: event(c: connection, astate: adu_state); -global adu_done: event(c: connection); - -# --- Functions -------------------------------------------------------- - -function adu_skip_further_processing(cid: conn_id) - { - if ( cid !in adu_conns ) - return; - - adu_conns[cid]$ignore = T; - } - -function flow_contents(c: connection, is_orig: bool, seq: count, contents: string) - { - local astate: adu_state; - - DBG(fmt("contents %s, %s: %s", id_string(c$id), is_orig, contents)); - - # Ensure we track the given connection. - if ( c$id !in adu_conns ) - adu_conns[c$id] = astate; - else - astate = adu_conns[c$id]; - - # Forget it if we've been asked to ignore. - # - if ( astate$ignore == T ) - return; - - # Don't report if flow is too big. - # - if ( astate$size >= adu_conn_max_depth ) - return; - - # If we have an assembled message, we may now have something - # to report. - if ( |astate$adu| > 0 ) - { - # If application-layer data flow is switching - # from resp->orig to orig->resp, report the assembled - # message as a received ADU. - if ( is_orig && ! astate$is_orig ) - { - event adu_rx(c, copy(astate)); - astate$adu = ""; - - if ( ++astate$depth_rx > adu_max_depth ) - adu_skip_further_processing(c$id); - } - - # If application-layer data flow is switching - # from orig->resp to resp->orig, report the assembled - # message as a transmitted ADU. - # - if ( !is_orig && astate$is_orig ) - { - event adu_tx(c, copy(astate)); - astate$adu = ""; - - if ( ++astate$depth_tx > adu_max_depth ) - adu_skip_further_processing(c$id); - } - } - - # Check for content gaps. If we identify one, only continue - # if user allowed it. 
- # - if ( !adu_gaps_ok && seq > 0 ) - { - if ( is_orig ) - { - if ( seq > astate$seen_tx + 1 ) - return; - else - astate$seen_tx += |contents|; - } - else - { - if ( seq > astate$seen_rx + 1 ) - return; - else - astate$seen_rx += |contents|; - } - } - - # Append the contents to the end of the currently - # assembled message, if the message hasn't already - # reached the maximum size. - # - if ( |astate$adu| < adu_max_size ) - { - astate$adu += contents; - - # As a precaution, clip the string to the maximum - # size. A long content string with astate$adu just - # below its maximum allowed size could exceed that - # limit by a lot. - ### str_clip(astate$adu, adu_max_size); - } - - - # Note that this counter is bumped up even if we have - # exceeded the maximum size of an individual message. - # - astate$size += |contents|; - - astate$is_orig = is_orig; - } - -# --- Event Handlers --------------------------------------------------- - -event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string) - { - flow_contents(c, is_orig, seq, contents); - } - -event udp_contents(u: connection, is_orig: bool, contents: string) - { - flow_contents(u, is_orig, 0, contents); - } - -event connection_state_remove(c: connection) - { - if ( c$id !in adu_conns ) - return; - - local astate = adu_conns[c$id]; - - # Forget it if we've been asked to ignore. - # - if ( astate$ignore == T ) - return; - - # Report the remaining data now, if any. 
- # - if ( |astate$adu| > 0 ) { - if ( astate$is_orig ) - { - if ( astate$depth_tx <= adu_max_depth ) - event adu_tx(c, copy(astate)); - } - else - { - if ( astate$depth_rx <= adu_max_depth ) - event adu_rx(c, copy(astate)); - } - } - - delete adu_conns[c$id]; - event adu_done(c); -} - - -# --- Tests ------------------------------------------------------------ - -@ifdef (adu_test) - -event adu_tx(c: connection, astate: adu_state) - { - print fmt("%s ---- %s, %d -> ----", network_time(), id_string(c$id), astate$depth_tx); -# print astate$adu; - } - -event adu_rx(c: connection, astate: adu_state) - { - print fmt("%s ---- %s, %d <- ----", network_time(), id_string(c$id), astate$depth_rx); -# print astate$adu; - } - -@endif diff --git a/policy.old/alarm.bro b/policy.old/alarm.bro deleted file mode 100644 index 4c4943c948..0000000000 --- a/policy.old/alarm.bro +++ /dev/null @@ -1,3 +0,0 @@ -# $Id: alarm.bro 340 2004-09-09 06:38:27Z vern $ - -redef bro_alarm_file = open_log_file("alarm"); diff --git a/policy.old/all.bro b/policy.old/all.bro deleted file mode 100644 index 4bbe3e8afe..0000000000 --- a/policy.old/all.bro +++ /dev/null 
@@ -1,141 +0,0 @@ -@load heavy-analysis -@load OS-fingerprint -@load adu -@load alarm -@load analy -@load anon -@load arp -@load backdoor -@load bittorrent -@load blaster -@load bt-tracker -@load brolite-backdoor -@load capture-events -@load capture-loss -@load capture-state-updates -@load checkpoint -@load clear-passwords -@load conn-flood -@load conn-id -@load conn -@load contents -@load cpu-adapt -@load dce -@load demux -@load detect-protocols-http -@load detect-protocols -@load dhcp -@load dns-info -@load dns-lookup -@load dns -@load dpd -@load drop-adapt -@load dyn-disable -@load file-flush -@load finger -@load firewall -@load flag-irc -@load flag-warez -@load frag -@load ftp -@load gnutella -@load hot-ids -@load hot -@load http-abstract -@load http-anon-server -@load http-anon-useragent -@load http-anon-utils -@load http-body -@load http-detect-passwd -@load http-entity -@load http-event -@load http-header -@load http-identified-files.bro -@load http-reply -@load http-request -@load http-rewriter -@load http -@load icmp -@load ident-rewriter -@load ident -@load inactivity -@load interconn -@load irc-bot-syslog -@load irc-bot -@load irc -@load large-conns -@load listen-clear -@load listen-ssl -@load load-level -@load load-sample -@load log-append -@load login -@load mime-pop -@load mime -@load mt -@load ncp -@load netflow -@load netstats -@load nfs -@load notice-action-filters -@load notice -@load ntp -@load passwords -@load pcap -@load pkt-profile -@load pop3 -@load port-name -@load portmapper -@load print-filter -@load print-globals -@load print-resources -@load print-sig-states -@load profiling -@load proxy -@load remote-pcap -@load remote-ping -@load remote-print-id-reply -@load remote-print-id -@load remote-print -@load remote-report-notices -@load remote-send-id -@load remote -@load rotate-logs -@load rsh -@load scan -@load secondary-filter -@load sensor-sshd -@load server-ports -@load service-probe -@load signatures -@load site -@load smb -@load 
smtp-relay -@load smtp-rewriter -@load smtp -@load snort -@load software -@load ssh -@load ssh-stepping -@load ssl-alerts -@load ssl-ciphers -@load ssl-errors -@load ssl-worm -@load ssl -@load stats -@load stepping -@load synflood -@load targeted-scan -@load tcp -@load tftp -@load trw-impl -@load trw -@load udp-common -@load udp -@load vlan -@load weird -@load worm -@load notice-policy - -# The following keeps us running after the bro_init event. -redef PrintFilter::terminate_bro = F; diff --git a/policy.old/analy.bro b/policy.old/analy.bro deleted file mode 100644 index 714c1deb41..0000000000 --- a/policy.old/analy.bro +++ /dev/null @@ -1,16 +0,0 @@ -# Statistical analysis of TCP connection in terms of the packet streams -# in each direction. - -@load dns-lookup -@load udp - - -event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats) - { - local id = c$id; - - print fmt("%.6f %s %s %s %s %s %s %s %s %s", - c$start_time, c$duration, id$orig_p, id$resp_p, - conn_size(c$orig, tcp), conn_size(c$resp, tcp), - id$orig_h, id$resp_h, os, rs); - } diff --git a/policy.old/anon.bro b/policy.old/anon.bro deleted file mode 100644 index f2532cb38e..0000000000 --- a/policy.old/anon.bro +++ /dev/null 
@@ -1,193 +0,0 @@ -# $Id: anon.bro 6889 2009-08-21 16:45:17Z vern $ - -redef anonymize_ip_addr = T; - -const orig_addr_anonymization = RANDOM_MD5 &redef; -const resp_addr_anonymization = RANDOM_MD5 &redef; -const other_addr_anonymization = SEQUENTIALLY_NUMBERED &redef; - -const preserve_orig_addr: set[addr] = {} &redef; -const preserve_resp_addr: set[addr] = {} &redef; -const preserve_other_addr: set[addr] = { - 0.0.0.0, -} &redef; - -const preserved_subnet: set[subnet] = { -# 192.150.186/23, -} &redef; - -const preserved_net: set[net] = { -# 192.150.186, 192.150.187, -} &redef; - -global anon_log = open_log_file("anon") &redef; - -global anonymized_args: table[string] of string; - -global ip_anon_mapping: set[addr, addr]; - -event bro_init() - { - for ( n in preserved_net ) - preserve_net(n); - } - -function anonymize_address(a: addr, id: conn_id): addr - { - if ( a == id$orig_h ) - return anonymize_addr(a, ORIG_ADDR); - else if ( a == id$resp_h ) - return anonymize_addr(a, RESP_ADDR); - else - return anonymize_addr(a, OTHER_ADDR); - } - -event anonymization_mapping(orig: addr, mapped: addr) - { - if ( [orig, mapped] !in ip_anon_mapping ) - { - add ip_anon_mapping[orig, mapped]; - print anon_log, fmt("%s -> %s", orig, mapped); - } - } - -function string_anonymized(from: string, to: string, seed: count) - { - print anon_log, fmt("\"%s\" %d=> \"%s\"", from, seed, to); - } - -global num_string_id: count = 0 &redef; -global anonymized_strings: table[string] of record { - s: string; - c: count; -} &redef; - -# Hopefully, the total number of strings to anonymize is much less than -# 36^unique_string_length. 
-const unique_string_length = 8 &redef; -# const anonymized_string_pattern = /U[0-9a-f]+U/; -global unique_string_set: set[string]; - -event bro_init() - { - for ( s in anonymized_strings ) - add unique_string_set[anonymized_strings[s]$s]; - } - -function unique_string(s: string, seed: count): string - { - local t = cat("U", sub_bytes(md5_hmac(seed, s), - 1, unique_string_length), "U"); - if ( t in unique_string_set ) - return unique_string(s, seed+1); - - anonymized_strings[s] = [$s = t, $c = 1]; - add unique_string_set[t]; - string_anonymized(s, t, seed); - - return t; - } - -function anonymize_string(from: string): string - { - if ( from in anonymized_strings ) - { - ++anonymized_strings[from]$c; - return anonymized_strings[from]$s; - } - - local t = unique_string(from, 0); - return t; - } - -function anonymize_arg(typ: string, arg: string): string - { - if ( arg == "" ) - return ""; # an empty argument is safe - - local arg_seed = string_cat(typ, arg); - - if ( arg_seed in anonymized_args ) - return anonymized_args[arg_seed]; - - local a = anonymize_string(arg_seed); - anonymized_args[arg_seed] = a; - - print anon_log, fmt("anonymize_arg: (%s) {%s} -> %s ", - typ, to_string_literal(arg), to_string_literal(a)); - return a; - } - - -# Does not contain ? and ends with an allowed suffix. -const path_to_file_pat = - /\/[^?]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/ - ; - -# Acceptable domain names. -const kosher_dom_pat = - /ar|au|biz|br|ca|cc|cl|cn|co|com|cx|cz|de|ec|es|edu|fi|fm|fr|gov|hn|il|is|it|jp|lv|mx|net|no|nz|org|pe|pl|ru|sk|tv|tw|uk|us|arpa/ - ; - -# Simple filename pattern. 
-const simple_filename = - /[0-9\-A-Za-z]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/ - ; - -function anonymize_path(path: string): string - { - local hashed_path = ""; - - if ( to_lower(path) != path_to_file_pat ) - { - hashed_path = anonymize_arg("path", path); - return hashed_path; - } - - local file_parts = split(path, /\./); - - local i = 1; - for ( part in file_parts ) - { - # This looks broken to me - VP. - hashed_path = fmt("%s.%s", hashed_path, file_parts[i]); - if ( ++i == length(file_parts) ) - break; - } - - return fmt("%s.%s", anonymize_arg("path", hashed_path), file_parts[i]); - } - -function anonymize_host(host: string): string - { - local hashed_host = ""; - local host_parts = split(host, /\./); - - local i = 1; - for ( hosty in host_parts ) - { - if ( i == length(host_parts) ) - break; - - # Check against "kosher" tld list. - hashed_host = fmt("%s%s.", hashed_host, - anonymize_arg("host", host_parts[i])); - - ++i; - } - - if ( host_parts[i] == kosher_dom_pat ) - return string_cat(hashed_host, host_parts[i]); - - print anon_log, fmt("anonymize_host: non-kosher domain %s", host); - return string_cat(hashed_host, anonymize_arg("host", host_parts[i])); - } - -event bro_done() - { - for ( s in anonymized_strings ) - { - print anon_log, fmt("appearance: %d: \"%s\" => \"%s\"", - anonymized_strings[s]$c, s, anonymized_strings[s]$s); - } - } diff --git a/policy.old/arp.bro b/policy.old/arp.bro deleted file mode 100644 index dfae133b38..0000000000 --- a/policy.old/arp.bro +++ /dev/null 
@@ -1,160 +0,0 @@
-# $Id: arp.bro 4909 2007-09-24 02:26:36Z vern $
-
-@load notice
-
-module ARP;
-
-export {
- redef enum Notice += {
- ARPSourceMAC_Mismatch, # source MAC doesn't match mappings
- ARPAddlMAC_Mapping, # another MAC->addr seen beyond just one
- ARPUnsolicitedReply, # could be poisoning; or just gratuitous
- # ARPRequestProvidesTargetAddr, # request includes non-triv addr
-
- # MAC/addr pair seen in request/reply different from
- # that in the cache.
- ARPCacheInconsistency,
-
- # ARP reply gives different value than previously seen.
- ARPMappingChanged,
- };
-
- const arp_log = open_log_file("arp") &redef;
-}
-
-redef capture_filters += { ["arp"] = "arp" };
-
-# Abbreviations taken from RFC 826:
-#
-# SHA: source hardware address
-# SPA: source protocol address (i.e., IP address)
-# THA: target hardware address
-# TPA: target protocol address
-
-# ARP requests indexed on SHA/SPA/TPA (no THA, as it's what it's being
-# queried).
-global arp_requests: set[string, addr, addr] &create_expire = 1 min;
-
-# ARP responses we've seen: indexed by IP address, yielding MAC address.
-global ARP_cache: table[addr] of string;
-
-
-# Bad ARPs can occur when:
-# - type/size pairs are not OK for HW and L3 addresses (Ethernet=6, IP=4)
-# - opcode is neither request (1) nor reply (2)
-# - MAC src address != ARP sender MAC address
-event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
- explanation: string)
- {
- print arp_log, fmt("%.06f bad-arp %s(%s) ? %s(%s): %s",
- network_time(), SPA, SHA, TPA, THA, explanation);
- }
-
-
-# The first of these maps a MAC address to the last protocol address seen
-# for it. The second tracks every protocol address seen.
-global mac_addr_map: table[string] of addr;
-global mac_addr_associations: table[string] of set[addr];
-
-# A somewhat general notion of broadcast MAC/IP addresses.
-const broadcast_mac_addrs = { "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", };
-const broadcast_addrs = { 0.0.0.0, 255.255.255.255, };
-
-
-# Called to note that we've seen an association between a MAC address
-# and an IP address. Note that this is *not* an association advertised
-# in an ARP reply (those are tracked in ARP_cache), but instead the
-# pairing of hardware address + protocol address as expressed in
-# an ARP request or reply header.
-function mac_addr_association(mac_addr: string, a: addr)
- {
- # Ignore placeholders.
- if ( mac_addr in broadcast_mac_addrs || a in broadcast_addrs )
- return;
-
- local is_addl = F;
- if ( mac_addr in mac_addr_associations )
- is_addl = a !in mac_addr_associations[mac_addr];
- else
- mac_addr_associations[mac_addr] = set();
-
- print arp_log, fmt("%.06f association %s -> %s%s", network_time(),
- mac_addr, a, is_addl ? " " : "");
-
- mac_addr_map[mac_addr] = a;
- add mac_addr_associations[mac_addr][a];
-
- if ( a in ARP_cache && ARP_cache[a] != mac_addr )
- NOTICE([$note=ARPCacheInconsistency, $src=a,
- $msg=fmt("mapping for %s to %s doesn't match cache of %s",
- mac_addr, a, ARP_cache[a])]);
- }
-
-# Returns the IP address associated with a MAC address, if we've seen one.
-# Otherwise just returns the MAC address.
-function addr_from_mac(mac_addr: string): string
- {
- return mac_addr in mac_addr_map ?
- fmt("%s", mac_addr_map[mac_addr]) : mac_addr;
- }
-
-event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string)
- {
- mac_addr_association(SHA, SPA);
-
- local msg = fmt("%s -> %s who-has %s",
- addr_from_mac(mac_src), addr_from_mac(mac_dst), TPA);
-
- local mismatch = SHA != mac_src;
- if ( mismatch )
- NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
- # It turns out that some hosts fill in the THA field even though
- # that doesn't make sense. (The RFC specifically allows this,
- # however.) Perhaps there's an attack that can be launched
- # doing so, but it's hard to see what it might be, so for now
- # we don't bother notice'ing these.
- # if ( THA !in broadcast_addrs )
- # NOTICE([$note=ARPRequestProvidesTargetAddr, $src=SPA,
- # $msg=fmt("%s: %s", msg, THA)]);
-
- print arp_log, fmt("%.06f %s%s", network_time(), msg,
- mismatch ? " " : "");
-
- add arp_requests[SHA, SPA, TPA];
- }
-
-event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string)
- {
- mac_addr_association(SHA, SPA);
- mac_addr_association(THA, TPA);
-
- local msg = fmt("%s -> %s: %s is-at %s",
- addr_from_mac(mac_src), addr_from_mac(mac_dst),
- SPA, SHA);
-
- local unsolicited = [THA, TPA, SPA] !in arp_requests;
- delete arp_requests[THA, TPA, SPA];
- if ( unsolicited )
- NOTICE([$note=ARPUnsolicitedReply, $src=SPA,
- $msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
-
- local mismatch = SHA != mac_src;
- if ( mismatch )
- NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
-
- local mapping_changed = SPA in ARP_cache && ARP_cache[SPA] != SHA;
- if ( mapping_changed )
- NOTICE([$note=ARPMappingChanged, $src=SPA,
- $msg=fmt("%s: was %s", msg, ARP_cache[SPA])]);
-
- print arp_log, fmt("%.06f %s%s%s%s", network_time(), msg,
- unsolicited ? " " : "",
- mismatch ? " " : "",
- mapping_changed ?
- fmt(" ", ARP_cache[SPA]) : "");
-
- ARP_cache[SPA] = SHA;
- }
diff --git a/policy.old/backdoor.bro b/policy.old/backdoor.bro
deleted file mode 100644
index f611d424fa..0000000000
--- a/policy.old/backdoor.bro
+++ /dev/null
@@ -1,559 +0,0 @@ -# $Id: backdoor.bro 4909 2007-09-24 02:26:36Z vern $ - -# Looks for a variety of applications running on ports other than -# their usual ports. -# -# Note that this script by itself does *not* change capture_filters -# to add in the extra ports to look at. You need to specify that -# separately. - - -# Some tcpdump filters can be used to replace or work together with -# some detection algorithms. They could be used with the "secondary -# filter" for more efficient (but in some cases potentially less reliable) -# matching: -# -# - looking for "SSH-1." or "SSH-2." at the beginning of the packet; -# somewhat weaker than ssh-sig in that ssh-sig only looks for such -# pattern in the first packet of a connection: -# -# tcp[(tcp[12]>>2):4] = 0x5353482D and -# (tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e) -# -# - looking for pkts with 8k+4 (<=128) bytes of data (combined with ssh-len); -# only effective for ssh 1.x: -# -# (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) & 0xFF87 = 4 -# -# - looking for packets with <= 512 bytes of data that ends with a NUL -# (can be potentially combined with rlogin-sig or rlogin-sig-1byte): -# -# (tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and -# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and -# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512) -# -# - looking for telnet negotiation (can be combined with telnet-sig(-3byte)): -# -# (tcp[(tcp[12]>>2):2] > 0xfffa) and -# (tcp[(tcp[12]>>2):2] < 0xffff) and -# ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12] >> 2)) >= 3) -# -# - looking for packets with <= 20 bytes of data (combined with small-pkt): -# -# (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 -# -# - looking for FTP servers by the initial "220-" or "220 " sent by the server: -# -# tcp[(tcp[12]>>2):4] = 0x3232302d or tcp[(tcp[12]>>2):4] = 0x32323020 -# -# - looking for root backdoors by seeing a server payload of exactly "# ": -# -# tcp[(tcp[12]>>2):2] = 0x2320 and -# (ip[2:2] - 
((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2 -# -# - looking for Napster by the initial "GET" or "SEND" sent by the originator: -# -# ((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=4 and -# tcp[(tcp[12]>>2):4]=0x53454e44) or -# ((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=3 and -# tcp[(tcp[12]>>2):2]=0x4745 and tcp[(tcp[12]>>2)+2]=0x54) -# -# - looking for Gnutella handshaking "GNUTELLA " -# -# tcp[(tcp[12]>>2):4] = 0x474e5554 and -# tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and -# tcp[8+(tcp[12]>>2)] = 0x20 -# -# - looking for KaZaA via "GIVE " (not present in all connections) -# -# tcp[(tcp[12]>>2):4] = 0x47495645 and -# tcp[(4+(tcp[12]>>2)):1] = 0x20 -# - -@load site -@load port-name -@load demux -@load notice - -redef enum Notice += { BackdoorFound, }; - -# Set to dump the packets that trigger the backdoor detector to a file. -const dump_backdoor_packets = F &redef; - -redef backdoor_stat_period = 60 sec; -redef backdoor_stat_backoff = 2.0; - -const ssh_min_num_pkts = 8 &redef; -const ssh_min_ssh_pkts_ratio = 0.6 &redef; - -const backdoor_min_num_lines = 2 &redef; -const backdoor_min_normal_line_ratio = 0.5 &redef; - -const backdoor_min_bytes = 10 &redef; -const backdoor_min_7bit_ascii_ratio = 0.75 &redef; - -type rlogin_conn_info : record { - o_num_null: count; - o_len: count; - r_num_null: count; - r_len: count; -}; - -const backdoor_demux_disabled = T &redef; -const backdoor_demux_skip_tags: set[string] &redef; - -const ftp_backdoor_sigs = "ftp-sig"; -const ssh_backdoor_sigs = { "ssh-sig", "ssh-len-v1.x", "ssh-len-v2.x" }; -const rlogin_backdoor_sigs = { "rlogin-sig", "rlogin-sig-1byte" }; -const root_backdoor_sigs = "root-bd-sig"; -const telnet_backdoor_sigs = { "telnet-sig", "telnet-sig-3byte" }; -const napster_backdoor_sigs = "napster-sig"; -const gnutella_backdoor_sigs = "gnutella-sig"; -const kazaa_backdoor_sigs = "kazaa-sig"; -const http_backdoor_sigs = "http-sig"; -const http_proxy_backdoor_sigs = "http-proxy-sig"; -const smtp_backdoor_sigs = "smtp-sig"; -const 
irc_backdoor_sigs = "irc-sig"; -const gaobot_backdoor_sigs = "gaobot-sig"; - -# List of backdoors, so you can use it when defining sets and tables -# with values over all of them. -const backdoor_sigs = { - ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs, - root_backdoor_sigs, telnet_backdoor_sigs, - napster_backdoor_sigs, gnutella_backdoor_sigs, kazaa_backdoor_sigs, - http_backdoor_sigs, http_proxy_backdoor_sigs, - smtp_backdoor_sigs, irc_backdoor_sigs, gaobot_backdoor_sigs, -}; - -# List of address-port pairs that if present in a backdoor are ignored. -# Note that these can be either the client and its source port (unusual) -# or the server and its service port (the common case). -const backdoor_ignore_host_port_pairs: set[addr, port] &redef; - -const backdoor_ignore_ports: table[string, port] of bool = { - # The following ignore backdoors that are detected on their - # usual ports. The definitions for ftp-sig, telnet-sig and - # telnet-sig-3byte are somehwat broad since those backdoors - # are also frequently triggered for other similar protocols. - - [ftp_backdoor_sigs, [ftp, smtp, 587/tcp ]] = T, - [ssh_backdoor_sigs, ssh] = T, - [rlogin_backdoor_sigs , [512/tcp, rlogin, 514/tcp]] = T, - [root_backdoor_sigs, [telnet, 512/tcp, rlogin, 514/tcp]] = T, - [telnet_backdoor_sigs, [telnet, ftp, smtp, 143/tcp, 110/tcp]] = T, - - # The following don't have well-known ports (well, Napster does - # somewhat, as shown below), hence the definitions are F rather - # than T. - [napster_backdoor_sigs, [6688/tcp, 6699/tcp]] = F, - [gnutella_backdoor_sigs, 6346/tcp] = F, - - [kazaa_backdoor_sigs, 1214/tcp] = F, - - [http_backdoor_sigs, [http, 8000/tcp, 8080/tcp]] = T, - - [smtp_backdoor_sigs, [smtp, 587/tcp]] = T, - - # Skip FTP, as "USER foo" generates false positives. There's - # also a lot of IRC on 7000/tcp. 
- [irc_backdoor_sigs, [ftp, 6666/tcp, 6667/tcp, 7000/tcp]] = T, - - # The following are examples of wildcards, and since they're defined - # to be F, they don't affect the policy unless redefined. - ["*", http] = F, # entry for "any backdoor, service http" - ["ssh-sig", 0/tcp] = F, # entry for "ssh-sig, any port" - -} &redef &default = F; - -# Indexed by the backdoor, indicates which backdoors residing on -# a local (remote) host should be ignored. -const backdoor_ignore_local: set[string] &redef; -const backdoor_ignore_remote: set[string] &redef; - -# Indexed by the source (destination) address and the backdoor. -# Also indexed by the /24 and /16 versions of the source address. -# backdoor "*" means "all backdoors". -const backdoor_ignore_src_addrs: table[string, addr] of bool &redef &default=F; -const backdoor_ignore_dst_addrs: table[string, addr] of bool &redef &default=F; - -const backdoor_standard_ports = { - telnet, rlogin, 512/tcp, 514/tcp, ftp, ssh, smtp, 143/tcp, - 110/tcp, 6667/tcp, -} &redef; -const backdoor_annotate_standard_ports = T &redef; - -const backdoor_ignore_hosts: set[addr] &redef; -const backdoor_ignore_src_nets: set[subnet] &redef; -const backdoor_ignore_dst_nets: set[subnet] &redef; - -# Most backdoors are enabled by default, but a few are disabled by -# default (T below) because they generated too many false positives -# (or, for HTTP, too many uninteresting true positives). 
-const ftp_sig_disabled = F &redef; -const gaobot_sig_disabled = F &redef; -const gnutella_sig_disabled = F &redef; -const http_proxy_sig_disabled = T &redef; -const http_sig_disabled = T &redef; -const irc_sig_disabled = F &redef; -const kazaa_sig_disabled = F &redef; -const napster_sig_disabled = F &redef; -const rlogin_sig_1byte_disabled = T &redef; -const rlogin_sig_disabled = T &redef; -const root_backdoor_sig_disabled = T &redef; -const smtp_sig_disabled = F &redef; - # Note, for the following there's a corresponding variable - # interconn_ssh_len_disabled in interconn.bro. -const ssh_len_disabled = T &redef; -const ssh_sig_disabled = F &redef; -const telnet_sig_3byte_disabled = T &redef; -const telnet_sig_disabled = T &redef; - -global ssh_len_conns: set[conn_id]; -global rlogin_conns: table[conn_id] of rlogin_conn_info; -global root_backdoor_sig_conns: set[conn_id]; - -global did_sig_conns: table[conn_id] of set[string]; - -const BACKDOOR_UNKNOWN = 0; -const BACKDOOR_YES = 1; -const BACKDOOR_NO = 2; -const BACKDOOR_SIG_FOUND = 3; - -global telnet_sig_conns: table[conn_id] of count; -global telnet_sig_3byte_conns: table[conn_id] of count; - -global smtp_sig_conns: table[conn_id] of count; -global irc_sig_conns: table[conn_id] of count; -global gaobot_sig_conns: table[conn_id] of count; - -const backdoor_log = open_log_file("backdoor") &redef; - -function ignore_backdoor_conn(c: connection, bd: string): bool - { - local oa = c$id$orig_h; - local ra = c$id$resp_h; - local op = c$id$orig_p; - local rp = c$id$resp_p; - - if ( backdoor_ignore_ports[bd, op] || - backdoor_ignore_ports[bd, rp] || - - # Check port wildcards. 
- backdoor_ignore_ports[bd, 0/tcp] || - - (ra in local_nets && bd in backdoor_ignore_local) || - (ra !in local_nets && bd in backdoor_ignore_remote) || - - backdoor_ignore_src_addrs[bd, oa] || - backdoor_ignore_src_addrs[bd, mask_addr(oa, 16)] || - backdoor_ignore_src_addrs[bd, mask_addr(oa, 24)] || - - backdoor_ignore_dst_addrs[bd, ra] || - backdoor_ignore_dst_addrs[bd, mask_addr(ra, 16)] || - backdoor_ignore_dst_addrs[bd, mask_addr(ra, 24)] ) - return T; - - if ( [oa, op] in backdoor_ignore_host_port_pairs || - [ra, rp] in backdoor_ignore_host_port_pairs ) - return T; - - if ( bd != "*" ) - # Evaluate again, but for wildcarding the backdoor. - return ignore_backdoor_conn(c, "*"); - else - return F; - } - -function log_backdoor(c: connection, tag: string): bool - { - if ( ignore_backdoor_conn(c, tag) ) - return F; - - local id = c$id; - - if ( backdoor_annotate_standard_ports && - (id$orig_p in backdoor_standard_ports || - id$resp_p in backdoor_standard_ports) ) - append_addl(c, fmt("[%s]", tag)); - - else if ( id$orig_h in backdoor_ignore_hosts || - id$resp_h in backdoor_ignore_hosts || - id$orig_h in backdoor_ignore_src_nets || - id$resp_h in backdoor_ignore_dst_nets ) - return F; - - else - { - print backdoor_log, fmt("%.6f %s > %s %s", - c$start_time, - endpoint_id(id$orig_h, id$orig_p), - endpoint_id(id$resp_h, id$resp_p), - tag); - - NOTICE([$note=BackdoorFound, $msg=tag, $conn=c]); - - if ( dump_backdoor_packets ) - { - mkdir("backdoor-packets"); - local fname = fmt("backdoor-packets/%s:%.2f", - tag, current_time()); - dump_current_packet(fname); - } - - if ( backdoor_demux_disabled || - tag in backdoor_demux_skip_tags ) - { - if ( active_connection(c$id) ) - skip_further_processing(c$id); - } - else - demux_conn(id, tag, "orig", "resp"); - } - - return T; - } - -event new_connection(c: connection) - { - local id = c$id; - - if ( ! rlogin_sig_disabled || ! 
rlogin_sig_1byte_disabled ) - { - local i: rlogin_conn_info; - i$o_num_null = i$o_len = i$r_num_null = i$r_len = 0; - - rlogin_conns[id] = i; - } - } - -event backdoor_remove_conn(c: connection) - { - local id = c$id; - - delete ssh_len_conns[id]; - delete telnet_sig_conns[id]; - delete telnet_sig_3byte_conns[id]; - delete rlogin_conns[id]; - delete root_backdoor_sig_conns[id]; - delete smtp_sig_conns[id]; - delete irc_sig_conns[id]; - delete gaobot_sig_conns[id]; - - delete did_sig_conns[id]; - } - -event root_backdoor_signature_found(c: connection) - { - if ( root_backdoor_sig_disabled || - ignore_backdoor_conn(c, "root-bd-sig") ) - return; - - local id = c$id; - - # For root backdoors, don't ignore standard ports. This is because - # we shouldn't see such a backdoor even 23/tcp or 513/tcp! - - if ( id !in root_backdoor_sig_conns ) - { - add root_backdoor_sig_conns[id]; - log_backdoor(c, "root-bd-sig"); - } - } - -function signature_found(c: connection, sig_disabled: bool, sig_name: string) - { - if ( sig_disabled ) - return; - - if ( ignore_backdoor_conn(c, sig_name) ) - return; - - if ( c$id !in did_sig_conns ) - did_sig_conns[c$id] = set(); - - if ( sig_name !in did_sig_conns[c$id] ) - { - add did_sig_conns[c$id][sig_name]; - log_backdoor(c, sig_name); - } - } - -event ftp_signature_found(c: connection) - { - signature_found(c, ftp_sig_disabled, "ftp-sig"); - } - -event napster_signature_found(c: connection) - { - signature_found(c, napster_sig_disabled, "napster-sig"); - } - -event gnutella_signature_found(c: connection) - { - signature_found(c, gnutella_sig_disabled, "gnutella-sig"); - } - -event kazaa_signature_found(c: connection) - { - signature_found(c, kazaa_sig_disabled, "kazaa-sig"); - } - -event http_signature_found(c: connection) - { - signature_found(c, http_sig_disabled, "http-sig"); - } - -event http_proxy_signature_found(c: connection) - { - signature_found(c, http_proxy_sig_disabled, "http-proxy-sig"); - } - -event ssh_signature_found(c: 
connection, is_orig: bool) - { - signature_found(c, ssh_sig_disabled, "ssh-sig"); - } - -event smtp_signature_found(c: connection) - { - signature_found(c, smtp_sig_disabled, "smtp-sig"); - } - -event irc_signature_found(c: connection) - { - signature_found(c, irc_sig_disabled, "irc-sig"); - } - -event gaobot_signature_found(c: connection) - { - signature_found(c, gaobot_sig_disabled, "gaobot-sig"); - } - -event telnet_signature_found(c: connection, is_orig: bool, len: count) - { - local id = c$id; - - if ( ignore_backdoor_conn(c, "telnet-sig") ) - return; - - if ( ! telnet_sig_disabled && id !in telnet_sig_conns ) - telnet_sig_conns[id] = BACKDOOR_SIG_FOUND; - - if ( ! telnet_sig_3byte_disabled && len == 3 && - id !in telnet_sig_3byte_conns ) - telnet_sig_3byte_conns[id] = BACKDOOR_SIG_FOUND; - } - -event rlogin_signature_found(c: connection, is_orig: bool, - num_null: count, len: count) - { - local id = c$id; - - if ( (rlogin_sig_disabled && rlogin_sig_1byte_disabled) || - ignore_backdoor_conn(c, "rlogin-sig") ) - return; - - local ri = rlogin_conns[id]; - if ( is_orig && ri$o_num_null == 0 ) - ri$o_num_null = num_null; - - else if ( ! is_orig && ri$r_num_null == 0 ) - { - ri$r_num_null = num_null; - ri$r_len = len; - } - else - return; - - if ( ri$o_num_null == 0 || ri$r_num_null == 0 ) - return; - - if ( ! rlogin_sig_1byte_disabled && ri$r_len == 1 ) - log_backdoor(c, "rlogin-sig-1byte"); - - if ( ! rlogin_sig_disabled ) - log_backdoor(c, "rlogin-sig"); - } - - -function ssh_len_stats(c: connection, os: backdoor_endp_stats, - rs: backdoor_endp_stats) : bool - { - if ( ssh_len_disabled || c$id in ssh_len_conns ) - return F; - - if ( os$num_pkts == 0 || rs$num_pkts == 0 ) - return F; - - # xxx: only use ssh-len for partial connection - - local is_partial = os$is_partial || rs$is_partial; - if ( ! 
is_partial ) - return F; - - local num_pkts = os$num_pkts + rs$num_pkts; - - if ( num_pkts < ssh_min_num_pkts ) - return F; - - local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts; - local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts; - - local id = c$id; - if ( num_8k0_pkts >= num_pkts * ssh_min_ssh_pkts_ratio ) - { - add ssh_len_conns[id]; - log_backdoor(c, "ssh-len-v2.x"); - } - - else if ( num_8k4_pkts >= num_pkts * ssh_min_ssh_pkts_ratio ) - { - add ssh_len_conns[id]; - log_backdoor(c, "ssh-len-v1.x"); - } - - return T; - } - -function telnet_stats(c: connection, os: backdoor_endp_stats, - rs: backdoor_endp_stats) : bool - { - local num_lines = os$num_lines + rs$num_lines; - local num_normal_lines = os$num_normal_lines + rs$num_normal_lines; - - if ( num_lines < backdoor_min_num_lines || - num_normal_lines < num_lines * backdoor_min_normal_line_ratio ) - return F; - - local num_bytes = os$num_bytes + rs$num_bytes; - local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii; - - if ( num_bytes < backdoor_min_bytes || - num_7bit_ascii < num_bytes * backdoor_min_7bit_ascii_ratio ) - return F; - - local id = c$id; - - if ( id in telnet_sig_conns && - telnet_sig_conns[id] != BACKDOOR_YES ) - { - telnet_sig_conns[id] = BACKDOOR_YES; - log_backdoor(c, "telnet-sig"); - } - - if ( id in telnet_sig_3byte_conns && - telnet_sig_3byte_conns[id] != BACKDOOR_YES ) - { - telnet_sig_3byte_conns[id] = BACKDOOR_YES; - log_backdoor(c, "telnet-sig-3byte"); - } - - return T; - } - -event backdoor_stats(c: connection, - os: backdoor_endp_stats, rs: backdoor_endp_stats) - { - telnet_stats(c, os, rs); - ssh_len_stats(c, os, rs); - } diff --git a/policy.old/bittorrent.bro b/policy.old/bittorrent.bro deleted file mode 100644 index 7a1576abf5..0000000000 --- a/policy.old/bittorrent.bro +++ /dev/null 
@@ -1,277 +0,0 @@ -# $Id:$ -# -# bittorrent.bro - policy script for analyzing BitTorrent traffic -# --------------------------------------------------------------- -# This code contributed by Nadi Sarrar. - -@load dpd -@load weird - -module BitTorrent; - -export { - # Whether to log the length of PDUs. - global log_pdu_length = T &redef; -} - -redef capture_filters += { ["bittorrent"] = "tcp" }; - -type bt_peer_state: enum { - choked, # peer won't receive any responses to requests (initial state) - unchoked # peer may do requests -}; - -type bt_peer_info: record { - # Total of pure peer wire protocol overhead data (w/o pieces). - protocol_total: count &default = 0; - - # State of the peer - choked or unchoked. - state: bt_peer_state &default = choked; - - # Total number of seconds the peer was unchoked. - unchoked: interval &default = 0 secs; - - # Time of the last received unchoke message. - time_last_unchoked: time; -}; - -type bt_peer_conn: record { - id: count; - orig: bt_peer_info; - resp: bt_peer_info; - weird: bool &default = F; -}; - -global bittorrent_log = open_log_file("bittorrent") &redef; -global bt_peer_conns : table[conn_id] of bt_peer_conn; -global peer_conn_count = 0; - -function record_peer_protocol_traffic(c: connection, is_orig: bool, - protocol_len: count): count - { - if ( c$id in bt_peer_conns ) - { - local pc = bt_peer_conns[c$id]; - - if ( is_orig ) - pc$orig$protocol_total += protocol_len; - else - pc$resp$protocol_total += protocol_len; - - return pc$id; - } - - return 0; - } - -function record_choke(pi: bt_peer_info, now: time) - { - if ( pi$state == unchoked ) - { - pi$state = choked; - pi$unchoked += now - pi$time_last_unchoked; - } - } - -function record_unchoke(pi: bt_peer_info, now: time) - { - if ( pi$state == choked ) - { - pi$state = unchoked; - pi$time_last_unchoked = now; - } - } - -function lookup_bt_peer(id: conn_id): bt_peer_conn - { - if ( id in bt_peer_conns ) - return bt_peer_conns[id]; - - local orig: bt_peer_info; - 
local resp: bt_peer_info; - local pc: bt_peer_conn; - pc$orig = orig; - pc$resp = resp; - pc$id = ++peer_conn_count; - bt_peer_conns[id] = pc; - - return pc; - } - -function bt_log_id(id: conn_id, cid: count, tag: string, is_orig: bool): string - { - return fmt("%.6f P%d %s %s:%d %s %s:%d", - network_time(), cid, tag, id$orig_h, id$orig_p, - is_orig ? ">" : "<", id$resp_h, id$resp_p); - } - -function pdu_log_len(len: count): string - { - return log_pdu_length ? fmt("[PDU-len:%d]", len) : ""; - } - -function log_pdu(c: connection, is_orig: bool, tag: string, len: count): count - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(len)); - - return cid; - } - -function log_pdu_str(c: connection, is_orig: bool, tag: string, len: count, - str: string) - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(len), str); - } - -function log_pdu_str_n(c: connection, is_orig: bool, tag: string, len: count, - n: count, str: string) - { - local cid = record_peer_protocol_traffic(c, is_orig, len); - print bittorrent_log, - fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig), - pdu_log_len(n), str); - } - -event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string, - info_hash: string, peer_id: string) - { - local pc = lookup_bt_peer(c$id); - log_pdu_str(c, is_orig, "handshake", 68, - fmt("[peer_id:%s info_hash:%s reserved:%s]", - bytestring_to_hexstr(peer_id), - bytestring_to_hexstr(info_hash), - bytestring_to_hexstr(reserved))); - } - -event bittorrent_peer_keep_alive(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "keep-alive", 4); - } - -event bittorrent_peer_choke(c: connection, is_orig: bool) - { - local cid = log_pdu(c, is_orig, "choke", 5); - if ( cid > 0 ) - { - local pc = bt_peer_conns[c$id]; - record_choke(is_orig ? 
pc$resp : pc$orig, network_time()); - } - } - -event bittorrent_peer_unchoke(c: connection, is_orig: bool) - { - local cid = log_pdu(c, is_orig, "unchoke", 5); - if ( cid > 0 ) - { - local pc = bt_peer_conns[c$id]; - record_unchoke(is_orig ? pc$resp : pc$orig, network_time()); - } - } - -event bittorrent_peer_interested(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "interested", 5); - } - -event bittorrent_peer_not_interested(c: connection, is_orig: bool) - { - log_pdu(c, is_orig, "not-interested", 5); - } - -event bittorrent_peer_have(c: connection, is_orig: bool, piece_index: count) - { - log_pdu(c, is_orig, "have", 9); - } - -event bittorrent_peer_bitfield(c: connection, is_orig: bool, bitfield: string) - { - log_pdu_str(c, is_orig, "bitfield", 5 + byte_len(bitfield), - fmt("[bitfield:%s]", - bytestring_to_hexstr(bitfield))); - } - -event bittorrent_peer_request(c: connection, is_orig: bool, index: count, - begin: count, length: count) - { - log_pdu_str(c, is_orig, "request", 17, - fmt("[index:%d begin:%d length:%d]", index, begin, length)); - } - -event bittorrent_peer_piece(c: connection, is_orig: bool, index: count, - begin: count, piece_length: count) - { - log_pdu_str_n(c, is_orig, "piece", 13, 13 + piece_length, - fmt("[index:%d begin:%d piece_length:%d]", - index, begin, piece_length)); - } - -event bittorrent_peer_cancel(c: connection, is_orig: bool, index: count, - begin: count, length: count) - { - log_pdu_str(c, is_orig, "cancel", 7, - fmt("[index:%d begin:%d length:%d]", - index, begin, length)); - } - -event bittorrent_peer_port(c: connection, is_orig: bool, listen_port: port) - { - log_pdu_str(c, is_orig, "port", 5, - fmt("[listen_port:%s]", listen_port)); - } - -event bittorrent_peer_unknown(c: connection, is_orig: bool, message_id: count, - data: string) - { - log_pdu_str(c, is_orig, "", 5 + byte_len(data), - fmt("[message_id:%d]", message_id)); - } - -event bittorrent_peer_weird(c: connection, is_orig: bool, msg: string) - { - local pc 
= lookup_bt_peer(c$id); - pc$weird = T; - - print bittorrent_log, - fmt("%s [%s]", bt_log_id(c$id, pc$id, "", is_orig), msg); - - event conn_weird(msg, c); - } - -function log_close(c: connection, pc: bt_peer_conn, is_orig: bool) - { - local endp = is_orig ? c$orig : c$resp; - local peer_i = is_orig ? pc$orig : pc$resp; - - local status = - pc$weird ? - fmt("size:%d", endp$size) : - fmt("unchoked:%.06f size_protocol:%d size_pieces:%d", - peer_i$unchoked, peer_i$protocol_total, - endp$size - peer_i$protocol_total); - - print bittorrent_log, - fmt("%s [duration:%.06f %s]", - bt_log_id(c$id, pc$id, "", is_orig), - c$duration, status); - } - -event connection_state_remove(c: connection) - { - if ( c$id !in bt_peer_conns ) - return; - - local pc = bt_peer_conns[c$id]; - delete bt_peer_conns[c$id]; - - record_choke(pc$orig, c$start_time + c$duration); - record_choke(pc$resp, c$start_time + c$duration); - - log_close(c, pc, T); - log_close(c, pc, F); - } diff --git a/policy.old/blaster.bro b/policy.old/blaster.bro deleted file mode 100644 index 07cc542199..0000000000 --- a/policy.old/blaster.bro +++ /dev/null 
@@ -1,52 +0,0 @@
-# $Id: blaster.bro 5952 2008-07-13 19:45:15Z vern $
-#
-# Identifies W32.Blaster-infected hosts by observing their scanning
-# activity.
-
-@load notice
-@load site
-
-# Which hosts have scanned which addresses via 135/tcp.
-global w32b_scanned: table[addr] of set[addr] &write_expire = 5min;
-global w32b_reported: set[addr] &persistent;
-
-const W32B_port = 135/tcp;
-const W32B_MIN_ATTEMPTS = 50 &redef;
-
-redef enum Notice += {
- W32B_SourceLocal,
- W32B_SourceRemote,
-};
-
-event connection_attempt(c: connection)
- {
- if ( c$id$resp_p != W32B_port )
- return;
-
- local ip = c$id$orig_h;
-
- if ( ip in w32b_reported )
- return;
-
- if ( ip in w32b_scanned )
- {
- add (w32b_scanned[ip])[c$id$resp_h];
-
- if ( length(w32b_scanned[ip]) >= W32B_MIN_ATTEMPTS )
- {
- if ( is_local_addr(ip) )
- NOTICE([$note=W32B_SourceLocal, $conn=c,
- $msg=fmt("W32.Blaster local source: %s",
- ip)]);
- else
- NOTICE([$note=W32B_SourceRemote, $conn=c,
- $msg=fmt("W32.Blaster remote source: %s",
- ip)]);
-
- add w32b_reported[ip];
- }
- }
-
- else
- w32b_scanned[ip] = set(ip) &mergeable;
- }
diff --git a/policy.old/brolite-backdoor.bro b/policy.old/brolite-backdoor.bro
deleted file mode 100644
index 07cc542199..0000000000
--- a/policy.old/brolite-backdoor.bro
+++ /dev/null
@@ -1,55 +0,0 @@
-# $Id: brolite-backdoor.bro 2956 2006-05-14 01:08:34Z vern $
-
-# Sample file for running backdoor detector
-#
-# Note, this can consume significant processing resources when running
-# on live traffic.
-#
-# To run bro with this script using a Bro Lite setup:
-#
-# rename this script to hostname.bro
-# run: $BROHOME/etc/bro.rc start
-# or bro -i interface brolite-backdoor.bro
-
-@load site
-
-@load backdoor
-@load weird
-
-# By default, do backdoor detection on everything except standard HTTP
-# and SMTP ports.
-redef capture_filters += [ ["tcp"] = "tcp" ];
-redef restrict_filters +=
- [ ["not-http"] = "not (port 80 or port 8000 or port 8080)" ];
-redef restrict_filters += [ ["not-smtp"] = "not (port 25 or port 587)" ];
-
-redef use_tagging = T;
-
-# Set if you want to dump packets that trigger the detections.
-redef dump_backdoor_packets = T;
-
-# Disable (set to T) if you don't care about this traffic.
-# redef gnutella_sig_disabled = T;
-# redef kazaa_sig_disabled = T;
-
-redef napster_sig_disabled = T; # too many false positives
-
-# Ignore outgoing, only report incoming backdoors.
-redef backdoor_ignore_remote += {
- ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
- http_backdoor_sigs, http_proxy_backdoor_sigs, smtp_backdoor_sigs,
-};
-
-# Set these to send mail on backdoor alarms.
-# redef mail_dest = "youremail@yourhost.dom";
-# redef notice_action_filters += {
-# [BackdoorFound] = send_email_notice,
-#};
-
-# Tuning: use more aggressive timeouts to reduce CPU and memory, as these
-# have little effect on backdoor analysis.
-redef tcp_SYN_timeout = 1 sec;
-redef tcp_attempt_delay = 1 sec;
-redef tcp_inactivity_timeout = 1 min;
-redef udp_inactivity_timeout = 5 secs;
-redef icmp_inactivity_timeout = 5 secs;
diff --git a/policy.old/brolite-sigs.bro b/policy.old/brolite-sigs.bro
deleted file mode 100644
index 33b5be7730..0000000000
--- a/policy.old/brolite-sigs.bro
+++ /dev/null
@@ -1,82 +0,0 @@
-# $Id: brolite-sigs.bro 3856 2006-12-02 00:18:57Z vern $
-
-# Bro Lite signature configuration file
-
-# General policy - these scripts are more infrastructural than service
-# oriented, so in general avoid changing anything here.
-
-# Set global constant. This can be used in ifdef statements to determine
-# if signatures are enabled.
-const use_signatures = T;
-
-@load snort # basic definitions for signatures
-@load signatures # the signature policy engine
-@load sig-functions # addl. functions added for signature accuracy
-@load sig-action # actions related to particular signatures
-
-# Flag HTTP worm sources such as Code Red.
-@load worm
-
-# Do worm processing
-redef notice_action_filters += { [RemoteWorm] = file_notice };
-
-# Ports that need to be captured for signatures to see a useful
-# cross section of traffic.
-redef capture_filters += {
- ["sig-http"] =
- "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001",
- ["sig-ftp"] = "port ftp",
- ["sig-telnet"] = "port telnet",
- ["sig-portmapper"] = "port 111",
- ["sig-smtp"] = "port smtp",
- ["sig-imap"] = "port 143",
- ["sig-snmp"] = "port 161 or port 162",
- ["sig-dns"] = "port 53",
-
- # rsh/rlogin/rexec
- ["sig-rfoo"] = "port 512 or port 513 or port 515",
-
- # Range of TCP ports for general RPC traffic. This can also
- # occur on other ports, but these should catch a lot without
- # a major performance hit. We skip ports assosciated with
- # HTTP, SSH and M$.
- ["sig-rpc"] = "tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139",
-};
-
-### Why is this called "tcp3"?
-# Catch outbound M$ scanning. Returns filter listing local addresses
-# along with the interesting ports.
-function create_tcp3_filter(): string
- {
- local local_addrs = "";
- local firsttime = T;
-
- for ( l in local_nets )
- {
- if ( firsttime )
- {
- local_addrs = fmt("src net %s", l);
- firsttime = F;
- }
- else
- local_addrs = fmt("%s or src net %s", local_addrs, l);
- }
-
- local MS_scan_ports =
- "dst port 135 or dst port 137 or dst port 139 or dst port 445";
-
- if ( local_addrs == "" )
- return MS_scan_ports;
- else
- return fmt("(%s) and (%s)", local_addrs, MS_scan_ports);
- }
-
-# Create and apply the filter.
-redef capture_filters += { ["tcp3"] = create_tcp3_filter()};
-
-# Turn on ICMP analysis.
-redef capture_filters += { ["icmp"] = "icmp"};
-
-# Load the addendum signatures. These are utility signatures that do not
-# produce event messages.
-redef signature_files += "sig-addendum";
diff --git a/policy.old/brolite.bro b/policy.old/brolite.bro
deleted file mode 100644
index 36d9ad3653..0000000000
--- a/policy.old/brolite.bro
+++ /dev/null
@@ -1,195 +0,0 @@
-# Bro Lite base configuration file.
-
-# General policy - these scripts are more infrastructural than service
-# oriented, so in general avoid changing anything here.
-
-@load site # defines local and neighbor networks from static config
-@load tcp # initialize BPF filter for SYN/FIN/RST TCP packets
-@load weird # initialize generic mechanism for unusual events
-@load conn # access and record connection events
-@load hot # defines certain forms of sensitive access
-@load frag # process TCP fragments
-@load print-resources # on exit, print resource usage information
-
-# Scan detection policy.
-@load scan # generic scan detection mechanism
-@load trw # additional, more sensitive scan detection
-#@load drop # include if installation has ability to drop hostile remotes
-
-# Application level policy - these scripts operate on the specific service.
-@load http # general http analyzer, low level of detail
-@load http-request # detailed analysis of http requests
-@load http-reply # detailed analysis of http reply's
-
-# Track software versions; required for some signature matching. Also
-# can be used by http and ftp policies.
-@load software
-
-@load ftp # FTP analysis
-@load portmapper # record and analyze RPC portmapper requests
-@load tftp # identify and log TFTP sessions
-@load login # rlogin/telnet analyzer
-@load irc # IRC analyzer
-@load blaster # blaster worm detection
-@load stepping # "stepping stone" detection
-@load synflood # synflood attacks detection
-@load smtp # record and analyze email traffic - somewhat expensive
-
-@load notice-policy # tuning of notices to downgrade some alarms
-
-# off by default
-#@load icmp # icmp analysis
-
-# Tuning of memory consumption.
-@load inactivity # time out connections for certain services more quickly
-# @load print-globals # on exit, print the size of global script variables
-
-# Record system statistics to the notice file
-@load stats
-
-# udp analysis - potentially expensive, depending on a site's traffic profile
-#@load udp.all
-#@load remove-multicast
-
-# Prints the pcap filter and immediately exits. Not used during
-# normal operation.
-#@load print-filter
-
-## End policy script loading.
-
-## General configuration.
-
-@load rotate-logs
-redef log_rotate_base_time = "0:00";
-redef log_rotate_interval = 24 hr;
-
-
-# Set additional policy prefixes.
-@prefixes += lite
-
-## End basic configuration.
-
-
-## Scan configuration.
-@ifdef ( Scan::analyze_all_services )
- redef Scan::analyze_all_services = T;
-
- # The following turns off scan detection.
- #redef Scan::suppress_scan_checks = T;
-
- # Be a bit more aggressive than default (though the defaults
- # themselves should be fixed).
- redef Scan::report_outbound_peer_scan = { 100, 1000, };
-
- # These services are skipped for scan detection due to excessive
- # background noise.
- redef Scan::skip_services += {
- http, # Avoid Code Red etc. overload
- 27374/tcp, # Massive scanning in Jan 2002
- 1214/tcp, # KaZaa scans
- 12345/tcp, # Massive scanning in Apr 2002
- 445/tcp, # Massive distributed scanning Oct 2002
- 135/tcp, # These days, NetBIOS scanning is endemic
- 137/udp, # NetBIOS
- 139/tcp, # NetBIOS
- 1025/tcp,
- 6129/tcp, # Dameware
- 3127/tcp, # MyDoom worms worms worms!
- 2745/tcp, # Bagel worm
- 1433/tcp, # Distributed scanning, April 2004
- 5000/tcp, # Distributed scanning, May 2004
- 5554/tcp, # More worm food, May 2004
- 9898/tcp, # Worms attacking worms. ugh - May 2004
- 3410/tcp, # More worm food, June 2004
- 3140/tcp, # Dyslexic worm food, June 2004
- 27347/tcp, # Can't kids type anymore?
- 1023/tcp, # Massive scanning, July 2004
- 17300/tcp, # Massive scanning, July 2004
- };
-
-@endif
-
-@ifdef ( ICMP::detect_scans )
- # Whether to detect ICMP scans.
- redef ICMP::detect_scans = F;
- redef ICMP::scan_threshold = 100;
-@endif
-
-@ifdef ( TRW::TRWAddressScan )
- # remove logging TRW scan events
- redef notice_action_filters += {
- [TRW::TRWAddressScan] = ignore_notice,
- };
-@endif
-
-# Note: default scan configuration is conservative in terms of memory use and
-# might miss slow scans. Consider uncommenting these based on your sites scan
-# traffic.
-#redef distinct_peers &create_expire = 30 mins;
-#redef distinct_ports &create_expire = 30 mins;
-#redef distinct_low_ports &create_expire= 30 mins;
-
-
-## End scan configuration.
-
-## additional IRC checks
-redef IRC::hot_words += /.*exe/ ;
-
-
-## Dynamic Protocol Detection configuration
-#
-# This is off by default, as it requires a more powerful Bro host.
-# Uncomment next line to activate.
-# const use_dpd = T;
-
-@ifdef ( use_dpd )
- @load dpd
- @load irc-bot
- @load dyn-disable
- @load detect-protocols
- @load detect-protocols-http
- @load proxy
- @load ssh
-
- # By default, DPD looks at all traffic except port 80.
- # For lightly loaded networks, comment out the restrict_filters line.
- # For heavily loaded networks, try adding addition ports (e.g., 25) to
- # the restrict filters.
- redef capture_filters += [ ["tcp"] = "tcp" ];
- redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
-@endif
-
-@ifdef ( ProtocolDetector::ServerFound )
-# Report servers on non-standard ports only for local addresses.
-redef notice_policy += {
- [$pred(a: notice_info) =
- { return a$note == ProtocolDetector::ServerFound &&
- ! is_local_addr(a$src); },
- $result = NOTICE_FILE,
- $priority = 1],
-
- # Report protocols on non-standard ports only for local addresses
- # (unless it's IRC).
- [$pred(a: notice_info) =
- { return a$note == ProtocolDetector::ProtocolFound &&
- ! is_local_addr(a$dst) &&
- a$sub != "IRC"; },
- $result = NOTICE_FILE,
- $priority = 1],
-};
-@endif
-
-# The following is used to transfer state between Bro's when one
-# takes over from another.
-#
-# NOTE: not implemented in the production version, so ignored for now.
-@ifdef ( remote_peers_clear )
- redef remote_peers_clear += {
- [127.0.0.1, 55555/tcp] = [$hand_over = T],
- [127.0.0.1, 0/tcp] = [$hand_over = T]
- };
-@endif
-
-# Use tagged log files for notices.
-redef use_tagging = T;
-
diff --git a/policy.old/bt-tracker.bro b/policy.old/bt-tracker.bro
deleted file mode 100644
index dfc948a9e2..0000000000
--- a/policy.old/bt-tracker.bro
+++ /dev/null
@@ -1,190 +0,0 @@
-# $Id:$
-#
-# bt-tracker.bro - analysis of BitTorrent tracker traffic
-# ------------------------------------------------------------------------------
-# This code contributed by Nadi Sarrar.
-
-@load dpd
-@load weird
-
-module BitTorrent;
-
-export {
- # Whether to log tracker URIs.
- global log_tracker_request_uri = F &redef;
-}
-
-redef capture_filters += { ["bittorrent"] = "tcp", };
-
-global bt_tracker_log = open_log_file("bt-tracker") &redef;
-
-global bt_tracker_conns: table[conn_id] of count;
-global tracker_conn_count: count = 0;
-
-
-function bt_log_tag(id: conn_id, cid: count, tag: string, is_orig: bool): string
- {
- return fmt("%.6f T%d %s %s:%d %s %s:%d",
- network_time(), cid, tag, id$orig_h, id$orig_p,
- is_orig ? ">" : "<", id$resp_h, id$resp_p);
- }
-
-event bt_tracker_request(c: connection, uri: string,
- headers: bt_tracker_headers)
- {
- # Parse and validate URI.
- local pair = split1(uri, /\?/);
- local keys = split(pair[2], /&/);
-
- local info_hash = "";
- local peer_ide = "";
- local peer_port = 0/udp;
- local uploaded = -1;
- local downloaded = -1;
- local left = -1;
- local compact = T;
- local peer_event = "empty";
-
- for ( idx in keys )
- {
- local keyval = split1(keys[idx], /=/);
- if ( length(keyval) != 2 )
- next;
-
- local key = to_lower(keyval[1]);
- local val = keyval[2];
-
- if ( key == "info_hash" )
- info_hash = unescape_URI(val);
- else if ( key == "peer_id" )
- peer_ide = unescape_URI(val);
- else if ( key == "port" )
- peer_port = to_port(to_count(val), tcp);
- else if ( key == "uploaded" )
- uploaded = to_int(val);
- else if ( key == "downloaded" )
- downloaded = to_int(val);
- else if ( key == "left" )
- left = to_int(val);
- else if ( key == "compact" )
- compact = (to_int(val) == 1);
-
- else if ( key == "event" )
- {
- val = to_lower(val);
- if ( val == /started|stopped|completed/ )
- peer_event = val;
- }
- }
-
- if ( info_hash == "" || peer_ide == "" || peer_port == 0/udp )
- { # Does not look like BitTorrent.
- disable_analyzer(c$id, current_analyzer());
- delete bt_tracker_conns[c$id];
- return;
- }
-
- if ( peer_port != 0/tcp )
- expect_connection(to_addr("0.0.0.0"), c$id$orig_h,
- peer_port, ANALYZER_BITTORRENT, 1 min);
-
- local id: count;
- if ( c$id in bt_tracker_conns )
- id = bt_tracker_conns[c$id];
- else
- {
- id = ++tracker_conn_count;
- bt_tracker_conns[c$id] = id;
- }
-
- print bt_tracker_log,
- fmt("%s [peer_id:%s info_hash:%s port:%s event:%s up:%d down:%d left:%d compact:%s]%s",
- bt_log_tag(c$id, id, "request", T),
- bytestring_to_hexstr(peer_ide),
- bytestring_to_hexstr(info_hash),
- peer_port, peer_event,
- uploaded, downloaded, left,
- compact ? "yes" : "no",
- log_tracker_request_uri ? fmt(" GET %s", uri) : "");
- }
-
-function benc_status(benc: bittorrent_benc_dir, tag: string): string
- {
- if ( tag !in benc || ! benc[tag]?$i )
- return "";
-
- local fmt_tag = sub(tag, / /, "_");
- return fmt("%s:%d", fmt_tag, benc[tag]$i);
- }
-
-event bt_tracker_response(c: connection, status: count,
- headers: bt_tracker_headers,
- peers: bittorrent_peer_set,
- benc: bittorrent_benc_dir)
- {
- if ( c$id !in bt_tracker_conns )
- return;
-
- local id = bt_tracker_conns[c$id];
-
- for ( peer in peers )
- expect_connection(c$id$orig_h, peer$h, peer$p,
- ANALYZER_BITTORRENT, 1 min);
-
- if ( "failure reason" in benc )
- {
- print bt_tracker_log,
- fmt("%s [failure_reason:\"%s\"]",
- bt_log_tag(c$id, id, "response", F),
- benc["failure reason"]?$s ?
- benc["failure reason"]$s : "");
- return;
- }
-
- print bt_tracker_log,
- fmt("%s [%s%s%s%s%speers:%d]",
- bt_log_tag(c$id, id, "response", F),
- benc_status(benc, "warning message"),
- benc_status(benc, "complete"),
- benc_status(benc, "incomplete"),
- benc_status(benc, "interval"),
- benc_status(benc, "min interval"),
- length(peers));
- }
-
-event bt_tracker_response_not_ok(c: connection, status: count,
- headers: bt_tracker_headers)
- {
- if ( c$id in bt_tracker_conns )
- {
- local id = bt_tracker_conns[c$id];
- print bt_tracker_log,
- fmt("%s [status:%d]",
- bt_log_tag(c$id, id, "response", F), status);
- }
- }
-
-event bt_tracker_weird(c: connection, is_orig: bool, msg: string)
- {
- local id = (c$id in bt_tracker_conns) ? bt_tracker_conns[c$id] : 0;
- print bt_tracker_log,
- fmt("%s [%s]", bt_log_tag(c$id, id, "", is_orig), msg);
-
- event conn_weird(msg, c);
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id !in bt_tracker_conns )
- return;
-
- local id = bt_tracker_conns[c$id];
- delete bt_tracker_conns[c$id];
-
- print bt_tracker_log,
- fmt("%s [duration:%.06f total:%d]",
- # Ideally the direction here wouldn't be T or F
- # but both, displayed as "<>".
- bt_log_tag(c$id, id, "", T), c$duration,
- c$orig$size + c$resp$size);
- }
diff --git a/policy.old/capture-events.bro b/policy.old/capture-events.bro
deleted file mode 100644
index 2ba6eba7b7..0000000000
--- a/policy.old/capture-events.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#! $Id: capture-events.bro 4674 2007-07-30 22:00:43Z vern $
-#
-# Captures all events to events.bst.
-#
-
-event bro_init()
- {
- capture_events("events.bst");
- }
diff --git a/policy.old/capture-loss.bro b/policy.old/capture-loss.bro
deleted file mode 100644
index a641749bd4..0000000000
--- a/policy.old/capture-loss.bro
+++ /dev/null
@@ -1,74 +0,0 @@
-# $Id:$
-
-# Logs evidence regarding the degree to which the packet capture process
-# suffers from measurment loss.
-#
-# By default, only reports loss computed in terms of number of "gap events"
-# (ACKs for a sequence number that's above a gap). You can also get an
-# estimate in terms of number of bytes missing; this however is sometimes
-# heavily affected by miscomputations due to broken packets with incorrect
-# sequence numbers. (These packets also affect the first estimator, but
-# only to a quite minor degree.)
-
-@load notice
-
-module CaptureLoss;
-
-export {
- redef enum Notice += {
- CaptureLossReport, # interval report
- CaptureLossSummary, # end-of-run summary
- };
-
- # Whether to also report byte-weighted estimates.
- global report_byte_based_estimates = F &redef;
-
- # Whether to generate per-interval reports even if there
- # was no evidence of loss.
- global report_if_none = F &redef;
-
- # Whether to generate a summary even if there was no
- # evidence of loss.
- global summary_if_none = F &redef;
-}
-
-
-# Redefine this to be non-zero to get per-interval reports.
-redef gap_report_freq = 0 sec;
-
-event gap_report(dt: interval, info: gap_info)
- {
- if ( info$gap_events > 0 || report_if_none )
- {
- local msg = report_byte_based_estimates ?
- fmt("gap-dt=%.6f acks=%d bytes=%d gaps=%d gap-bytes=%d",
- dt, info$ack_events, info$ack_bytes,
- info$gap_events, info$gap_bytes) :
- fmt("gap-dt=%.6f acks=%d gaps=%d",
- dt, info$ack_events, info$gap_events);
-
- NOTICE([$note=CaptureLossReport, $msg=msg]);
- }
- }
-
-event bro_done()
- {
- local g = get_gap_summary();
-
- local gap_rate =
- g$ack_events == 0 ? 0.0 :
- (1.0 * g$gap_events) / (1.0 * g$ack_events);
- local gap_bytes =
- g$ack_bytes == 0 ? 0.0 :
- (1.0 * g$gap_bytes) / (1.0 * g$ack_bytes);
-
- if ( gap_rate == 0.0 && gap_bytes == 0.0 && ! summary_if_none )
- return;
-
- local msg = report_byte_based_estimates ?
- fmt("estimated rate = %g / %g (events/bytes)",
- gap_rate, gap_bytes) :
- fmt("estimated rate = %g", gap_rate);
-
- NOTICE([$note=CaptureLossSummary, $msg=msg]);
- }
diff --git a/policy.old/capture-state-updates.bro b/policy.old/capture-state-updates.bro
deleted file mode 100644
index 7630015365..0000000000
--- a/policy.old/capture-state-updates.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#! $Id: capture-events.bro 6 2004-04-30 00:31:26Z jason $
-#
-# Captures all operations on &synchronized variables to state-updates.bst.
-#
-
-event bro_init()
- {
- capture_state_updates("state-updates.bst");
- }
diff --git a/policy.old/checkpoint.bro b/policy.old/checkpoint.bro
deleted file mode 100644
index 2222d69c0c..0000000000
--- a/policy.old/checkpoint.bro
+++ /dev/null
@@ -1,54 +0,0 @@
-# $Id: checkpoint.bro 6724 2009-06-07 09:23:03Z vern $
-#
-# Checkpoints Bro's persistent state at regular intervals and scans
-# the state directory for external updates.
-
-const state_rescan_interval = 15 secs &redef;
-const state_checkpoint_interval = 15 min &redef;
-
-# Services for which the internal connection state is stored.
-const persistent_services = {
- 21/tcp, # ftp
- 22/tcp, # ssh
- 23/tcp, # telnet
- 513/tcp, # rlogin
-} &redef;
-
-# The first timer fires immediately. This flags lets us ignore it.
-global state_ignore_first = T;
-
-event state_checkpoint()
- {
- if ( state_ignore_first )
- state_ignore_first = F;
-
- else if ( ! bro_is_terminating() )
- checkpoint_state();
-
- if ( state_checkpoint_interval > 0 secs )
- schedule state_checkpoint_interval { state_checkpoint() };
- }
-
-event state_rescan()
- {
- rescan_state();
-
- if ( state_rescan_interval > 0 secs )
- schedule state_rescan_interval { state_rescan() };
- }
-
-event bro_init()
- {
- if ( state_checkpoint_interval > 0 secs )
- schedule state_checkpoint_interval { state_checkpoint() };
-
- if ( state_rescan_interval > 0 secs )
- schedule state_rescan_interval { state_rescan() };
- }
-
-event connection_established(c: connection)
- {
- # Buggy?
- # if ( c$id$resp_p in persistent_services )
- # make_connection_persistent(c);
- }
diff --git a/policy.old/clear-passwords.bro b/policy.old/clear-passwords.bro
deleted file mode 100644
index 7607738dcc..0000000000
--- a/policy.old/clear-passwords.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: clear-passwords.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Monitoring for use of cleartext passwords.
-
-@load ftp
-@load login
-@load pop3
-@load irc
-
-const passwd_file = open_log_file("passwords") &redef;
-
-# ftp, login and pop3 call login_{success,failure}, which in turn
-# calls account_tried(), so we can snarf all at once here:
-event account_tried(c: connection, user: string, passwd: string)
- {
- print passwd_file, fmt("%s account name '%s', password '%s': %s",
- is_local_addr(c$id$orig_h) ? "local" : "remote",
- user, passwd, id_string(c$id));
- }
-
-# IRC raises a different event on login, so we hook into it here:
-event irc_join_message(c: connection, info_list: irc_join_list)
- {
- for ( l in info_list)
- {
- print passwd_file, fmt("IRC JOIN name '%s', password '%s'",
- l$nick, l$password);
- }
- }
-
-# Raised if IRC user tries to become operator:
-event irc_oper_message(c: connection, user: string, password: string)
- {
- print passwd_file, fmt("IRC OPER name '%s', password '%s'",
- user, password);
- }
diff --git a/policy.old/conn-flood.bro b/policy.old/conn-flood.bro
deleted file mode 100644
index 7da1cccff4..0000000000
--- a/policy.old/conn-flood.bro
+++ /dev/null
@@ -1,71 +0,0 @@
-# $Id$
-#
-# Script which alarms if the number of connections per time interval
-# exceeds a threshold.
-#
-# This script is mainly meant as a demonstration; it hasn't been hardened
-# with/for operational use.
-
-@load notice
-
-module ConnFlood;
-
-export {
- redef enum Notice += {
- ConnectionFloodStart, ConnectionFloodEnd,
- };
-
- # Thresholds to reports (conns/sec).
- const thresholds: set[count] =
- { 1000, 2000, 4000, 6000, 8000, 10000, 20000, 50000 }
- &redef;
-
- # Average over this time interval.
- const avg_interval = 10 sec &redef;
-}
-
-global conn_counter = 0;
-global last_thresh = 0;
-
-# Note: replace with connection_attempt if too expensive.
-event new_connection(c: connection)
- {
- ++conn_counter;
- }
-
-event check_flood()
- {
- local thresh = 0;
- local rate = double_to_count(interval_to_double((conn_counter / avg_interval)));
-
- # Find the largest threshold reached this interval.
- for ( i in thresholds )
- {
- if ( rate >= i && rate > thresh )
- thresh = i;
- }
-
- # Report if larger than last reported threshold.
- if ( thresh > last_thresh )
- {
- NOTICE([$note=ConnectionFloodStart, $n=thresh,
- $msg=fmt("flood begins at rate %d conns/sec", rate)]);
- last_thresh = thresh;
- }
-
- # If no threshold was reached, the flood is over.
- else if ( thresh == 0 && last_thresh > 0 )
- {
- NOTICE([$note=ConnectionFloodEnd, $n=thresh,
- $msg=fmt("flood ends at rate %d conns/sec", rate)]);
- last_thresh = 0;
- }
-
- conn_counter = 0;
- schedule avg_interval { check_flood() };
- }
-
-event bro_init()
- {
- schedule avg_interval { check_flood() };
- }
diff --git a/policy.old/conn-id.bro b/policy.old/conn-id.bro
deleted file mode 100644
index 9a81e307c9..0000000000
--- a/policy.old/conn-id.bro
+++ /dev/null
@@ -1,24 +0,0 @@
-# $Id: conn-id.bro 45 2004-06-09 14:29:49Z vern $
-
-# Simple functions for generating ASCII connection identifiers.
-
-@load port-name
-
-function id_string(id: conn_id): string
- {
- return fmt("%s > %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-function reverse_id_string(id: conn_id): string
- {
- return fmt("%s < %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-function directed_id_string(id: conn_id, is_orig: bool): string
- {
- return is_orig ? id_string(id) : reverse_id_string(id);
- }
diff --git a/policy.old/conn.bro b/policy.old/conn.bro
deleted file mode 100644
index 6491c9b8e1..0000000000
--- a/policy.old/conn.bro
+++ /dev/null
@@ -1,425 +0,0 @@
-# $Id: conn.bro 6782 2009-06-28 02:19:03Z vern $
-
-@load notice
-@load hot
-@load port-name
-@load netstats
-@load conn-id
-
-redef enum Notice += {
- SensitiveConnection, # connection marked "hot"
-};
-
-const conn_closed = { TCP_CLOSED, TCP_RESET };
-
-global have_FTP = F; # if true, we've loaded ftp.bro
-global have_SMTP = F; # if true, we've loaded smtp.bro
-
-# TODO: Do we have a nicer way of doing this?
-export { global FTP::is_ftp_data_conn: function(c: connection): bool; }
-
-# Whether to include connection state history in the logs generated
-# by record_connection.
-const record_state_history = F &redef;
-
-# Whether to translate the local address in SensitiveConnection notices
-# to a hostname. Meant as a demonstration of the "when" construct.
-const xlate_hot_local_addr = F &redef;
-
-# Whether to use DPD for generating the service field in the summaries.
-# Default off, because it changes the format of conn.log in a way
-# potentially incompatible with existing scripts.
-const dpd_conn_logs = F &redef;
-
-# Maps a given port on a given server's address to an RPC service.
-# If we haven't loaded portmapper.bro, then it will be empty
-# (and, ideally, queries to it would be optimized away ...).
-global RPC_server_map: table[addr, port] of string;
-
-const conn_file = open_log_file("conn") &redef;
-
-function conn_state(c: connection, trans: transport_proto): string
- {
- local os = c$orig$state;
- local rs = c$resp$state;
-
- local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
- local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
-
- if ( trans == tcp )
- {
- if ( rs == TCP_RESET )
- {
- if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
- (os == TCP_RESET &&
- c$orig$size == 0 && c$resp$size == 0) )
- return "REJ";
- else if ( o_inactive )
- return "RSTRH";
- else
- return "RSTR";
- }
- else if ( os == TCP_RESET )
- return r_inactive ? "RSTOS0" : "RSTO";
- else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
- return "SF";
- else if ( os == TCP_CLOSED )
- return r_inactive ? "SH" : "S2";
- else if ( rs == TCP_CLOSED )
- return o_inactive ? "SHR" : "S3";
- else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
- return "S0";
- else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
- return "S1";
- else
- return "OTH";
- }
-
- else if ( trans == udp )
- {
- if ( os == UDP_ACTIVE )
- return rs == UDP_ACTIVE ? "SF" : "S0";
- else
- return rs == UDP_ACTIVE ? "SHR" : "OTH";
- }
-
- else
- return "OTH";
- }
-
-function conn_size(e: endpoint, trans: transport_proto): string
- {
- if ( e$size > 0 || (trans == tcp && e$state == TCP_CLOSED) )
- return fmt("%d", e$size);
- else
- ### should return 0 for TCP_RESET that went through TCP_CLOSED
- return "?";
- }
-
-function service_name(c: connection): string
- {
- local p = c$id$resp_p;
-
- if ( p in port_names )
- return port_names[p];
- else
- return "other";
- }
-
-const state_graphic = {
- ["OTH"] = "?>?", ["REJ"] = "[",
- ["RSTO"] = ">]", ["RSTOS0"] = "}]", ["RSTR"] = ">[", ["RSTRH"] = "<[",
- ["S0"] = "}", ["S1"] = ">", ["S2"] = "}2", ["S3"] = "}3",
- ["SF"] = ">", ["SH"] = ">h", ["SHR"] = " 0 )
- log_hot_conn(c);
-
- if ( trans == tcp )
- {
- if ( c$orig$state in conn_closed || c$resp$state in conn_closed )
- duration = fmt("%.06f", c$duration);
- else
- duration = "?";
- }
- else
- duration = fmt("%.06f", c$duration);
-
- local addl = c$addl;
-
-@ifdef ( estimate_flow_size_and_remove )
- # Annotate connection with separately-estimated size, if present.
- local orig_est = estimate_flow_size_and_remove(id, T);
- local resp_est = estimate_flow_size_and_remove(id, F);
-
- if ( orig_est$have_est )
- addl = fmt("%s olower=%.0fMB oupper=%.0fMB oincon=%s", addl,
- orig_est$lower / 1e6, orig_est$upper / 1e6,
- orig_est$num_inconsistent);
-
- if ( resp_est$have_est )
- addl = fmt("%s rlower=%.0fMB rupper=%.0fMB rincon=%s", addl,
- resp_est$lower / 1e6, resp_est$upper / 1e6,
- resp_est$num_inconsistent);
-@endif
-
- local service = determine_service(c);
-
- local log_msg =
- fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
- c$start_time, duration, id$orig_h, id$resp_h, service,
- id$orig_p, id$resp_p, trans,
- conn_size(c$orig, trans), conn_size(c$resp, trans),
- conn_state(c, trans), flags);
-
- if ( record_state_history )
- log_msg = fmt("%s %s", log_msg,
- c$history == "" ? "X" : c$history);
-
- if ( addl != "" )
- log_msg = fmt("%s %s", log_msg, addl);
-
- print f, log_msg;
- }
-
-event connection_established(c: connection)
- {
- Hot::check_hot(c, Hot::CONN_ESTABLISHED);
-
- if ( c$hot > 0 )
- log_hot_conn(c);
- }
-
-event partial_connection(c: connection)
- {
- if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
- # This appears to be a stealth scan. Don't do hot-checking
- # as there wasn't an established connection.
- ;
- else
- {
- Hot::check_hot(c, Hot::CONN_ESTABLISHED);
- Hot::check_hot(c, Hot::APPL_ESTABLISHED); # assume it's been established
- }
-
- if ( c$hot > 0 )
- log_hot_conn(c);
- }
-
-event connection_attempt(c: connection)
- {
- Hot::check_spoof(c);
- Hot::check_hot(c, Hot::CONN_ATTEMPTED);
- }
-
-event connection_finished(c: connection)
- {
- if ( c$orig$size == 0 || c$resp$size == 0 )
- # Hard to get excited about this - not worth logging again.
- c$hot = 0;
- else
- Hot::check_hot(c, Hot::CONN_FINISHED);
- }
-
-event connection_partial_close(c: connection)
- {
- if ( c$orig$size == 0 || c$resp$size == 0 )
- # Hard to get excited about this - not worth logging again.
- c$hot = 0;
- else
- Hot::check_hot(c, Hot::CONN_FINISHED);
- }
-
-event connection_half_finished(c: connection)
- {
- Hot::check_hot(c, Hot::CONN_ATTEMPTED);
- }
-
-event connection_rejected(c: connection)
- {
- Hot::check_hot(c, Hot::CONN_REJECTED);
- }
-
-event connection_reset(c: connection)
- {
- Hot::check_hot(c, Hot::CONN_FINISHED);
- }
-
-event connection_pending(c: connection)
- {
- if ( c$orig$state in conn_closed &&
- (c$resp$state == TCP_INACTIVE || c$resp$state == TCP_PARTIAL) )
- # This is a stray FIN or RST - don't bother reporting.
- return;
-
- if ( c$orig$state == TCP_RESET || c$resp$state == TCP_RESET )
- # We already reported this connection when the RST
- # occurred.
- return;
-
- Hot::check_hot(c, Hot::CONN_FINISHED);
- }
-
-function connection_gone(c: connection, gone_type: string)
- {
- if ( c$orig$size == 0 || c$resp$size == 0 )
- {
- if ( c$orig$state == TCP_RESET && c$resp$state == TCP_INACTIVE)
- # A bare RST, no other context. Ignore it.
- return;
-
- # Hard to get excited about this - not worth logging again,
- # per connection_finished().
- c$hot = 0;
- }
- else
- Hot::check_hot(c, Hot::CONN_TIMEOUT);
- }
-
-event connection_state_remove(c: connection) &priority = -10
- {
- local os = c$orig$state;
- local rs = c$resp$state;
-
- if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
- # It was still active, no summary generated.
- connection_gone(c, "remove");
-
- else if ( (os == TCP_CLOSED || rs == TCP_CLOSED) &&
- (os == TCP_ESTABLISHED || rs == TCP_ESTABLISHED) )
- # One side has closed, the other hasn't - it's in state S2
- # or S3, hasn't been reported yet.
- connection_gone(c, "remove");
-
- record_connection(conn_file, c);
-
- delete hot_conns_reported[c$id];
- }
diff --git a/policy.old/contents.bro b/policy.old/contents.bro
deleted file mode 100644
index 152b54ed3b..0000000000
--- a/policy.old/contents.bro
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id: contents.bro 47 2004-06-11 07:26:32Z vern $
-
-redef capture_filters += { ["contents"] = "tcp" };
-
-# Keeps track of to which given contents files we've written.
-global contents_files: set[string];
-
-event new_connection_contents(c: connection)
- {
- local id = c$id;
-
- local orig_file =
- fmt("contents.%s.%d-%s.%d",
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
- local resp_file =
- fmt("contents.%s.%d-%s.%d",
- id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
- local orig_f: file;
- local resp_f: file;
-
- if ( orig_file !in contents_files )
- {
- add contents_files[orig_file];
- orig_f = open(orig_file);
- }
- else
- orig_f = open_for_append(orig_file);
-
- if ( resp_file !in contents_files )
- {
- add contents_files[resp_file];
- resp_f = open(resp_file);
- }
- else
- resp_f = open_for_append(resp_file);
-
- set_contents_file(id, CONTENTS_ORIG, orig_f);
- set_contents_file(id, CONTENTS_RESP, resp_f);
- }
diff --git a/policy.old/cpu-adapt.bro b/policy.old/cpu-adapt.bro
deleted file mode 100644
index 7376e0780a..0000000000
--- a/policy.old/cpu-adapt.bro
+++ /dev/null
@@ -1,62 +0,0 @@
-# $Id: cpu-adapt.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Adjust load level based on cpu load.
-
-@load load-level
-
-# We increase the load-level if the average CPU load (percentage) is
-# above this limit.
-global cpu_upper_limit = 70.0 &redef;
-
-# We derease the load-level if the average CPU load is below this limit.
-global cpu_lower_limit = 30.0 &redef;
-
-# Time interval over which we average the CPU load.
-global cpu_interval = 1 min &redef;
-
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-
-event cpu_measure_load()
- {
- local res = resource_usage();
- local proc_time = res$user_time + res$system_time;
- local wall_time = current_time();
-
- if ( cpu_last_proc_time > 0 secs )
- {
- local dproc = proc_time - cpu_last_proc_time;
- local dwall = wall_time - cpu_last_wall_time;
- local load = dproc / dwall * 100.0;
-
- print ll_file, fmt("%.6f CPU load %.02f", network_time(), load);
-
- # Second test is for whether we have any room to change
- # things. It shouldn't be hardwired to "xxx10" ....
- if ( load > cpu_upper_limit &&
- current_load_level != LoadLevel10 )
- {
- print ll_file, fmt("%.6f CPU load above limit: %.02f",
- network_time(), load);
- increase_load_level();
- }
-
- else if ( load < cpu_lower_limit &&
- current_load_level != LoadLevel1 )
- {
- print ll_file, fmt("%.6f CPU load below limit: %.02f",
- network_time(), load);
- decrease_load_level();
- }
- }
-
- cpu_last_proc_time = proc_time;
- cpu_last_wall_time = wall_time;
-
- schedule cpu_interval { cpu_measure_load() };
- }
-
-event bro_init()
- {
- schedule cpu_interval { cpu_measure_load() };
- }
diff --git a/policy.old/dce.bro b/policy.old/dce.bro
deleted file mode 100644
index 51b82d3894..0000000000
--- a/policy.old/dce.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id:$
-
-redef capture_filters += { ["dce"] = "port 135" };
-
-global dce_ports = { 135/tcp } &redef;
-redef dpd_config += { [ANALYZER_DCE_RPC] = [$ports = dce_ports] };
-
-# No default implementation for events.
diff --git a/policy.old/demux.bro b/policy.old/demux.bro
deleted file mode 100644
index cfb70d6686..0000000000
--- a/policy.old/demux.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id: demux.bro 4758 2007-08-10 06:49:23Z vern $
-
-const demux_dir = log_file_name("xscript") &redef;
-global created_demux_dir = F;
-
-# Table of which connections we're demuxing.
-global demuxed_conn: set[conn_id];
-
-# tag: identifier to use for the reason for demuxing
-# otag: identifier to use for originator side of the connection
-# rtag: identifier to use for responder side of the connection
-function demux_conn(id: conn_id, tag: string, otag: string, rtag: string): bool
- {
- if ( id in demuxed_conn || ! active_connection(id) )
- return F;
-
- if ( ! created_demux_dir )
- {
- mkdir(demux_dir);
- created_demux_dir = T;
- }
-
- local orig_file =
- fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, otag, tag,
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
- local resp_file =
- fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, rtag, tag,
- id$resp_h, id$resp_p, id$orig_h, id$orig_p);
-
- set_contents_file(id, CONTENTS_ORIG, open(orig_file));
- set_contents_file(id, CONTENTS_RESP, open(resp_file));
-
- add demuxed_conn[id];
-
- return T;
- }
-
-event connection_finished(c: connection)
- {
- delete demuxed_conn[c$id];
- }
diff --git a/policy.old/detect-protocols-http.bro b/policy.old/detect-protocols-http.bro
deleted file mode 100644
index fb1fed33ac..0000000000
--- a/policy.old/detect-protocols-http.bro
+++ /dev/null
@@ -1,156 +0,0 @@
-# $Id: detect-protocols-http.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $
-#
-# Identifies protocols that use HTTP.
-
-@load detect-protocols
-
-module DetectProtocolHTTP;
-
-export {
- # Defines characteristics of a protocol. All attributes must match
- # to trigger the detection. We match patterns against lower-case
- # versions of the data.
- type protocol : record {
- url: pattern &optional;
- client_header: pattern &optional;
- client_header_content: pattern &optional;
- server_header: pattern &optional;
- server_header_content: pattern &optional;
- };
-
- const protocols: table[string] of protocol = {
- ["Kazaa"] = [$url=/^\/\.hash=.*/, $server_header=/^x-kazaa.*/],
- ["Gnutella"] = [$url=/^\/(uri-res|gnutella).*/,
- $server_header=/^x-gnutella-.*/],
- ["Gnutella_"] = [$url=/^\/(uri-res|gnutella).*/,
- $server_header=/^x-(content-urn|features).*/],
- ["Gnutella__"] = [$url=/^\/(uri-res|gnutella).*/,
- $server_header=/^content-type/,
- $server_header_content=/.*x-gnutella.*/],
- ["BitTorrent"] = [$url=/^.*\/(scrape|announce)\?.*info_hash.*/],
- ["SOAP"] = [$client_header=/^([:print:]+-)?(soapaction|methodname|messagetype).*/],
- ["Squid"] = [$server_header=/^x-squid.*/],
- } &redef;
-}
-
-# Bit masks.
-const url_found = 1;
-const client_header_found = 2;
-const server_header_found = 2;
-
-type index : record {
- id: conn_id;
- pid: string;
-};
-
-# Maps to characteristics found so far.
-# FIXME: An integer would suffice for the bit-field
-# if we had bit-operations ...
-global conns: table[index] of set[count] &read_expire = 1hrs;
-
-function check_match(c: connection, pid: string, mask: set[count])
- {
- conns[[$id=c$id, $pid=pid]] = mask;
-
- local p = protocols[pid];
-
- if ( p?$url && url_found !in mask )
- return;
-
- if ( p?$client_header && client_header_found !in mask )
- return;
-
- if ( p?$server_header && server_header_found !in mask )
- return;
-
- # All found.
-
- ProtocolDetector::found_protocol(c, ANALYZER_HTTP, pid);
- }
-
-event http_request(c: connection, method: string, original_URI: string,
- unescaped_URI: string, version: string)
- {
- for ( pid in protocols )
- {
- local p = protocols[pid];
-
- if ( ! p?$url )
- next;
-
- local mask: set[count];
- local idx = [$id=c$id, $pid=pid];
- if ( idx in conns )
- mask = conns[idx];
-
- if ( url_found in mask )
- # Already found a match.
- next;
-
- # FIXME: There are people putting NULs into the URLs
- # (BitTorrent), which to_lower() does not like. Not sure
- # what the right fix is, though.
- unescaped_URI = subst_string(unescaped_URI, "\x00", "");
-
- if ( to_lower(unescaped_URI) == p$url )
- {
- add mask[url_found];
- check_match(c, pid, mask);
- }
- }
- }
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
- {
- if ( name == /[sS][eE][rR][vV][eE][rR]/ )
- {
- # Try to extract the server software.
- local s = split1(strip(value), /[[:space:]\/]/);
- if ( s[1] == /[-a-zA-Z0-9_]+/ )
- ProtocolDetector::found_protocol(c, ANALYZER_HTTP, s[1]);
- }
-
- for ( pid in protocols )
- {
- local p = protocols[pid];
-
- local mask: set[count];
- local idx = [$id=c$id, $pid=pid];
- if ( idx in conns )
- mask = conns[idx];
-
- if ( p?$client_header && is_orig )
- {
- if ( client_header_found in mask )
- return;
-
- if ( to_lower(name) == p$client_header )
- {
- if ( p?$client_header_content )
- if ( to_lower(value) !=
- p$client_header_content )
- return;
-
- add mask[client_header_found];
- check_match(c, pid, mask);
- }
- }
-
- if ( p?$server_header && ! is_orig )
- {
- if ( server_header_found in mask )
- return;
-
- if ( to_lower(name) == p$server_header )
- {
- if ( p?$server_header_content )
- if ( to_lower(value) !=
- p$server_header_content )
- return;
-
- add mask[server_header_found];
- check_match(c, pid, mask);
- }
- }
- }
- }
diff --git a/policy.old/detect-protocols.bro b/policy.old/detect-protocols.bro
deleted file mode 100644
index 49f02e60e9..0000000000
--- a/policy.old/detect-protocols.bro
+++ /dev/null
@@ -1,258 +0,0 @@ -# $Id: detect-protocols.bro,v 1.1.4.4 2006/05/31 18:07:27 sommer Exp $ -# -# Finds connections with protocols on non-standard ports using the DPM -# framework. - -@load site - -@load conn-id -@load notice - -module ProtocolDetector; - -export { - redef enum Notice += { - ProtocolFound, # raised for each connection found - ServerFound, # raised once per dst host/port/protocol tuple - }; - - # Table of (protocol, resp_h, resp_p) tuples known to be uninteresting - # in the given direction. For all other protocols detected on - # non-standard ports, we raise a ProtocolFound notice. (More specific - # filtering can then be done via notice_filters.) - # - # Use 0.0.0.0 for to wildcard-match any resp_h. - - type dir: enum { NONE, INCOMING, OUTGOING, BOTH }; - - const valids: table[count, addr, port] of dir = { - # A couple of ports commonly used for benign HTTP servers. - - # For now we want to see everything. - - # [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, - # - # [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella - } &redef; - - # Set of analyzers for which we suppress ServerFound notices - # (but not ProtocolFound). Along with avoiding clutter in the - # log files, this also saves memory because for these we don't - # need to remember which servers we already have reported, which - # for some can be a lot. 
- const suppress_servers: set [count] = { - # ANALYZER_HTTP - } &redef; - - # We consider a connection to use a protocol X if the analyzer for X - # is still active (i) after an interval of minimum_duration, or (ii) - # after a payload volume of minimum_volume, or (iii) at the end of the - # connection. - const minimum_duration = 30 secs &redef; - const minimum_volume = 4e3 &redef; # bytes - - # How often to check the size of the connection. - const check_interval = 5 secs; - - # Entry point for other analyzers to report that they recognized - # a certain (sub-)protocol. - global found_protocol: function(c: connection, analyzer: count, - protocol: string); - - # Table keeping reported (server, port, analyzer) tuples (and their - # reported sub-protocols). - global servers: table[addr, port, string] of set[string] - &read_expire = 14 days; -} - -# Table that tracks currently active dynamic analyzers per connection. -global conns: table[conn_id] of set[count]; - -# Table of reports by other analyzers about the protocol used in a connection. -global protocols: table[conn_id] of set[string]; - -type protocol : record { - a: string; # analyzer name - sub: string; # "sub-protocols" reported by other sources -}; - -function get_protocol(c: connection, a: count) : protocol - { - local str = ""; - if ( c$id in protocols ) - { - for ( p in protocols[c$id] ) - str = |str| > 0 ? fmt("%s/%s", str, p) : p; - } - - return [$a=analyzer_name(a), $sub=str]; - } - -function fmt_protocol(p: protocol) : string - { - return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a; - } - -function do_notice(c: connection, a: count, d: dir) - { - if ( d == BOTH ) - return; - - if ( d == INCOMING && is_local_addr(c$id$resp_h) ) - return; - - if ( d == OUTGOING && ! 
is_local_addr(c$id$resp_h) ) - return; - - local p = get_protocol(c, a); - local s = fmt_protocol(p); - - NOTICE([$note=ProtocolFound, - $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p), - $sub=s, $conn=c, $n=a]); - - # We report multiple ServerFound's per host if we find a new - # sub-protocol. - local known = [c$id$resp_h, c$id$resp_p, p$a] in servers; - - local newsub = F; - if ( known ) - newsub = (p$sub != "" && - p$sub !in servers[c$id$resp_h, c$id$resp_p, p$a]); - - if ( (! known || newsub) && a !in suppress_servers ) - { - NOTICE([$note=ServerFound, - $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, - c$id$resp_p, (known ? " (update)" : "")), - $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]); - - if ( ! known ) - servers[c$id$resp_h, c$id$resp_p, p$a] = set(); - - add servers[c$id$resp_h, c$id$resp_p, p$a][p$sub]; - } - } - -function report_protocols(c: connection) - { - # We only report the connection if both sides have transferred data. - if ( c$resp$size == 0 || c$orig$size == 0 ) - { - delete conns[c$id]; - delete protocols[c$id]; - return; - } - - local analyzers = conns[c$id]; - - for ( a in analyzers ) - { - if ( [a, c$id$resp_h, c$id$resp_p] in valids ) - do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]); - - else if ( [a, 0.0.0.0, c$id$resp_p] in valids ) - do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]); - else - do_notice(c, a, NONE); - - append_addl(c, analyzer_name(a)); - } - - delete conns[c$id]; - delete protocols[c$id]; - } - -event ProtocolDetector::check_connection(c: connection) - { - if ( c$id !in conns ) - return; - - local duration = network_time() - c$start_time; - local size = c$resp$size + c$orig$size; - - if ( duration >= minimum_duration || size >= minimum_volume ) - report_protocols(c); - else - { - local delay = min_interval(minimum_duration - duration, - check_interval); - schedule delay { ProtocolDetector::check_connection(c) }; - } - } - -event connection_state_remove(c: connection) - { - if ( 
c$id !in conns ) - { - delete protocols[c$id]; - return; - } - - # Reports all analyzers that have remained to the end. - report_protocols(c); - } - -event protocol_confirmation(c: connection, atype: count, aid: count) - { - # Don't report anything running on a well-known port. - if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports ) - return; - - if ( c$id in conns ) - { - local analyzers = conns[c$id]; - add analyzers[atype]; - } - else - { - conns[c$id] = set(atype); - - local delay = min_interval(minimum_duration, check_interval); - schedule delay { ProtocolDetector::check_connection(c) }; - } - } - -# event connection_analyzer_disabled(c: connection, analyzer: count) -# { -# if ( c$id !in conns ) -# return; -# -# delete conns[c$id][analyzer]; -# } - -function append_proto_addl(c: connection) - { - for ( a in conns[c$id] ) - append_addl(c, fmt_protocol(get_protocol(c, a))); - } - -function found_protocol(c: connection, analyzer: count, protocol: string) - { - # Don't report anything running on a well-known port. - if ( analyzer in dpd_config && - c$id$resp_p in dpd_config[analyzer]$ports ) - return; - - if ( c$id !in protocols ) - protocols[c$id] = set(); - - add protocols[c$id][protocol]; - } - -event connection_state_remove(c: connection) - { - if ( c$id !in conns ) - return; - - append_proto_addl(c); - } - diff --git a/policy.old/dhcp.bro b/policy.old/dhcp.bro deleted file mode 100644 index 2c60f73fe4..0000000000 --- a/policy.old/dhcp.bro +++ /dev/null 
@@ -1,525 +0,0 @@ -# $Id: dhcp.bro 4054 2007-08-14 21:45:58Z pclin $ - -@load dpd -@load weird - -module DHCP; - -export { - # Set to false to disable printing to dhcp.log. - const logging = T &redef; -} - -# Type of states in DHCP client. See Figure 5 in RFC 2131. -# Each state name is prefixed with DHCP_ to avoid name conflicts. -type dhcp_state: enum { - - DHCP_INIT_REBOOT, - DHCP_INIT, - DHCP_SELECTING, - DHCP_REQUESTING, - DHCP_REBINDING, - DHCP_BOUND, - DHCP_RENEWING, - DHCP_REBOOTING, - - # This state is not in Figure 5. Client has been externally configured. - DHCP_INFORM, -}; - -global dhcp_log: file; - -# Source port 68: client -> server; source port 67: server -> client. -global dhcp_ports: set[port] = { 67/udp, 68/udp } &redef; - -redef dpd_config += { [ANALYZER_DHCP_BINPAC] = [$ports = dhcp_ports] }; - -# Default handling for peculiarities in DHCP analysis. -redef Weird::weird_action += { - ["DHCP_no_type_option"] = Weird::WEIRD_FILE, - ["DHCP_wrong_op_type"] = Weird::WEIRD_FILE, - ["DHCP_wrong_msg_type"] = Weird::WEIRD_FILE, -}; - -# Types of DHCP messages, identified from the 'options' field. See RFC 1533. -global dhcp_msgtype_name: table[count] of string = { - [1] = "DHCP_DISCOVER", - [2] = "DHCP_OFFER", - [3] = "DHCP_REQUEST", - [4] = "DHCP_DECLINE", - [5] = "DHCP_ACK", - [6] = "DHCP_NAK", - [7] = "DHCP_RELEASE", - [8] = "DHCP_INFORM", -}; - -# Type of DHCP client state, inferred from the messages. See RFC 2131, fig 5. 
-global dhcp_state_name: table[dhcp_state] of string = { - [DHCP_INIT_REBOOT] = "INIT-REBOOT", - [DHCP_INIT] = "INIT", - [DHCP_SELECTING] = "SELECTING", - [DHCP_REQUESTING] = "REQUESTING", - [DHCP_REBINDING] = "REBINDING", - [DHCP_BOUND] = "BOUND", - [DHCP_RENEWING] = "RENEWING", - [DHCP_REBOOTING] = "REBOOTING", - [DHCP_INFORM] = "INFORM", -}; - -type dhcp_session_info: record { - state: dhcp_state; # the state of a DHCP client - seq: count; # sequence of session in the trace - lease: interval; # lease time of an IP address - h_addr: string; # hardware/MAC address of the client -}; - -# Track the DHCP session info of each client, indexed by the transaction ID. -global dhcp_session: table[count] of dhcp_session_info - &default = record($state = DHCP_INIT_REBOOT, $seq = 0, $lease = 0 sec, - $h_addr = "") - &write_expire = 5 min -; - -# We need the following table to track some DHCPINFORM messages since they -# use xid = 0 (I do not know why), starting from the second pair of INFORM -# and ACK. Since the client address is ready before DHCPINFORM, we can use -# it as the index to find its corresponding xid. -global session_xid: table[addr] of count &read_expire = 30 sec; - -# Count how many DHCP sessions have been detected, for use in dhcp_session_seq. -global pkt_cnt: count = 0; -global session_cnt: count = 0; - -# Record the address of client that sends a DHCPINFORM message with xid = 0. -global recent_client: addr; - -global BROADCAST_ADDR = 255.255.255.255; -global NULL_ADDR = 0.0.0.0; - -# Used to detect if an ACK is duplicated. They are used only in dhcp_ack(). -# We put them here since Bro scripts lacks the equivalent of "static" variables. 
-global ack_from: addr; -global duplicated_ack: bool; - - -function warning_wrong_state(msg_type: count): string - { - return fmt("%s not sent in a correct state.", - dhcp_msgtype_name[msg_type]); - } - -function dhcp_message(c: connection, seq: count, show_conn: bool): string - { - local conn_info = fmt("%.06f #%d", network_time(), seq); - if ( show_conn ) - return fmt("%s %s > %s", conn_info, - endpoint_id(c$id$orig_h, c$id$orig_p), - endpoint_id(c$id$resp_h, c$id$resp_p)); - - return conn_info; - } - -function new_dhcp_session(xid: count, state: dhcp_state, h_addr: string) -: dhcp_session_info - { - local session: dhcp_session_info; - session$state = state; - session$seq = ++session_cnt; - session$lease = 0 sec; - session$h_addr = h_addr; - - dhcp_session[xid] = session; - - return session; - } - - -event bro_init() - { - if ( logging ) - dhcp_log = open_log_file("dhcp"); - } - -event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr) - { - local old_session = T; - - if ( msg$xid !in dhcp_session ) - { - local session = - new_dhcp_session(msg$xid, DHCP_SELECTING, msg$h_addr); - old_session = F; - } - - if ( logging ) - { - if ( old_session && - dhcp_session[msg$xid]$state == DHCP_SELECTING ) - print dhcp_log, fmt("%s DISCOVER (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - print dhcp_log, - fmt("%s DISCOVER (xid = %x, client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - msg$xid, dhcp_state_name[dhcp_session[msg$xid]$state]); - } - } - -event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, - router: dhcp_router_list, lease: interval, serv_addr: addr) - { - local standalone = msg$xid !in dhcp_session; - local err_state = - standalone && dhcp_session[msg$xid]$state != DHCP_SELECTING; - - if ( logging ) - { - # Note that no OFFER messages are considered duplicated, - # since they may come from multiple DHCP servers in a session. 
- if ( standalone ) - print dhcp_log, fmt("%s OFFER (standalone)", - dhcp_message(c, ++session_cnt, T)); - - else if ( err_state ) - print dhcp_log, fmt("%s OFFER (in error state %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[dhcp_session[msg$xid]$state]); - - else - print dhcp_log, fmt("%s OFFER (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[DHCP_SELECTING]); - } - } - -event dhcp_request(c: connection, msg: dhcp_msg, - req_addr: addr, serv_addr: addr) - { - local log_info: string; - - if ( msg$xid in dhcp_session ) - { - if ( ! logging ) - return; - - local state = dhcp_session[msg$xid]$state; - - if ( state == DHCP_REBOOTING ) - recent_client = req_addr; - else - recent_client = c$id$orig_h; - - session_xid[recent_client] = msg$xid; - - if ( state == DHCP_RENEWING || state == DHCP_REBINDING || - state == DHCP_REQUESTING || state == DHCP_REBOOTING ) - print dhcp_log, fmt("%s REQUEST (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - { - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T); - print dhcp_log, fmt("%s REQUEST (in error state %s)", - log_info, - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - } - else - { - local d_state = DHCP_REBOOTING; - - if ( c$id$resp_h != BROADCAST_ADDR ) - d_state = DHCP_RENEWING; - else if ( msg$ciaddr != NULL_ADDR ) - d_state = DHCP_REBINDING; - else if ( serv_addr != NULL_ADDR ) - d_state = DHCP_REQUESTING; - - local session = new_dhcp_session(msg$xid, d_state, msg$h_addr); - - if ( session$state == DHCP_REBOOTING ) - recent_client = req_addr; - else - recent_client = c$id$orig_h; - - session_xid[recent_client] = msg$xid; - - if ( logging ) - { - log_info = dhcp_message(c, session$seq, T); - if ( req_addr != NULL_ADDR ) - log_info = fmt("%s REQUEST %As", - log_info, req_addr); - else - log_info = fmt("%s REQUEST", log_info); - - print dhcp_log, fmt("%s (xid = %x, client state = %s)", - log_info, msg$xid, - 
dhcp_state_name[session$state]); - } - } - } - -event dhcp_decline(c: connection, msg: dhcp_msg) - { - local old_session = msg$xid in dhcp_session; - local err_state = F; - - if ( old_session ) - { - if ( dhcp_session[msg$xid]$state == DHCP_REQUESTING ) - dhcp_session[msg$xid]$state = DHCP_INIT; - else - err_state = T; - } - else - new_dhcp_session(msg$xid, DHCP_INIT, ""); - - if ( ! logging ) - return; - - if ( old_session ) - { - if ( err_state ) - print dhcp_log, fmt("%s DECLINE (in error state %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, T), - dhcp_state_name[dhcp_session[msg$xid]$state]); - else - print dhcp_log, fmt("%s DECLINE (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - } - else - print dhcp_log, fmt("%s DECLINE (xid = %x)", - dhcp_message(c, ++session_cnt, T), msg$xid); - } - -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, - router: dhcp_router_list, lease: interval, serv_addr: addr) - { - local log_info: string; - - if ( msg$xid == 0 ) - { # An ACK for a DHCPINFORM message with xid = 0. - local xid = - c$id$orig_h in session_xid ? - # An ACK to the client. - session_xid[c$id$orig_h] - : - # Assume ACK from a relay agent to the server. - session_xid[recent_client]; - - local seq: count; - - if ( xid > 0 ) - { - duplicated_ack = dhcp_session[xid]$state != DHCP_INFORM; - dhcp_session[xid]$state = DHCP_BOUND; - seq = dhcp_session[xid]$seq; - } - else - { - # This is a weird situation. We arbitrarily set - # duplicated_ack to false to have more information - # shown. - duplicated_ack = F; - seq = session_cnt; - } - - if ( ! 
logging ) - return; - - log_info = dhcp_message(c, seq, F); - if ( c$id$orig_h in session_xid ) - { - if ( duplicated_ack ) - print dhcp_log, fmt("%s ACK (duplicated)", - log_info); - else - print dhcp_log, - fmt("%s ACK (client state = %s)", - log_info, - dhcp_state_name[DHCP_BOUND]); - } - else - print dhcp_log, - fmt("%s ACK (relay agent at = %As)", - log_info, c$id$orig_h); - return; - } - - if ( msg$xid in dhcp_session ) - { - local last_state = dhcp_session[msg$xid]$state; - local from_reboot_state = last_state == DHCP_REBOOTING; - - if ( last_state == DHCP_REQUESTING || - last_state == DHCP_REBOOTING || - last_state == DHCP_RENEWING || - last_state == DHCP_REBINDING || - last_state == DHCP_INFORM ) - { - dhcp_session[msg$xid]$state = DHCP_BOUND; - dhcp_session[msg$xid]$lease = lease; - } - - if ( ! logging ) - return; - - if ( last_state == DHCP_BOUND ) - { - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F); - if ( c$id$orig_h == ack_from ) - log_info = fmt("%s ACK (duplicated)", - log_info); - - else - # Not a duplicated ACK. - log_info = fmt("%s ACK (relay agent at = %As)", - log_info, c$id$orig_h); - } - else - { - ack_from = c$id$orig_h; - - # If in a reboot state, we had better - # explicitly show the original address - # and the destination address of ACK, - # because the client initally has a - # zero address. 
- if ( from_reboot_state ) - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T); - else - log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F); - - if ( last_state != DHCP_INFORM && - lease > 0 sec ) - log_info = fmt("%s ACK (lease time = %s, ", - log_info, lease); - else - log_info = fmt("%s ACK (", log_info); - - log_info = fmt("%sclient state = %s)", - log_info, - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - print dhcp_log, log_info; - } - - else if ( logging ) - print dhcp_log, fmt("%s ACK (standalone)", - dhcp_message(c, ++session_cnt, T)); - } - -event dhcp_nak(c: connection, msg: dhcp_msg) - { - if ( msg$xid in dhcp_session ) - { - local last_state = dhcp_session[msg$xid]$state; - - if ( last_state == DHCP_REQUESTING || - last_state == DHCP_REBOOTING || - last_state == DHCP_RENEWING || - last_state == DHCP_REBINDING ) - dhcp_session[msg$xid]$state = DHCP_INIT; - - if ( logging ) - print dhcp_log, fmt("%s NAK (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - else if ( logging ) - print dhcp_log, fmt("%s NAK (standalone)", - dhcp_message(c, ++session_cnt, T)); - } - -event dhcp_release(c: connection, msg: dhcp_msg) - { - local old_session = msg$xid in dhcp_session; - - if ( ! old_session ) - # We assume the client goes back to DHCP_INIT - # because the RFC does not specify which state to go to. - new_dhcp_session(msg$xid, DHCP_INIT, ""); - - if ( ! 
logging ) - return; - - if ( old_session ) - { - if ( dhcp_session[msg$xid]$state == DHCP_INIT ) - print dhcp_log, fmt("%s RELEASE (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else - print dhcp_log, fmt("%s RELEASE, (client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - else - print dhcp_log, fmt("%s RELEASE (xid = %x, IP addr = %As)", - dhcp_message(c, session_cnt, T), msg$xid, c$id$orig_h); - } - -event dhcp_inform(c: connection, msg: dhcp_msg) - { - recent_client = c$id$orig_h; - - if ( msg$xid == 0 ) - { - # Oops! Try to associate message with transaction ID 0 with - # a previous session. - local xid: count; - local seq: count; - - if ( c$id$orig_h in session_xid ) - { - xid = session_xid[c$id$orig_h]; - dhcp_session[xid]$state = DHCP_INFORM; - seq = dhcp_session[xid]$seq; - } - else - { - # Weird: xid = 0 and no previous INFORM-ACK dialog. - xid = 0; - seq = ++session_cnt; - - # Just record that a INFORM message has appeared, - # although the xid is not useful. - session_xid[c$id$orig_h] = 0; - } - - if ( logging ) - print dhcp_log, - fmt("%s INFORM (xid = %x, client state = %s)", - dhcp_message(c, seq, T), - xid, dhcp_state_name[DHCP_INFORM]); - return; - } - - if ( msg$xid in dhcp_session ) - { - if ( logging ) - if ( dhcp_session[msg$xid]$state == DHCP_INFORM ) - print dhcp_log, fmt("%s INFORM (duplicated)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F)); - else { - print dhcp_log, - fmt("%s INFORM (duplicated, client state = %s)", - dhcp_message(c, dhcp_session[msg$xid]$seq, F), - dhcp_state_name[dhcp_session[msg$xid]$state]); - } - - return; - } - - local session = new_dhcp_session(msg$xid, DHCP_INFORM, msg$h_addr); - - # Associate this transaction ID with the host so we can identify - # subsequent pairs of INFORM/ACK if client uses xid=0. 
- session_xid[c$id$orig_h] = msg$xid; - - if ( logging ) - print dhcp_log, fmt("%s INFORM (xid = %x, client state = %s)", - dhcp_message(c, session$seq, T), - msg$xid, dhcp_state_name[session$state]); - } diff --git a/policy.old/dns-info.bro b/policy.old/dns-info.bro deleted file mode 100644 index 3ad36d461e..0000000000 --- a/policy.old/dns-info.bro +++ /dev/null 
@@ -1,81 +0,0 @@
-# $Id: dns-info.bro 3919 2007-01-14 00:27:09Z vern $
-
-# Types, errors, and fields for analyzing DNS data. A helper file
-# for dns.bro.
-
-const PTR = 12;
-const EDNS = 41;
-const ANY = 255;
-
-const query_types = {
- [1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
- [5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
- [9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR",
- [13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT",
- [17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN",
- [21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG",
- [25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA",
- [29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
- [33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
- [37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
- [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
- [45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
- [49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
- [102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
- [251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
- [32768] = "TA", [32769] = "DLV",
- [ANY] = "*",
-} &default = function(n: count): string { return fmt("query-%d", n); };
-
-const DNS_code_types = {
- [0] = "X0",
- [1] = "Xfmt",
- [2] = "Xsrv",
- [3] = "Xnam",
- [4] = "Ximp",
- [5] = "X[",
-} &default = function(n: count): string { return "?"; };
-
-# Used for non-TSIG/EDNS types.
-const base_error = {
- [0] = "NOERROR", # No Error
- [1] = "FORMERR", # Format Error
- [2] = "SERVFAIL", # Server Failure
- [3] = "NXDOMAIN", # Non-Existent Domain
- [4] = "NOTIMP", # Not Implemented
- [5] = "REFUSED", # Query Refused
- [6] = "YXDOMAIN", # Name Exists when it should not
- [7] = "YXRRSET", # RR Set Exists when it should not
- [8] = "NXRRSet", # RR Set that should exist does not
- [9] = "NOTAUTH", # Server Not Authoritative for zone
- [10] = "NOTZONE", # Name not contained in zone
- [11] = "unassigned-11", # available for assignment
- [12] = "unassigned-12", # available for assignment
- [13] = "unassigned-13", # available for assignment
- [14] = "unassigned-14", # available for assignment
- [15] = "unassigned-15", # available for assignment
- [16] = "BADVERS", # for EDNS, collision w/ TSIG
- [17] = "BADKEY", # Key not recognized
- [18] = "BADTIME", # Signature out of time window
- [19] = "BADMODE", # Bad TKEY Mode
- [20] = "BADNAME", # Duplicate key name
- [21] = "BADALG", # Algorithm not supported
- [22] = "BADTRUNC", # draft-ietf-dnsext-tsig-sha-05.txt
- [3842] = "BADSIG", # 16 <= number collision with EDNS(16);
- # this is a translation from TSIG(16)
-} &default = function(n: count): string { return "?"; };
-
-# This deciphers EDNS Z field values.
-const edns_zfield = {
- [0] = "NOVALUE", # regular entry
- [32768] = "DNS_SEC_OK", # accepts DNS Sec RRs
-} &default = function(n: count): string { return "?"; };
-
-const dns_class = {
- [1] = "C_INTERNET",
- [2] = "C_CSNET",
- [3] = "C_CHAOS",
- [4] = "C_HESOD",
- [254] = "C_NONE",
- [255] = "C_ANY",
-} &default = function(n: count): string { return "?"; };
diff --git a/policy.old/dns-lookup.bro b/policy.old/dns-lookup.bro
deleted file mode 100644
index 8ef1dd4f0a..0000000000
--- a/policy.old/dns-lookup.bro
+++ /dev/null
@@ -1,65 +0,0 @@
-# $Id: dns-lookup.bro 340 2004-09-09 06:38:27Z vern $
-
-@load notice
-
-redef enum Notice += {
- DNS_MappingChanged, # some sort of change WRT previous Bro lookup
-};
-
-const dns_interesting_changes = {
- "unverified", "old name", "new name", "mapping",
-} &redef;
-
-function dump_dns_mapping(msg: string, dm: dns_mapping): bool
- {
- if ( msg in dns_interesting_changes ||
- 127.0.0.1 in dm$addrs )
- {
- local req = dm$req_host == "" ?
- fmt("%As", dm$req_addr) : dm$req_host;
- NOTICE([$note=DNS_MappingChanged,
- $msg=fmt("DNS %s: %s/%s %s-> %As", msg, req,
- dm$hostname, dm$valid ?
- "" : "(invalid) ", dm$addrs),
- $sub=msg]);
-
- return T;
- }
- else
- return F;
- }
-
-event dns_mapping_valid(dm: dns_mapping)
- {
- dump_dns_mapping("valid", dm);
- }
-
-event dns_mapping_unverified(dm: dns_mapping)
- {
- dump_dns_mapping("unverified", dm);
- }
-
-event dns_mapping_new_name(dm: dns_mapping)
- {
- dump_dns_mapping("new name", dm);
- }
-
-event dns_mapping_lost_name(dm: dns_mapping)
- {
- dump_dns_mapping("lost name", dm);
- }
-
-event dns_mapping_name_changed(old_dm: dns_mapping, new_dm: dns_mapping)
- {
- if ( dump_dns_mapping("old name", old_dm) )
- dump_dns_mapping("new name", new_dm);
- }
-
-event dns_mapping_altered(dm: dns_mapping,
- old_addrs: set[addr], new_addrs: set[addr])
- {
- if ( dump_dns_mapping("mapping", dm) )
- NOTICE([$note=DNS_MappingChanged,
- $msg=fmt("changed addresses: %As -> %As", old_addrs, new_addrs),
- $sub="changed addresses"]);
- }
diff --git a/policy.old/dns.bro b/policy.old/dns.bro
deleted file mode 100644
index 812e7245cc..0000000000
--- a/policy.old/dns.bro
+++ /dev/null
@@ -1,675 +0,0 @@ -# $Id: dns.bro 6724 2009-06-07 09:23:03Z vern $ - -@load notice -@load weird -@load udp-common -@load dns-info - -module DNS; - -export { - # Lookups of hosts in here are flagged ... - const sensitive_lookup_hosts: set[addr] &redef; - - # ... unless the lookup comes from one of these hosts. - const okay_to_lookup_sensitive_hosts: set[addr] &redef; - - # Start considering whether we're seeing PTR scanning if we've seen - # at least this many rejected PTR queries. - const report_rejected_PTR_thresh = 100 &redef; - - # Generate a PTR_scan event if at any point (once we're above - # report_rejected_PTR_thresh) we see this many more distinct - # rejected PTR requests than distinct answered PTR requests. - const report_rejected_PTR_factor = 2.0 &redef; - - # The following sources are allowed to do PTR scanning. - const allow_PTR_scans: set[addr] &redef; - - # Annotations that if returned for a PTR lookup actually indicate - # a rejected query; for example, "illegal-address.lbl.gov". - const actually_rejected_PTR_anno: set[string] &redef; - - # Hosts allowed to do zone transfers. - const zone_transfers_okay: set[addr] &redef; - - # Set to false to disable printing to dns.log. - const logging = T &redef; - - redef enum Notice += { - SensitiveDNS_Lookup, # DNS lookup of sensitive hostname/addr - DNS_PTR_Scan, # A set of PTR lookups - DNS_PTR_Scan_Summary, # Summary of a set of PTR lookups - ResolverInconsistency, # DNS answer changed - ZoneTransfer, # a DNS zone transfer request was seen - - }; - - # This is a list of domains that have a history of providing - # more RR's in response than they are supposed to. There is - # some danger here in that record inconsistancies will not be - # identified for these domains... - const bad_domain_resp: set[string] &redef; - - # Same idea, except that it applies to a list of host names. - const bad_host_resp: set[string] &redef; - - # Turn resolver consistancy checking on/off. 
- const resolver_consist_check = F &redef; - - # Should queries be checked against 'bad' domains? - const check_domain_list = T; - - # List of 'bad' domains. - const hostile_domain_list: set[string] &redef; - - # Used for PTR scan detection. Exported so their timeouts can be - # adjusted. - global distinct_PTR_requests: - table[addr, string] of count &default = 0 &write_expire = 5 min; - global distinct_rejected_PTR_requests: - table[addr] of count &default = 0 &write_expire = 5 min; - global distinct_answered_PTR_requests: - table[addr] of count &default = 0 &write_expire = 5 min; -} - -redef capture_filters += { - ["dns"] = "port 53", - ["netbios-ns"] = "udp port 137", -}; - -# DPM configuration. -global dns_ports = { 53/udp, 53/tcp, 137/udp } &redef; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - -global dns_udp_ports = { 53/udp, 137/udp } &redef; -global dns_tcp_ports = { 53/tcp } &redef; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; - -# Default handling for peculiarities in DNS analysis. You can redef these -# again in your site-specific script if you want different behavior. 
-redef Weird::weird_action += { - ["DNS_AAAA_neg_length"] = Weird::WEIRD_FILE, - ["DNS_Conn_count_too_large"] = Weird::WEIRD_FILE, - ["DNS_NAME_too_long"] = Weird::WEIRD_FILE, - ["DNS_RR_bad_length"] = Weird::WEIRD_FILE, - ["DNS_RR_length_mismatch"] = Weird::WEIRD_FILE, - ["DNS_RR_unknown_type"] = Weird::WEIRD_FILE, - ["DNS_label_forward_compress_offset"] = Weird::WEIRD_FILE, - ["DNS_label_len_gt_name_len"] = Weird::WEIRD_FILE, - ["DNS_label_len_gt_pkt"] = Weird::WEIRD_FILE, - ["DNS_label_too_long"] = Weird::WEIRD_FILE, - ["DNS_name_too_long"] = Weird::WEIRD_FILE, - ["DNS_truncated_RR_rdlength_lt_len"] = Weird::WEIRD_FILE, - ["DNS_truncated_ans_too_short"] = Weird::WEIRD_FILE, - ["DNS_truncated_len_lt_hdr_len"] = Weird::WEIRD_FILE, - ["DNS_truncated_quest_too_short"] = Weird::WEIRD_FILE, -}; - -type dns_session_info: record { - id: count; - is_zone_transfer: bool; - last_active: time; # when we last saw activity - - # Indexed by query id, returns string annotation corresponding to - # queries for which no answer seen yet. - pending_queries: table[count] of string; -}; - -# Indexed by client and server. -global dns_sessions: table[addr, addr, count] of dns_session_info; -global num_dns_sessions = 0; - -const PTR_pattern = /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa/; - -# Keeps track of for which addresses we processed a PTR_scan event. -global did_PTR_scan_event: table[addr] of count &default = 0; - -# The following definitions relate to tracking when DNS records -# change and whether they do so in a consistent fashion. 
-type dns_response_record: record { - dns_name: string; # domain name in question - dns_type: count; # type of query - num_resp: count; # number of responses - resp_count: count; # how many responses have been registered - addrs: set[addr]; # addresses in response -}; - -global dns_history: table[string, count, count] of dns_response_record; - -global did_zone_transfer_notice: table[addr] of count &default = 0; - -# Sample known irregular domains. -redef bad_domain_resp += { "instacontent.net", "mirror-image.net", }; - -# Sample hostile domains. -redef hostile_domain_list += { "undernet.org", "afraid.org", }; - -global dns_log : file; - -event bro_init() - { - if ( logging ) - dns_log = open_log_file("dns"); - } - -event remove_name(name: string, qtype: count, id: count) - { - if ( [name, qtype, id] in dns_history ) - { - # We need to remove the dns_history record and the assosciated - # dns_consistency_info records. - - local drr = dns_history[name, qtype, id]; - local a: addr; - - for ( a in drr$addrs ) - delete drr$addrs[a]; - - delete dns_history[name, qtype, id]; - } - else if ( logging ) - print dns_log, fmt("ERROR in history session removal: %s/%d doesn't exist", name, qtype); - } - -# Returns the second-level domain, so for example an argument of "a.b.c.d" -# returns "c.d". -function second_level_domain(name: string): string - { - local split_on_dots = split(name, /\./); - local num_dots = length(split_on_dots); - - if ( num_dots <= 1 ) - return name; - - return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]); - } - -function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr) - { - local drr: dns_response_record; - - if ( [ans$query, ans$qtype, msg$id] !in dns_history ) - { # add record - drr$dns_name = ans$query; - drr$dns_type = ans$qtype; - - # Here we modified the expected number of addresses to allow - # for the number of answer RR's along with the provided - # additional RR's. 
- drr$num_resp = msg$num_answers+msg$num_addl; - drr$resp_count = 0; - add drr$addrs[a]; - - dns_history[ans$query, ans$qtype, msg$id] = drr; - - if ( ans$TTL < 0 sec ) - # Strangely enough, the spec allows this, - # though it's hard to see why! But because - # of that, we don't generate a Weird, we - # just change the TTL to 0. - ans$TTL = 0 sec; - - # Check the TTL, but allow a smidgen of skew to avoid - # possible race conditions. - schedule ans$TTL + 1 sec - { remove_name(ans$query, ans$qtype, msg$id) }; - } - else - { # extract record and do some counting - drr = dns_history[ans$query, ans$qtype, msg$id]; - - # In some broken records, the number of reported records is 0. - # This makes the test below fail, to 'fix' set to 1 ... - if ( drr$num_resp == 0 ) - drr$num_resp = 1; - - # Check if we have filled in the expected number of responses - # already - it should be > current responder count to allow - # for resolver timeouts. Addresses are only added if they - # are not already prsent. This comes at a slight performance - # cost. - if ( a !in drr$addrs ) - { - add drr$addrs[a]; - ++drr$resp_count; - dns_history[ans$query, ans$qtype, msg$id]=drr; - } - - if ( drr$num_resp >= drr$resp_count ) - return; - - if ( second_level_domain(ans$query) in bad_domain_resp ) - return; - - if ( ans$query in bad_host_resp ) - return; - - # Too many responses to the request, or some other - # inconsistency has been introduced. - - NOTICE([$note=ResolverInconsistency, $conn=c, - $msg=fmt("address inconsistency for %s, %s", ans$query, a), - $dst=a]); - } - } - -event expire_DNS_session(orig: addr, resp: addr, trans_id: count) - { - if ( [orig, resp, trans_id] in dns_sessions ) - { - local session = dns_sessions[orig, resp, trans_id]; - local last_active = session$last_active; - if ( network_time() > last_active + dns_session_timeout || - done_with_network ) - { - # Flush out any pending requests. 
- if ( logging ) - { - for ( query in session$pending_queries ) - print dns_log, fmt("%0.6f #%d %s", - network_time(), session$id, - session$pending_queries[query]); - - print dns_log, fmt("%.06f #%d finish", - network_time(), session$id); - } - - delete dns_sessions[orig, resp, trans_id]; - } - - else - schedule dns_session_timeout { - expire_DNS_session(orig, resp, trans_id) - }; - } - } - -function lookup_DNS_session(c: connection, trans_id: count): dns_session_info - { - local id = c$id; - local orig = id$orig_h; - local resp = id$resp_h; - - if ( [orig, resp, trans_id] !in dns_sessions ) - { - local session: dns_session_info; - session$id = ++num_dns_sessions; - session$last_active = network_time(); - session$is_zone_transfer = F; - - if ( logging ) - print dns_log, fmt("%.06f #%d %s start", - c$start_time, session$id, id_string(id)); - - dns_sessions[orig, resp, trans_id] = session; - - schedule 15 sec { expire_DNS_session(orig, resp, trans_id) }; - - append_addl(c, fmt("#%d", session$id)); - - return session; - } - - else - return dns_sessions[orig, resp, trans_id]; - } - -event sensitive_addr_lookup(c: connection, a: addr, is_query: bool) - { - local orig = c$id$orig_h; - local resp = c$id$resp_h; - local holding = 0; - - if ( orig in okay_to_lookup_sensitive_hosts ) - return; - - local session_id: string; - if ( [orig, resp, holding] in dns_sessions ) - session_id = fmt("#%d", dns_sessions[orig, resp, holding]$id); - else - session_id = "#?"; - - local id = fmt("%s > %s (%s)", orig, resp, session_id); - - if ( is_query ) - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s PTR lookup of %s", id, a), - $sub="PTR lookup"]); - else - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s name lookup of %s", id, a), - $sub="name lookup"]); - } - -function DNS_query_annotation(c: connection, msg: dns_msg, query: string, - qtype: count, is_zone_xfer: bool): string - { - local anno: string; - - if ( (qtype == PTR || qtype == ANY) && query == 
PTR_pattern ) - { - # convert PTR text to more readable form. - local a = ptr_name_to_addr(query); - if ( a in sensitive_lookup_hosts && ! is_zone_xfer ) - event sensitive_addr_lookup(c, a, T); - - anno = fmt("?%s %As", query_types[qtype], a); - } - else - anno = fmt("%s %s", query_types[qtype], query); - - if ( ! is_zone_xfer && - (msg$num_answers > 0 || msg$num_auth > 0 || msg$num_addl > 0) ) - anno = fmt("%s ", anno, - msg$num_answers, msg$num_auth, msg$num_addl); - - return anno; - } - - -event dns_zone_transfer_request(c: connection, session: dns_session_info, - msg: dns_msg, query: string) - { - session$is_zone_transfer = T; - - if ( ! is_tcp_port(c$id$orig_p) ) - event conn_weird("UDP_zone_transfer", c); - - local src = c$id$orig_h; - if ( src !in zone_transfers_okay && - ++did_zone_transfer_notice[src] == 1 ) - { - NOTICE([$note=ZoneTransfer, $src=src, $conn=c, - $msg=fmt("transfer of %s requested by %s", query, src)]); - } - } - -event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) - { - local id = c$id; - local orig = id$orig_h; - local resp = id$resp_h; - local session = lookup_DNS_session(c, msg$id); - local anno = DNS_query_annotation(c, msg, query, qtype, F); - - local report = fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - local q: string; - - if ( query_types[qtype] == "AXFR" ) - { - event dns_zone_transfer_request(c, session, msg, query); - - q = DNS_query_annotation(c, msg, query, qtype, T); - report = fmt("%s ?%s", report, q); - } - else - report = fmt("%s %s Trunc:%s Recurs:%s", - report, query_types[qtype], query, msg$TC, msg$RD); - - if ( logging ) - print dns_log, fmt("%s", report); - - # Check to see if this is a host or MX lookup for a designated - # hostile domain. 
- if ( check_domain_list && - (query_types[qtype] == "A" || query_types[qtype] == "MX") && - second_level_domain(query) in hostile_domain_list ) - { - NOTICE([$note=SensitiveDNS_Lookup, $conn=c, - $msg=fmt("%s suspicious domain lookup: %s", id, query)]); - } - - session$pending_queries[msg$id] = anno; - session$last_active = network_time(); - } - -event dns_rejected(c: connection, msg: dns_msg, - query: string, qtype: count, qclass: count) - { - local session = lookup_DNS_session(c, msg$id); - local code = DNS_code_types[msg$rcode]; - local id = msg$id; - - if ( id in session$pending_queries ) - { - if ( logging ) - print dns_log, fmt("%.06f #%d %s %s", network_time(), - session$id, - session$pending_queries[id], - code); - - delete session$pending_queries[id]; - } - - else if ( logging ) - { - if ( c$start_time == network_time() ) - print dns_log, fmt("%.06f #%d [?%s] %s", network_time(), - session$id, query, code); - else - print dns_log, fmt("%.06f #%d %s", network_time(), - session$id, code); - } - } - -event PTR_scan_summary(src: addr) - { - NOTICE([$note=DNS_PTR_Scan_Summary, $src=src, - $msg=fmt("%s totaled %d/%d un/successful PTR lookups", src, - distinct_rejected_PTR_requests[src], - distinct_answered_PTR_requests[src]), - $sub="final summary"]); - } - -event PTR_scan(src: addr) - { - ++did_PTR_scan_event[src]; - - if ( src !in allow_PTR_scans && src !in okay_to_lookup_sensitive_hosts ) - { - NOTICE([$note=DNS_PTR_Scan, $src=src, - $msg=fmt("%s has made %d/%d un/successful PTR lookups", - src, distinct_rejected_PTR_requests[src], - distinct_answered_PTR_requests[src]), - $sub="scan detected"]); - - schedule 1 day { PTR_scan_summary(src) }; - } - } - -function check_PTR_scan(src: addr) - { - if ( src !in did_PTR_scan_event && - distinct_rejected_PTR_requests[src] >= - distinct_answered_PTR_requests[src] * report_rejected_PTR_factor ) - event PTR_scan(src); - } - -function DNS_answer(c: connection, msg: dns_msg, - ans: dns_answer, annotation: string) - { - 
local is_answer = ans$answer_type == DNS_ANS; - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - local id = msg$id; - local query: string; - - if ( id in session$pending_queries ) - { - query = fmt("%s = ", session$pending_queries[id], - query_types[ans$qtype]); - delete session$pending_queries[id]; - report = fmt("%s %s", report, query); - } - - else if ( session$is_zone_transfer ) - { # need to provide the query directly. - query = fmt("", query_types[ans$qtype]); - report = fmt("%s ?%s", report, query); - } - - else - { - # No corresponding query. This can happen if it's - # already been deleted because we've already processed - # an answer to it; or if the session itself was timed - # out prior to this answer being generated. In the - # first case, we don't want to provide the query again; - # in the second, we do. We can determine that we're - # likely in the second case if either (1) this session - # was just now created, or (2) we're now processing the - # sole answer to the original query. - # - # However, for now we punt. - # - # if ( c$start_time == network_time() || - # (is_answer && msg$num_answers == 1) ) - # { - # query = DNS_query_annotation(c, msg, ans$query, ans$qtype, F); - # report = fmt("%s [?%s]", report, query); - # } - # else - # query = ""; - - query = fmt("", query_types[ans$qtype]); - report = fmt("%s %s", report, query); - } - - # Append a bunch of additional annotation. 
- report = fmt("%s %s RCode:%s AA=%s TR=%s %s/%s/%s/%s", - report, annotation, base_error[msg$rcode], msg$AA, msg$TC, - msg$num_queries, msg$num_answers, msg$num_auth, msg$num_addl ); - - local src = c$id$orig_h; - - if ( msg$rcode != 0 ) - { - if ( /\?(PTR|\*.*in-addr).*/ in query ) - ##### should check for private address - { - if ( ++distinct_PTR_requests[src, query] == 1 && - ++distinct_rejected_PTR_requests[src] >= - report_rejected_PTR_thresh ) - check_PTR_scan(src); - } - - report = fmt("%s %s", report, DNS_code_types[msg$rcode]); - } - - else if ( is_answer ) - { - if ( /\?(PTR|\*.*in-addr).*/ in query ) - { - if ( annotation in actually_rejected_PTR_anno ) - { - if ( ++distinct_PTR_requests[src, query] == 1 && - ++distinct_rejected_PTR_requests[src] >= - report_rejected_PTR_thresh ) - check_PTR_scan(src); - } - else - { - if ( ++distinct_PTR_requests[src, query] == 1 ) - ++distinct_answered_PTR_requests[src]; - } - } - } - - if ( logging ) - print dns_log, fmt("%s TTL=%g", report, ans$TTL); - - ### Note, DNS_AUTH and DNS_ADDL not processed. 
- - session$last_active = network_time(); - } - -event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) - { - if ( a in sensitive_lookup_hosts ) - event sensitive_addr_lookup(c, a, F); - - DNS_answer(c, msg, ans, fmt("%As", a)); - - if ( resolver_consist_check ) - insert_name(c, msg, ans, a ); - - } - -event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s", name)); - } - -event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s %s", query_types[ans$qtype], name)); - } - -event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) - { - DNS_answer(c, msg, ans, fmt("%s", name)); - } - -event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa) - { - DNS_answer(c, msg, ans, fmt("%s", soa$mname)); - } - -event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string, - preference: count) - { - DNS_answer(c, msg, ans, fmt("%s/%d", name, preference)); - } - -event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer) - { - DNS_answer(c, msg, ans, "<---?--->"); - } - - -# From here on down we need to modify the way that data is recorded. The -# standard resource record format is no longer universally applicable in -# that we may see modified structs or some number of value pairs that may take -# more flexability in reporting. 
- -event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) - { - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - - if ( ans$is_query == 1 ) - report = fmt("%s ", report); - else - report = fmt("%s ", report); - - if ( logging ) - print dns_log, fmt("%s pldsize:%s RCode:%s VER:%s Z:%s", - report, ans$payload_size, - base_error[ans$extended_rcode], - ans$version, edns_zfield[ans$z_field]); - } - -event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional) - { - local session = lookup_DNS_session(c, msg$id); - local report = - fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h); - - # Error handling with this is a little odd: number collision with EDNS. - # We set the collided value to the first private space number. gross. - local trans_error_num = (ans$rr_error == 16) ? 3842 : ans$rr_error; - - if ( ans$is_query == 1 ) - report = fmt("%s ", report); - else - report = fmt("%s ", report); - - if ( logging ) - print dns_log, fmt("%s name:%s alg:%s origID:%s RCode:%s", - report, ans$query, ans$alg_name, - ans$orig_id, base_error[trans_error_num]); - } diff --git a/policy.old/drop-adapt.bro b/policy.old/drop-adapt.bro deleted file mode 100644 index b599770ded..0000000000 --- a/policy.old/drop-adapt.bro +++ /dev/null 
@@ -1,74 +0,0 @@
-# $Id: drop-adapt.bro 6940 2009-11-14 00:38:53Z robin $
-#
-# Adjust load level based on packet drops.
-#
-
-@load load-level
-
-# Increase load-level if packet drops are successively 'count' times
-# above 'threshold' percent.
-const drop_increase_count = 5 &redef;
-const drop_increase_threshold = 5.0 &redef;
-
-# Same for decreasing load-level.
-const drop_decrease_count = 15 &redef;
-const drop_decrease_threshold = 0.0 &redef;
-
-# Minimum time to wait after a load-level increase before new decrease.
-const drop_decrease_wait = 20 mins &redef;
-
-global drop_last_stat: net_stats;
-global drop_have_stats = F;
-global drop_above = 0;
-global drop_below = 0;
-
-global drop_last_increase: time = 0;
-
-event net_stats_update(t: time, ns: net_stats)
- {
- if ( drop_have_stats )
- {
- local new_recvd = ns$pkts_recvd - drop_last_stat$pkts_recvd;
- local new_dropped =
- ns$pkts_dropped - drop_last_stat$pkts_dropped;
-
- local p = new_dropped * 100.0 / new_recvd;
-
- drop_last_stat = ns;
-
- if ( p >= 0 )
- {
- if ( p >= drop_increase_threshold )
- {
- if ( ++drop_above >= drop_increase_count )
- {
- increase_load_level();
- drop_above = 0;
- drop_last_increase = t;
- }
- }
- else
- drop_above = 0;
-
- if ( t - drop_last_increase < drop_decrease_wait )
- return;
-
- if ( p <= drop_decrease_threshold )
- {
- if ( ++drop_below >= drop_decrease_count )
- {
- decrease_load_level();
- drop_below = 0;
- }
- }
- else
- drop_below = 0;
-
- }
- }
- else
- {
- drop_have_stats = T;
- drop_last_stat = ns;
- }
- }
diff --git a/policy.old/drop.bro b/policy.old/drop.bro
deleted file mode 100644
index b2e75fa269..0000000000
--- a/policy.old/drop.bro
+++ /dev/null
@@ -1,340 +0,0 @@ -# $Id:$ -# -# drop.bro implements a drop/restore policy termed "catch-and-release" -# whereby the first time an address is dropped, it is restored a while after -# the last connection attempt seen. If a connection attempt is subsequently -# seen, however, then the system is blocked again, and for a longer time. -# -# This policy has significant benefits when using Bro to update router -# ACLs for which: -# - The router has a limited number of ACLs slots. -# - You care about possible reuse of IP addresses by now-benign hosts, -# so don't want blocks to last forever. -# -# Original code by Jim Mellander, LBNL. -# Updated by Brian Tierney, LBNL and by Robin Sommer, ICSI. - -@load site - -module Drop; - -export { - redef enum Notice += { - # Connectivity with given address has been dropped. - AddressDropped, - - # A request to drop connectivity has been ignored. - AddressDropIgnored, - - # Connectivity with given address has been restored. - AddressRestored, - - AddressAlreadyDropped, # host is already dropped - - # Previously dropped host connects again. - AddressSeenAgain, - - # Previous offenders re-dropped or re-restored. - RepeatAddressDropped, - RepeatAddressRestored, - }; - - # True if we have the capability to drop hosts at all. - const can_drop_connectivity = F &redef; - - # True if we never want to drop local addresses. - const dont_drop_locals = T &redef; - - # True if we should use the catch-and-release scheme. If not then - # we simply drop addresses via the drop_connectivity_script and - # never restore them (they must be restored out-of-band). - const use_catch_release = F &redef; - - # Catch-and-release parameters. - - # Interval to wait for release following inactivity after - # first offense. - global drop_time = 5 min &redef; - - # For repeat offenders: if the total time a host has already been - # dropped reaches persistent_offender_time, we drop the host for - # long_drop_time. 
Setting persistent_offender_time to zero disables - # this functionality. - const persistent_offender_time = 2 hr &redef; - global long_drop_time = 12 hr &redef; - - # Scripts to perform the actual dropping/restore. They get the - # IP address as their first argument. - const drop_connectivity_script = "drop-connectivity" &redef; - const restore_connectivity_script = "restore-connectivity" &redef; - - const root_servers = { - a.root-servers.net, b.root-servers.net, c.root-servers.net, - d.root-servers.net, e.root-servers.net, f.root-servers.net, - g.root-servers.net, h.root-servers.net, i.root-servers.net, - j.root-servers.net, k.root-servers.net, l.root-servers.net, - m.root-servers.net, - } &redef; - - const gtld_servers = { - a.gtld-servers.net, b.gtld-servers.net, c.gtld-servers.net, - d.gtld-servers.net, e.gtld-servers.net, f.gtld-servers.net, - g.gtld-servers.net, h.gtld-servers.net, i.gtld-servers.net, - j.gtld-servers.net, k.gtld-servers.net, l.gtld-servers.net, - m.gtld-servers.net, - } &redef; - - const never_shut_down = { - root_servers, gtld_servers, - } &redef; - - const never_drop_nets: set[subnet] &redef; - - # Drop the connectivity for the address. "msg" gives a reason. - # It returns a copy of the NOTICE generated for the drop, which - # gives more information about the kind of dropping performed. - # If the notice type is NoticeNone, the drop was not successful - # (e.g., because this Bro instance is not configured to do drops.) - global drop_address: function(a: addr, msg: string) : notice_info; - - # The following events are used to communicate information about the - # drops, in particular for C&R in the cluster setting. - - # Address has been dropped. - global address_dropped: event(a: addr); - - # Raised when an IP is restored. - global address_restored: event(a: addr); - - # Raised when an that was dropped in the past is no - # longer monitored specifically for new connections. 
- global address_cleared: event(a: addr); - - const debugging = F &redef; - global debug_log: function(msg: string); -} - -type drop_rec: record { - tot_drop_count: count &default=0; - tot_restore_count: count &default=0; - actual_restore_count: count &default=0; - tot_drop_time: interval &default=0secs; - last_timeout: interval &default=0secs; -}; - -global clear_host: function(t: table[addr] of drop_rec, a: addr): interval; - -global drop_info: table[addr] of drop_rec - &read_expire = 1 days &expire_func=clear_host &persistent; - -global last_notice: notice_info; - -function do_notice(n: notice_info) - { - last_notice = n; - NOTICE(n); - } - -function dont_drop(a: addr) : bool - { - return ! can_drop_connectivity || a in never_shut_down || - a in never_drop_nets || (dont_drop_locals && is_local_addr(a)); - } - -function is_dropped(a: addr) : bool - { - if ( a !in drop_info ) - return F; - - local di = drop_info[a]; - - if ( di$tot_drop_count < di$tot_restore_count ) - { # This shouldn't happen. - # FIXME: We need an assert(). - print "run-time error: more restores than drops!"; - return F; - } - - return di$tot_drop_count > di$tot_restore_count; - } - -global debug_log_file: file; - -function debug_log(msg: string) - { - if ( ! debugging ) - return; - - print debug_log_file, - fmt("%.6f [%s] %s", network_time(), peer_description, msg); - } - -event bro_init() - { - if ( debugging ) - { - debug_log_file = - open_log_file(fmt("drop-debug.%s", peer_description)); - set_buf(debug_log_file, F); - } - } - -function do_direct_drop(a: addr, msg: string) - { - if ( msg != "" ) - msg = fmt(" (%s)", msg); - - if ( a !in drop_info ) - { - local tmp: drop_rec; - drop_info[a] = tmp; - } - - local di = drop_info[a]; - - if ( is_dropped(a) ) - # Already dropped. Nothing to do. 
- do_notice([$note=Drop::AddressAlreadyDropped, $src=a, - $msg=fmt("%s%s", a, msg)]); - else - { - system(fmt("%s %s", Drop::drop_connectivity_script, a)); - - debug_log(fmt("sending drop for %s", a)); - event Drop::address_dropped(a); - - if ( di$tot_drop_count == 0 ) - do_notice([$note=Drop::AddressDropped, $src=a, - $msg=fmt("%s%s", a, msg)]); - else - { - local s = fmt("(%d times)", di$tot_drop_count + 1); - do_notice([$note=Drop::RepeatAddressDropped, - $src=a, $n=di$tot_drop_count+1, - $msg=fmt("%s%s %s", a, msg, s), $sub=s]); - } - } - - ++di$tot_drop_count; - debug_log(fmt("dropped %s: tot_drop_count=%d tot_restore_count=%d", - a, di$tot_drop_count, di$tot_restore_count)); - } - -# Restore a previously dropped address. -global do_restore: function(a: addr, force: bool); - -event restore_dropped_address(a: addr) - { - do_restore(a, F); - } - -function do_catch_release_drop(a: addr, msg: string) - { - do_direct_drop(a, msg); - - local di = drop_info[a]; - - local t = (persistent_offender_time != 0 sec && - di$tot_drop_time >= persistent_offender_time) ? 
- long_drop_time : drop_time; - - di$tot_drop_time += t; - di$last_timeout = t; - - schedule t { restore_dropped_address(a) }; - } - -function do_restore(a: addr, force: bool) - { - if ( a !in drop_info ) - return; - - local di = drop_info[a]; - ++drop_info[a]$tot_restore_count; - debug_log(fmt("restored %s: tot_drop_count=%d tot_restore_count=%d force=%s", a, drop_info[a]$tot_drop_count, drop_info[a]$tot_restore_count, force)); - - if ( di$tot_drop_count == di$tot_restore_count || force ) - { - ++di$actual_restore_count; - system(fmt("%s %s", Drop::restore_connectivity_script, a)); - - debug_log(fmt("sending restored for %s", a)); - event Drop::address_restored(a); - - local t = di$last_timeout; - - if ( di$actual_restore_count == 1 ) - { - local s1 = fmt("(timeout %.1f)", t); - do_notice([$note=Drop::AddressRestored, $src=a, - $msg=fmt("%s %s", a, s1), $sub=s1]); - } - - else - { - local s2 = fmt("(%d times, timeout %.1f)", - di$actual_restore_count, t); - do_notice([$note=Drop::RepeatAddressRestored, $src=a, - $n=di$tot_restore_count, - $msg=fmt("%s %s", a, s2), $sub=s2]); - } - } - } - -function clear_host(t: table[addr] of drop_rec, a: addr): interval - { - if ( is_dropped(a) ) - # Restore address. - do_restore(a, T); - - debug_log(fmt("sending cleared for %s", a)); - event Drop::address_cleared(a); - - return 0 secs; - } - -# Returns true if drop was successful (or IP was already dropped). -function drop_address(a: addr, msg: string) : notice_info - { - debug_log(fmt("drop_address(%s, %s)", a, msg)); - - last_notice = [$note=NoticeNone]; - - if ( dont_drop(a) ) - do_notice([$note=AddressDropIgnored, $src=a, - $msg=fmt("ignoring request to drop %s (%s)", a, msg)]); - else if ( use_catch_release ) - do_catch_release_drop(a, msg); - else - do_direct_drop(a, msg); - - if ( last_notice$note == NoticeNone ) - print "run-time error: drop_address did not raise a NOTICE"; - - return last_notice; - } - -event new_connection(c: connection) - { - if ( ! 
can_drop_connectivity )
- return;
-
- # With Catch & Release, 1 connection from a previously dropped system
- # triggers an immediate redrop.
- if ( ! use_catch_release )
- return;
-
- local a = c$id$orig_h;
-
- if ( a !in drop_info )
- # Never dropped.
- return;
-
- local di = drop_info[a];
- if ( is_dropped(a) )
- # Still dropped.
- return;
-
- NOTICE([$note=AddressSeenAgain, $src=a,
- $msg=fmt("%s seen again after release", a)]);
- }
diff --git a/policy.old/dyn-disable.bro b/policy.old/dyn-disable.bro
deleted file mode 100644
index b1b5bd937e..0000000000
--- a/policy.old/dyn-disable.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: dyn-disable.bro,v 1.1.4.3 2006/05/31 01:52:02 sommer Exp $
-#
-# When this script is loaded, analyzers that raise protocol_violation events
-# are disabled for the affected connection.
-
-# Note that this a first-shot solution. Eventually, we should make the
-# disable-decision more fine-grained/sophisticated.
-
-@load conn
-@load notice
-
-module DynDisable;
-
-export {
- redef enum Notice += {
- ProtocolViolation
- };
-
- # Ignore violations which go this many bytes into the connection.
- const max_volume = 10 * 1024 &redef;
-}
-
-global conns: table[conn_id] of set[count];
-
-event protocol_violation(c: connection, atype: count, aid: count,
- reason: string)
- {
- if ( c$id in conns && aid in conns[c$id] )
- return;
-
- local size = c$orig$size + c$resp$size;
-
- if ( max_volume > 0 && size > max_volume )
- return;
-
- # Disable the analyzer that raised the last core-generated event.
- disable_analyzer(c$id, aid);
-
- NOTICE([$note=ProtocolViolation, $conn=c,
- $msg=fmt("%s analyzer %s disabled due to protocol violation",
- id_string(c$id), analyzer_name(atype)),
- $sub=reason, $n=atype]);
-
- if ( c$id !in conns )
- conns[c$id] = set();
-
- add conns[c$id][aid];
- }
-
-event connection_state_remove(c: connection)
- {
- delete conns[$id=c$id];
- }
diff --git a/policy.old/file-flush.bro b/policy.old/file-flush.bro
deleted file mode 100644
index 481d078e59..0000000000
--- a/policy.old/file-flush.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: file-flush.bro 786 2004-11-24 08:25:16Z vern $
-
-# Causes all files to be flushed every file_flush_interval seconds.
-# Useful if you want to poke through the log files in real time,
-# particularly if network traffic is light.
-
-global file_flush_interval = 10 sec &redef;
-
-event file_flush_event()
- {
- flush_all();
- schedule file_flush_interval { file_flush_event() };
- }
-
-event bro_init()
- {
- schedule file_flush_interval { file_flush_event() };
- }
diff --git a/policy.old/finger.bro b/policy.old/finger.bro
deleted file mode 100644
index 7765ce45c6..0000000000
--- a/policy.old/finger.bro
+++ /dev/null
@@ -1,69 +0,0 @@
-# $Id: finger.bro 4758 2007-08-10 06:49:23Z vern $
-
-module Finger;
-
-export {
- const hot_names = {
- "root", "lp", "uucp", "nuucp", "demos", "operator", "sync",
- "r00t", "tutor", "tour", "admin", "system", "guest", "visitor",
- "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
- } &redef;
-
- const max_finger_request_len = 80 &redef;
-}
-
-redef capture_filters += { ["finger"] = "port finger" };
-
-# DPM configuration.
-global finger_ports = { 79/tcp } &redef;
-redef dpd_config += { [ANALYZER_FINGER] = [$ports = finger_ports] };
-
-function public_user(user: string): bool
- {
- return T;
- }
-
-function authorized_client(host: addr): bool
- {
- return T;
- }
-
-event finger_request(c: connection, full: bool, username: string, hostname: string)
- {
- local id = c$id;
- local request: string;
-
- if ( hostname != "" )
- request = cat(username, "@", hostname);
- else
- request = username;
-
- if ( byte_len(request) > max_finger_request_len )
- {
- request = fmt("%s...", sub_bytes(request, 1, max_finger_request_len));
- ++c$hot;
- }
-
- if ( hostname != "" )
- ++c$hot;
-
- if ( username in hot_names )
- ++c$hot;
-
- local req = request == "" ? "ALL" : fmt("\"%s\"", request);
-
- if ( full )
- req = fmt("%s (/W)", req);
-
- if ( c$addl != "" )
- # This is an additional request.
- req = fmt("(%s)", req);
-
- append_addl_marker(c, req, " *");
- }
-
-function is_finger_conn(c: connection): bool
- {
- return c$id$resp_p == finger;
- }
-
diff --git a/policy.old/firewall.bro b/policy.old/firewall.bro
deleted file mode 100644
index 59a92206b4..0000000000
--- a/policy.old/firewall.bro
+++ /dev/null
@@ -1,195 +0,0 @@
-# $Id: firewall.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Firewall-like rules.
-
-@load notice
-@load conn
-@load ftp
-
-module Firewall;
-
-export {
- type action: enum { ALLOW, DENY };
- type cmp: enum { EQ, NE };
-
- type rule: record {
- label: string &default = "";
- orig: subnet &default = 0.0.0.0/0;
- orig_set: set[addr] &optional;
- orig_cmp: cmp &default = EQ;
- orig_p: port &default = 0/tcp;
- orig_p_cmp: cmp &default = EQ;
- resp: subnet &default = 0.0.0.0/0;
- resp_set: set[addr] &optional;
- resp_cmp: cmp &default = EQ;
- resp_p: port &default = 0/tcp;
- resp_p_cmp: cmp &default = EQ;
- prot: transport_proto &default = unknown_transport;
- prot_cmp: cmp &default = EQ;
- state: string &default = "";
- state_cmp: cmp &default = EQ;
- is_ftp: bool &default = F;
-
- action: action &default = ALLOW;
- };
-
- redef enum Notice += {
- DenyRuleMatched
- };
-
- global begin: function(c: connection);
- global match_rule: function(c: connection, r: rule);
-}
-
-const log_file = open_log_file("firewall") &redef;
-
-global stop_matching = F;
-
-function do_match(c: connection, r: rule): bool
- {
- if ( r$orig_cmp == EQ )
- {
- if ( r?$orig_set )
- {
- if ( c$id$orig_h !in r$orig_set && c$id$orig_h !in r$orig )
- return F;
- }
- else
- {
- if ( c$id$orig_h !in r$orig )
- return F;
- }
- }
- else
- {
- if ( r?$orig_set )
- {
- if ( c$id$orig_h in r$orig_set || c$id$orig_h in r$orig )
- return F;
- }
- else
- {
- if ( c$id$orig_h in r$orig )
- return F;
- }
- }
-
- if ( r$resp_cmp == EQ )
- {
- if ( r?$resp_set )
- {
- if ( c$id$resp_h !in r$resp_set && c$id$resp_h !in r$resp )
- return F;
- }
- else
- {
- if ( c$id$resp_h !in r$resp )
- return F;
- }
- }
- else
- {
- if ( r?$resp_set )
- {
- if ( c$id$resp_h in r$resp_set || c$id$resp_h in r$resp )
- return F;
- }
- else
- {
- if ( c$id$resp_h in r$resp )
- return F;
- }
- }
-
- if ( r$orig_p != 0/tcp )
- {
- if ( r$orig_p_cmp == EQ )
- {
- if ( c$id$orig_p != r$orig_p )
- return F;
- }
- else
-
if ( c$id$orig_p == r$orig_p )
- return F;
- }
-
- if ( r$resp_p != 0/tcp )
- {
- if ( r$resp_p_cmp == EQ )
- {
- if ( c$id$resp_p != r$resp_p )
- return F;
- }
- else
- if ( c$id$resp_p == r$resp_p )
- return F;
- }
-
- if ( r$state != "" )
- {
- local state = conn_state(c, get_port_transport_proto(c$id$orig_p));
- if ( r$state_cmp == EQ )
- {
- if ( state != r$state )
- return F;
- }
- else
- if ( state == r$state )
- return F;
- }
-
- if ( r$prot != unknown_transport )
- {
- local proto = get_port_transport_proto(c$id$orig_p);
- if ( r$prot_cmp == EQ )
- {
- if ( proto != r$prot )
- return F;
- }
- else
- if ( proto == r$prot )
- return F;
- }
-
- if ( r$is_ftp && ! FTP::is_ftp_data_conn(c) )
- return F;
-
- return T;
- }
-
-
-function report_violation(c: connection, r:rule)
- {
- local trans = get_port_transport_proto(c$id$orig_p);
- local state = conn_state(c, trans);
-
- NOTICE([$note=DenyRuleMatched,
- $msg=fmt("%s %s",
- id_string(c$id), trans), $conn=c, $sub=r$label]);
- append_addl(c, fmt("<%s>", r$label));
- record_connection(log_file, c);
- }
-
-function begin(c: connection)
- {
- stop_matching = F;
- }
-
-function match_rule(c: connection, r: rule)
- {
- if ( stop_matching )
- return;
-
- if ( do_match(c, r) )
- {
- stop_matching = T;
-
- if ( r$action == DENY )
- report_violation(c, r);
- }
- }
-
-event bro_init()
- {
- set_buf(log_file, F);
- }
diff --git a/policy.old/flag-irc.bro b/policy.old/flag-irc.bro
deleted file mode 100644
index 60d687bff7..0000000000
--- a/policy.old/flag-irc.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: flag-irc.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# include this module to flag various forms of IRC access.
-
-@load ftp
-
-redef FTP::hot_files +=
- /.*eggdrop.*/
- | /.*eggsun.*/
- ;
-
-redef Hot::flag_successful_inbound_service: table[port] of string += {
- [[6666/tcp, 6667/tcp]] = "inbound IRC",
-};
-
-redef Hot::hot_dsts: table[addr] of string += {
- [bitchx.com] = "IRC source sites",
-};
diff --git a/policy.old/flag-warez.bro b/policy.old/flag-warez.bro
deleted file mode 100644
index 6781252338..0000000000
--- a/policy.old/flag-warez.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: flag-warez.bro 416 2004-09-17 03:52:28Z vern $
-#
-# include this module to flag various forms of Warez access.
-
-@load hot-ids
-@load ftp
-
-redef FTP::hot_files += /.*[wW][aA][rR][eE][zZ].*/ ;
-
-redef always_hot_ids += { "warez", "hanzwarez", "zeraw", };
-redef hot_ids += { "warez", "hanzwarez", "zeraw", };
diff --git a/policy.old/frag.bro b/policy.old/frag.bro
deleted file mode 100644
index fcced8cd9a..0000000000
--- a/policy.old/frag.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
-# common due to high-volume, fragmenting protocols such as NFS :-(.
-
-redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
-
-redef frag_timeout = 5 min;
diff --git a/policy.old/ftp-reply-pattern.bro b/policy.old/ftp-reply-pattern.bro
deleted file mode 100644
index 59c507978e..0000000000
--- a/policy.old/ftp-reply-pattern.bro
+++ /dev/null
@@ -1,1317 +0,0 @@ -# $Id: ftp-reply-pattern.bro 6 2004-04-30 00:31:26Z jason $ - -@load ftp-anonymizer - -redef process_ftp_reply_by_message_pattern = T; - - -# A line of reply message is split into fields with the following -# regular expression. The regular expression defines the pattern of -# field separators. Basically a field separator is blank space -# enclosed by optional punctuations. - -const ftp_msg_field_separator = - /@@BOL@@ [[:space:][:punct:]]*( @@EOL@@)?/ - | /[[:space:][:punct:]]+/ - | /[[:space:][:punct:]]* @@EOL@@/ - ; - -# Type *msg_format_info* defines a message format extracted from -# messages. - -type msg_format_info: record { - parts: string_array; - code: count; - msg: string; # one of the original messages - hit: count; # number of messages that match the pattern -}; - -type msg_format_group: table[string] of msg_format_info; -global msg_format_groups: table[string] of msg_format_group; - - -# A pattern string (derived from one or more message formats) contains -# fields enclosed by '|': e.g. -# -# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@" -# -# Thus we the field separator can be defined by the following pattern: -# everything up to the first '|', after the last '|', or between two -# adjacent '|'s in the middle. - -const ftp_pattern_field_separator = - /@@BOL@@ @@EOL@@/ - | /@@BOL@@ [^|]*\|/ - | /\|[^|]+\|/ - | /\|[^|]* @@EOL@@/ - ; - -# A message pattern is very similar to a message format, except that -# the former is for message pattern matching and thus is used in a -# different phase than a message format, which is used in pattern -# extraction. 
- -type msg_pattern_info: record { - code: count; - str: string; - num_parts: count; - parts: string_array; - sep: string_array; - tok: string_array; - hit: count; -}; - -type msg_pattern_group: table[string] of msg_pattern_info; -global msg_pattern_groups: table[string] of msg_pattern_group; - - -# Here starts patterns of individual fields (numbers, ip address, domain -# name, etc.) in the reply message: - -# Numbers (including float numbers and negative numbers) -const ftp_number_pat = /[\-]?[0-9]+(\.[0-9]+)?/; - -# English words (including 's and 't) -# const ftp_word_pat = - /[[:alpha:]]*('m|'re|[[:alpha:]]'s|s'|n't|'d|'ve|'ll)|[[:alpha:]]+/ - ; - -# File modes in ls -l (seen in replies for STAT) -const ftp_file_mode_pat = /[ld\-]([r-][w-][xs-]){3}/; - -# FTP server version string -const ftp_server_version_pat = /[a-zA-Z0-9]+([\.\-_][a-zA-Z0-9]+)+/ &redef; - -# FTP path name -# -# As it is not clear how to define a pattern for path names, it is -# defined in two aspects: first, we define a pattern for strings that -# are path names *almost for sure*: - -const ftp_path_pat = /\/.+\/.*/ - | /README/ - | /.*\.(gz|tar|Z|ps|pdf)/ # TODO: add other extensions - | /[A-Z]:[\\\/].*/ # a path name almost for sure - ; - -# Second, we define a pattern for strings that can possibly be a path name: -# const ftp_file_name_pat = /[[:print:]]+/; -# -# Together, we assume that -# Set(ftp_path_pat) <= Set(path names) <= Set(ftp_file_name_pat) - -# DOS file names -const ftp_dos_path_pat = /[A-Z]:[\\\/].*/; - - -# Finally, a table of message field patterns -const ftp_msg_part_patterns = { - ["~ num"] = ftp_number_pat, - ["~ port"] = ftp_port_pat, - ["~ ip"] = ftp_ip_pat, - ["~ domain"] = ftp_domain_name_pat, - ["~ file_mode"] = ftp_file_mode_pat, - ["~ time"] = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/, - ["~ day"] = /Mon|Tue|Wed|Thu|Fri|Sat|Sun/, - ["~ month"] = /Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec/, - ["~ ip,port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3},[0-9]+/, - ["~ ip:port"] 
= /[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+/, - ["~ email"] = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/, - ["~ path"] = ftp_path_pat, - ["~ url"] = /http:\/\/.+/, -} &redef; - - -# One critical issue in understanding an FTP reply message is to -# recognize the request arguments in messages. The argument of an FTP -# request may appear in various forms in the reply message, -# e.g. argument "/abc//def/" may appear as "/abc/def/" (eliminate -# duplicat /), "/abc/def" (w/o last /), or even "def" (base file name -# only). - -# Type *ftp_arg_variant* defines the set of variants of an argument, -# and function *expand_ftp_arg_variants* expands an argument to -# its variants. - -type ftp_arg_variants: record { - arg: string; # the argument - path: string; # after eliminating options - norm_path: string; # normalized path, after eliminating dup slashes - abs_path: string; # the absolute path - base_path: string; # the base file name only, without the directory part -}; - - -# Trace-specific anonymization of replies -# 1. Whether function anonymize_trace_specific_reply is defined: -const trace_specific_reply_anonymization = F &redef; - -# 2. Result of message anonymization -type ftp_reply_anon_result: record { - anonymized: bool; - msg: string; -}; - -# 3. The trace-specific function (to be defined externally) -global anonymize_trace_specific_reply: - function(session: ftp_session_info, code: count, msg: string, - cmd_arg: ftp_cmd_arg, - arg_var: ftp_arg_variants): ftp_reply_anon_result; - - -# Other global states: - -# Reply messages that are entirely stripped out (e.g. server banner message) -global msg_stripped_out: set[string]; - -# Remember wildcard matches to suppress the number of outputs -global all_wildcard_matches: set[string, string]; - - -# PART I. 
Message pattern extraction - -function init_msg_format_info(parts: string_array, code: count, msg: string, level: count): msg_format_info - { - return [$parts = parts, - $code = code, - $msg = msg, - $hit = 0]; - } - - -# Whether the pattern defined by *parts* is a sub-pattern of -# *fmt_parts*. - -function match_msg_format(fmt_parts: string_array, parts: string_array): bool - { - if ( length(fmt_parts) != length(parts) ) - return F; - - for ( i in fmt_parts ) - { - if ( i % 2 == 1 ) - { - local t1 = fmt_parts[i]; - local t2 = parts[i]; - - if ( t1 == t2 || t1 == "~ *" || - (t1 == "~ path" && - (t2 == ftp_file_name_pat || t2 == "~ num")) ) - ; # t2 matches t1 - else - return F; - } - } - - return T; - } - - -# Abstract msg_parts[k]. The whole msg_parts is passed because the -# function needs to look at the context to decide whether a pattern is -# applicable (in the case of version pattern). - -function abstract_msg_part(msg_parts: string_array, k: count, other_pat: table[string] of string): string - { - local part = msg_parts[k]; - local abs_part: string; - - if ( part in other_pat ) - abs_part = other_pat[part]; - else if ( k > 2 && - msg_parts[int_to_count(k-2)] == /[Vv]er(sion)?|[Rr]elease|.*ftpd.*|Server|Process/ && - part == ftp_server_version_pat && - part != ftp_domain_name_pat ) - abs_part = "~ version"; - else if ( part == ftp_msg_part_patterns["~ path"] && - part == ftp_file_name_pat ) - abs_part = "~ path"; - else - { - local known_pattern = 0; - - for ( pat_ty in ftp_msg_part_patterns ) - if ( part == ftp_msg_part_patterns[pat_ty] ) - { - ++known_pattern; - abs_part = pat_ty; - } - if ( known_pattern > 1 ) - print ftp_anon_log, - fmt("ERROR: ambiguous ftp msg part pattern: %s", part); - if ( known_pattern != 1 ) - abs_part = part; - } - - return abs_part; - } - - -# Transform a message format to a pattern string. 
- -function fmt_parts_to_string(parts: string_array): string - { - local p: string_array; - local num_parts = length(parts); - for ( i in parts ) - { - local s = parts[i]; - - if ( i == 1 || i == num_parts ) - p[i] = ""; - else if ( i % 2 == 1 ) - p[i] = string_cat("|", to_lower(s), "|"); - else - p[i] = " "; - } - return string_cat("@@BOL@@", cat_string_array(p), "@@EOL@@"); - } - - -# Extract the format of a message, if it does not match any known -# format. The message is already splitted into *msg_parts*, and the -# *act_msg* is only used for logging and debugging. Parameter -# *other_pat* defines an instance-specific mapping from strings to -# field types (e.g. "~ cmd", "~ arg"). For example, when "/fileA" is -# the argument of the corresponding FTP requests, other_pat["/fileA"] -# = "~ arg". - -function extract_ftp_reply_pattern(code: count, act_msg: string, msg_parts: string_array, - other_pat: table[string] of string, - session: ftp_session_info): bool - { - local num_parts = length(msg_parts); - - # Abstract each part of the message. 
- local abs_parts: string_array; - for ( i in msg_parts ) - { - if ( i % 2 == 1 ) - abs_parts[i] = abstract_msg_part(msg_parts, i, other_pat); - else - abs_parts[i] = msg_parts[i]; - } - - # Derive the abstract message format - local abs_msg = fmt_parts_to_string(abs_parts); - - # Locate the corresponding format group - local ind = fmt("%3d %3d", code, num_parts); - local fmt_group: msg_format_group; - - if ( ind in msg_format_groups ) - fmt_group = msg_format_groups[ind]; - else - msg_format_groups[ind] = fmt_group; - - # Check existing message formats - if ( abs_msg in fmt_group ) - { - ++fmt_group[abs_msg]$hit; - return F; - } - - local the_fmt = init_msg_format_info(abs_parts, code, - fmt("%s: %s", id_string(session$connection_id), act_msg), 1); - the_fmt$hit = 1; - - # Check whether it is a sub-format of a known format, or vice versa - - # Whether the_fmt is a sub-format of another format - local sub_format = F; - - # Which other formats are sub-formats of the_fmt - local sub_format_set: set[string]; - - for ( fm2 in fmt_group ) - { - local f2 = fmt_group[fm2]; - if ( match_msg_format(f2$parts, abs_parts) ) - { - sub_format = T; # abs_parts is a sub-format of f2 - ++f2$hit; - } - else if ( match_msg_format(abs_parts, f2$parts) ) - add sub_format_set[fm2]; - else - ; # do nothing - } - - # Do not add the format if it is a sub-format of another one. - if ( ! 
sub_format ) - { - fmt_group[abs_msg] = the_fmt; - - # remove sub-formats of this message - for ( fm3 in sub_format_set ) - { - the_fmt$hit = the_fmt$hit + fmt_group[fm3]$hit; - delete fmt_group[fm3]; - } - } - - return T; - } - -function print_msg_format(the_log: file, ind: string, m: string, f: msg_format_info) - { - local lm = to_string_literal(m); - if ( lm != m ) - print the_log, fmt("special_character_in_pattern: \"%s\"", lm); - local fm = fmt("%d %s", f$code, lm); - local pat_ind = fmt("%3d %3d", f$code, length(f$parts)); - - print the_log, fmt("reply_pattern: $%s$ \"%s\", # \"%s\"", - ind, fm, f$msg); - - if ( pat_ind in msg_pattern_groups && fm in msg_pattern_groups[pat_ind] ) - print the_log, fmt("ERROR: pattern_already_exists: \"%s\"", fm); - } - -event bro_done() - { - for ( ind in msg_format_groups ) - { - local fmt_group = msg_format_groups[ind]; - for ( m2 in fmt_group ) - print_msg_format(ftp_anon_log, ind, m2, fmt_group[m2]); - } - } - - -# PART II. Read and parse patterns - -type msg_pattern_result: record { - valid: bool, - msg_pat: msg_pattern_info, -}; - - -# Parse message pattern string -- put the separators in and -# tokens in . 
- -function parse_msg_format(fm: string): msg_pattern_result - { - local msg_pat: msg_pattern_info; - local ret = [$valid = F, $msg_pat = msg_pat]; - - # Separate the reply code from the rest of the pattern string - local code_fmt = split1(fm, / /); - local sep: string_array; - local tok: string_array; - - msg_pat$code = to_count(code_fmt[1]); - msg_pat$str = fm; - # print ftp_anon_log, fmt("msg_format: %d \"%s\"", msg_pat$code, msg_pat$str); - msg_pat$sep = sep; - msg_pat$tok = tok; - msg_pat$hit = 0; - - # Split the pattern string with the pattern field separator - local parts = split_all(code_fmt[2], ftp_pattern_field_separator); - local num_parts = length(parts); - msg_pat$parts = parts; - msg_pat$num_parts = num_parts; - - for ( i in parts ) - { - local s = parts[i]; - local j: count; - if ( i % 2 == 0 ) - { - j = int_to_count(i / 2); - sep[j] = s; - } - else if ( i > 1 && i < num_parts ) - { - j = int_to_count((i - 1) / 2); - tok[j] = s; - } - else - ; # do nothing - } - - ret$valid = T; - return ret; - } - - -# Parse the pattern string and insert the pattern into -# msg_pattern_groups. - -function process_predefined_msg_format(f: string): bool - { - local r: msg_pattern_result; - r = parse_msg_format(f); - if ( ! r$valid ) - return F; - local msg_pat = r$msg_pat; - - local pat_ind = fmt("%3d %3d", msg_pat$code, msg_pat$num_parts); - - local pat_group: msg_pattern_group; - if ( pat_ind !in msg_pattern_groups ) - msg_pattern_groups[pat_ind] = pat_group; - else - pat_group = msg_pattern_groups[pat_ind]; - - if ( msg_pat$str in pat_group ) - return F; # there should not be duplicates - pat_group[msg_pat$str] = msg_pat; - - return T; - } - -const ftp_msg_format_white_list: set[string] = {} &redef; - -event bro_init() - { - for ( f in ftp_msg_format_white_list ) - process_predefined_msg_format(f); - } - - -# PART III. Merge message patterns - -# moved to ftp-merge-pattern.bro - -# PART IV. 
Message pattern matching - -# Note that $parts is not redundant with $pat, because each field in -# $pat may contain multiple patterns, as in -# -# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@" -# -# $parts tells whether "~ domain" or "~ ip" is matched. - -type msg_pattern_match_result: record { - valid: bool; - pat: msg_pattern_info; # the pattern matched - parts: string_array; # the matched pattern of each part -}; - - -# Return -1 if t1 is more specific than t2, 1 if vice versa, and 0 if -# t1 equals to t2 or if t1 and t2 are incomparable. - -function cmp_pattern_part(t1: string, t2: string): int - { - if ( t1 == t2 ) return 0; - - local ret: int = 0; - - if ( t1 != /~ .*/ || t2 != /~ .*/ ) - { - if ( t2 == /~ .*/ ) ret = -1; # t1 < t2 - if ( t1 == /~ .*/ ) ret = 1; # t2 < t1 - } - else if ( t1 == /~ (arg|cmd)/ || t2 == /~ (arg|cmd)/ ) - { - if ( t2 != /~ (arg|cmd)/ ) ret = -1; # t1 < t2 - if ( t1 != /~ (arg|cmd)/ ) ret = 1; # t2 < t1 - } - else if ( t1 == "~ ip" && t2 == "~ domain" ) - ret = -1; - else if ( t1 == "~ domain" && t2 == "~ ip" ) - ret = 1; - else if ( t1 == "~ *" || t2 == "~ *" ) - { - if ( t1 != "~ *" ) ret = -1; - if ( t2 != "~ *" ) ret = 1; - } - - # print ftp_anon_log, - # fmt("compare pattern part: \"%s\" vs. \"%s\" = %d", t1, t2, ret); - - if ( ret == 0 ) - print ftp_anon_log, - fmt("ERROR: cannot compare pattern part: \"%s\" vs. \"%s\"", t1, t2); - return ret; - } - - -# Which pattern is more specific, returns -1 if m1 < m2, ... - -function cmp_msg_pattern_match(m1: msg_pattern_match_result, m2: msg_pattern_match_result): int - { - local b1 = F; # whether part of m1 is more specific - local b2 = F; # whether part of m2 is more specific - - for ( i in m1$parts ) - { - local c = cmp_pattern_part(m1$parts[i], m2$parts[i]); - if ( c < 0 ) b1 = T; - if ( c > 0 ) b2 = T; - } - if ( b1 && ! b2 ) return -1; - if ( ! b1 && b2 ) return 1; - - print ftp_anon_log, - fmt("ERROR: cannot compare pattern match: \"%s\" vs. 
\"%s\"", m1$pat$str, m2$pat$str); - return 0; - } - - -# Whether data matches pat. Parameter aux_pat contains a set of (data, -# pat) pairs in addition to the predefined patterns and usually -# contains pairs such as "~ cmd : USER", "~ arg : anonymous". - -function do_match_pattern_part(pat: string, data: string, aux_pat: set[string]): bool - { - if ( pat == /~ .+[-+]/ ) # with a flag - pat = cut_tail(pat, 1); # ignore the flag - - if ( string_cat(pat, " : ", data) in aux_pat ) - return T; - else if ( pat != /~ .*/ ) # not an abstract pattern - { - return ( to_lower(data) == pat ); - } - else if ( pat == "~ *" ) - return T; # always match - else if ( pat == "~ path" ) - { - return ( data == ftp_file_name_pat || - /\// in data || /\\ / in data ); - } - else if ( pat == "~ domain" ) - { - return ( data == /([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/ ); - } - else if ( pat == "~ version" ) - { - return ( data == /[A-Za-z0-9\-\.\_]+/ ); - } - else if ( pat in ftp_msg_part_patterns ) - { - return ( data == ftp_msg_part_patterns[pat] ); - } - else - return F; - } - - -# Return the most promising part of that matches , where -# = ", [, ...]". - -function match_pattern_part(pat: string, data: string, aux_pat: set[string]): string - { - # print ftp_anon_log, fmt("part_match: \"%s\" ~? \"%s\"", data, pat); - - local best = "~ none"; - local pp = split(pat, /, /); - for ( i in pp ) - { - local p = pp[i]; - if ( do_match_pattern_part(p, data, aux_pat) ) - { - if ( best == "~ none" || cmp_pattern_part(best, p) > 0 ) - best = p; - } - } - - # if ( best != "~ none" ) - # print ftp_anon_log, fmt("part_match: \"%s\" ~ \"%s\"", data, best); - - return best; - } - - -# Return T if the message (act_msg) matches the pattern; otherwise -# return F. 
- -function do_msg_pattern_match(act_msg: string, msg_parts: string_array, - msg_pat: msg_pattern_info, aux_pat: set[string]): msg_pattern_match_result - { - local ret: msg_pattern_match_result; - ret$valid = F; - - local num_parts = length(msg_parts); - local pat = msg_pat$tok; - - local data: string_array; - for ( i2 in msg_parts ) - if ( i2 % 2 == 1 && i2 > 1 && i2 < num_parts ) - data[int_to_count((i2-1)/2)] = msg_parts[i2]; - - if ( length(pat) != length(data) ) - return ret; - - local matched: string_array; - - for ( i in pat ) - { - local m = match_pattern_part(pat[i], data[i], aux_pat); - if ( m == "~ none" ) - return ret; - matched[i] = m; - } - - ret$valid = T; - ret$parts = matched; - ret$pat = msg_pat; - return ret; - } - - -# Anonymize a data field according to its pattern type. - -function anonymize_msg_part(data: string, pat: string, - cmd_arg: ftp_cmd_arg, session: ftp_session_info): string - { - if ( pat == /~ .+[-+]/ ) - { - local pat_len = byte_len(pat); - local annotation = sub_bytes(pat, pat_len, 1); # the last character - if ( annotation == "+" ) # to expose the data - return data; - else if ( annotation == "-" ) # to hide the data - return "<->"; - pat = cut_tail(pat, 1); # otherwise ignore the annotation - } - - if ( pat == "~ cmd" ) - return cmd_arg$anonymized_cmd; - else if ( pat == "~ arg" ) - return cmd_arg$anonymized_arg; - else if ( pat == "~ num" ) - return ""; # hide the number by default - else if ( pat == "~ port" ) - return anonymize_port_arg(session, "", data); - else if ( pat == "~ ip" ) - { - local a = parse_dotted_addr(data); - return cat(anonymize_address(a, session$connection_id)); - } - else if ( pat == "~ domain" ) - return ""; - else if ( pat == "~ file_mode" ) - return ""; - else if ( pat == "~ time" || pat == "~ day" || pat == "~ month" ) - return data; - else if ( pat == "~ email" ) - return ""; - else if ( pat == "~ url" ) - return ""; - else if ( pat == "~ ip,port" || pat == "~ ip:port" ) - { - local b = 
split_all(data, /[:,]/); - b[1] = cat(anonymize_address(parse_dotted_addr(b[1]), session$connection_id)); - return cat_string_array(b); - } - else if ( pat == "~ path" || pat == "~ dir" ) - return anonymize_file_name_arg(session, "", data, - (session$reply_code >= 100 && session$reply_code < 300)); - else if ( pat == "~ version" ) - return data; # keep version of the server - else if ( pat == "~ *" ) - return "<*>"; - else - { - return ""; - print ftp_anon_log, fmt("ERROR: do not know how to anonymize pattern: %s", pat); - } - } - - -# Compute a unique id that does not appear in . - -function get_unique_subst_id(context: string, seed: string): string - { - local id = string_cat("X", md5_hmac(seed), "X"); - if ( strstr(context, id) > 0 ) - return get_unique_subst_id(context, string_cat(seed, ".")); - return id; - } - - -# Substitute all occurances of in with a unique id, if -# the occurrance of is followed by (context-sensitive -# substitution), and add to the mapping -> -# . It returns the message after substitution. - -function subst_part(msg1: string, part: string, suffix: string, subst_map: table[string] of string): string - { - local ps = string_cat(part, suffix); - if ( strstr(msg1, ps) <= 0 ) return msg1; - local subst_id = get_unique_subst_id(msg1, part); - subst_map[subst_id] = part; - return subst_string(msg1, ps, string_cat(subst_id, suffix)); - } - - -# Expand argument variants (see comments of ftp_arg_variants). 
- -function expand_ftp_arg_variants(session: ftp_session_info, cmd_arg: ftp_cmd_arg): ftp_arg_variants - { - local var: ftp_arg_variants; - - var$arg = cmd_arg$arg; - var$path = "~ none"; - var$norm_path = "~ none"; - var$abs_path = "~ none"; - var$base_path = "~ none"; - - if ( cmd_arg$cmd in ftp_cmds_with_file_arg ) - { - local opt_fn = separate_option_str(cmd_arg$arg); - var$path = opt_fn$file_name; - - # eliminate duplicate slashes - local norm_path = subst(var$path, /\/+|\\+/, "/"); - # eliminate '/./' (as '/') - norm_path = subst(norm_path, /\/(\.\/)+/, "/"); - if ( norm_path == /.*\/\./ ) # end with '/.' - norm_path = cut_tail(norm_path, 1); - - # compress .. - norm_path = compress_path(norm_path); - - if ( var$path == ftp_dos_path_pat ) - { - norm_path = subst(norm_path, /\//, "\\"); - # cut the last '\' off if it is not "C:\" - if ( norm_path == /.*\\/ && norm_path != /[[:alpha:]]:\\/ ) - norm_path = cut_tail(norm_path, 1); - } - else - { - if ( norm_path == /.*\// && norm_path != /\//) # if it is not '/' - norm_path = cut_tail(norm_path, 1); - } - - var$norm_path = norm_path; - - var$abs_path = absolute_path(session, norm_path); - - var$base_path = subst(norm_path, /.*(\/+|\\+)/, ""); - # But ignore base path names that only contain whitespace and/or punctuations - # if ( var$base_path == ftp_msg_field_separator ) - if ( var$base_path == "" ) - var$base_path = "~ none"; - - # print ftp_anon_log, fmt("path=\"%s\", norm_path=\"%s\", abs_path = \"%s\", base_path=\"%s\"", - # var$path, var$norm_path, var$abs_path, var$base_path); - } - - return var; - } - - -function strstr_clean(big: string, little: string, clean_match: bool): count - { - local i = strstr(big, little); - - if ( i == 0 ) return i; - - if ( clean_match ) - { - local prefix = sub_bytes(big, 1, i - 1); - local suffix = sub_bytes(big, i + byte_len(little), -1); - - # print ftp_anon_log, fmt("prefix = \"%s\", suffix = \"%s\"", prefix, suffix); - # if little is not surrounded by blanks or 
punctuations - if ( prefix != /|.*[[:blank:][:punct:]]/ || - suffix != /|[[:blank:][:punct:]].*/ ) - return 0; - } - - return i; - } - - -# Search s for an argument variant. Note that variants are searched in -# the order of priorities -- the more specific the varient is, the -# higher priority it gets. - -type arg_in_msg: record { - arg: string; - arg_ind: count; - arg_len: count; - prefix: string; - suffix: string; -}; - -function check_arg_variant(s: string, arg: string, v: arg_in_msg, clean_match: bool): bool - { - if ( arg == "" || arg == "~ none" ) - return F; - - local i = strstr_clean(s, arg, clean_match); - if ( i <= 0 ) return F; - - local len = byte_len(arg); - if ( len <= v$arg_len ) return F; - - v$arg = arg; - v$arg_ind = i; - v$arg_len = len; - v$prefix = sub_bytes(s, 1, i - 1); - v$suffix = sub_bytes(s, i + len, -1); - return T; - } - -function expand_path_arg(v: arg_in_msg): bool - { - if ( v$prefix != /.*\// ) return F; - - local parts = split_all(v$prefix, /([^[:blank:][:punct:]]*\/)+/); - local num_parts = length(parts); - if ( parts[num_parts] != "" ) return F; - local last_part = int_to_count(num_parts - 1); - local s = parts[last_part]; - local s_len = byte_len(s); - - print ftp_anon_log, fmt("expand_path_arg: \"%s\" + \"%s\"", s, v$arg); - v$arg_len = v$arg_len + s_len; - v$arg_ind = int_to_count(v$arg_ind - s_len); - v$arg = string_cat(s, v$arg); - - parts[last_part] = ""; - v$prefix = cat_string_array(parts); - return T; - } - -function search_arg_variant(s: string, var: ftp_arg_variants, clean_match: bool): string - { - local v = [$arg = "", $arg_ind = 0, $arg_len = 0, $prefix = "", $suffix = ""]; - - check_arg_variant(s, var$arg, v, clean_match); - check_arg_variant(s, var$path, v, clean_match); - check_arg_variant(s, var$norm_path, v, clean_match); - check_arg_variant(s, var$abs_path, v, clean_match); - check_arg_variant(s, var$base_path, v, clean_match); - - if ( var$path != "~ none" ) - expand_path_arg(v); - - return ( v$arg != "" ) ? 
v$arg : "~ none"; - } - - -# Substitute with a unique id in , store the mapping from -# the id to in , and update and -# about the argument. -# -# It returns the message after substituion. - -function process_arg_in_reply(arg_var: ftp_arg_variants, msg: string, - other_pat: table[string] of string, aux_pat: set[string], - subst_map: table[string] of string): string - { - add aux_pat[string_cat("~ arg", " : ", arg_var$arg)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$abs_path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$norm_path)]; - add aux_pat[string_cat("~ arg", " : ", arg_var$base_path)]; - - local arg = search_arg_variant(msg, arg_var, T); - if ( arg != "~ none" ) - { - print ftp_anon_log, fmt("arg_variant_found: \"%s\" in \"%s\"", arg, msg); - - if ( arg != "" ) - { - other_pat[arg] = "~ arg"; - if ( ftp_msg_field_separator in arg && arg != ftp_msg_field_separator ) - msg = subst_part(msg, arg, "", subst_map); - } - } - - return msg; - } - - -# Record the message being stripped out - -function strip_out_message(session: ftp_session_info, code: count, msg: string): string - { - local ind = fmt("%d %s", code, msg); - if ( ind !in msg_stripped_out ) - { - print ftp_anon_log, - fmt("message_stripped_out: %s", msg); - add msg_stripped_out[ind]; - } - return ""; - } - - -type msg_component: record { - msg: pattern; - part: pattern; - context: pattern; -}; - -global msg_components_not_to_split: table[string] of msg_component; - -event bro_init() -{ - # quoted string - msg_components_not_to_split["quoted"] = - [$msg = /.*/, - $part = /([^"]|\"\")*/, - $context = /@@BOL@@ *\"([^"]|\"\")*\"/]; - - # port numbers in reply to PASV - msg_components_not_to_split["port"] = - [$msg = /227 .*/, - $part = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/, - $context = /\([0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}\)/]; - - # dotted IP address - msg_components_not_to_split["ip"] = - [$msg = /.*/, # any reply code - 
$part = /[0-9]{1,3}(\.[0-9]{1,3}){3}/, - $context = /[[:space:]\(\[][0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:][:punct:]]/]; - - # email - msg_components_not_to_split["email"] = - [$msg = /.*/, # any reply code - $part = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/, - $context = /[[:space:]\(\[<][[:alnum:]\-\.\_]+@([\-[:alnum:]]+\.)*[\-[:alnum:]]+[[:space:][:punct:]]/]; - - # URL - msg_components_not_to_split["url"] = - [$msg = /.*/, # any reply code - $part = /(http|ftp):\/\/[[:alnum:][:punct:]]+/, - $context = /(http|ftp):\/\/[[:alnum:][:punct:]]+/]; - - # domain name - msg_components_not_to_split["domain-version-filename"] = - [$msg = /.*/, # any reply code - $part = /([[:alnum:]]+[\-\.\_])+[[:alnum:]]+/, - $context = /[^\@\.\-\_[:alnum:]]([[:alnum:]]+[\-\.\_])+[[:alnum:]]+[[:space:][:punct:]]/]; # not proceeded by '@' (as in email) - - # UNIX file mode string - msg_components_not_to_split["file_mode"] = - [$msg = /(211|213) .*/, - $part = /[ld\-]([r-][w-][xs-]){3}/, - $context = /@@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3}/]; - - # file name in `ls -l` - msg_components_not_to_split["ls_l_file_name"] = - [$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3} .*/, - $part = /[^[:blank:]]+/, - $context = /[[:blank:]][^[:blank:]]+ @@EOL@@/]; - - # symbolic links in `ls -l` - msg_components_not_to_split["ls_l_symbolic_link"] = - [$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r-][w-][xs-]){3} .*/, - $part = /[^[:blank:]]+/, - $context = /[[:blank:]][^[:blank:]]+ -> /]; - - # time - msg_components_not_to_split["time"] = - [$msg = /.*/, # any reply code - $part = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/, - $context = /[[:space:]\(\[][0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?[[:space:][:punct:]]/]; -} - -function subst_in_context(msg: string, orig_msg: string, c: msg_component, subst_map: table[string] of string): string - { - # print ftp_anon_log, fmt("msg = \"%s\", context = %s", msg, c$context); - - if ( orig_msg != c$msg || c$context !in msg ) - return 
msg; - - local parts = split_all(msg, c$context); - local msg0 = msg; - - for ( i in parts ) - { - # print ftp_anon_log, fmt("part[%d] = \"%s\"", i, parts[i]); - if ( i % 2 == 0 ) - { - local s = parts[i]; - local t = split_all(s, c$part); - - if ( length(t) > 1 && /X[[:alnum:]]{32}X/ !in t[2] ) - { - # print ftp_anon_log, fmt("\"%s\" -> \"%s\" + \"%s\" + \"%s\"", - # to_string_literal(parts[i]), t[1], t[2], t[3]); - # print ftp_anon_log, fmt("subst_in_context: \"%s\" [%s].[%s]", - # to_string_literal(s), c$part, c$context); - - local id = get_unique_subst_id(msg0, msg0); - msg0 = string_cat(msg0, id); - subst_map[id] = t[2]; - t[2] = id; - parts[i] = cat_string_array(t); - # print ftp_anon_log, fmt("subst_in_context: \"%s\"->\"%s\" in \"%s\"", - # subst_map[id], id, to_string_literal(parts[i])); - } - } - } - - return cat_string_array(parts); - } - - -# The main function for FTP reply anonymization. cmd_arg is the -# corresponding FTP request. - -function anonymize_ftp_reply_by_msg_pattern(code: count, act_msg: string, - cmd_arg: ftp_cmd_arg, session: ftp_session_info): string - { - local cmd = cmd_arg$cmd; - local arg = cmd_arg$arg; - local arg_var = expand_ftp_arg_variants(session, cmd_arg); - - # First check if trace-specific anonymization applies to the message - if ( trace_specific_reply_anonymization ) - { - local ret = anonymize_trace_specific_reply(session, code, act_msg, cmd_arg, arg_var); - if ( ret$anonymized ) - { - print ftp_anon_log, fmt("trace_specific_reply: %d \"%s\" ->\"%s\"", - code, to_string_literal(act_msg), to_string_literal(ret$msg)); - return ret$msg; - } - } - - # Extract any prefix of form "-" - local prefix = ""; - local msg0 = act_msg; - - if ( code > 0 ) - { - prefix = fmt("%d-", code); - if ( strstr(msg0, prefix) == 1 ) # msg0 starts with prefix like '220-' - msg0 = sub_bytes(msg0, byte_len(prefix) + 1, -1); - else - prefix = ""; - } - - - # Below we will split the message into fields. 
However, before - # the split we will first substitute certain substrings of the - # message with unique ID's and switch the ID's back to the - # corresponding strings after the split. - - # This is necessary to keep some part of the message from - # being splitted, for instance, we'd like to split the - # message: - # - # "'CWD /My Document/music/' command successful." - # - # with "/My Document/music/" as a single field instead two - # fields: "/My" and "Document/music/". - - # Mark the two ends of the message - msg0 = string_cat("@@BOL@@ ", msg0, " @@EOL@@"); - - # For pattern extraction -- used by extract_ftp_reply_pattern - local other_pat: table[string] of string; - - # For pattern matching -- used by match_pattern_part - local aux_pat: set[string]; - - local subst_map: table[string] of string; - - local orig_msg = fmt("%d %s", code, msg0); - local msg1 = msg0; - - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["file_mode"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_file_name"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_symbolic_link"], subst_map); - - # Process command in the reply message - if ( cmd != "" ) - { - other_pat[cmd] = "~ cmd"; - add aux_pat[string_cat("~ cmd", " : ", cmd)]; - add aux_pat[string_cat("~ cmd", " : ", to_lower(cmd))]; - if ( ftp_msg_field_separator in cmd ) - msg1 = subst_part(msg1, cmd, "", subst_map); - } - - # Process arguments in reply. Note that the order is - # critical: the argument variants are processed starting from - # the most specific one. 
- msg1 = process_arg_in_reply(arg_var, msg1, other_pat, aux_pat, subst_map); - - # Process directory in the reply - local dir = "~ none"; # any directory contained in the reply - if ( code == 257 || [cmd, code] in ftp_dir_operation ) - { - dir = extract_dir_from_reply(session, msg1, dir); - if ( dir != "~ none" ) - { - other_pat[dir] = "~ dir"; - add aux_pat[string_cat("~ dir", " : ", dir)]; - if ( ftp_msg_field_separator in dir ) - msg1 = subst_part(msg1, dir, "", subst_map); - } - } - - # msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["quoted"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["port"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["email"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["url"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ip"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["domain-version-filename"], subst_map); - msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["time"], subst_map); - - # Summarize all the substitution for debugging and verification - local subst_str = ""; - if ( length(subst_map) > 0 ) - { - for ( xx in subst_map ) - { - if ( subst_str != "" ) - subst_str = string_cat(subst_str, ", "); - subst_str = string_cat(subst_str, fmt("(\"%s\"->\"%s\")", to_string_literal(subst_map[xx]), xx)); - } - print ftp_anon_log, fmt("substitute: \"%d %s\" with {%s}", - code, act_msg, subst_str); - } - - # Split the message to parts - local msg_parts = split_all(msg1, ftp_msg_field_separator); - local num_parts = length(msg_parts); - - # According to subst_map, change substitution ID's back to the - # corresponding parts. Note that here we only look at whole - # fields to look for substitution ID's. 
- for ( i in msg_parts ) - { - local this_part = msg_parts[i]; - if ( this_part in subst_map ) - { - msg_parts[i] = subst_map[this_part]; - # print ftp_anon_log, fmt("substitute_part: \"%s\"", to_string_literal(msg_parts[i])); - } - } - - # Sanity check for string substitution - local msg2 = cat_string_array(msg_parts); - # msg2 != msg0 suggests that there is an improper substitution - if ( msg2 != msg0 ) - { - print ftp_anon_log, fmt("ERROR: substitution: \"%s\" -> \"%s\" with {%s} in [%s]", - to_string_literal(msg0), to_string_literal(msg2), - subst_str, id_string(session$connection_id)); - return strip_out_message(session, code, act_msg); - } - - # So far the message is successfully splitted. Now we will try - # to find a matching pattern. - - # Look it up in message patterns. - local ind = fmt("%3d %3d", code, num_parts); - - if ( ind !in msg_pattern_groups ) - { - print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]", - code, act_msg, id_string(session$connection_id)); - extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session); - return strip_out_message(session, code, act_msg); - } - - local pat_group = msg_pattern_groups[ind]; - - # There can be more than one matches ... record all of them - # and pick the most promising one. 
- local matches: table[string] of msg_pattern_match_result; - local the_pat: msg_pattern_match_result; # the best match - the_pat$valid = F; - - for ( pat_str in pat_group ) - { - local msg_pat = pat_group[pat_str]; - local tok: string_array; - local r = do_msg_pattern_match(act_msg, msg_parts, msg_pat, aux_pat); - if ( r$valid ) - { - if ( length(matches) == 0 || cmp_msg_pattern_match(r, the_pat) < 0 ) - the_pat = r; - matches[pat_str] = r; - } - } - - if ( length(matches) == 0 ) - { - print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]", - code, act_msg, id_string(session$connection_id)); - - extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session); - - return strip_out_message(session, code, act_msg); - } - - if ( length(matches) > 1 ) - print ftp_anon_log, fmt("multiple_patterns: \"%d %s\"", code, act_msg); - - print ftp_anon_log, fmt("message_matched: (%d) \"%d %s\" ~ \"%s\"", - length(matches), code, act_msg, the_pat$pat$str); - - ++the_pat$pat$hit; - - # Now we anonymize the message according to the_pat. During - # the process we log two kinds of anonymization for manual - # inspection: - # 1) when a field matches the wild card pattern ('~ *'): this - # will help us find information that is over-conservatively - # anonymized; - # 2) when a field matches a pattern with a 'to expose' flag (a - # '+' at the end): this will help us to verify that the - # exposed data is privacy-safe. - - local anon_parts: string_array; - local match_wildcard = ""; - local match_exposure = ""; - - for ( i in msg_parts ) - { - local data = msg_parts[i]; - if ( i <= 2 || i >= num_parts - 1 ) - anon_parts[i] = subst(data, /@@BOL@@ | @@EOL@@/, ""); - else if ( i % 2 == 0 ) - anon_parts[i] = data; - else - { - local p = the_pat$parts[int_to_count((i-1)/2)]; - anon_parts[i] = ( p != /~ .*/ ) ? 
data : - anonymize_msg_part(data, p, - cmd_arg, session); - - if ( p == /~ .+[+]/ ) - { - if ( match_exposure != "" ) match_exposure = string_cat(match_exposure, "; "); - match_exposure = string_cat(match_exposure, data); - } - - if ( p == "~ *" ) - { - if ( match_wildcard != "" ) match_wildcard = string_cat(match_wildcard, "; "); - match_wildcard = string_cat(match_wildcard, data); - } - } - } - - if ( match_wildcard != "" && [match_wildcard, the_pat$pat$str] !in all_wildcard_matches ) - { - add all_wildcard_matches[match_wildcard, the_pat$pat$str]; - print ftp_anon_log, fmt("wildcard_match: in pattern: \"%s\" data: [%s] in [%s]", - the_pat$pat$str, - match_wildcard, - id_string(session$connection_id)); - } - - if ( match_exposure != "" ) - { - print ftp_anon_log, fmt("data_exposure: in pattern: \"%s\" data: [%s] in [%s]", - the_pat$pat$str, - match_exposure, - id_string(session$connection_id)); - } - - local result = cat_string_array(anon_parts); - - # Stick the prefix back to the message. - if ( prefix != "" ) - result = string_cat(prefix, result); - - return result; - } diff --git a/policy.old/ftp-safe-words.bro b/policy.old/ftp-safe-words.bro deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/policy.old/gnutella.bro b/policy.old/gnutella.bro deleted file mode 100644 index 0fd4429f83..0000000000 --- a/policy.old/gnutella.bro +++ /dev/null 
@@ -1,61 +0,0 @@ -# $Id: gnutella.bro 4017 2007-02-28 07:11:54Z vern $ - -redef capture_filters += { ["gnutella"] = "port 6346 or port 8436" }; - -global gnutella_ports = { 6346/tcp, 8436/tcp } &redef; -redef dpd_config += { [ANALYZER_GNUTELLA] = [$ports = gnutella_ports] }; - -event gnutella_text_msg(c: connection, orig: bool, headers: string) - { - if ( orig ) - print fmt("gnu txt %s -> %s %s", c$id$orig_h, c$id$resp_h, headers); - else - print fmt("gnu txt %s -> %s %s", c$id$resp_h, c$id$orig_h, headers); - } - - -event gnutella_binary_msg(c: connection, orig: bool, msg_type: count, - ttl: count, hops: count, msg_len: count, - payload: string, payload_len: count, - trunc: bool, complete: bool) - { - local s = ""; - - if ( orig ) - s = fmt("gnu bin %s -> %s", c$id$orig_h, c$id$resp_h); - else - s = fmt("gnu bin %s -> %s", c$id$resp_h, c$id$orig_h); - - print fmt("%s %d %d %d %d %d %d %d %s", - s, msg_type, ttl, hops, msg_len, - trunc, complete, payload_len, payload); - } - - -event gnutella_partial_binary_msg(c: connection, orig: bool, - msg: string, len: count) - { - if ( orig ) - print fmt("gnu pbin %s -> %s", c$id$orig_h, c$id$resp_h); - else - print fmt("gnu pbin %s -> %s", c$id$resp_h, c$id$orig_h); - } - - -event gnutella_establish(c: connection) - { - print fmt("gnu est %s <-> %s", c$id$orig_h, c$id$resp_h); - } - - -event gnutella_not_establish(c: connection) - { - print fmt("gnu !est %s <-> %s", c$id$orig_h, c$id$resp_h); - } - - -event gnutella_http_notify(c: connection) - { - print fmt("gnu http %s/%s <-> %s/%s", c$id$orig_h, c$id$orig_p, - c$id$resp_h, c$id$resp_p); - } diff --git a/policy.old/hand-over.bro b/policy.old/hand-over.bro deleted file mode 100644 index 5c017c66b5..0000000000 --- a/policy.old/hand-over.bro +++ /dev/null 
@@ -1,144 +0,0 @@ -# $Id: hand-over.bro 617 2004-11-02 00:54:31Z scottc $ -# -# Hand-over between two instances of Bro. - -@load remote - -# The host from which we want to take over the state has to be -# added to remote_peers_{clear,ssl}, setting hand_over to T. -# -# The host which we want to allow to perform a hand-over with us -# has to be added to remote_peers with a port of 0/tcp and -# hand_over = T. - -function is_it_us(host: addr, p: port): bool - { -@ifdef ( listen_if_clear ) - if ( is_local_interface(host) && p == listen_port_clear ) - return T; -@endif - -@ifdef ( listen_if_ssl ) - if ( is_local_interface(host) && p == listen_port_ssl ) - return T; -@endif - return F; - } - -function is_handover_peer(p: event_peer): bool - { - local peer: Remote::Destination; - - if ( p$id in Remote::pending_peers ) - peer = Remote::pending_peers[p$id]; - else - return F; - - return peer$hand_over; - } - -function handover_start_processing() - { - uninstall_src_net_filter(0.0.0.0/0); - } - -event bro_init() - { - # Disable packet processing. - install_src_net_filter(0.0.0.0/0, 0, 100); - # Reporter::message("waiting for hand-over - packet processing disabled."); - } - -event remote_connection_error(p: event_peer, reason: string) - { - if ( is_remote_event() || ! ( p$id in Remote::connected_peers) ) - return; - - # Seems that the other side in not running. - # Reporter::error("can't connect for hand-over - starting processing ..."); - handover_start_processing(); - } - -event remote_connection_established(p: event_peer) - { - if ( is_remote_event() ) - return; - - # If [p$id] is defined in Remote::connected_peers and p != 0, we have connected - # to the host. - if ( p$p != 0/tcp && - ([p$id] in Remote::connected_peers ) ) - { - if ( ! is_handover_peer(p) ) - return; - - # Reporter::message(fmt("requesting hand-over from %s:%d", p$host, p$p)); - - request_remote_events(p, /handover_.*|finished_send_state/); - - # Give the remote side some time to register its handlers. 
- schedule 3 secs { handover_request(p$host, p$p) }; - return; - } - - # If the other side connected to us, we will allow the hand-over - # if the remote host is defined as a hand-over host in remote_peers. - if ( is_handover_peer(p) ) - { - # Reporter::message(fmt("allowing hand-over from %s:%d", p$host, p$p)); - request_remote_events(p, /handover_.*|finished_send_state/); - } - } - -event handover_send_state(p: event_peer) - { - if ( is_remote_event() ) - return; - - # There may be a serialization in progress in which case - # we will have to try again. - if ( ! send_state(p) ) - { - # Reporter::message("can't send state; serialization in progress"); - schedule 5 secs { handover_send_state(p$host, p$p) }; - } - } - -event handover_request(p: event_peer) - { - # Make sure the event is for us. - if ( ! (is_remote_event() && is_it_us(p$host, p$p)) ) - return; - - # Send state to other side. - schedule 1 sec { handover_send_state(p) }; - } - -event finished_send_state(p: event_peer) - { - # We will get this event from the remote side. - # Make sure it's indeed for us. - if ( ! is_remote_event() ) - return; - - if ( ! is_handover_peer(p) ) - return; - - #Reporter::message(fmt("full state received from %s:%d - starting processing ...", - # p$host, p$p)); - - event handover_got_state(p); - - # Start processing. - handover_start_processing(); - } - -event handover_got_state(p: event_peer) - { - # Make sure the event is for us. - if ( ! (is_remote_event() && is_it_us(p$host, p$p)) ) - return; - - # Reporter::message(fmt("%s:%d received our state - terminating", p$host, p$p)); - terminate(); - } diff --git a/policy.old/heavy-analysis.bro b/policy.old/heavy-analysis.bro deleted file mode 100644 index 6d3bf29a0c..0000000000 --- a/policy.old/heavy-analysis.bro +++ /dev/null 
@@ -1,26 +0,0 @@ -# $Id: heavy-analysis.bro 2771 2006-04-18 23:53:09Z vern $ -# -# Loading this files enables somewhat more accurate, yet also significantly -# more expensive, analysis (in terms of memory as well as CPU time). -# -# This script only sets core-level options. Script-level timeouts are -# adjusted in heavy.*.bro, loaded via Bro's prefix mechanism. To make this -# work, the prefix has to be set *before* reading other scripts, either by -# loading this script first of all, or by manually putting a @prefix -# at the start of Bro's configuration. - -@prefixes += heavy - -redef tcp_SYN_timeout = 120 secs; -redef tcp_session_timer = 30 secs; -redef tcp_connection_linger = 30 secs; -redef tcp_attempt_delay = 300 secs; -redef tcp_close_delay = 15 secs; -redef tcp_reset_delay = 15 secs; -redef tcp_partial_close_delay = 10 secs; - -redef max_timer_expires = 32; - -redef tcp_inactivity_timeout = 2 hrs; -redef udp_inactivity_timeout = 1 hrs; -redef icmp_inactivity_timeout = 1 hrs; diff --git a/policy.old/heavy.irc.bro b/policy.old/heavy.irc.bro deleted file mode 100644 index 0e2cdf0dbb..0000000000 --- a/policy.old/heavy.irc.bro +++ /dev/null @@ -1,4 +0,0 @@ -# $Id: heavy.irc.bro 4723 2007-08-07 18:14:35Z vern $ - -redef active_users &persistent &read_expire = 1 days; -redef active_channels &persistent &read_expire = 1 days; diff --git a/policy.old/heavy.scan.bro b/policy.old/heavy.scan.bro deleted file mode 100644 index 570e79bf6a..0000000000 --- a/policy.old/heavy.scan.bro +++ /dev/null @@ -1,6 +0,0 @@ -# $Id: heavy.scan.bro 4758 2007-08-10 06:49:23Z vern $ - -redef distinct_peers &create_expire = 10 hrs; -redef distinct_ports &create_expire = 10 hrs; -redef distinct_low_ports &create_expire = 10 hrs; -redef possible_scan_sources &create_expire = 10 hrs; diff --git a/policy.old/heavy.software.bro b/policy.old/heavy.software.bro deleted file mode 100644 index f9e8d0b694..0000000000 --- a/policy.old/heavy.software.bro +++ /dev/null 
@@ -1,3 +0,0 @@ -# $Id: heavy.software.bro 2771 2006-04-18 23:53:09Z vern $ - -redef only_report_local = F; diff --git a/policy.old/heavy.trw.bro b/policy.old/heavy.trw.bro deleted file mode 100644 index 1bfce8f6b4..0000000000 --- a/policy.old/heavy.trw.bro +++ /dev/null @@ -1,8 +0,0 @@ -# $Id: heavy.trw.bro 4723 2007-08-07 18:14:35Z vern $ - -redef TRW::scan_sources &write_expire = 1 day; -redef TRW::benign_sources &write_expire = 1 day; -redef TRW::failed_locals &write_expire = 12 hrs; -redef TRW::successful_locals &write_expire = 12 hrs; -redef TRW::lambda &write_expire = 12 hrs; -redef TRW::num_scanned_locals &write_expire = 12 hrs; diff --git a/policy.old/hot-ids.bro b/policy.old/hot-ids.bro deleted file mode 100644 index 64a6a7a71f..0000000000 --- a/policy.old/hot-ids.bro +++ /dev/null @@ -1,29 +0,0 @@ -# @(#) $Id: hot-ids.bro 785 2004-11-24 05:56:06Z rwinslow $ (LBL) - -# If these ids are seen, the corresponding connection is terminated. -const forbidden_ids = { - "uucp", "daemon", "rewt", "nuucp", - "EZsetup", "OutOfBox", "4Dgifts", - "ezsetup", "outofbox", "4dgifts", "sgiweb", - "r00t", "ruut", "bomb", "backdoor", - "bionic", "warhead", "check_mate", "checkmate", "check_made", - "themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack", -} &redef; - -const forbidden_ids_if_no_password = { "lp" } &redef; - -const forbidden_id_patterns = /(y[o0]u)(r|ar[e3])([o0]wn.*)/ &redef; - -const always_hot_ids = { - "sync", "tutor", "tour", - "retro", "milk", "moof", "own", "gdm", "anacnd", - "lp", "demos", forbidden_ids, -} &redef; - -# The ones here that aren't in always_hot_ids are only hot upon -# success. -const hot_ids = { - "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag", - "operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper", - "wank", always_hot_ids, -} &redef; diff --git a/policy.old/hot.bro b/policy.old/hot.bro deleted file mode 100644 index 5c4fd6a395..0000000000 --- a/policy.old/hot.bro +++ /dev/null 
@@ -1,160 +0,0 @@ -# $Id: hot.bro 7057 2010-07-19 23:22:19Z vern $ - -@load site -@load port-name -@load notice -@load terminate-connection - -module Hot; - -export { - # True if it should be considered a spoofing attack if a connection has - # the same local net for source and destination. - const same_local_net_is_spoof = F &redef; - - const allow_spoof_services = { - 110/tcp, # pop-3 - 139/tcp, # netbios-ssn - } &redef; - - # Indexed by source address and destination address. - const allow_pairs: set[addr, addr] &redef; - - const hot_srcs: table[addr] of string = { - # [ph33r.the.eleet.com] = "kidz", - } &redef; - - const hot_dsts: table[addr] of string = { - [206.101.197.226] = "ILOVEYOU worm destination", - } &redef; - - const allow_services = { - ssh, http, gopher, ident, smtp, 20/tcp, - 53/udp, # DNS queries - 123/udp, # NTP - } &redef; - - const allow_services_to: set[addr, port] &redef; - const allow_services_from: set[addr, port] &redef; - const allow_service_pairs: set[addr, addr, port] &redef; - - const flag_successful_service: table[port] of string = { - [[31337/tcp]] = "popular backdoors", - } &redef; - - const flag_successful_inbound_service: table[port] of string = { - [1524/tcp] = "popular backdoor, but with false hits outbound", - } &redef; - - const terminate_successful_inbound_service: table[port] of string &redef; - - const flag_rejected_service: table[port] of string &redef; - - # Different values to hand to check_hot() at different stages in - # a connection's lifetime. - const CONN_ATTEMPTED = 1; - const CONN_ESTABLISHED = 2; - const APPL_ESTABLISHED = 3; - const CONN_FINISHED = 4; - const CONN_REJECTED = 5; - const CONN_TIMEOUT = 6; - const CONN_REUSED = 7; - - global check_hot: function(c: connection, state: count): bool; - global check_spoof: function(c: connection): bool; -} - -# An internal function used by check_hot. 
-function do_hot_check(c: connection, a: addr, t: table[addr] of string) - { - if ( a in t ) - { - ++c$hot; - local hot_msg = fmt("<%s>", t[a]); - append_addl(c, hot_msg); - } - } - -function check_spoof(c: connection): bool - { - local orig = c$id$orig_h; - local resp = c$id$resp_h; - local service = c$id$resp_p; - - if ( is_local_addr(orig) && is_local_addr(resp) && - service !in allow_spoof_services ) - { - if ( c$id$orig_p == service && orig == resp ) - event conn_weird("Land_attack", c, ""); - - if ( same_local_net_is_spoof ) - ++c$hot; - } - - return c$hot != 0; - } - -function check_hot(c: connection, state: count): bool - { - local id = c$id; - local service = id$resp_p; - - if ( service in allow_services || "ftp-data" in c$service ) - return F; - - if ( state == CONN_ATTEMPTED ) - check_spoof(c); - - else if ( state == CONN_REJECTED ) - { - check_spoof(c); - - if ( service in flag_rejected_service ) - ++c$hot; - } - - else if ( state == CONN_ESTABLISHED ) - { - check_spoof(c); - - local inbound = is_local_addr(id$resp_h); - - if ( (service in flag_successful_service || - (inbound && - service in flag_successful_inbound_service)) && - ([id$resp_h, id$resp_p] !in allow_services_to || - [id$orig_h, id$resp_p] !in allow_services_from) ) - { - if ( inbound && - service in terminate_successful_inbound_service ) - TerminateConnection::terminate_connection(c); - - ++c$hot; - if ( service in flag_successful_service ) - append_addl(c, flag_successful_service[service]); - else - append_addl(c, flag_successful_inbound_service[service]); - } - } - - else if ( state == APPL_ESTABLISHED || - ((state == CONN_FINISHED || state == CONN_TIMEOUT || - state == CONN_REUSED) && - service != telnet && c$orig$size > 0 && c$resp$size > 0) ) - { - # Connection established and has a non-trivial size. 
- local orig = c$id$orig_h; - local resp = c$id$resp_h; - - if ( [resp, service] in allow_services_to || - [orig, service] in allow_services_from || - [orig, resp, service] in allow_service_pairs || - [orig, resp] in allow_pairs ) - return F; - - do_hot_check(c, resp, hot_srcs); - do_hot_check(c, resp, hot_dsts); - } - - return c$hot != 0; - } diff --git a/policy.old/http-abstract.bro b/policy.old/http-abstract.bro deleted file mode 100644 index 3eaeb273f0..0000000000 --- a/policy.old/http-abstract.bro +++ /dev/null @@ -1,54 +0,0 @@ -# $Id: http-abstract.bro 47 2004-06-11 07:26:32Z vern $ - -@load http -@load http-entity - -module HTTP; - -export { - const abstract_max_length = 512 &redef; -} - -redef http_entity_data_delivery_size = 4096; -redef include_HTTP_abstract = T; - -function skip_abstract(c: connection, is_orig: bool, msg: http_message) - { - msg$skip_abstract = T; - if ( ! process_HTTP_data ) - skip_http_entity_data(c, is_orig); - } - -event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) - { - local s = lookup_http_request_stream(c); - local msg = get_http_message(s, is_orig); - - if ( msg$entity_level == 1 && ty == "TEXT" ) - # Do not skip the body in this case. - return; - - skip_abstract(c, is_orig, msg); - } - -event http_entity_data(c: connection, is_orig: bool, length: count, data: string) - { - local s = lookup_http_request_stream(c); - local msg = get_http_message(s, is_orig); - - if ( msg$skip_abstract ) - return; - - local len = byte_len(data); - if ( len > abstract_max_length ) - msg$abstract = sub_bytes(data, 1, abstract_max_length); - else - msg$abstract = data; - - skip_abstract(c, is_orig, msg); - - # print http_log, fmt("%.6f %s %s %d bytes: \"%s\"", - # network_time(), s$id, - # is_orig ? "=>" : "<=", byte_len(msg$abstract), - # msg$abstract); - } diff --git a/policy.old/http-anon-server.bro b/policy.old/http-anon-server.bro deleted file mode 100644 index ecf755c39a..0000000000 
--- a/policy.old/http-anon-server.bro +++ /dev/null 
@@ -1,209 +0,0 @@ -# $Id:$ - -# Anonymize values in Server: headers. -# -# TODO: -# -# - Zedo and IBM web servers can have Apache mods -- the parsing should -# be extended to support them -# - -@load anon -@load http-anon-utils - -# --------------------------------------------------------------------- -# Apache (and friends) -# - abandon all hope ye who enter here ..... -# --------------------------------------------------------------------- - -const apache_server = - /apache(-ish)?(\/([0-9]+\.)*[0-9]+)? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/; - -const apache_mod_pat = - /mod_fastcgi\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /openssl\/([0-9]+\.)*[0-9a-z]{1,4}(-beta[0-9]{0,2})?/ - | /dav\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /php-cgi\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /ben-ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /embperl\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_ruby\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /nexadesic\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /postgresql\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_tsunami\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_auth_svn\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_auth_mda\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /rus\/pl(([0-9]+\.)*[0-9]{1,4})/ - | /authmysql\/(([0-9]+\.)*[0-9]{1,4})/ - | /mod_auth_pgsql\/(([0-9]+\.)*[0-9]{1,4})/ - | /mod_ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /php\/(([0-9]+\.)*[0-9a-z]{1,4})(-[0-9]+)?/ - | /mod_perl\/(([0-9]+\.)*[0-9a-z]{1,4})(\_[0-9]+)?/ - | /mod_macro\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_auth_pam\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_oas\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_cap\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /powweb\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_gzip\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /resin\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_jk\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /python\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /perl\/(v)?(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_python\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | 
/mod_log_bytes\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_auth_passthrough\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_bwlimited\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_throttle\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /mod_webapp\/(([0-9]+\.)*[0-9a-z]{1,4})(-dev)?/ - | /frontpage\/(([0-9]+\.)*[0-9a-z]{1,5})/ - | /mod_pubcookie\/[0-9a-z]{2}\/[0-9]+\.[0-9]+\-[0-9]+/ - | /(-)?coyote\/(([0-9]+\.)*[0-9a-z]{1,4})/ - | /svn\/(([0-9]+\.)*[0-9a-z]{1,4})/ - ; - -# Various Apache variants (e.g., stronghold). -const apache_misc = - /stronghold\/(([0-9]+\.)*[0-9]+) apache(\/([0-9]+\.)*[0-9]+)? (c2neteu\/[0-9])? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/; - -const apache_basic = /apache?(\/([0-9]+\.)*[0-9]+)?/; -const apache_platforms = - /(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/; - -# ibm_http_server/1.3.26.2, apache/1.3.26 (unix). -const IBM_server = - /ibm_http_server(\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)?( *apache\/[0-9]+\.[0-9]+\.[0-9]+ \(unix\))?/; - - -# --------------------------------------------------------------------- -# Servers values for which we don't retain all values. 
-# --------------------------------------------------------------------- - -const zope_server = - /zope\/\(zope ([0-9]+\.)*[0-9]+-[a-z0-9]{1,2}\, python ([0-9]+\.)*[0-9]+\, linux[0-9]\)/; - -const thttp_server = /thttpd\/[0-9]+\.[0-9]+(beta[0-9]+)?/; -const weblogic_server = /weblogic server [0-9]+\.[0-9]+/; -const zedo_server = /zedo 3g(\/([0-9]+\.)*[0-9]+)?/; -const jetty_server = /jetty\/[0-9]+\.[0-9]+/; - -# --------------------------------------------------------------------- -# Misc Servers -# --------------------------------------------------------------------- - -const misc_server = - /dclk creative/ - | /gws\/[0-9]+\.[0-9]+/ - | /nfe\/[0-9]+\.[0-9]+/ - | /gfe\/[0-9]+\.[0-9]+/ - | /dclk-adsvr/ - | /rsi/ - | /swcd\/([0-9]+\.)*[0-9]+/ - | /microsoft-iis\/[0-9]{1,2}\.[0-9]{1,2}/ - | /cafe\/[0-9]+\.[0-9]+/ - | /artblast\/([0-9]+\.)*[0-9]+/ - | /aolserver\/([0-9]+\.)*[0-9]+/ - | /resin\/([0-9]+\.)*s?[0-9]+/ - | /netscape-enterprise\/([0-9]+\.)*[0-9a-z]{1,2}+ *(aol)?/ - | /mapquest listener/ - | /miixpc\/[0-9]+\.[0-9]+/ - | /sun-one-web-server\/[0-9]+\.[0-9]+/ - | /appledotmacserver/ - | /cj\/[0-9]+\.[0-9]+/ - | /jigsaw\/([0-9]+\.)*[0-9]+/ - | /boa\/[0-9]+\.[0-9]+(\.[0-9]+(rc[0-9]+)?)?/ - | /tux\/[0-9]+\.[0-9]+ *\(linux\)/ - | /igfe/ - | /trafficmarketplace-jforce\/([0-9]+\.)*[0-9]+/ - | /lighttpd/ - | /hitbox gateway ([0-9]+\.)*[0-9]+ [a-z][0-9]/ - | /jbird\/[0-9]+\.[0-9a-z]{1,2}/ - | /perlbal/ - | /big-ip/ - | /konichiwa\/[0-9]+\.[0-9]+/ - | /footprint [0-9]+\.[0-9]+\/fpmc/ - | /iii [0-9]+/ - | /clickability web server\/([0-9]+\.)*[0-9]+ *\(unix\)/ - | /accipiter-directserver\/([0-9]+\.)*[0-9]+ \(nt; pentium\)/ - | /ibm-proxy-wte\/([0-9]+\.)*[0-9]+/ - | /netscape-commerce\/[0-9]+\.[0-9]+/ - | /nde/ - ; - -function do_apache_server(server: string): string - { - local apache_parts = split_all(server, apache_server); - if ( apache_parts[3] == "" ) - return apache_parts[2]; - - local apache_return_string = apache_parts[2]; - local mod_parts = split(apache_parts[3], 
/ /); - - for ( part in mod_parts ) - { - if ( mod_parts[part] == apache_mod_pat ) - { - apache_return_string = - string_cat(apache_return_string, - " "); - apache_return_string = - string_cat(apache_return_string, - mod_parts[part]); - } - else - print http_anon_log, fmt("** unknown Apache mod: %s:%s", mod_parts[part], server); - } - - return apache_return_string; - } - -function check_server(server: string, server_pat: pattern): bool - { - return server_pat in server; - } - -function do_server(server: string, server_pat: pattern): string - { - return split_all(server, server_pat)[2]; - } - -function filter_in_http_server(server: string): string - { - # Vanilla Apache is a hard one and a special case. Let's get the - # nastiness over first. - - if ( apache_server in server ) - return do_apache_server(server); - - if ( check_server(server, apache_misc) ) - return do_server(server, apache_misc); - if ( check_server(server, IBM_server) ) - return do_server(server, IBM_server); - if ( check_server(server, zedo_server) ) - return do_server(server, zedo_server); - if ( check_server(server, zope_server) ) - return do_server(server, zope_server); - if ( check_server(server, jetty_server) ) - return do_server(server, jetty_server); - if ( check_server(server, thttp_server) ) - return do_server(server, thttp_server); - if ( check_server(server, weblogic_server) ) - return do_server(server, weblogic_server); - - # Grab bag. - if ( misc_server in server ) - return server; - - # Best guess - unknown Apache variant of some sort. - if ( apache_basic in server ) - { - print http_anon_log, - fmt("** unknown Apache variant: %s", server); - - return fmt("(bro: unknown) %s %s", - split_all(server, apache_basic)[2], - split_all(server, apache_platforms)[2]); - } - - print http_anon_log, fmt("** unknown server: %s", server); - - return fmt("(bro: unknown) %s", anonymize_arg("server", server)); - } 
diff --git a/policy.old/http-anon-useragent.bro b/policy.old/http-anon-useragent.bro deleted file mode 100644 index b8edd4a637..0000000000 --- a/policy.old/http-anon-useragent.bro +++ /dev/null 
@@ -1,111 +0,0 @@
-# $Id:$
-
-# Filter-in known "USER-AGENT:" values.
-
-@load anon
-@load http-anon-utils
-
-# ---------------------------------------------------------------------
-# Mozilla (and friends)
-# ---------------------------------------------------------------------
-
-const mozilla_full_pat =
- /mozilla\/[0-9]\.[0-9] \(( *|;|iebar| freebsd i[0-9]{1,4}|fr|-|windows|windows 98|sunos sun4u|compatible|msie [0-9]\.[0-9]|windows nt [0-9]\.[0-9]|google-tr-1|sv1|\.net clr ([0-9]\.)*[0-9]+|x11|en|ppc mac os x|macintosh|u|linux i[0-9]{1,4}|en-us|rv\:([0-9]+\.)*[0-9]+|aol [0-9]\.[0-9]|gnotify ([0-9]+\.)*[0-9]+)*\) *(gecko\/[0-9]+)? *(firefox\/([0-9]+.)*[0-9]+)?/;
-
-const mozilla_head_pat = /mozilla\/[0-9]\.[0-9]/;
-
-const misc_user_pat =
- /spiderman/
- | /w3m\/([0-9]+\.)*[0-9]+/
- | /java([0-9]+\.)*[0-9]+(_[0-9]+)?/
- | /java\/([0-9]+\.)*[0-9]+(_[0-9]+)?/
- | /freecorder/
- | /industry update control/
- | /microsoft-cryptoapi\/([0-9]+\.)*[0-9]+/
- | /ruriko\/([0-9]+\.)*[0-9]+/
- | /crawler[0-9]\.[0-9]/
- | /w3search/
- | /symantec liveupdate/
- | /davkit\/[0-9]\.[0-9]/
- | /windows-media-player\/([0-9]+\.)*[0-9]+/
- | /winamp\/([0-9]+\.)*[0-9]+/
- | /headdump/
- ;
-
-const misc_cmplx_user_pat =
- /lynx\/([0-9]+\.)*[0-9]+.*/
- | /wget\/([0-9]+\.)*[0-9]+.*/
- | /yahooseeker\/([0-9]+\.)*[0-9]+.*/
- | /rma\/([0-9]+\.)*[0-9]+.*/
- | /aim\/[0-9]+.*/
- | /ichiro\/([0-9]+\.)*[0-9]+.*/
- | /unchaos.*/
- | /irlbot\/[0-9]\.[0-9]+.*/
- | /msnbot\/([0-9]+\.)*[0-9]+.*/
- | /opera\/([0-9]+\.)*[0-9]+.*/
- | /netnewswire\/([0-9]+\.)*[0-9]+.*/
- | /nsplayer\/([0-9]+\.)*[0-9]+.*/
- | /aipbot\/([0-9]+\.)*[0-9]+.*/
- | /mac os x; webservicescore\.framework.*/
- | /fast-webcrawler\/([0-9]+\.)*[0-9]+.*/
- | /skype.*/
- | /googlebot\/([0-9]+\.)*[0-9]+.*/
- ;
-
-const misc_cmplx_user_start =
- /lynx\/([0-9]+\.)*[0-9]+/
- | /wget\/([0-9]+\.)*[0-9]+/
- | /yahooseeker\/([0-9]+\.)*[0-9]+/
- | /rma\/([0-9]+\.)*[0-9]+/
- | /aim\/[0-9]+/
- | /ichiro\/([0-9]+\.)*[0-9]+/
- | /unchaos/
- | /irlbot\/[0-9]\.[0-9]+/
- | /opera\/([0-9]+\.)*[0-9]+/
- | /msnbot\/([0-9]+\.)*[0-9]+/
- | /netnewswire\/([0-9]+\.)*[0-9]+/
- | /nsplayer\/([0-9]+\.)*[0-9]+/
- | /aipbot\/([0-9]+\.)*[0-9]+/
- | /mac os x; webservicescore\.framework/
- | /fast-webcrawler\/([0-9]+\.)*[0-9]+/
- | /skype/
- | /googlebot\/([0-9]+\.)*[0-9]+/
- ;
-
-function filter_in_http_useragent(user: string): string
- {
- # Check for an exact match for Mozilla.
- if ( mozilla_full_pat in user )
- return split_all(user, mozilla_full_pat)[2];
-
- # Look for popular Mozilla-compatible crawlers.
- if ( mozilla_head_pat in user )
- {
- local crawler = "(bro: unknown)";
-
- if ( /.*yahoo\! slurp/ in user )
- crawler = "(yahoo! slurp)";
-
- else if ( /.*ask jeeves/ in user )
- crawler = "(ask jeeves)";
-
- else
- print http_anon_log,
- fmt("*** unknown Mozilla user-agent %s\n", user);
-
- return fmt("%s %s", split_all(user, mozilla_head_pat)[2],
- crawler);
- }
-
- # Some simple, common user names.
- if ( misc_user_pat in user )
- return user;
-
- # Require some info removal.
- if ( misc_cmplx_user_pat in user )
- return split_all(user, misc_cmplx_user_pat)[2];
-
- print http_anon_log,fmt("*** unknown user agent %s\n", user);
-
- return fmt("(bro: unknown) %s", anonymize_arg("user-agent", user));
- }
diff --git a/policy.old/http-anon-utils.bro b/policy.old/http-anon-utils.bro
deleted file mode 100644
index 660452cc2f..0000000000
--- a/policy.old/http-anon-utils.bro
+++ /dev/null
@@ -1,164 +0,0 @@
-# $Id:$
-
-@load anon
-
-global http_anon_log = open_log_file("http-anon") &redef;
-
-const URI_proto_pat = /^ *([a-zA-Z]+)\:\/\// ;
-const known_URI_proto_pat = /^ *(http|https|ftp|ssh)\:\/\// ;
-
-const host_pat = / *^([\-0-9a-zA-Z]+\.)+([\_\-0-9a-zA-Z])*/ ;
-const port_pat = /^ *(\:[0-9]+\.)/ ;
-
-const query_pat = /\?/ ;
-
-function anonymize_http_URI(URI: string): string
- {
- URI = to_lower(URI);
-
- # Strip off protocol.
- local proto = "";
- if ( URI_proto_pat in URI )
- {
- local proto_part = split(URI, /\:\/\//);
-
- # Check if we know the protocol. If not, flag it so we
- # can update our protocol database.
-
- if ( known_URI_proto_pat !in URI )
- {
- print http_anon_log,
- fmt("*** protocol %s unknown ", proto_part[1]);
-
- proto_part[1] =
- string_cat(" (bro: unknown) ",
- anonymize_arg("proto", proto_part[1]));
- }
-
- proto = string_cat(proto_part[1],"://");
- URI = proto_part[2];
- }
-
- # Strip off domain.
- local host = "";
- if ( host_pat in URI )
- {
- local base_parts =
- split_all(URI, / *^([\-\_0-9a-z]+\.)+[\-\_0-9a-z]*/);
-
- if ( |base_parts| < 2 )
- {
- print http_anon_log,
- fmt (" XXXXXXXXXXXXXXXXXXXXXX BASE %s", URI);
- return " XXXX processing error XXXX";
- }
-
- if ( |base_parts| == 2 )
- URI = "";
-
- else if ( |base_parts| == 3)
- URI = base_parts[3];
-
- else if ( |base_parts| > 3)
- {
- local patch_me = "";
- local hack = base_parts[2];
-
- local i = 1;
- for ( part in base_parts )
- {
- if ( i != 2 )
- patch_me = string_cat(patch_me,
- base_parts[i]);
- i += 1;
- }
-
- URI = patch_me;
- }
-
- if ( host == simple_filename )
- host = anonymize_path(host);
- else
- host = anonymize_host(base_parts[2]);
- }
-
- # Strip off port (if it exists).
- local pport = "";
- if ( port_pat in URI )
- {
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXX anon.bro doing nothing with port XXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
- }
-
- # Handle query (if exists).
- local tail = "";
- if ( URI == "/" )
- {
- # -- pass
- }
-
- else if ( query_pat in URI )
- {
- local query_part = split(URI, /\?/);
-
- tail = fmt("%s?%s",
- anonymize_path(query_part[1]),
- anonymize_path(query_part[2]));
- }
-
- else
- tail = anonymize_path(URI);
-
- tail = string_cat("/", tail);
-
- return fmt("%s%s%s%s", proto, host, pport, tail);
- }
-
-
-const a_href_pat = /.*\< *a *href.*\>.*/ ;
- #/.*\< *a *href *= *\"[[:print:]]+\" *\>.*/;
-
-# Doesn't get everything ... but works for most.
-const a_href_split =
- /\< *a *href *= *(\\)?(\"|\')?([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\\)?(\"|\')?/ ;
-
-# Elegant ... yeah ... really .. :-/
-const file_split =
- /(\"|\')([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\"|\')/ ;
-const file_strip_split = /([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+/ ;
-
-function http_doc_link_list(abstract: string): string
- {
- abstract = to_lower(abstract);
-
- if ( abstract == "" )
- return abstract;
-
- local concat_key = "";
- local href_parts = split_all(abstract, a_href_split);
-
- for ( part in href_parts )
- {
- if ( href_parts[part] == a_href_split )
- {
- local file_parts =
- split_all(href_parts[part], file_split);
- for ( a_part in file_parts )
- {
- if ( file_parts[a_part] == file_split )
- {
- local file_strip_parts =
- split_all(file_parts[a_part],
- file_strip_split);
- concat_key = fmt("%s %s", concat_key,
- anonymize_http_URI(file_strip_parts[2]));
- }
- }
- }
- }
-
- return concat_key;
- }
diff --git a/policy.old/http-body.bro b/policy.old/http-body.bro
deleted file mode 100644
index 4990a37341..0000000000
--- a/policy.old/http-body.bro
+++ /dev/null
@@ -1,60 +0,0 @@
-# $Id: http-body.bro 5230 2008-01-14 01:38:18Z vern $
-
-# Counts length of data.
-#
-# If log_HTTP_data = T, it also outputs an abstract of data.
-
-@load http
-
-module HTTP;
-
-redef process_HTTP_data = T;
-redef log_HTTP_data = T;
-
-export {
- # If the following is > 0, then when logging contents, they will be
- # truncated beyond this many bytes.
- global content_truncation_limit = 40 &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- local len = byte_len(data);
-
- msg$data_length = msg$data_length + length;
-
- if ( log_HTTP_data )
- {
- local abstract: string;
- if ( content_truncation_limit > 0 &&
- len > content_truncation_limit )
- abstract = cat(sub_bytes(data, 1, content_truncation_limit), "...");
- else
- abstract = data;
-
- print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
- network_time(), s$id,
- is_orig ? "=>" : "<=", length,
- abstract);
- }
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
- # This is for debugging purpose only
- if ( msg$data_length > 0 &&
- stat$body_length != msg$data_length + stat$content_gap_length)
- {
- # This can happen for multipart messages with a
- # 'content-length' header, which is not required for multipart
- # messages.
- # Log::warning(fmt("length mismatch: %s %d %d %d",
- # id_string(c$id), stat$body_length, msg$data_length,
- # stat$content_gap_length));
- }
- }
diff --git a/policy.old/http-detect-passwd.bro b/policy.old/http-detect-passwd.bro
deleted file mode 100644
index 8ad71168c2..0000000000
--- a/policy.old/http-detect-passwd.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load http
-
-module HTTP;
-
-export {
- redef enum Notice += {
- PasswordFullFetch, # they got back the whole thing
- PasswordShadowFetch, # they got back a shadowed version
- };
-
- # Pattern to search for in replies indicating that a full password
- # file was returned.
- const full_fetch =
- /[[:alnum:]]+\:[[:alnum:]]+\:[[:digit:]]+\:[[:digit:]]+\:/
- &redef;
-
- # Same, but indicating a shadow password file was returned.
- const shadow_fetch =
- /[[:alnum:]]+\:\*\:[[:digit:]]+\:[[:digit:]]+\:/
- &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local s = lookup_http_request_stream(c);
- local n = s$first_pending_request;
- if ( n !in s$requests )
- return;
-
- local req = s$requests[n];
- local passwd_request = req$passwd_req;
- if ( ! passwd_request )
- return;
-
- if ( full_fetch in data )
- NOTICE([$note=PasswordFullFetch,
- $conn=c, $method=req$method, $URL=req$URI,
- $msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
- req$method, req$URI)]);
- else if ( shadow_fetch in data )
- NOTICE([$note=PasswordShadowFetch,
- $conn=c, $method=req$method, $URL=req$URI,
- $msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
- req$method, req$URI)]);
- }
diff --git a/policy.old/http-entity.bro b/policy.old/http-entity.bro
deleted file mode 100644
index 9084b65661..0000000000
--- a/policy.old/http-entity.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: http-entity.bro 6 2004-04-30 00:31:26Z jason $
-
-# Counts entity_level.
-
-module HTTP;
-
-event http_begin_entity(c: connection, is_orig: bool)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- ++msg$entity_level;
- }
-
-event http_end_entity(c: connection, is_orig: bool)
- {
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
- if ( msg$entity_level > 0 )
- --msg$entity_level;
- }
diff --git a/policy.old/http-event.bro b/policy.old/http-event.bro
deleted file mode 100644
index 450be5cf1d..0000000000
--- a/policy.old/http-event.bro
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: http-event.bro 6 2004-04-30 00:31:26Z jason $
-
-@load http
-
-module HTTP;
-
-event http_event(c: connection, event_type: string, detail: string)
- {
- print http_log, fmt("%.6f %s HTTP event: [%s] \"%s\"",
- network_time(), id_string(c$id),
- event_type, detail);
- }
diff --git a/policy.old/http-extract-items.bro b/policy.old/http-extract-items.bro
deleted file mode 100644
index 4c7b1a1c0d..0000000000
--- a/policy.old/http-extract-items.bro
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id:$
-
-# Extracts the items from HTTP traffic, one per file.
-# Files are named:
-#
-# .._._.
-#
-# where is a redef'able prefix (default: "http-item"), is
-# a number uniquely identifying the item, the next four are describe
-# the connection tuple, and is "orig" if the item was transferred
-# from the originator to the responder, "resp" otherwise.
-
-@load http-reply
-
-module HTTP_extract_items;
-
-global prefix = "http-item" &redef;
-global item_file: table[conn_id] of file;
-global nitems = 0;
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- local id = c$id;
- if ( id !in item_file )
- {
- # Create a new file for this one.
- local fname = fmt("%s.%d.%s_%d.%s_%d.%s",
- prefix, ++nitems,
- id$orig_h, id$orig_p,
- id$resp_h, id$resp_p,
- is_orig ? "orig" : "resp");
- item_file[id] = open(fname);
- }
-
- write_file(item_file[id], data);
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- delete item_file[c$id];
- }
diff --git a/policy.old/http-header.bro b/policy.old/http-header.bro
deleted file mode 100644
index 259031b024..0000000000
--- a/policy.old/http-header.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: http-header.bro 7073 2010-09-13 00:45:02Z vern $
-
-# Prints out detailed HTTP headers.
-
-@load http
-
-module HTTP;
-
-export {
- # The following lets you specify headers that you don't want
- # to print out.
- global skip_header: set[string] &redef;
-
- # If you add anything to the following table, *only* the headers
- # included will be recorded.
- global include_header: set[string] &redef;
-
- # For example:
- # redef skip_header += { "COOKIE", "SET-COOKIE" };
- # will refrain from printing cookies.
-}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
- {
- if ( name in skip_header )
- return;
-
- if ( |include_header| > 0 && name !in include_header )
- return;
-
- local s = lookup_http_request_stream(c);
-
- print http_log, fmt("%.6f %s %s %s: %s",
- network_time(), s$id,
- is_orig ? ">" : "<", name, value);
- }
diff --git a/policy.old/http-identified-files.bro b/policy.old/http-identified-files.bro
deleted file mode 100644
index a4ecd2cf7f..0000000000
--- a/policy.old/http-identified-files.bro
+++ /dev/null
@@ -1,115 +0,0 @@
-# $Id:$
-#
-# Analyze HTTP entities for sensitive types (e.g., executables).
-#
-# Contributed by Seth Hall.
-
-@load http-reply
-
-module HTTP;
-
-const http_identified_log = open_log_file("http-id");
-
-export {
- # Base the libmagic analysis on this many bytes. Currently,
- # we will in fact use fewer (basically, just what's in the
- # first data packet).
- const magic_content_limit = 1024 &redef;
-
- # These MIME types are logged and generate a Notice. The patterns
- # need to match the entire description as returned by libMagic.
- # For example, for plain text it can return
- # "text/plain charset=us-ascii", so you might want to use
- # /text\/plain.*/.
- const watched_mime_types =
- /application\/x-dosexec/ # Windows and DOS executables
- | /application\/x-executable/ # *NIX executable binary
- &redef;
-
- const watched_descriptions = /PHP script text/ &redef;
-
- # URLs included here are not logged and notices are not generated.
- # Take care when defining patterns to not be overly broad.
- const ignored_urls =
- /^http:\/\/www\.download\.windowsupdate\.com\// &redef;
-
- redef enum Notice += {
- # Generated when we see a MIME type we flagged for watching.
- HTTP_WatchedMIMEType,
-
- # Generated when the file extension doesn't match
- # the file contents.
- HTTP_IncorrectFileType,
- };
-
- # Create patterns that *should* be in the URLs for specific MIME types.
- # Notices are generated if the pattern doesn't match.
- const mime_types_extensions = {
- ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
- } &redef;
-}
-
-event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
- {
- if ( is_orig )
- # For now we only inspect server responses.
- return;
-
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
-@ifndef ( content_truncation_limit )
- # This is only done if http-body.bro is not loaded.
- msg$data_length = msg$data_length + length;
-@endif
-
- # For the time being, we'll just use the data from the first packet.
- # Don't continue until we have enough data.
- # if ( msg$data_length < magic_content_limit )
- # return;
-
- # Right now, only try this for the first chunk of data
- if ( msg$data_length > length )
- return;
-
- local abstract = sub_bytes(data, 1, magic_content_limit);
- local magic_mime = identify_data(abstract, T);
- local magic_descr = identify_data(abstract, F);
-
- if ( (magic_mime == watched_mime_types ||
- watched_descriptions in magic_descr) &&
- s$first_pending_request in s$requests )
- {
- local r = s$requests[s$first_pending_request];
- local host = (s$next_request$host=="") ?
- fmt("%s", c$id$resp_h) : s$next_request$host;
-
- event file_transferred(c, abstract, magic_descr, magic_mime);
-
- local url = fmt("http://%s%s", host, r$URI);
- if ( ignored_urls in url )
- return;
-
- local file_type = "";
- if ( magic_mime == watched_mime_types )
- file_type = magic_mime;
- else
- file_type = magic_descr;
-
- local message = fmt("%s %s %s %s",
- id_string(c$id), file_type, r$method, url);
-
- NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=c,
- $method=r$method, $URL=url]);
-
- print http_identified_log, fmt("%.06f %s %s",
- network_time(), s$id, message);
-
- if ( (magic_mime in mime_types_extensions &&
- mime_types_extensions[magic_mime] !in url) ||
- (magic_descr in mime_types_extensions &&
- mime_types_extensions[magic_descr] !in url) )
- NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
- $conn=c, $method=r$method, $URL=url]);
- }
- }
diff --git a/policy.old/http-reply.bro b/policy.old/http-reply.bro
deleted file mode 100644
index e410b1fc34..0000000000
--- a/policy.old/http-reply.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: http-reply.bro 2694 2006-04-02 22:50:00Z vern $
-
-@load http-request
-
-module HTTP;
-
-redef capture_filters += {
- ["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000"
-};
-
-redef process_HTTP_replies = T;
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- local s = lookup_http_request_stream(c);
- local msg = s$next_reply;
-
- init_http_message(msg);
-
- msg$initiated = T;
- msg$code = code;
- msg$reason = reason;
- }
-
-function http_request_done(c: connection, stat: http_message_stat)
- {
- local s = lookup_http_request_stream(c);
- local msg = s$next_request;
- msg$initiated = F;
- }
-
-function http_reply_done(c: connection, stat: http_message_stat)
- {
- local s = lookup_http_request_stream(c);
- local req_msg = s$next_request;
- local msg = s$next_reply;
- local req: string;
- local have_request = F;
- local log_it: bool;
-
- if ( s$num_pending_requests == 0 )
- {
- # Weird - reply w/o request - perhaps due to cold start?
- req = "";
- log_it = F;
- }
- else
- {
- local r = s$requests[s$first_pending_request];
- have_request = T;
-
- # Remove pending request.
- delete s$requests[s$first_pending_request];
- --s$num_pending_requests;
- ++s$first_pending_request;
-
- req = fmt("%s %s", r$method, r$URI);
- log_it = r$log_it;
- }
-
- local req_rep =
- fmt("%s (%d \"%s\" [%d%s]%s)",
- req, msg$code, string_escape(msg$reason, "\""),
- stat$body_length,
- stat$interrupted ? " (interrupted)" : "",
- have_request ? fmt(" %s", req_msg$host) : "");
-
- # The following is a more verbose form:
-# local req_rep =
-# fmt("%s (%d \"%s\" [\"%s\", %d%s%s])",
-# req, msg$code, msg$reason,
-# msg$content_length, stat$body_length,
-# stat$interrupted ? " (interrupted)" : "",
-# stat$content_gap_length > 0 ?
-# fmt(" (gap = %d bytes)", stat$content_gap_length) : "");
-
- if ( log_it )
- NOTICE([$note=HTTP_SensitiveURI, $conn=c,
- $method = r$method, $URL = r$URI,
- $n = msg$code,
- $msg = fmt("%s %s: %s",
- id_string(c$id), c$addl, req_rep)]);
-
- print http_log, fmt("%.6f %s %s", network_time(), s$id, req_rep);
-
- msg$initiated = F;
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- if ( is_orig )
- http_request_done(c, stat);
- else
- http_reply_done(c, stat);
- }
-
-@load http-entity
-event http_header(c: connection, is_orig: bool, name: string, value: string)
- {
- # Only rewrite top-level headers.
- local s = lookup_http_request_stream(c);
- local msg = get_http_message(s, is_orig);
-
- if ( msg$entity_level == 1 )
- {
- if ( name == "CONTENT-LENGTH" )
- msg$content_length = value;
-
- else if ( is_orig && name == "HOST" )
- { # suppress leading blank
- if ( /^ / in value )
- msg$host = sub_bytes(value, 2, -1);
- else
- msg$host = value;
- }
- }
- }
diff --git a/policy.old/http-request.bro b/policy.old/http-request.bro
deleted file mode 100644
index d5d647c977..0000000000
--- a/policy.old/http-request.bro
+++ /dev/null
@@ -1,104 +0,0 @@
-# $Id: http-request.bro 6726 2009-06-07 22:09:55Z vern $
-
-# Analysis of HTTP requests.
-
-@load http
-
-module HTTP;
-
-export {
- const sensitive_URIs =
- /etc\/(passwd|shadow|netconfig)/
- | /IFS[ \t]*=/
- | /nph-test-cgi\?/
- | /(%0a|\.\.)\/(bin|etc|usr|tmp)/
- | /\/Admin_files\/order\.log/
- | /\/carbo\.dll/
- | /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
- | /\/cgi-dos\/args\.bat/
- | /\/cgi-win\/uploader\.exe/
- | /\/search97\.vts/
- | /tk\.tgz/
- | /ownz/ # somewhat prone to false positives
- | /viewtopic\.php.*%.*\(.*\(/ # PHP attack, 26Nov04
- # a bunch of possible rootkits
- | /sshd\.(tar|tgz).*/
- | /[aA][dD][oO][rR][eE][bB][sS][dD].*/
- # | /[tT][aA][gG][gG][eE][dD].*/ # prone to FPs
- | /shv4\.(tar|tgz).*/
- | /lrk\.(tar|tgz).*/
- | /lyceum\.(tar|tgz).*/
- | /maxty\.(tar|tgz).*/
- | /rootII\.(tar|tgz).*/
- | /invader\.(tar|tgz).*/
- &redef;
-
- # Used to look for attempted password file fetches.
- const passwd_URI = /passwd/ &redef;
-
- # URIs that match sensitive_URIs but can be generated by worms,
- # and hence should not be flagged (because they're so common).
- const worm_URIs =
- /.*\/c\+dir/
- | /.*cool.dll.*/
- | /.*Admin.dll.*Admin.dll.*/
- &redef;
-
- # URIs that should not be considered sensitive if accessed by
- # a local client.
- const skip_remote_sensitive_URIs =
- /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
- &redef;
-
- const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
-}
-
-redef capture_filters += {
- ["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
-};
-
-event http_request(c: connection, method: string, original_URI: string,
- unescaped_URI: string, version: string)
- {
- local log_it = F;
- local URI = unescaped_URI;
-
- if ( (sensitive_URIs in URI && URI != worm_URIs) ||
- (method == "POST" && sensitive_post_URIs in URI) )
- {
- if ( is_local_addr(c$id$orig_h) &&
- skip_remote_sensitive_URIs in URI )
- ; # don't flag it after all
- else
- log_it = T;
- }
-
- local s = lookup_http_request_stream(c);
-
- if ( process_HTTP_replies )
- {
- # To process HTTP replies, we need to record the corresponding
- # requests.
- local n = s$first_pending_request + s$num_pending_requests;
-
- s$requests[n] = [$method=method, $URI=URI, $log_it=log_it,
- $passwd_req=passwd_URI in URI];
- ++s$num_pending_requests;
-
- # if process_HTTP_messages
- local msg = s$next_request;
-
- init_http_message(msg);
- msg$initiated = T;
- }
- else
- {
- if ( log_it )
- NOTICE([$note=HTTP_SensitiveURI, $conn=c,
- $method = method, $URL = URI,
- $msg=fmt("%s %s: %s %s",
- id_string(c$id), c$addl, method, URI)]);
- print http_log,
- fmt("%.6f %s %s %s", network_time(), s$id, method, URI);
- }
- }
diff --git a/policy.old/http.bro b/policy.old/http.bro
deleted file mode 100644
index 5a774b6e97..0000000000
--- a/policy.old/http.bro
+++ /dev/null
@@ -1,203 +0,0 @@
-# $Id: http.bro 6726 2009-06-07 22:09:55Z vern $
-
-@load notice
-@load site
-@load conn-id
-
-module HTTP;
-
-export {
- redef enum Notice += {
- HTTP_SensitiveURI, # sensitive URI in GET/POST/HEAD
- };
-}
-
-# DPM configuration.
-global http_ports = {
- 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
- 8000/tcp, 8080/tcp, 8888/tcp,
-};
-redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
-redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };
-
-# HTTP processing options.
-export {
- const process_HTTP_replies = F &redef;
- const process_HTTP_data = F &redef;
- const include_HTTP_abstract = F &redef;
- const log_HTTP_data = F &redef;
-}
-
-type http_pending_request: record {
- method: string;
- URI: string;
- log_it: bool;
-
- # Whether we determined it's an attempted passwd file fetch.
- passwd_req: bool;
-};
-
-# Eventually we will combine http_pending_request and http_message.
-
-type http_message: record {
- initiated: bool;
- code: count; # for HTTP reply message
- reason: string; # for HTTP reply message
- entity_level: count; # depth of enclosing MIME entities
- data_length: count; # actual length of data delivered
- content_length: string; # length specified in CONTENT-LENGTH header
- header_slot: count; # rewrite slot at the end of headers
- abstract: string; # data abstract
- skip_abstract: bool; # to skip abstract for certain content types
- host: string; # host indicated in Host header
-};
-
-type http_pending_request_stream: record {
- # Number of first pending request.
- first_pending_request: count &default = 0;
-
- # Total number of pending requests.
- num_pending_requests: count &default = 0;
-
- # Indexed from [first_pending_request ..
- # (first_pending_request + num_pending_requests - 1)]
- requests: table[count] of http_pending_request;
-
- next_request: http_message; # the on-going request
- next_reply: http_message; # the on-going reply
-
- # len_next_reply: count; # 0 means unspecified
- # len_next_request: count;
-
- id: string; # repeated from http_session_info, for convenience
-};
-
-type http_session_info: record {
- id: string;
- request_stream: http_pending_request_stream;
-};
-
-const http_log = open_log_file("http") &redef;
-
-export {
- global http_sessions: table[conn_id] of http_session_info;
-}
-
-global http_session_id = 0;
-
-function init_http_message(msg: http_message)
- {
- msg$initiated = F;
- msg$code = 0;
- msg$reason = "";
- msg$entity_level = 0;
- msg$data_length = 0;
- msg$content_length = "";
- msg$header_slot = 0;
- msg$abstract = "";
- msg$skip_abstract = F;
- msg$host = "";
- }
-
-function new_http_message(): http_message
- {
- local msg: http_message;
- init_http_message(msg);
- return msg;
- }
-
-function new_http_session(c: connection): http_session_info
- {
- local session = c$id;
- local new_id = ++http_session_id;
-
- local info: http_session_info;
- info$id = fmt("%%%s", prefixed_id(new_id));
-
- local rs: http_pending_request_stream;
-
- rs$first_pending_request = 1;
- rs$num_pending_requests = 0;
- rs$id = info$id;
-
- rs$next_request = new_http_message();
- rs$next_reply = new_http_message();
- rs$requests = table();
-
- info$request_stream = rs;
-
- http_sessions[session] = info;
-
- print http_log, fmt("%.6f %s start %s:%d > %s:%d", network_time(),
- info$id, c$id$orig_h,
- c$id$orig_p, c$id$resp_h, c$id$resp_p);
-
- return info;
- }
-
-function lookup_http_session(c: connection): http_session_info
- {
- local s: http_session_info;
- local id = c$id;
-
- s = id in http_sessions ? http_sessions[id] : new_http_session(c);
-
- append_addl(c, s$id);
-
- return s;
- }
-
-function lookup_http_request_stream(c: connection): http_pending_request_stream
- {
- local s = lookup_http_session(c);
-
- return s$request_stream;
- }
-
-function get_http_message(s: http_pending_request_stream, is_orig: bool): http_message
- {
- return is_orig ? s$next_request : s$next_reply;
- }
-
-function finish_stream(session: conn_id, id: string,
- rs: http_pending_request_stream)
- {
- ### We really want to do this in sequential order, not table order.
- for ( i in rs$requests )
- {
- local req = rs$requests[i];
-
- if ( req$log_it )
- NOTICE([$note=HTTP_SensitiveURI,
- $src=session$orig_h, $dst=session$resp_h,
- $URL=req$URI,
- $method=req$method,
- $msg=fmt("%s:%d -> %s:%d %s: ",
- session$orig_h, session$orig_p,
- session$resp_h, session$resp_p, id)]);
-
- local msg = fmt("%s %s ", req$method, req$URI);
- print http_log, fmt("%.6f %s %s", network_time(), rs$id, msg);
- }
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
-
- if ( id !in http_sessions )
- return;
-
- local s = http_sessions[id];
- finish_stream(id, s$id, s$request_stream);
- delete http_sessions[c$id];
- }
-
-
-# event http_stats(c: connection, stats: http_stats_rec)
-# {
-# if ( stats$num_requests == 0 && stats$num_replies == 0 )
-# return;
-#
-# c$addl = fmt("%s (%d v%.1f v%.1f)", c$addl, stats$num_requests, stats$request_version, stats$reply_version);
-# }
diff --git a/policy.old/icmp.bro b/policy.old/icmp.bro
deleted file mode 100644
index c6c3c87d44..0000000000
--- a/policy.old/icmp.bro
+++ /dev/null
@@ -1,306 +0,0 @@ -# $Id: icmp.bro 6883 2009-08-19 21:08:09Z vern $ - -@load hot -@load weird -@load conn -@load scan - -global icmp_file = open_log_file("icmp"); - -redef capture_filters += { ["icmp"] = "icmp" }; - -module ICMP; - -export { - - redef enum Notice += { - ICMPAsymPayload, # payload in echo req-resp not the same - ICMPConnectionPair, # too many ICMPs between hosts - ICMPAddressScan, - - # The following isn't presently sufficiently useful due - # to cold start and packet drops. - # ICMPUnpairedEchoReply, # no EchoRequest seen for EchoReply - }; - - # Whether to log detailed information icmp.log. - const log_details = T &redef; - - # ICMP scan detection. - const detect_scans = T &redef; - const scan_threshold = 25 &redef; - - # Analysis of connection pairs. - const detect_conn_pairs = F &redef; # switch for connection pair - const detect_payload_asym = F &redef; # switch for echo payload - const conn_pair_threshold = 200 &redef; -} - -global conn_pair:table[addr] of set[addr] &create_expire = 1 day; -global conn_pair_thresh_reached: table[addr] of bool &default=F; - - - -type flow_id: record { - orig_h: addr; - resp_h: addr; - id: count; -}; - -type flow_info: record { - start_time: time; - last_time: time; - orig_bytes: count; - resp_bytes: count; - payload: string; -}; - -const names: table[count] of string = { - [0] = "echo_reply", - [3] = "unreach", - [4] = "quench", - [5] = "redirect", - [8] = "echo_req", - [9] = "router_adv", - [10] = "router_sol", - [11] = "time_xcd", - [12] = "param_prob", - [13] = "tstamp_req", - [14] = "tstamp_reply", - [15] = "info_req", - [16] = "info_reply", - [17] = "mask_req", - [18] = "mask_reply", -} &default = function(n: count): string { return fmt("icmp-%d", n); }; - - -# Map IP protocol number to the protocol's name. 
-const IP_proto_name: table[count] of string = { - [1] = "ICMP", - [2] = "IGMP", - [6] = "TCP", - [17] = "UDP", - [41] = "IPV6", -} &default = function(n: count): string { return fmt("%s", n); } - &redef; - -# Print a report for the given ICMP flow. -function generate_flow_summary(flow: flow_id, fi: flow_info) - { - local local_init = is_local_addr(flow$orig_h); - local local_addr = local_init ? flow$orig_h : flow$resp_h; - local remote_addr = local_init ? flow$resp_h : flow$orig_h; - local flags = local_init ? "L" : ""; - - local state: string; - if ( fi$orig_bytes > 0 ) - { - if ( fi$resp_bytes > 0 ) - state = "SF"; - else - state = "SH"; - } - else if ( fi$resp_bytes > 0 ) - state = "SHR"; - else - state = "OTH"; - - print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s", - fi$start_time, fi$last_time - fi$start_time, - flow$orig_h, flow$resp_h, "icmp_echo", - fi$orig_bytes, fi$resp_bytes, state, flags); - } - -# Called when a flow is expired in order to generate a report for it. -function flush_flow(ft: table[flow_id] of flow_info, fi: flow_id): interval - { - generate_flow_summary(fi, ft[fi]); - return 0 sec; - } - -# Table to track each active flow. -global flows: table[flow_id] of flow_info - &read_expire = 45 sec - &expire_func = flush_flow; - -event icmp_sent(c: connection, icmp: icmp_conn) - { - print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s", - network_time(), 0.0, icmp$orig_h, icmp$resp_h, - names[icmp$itype], icmp$itype, icmp$icode, "icmp", - icmp$len, "0", "SH"); - } - -event flow_summary(flow: flow_id, last_time: time) - { - if ( flow !in flows ) - return; - - local fi = flows[flow]; - - if ( fi$last_time == last_time ) - { - generate_flow_summary(flow, fi); - delete flows[flow]; - } - } - -function update_flow(icmp: icmp_conn, id: count, is_orig: bool, payload: string) - { - local fid: flow_id; - fid$orig_h = is_orig ? icmp$orig_h : icmp$resp_h; - fid$resp_h = is_orig ? 
icmp$resp_h : icmp$orig_h; - fid$id = id; - - if ( fid !in flows ) - { - local info: flow_info; - info$start_time = network_time(); - info$orig_bytes = info$resp_bytes = 0; - info$payload = payload; # checked in icmp_echo_reply - flows[fid] = info; - } - - local fi = flows[fid]; - - fi$last_time = network_time(); - - if ( is_orig ) - fi$orig_bytes = fi$orig_bytes + byte_len(payload); - else - fi$resp_bytes = fi$resp_bytes + byte_len(payload); - - schedule +30sec { flow_summary(fid, fi$last_time) }; - } - -event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string) - { - update_flow(icmp, id, T, payload); - - local orig = icmp$orig_h; - local resp = icmp$resp_h; - - # Simple ping scan detector. - if ( detect_scans && - (orig !in Scan::distinct_peers || - resp !in Scan::distinct_peers[orig]) ) - { - if ( orig !in Scan::distinct_peers ) - { - local empty_peer_set: set[addr] &mergeable; - Scan::distinct_peers[orig] = empty_peer_set; - } - - if ( resp !in Scan::distinct_peers[orig] ) - add Scan::distinct_peers[orig][resp]; - - if ( ! Scan::shut_down_thresh_reached[orig] && - orig !in Scan::skip_scan_sources && - orig !in Scan::skip_scan_nets && - |Scan::distinct_peers[orig]| >= scan_threshold ) - { - NOTICE([$note=ICMPAddressScan, $src=orig, - $n=scan_threshold, - $msg=fmt("%s has icmp echo scanned %s hosts", - orig, scan_threshold)]); - - Scan::shut_down_thresh_reached[orig] = T; - } - } - - if ( detect_conn_pairs ) - { - if ( orig !in conn_pair ) - { - local empty_peer_set2: set[addr] &mergeable; - conn_pair[orig] = empty_peer_set2; - } - - if ( resp !in conn_pair[orig] ) - add conn_pair[orig][resp]; - - if ( ! 
conn_pair_thresh_reached[orig] && - |conn_pair[orig]| >= conn_pair_threshold ) - { - NOTICE([$note=ICMPConnectionPair, - $msg=fmt("ICMP connection threshold exceeded : %s -> %s", - orig, resp)]); - conn_pair_thresh_reached[orig] = T; - } - } - } - -event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, - seq: count, payload: string) - { - # Check payload with the associated flow. - - local fid: flow_id; - fid$orig_h = icmp$resp_h; # We know the expected results since - fid$resp_h = icmp$orig_h; # it's an echo reply. - fid$id = id; - - if ( fid !in flows ) - { -# NOTICE([$note=ICMPUnpairedEchoReply, -# $msg=fmt("ICMP echo reply w/o request: %s -> %s", -# icmp$orig_h, icmp$resp_h)]); - } - else - { - if ( detect_payload_asym ) - { - local fi = flows[fid]; - local pl = fi$payload; - - if ( pl != payload ) - { - NOTICE([$note=ICMPAsymPayload, - $msg=fmt("ICMP payload inconsistancy: %s(%s) -> %s(%s)", - icmp$orig_h, byte_len(fi$payload), - icmp$resp_h, byte_len(payload))]); - } - } - } - - update_flow(icmp, id, F, payload); - } - -event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, - context: icmp_context) - { - if ( active_connection(context$id) ) - { - # This section allows Bro to act on ICMP-unreachable packets - # that happen in the context of an active connection. It is - # not currently used. - local c2 = connection_record(context$id); - local os = c2$orig$state; - local rs = c2$resp$state; - local is_attempt = - is_tcp_port(c2$id$orig_p) ? - (os == TCP_SYN_SENT && rs == TCP_INACTIVE) : - (os == UDP_ACTIVE && rs == UDP_INACTIVE); - - # Insert action here. - } - - if ( log_details ) - { - # ICMP unreachable packets are the only ones currently - # logged. Due to the connection data contained *within* - # them, each log line will contain two connections' worth - # of data. The initial ICMP connection info is the same - # as logged for connections. 
- print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s", - network_time(), 0.0, icmp$orig_h, icmp$resp_h, - names[icmp$itype], icmp$itype, icmp$icode, "icmp", - icmp$len, "0", "EncapPkt:", - # This is the encapsulated packet: - context$id$orig_h, context$id$orig_p, - context$id$resp_h, context$id$resp_p, - context$len, IP_proto_name[context$proto], - context$len, context$bad_hdr_len, - context$bad_checksum); - } - } diff --git a/policy.old/ident.bro b/policy.old/ident.bro deleted file mode 100644 index d52265db65..0000000000 --- a/policy.old/ident.bro +++ /dev/null 
@@ -1,68 +0,0 @@ -# $Id: ident.bro 5948 2008-07-11 22:29:49Z vern $ - -@load notice -@load hot-ids - -module Ident; - -export { - redef enum Notice += { - IdentSensitiveID, # sensitive username in Ident lookup - }; - - const hot_ident_ids = { always_hot_ids, } &redef; - const hot_ident_exceptions = { "uucp", "nuucp", "daemon", } &redef; -} - -redef capture_filters += { ["ident"] = "tcp port 113" }; - -global ident_ports = { 113/tcp } &redef; -redef dpd_config += { [ANALYZER_IDENT] = [$ports = ident_ports] }; - -global pending_ident_requests: set[addr, port, addr, port, port, port]; - -event ident_request(c: connection, lport: port, rport: port) - { - local id = c$id; - add pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport]; - } - -function add_ident_tag(c: connection, lport: port, rport: port, tag: string) -: connection - { - local id = c$id; - if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport] in - pending_ident_requests ) - delete pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport]; - else - tag = fmt("orphan-%s", tag); - - local c_orig_id = [$orig_h = id$resp_h, $orig_p = rport, - $resp_h = id$orig_h, $resp_p = lport]; - - local c_orig = active_connection(c_orig_id) ? - connection_record(c_orig_id) : c; - - append_addl(c_orig, tag); - - return c_orig; - } - -event ident_reply(c: connection, lport: port, rport: port, - user_id: string, system: string) - { - local c_orig = add_ident_tag(c, lport, rport, fmt("ident/%s", user_id)); - - if ( user_id in hot_ident_ids && user_id !in hot_ident_exceptions ) - { - ++c_orig$hot; - NOTICE([$note=IdentSensitiveID, $conn=c, - $msg=fmt("%s hot ident: %s", - $user=c_orig$addl, id_string(c_orig$id))]); - } - } - -event ident_error(c: connection, lport: port, rport: port, line: string) - { - add_ident_tag(c, lport, rport, fmt("iderr/%s", line)); - } 
diff --git a/policy.old/inactivity.bro b/policy.old/inactivity.bro deleted file mode 100644 index ea984a2fc2..0000000000 --- a/policy.old/inactivity.bro +++ /dev/null @@ -1,31 +0,0 @@ -# $Id: inactivity.bro 7073 2010-09-13 00:45:02Z vern $ - -@load port-name - -const inactivity_timeouts: table[port] of interval = { - # For interactive services, allow longer periods of inactivity. - [[telnet, rlogin, ssh, ftp]] = 1 hrs, -} &redef; - -function determine_inactivity_timeout(c: connection) - { - local service = c$id$resp_p; - - # Determine service (adapted from hot.bro) - if ( c$orig$state == TCP_INACTIVE ) - { - # We're seeing a half-established connection. Use the - # service of the originator if it's well-known and the - # responder isn't. - if ( service !in port_names && c$id$orig_p in port_names ) - service = c$id$orig_p; - } - - if ( service in inactivity_timeouts ) - set_inactivity_timeout(c$id, inactivity_timeouts[service]); - } - -event connection_established(c: connection) - { - determine_inactivity_timeout(c); - } diff --git a/policy.old/interconn.bro b/policy.old/interconn.bro deleted file mode 100644 index ff545d4eef..0000000000 --- a/policy.old/interconn.bro +++ /dev/null 
@@ -1,318 +0,0 @@ -# $Id: interconn.bro 3997 2007-02-23 00:31:19Z vern $ -# -# interconn - generic detection of interactive connections. - -@load port-name -@load demux - -# The following must be defined for the event engine to generate -# interconn events. -redef interconn_min_interarrival = 0.01 sec; -redef interconn_max_interarrival = 2.0 sec; -redef interconn_max_keystroke_pkt_size = 20; -redef interconn_default_pkt_size = 512; -redef interconn_stat_period = 15.0 sec; -redef interconn_stat_backoff = 1.5; - -const interconn_min_num_pkts = 10 &redef; # min num of pkts sent -const interconn_min_duration = 2.0 sec &redef; # min duration for the connection - -const interconn_ssh_len_disabled = T &redef; -const interconn_min_ssh_pkts_ratio = 0.6 &redef; - -const interconn_min_bytes = 10 &redef; -const interconn_min_7bit_ascii_ratio = 0.75 &redef; - -const interconn_min_num_lines = 2 &redef; -const interconn_min_normal_line_ratio = 0.5 &redef; - -# alpha: portion of interarrival times within range -# [interconn_min_interarrival, interconn_max_interarrival] -# -# alpha should be >= interconn_min_alpha -# -# gamma: num_keystrokes_two_in_row / num_pkts -# gamma indicates the portion of keystrokes in the overall traffic -# -# gamma should be >= interconn_min_gamma - -const interconn_min_alpha = 0.2 &redef; # minimum required alpha -const interconn_min_gamma = 0.2 &redef; # minimum required gamma - -const interconn_standard_ports = { telnet, rlogin, ftp, ssh, smtp, 143/tcp, 110/tcp } &redef; -const interconn_ignore_standard_ports = F &redef; - -const interconn_demux_disabled = T &redef; - -const INTERCONN_UNKNOWN = 0; # direction/interactivity is unknown - -const INTERCONN_FORWARD = 1; # forward: a conn's orig is true originator -const INTERCONN_BACKWARD = 2; # backward: a conn's resp is true originator - -const INTERCONN_INTERACTIVE = 1; # a conn is interactive -const INTERCONN_STANDARD_PORT = 2; # conn involves a standard port to ignore - -type conn_info : record { - 
interactive: count; # interactivity: unknown/interactive/standard_port - dir: count; # direction: unknown/forward/backward -}; - -global interconn_conns: table [conn_id] of conn_info; # table for all connections - -# Table for resp_endp's of those established (non-partial) conn's. -# If a partial conn connects to one of such resp's, we can infer -# its direction. -global interconn_resps: table [addr, port] of count &default = 0; - -global interconn_log = open_log_file("interconn") &redef; - -global num_interconns = 0; - -function interconn_conn_string(c: connection): string - { - return fmt("%.6f %s.%d > %s.%d", - c$start_time, - c$id$orig_h, c$id$orig_p, - c$id$resp_h, c$id$resp_p); - } - -function interconn_weird(c: connection, s: string) - { - print fmt("%s interconn_weird: %s %s", network_time(), interconn_conn_string(c), s); - } - -function get_direction(c: connection): count - { - local id = c$id; - - if ( interconn_conns[id]$dir != INTERCONN_UNKNOWN ) - return interconn_conns[id]$dir; - - # The connection is not established yet, but one endpoint - # is a known resp_endp - if ( [id$resp_h, id$resp_p] in interconn_resps ) - { - interconn_conns[id]$dir = INTERCONN_FORWARD; - ++interconn_resps[id$resp_h, id$resp_p]; - - return INTERCONN_FORWARD; - } - - else if ( [id$orig_h, id$orig_p] in interconn_resps ) - { - interconn_conns[id]$dir = INTERCONN_BACKWARD; - ++interconn_resps[id$orig_h, id$orig_p]; - - return INTERCONN_BACKWARD; - } - - return INTERCONN_UNKNOWN; - } - -function comp_gamma(s: interconn_endp_stats): double - { - return s$num_pkts >= interconn_min_num_pkts ? - (1.0 * s$num_keystrokes_two_in_row) / s$num_pkts : 0.0; - } - -function comp_alpha(s: interconn_endp_stats) : double - { - return ( s$num_keystrokes_two_in_row > 0 ) ? 
- (1.0 * s$num_normal_interarrivals / s$num_keystrokes_two_in_row) : 0.0; - } - -function skip_further_interconn_processing(c: connection) - { - # This used to call skip_further_processing() - # (if active_connection(c$id) returned T). But that's - # clearly wrong *if* we're also doing additional analysis - # on the connection. So do nothing. - } - -function log_interconn(c: connection, tag: string) - { - print interconn_log, fmt("%s %s", interconn_conn_string(c), tag); - - local id = c$id; - - if ( interconn_demux_disabled ) - skip_further_interconn_processing(c); - else - demux_conn(id, tag, "orig", "resp"); - } - -function is_interactive_endp(s: interconn_endp_stats): bool - { - # Criteria 1: num_pkts >= interconn_min_num_pkts. - if ( s$num_pkts < interconn_min_num_pkts ) - return F; - - # Criteria 2: gamma >= interconn_min_gamma. - if ( comp_gamma(s) < interconn_min_gamma ) - return F; - - # Criteria 3: alpha >= interconn_min_alpha. - if ( comp_alpha(s) < interconn_min_alpha ) - return F; - - return T; - } - -event connection_established(c: connection) - { - local id = c$id; - local dir = interconn_conns[id]$dir; - - if ( dir == INTERCONN_FORWARD ) - return; - - if ( dir == INTERCONN_BACKWARD ) - { - interconn_weird(c, "inconsistent direction"); - return; - } - - interconn_conns[id]$dir = INTERCONN_FORWARD; - ++interconn_resps[id$resp_h, id$resp_p]; - } - -event new_connection(c: connection) - { - local id = c$id; - - local info: conn_info; - info$dir = INTERCONN_UNKNOWN; - - if ( interconn_ignore_standard_ports && - (id$orig_p in interconn_standard_ports || - id$resp_p in interconn_standard_ports) ) - { - info$interactive = INTERCONN_STANDARD_PORT; - skip_further_interconn_processing(c); - } - - else - info$interactive = INTERCONN_UNKNOWN; - - interconn_conns[id] = info; - } - -event interconn_remove_conn(c: connection) - { - local id = c$id; - - if ( id !in interconn_conns ) - # This can happen for weird connections such as those - # with an initial SYN+FIN 
packet. - return; - - local dir = interconn_conns[id]$dir; - - delete interconn_conns[id]; - delete demuxed_conn[c$id]; - - if ( dir == INTERCONN_FORWARD ) - { - if ( --interconn_resps[id$resp_h, id$resp_p] == 0 ) - delete interconn_resps[id$resp_h, id$resp_p]; - } - - else if ( dir == INTERCONN_BACKWARD ) - { - if ( --interconn_resps[id$orig_h, id$orig_p] == 0 ) - delete interconn_resps[id$orig_h, id$orig_p]; - } - } - -event interconn_stats(c: connection, - os: interconn_endp_stats, rs: interconn_endp_stats) - { - local id = c$id; - - if ( id !in interconn_conns ) - return; - - if ( interconn_conns[id]$interactive != INTERCONN_UNKNOWN ) - return; # already classified - - if ( c$duration < interconn_min_duration ) - # forget about excessively short connections - return; - - local dir = get_direction(c); - - # Criteria: - # - # if ( dir == FORWARD ) - # (os) is interactive - # else if ( dir == BACKWARD ) - # (rs) is interactive - # else - # either (os) or (rs) is interactive - if ( dir == INTERCONN_FORWARD ) - { - if ( ! is_interactive_endp(os) ) - return; - } - - else if ( dir == INTERCONN_BACKWARD ) - { - if ( ! is_interactive_endp(rs) ) - return; - } - - else - { - if ( ! is_interactive_endp(os) && ! is_interactive_endp(rs) ) - return; - } - - local tag: string; - - if ( ! interconn_ssh_len_disabled && (os$is_partial || rs$is_partial) ) - { - local num_pkts = os$num_pkts + rs$num_pkts; - local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts; - local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts; - - if ( num_8k0_pkts > num_pkts * interconn_min_ssh_pkts_ratio ) - { - # c now considered as interactive. - interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - tag = fmt("interconn.%d.ssh2", ++num_interconns); - } - else if ( num_8k4_pkts > num_pkts * interconn_min_ssh_pkts_ratio ) - { - # c now considered as interactive. 
- interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - tag = fmt("interconn.%d.ssh1", ++num_interconns); - } - } - - # Criteria 4: num_7bit_ascii / num_bytes is big enough; AND - # enough number of normal lines - if ( interconn_conns[id]$interactive != INTERCONN_INTERACTIVE ) - { - local num_bytes = os$num_bytes + rs$num_bytes; - local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii; - - if ( num_bytes < interconn_min_bytes || - num_7bit_ascii < num_bytes * interconn_min_7bit_ascii_ratio ) - return; - - local num_lines = os$num_lines + rs$num_lines; - local num_normal_lines = os$num_normal_lines + - rs$num_normal_lines; - - if ( num_lines < interconn_min_num_lines || - num_normal_lines < num_lines * interconn_min_normal_line_ratio ) - return; - - # c now considered as interactive. - interconn_conns[id]$interactive = INTERCONN_INTERACTIVE; - - tag = fmt("interconn.%d", ++num_interconns); - } - - log_interconn(c, tag); - } diff --git a/policy.old/irc-bot-syslog.bro b/policy.old/irc-bot-syslog.bro deleted file mode 100644 index 6ca1281db3..0000000000 --- a/policy.old/irc-bot-syslog.bro +++ /dev/null 
@@ -1,79 +0,0 @@ -# $Id: irc-bot-syslog.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $ -# -# Passes current bot-state to syslog. -# -# - When a new server/client is found, we syslog it immediately. -# - Every IrcBot::summary_interval we dump the current set. - -@load irc-bot - -module IrcBotSyslog; - -export { - # Prefix for all messages for easy grepping. - const prefix = "irc-bots" &redef; -} - -# For debugging, everything which goes to syslog also goes here. -global syslog_file = open_log_file("irc-bots.syslog"); - -function fmt_time(t: time) : string - { - return strftime("%Y-%m-%d-%H-%M-%S", t); - } - -function log_server(ip: addr, new: bool) - { - local s = IrcBot::servers[ip]; - local ports = IrcBot::portset_to_str(s$p); - - local msg = fmt("%s ip=%s new=%d local=%d server=1 first_seen=%s last_seen=%s ports=%s", - prefix, ip, new, is_local_addr(ip), - fmt_time(s$first_seen), fmt_time(s$last_seen), ports); - - syslog(msg); - print syslog_file, fmt("%.6f %s", network_time(), msg); - } - -function log_client(ip: addr, new: bool) - { - local c = IrcBot::clients[ip]; - local servers = IrcBot::addrset_to_str(c$servers); - - local msg = fmt("%s ip=%s new=%d local=%d server=0 first_seen=%s last_seen=%s user=%s nick=%s realname=%s servers=%s", - prefix, ip, new, is_local_addr(ip), - fmt_time(c$first_seen), fmt_time(c$last_seen), - c$user, c$nick, c$realname, servers); - - syslog(msg); - print syslog_file, fmt("%.6f %s", network_time(), msg); - } - -event print_bot_state() - { - for ( s in IrcBot::confirmed_bot_servers ) - log_server(s, F); - - for ( c in IrcBot::confirmed_bot_clients ) - log_client(c, F); - } - -event bro_init() - { - set_buf(syslog_file, F); - } - -redef notice_policy += { - [$pred(a: notice_info) = - { - if ( a$note == IrcBot::IrcBotServerFound ) - log_server(a$src, T); - - if ( a$note == IrcBot::IrcBotClientFound ) - log_client(a$src, T); - - return F; - }, - $result = NOTICE_FILE, - $priority = 1] -}; 
diff --git a/policy.old/irc-bot.bro b/policy.old/irc-bot.bro deleted file mode 100644 index 4bbe072b7d..0000000000 --- a/policy.old/irc-bot.bro +++ /dev/null 
@@ -1,566 +0,0 @@ -# $Id:$ - -@load conn -@load notice -@load weird - -module IrcBot; - -export { - global detailed_log = open_log_file("irc.detailed") &redef; - global bot_log = open_log_file("irc-bots") &redef; - - global summary_interval = 1 min &redef; - - global detailed_logging = T &redef; - global content_dir = "irc-bots" &redef; - - global bot_nicks = - /^\[([^\]]+\|)+[0-9]{2,}]/ # [DEU|XP|L|00] - | /^\[[^ ]+\]([^ ]+\|)+([0-9a-zA-Z-]+)/ # [0]CHN|3436036 [DEU][1]3G-QE - | /^DCOM[0-9]+$/ # DCOM7845 - | /^\{[A-Z]+\}-[0-9]+/ # {XP}-5021040 - | /^\[[0-9]+-[A-Z0-9]+\][a-z]+/ # [0058-X2]wpbnlgwf - | /^\[[a-zA-Z0-9]\]-[a-zA-Z0-9]+$/ # [SD]-743056826 - | /^[a-z]+[A-Z]+-[0-9]{5,}$/ - | /^[A-Z]{3}-[0-9]{4}/ # ITD-1119 - ; - - global bot_cmds = - /(^| *)[.?#!][^ ]{0,5}(scan|ndcass|download|cvar\.|execute|update|dcom|asc|scanall) / - | /(^| +\]\[ +)\* (ipscan|wormride)/ - | /(^| *)asn1/ - ; - - global skip_msgs = - /.*AUTH .*/ - | /.*\*\*\* Your host is .*/ - | /.*\*\*\* If you are having problems connecting .*/ - ; - - redef enum Notice += { - IrcBotServerFound, - IrcBotClientFound, - }; - - type channel: record { - name: string; - passwords: set[string]; - topic: string &default=""; - topic_history: vector of string; - }; - - type bot_client: record { - host: addr; - p: port; - nick: string &default=""; - user: string &default=""; - realname: string &default=""; - channels: table[string] of channel; - servers: set[addr] &optional; - first_seen: time; - last_seen: time; - }; - - type bot_server: record { - host: addr; - p: set[port]; - clients: table[addr] of bot_client; - global_users: string &default=""; - passwords: set[string]; - channels: table[string] of channel; - first_seen: time; - last_seen: time; - }; - - type bot_conn: record { - client: bot_client; - server: bot_server; - conn: connection; - fd: file; - ircx: bool &default=F; - }; - - # We keep three sets of clients/servers: - # (1) tables containing all IRC clients/servers - # (2) sets containing 
potential bot hosts - # (3) sets containing confirmend bot hosts - # - # Hosts are confirmed when a connection is established between - # potential bot hosts. - # - # FIXME: (1) should really be moved into the general IRC script. - - global expire_server: - function(t: table[addr] of bot_server, idx: addr): interval; - global expire_client: - function(t: table[addr] of bot_client, idx: addr): interval; - - global servers: table[addr] of bot_server &write_expire=24 hrs - &expire_func=expire_server &persistent; - global clients: table[addr] of bot_client &write_expire=24 hrs - &expire_func=expire_client &persistent; - - global potential_bot_clients: set[addr] &persistent; - global potential_bot_servers: set[addr] &persistent; - global confirmed_bot_clients: set[addr] &persistent; - global confirmed_bot_servers: set[addr] &persistent; - - # All IRC connections. - global conns: table[conn_id] of bot_conn &persistent; - - # Connections between confirmed hosts. - global bot_conns: set[conn_id] &persistent; - - # Helper functions for readable output. 
- global strset_to_str: function(s: set[string]) : string; - global portset_to_str: function(s: set[port]) : string; - global addrset_to_str: function(s: set[addr]) : string; -} - -function strset_to_str(s: set[string]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("\"%s\"", i)); - } - - return r; - } - -function portset_to_str(s: set[port]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("%d", i)); - } - - return r; - } - -function addrset_to_str(s: set[addr]) : string - { - if ( |s| == 0 ) - return ""; - - local r = ""; - for ( i in s ) - { - if ( r != "" ) - r = cat(r, ","); - r = cat(r, fmt("%s", i)); - } - - return r; - } - -function fmt_time(t: time) : string - { - return strftime("%y-%m-%d-%H-%M-%S", t); - } - -event print_bot_state() - { - local bot_summary_log = open_log_file("irc-bots.summary"); - disable_print_hook(bot_summary_log); - - print bot_summary_log, "---------------------------"; - print bot_summary_log, strftime("%y-%m-%d-%H-%M-%S", network_time()); - print bot_summary_log, "---------------------------"; - print bot_summary_log; - print bot_summary_log, "Known servers"; - - for ( h in confirmed_bot_servers ) - { - local s = servers[h]; - - print bot_summary_log, - fmt(" %s %s - clients: %d ports %s password(s) %s last-seen %s first-seen %s global-users %s", - (is_local_addr(s$host) ? 
"L" : "R"), - s$host, length(s$clients), portset_to_str(s$p), - strset_to_str(s$passwords), - fmt_time(s$last_seen), fmt_time(s$first_seen), - s$global_users); - - for ( name in s$channels ) - { - local ch = s$channels[name]; - print bot_summary_log, - fmt(" channel %s: topic \"%s\", password(s) %s", - ch$name, ch$topic, - strset_to_str(ch$passwords)); - } - } - - print bot_summary_log, "\nKnown clients"; - - for ( h in confirmed_bot_clients ) - { - local c = clients[h]; - print bot_summary_log, - fmt(" %s %s - server(s) %s user %s nick %s realname %s last-seen %s first-seen %s", - (is_local_addr(h) ? "L" : "R"), h, - addrset_to_str(c$servers), - c$user, c$nick, c$realname, - fmt_time(c$last_seen), fmt_time(c$first_seen)); - } - - close(bot_summary_log); - - if ( summary_interval != 0 secs ) - schedule summary_interval { print_bot_state() }; - } - -event bro_init() - { - if ( summary_interval != 0 secs ) - schedule summary_interval { print_bot_state() }; - } - -function do_log_force(c: connection, msg: string) - { - local id = c$id; - print bot_log, fmt("%.6f %s:%d > %s:%d %s %s", - network_time(), id$orig_h, id$orig_p, - id$resp_h, id$resp_p, c$addl, msg); - } - -function do_log(c: connection, msg: string) - { - if ( c$id !in bot_conns ) - return; - - do_log_force(c, msg); - } - -function log_msg(c: connection, cmd: string, prefix: string, msg: string) - { - if ( skip_msgs in msg ) - return; - - do_log(c, fmt("MSG command=%s prefix=%s msg=\"%s\"", cmd, prefix, msg)); - } - -function update_timestamps(c: connection) : bot_conn - { - local conn = conns[c$id]; - - conn$client$last_seen = network_time(); - conn$server$last_seen = network_time(); - - # To prevent the set of entries from premature expiration, - # we need to make a write access (can't use read_expire as we - # iterate over the entries on a regular basis). 
- clients[c$id$orig_h] = conn$client; - servers[c$id$resp_h] = conn$server; - - return conn; - } - -function add_server(c: connection) : bot_server - { - local s_h = c$id$resp_h; - - if ( s_h in servers ) - return servers[s_h]; - - local empty_table1: table[addr] of bot_client; - local empty_table2: table[string] of channel; - local empty_set: set[string]; - local empty_set2: set[port]; - - local server = [$host=s_h, $p=empty_set2, $clients=empty_table1, - $channels=empty_table2, $passwords=empty_set, - $first_seen=network_time(), $last_seen=network_time()]; - servers[s_h] = server; - - return server; - } - -function add_client(c: connection) : bot_client - { - local c_h = c$id$orig_h; - - if ( c_h in clients ) - return clients[c_h]; - - local empty_table: table[string] of channel; - local empty_set: set[addr]; - local client = [$host=c_h, $p=c$id$resp_p, $servers=empty_set, - $channels=empty_table, $first_seen=network_time(), - $last_seen=network_time()]; - clients[c_h] = client; - - return client; - } - -function check_bot_conn(c: connection) - { - if ( c$id in bot_conns ) - return; - - local client = c$id$orig_h; - local server = c$id$resp_h; - - if ( client !in potential_bot_clients || server !in potential_bot_servers ) - return; - - # New confirmed bot_conn. 
- - add bot_conns[c$id]; - - if ( server !in confirmed_bot_servers ) - { - NOTICE([$note=IrcBotServerFound, $src=server, $p=c$id$resp_p, $conn=c, - $msg=fmt("ircbot server found: %s:%d", server, $p=c$id$resp_p)]); - add confirmed_bot_servers[server]; - } - - if ( client !in confirmed_bot_clients ) - { - NOTICE([$note=IrcBotClientFound, $src=client, $p=c$id$orig_p, $conn=c, - $msg=fmt("ircbot client found: %s:%d", client, $p=c$id$orig_p)]); - add confirmed_bot_clients[client]; - } - } - -function get_conn(c: connection) : bot_conn - { - local conn: bot_conn; - - if ( c$id in conns ) - { - check_bot_conn(c); - return update_timestamps(c); - } - - local c_h = c$id$orig_h; - local s_h = c$id$resp_h; - - local client : bot_client; - local server : bot_server; - - if ( c_h in clients ) - client = clients[c_h]; - else - client = add_client(c); - - if ( s_h in servers ) - server = servers[s_h]; - else - server = add_server(c); - - server$clients[c_h] = client; - add server$p[c$id$resp_p]; - add client$servers[s_h]; - - conn$server = server; - conn$client = client; - conn$conn = c; - conns[c$id] = conn; - update_timestamps(c); - - return conn; - } - -function expire_server(t: table[addr] of bot_server, idx: addr): interval - { - local server = t[idx]; - for ( c in server$clients ) - { - local client = server$clients[c]; - delete client$servers[idx]; - } - - delete potential_bot_servers[idx]; - delete confirmed_bot_servers[idx]; - return 0secs; - } - -function expire_client(t: table[addr] of bot_client, idx: addr): interval - { - local client = t[idx]; - for ( s in client$servers ) - if ( s in servers ) - delete servers[s]$clients[idx]; - delete potential_bot_clients[idx]; - delete confirmed_bot_clients[idx]; - return 0secs; - } - -function remove_connection(c: connection) - { - local conn = conns[c$id]; - delete conns[c$id]; - delete bot_conns[c$id]; - } - -event connection_state_remove(c: connection) - { - if ( c$id !in conns ) - return; - - remove_connection(c); - } - 
-event bro_init() - { - set_buf(detailed_log, F); - set_buf(bot_log, F); - } - -event irc_client(c: connection, prefix: string, data: string) - { - if ( detailed_logging ) - print detailed_log, fmt("%.6f %s > (%s) %s", network_time(), id_string(c$id), prefix, data); - - local conn = get_conn(c); - - if ( data == /^ *[iI][rR][cC][xX] *$/ ) - conn$ircx = T; - } - -event irc_server(c: connection, prefix: string, data: string) - { - if ( detailed_logging ) - print detailed_log, fmt("%.6f %s < (%s) %s", network_time(), id_string(c$id), prefix, data); - - local conn = get_conn(c); - } - -event irc_user_message(c: connection, user: string, host: string, server: string, real_name: string) - { - local conn = get_conn(c); - conn$client$user = user; - conn$client$realname = real_name; - - do_log(c, fmt("USER user=%s host=%s server=%s real_name=%s", user, host, server, real_name)); - } - -function get_channel(conn: bot_conn, channel: string) : channel - { - if ( channel in conn$server$channels ) - return conn$server$channels[channel]; - else - { - local empty_set: set[string]; - local empty_vec: vector of string; - local ch = [$name=channel, $passwords=empty_set, $topic_history=empty_vec]; - conn$server$channels[ch$name] = ch; - return ch; - } - } - -event irc_join_message(c: connection, info_list: irc_join_list) - { - local conn = get_conn(c); - - for ( i in info_list ) - { - local ch = get_channel(conn, i$channel); - - if ( i$password != "" ) - add ch$passwords[i$password]; - - conn$client$channels[ch$name] = ch; - - do_log(c, fmt("JOIN channel=%s password=%s", i$channel, i$password)); - } - } - -global urls: set[string] &read_expire = 7 days &persistent; - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - if ( original_URI in urls ) - do_log_force(c, fmt("Request for URL %s", original_URI)); - } - -event irc_channel_topic(c: connection, channel: string, topic: string) - { - if ( bot_cmds in topic ) - { - 
do_log_force(c, fmt("Matching TOPIC %s", topic)); - add potential_bot_servers[c$id$resp_h]; - } - - local conn = get_conn(c); - - local ch = get_channel(conn, channel); - ch$topic_history[|ch$topic_history|] = ch$topic; - ch$topic = topic; - - if ( c$id in bot_conns ) - { - do_log(c, fmt("TOPIC channel=%s topic=\"%s\"", channel, topic)); - - local s = split(topic, / /); - for ( i in s ) - { - local w = s[i]; - if ( w == /[a-zA-Z]+:\/\/.*/ ) - { - add urls[w]; - do_log(c, fmt("URL channel=%s url=\"%s\"", - channel, w)); - } - } - } - } - -event irc_nick_message(c: connection, who: string, newnick: string) - { - if ( bot_nicks in newnick ) - { - do_log_force(c, fmt("Matching NICK %s", newnick)); - add potential_bot_clients[c$id$orig_h]; - } - - local conn = get_conn(c); - conn$client$nick = newnick; - - do_log(c, fmt("NICK who=%s nick=%s", who, newnick)); - } - -event irc_password_message(c: connection, password: string) - { - local conn = get_conn(c); - add conn$server$passwords[password]; - - do_log(c, fmt("PASS password=%s", password)); - } - -event irc_privmsg_message(c: connection, source: string, target: string, - message: string) - { - log_msg(c, "privmsg", source, fmt("->%s %s", target, message)); - } - -event irc_notice_message(c: connection, source: string, target: string, - message: string) - { - log_msg(c, "notice", source, fmt("->%s %s", target, message)); - } - -event irc_global_users(c: connection, prefix: string, msg: string) - { - local conn = get_conn(c); - - # Better would be to parse the message to extract the counts. - conn$server$global_users = msg; - - log_msg(c, "globalusers", prefix, msg); - } diff --git a/policy.old/irc.bro b/policy.old/irc.bro deleted file mode 100644 index 27b905528a..0000000000 --- a/policy.old/irc.bro +++ /dev/null 
@@ -1,689 +0,0 @@ -# $Id: irc.bro 4758 2007-08-10 06:49:23Z vern $ - -@load conn-id -@load notice -@load weird - -@load signatures - -module IRC; - -export { - const log_file = open_log_file("irc") &redef; - - type irc_user: record { - u_nick: string; # nick name - u_real: string; # real name - u_host: string; # client host - u_channels: set[string]; # channels the user is member of - u_is_operator: bool; # user is server operator - u_conn: connection; # connection handle - }; - - type irc_channel: record { - c_name: string; # channel name - c_users: set[string]; # users in channel - c_ops: set[string]; # channel operators - c_type: string; # channel type - c_modes: string; # channel modes - c_topic: string; # channel topic - }; - - global expired_user: - function(t: table[string] of irc_user, idx: string): interval; - global expired_channel: - function(t: table[string] of irc_channel, idx: string): interval; - - # Commands to ignore in irc_request/irc_message. - const ignore_in_other_msgs = { "PING", "PONG", "ISON" } &redef; - - # Return codes to ignore in irc_response - const ignore_in_other_responses: set[count] = { - 303 # RPL_ISON - } &redef; - - # Active users, indexed by nick. - global active_users: table[string] of irc_user &read_expire = 6 hrs - &expire_func = expired_user &redef; - - # Active channels, indexed by channel name. - global active_channels: table[string] of irc_channel - &read_expire = 6 hrs - &expire_func = expired_channel &redef; - - # Strings that generate a notice if found in session dialog. - const hot_words = - /.*etc\/shadow.*/ - | /.*etc\/ldap.secret.*/ - | /.*phatbot.*/ - | /.*botnet.*/ - &redef; - - redef enum Notice += { - IRC_HotWord, - }; -} - - -# IRC ports. This could be widened to 6660-6669, say. -redef capture_filters += { ["irc-6666"] = "port 6666" }; -redef capture_filters += { ["irc-6667"] = "port 6667" }; - -# DPM configuration. 
-global irc_ports = { 6666/tcp, 6667/tcp } &redef; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef Weird::weird_action += { - ["irc_invalid_dcc_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_invite_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_kick_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_line"] = Weird::WEIRD_FILE, - ["irc_invalid_mode_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_names_line"] = Weird::WEIRD_FILE, - ["irc_invalid_njoin_line"] = Weird::WEIRD_FILE, - ["irc_invalid_notice_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_oper_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_privmsg_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_reply_number"] = Weird::WEIRD_FILE, - ["irc_invalid_squery_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_who_line"] = Weird::WEIRD_FILE, - ["irc_invalid_who_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_channel_line"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_message_format"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_operator_line"] = Weird::WEIRD_FILE, - ["irc_invalid_whois_user_line"] = Weird::WEIRD_FILE, - ["irc_line_size_exceeded"] = Weird::WEIRD_FILE, - ["irc_line_too_short"] = Weird::WEIRD_FILE, - ["irc_partial_request"] = Weird::WEIRD_FILE, - ["irc_too_many_invalid"] = Weird::WEIRD_FILE, -}; - -# # IRC servers to identify server-to-server connections. 
-# redef irc_servers = { -# # German IRCnet servers -# irc.leo.org, -# irc.fu-berlin.de, -# irc.uni-erlangen.de, -# irc.belwue.de, -# irc.freenet.de, -# irc.tu-ilmenau.de, -# irc.rz.uni-karlsruhe.de, -# }; - -global conn_list: table[conn_id] of count; -global conn_ID = 0; -global check_connection: function(c: connection); - -function irc_check_hot(c: connection, s: string, context: string) - { - if ( s == hot_words ) - NOTICE([$note=IRC_HotWord, $conn=c, - $msg=fmt("IRC hot word in: %s", context)]); - } - -function log_activity(c: connection, msg: string) - { - print log_file, fmt("%.6f #%s %s", - network_time(), conn_list[c$id], msg); - } - -event connection_state_remove(c: connection) - { - delete conn_list[c$id]; - } - -event irc_request(c: connection, prefix: string, - command: string, arguments: string) - { - check_connection(c); - - local context = fmt("%s %s", command, arguments); - irc_check_hot(c, command, context); - irc_check_hot(c, arguments, context); - - if ( command !in ignore_in_other_msgs ) - log_activity(c, fmt("other request%s%s: %s", - prefix == "" ? "" : " ", - prefix, context)); - } - -event irc_reply(c: connection, prefix: string, code: count, params: string) - { - check_connection(c); - - local context = fmt("%s %s", code, params); - irc_check_hot(c, params, context); - - if ( code !in ignore_in_other_responses ) - log_activity(c, fmt("other response from %s: %s", - prefix, context)); - } - -event irc_message(c: connection, prefix: string, - command: string, message: string) - { - check_connection(c); - - # Sanity checks whether this is indeed IRC. - # - # If we happen to parse an HTTP connection, the server "commands" will - # end with ":". 
- if ( command == /.*:$/ ) - { - local aid = current_analyzer(); - event protocol_violation(c, ANALYZER_IRC, aid, "broken server response"); - return; - } - - local context = fmt("%s %s", command, message); - irc_check_hot(c, command, context); - irc_check_hot(c, message, context); - - if ( command !in ignore_in_other_msgs ) - log_activity(c, fmt("other server message from %s: %s", - prefix, context)); - } - -event irc_user_message(c: connection, user: string, host: string, - server: string, real_name: string) - { - check_connection(c); - - log_activity(c, fmt("new user, user='%s', host='%s', server='%s', real = '%s'", - user, host, server, real_name)); - - if ( user in active_users ) - active_users[user]$u_conn = c; - else - { - local u: irc_user; - u$u_nick = user; - u$u_real = real_name; - u$u_conn = c; - u$u_host = ""; - u$u_is_operator = F; - active_users[user] = u; - } - } - -event irc_quit_message(c: connection, nick: string, message: string) - { - check_connection(c); - - log_activity(c, fmt("user '%s' leaving%s", nick, - message == "" ? "" : fmt(", \"%s\"", message))); - - # Remove from lists. - if ( nick in active_users ) - { - delete active_users[nick]; - for ( my_channel in active_channels ) - delete active_channels[my_channel]$c_users[nick]; - } - } - -function check_message(c: connection, source: string, target: string, - msg: string, msg_type: string) - { - check_connection(c); - irc_check_hot(c, msg, msg); - log_activity(c, fmt("%s%s to '%s': %s", msg_type, - source != "" ? 
fmt(" from '%s'", source) : "", - target, msg)); - } - -event irc_privmsg_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "message"); - } - -event irc_notice_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "notice"); - } - -event irc_squery_message(c: connection, source: string, target: string, - message: string) - { - check_message(c, source, target, message, "squery"); - } - -event irc_join_message(c: connection, info_list: irc_join_list) - { - check_connection(c); - - for ( l in info_list ) - { - log_activity(c, fmt("user '%s' joined '%s'%s", - l$nick, l$channel, - l$password != "" ? - fmt("with password '%s'", - l$password) : "")); - - if ( l$nick == "" ) - next; - - if ( l$nick in active_users ) - add (active_users[l$nick]$u_channels)[l$channel]; - else - { - local user: irc_user; - user$u_nick = l$nick; - user$u_real = ""; - user$u_conn = c; - user$u_host = ""; - user$u_is_operator = F; - add user$u_channels[l$channel]; - - active_users[l$nick] = user; - } - - # Add channel to lists. - if ( l$channel in active_channels ) - add (active_channels[l$channel]$c_users)[l$nick]; - else - { - local my_c: irc_channel; - my_c$c_name = l$channel; - add my_c$c_users[l$nick]; - - my_c$c_type = my_c$c_modes = ""; - - active_channels[l$channel] = my_c; - } - } - } - -event irc_part_message(c: connection, nick: string, - chans: string_set, message: string) - { - check_connection(c); - - local channel_str = ""; - for ( ch in chans ) - channel_str = channel_str == "" ? - ch : fmt("%s, %s", channel_str, ch); - - log_activity(c, fmt("%s channel '%s'%s", - nick == "" ? "leaving" : - fmt("user '%s' leaving", nick), - channel_str, - message == "" ? - "" : fmt("with message '%s'", message))); - - # Remove user from channel. 
- if ( nick == "" ) - return; - - for ( ch in active_channels ) - { - delete (active_channels[ch]$c_users)[nick]; - delete (active_channels[ch]$c_ops)[nick]; - if ( nick in active_users ) - delete (active_users[nick]$u_channels)[ch]; - } - } - -event irc_nick_message(c: connection, who: string, newnick: string) - { - check_connection(c); - - log_activity(c, fmt("%s nick name to '%s'", - who == "" ? "changing" : - fmt("user '%s' changing", who), - newnick)); - } - -event irc_invalid_nick(c: connection) - { - check_connection(c); - log_activity(c, "changing nick name failed"); - } - -event irc_network_info(c: connection, users: count, services: count, - servers: count) - { - check_connection(c); - log_activity(c, fmt("network includes %d users, %d services, %d servers", - users, services, servers)); - } - -event irc_server_info(c: connection, users: count, services: count, - servers: count) - { - check_connection(c); - log_activity(c, fmt("server includes %d users, %d services, %d peers", - users, services, servers)); - } - -event irc_channel_info(c: connection, chans: count) - { - check_connection(c); - log_activity(c, fmt("network includes %d channels", chans)); - } - -event irc_who_line(c: connection, target_nick: string, channel: string, - user: string, host: string, server: string, - nick: string, params: string, hops: count, - real_name: string) - { - check_connection(c); - - log_activity(c, fmt("channel '%s' includes '%s' on %s connected to %s with nick '%s', real name '%s', params %s", - channel, user, host, server, - nick, real_name, params)); - - if ( nick == "" || channel == "" ) - return; - - if ( nick in active_users ) - active_users[nick]$u_conn = c; - - else - { - local myuser: irc_user; - myuser$u_nick = nick; - myuser$u_real = real_name; - myuser$u_conn = c; - myuser$u_host = host; - myuser$u_is_operator = F; - add myuser$u_channels[channel]; - - active_users[nick] = myuser; - - if ( channel in active_channels ) - add 
(active_channels[channel]$c_users)[nick]; - else - { - local my_c: irc_channel; - my_c$c_name = channel; - add my_c$c_users[nick]; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[channel] = my_c; - } - } - } - -event irc_who_message(c: connection, mask: string, oper: bool) - { - check_connection(c); - - log_activity(c, fmt("WHO with mask %s%s", mask, - oper ? ", only operators" : "")); - } - -event irc_whois_message(c: connection, server: string, users: string) - { - check_connection(c); - - log_activity(c, fmt("WHOIS%s for user(s) %s", - server == "" ? - server : fmt(" to server %s", server), - users)); - } - -event irc_whois_user_line(c: connection, nick: string, - user: string, host: string, real_name: string) - { - check_connection(c); - - log_activity(c, fmt("user '%s' with nick '%s' on host %s has real name '%s'", - user, nick, host, real_name)); - - if ( nick in active_users ) - { - active_users[nick]$u_real = real_name; - active_users[nick]$u_host = host; - } - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = real_name; - u$u_conn = c; - u$u_host = host; - u$u_is_operator = F; - - active_users[nick] = u; - } - } - -event irc_whois_operator_line(c: connection, nick: string) - { - check_connection(c); - log_activity(c, fmt("user '%s' is an IRC operator", nick)); - - if ( nick in active_users ) - active_users[nick]$u_is_operator = T; - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = ""; - u$u_conn = c; - u$u_host = ""; - u$u_is_operator = T; - - active_users[nick] = u; - } - } - -event irc_whois_channel_line(c: connection, nick: string, chans: string_set) - { - check_connection(c); - - local message = fmt("user '%s' is on channels:", nick); - for ( channel in chans ) - message = fmt("%s %s", message, channel); - - log_activity(c, message); - - if ( nick in active_users ) - { - for ( ch in chans ) - add active_users[nick]$u_channels[ch]; - } - else - { - local u: irc_user; - u$u_nick = nick; - u$u_real = ""; - u$u_conn = 
c; - u$u_host = ""; - u$u_is_operator = F; - u$u_channels = chans; - - active_users[nick] = u; - } - - for ( ch in chans ) - { - if ( ch in active_channels ) - add (active_channels[ch]$c_users)[nick]; - else - { - local my_c: irc_channel; - my_c$c_name = ch; - add my_c$c_users[nick]; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[ch] = my_c; - } - } - } - -event irc_oper_message(c: connection, user: string, password: string) - { - check_connection(c); - log_activity(c, fmt("user requests operator status with name '%s', password '%s'", - user, password)); - } - -event irc_oper_response(c: connection, got_oper: bool) - { - check_connection(c); - log_activity(c, fmt("user %s operator status", - got_oper ? "received" : "did not receive")); - } - -event irc_kick_message(c: connection, prefix: string, chans: string, - users: string, comment: string) - { - check_connection(c); - log_activity(c, fmt("user '%s' requested to kick '%s' from channel(s) %s with comment %s", - prefix, users, chans, comment)); - } - -event irc_error_message(c: connection, prefix: string, message: string) - { - check_connection(c); - log_activity(c, fmt("error message%s: %s", - prefix == "" ? "" : fmt("from '%s'", prefix), - message)); - } - -event irc_invite_message(c: connection, prefix: string, - nickname: string, channel: string) - { - check_connection(c); - log_activity(c, fmt("'%s' invited to channel %s%s", - nickname, channel, - prefix == "" ? "" : fmt(" by %s", prefix))); - } - -event irc_mode_message(c: connection, prefix: string, params: string) - { - check_connection(c); - log_activity(c, fmt("mode command%s: %s", - prefix == "" ? "" : fmt(" from '%s'", prefix), - params)); - } - -event irc_squit_message(c: connection, prefix: string, - server: string, message: string) - { - check_connection(c); - - log_activity(c, fmt("server disconnect attempt%s for %s with comment %s", - prefix == "" ? 
"" : fmt(" from '%s'", prefix), - server, message)); - } - -event irc_names_info(c: connection, c_type: string, channel: string, - users: string_set) - { - check_connection(c); - - local chan_type = - c_type == "@" ? "secret" : - (c_type == "*" ? "private" : "public"); - - local message = fmt("channel '%s' (%s) contains users:", - channel, chan_type); - - for ( user in users ) - message = fmt("%s %s", message, user); - - log_activity(c, message); - - if ( channel in active_channels ) - { - for ( u in users ) - add (active_channels[channel]$c_users)[u]; - } - else - { - local my_c: irc_channel; - my_c$c_name = channel; - my_c$c_users = users; - my_c$c_type = ""; - my_c$c_modes = ""; - - active_channels[channel] = my_c; - } - - for ( nick in users ) - { - if ( nick in active_users ) - add (active_users[nick]$u_channels)[channel]; - else - { - local usr: irc_user; - usr$u_nick = nick; - usr$u_real = ""; - usr$u_conn = c; - usr$u_host = ""; - usr$u_is_operator = F; - add usr$u_channels[channel]; - - active_users[nick] = usr; - } - } - } - -event irc_dcc_message(c: connection, prefix: string, target: string, - dcc_type: string, argument: string, - address: addr, dest_port: count, size: count) - { - check_connection(c); - - log_activity(c, fmt("DCC %s invitation for '%s' to host %s on port %s%s", - dcc_type, target, address, dest_port, - dcc_type == "SEND" ? 
- fmt(" (%s: %s bytes)", argument, size) : - "")); - } - -event irc_channel_topic(c: connection, channel: string, topic: string) - { - check_connection(c); - log_activity(c, fmt("topic for %s is '%s'", channel, topic)); - } - -event irc_password_message(c: connection, password: string) - { - check_connection(c); - log_activity(c, fmt("password %s", password)); - } - -function expired_user(t: table[string] of irc_user, idx: string): interval - { - for ( my_c in active_users[idx]$u_channels ) - { - suspend_state_updates(); - delete active_channels[my_c]$c_users[idx]; - delete active_channels[my_c]$c_ops[idx]; - resume_state_updates(); - } - - return 0 secs; - } - -function expired_channel(t:table[string] of irc_channel, idx: string): interval - { - for ( my_u in active_channels[idx]$c_users ) - if ( my_u in active_users ) - delete active_users[my_u]$u_channels[idx]; - # Else is there a possible state leak? How could it not - # be in active_users? Yet sometimes it isn't, which - # is why we needed to add the above test. - - return 0 secs; - } - -function check_connection(c: connection) - { - if ( c$id !in conn_list ) - { - ++conn_ID; - append_addl(c, fmt("#%d", conn_ID)); - conn_list[c$id] = conn_ID; - - log_activity(c, fmt("new connection %s", id_string(c$id))); - } - } diff --git a/policy.old/large-conns.bro b/policy.old/large-conns.bro deleted file mode 100644 index 7c55c8ff1c..0000000000 --- a/policy.old/large-conns.bro +++ /dev/null 
@@ -1,336 +0,0 @@ -# $Id: large-conns.bro 1332 2005-09-07 17:39:17Z vern $ - -# Written by Chema Gonzalez. - - -# Estimates the size of large "flows" (i.e., each direction of a TCP -# connection) by noting when their sequence numbers cross a set of regions -# in the sequence space. This can be done using a static packet filter, -# so is very efficient. It works for (TCP) traffic that Bro otherwise doesn't -# see. - -# Usage -# -# 1) Set the appropriate number_of_regions and region_size: -# -# Modify the number_of_regions and (perhaps) region_size global -# variables. You do this *prior* to loading this script, so -# for example: -# -# const number_of_regions = 32; -# @load large-conns -# -# You do *not* redef them like you would with other script variables -# (this is because they need to be used directly in the initializations -# of other variables used by this script). -# -# Note that number_of_regions affects the granularity -# and definition of the script (see below). -# -# 2) To get an estimate of the true size of a flow, call: -# -# function estimate_flow_size_and_remove(cid: conn_id, orig: bool): -# flow_size_est -# -# If orig=T, then an estimate of the size of the forward (originator) -# direction is returned. If orig=F, then the reverse (responder) -# direction is returned. In both cases, what's returned is a -# flow_size_est, which includes a flag indicating whether there was -# any estimate formed, and, if the flag is T, a lower bound, an upper bound, -# and an inconsistency-count (which, if > 0, means that the estimates -# came from sequence numbers that were inconsistent, and thus something -# is wrong - perhaps packet drops by the secondary filter). Finally, -# calling this function causes the flow's record to be deleted. Perhaps -# at some point we'll need to add a version that just retrieves the -# estimate. 
- -type flow_size_est: record { - have_est: bool; - lower: double &optional; - upper: double &optional; - num_inconsistent: count &optional; -}; - -global estimate_flow_size_and_remove: - function(cid: conn_id, orig: bool): flow_size_est; - -module LargeConn; - - -# Rationale -# -# One of the mechanisms that Bro uses to detect large TCP flows is -# to calculate the difference in the sequence number (seq) field contents -# between the last packet (FIN or RST) and the first packet (SYN). This -# method may be wrong if a) the seq number is busted (which can happen -# frequently with RST termination), or b) the seq number wraps around -# the 4GB sequence number space (note that this is OK for TCP while -# there is no ambiguity on what a packet's sequence number means, -# due to its use of a window <= 2 GB in size). -# -# The purpose of this script is to resolve these ambiguities. In other -# words, help with differentiating truly large flows from flows with -# a busted seq, and detecting very large flows that wrap around the -# 4GB seq space. -# -# To do so, large-flow listens to a small group of thin regions in -# the sequence space, located at equal distances from each other. The idea -# is that a truly large flow will pass through the regions in -# an orderly fashion, maybe several times. This script keeps track of -# all packets that pass through any of the regions, counting the number -# of times a packet from a given flow passes through consecutive regions. -# -# Note that the exact number of regions, and the size of each region, can -# be controlled by redefining the global variables number_of_regions -# and region_size, respectively. Both should be powers of two (if not, -# they are rounded to be such), and default to 4 and 16KB, respectively. 
-# The effect of varying these parameters is the following: -# -# - Increasing number_of_regions will increase the granularity of the -# script, at the cost of elevating its cost in both processing (more -# packets will be seen) and memory (more flows will be seen). -# The granularity of the script is defined as the minimum variation -# in size the script can see. Its value is: -# -# granularity = (4GB / number_of_regions) -# -# For example, if we're using 4 regions, the minimum flow size difference -# that the script can see is 1GB. -# -# number_of_regions also affects the script definition, defined as the -# smallest size of a flow which ensures that the flow will be seen by -# the script. The script definition is: -# -# definition = (2 * granularity) -# -# The script sees no flow smaller than the granularity, some flows with -# size between granularity and definition, and all flows larger than -# definition. In our example, the script definition is 2GB (it will see -# for sure only flows bigger than 2GB). -# -# - Increasing region_size will only increase the resilience of the script -# to lost packets, at the cost of augmenting the cost in both processing -# and memory (see above). The default value of 16 KB is chosen to work -# in the presence of largish packets without too much additional work. - -# Set up defaults, unless the user has already specified these. Note that -# these variables are *not* redef'able, since they are used in initializations -# later in this script (so a redef wouldn't be "seen" in time). -@ifndef ( number_of_regions ) - const number_of_regions = 4; -@endif -@ifndef ( region_size ) - const region_size = 16 * 1024; # 16 KB -@endif - - -# Track the regions visited for each flow. -type t_info: record { - last_region: count; # last region visited - num_regions: count; # number of regions visited - num_inconsistent: count; # num. 
inconsistent region crossings -}; - -# The state expiration for this table needs to be generous, as it's -# for tracking very large flows, which could be quite long-lived. -global flow_region_info: table[conn_id] of t_info &write_expire = 6 hr; - - -# Returns the integer logarithm in base b. -function logarithm(base: count, x: count): count - { - if ( x < base ) - return 0; - else - return 1 + logarithm(base, x / base); - } - - -# Function used to get around Bro's lack of real ordered loop. -function do_while(i: count, max: count, total: count, - f: function(i: count, total: count): count): count - { - if ( i >= max ) - return total; - else - return do_while(++i, max, f(--i, total), f); - } - -function fn_mask_location(i: count, total: count): count - { - return total * 2 + 1; - } - -function fn_filter_location(i: count, total: count): count - { - # The location pattern is 1010101010... - return total * 2 + (i % 2 == 0 ? 1 : 0); - } - -function fn_common_region_size(i: count, total: count): count - { - return total * 2; - } - - -function get_interregion_distance(number_of_regions: count, - region_size: count): count - { - local bits_number_of_regions = logarithm(2, number_of_regions); - local bits_other = int_to_count(32 - bits_number_of_regions); - - return do_while(0, bits_other, 1, fn_common_region_size); - } - - -global interregion_distance = - get_interregion_distance(number_of_regions, region_size); - - -# Returns an estiamte of size of the flow (one direction of a TCP connection) -# that this script has seen. This is based on the number of consecutive -# regions a flow has visited, weighted with the distance between regions. -# -# We know that the full sequence number space accounts for 4GB. This -# space comprises number_of_regions regions, separated from each other -# a (4GB / number_of_regions) distance. If a flow has been seen -# in X consecutive regions, it means that the size of the flow is -# greater than ((X - 1) * distance_between_regions) GB. 
-# -# Note that seeing a flow in just one region is no different from -# not seeing it at all. -function estimate_flow_size_and_remove(cid: conn_id, orig: bool): flow_size_est - { - local id = orig ? cid : - [$orig_h = cid$resp_h, $orig_p = cid$resp_p, - $resp_h = cid$orig_h, $resp_p = cid$orig_p]; - - if ( id !in flow_region_info ) - return [$have_est = F]; - - local regions_crossed = - int_to_count(flow_region_info[id]$num_regions - 1); - - local lower = regions_crossed * interregion_distance * 1.0; - local upper = lower + interregion_distance * 2.0; - local num_inconsis = flow_region_info[id]$num_inconsistent; - - delete flow_region_info[id]; - - return [$have_est = T, $lower = lower, $upper = upper, - $num_inconsistent = num_inconsis]; - } - - -# Returns a tcpdump filter corresponding to the number of regions and -# region size requested by the user. -# -# How to calculate the tcpdump filter used to hook packet_event to the -# secondary filter system? We are interested only in TCP packets whose -# seq number belongs to any of the test slices. Let's focus on the case -# of 4 regions, 16KB per region. -# -# The mask should be: [ x x L L L ... L L L x x ... x ] -# <---><---------------><---------> -# | | | -# | | +-> suffix: region size -# | +-> location: remaining bits -# +-> prefix: number of equidistant regions -# -# The 32-bit seq number is masked as follows: -# -# - suffix: defines size of the regions (16KB implies log_2(16KB) = 14 bits) -# -# - location: defines the exact location of the 4 regions. 
Note that, to -# minimize the amount of data we keep, the location will be distinct from -# zero, so segments with seq == 0 are not in a valid region -# -# - prefix: defines number of regions (4 implies log_2(4) = 2 bits) -# -# E.g., the mask will be seq_number & 0011...1100..00_2 = 00LL..LL00..00_2, -# which, by setting the location to 1010101010101010, will finally be -# seq_number & 0011...1100..00_2 = 00101010101010101000..00_2, i.e., -# seq_number & 0x3fffc000 = 0x2aaa8000. -# -# For that particular parameterization, we'd like to wind up with a -# packet event filter of "(tcp[4:4] & 0x3fffc000) == 0x2aaa8000". - -function get_event_filter(number_of_regions: count, region_size: count): string - { - local bits_number_of_regions = logarithm(2, number_of_regions); - local bits_region_size = logarithm(2, region_size); - local bits_remaining = - int_to_count(32 - bits_number_of_regions - bits_region_size); - - # Set the bits corresponding to the location: - # i = 0; - # while ( i < bits_remaining ) - # { - # mask = (mask * 2) + 1; - # filter = (filter * 2) + (((i % 2) == 0) ? 1 : 0); - # ++i; - # } - local mask = do_while(0, bits_remaining, 0, fn_mask_location); - local filter = do_while(0, bits_remaining, 0, fn_filter_location); - - # Set the bits corrsponding to the region size - # i = 0; - # while ( i < bits_region_size ) - # { - # mask = mask * 2; - # filter = filter * 2; - # ++i; - # } - mask = do_while(0, bits_region_size, mask, fn_common_region_size); - filter = do_while(0, bits_region_size, filter, fn_common_region_size); - - return fmt("(tcp[4:4] & 0x%x) == 0x%x", mask, filter); - } - - -# packet_event -- -# -# This event is raised once per (TCP) packet falling into any of the regions. -# It updates the flow_region_info table. -event packet_event(filter: string, pkt: pkt_hdr) - { - # Distill the region from the seq number. - local region = pkt$tcp$seq / interregion_distance; - - # Get packet info and update global counters. 
- local cid = [$orig_h = pkt$ip$src, $orig_p = pkt$tcp$sport,
- $resp_h = pkt$ip$dst, $resp_p = pkt$tcp$dport];
-
- if ( cid !in flow_region_info )
- {
- flow_region_info[cid] =
- [$last_region = region, $num_regions = 1,
- $num_inconsistent = 0];
- return;
- }
-
- local info = flow_region_info[cid];
- local next_region = (info$last_region + 1) % number_of_regions;
-
- if ( region == next_region )
- { # flow seen in the next region
- info$last_region = region;
- ++info$num_regions;
- }
-
- else if ( region == info$last_region )
- { # flow seen in the same region, ignore
- }
- else
- {
- # Flow seen in another region (not the next one).
- info$last_region = region;
- info$num_regions = 1; # restart accounting
- ++info$num_inconsistent;
- }
- }
-
-
-# Glue the filter into the secondary filter hookup.
-global packet_event_filter = get_event_filter(number_of_regions, region_size);
-redef secondary_filters += { [packet_event_filter] = packet_event };
diff --git a/policy.old/listen-clear.bro b/policy.old/listen-clear.bro
deleted file mode 100644
index 7c55c8ff1c..0000000000
--- a/policy.old/listen-clear.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-clear.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Listen for other Bros (non-SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_clear = Remote::default_port_clear &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_clear = 0.0.0.0 &redef;
-
-event bro_init()
- {
- listen(listen_if_clear, listen_port_clear, F);
- }
diff --git a/policy.old/listen-ssl.bro b/policy.old/listen-ssl.bro
deleted file mode 100644
index fdf22a8e30..0000000000
--- a/policy.old/listen-ssl.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: listen-ssl.bro 1015 2005-01-31 13:46:50Z kreibich $
-#
-# Listen for other Bros (SSL).
-
-@load remote
-
-# On which port to listen.
-const listen_port_ssl = Remote::default_port_ssl &redef;
-
-# On which IP to bind (0.0.0.0 for any interface)
-const listen_if_ssl = 0.0.0.0 &redef;
-
-event bro_init()
- {
- listen(listen_if_ssl, listen_port_ssl, T);
- }
diff --git a/policy.old/load-level.bro b/policy.old/load-level.bro
deleted file mode 100644
index b8f9730bde..0000000000
--- a/policy.old/load-level.bro
+++ /dev/null
@@ -1,194 +0,0 @@
-# $Id: load-level.bro 1904 2005-12-14 03:27:15Z vern $
-#
-# Support for shedding/reinstating load.
-
-@load notice
-
-# If no load_level is given, a filter is always activated.
-#
-# If a level is given for a filter (using the same ID than in
-# {capture,restrict}_filter), then:
-#
-# - a capture_filter is activated if current load_level is <=
-# - a restrict_filter is activated if current load_level is >=
-
-global capture_load_levels: table[string] of PcapFilterID &redef;
-global restrict_load_levels: table[string] of PcapFilterID &redef;
-
-redef enum PcapFilterID += {
- LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
- LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10,
-};
-
-const Levels = {
- LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
- LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10
-};
-
-# The load-level cannot not leave this interval.
-const MinLoad = LoadLevel1;
-const MaxLoad = LoadLevel10;
-
-# The initial load-level.
-global default_load_level = LoadLevel10 &redef;
-
-# Set to 0 to turn off any changes of the filter.
-global can_adjust_filter = T &redef;
-
-global current_load_level = DefaultPcapFilter;
-
-global ll_file = open_log_file("load-level");
-
-# Interface functions for switching load levels.
-
-function set_load_level(level: PcapFilterID): bool
- {
- if ( level == current_load_level )
- return T;
-
- if ( ! can_adjust_filter )
- {
- print ll_file, fmt("%.6f can't set %s (load-levels are turned off)", network_time(), level);
- return F;
- }
-
- if ( ! install_pcap_filter(level) )
- {
- print ll_file, fmt("%.6f can't set %s (install failed)", network_time(), level);
-
- # Don't try again.
- can_adjust_filter = F;
- return F;
- }
-
- current_load_level = level;
-
- print ll_file, fmt("%.6f switched to %s", network_time(), level);
-
- return T;
- }
-
-# Too bad that we can't use enums like integers...
-const IncreaseLoadLevelTab = {
- [LoadLevel1] = LoadLevel2,
- [LoadLevel2] = LoadLevel3,
- [LoadLevel3] = LoadLevel4,
- [LoadLevel4] = LoadLevel5,
- [LoadLevel5] = LoadLevel6,
- [LoadLevel6] = LoadLevel7,
- [LoadLevel7] = LoadLevel8,
- [LoadLevel8] = LoadLevel9,
- [LoadLevel9] = LoadLevel10,
- [LoadLevel10] = LoadLevel10,
-};
-
-const DecreaseLoadLevelTab = {
- [LoadLevel1] = LoadLevel1,
- [LoadLevel2] = LoadLevel1,
- [LoadLevel3] = LoadLevel2,
- [LoadLevel4] = LoadLevel3,
- [LoadLevel5] = LoadLevel4,
- [LoadLevel6] = LoadLevel5,
- [LoadLevel7] = LoadLevel6,
- [LoadLevel8] = LoadLevel7,
- [LoadLevel9] = LoadLevel8,
- [LoadLevel10] = LoadLevel9,
-};
-
-const LoadLevelToInt = {
- [DefaultPcapFilter] = 0,
- [LoadLevel1] = 1,
- [LoadLevel2] = 2,
- [LoadLevel3] = 3,
- [LoadLevel4] = 4,
- [LoadLevel5] = 5,
- [LoadLevel6] = 6,
- [LoadLevel7] = 7,
- [LoadLevel8] = 8,
- [LoadLevel9] = 9,
- [LoadLevel10] = 10,
-};
-
-function increase_load_level()
- {
- set_load_level(IncreaseLoadLevelTab[current_load_level]);
- }
-
-function decrease_load_level()
- {
- set_load_level(DecreaseLoadLevelTab[current_load_level]);
- }
-
-
-# Internal functions.
-
-function load_level_error()
- {
- print ll_file, fmt("%.6f Error, switching back to DefaultPcapFilter",
- network_time());
-
- install_default_pcap_filter();
-
- # Don't try changing the load level any more.
- can_adjust_filter = F;
- }
-
-function build_load_level_filter(level: PcapFilterID): string
- {
- # Build up capture_filter.
- local cfilter = "";
-
- for ( id in capture_filters )
- {
- if ( id !in capture_load_levels ||
- LoadLevelToInt[level] <= LoadLevelToInt[capture_load_levels[id]] )
- cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
- }
-
- # Build up restrict_filter.
- local rfilter = "";
- for ( id in restrict_filters )
- {
- if ( id !in restrict_load_levels ||
- LoadLevelToInt[level] >= LoadLevelToInt[restrict_load_levels[id]] )
- rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
- }
-
- return join_filters(cfilter, rfilter);
- }
-
-function precompile_load_level_filters(): bool
- {
- print ll_file, fmt("%.6f <<< Begin of precompilation", network_time() );
-
- for ( i in Levels )
- {
- local filter = build_load_level_filter(i);
-
- if ( ! precompile_pcap_filter(i, filter) )
- {
- print ll_file, fmt("%.6f Level %d: %s",
- network_time(), LoadLevelToInt[i], pcap_error());
- load_level_error();
- return F;
- }
-
- print ll_file, fmt("%.6f Level %2d: %s", network_time(), LoadLevelToInt[i], filter);
- }
-
- print ll_file, fmt("%.6f >>> End of precompilation", network_time() );
-
- return T;
- }
-
-
-event bro_init()
- {
- set_buf(ll_file, F);
- precompile_load_level_filters();
- set_load_level(default_load_level);
-
- # Don't adjust the filter when reading a trace.
- if ( ! reading_live_traffic() )
- can_adjust_filter = F;
- }
diff --git a/policy.old/load-sample.bro b/policy.old/load-sample.bro
deleted file mode 100644
index 16b26580ab..0000000000
--- a/policy.old/load-sample.bro
+++ /dev/null
@@ -1,43 +0,0 @@
-# $Id: load-sample.bro 1758 2005-11-22 00:58:10Z vern $
-
-# A simple form of profiling based on sampling the work done per-packet.
-# load_sample() is generated every load_sample_freq packets (roughly;
-# it's randomized). For each sampled packet, "samples" contains a set
-# of the functions, event handlers, and their source files that were accessed
-# during the processing of that packet, along with an estimate of the
-# CPU cost of processing the packet and (currently broken) memory allocated/
-# freed.
-
-global sampled_count: table[string] of count &default = 0;
-global sampled_CPU: table[string] of interval &default = 0 sec;
-global sampled_mem: table[string] of int &default = +0;
-
-global num_samples = 0;
-global total_sampled_CPU = 0 sec;
-global total_sampled_mem = +0;
-
-event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
- {
- ++num_samples;
- total_sampled_CPU += CPU;
- total_sampled_mem += dmem;
-
- if ( |samples| == 0 )
- add samples[""];
-
- for ( i in samples )
- {
- ++sampled_count[i];
- sampled_CPU[i] += CPU;
- sampled_mem[i] += dmem;
- }
- }
-
-event bro_done()
- {
- for ( i in sampled_CPU )
- print fmt("%s: %d%% pkts, %.1f%% CPU",
- i, sampled_count[i] * 100 / num_samples,
- sampled_CPU[i] * 100 / total_sampled_CPU);
- # sampled_mem[i] / total_sampled_mem;
- }
diff --git a/policy.old/log-append.bro b/policy.old/log-append.bro
deleted file mode 100644
index 440b78a894..0000000000
--- a/policy.old/log-append.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: log-append.bro 2797 2006-04-23 05:56:24Z vern $
-
-# By default, logs are overwritten when opened, deleting the contents
-# of any existing log of the same name. Loading this module changes the
-# behavior to appending.
-
-function open_log_file(tag: string): file
- {
- return open_for_append(log_file_name(tag));
- }
diff --git a/policy.old/login.bro b/policy.old/login.bro
deleted file mode 100644
index 9d45249bb1..0000000000
--- a/policy.old/login.bro
+++ /dev/null
@@ -1,677 +0,0 @@
-# $Id: login.bro 6481 2008-12-15 00:47:57Z vern $
-
-@load notice
-@load weird
-@load hot-ids
-@load conn
-# scan.bro is needed for "account_tried" event.
-@load scan
-@load demux
-@load terminate-connection
-
-module Login;
-
-global telnet_ports = { 23/tcp } &redef;
-redef dpd_config += { [ANALYZER_TELNET] = [$ports = telnet_ports] };
-
-global rlogin_ports = { 513/tcp } &redef;
-redef dpd_config += { [ANALYZER_RLOGIN] = [$ports = rlogin_ports] };
-
-export {
- redef enum Notice += {
- SensitiveLogin, # interactive login using sensitive username
-
- # Interactive login seen using forbidden username, but the analyzer
- # was confused in following the login dialog, so may be in error.
- LoginForbiddenButConfused,
-
- # During a login dialog, a sensitive username (e.g., "rewt") was
- # seen in the user's *password*. This is reported as a notice
- # because it could be that the login analyzer didn't track the
- # authentication dialog correctly, and in fact what it thinks is
- # the user's password is instead the user's username.
- SensitiveUsernameInPassword,
- };
-
- # If these patterns appear anywhere in the user's keystrokes, do a notice.
- const input_trouble =
- /rewt/
- | /eggdrop/
- | /\/bin\/eject/
- | /oir##t/
- | /ereeto/
- | /(shell|xploit)_?code/
- | /execshell/
- | /ff\.core/
- | /unset[ \t]+(histfile|history|HISTFILE|HISTORY)/
- | /neet\.tar/
- | /r0kk0/
- | /su[ \t]+(daemon|news|adm)/
- | /\.\/clean/
- | /rm[ \t]+-rf[ \t]+secure/
- | /cd[ \t]+\/dev\/[a-zA-Z]{3}/
- | /solsparc_lpset/
- | /\.\/[a-z]+[ \t]+passwd/
- | /\.\/bnc/
- | /bnc\.conf/
- | /\"\/bin\/ksh\"/
- | /LAST STAGE OF DELIRIUM/
- | /SNMPXDMID_PROG/
- | /snmpXdmid for solaris/
- | /\"\/bin\/uname/
- | /gcc[ \t]+1\.c/
- | />\/etc\/passwd/
- | /lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc)/
- | /gcc.*\/bin\/login/
- | /#define NOP.*0x/
- | /printf\(\"overflowing/
- | /exec[a-z]*\(\"\/usr\/openwin/
- | /perl[ \t]+.*x.*[0-9][0-9][0-9][0-9]/
- | /ping.*-s.*%d/
- &redef;
-
- # If this pattern appears anywhere in the user's input after applying
- # / editing, do a notice ...
- const edited_input_trouble =
- /[ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t]))/
- &redef;
-
- # ... *unless* the corresponding output matches this:
- const output_indicates_input_not_trouble = /No such file or directory/ &redef;
-
- # NOTICE on these, but only after waiting for the corresponding output,
- # so it can be displayed at the same time.
- const input_wait_for_output = edited_input_trouble &redef;
-
- # If the user's entire input matches this pattern, do a notice. Putting
- # "loadmodule" here rather than in input_trouble is just to illustrate
- # the idea, it could go in either.
- const full_input_trouble = /.*loadmodule.*/ &redef;
-
- # If the following appears anywhere in the user's output, do a notice.
- const output_trouble =
- /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
- | /Jumping to address/
- | /Jumping Address/
- | /smashdu\.c/
- | /PATH_UTMP/
- | /Log started at =/
- | /www\.anticode\.com/
- | /www\.uberhax0r\.net/
- | /smurf\.c by TFreak/
- | /Super Linux Xploit/
- | /^# \[root@/
- | /^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh)/
- | /invisibleX/
- | /PATH_(UTMP|WTMP|LASTLOG)/
- | /[0-9]{5,} bytes from/
- | /(PATH|STAT):\ .*=>/
- | /----- \[(FIN|RST|DATA LIMIT|Timed Out)\]/
- | /IDLE TIMEOUT/
- | /DATA LIMIT/
- | /-- TCP\/IP LOG --/
- | /STAT: (FIN|TIMED_OUT) /
- | /(shell|xploit)_code/
- | /execshell/
- | /x86_bsd_compaexec/
- | /\\xbf\\xee\\xee\\xee\\x08\\xb8/ # from x.c worm
- | /Coded by James Seter/
- | /Irc Proxy v/
- | /Daemon port\.\.\.\./
- | /BOT_VERSION/
- | /NICKCRYPT/
- | /\/etc\/\.core/
- | /exec.*\/bin\/newgrp/
- | /deadcafe/
- | /[ \/]snap\.sh/
- | /Secure atime,ctime,mtime/
- | /Can\'t fix checksum/
- | /Promisc Dectection/
- | /ADMsn0ofID/
- | /(cd \/; uname -a; pwd; id)/
- | /drw0rm/
- | /[Rr][Ee3][Ww][Tt][Ee3][Dd]/
- | /rpc\.sadmin/
- | /AbraxaS/
- | /\[target\]/
- | /ID_SENDSYN/
- | /ID_DISTROIT/
- | /by Mixter/
- | /rap(e?)ing.*using weapons/
- | /spsiod/
- | /[aA][dD][oO][rR][eE][bB][sS][dD]/ # rootkit
- &redef;
-
- # Same, but must match entire output.
- const full_output_trouble = /.*Trojaning in progress.*/ &redef;
-
- const backdoor_prompts =
- /^[!-~]*( ?)[#%$] /
- | /.*no job control/
- | /WinGate>/
- &redef;
-
- const non_backdoor_prompts = /^ *#.*#/ &redef;
- const hot_terminal_types = /VT666|007/ &redef;
- const hot_telnet_orig_ports = { 53982/tcp, } &redef;
- const router_prompts: set[string] &redef;
- const non_ASCII_hosts: set[addr] &redef;
- const skip_logins_to = { non_ASCII_hosts, } &redef;
- const always_hot_login_ids = { always_hot_ids } &redef;
- const hot_login_ids = { hot_ids } &redef;
- const rlogin_id_okay_if_no_password_exposed = { "root", } &redef;
-
- const BS = "\x08";
- const DEL = "\x7f";
-
- global new_login_session:
- function(c: connection, pid: peer_id, output_line: count);
- global remove_login_session: function(c: connection, pid: peer_id);
- global ext_set_login_state:
- function(cid: conn_id, pid: peer_id, state: count);
- global ext_get_login_state:
- function(cid: conn_id, pid: peer_id): count;
-}
-
-redef capture_filters += { ["login"] = "port telnet or tcp port 513" };
-
-redef skip_authentication = {
- "WELCOME TO THE BERKELEY PUBLIC LIBRARY",
-};
-
-redef direct_login_prompts = { "TERMINAL?", };
-
-redef login_prompts = {
- "Login:", "login:", "Name:", "Username:", "User:", "Member Name",
- "User Access Verification", "Cisco Systems Console",
- direct_login_prompts
-};
-
-redef login_non_failure_msgs = {
- "Failures", "failures", # probably is " failures since last login"
- "failure since last successful login",
- "failures since last successful login",
-};
-
-redef login_non_failure_msgs = {
- "Failures", "failures", # probably is " failures since last login"
- "failure since last successful login",
- "failures since last successful login",
-} &redef;
-
-redef login_failure_msgs = {
- "invalid", "Invalid", "incorrect", "Incorrect", "failure", "Failure",
- # "Unable to authenticate", "unable to authenticate",
- "User authorization failure",
- "Login failed",
- "INVALID",
"Sorry.", "Sorry,",
-};
-
-redef login_success_msgs = {
- "Last login",
- "Last successful login", "Last successful login",
- "checking for disk quotas", "unsuccessful login attempts",
- "failure since last successful login",
- "failures since last successful login",
- router_prompts,
-};
-
-redef login_timeouts = {
- "timeout", "timed out", "Timeout", "Timed out",
- "Error reading command input", # VMS
-};
-
-
-type check_info: record {
- expanded_line: string; # line with all possible editing seqs
- hot: bool; # whether any editing sequence was a hot user id
- hot_id: string; # the ID considered hot
- forbidden: bool; # same, but forbidden user id
-};
-
-type login_session_info: record {
- user: string;
- output_line: count; # number of lines seen
-
- # input string for which we want to match the output.
- waiting_for_output: string;
- waiting_for_output_line: count; # output line we want to match it to
- state: count; # valid for external connections only
-};
-
-global login_sessions: table[peer_id, conn_id] of login_session_info;
-
-
-# The next two functions are "external-to-the-event-engine",
-# hence the ext_ prefix. They're used by the script to manage
-# login state so that they can work with login sessions unknown
-# to the event engine (such as those received from remote peers).
-
-function ext_get_login_state(cid: conn_id, pid: peer_id): count
- {
- if ( pid == PEER_ID_NONE )
- return get_login_state(cid);
-
- return login_sessions[pid, cid]$state;
- }
-
-function ext_set_login_state(cid: conn_id, pid: peer_id, state: count)
- {
- if ( pid == PEER_ID_NONE )
- set_login_state(cid, state);
- else
- login_sessions[pid, cid]$state = state;
- }
-
-function new_login_session(c: connection, pid: peer_id, output_line: count)
- {
- local s: login_session_info;
- s$waiting_for_output = s$user = "";
- s$output_line = output_line;
- s$state = LOGIN_STATE_AUTHENTICATE;
-
- login_sessions[pid, c$id] = s;
- }
-
-function remove_login_session(c: connection, pid: peer_id)
- {
- delete login_sessions[pid, c$id];
- }
-
-function is_login_conn(c: connection): bool
- {
- return c$id$resp_p == telnet || c$id$resp_p == rlogin;
- }
-
-function hot_login(c: connection, pid: peer_id, msg: string, tag: string)
- {
- if ( [pid, c$id] in login_sessions )
- NOTICE([$note=SensitiveLogin, $conn=c,
- $user=login_sessions[pid, c$id]$user, $msg=msg]);
- else
- NOTICE([$note=SensitiveLogin, $conn=c, $msg=msg]);
-
- ++c$hot;
- demux_conn(c$id, tag, "keys", service_name(c));
- }
-
-function is_hot_id(id: string, successful: bool, confused: bool): bool
- {
- return successful ? id in hot_login_ids :
- (confused ? id in forbidden_ids :
- id in always_hot_login_ids);
- }
-
-function is_forbidden_id(id: string): bool
- {
- return id in forbidden_ids || id == forbidden_id_patterns;
- }
-
-function edit_and_check_line(c: connection, pid: peer_id, line: string,
- successful: bool): check_info
- {
- line = to_lower(line);
-
- local ctrl_H_edit = edit(line, BS);
- local del_edit = edit(line, DEL);
-
- local confused =
- (ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED);
- local hot = is_hot_id(line, successful, confused);
- local hot_id = hot ?
line : "";
- local forbidden = is_forbidden_id(line);
-
- local eline = line;
-
- if ( ctrl_H_edit != line )
- {
- eline = fmt("%s,%s", eline, ctrl_H_edit);
- if ( ! hot && is_hot_id(ctrl_H_edit, successful, confused) )
- {
- hot = T;
- hot_id = ctrl_H_edit;
- }
-
- forbidden = forbidden || is_forbidden_id(ctrl_H_edit);
- }
-
- if ( del_edit != line )
- {
- eline = fmt("%s,%s", eline, del_edit);
- if ( ! hot && is_hot_id(del_edit, successful, confused) )
- {
- hot = T;
- hot_id = del_edit;
- }
-
- forbidden = forbidden || is_forbidden_id(del_edit);
- }
-
- local results: check_info;
- results$expanded_line = eline;
- results$hot = hot;
- results$hot_id = hot_id;
- results$forbidden = forbidden;
-
- return results;
- }
-
-function edit_and_check_user(c: connection, pid: peer_id, user: string,
- successful: bool, fmt_s: string): bool
- {
- local check = edit_and_check_line(c, pid, user, successful);
-
- if ( [pid, c$id] !in login_sessions )
- new_login_session(c, pid, 9999);
-
- login_sessions[pid, c$id]$user = check$expanded_line;
-
- c$addl = fmt(fmt_s, c$addl, check$expanded_line);
-
- if ( check$hot )
- {
- ++c$hot;
- demux_conn(c$id, check$hot_id, "keys", service_name(c));
- }
-
- if ( check$forbidden )
- {
- if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED )
- NOTICE([$note=LoginForbiddenButConfused, $conn=c,
- $user = user,
- $msg=fmt("not terminating %s because confused about state", full_id_string(c))]);
- else
- TerminateConnection::terminate_connection(c);
- }
-
- return c$hot > 0;
- }
-
-function edit_and_check_password(c: connection, pid: peer_id, password: string)
- {
- local check = edit_and_check_line(c, pid, password, T);
- if ( check$hot )
- {
- ++c$hot;
- NOTICE([$note=SensitiveUsernameInPassword, $conn=c,
- $user=password,
- $msg=fmt("%s password: \"%s\"",
- id_string(c$id), check$expanded_line)]);
- }
- }
-
-event login_failure(c: connection, user: string, client_user: string,
- password: string, line: string)
- {
- local pid =
get_event_peer()$id;
-
- event account_tried(c, user, password);
- edit_and_check_password(c, pid, password);
-
- if ( c$hot == 0 && password == "" &&
- ! edit_and_check_line(c, pid, user, F)$hot )
- # Don't both reporting it, this was clearly a half-hearted
- # attempt and it's not a sensitive username.
- return;
-
- local user_hot = edit_and_check_user(c, pid, user, F, "%sfail/%s ");
- if ( client_user != "" && client_user != user &&
- edit_and_check_user(c, pid, client_user, F, "%s(%s) ") )
- user_hot = T;
-
- if ( user_hot || c$hot > 0 )
- NOTICE([$note=SensitiveLogin, $conn=c,
- $user=user, $sub=client_user,
- $msg=fmt("%s %s", id_string(c$id), c$addl)]);
- }
-
-event login_success(c: connection, user: string, client_user: string,
- password: string, line: string)
- {
- local pid = get_event_peer()$id;
-
- Hot::check_hot(c, Hot::APPL_ESTABLISHED);
- event account_tried(c, user, password);
- edit_and_check_password(c, pid, password);
-
- # Look for whether the user name is sensitive; but allow for
- # some ids being okay if no password was exposed accessing them.
- local user_hot = F;
- if ( c$id$resp_p == rlogin && password == "" &&
- user in rlogin_id_okay_if_no_password_exposed )
- append_addl(c, fmt("\"%s\"", user));
-
- else
- user_hot = edit_and_check_user(c, pid, user, T, "%s\"%s\" ");
-
- if ( c$id$resp_p == rlogin && client_user in always_hot_login_ids )
- {
- append_addl(c, fmt("(%s)", client_user));
- demux_conn(c$id, client_user, "keys", service_name(c));
- user_hot = T;
- }
-
- if ( user_hot || c$hot > 0 )
- NOTICE([$note=SensitiveLogin, $conn=c,
- $user=user, $sub=client_user,
- $msg=fmt("%s %s", id_string(c$id), c$addl)]);
-
- # else if ( password == "" )
- # alarm fmt("%s %s ", id_string(c$id), c$addl);
-
-### use the following if no login_input_line/login_output_line
-# else
-# {
-# set_record_packets(c$id, F);
-# skip_further_processing(c$id);
-# }
- }
-
-event login_input_line(c: connection, line: string)
- {
- local pid = get_event_peer()$id;
- local BS_line = edit(line, BS);
- local DEL_line = edit(line, DEL);
- if ( input_trouble in line ||
- ### need to merge input_trouble and edited_input_trouble here
- ### ideally, match on input_trouble would tell whether we need
- ### to invoke the edit functions, as an attribute of a .*(^H|DEL)
- ### rule.
- input_trouble in BS_line || input_trouble in DEL_line ||
- (edited_input_trouble in BS_line &&
- # If one is in but the other not, then the one that's not
- # is presumably the correct edit, and the one that is, isn't
- # in fact edited at all
- edited_input_trouble in DEL_line) ||
- line == full_input_trouble )
- {
- if ( [pid, c$id] !in login_sessions )
- new_login_session(c, pid, 9999);
-
- if ( edited_input_trouble in BS_line &&
- edited_input_trouble in DEL_line )
- {
- login_sessions[pid, c$id]$waiting_for_output = line;
- login_sessions[pid, c$id]$waiting_for_output_line =
- # We don't want the *next* line, that's just
- # the echo of this input.
- login_sessions[pid, c$id]$output_line + 2;
- }
-
- else if ( ++c$hot <= 2 )
- hot_login(c, pid, fmt("%s input \"%s\"", id_string(c$id), line), "trb");
- }
- }
-
-event login_output_line(c: connection, line: string)
- {
- local pid = get_event_peer()$id;
- if ( [pid, c$id] !in login_sessions )
- new_login_session(c, pid, 9999);
-
- local s = login_sessions[pid, c$id];
-
- if ( line != "" && ++s$output_line == 1 )
- {
- if ( byte_len(line) < 40 &&
- backdoor_prompts in line && non_backdoor_prompts !in line )
- hot_login(c, pid, fmt("%s possible backdoor \"%s\"", id_string(c$id), line), "trb");
- }
-
- if ( s$waiting_for_output != "" &&
- s$output_line >= s$waiting_for_output_line )
- {
- if ( output_indicates_input_not_trouble !in line )
- hot_login(c, pid,
- fmt("%s input \"%s\" yielded output \"%s\"",
- id_string(c$id),
- s$waiting_for_output,
- line),
- "trb");
-
- s$waiting_for_output = "";
- }
-
- if ( byte_len(line) < 256 &&
- (output_trouble in line || line == full_output_trouble) &&
- ++c$hot <= 2 )
- hot_login(c, pid, fmt("%s output \"%s\"", id_string(c$id), line), "trb");
- }
-
-event login_confused(c: connection, msg: string, line: string)
- {
- Hot::check_hot(c, Hot::APPL_ESTABLISHED);
-
- append_addl(c, "");
-
- event conn_weird_addl(msg, c, line);
-
- set_record_packets(c$id, T);
- }
-
-event login_confused_text(c: connection, line: string)
- {
- local pid = get_event_peer()$id;
- if ( c$hot == 0 && edit_and_check_line(c, pid, line, F)$hot )
- {
- local ignore =
- edit_and_check_user(c, pid, line, F, "%sconfused/%s ");
- NOTICE([$note=SensitiveLogin, $conn=c,
- $user=line,
- $msg=fmt("%s %s", id_string(c$id), c$addl)]);
- set_record_packets(c$id, T);
- }
- }
-
-event login_terminal(c: connection, terminal: string)
- {
- local pid = get_event_peer()$id;
- if ( hot_terminal_types in terminal )
- hot_login(c, pid,
- fmt("%s term %s", id_string(c$id), terminal), "trb");
- }
-
-event login_prompt(c: connection, prompt: string)
- {
- # Could check length >=
6, per Solaris exploit ...
- local pid = get_event_peer()$id;
- hot_login(c, pid,
- fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb");
- }
-
-event excessive_line(c: connection)
- {
- if ( is_login_conn(c) )
- {
- local pid = get_event_peer()$id;
-
- if ( ! c$hot && c$id$resp_h in non_ASCII_hosts )
- {
- ext_set_login_state(c$id, pid, LOGIN_STATE_SKIP);
- set_record_packets(c$id, F);
- }
- else if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_AUTHENTICATE )
- {
- event login_confused(c, "excessive_line", "");
- ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
- }
- }
- }
-
-event inconsistent_option(c: connection)
- {
- print Weird::weird_file, fmt("%.6f %s inconsistent option", network_time(), id_string(c$id));
- }
-
-event bad_option(c: connection)
- {
- print Weird::weird_file, fmt("%.6f %s bad option", network_time(), id_string(c$id));
- }
-
-event bad_option_termination(c: connection)
- {
- print Weird::weird_file, fmt("%.6f %s bad option termination", network_time(), id_string(c$id));
- }
-
-event authentication_accepted(name: string, c: connection)
- {
- local addl_msg = fmt("auth/%s", name);
- append_addl(c, addl_msg);
- }
-
-event authentication_rejected(name: string, c: connection)
- {
- append_addl(c, fmt("auth-failed/%s", name));
- }
-
-event authentication_skipped(c: connection)
- {
- append_addl(c, "(skipped)");
- skip_further_processing(c$id);
-
- if ( !
c$hot )
- set_record_packets(c$id, F);
- }
-
-event connection_established(c: connection)
- {
- if ( is_login_conn(c) )
- {
- local pid = get_event_peer()$id;
-
- new_login_session(c, pid, 0);
-
- if ( c$id$resp_h in skip_logins_to )
- event authentication_skipped(c);
-
- if ( c$id$resp_p == telnet &&
- c$id$orig_p in hot_telnet_orig_ports )
- hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
- }
- }
-
-event partial_connection(c: connection)
- {
- if ( is_login_conn(c) )
- {
- local pid = get_event_peer()$id;
- new_login_session(c, pid, 9999);
- ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
-
- if ( c$id$resp_p == telnet &&
- c$id$orig_p in hot_telnet_orig_ports )
- hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
- }
- }
-
-event connection_finished(c: connection)
- {
- local pid = get_event_peer()$id;
- remove_login_session(c, pid);
- }
-
-event activating_encryption(c: connection)
- {
- if ( is_login_conn(c) )
- append_addl(c, "(encrypted)");
- }
diff --git a/policy.old/mime-pop.bro b/policy.old/mime-pop.bro
deleted file mode 100644
index eed2565036..0000000000
--- a/policy.old/mime-pop.bro
+++ /dev/null
@@ -1,180 +0,0 @@
-# $Id: mime-pop.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# A stripped-down version of mime.bro adapted to work on POP3 events.
-#
-# FIXME: What's the best way to merge mime.bro and mime-pop3.bro?
-
-@load pop3
-
-module MIME_POP3;
-
-const mime_log = open_log_file("mime-pop") &redef;
-
-type mime_session_info: record {
- id: count;
- connection_id: conn_id;
- level: count;
- data_offset: count;
-};
-
-global mime_session_id = 0;
-global mime_sessions: table[conn_id] of mime_session_info;
-
-function mime_session_string(session: mime_session_info): string
- {
- return fmt("#%s %s +%d", prefixed_id(session$id),
- id_string(session$connection_id), session$level);
- }
-
-function mime_log_warning(what: string)
- {
- print mime_log, fmt("%.6f warning: %s", network_time(), what);
- }
-
-function mime_log_msg(session: mime_session_info, where: string, what: string)
- {
- print mime_log, fmt("%.6f %s: [%s] %s",
- network_time(),
- mime_session_string(session),
- where,
- what);
- }
-
-function new_mime_session(c: connection)
- {
- local id = c$id;
- local session_id = ++mime_session_id;
- local info: mime_session_info;
-
- info$id = session_id;
- info$connection_id = id;
- info$level = 0;
- info$data_offset = 0;
-
- mime_sessions[id] = info;
- mime_log_msg(info, "start", "");
- }
-
-function get_mime_session(c: connection, new_session_ok: bool): mime_session_info
- {
- local id = c$id;
-
- if ( id !in mime_sessions )
- {
- if ( !
new_session_ok )
- mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
-
- new_mime_session(c);
- }
-
- return mime_sessions[id];
- }
-
-function end_mime_session(session: mime_session_info)
- {
- mime_log_msg(session, "finish", "");
- delete mime_sessions[session$connection_id];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local id = c$id;
-
- if ( id in mime_sessions )
- {
- mime_log_msg(mime_sessions[id], "state remove", "");
- delete mime_sessions[id];
- }
- }
-
-function do_mime_begin_entity(c: connection)
- {
- local session = get_mime_session(c, T);
-
- ++session$level;
- session$data_offset = 0;
- mime_log_msg(session, "begin entity", "");
- }
-
-event mime_begin_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_begin_entity(c);
- }
-
-function do_mime_end_entity(c: connection)
- {
- local session = get_mime_session(c, T);
-
- mime_log_msg(session, "end entity", "");
-
- if ( session$level > 0 )
- {
- --session$level;
- if ( session$level == 0 )
- end_mime_session(session);
- }
- else
- mime_log_warning(fmt("unmatched end_entity for MIME session %s",
- mime_session_string(session)));
- }
-
-event mime_end_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_end_entity(c);
- }
-
-event mime_next_entity(c: connection)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- do_mime_end_entity(c);
- do_mime_begin_entity(c);
- }
-
-event mime_all_headers(c: connection, hlist: mime_header_list)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
- local i = 0;
-
- for ( i in hlist )
- {
- local h = hlist[i];
- mime_log_msg(session, "header",
- fmt("%s: \"%s\"", h$name, h$value));
- }
- }
-
-event mime_segment_data(c: connection, length: count, data: string)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
-
- if ( session$data_offset < 256 )
-
mime_log_msg(session, "data", fmt("%d: %s", length, data));
-
- session$data_offset = session$data_offset + length;
- }
-
-event mime_event(c: connection, event_type: string, detail: string)
- {
- if ( c$id$resp_p != 110/tcp )
- return;
-
- local session = get_mime_session(c, T);
- mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
- }
diff --git a/policy.old/mt.bro b/policy.old/mt.bro
deleted file mode 100644
index 1a39bc1025..0000000000
--- a/policy.old/mt.bro
+++ /dev/null
@@ -1,15 +0,0 @@
-# $Id: mt.bro 340 2004-09-09 06:38:27Z vern $
-
-@load dns-lookup
-@load hot
-@load frag
-@load tcp
-@load scan
-@load weird
-@load finger
-@load ident
-@load ftp
-@load login
-@load portmapper
-@load ntp
-@load tftp
diff --git a/policy.old/ncp.bro b/policy.old/ncp.bro
deleted file mode 100644
index 53a798eec3..0000000000
--- a/policy.old/ncp.bro
+++ /dev/null
@@ -1,101 +0,0 @@
-# $Id:$
-
-@load conn-id
-
-module NCP;
-
-global ncp_log = open_log_file("ncp") &redef;
-
-redef capture_filters += {["ncp"] = "tcp port 524"};
-
-export {
-
-const ncp_frame_type_name = {
- [ 0x1111 ] = "NCP_ALLOC_SLOT",
- [ 0x2222 ] = "NCP_REQUEST",
- [ 0x3333 ] = "NCP_REPLY",
- [ 0x5555 ] = "NCP_DEALLOC_SLOT",
- [ 0x7777 ] = "NCP_BURST",
- [ 0x9999 ] = "NCP_ACK",
-} &default = function(code: count): string
- {
- return fmt("NCP_UNKNOWN_FRAME_TYPE(%x)", code);
- };
-
-const ncp_function_name = {
- [ 0x01 ] = "NCP_FILE_SET_LOCK",
- [ 0x02 ] = "NCP_FILE_RELEASE_LOCK",
- [ 0x03 ] = "NCP_LOG_FILE",
- [ 0x04 ] = "NCP_LOCK_FILE_SET",
- [ 0x05 ] = "NCP_RELEASE_FILE",
- [ 0x06 ] = "NCP_RELEASE_FILE_SET",
- [ 0x07 ] = "NCP_CLEAR_FILE",
- [ 0x08 ] = "NCP_CLEAR_FILE_SET",
- [ 0x09 ] = "NCP_LOG_LOGICAL_RECORD",
- [ 0x0a ] = "NCP_LOCK_LOGICAL_RECORD_SET",
- [ 0x0b ] = "NCP_CLEAR_LOGICAL_RECORD",
- [ 0x0c ] = "NCP_RELEASE_LOGICAL_RECORD",
- [ 0x0d ] = "NCP_RELEASE_LOGICAL_RECORD_SET",
- [ 0x0e ] = "NCP_CLEAR_LOGICAL_RECORD_SET",
- [ 0x0f ] = "NCP_ALLOC_RESOURCE",
- [ 0x10 ] = "NCP_DEALLOC_RESOURCE",
- [ 0x11 ] = "NCP_PRINT",
- [ 0x15 ] = "NCP_MESSAGE",
- [ 0x16 ] = "NCP_DIRECTORY",
- [ 0x17 ] = "NCP_BINDARY_AND_MISC",
- [ 0x18 ] = "NCP_END_OF_JOB",
- [ 0x19 ] = "NCP_LOGOUT",
- [ 0x1a ] = "NCP_LOG_PHYSICAL_RECORD",
- [ 0x1b ] = "NCP_LOCK_PHYSICAL_RECORD_SET",
- [ 0x1c ] = "NCP_RELEASE_PHYSICAL_RECORD",
- [ 0x1d ] = "NCP_RELEASE_PHYSICAL_RECORD_SET",
- [ 0x1e ] = "NCP_CLEAR_PHYSICAL_RECORD",
- [ 0x1f ] = "NCP_CLEAR_PHYSICAL_RECORD_SET",
- [ 0x20 ] = "NCP_SEMAPHORE",
- [ 0x22 ] = "NCP_TRANSACTION_TRACKING",
- [ 0x23 ] = "NCP_AFP",
- [ 0x42 ] = "NCP_CLOSE_FILE",
- [ 0x47 ] = "NCP_GET_FILE_SIZE",
- [ 0x48 ] = "NCP_READ_FILE",
- [ 0x49 ] = "NCP_WRITE_FILE",
- [ 0x56 ] = "NCP_EXT_ATTR",
- [ 0x57 ] = "NCP_FILE_DIR",
- [ 0x58 ] = "NCP_AUDITING",
- [ 0x5a ] = "NCP_MIGRATION",
- [ 0x60 ] = "NCP_PNW",
- [ 0x61 ] = "NCP_GET_MAX_PACKET_SIZE",
- [ 0x68 ] = "NCP_NDS",
- [ 0x6f ] = "NCP_SEMAPHORE_NEW",
- [ 0x7b ] = "NCP_7B",
-
- [ 0x5701 ] = "NCP_CREATE_FILE_DIR",
- [ 0x5702 ] = "NCP_INIT_SEARCH",
- [ 0x5703 ] = "NCP_SEARCH_FILE_DIR",
- [ 0x5704 ] = "NCP_RENAME_FILE_DIR",
- [ 0x5706 ] = "NCP_OBTAIN_FILE_DIR_INFO",
- [ 0x5707 ] = "NCP_MODIFY_FILE_DIR_DOS_INFO",
- [ 0x5708 ] = "NCP_DELETE_FILE_DIR",
- [ 0x5709 ] = "NCP_SET_SHORT_DIR_HANDLE",
- [ 0x5714 ] = "NCP_SEARCH_FOR_FILE_DIR_SET",
- [ 0x5718 ] = "NCP_GET_NAME_SPACE_LOADED_LIST",
- [ 0x5742 ] = "NCP_GET_CURRENT_SIZE_OF_FILE",
-
-} &default = function(code: count): string
- {
- return fmt("NCP_UNKNOWN_FUNCTION(%x)", code);
- };
-
-} # export
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- print ncp_log, fmt("%.6f %s NCP request type=%s function=%s",
- network_time(), id_string(c$id),
- ncp_frame_type_name[frame_type],
- ncp_function_name[func]);
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count,
- req_frame: count, req_func: count, completion_code: count)
- {
- }
diff --git a/policy.old/netflow.bro b/policy.old/netflow.bro
deleted file mode 100644
index 4fb1ac0fd0..0000000000
--- a/policy.old/netflow.bro
+++ /dev/null
@@ -1,106 +0,0 @@
-# $Id:$
-#
-# Netflow data-dumper and proof-of-concept flow restitcher.
-# Written by Bernhard Ager (2007).
-
-module NetFlow;
-
-export {
- # Perform flow restitching?
- global netflow_restitch = T &redef;
-
- # How long to wait for additional flow records after a RST or FIN,
- # so we can compress multiple RST/FINs for the same flow rather than
- # treating them as separate flows. It's not clear what's the best
- # setting for this timer, but for now we use something larger
- # than the NetFlow inactivity timeout (5 minutes).
- global netflow_finished_conn_expire = 310 sec &redef;
-}
-
-global netflow_log = open_log_file("netflow") &redef;
-
-# Should be larger than activity timeout. Setting only affects table
-# declaration, therefore &redef useless.
-const netflow_table_expire = 31 min;
-
-type flow: record {
- cnt: count;
- pkts: count;
- octets: count;
- syn: bool;
- fin: bool;
- first: time;
- last: time;
-};
-
-function new_flow(r: nf_v5_record): flow
- {
- return [ $cnt = 1,
- $pkts = r$pkts,
- $octets = r$octets,
- $syn = r$tcpflag_syn,
- $fin = r$tcpflag_fin,
- $first = r$first,
- $last = r$last ];
- }
-
-function update_flow(f: flow, r: nf_v5_record)
- {
- f$pkts += r$pkts;
- f$octets += r$octets;
- ++f$cnt;
- f$syn = f$syn || r$tcpflag_syn;
- f$fin = f$fin || r$tcpflag_fin;
-
- if ( r$first < f$first )
- f$first = r$first;
- if ( r$last > f$last )
- f$last = r$last;
- }
-
-function print_flow(t: table[conn_id] of flow, idx: conn_id): interval
- {
- print netflow_log, fmt("%.6f flow %s: %s", network_time(), idx, t[idx]);
- return -1 sec;
- }
-
-event v5flow_finished(t: table[conn_id] of flow, idx: conn_id)
- {
- if ( idx in t )
- {
- print_flow(t, idx);
- delete t[idx];
- }
- }
-
-global flows: table[conn_id] of flow &write_expire = netflow_table_expire
- &expire_func = print_flow;
-
-event netflow_v5_header(h: nf_v5_header)
- {
- print netflow_log, fmt("%.6f header %s", network_time(), h);
- }
-
-event netflow_v5_record (r: nf_v5_record)
- {
- if ( netflow_restitch )
- {
- if ( r$id in flows )
- update_flow (flows[r$id], r);
- else
- flows[r$id] = new_flow (r);
-
- if ( r$tcpflag_fin || r$tcpflag_rst )
- schedule netflow_finished_conn_expire {
- v5flow_finished (flows, r$id)
- };
- }
-
- print netflow_log, fmt("%.6f record %s", network_time(), r);
- }
-
-event bro_done ()
- {
- for ( f_id in flows )
- print_flow(flows, f_id);
- }
diff --git a/policy.old/netstats.bro b/policy.old/netstats.bro
deleted file mode 100644
index 606513bcd9..0000000000
--- a/policy.old/netstats.bro
+++ /dev/null
@@ -1,32 +0,0 @@
-# $Id: netstats.bro 564 2004-10-23 02:27:57Z vern $
-
-@load notice
-
-redef enum Notice += {
- DroppedPackets, # Bro reported packets dropped by the packet filter
-};
-
-const stats_collection_interval = 10secs;
-
-event net_stats_update(last_stat: NetStats)
- {
- local ns = net_stats();
- local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
- if ( new_dropped > 0 )
- {
- local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
- local new_link = ns$pkts_link - last_stat$pkts_link;
- NOTICE([$note=DroppedPackets,
- $msg=fmt("%d packets dropped after filtering, %d received%s",
- new_dropped, new_recvd + new_dropped,
- new_link != 0 ?
- fmt(", %d on link", new_link) : "")]);
- }
-
- schedule stats_collection_interval { net_stats_update(ns) };
- }
-
-event bro_init()
- {
- schedule stats_collection_interval { net_stats_update(net_stats()) };
- }
\ No newline at end of file
diff --git a/policy.old/nfs.bro b/policy.old/nfs.bro
deleted file mode 100644
index 0d572b52c7..0000000000
--- a/policy.old/nfs.bro
+++ /dev/null
@@ -1,408 +0,0 @@
-
-@load udp
-
-
-module NFS3;
-
-export {
- global log_file = open_log_file("nfs") &redef;
- global names_log_file = open_log_file("nfs-files") &redef;
- global readdir_log = open_log_file("nfs-readdir") &redef;
-
- # We want to estimate how long it takes to lookup a chain of FH (directories)
- # until we reach a FH that is used in a read or write operation. Whenever we
- # get a new FH, we check how long ago we got the FH's parent. If this is less
- # than fh_chain_maxtime, we assume that they belong to a lookup chain and set
- # the dt value for the FH accordingly.
- global fh_chain_maxtime = 100 msec;
-}
-
-
-redef capture_filters += {
- ["nfs"] = "port 2049",
- # NFS UDP packets are often fragmented.
- ["nfs-frag"] = "(ip[6:2] & 0x3fff != 0) and udp",
-};
-
-global nfs_ports = { 2049/tcp, 2049/udp } &redef;
-redef dpd_config += { [ANALYZER_NFS] = [$ports = nfs_ports] };
-
-# Information about a filehandle
-type fh_info : record {
- id: count; # A unique ID (counter) for more readable representation of the FH
- pathname: string &default="@"; # the path leading to this FH
- basename: string &default=""; # the name of this FHs file or directory
- mimetype: string &default="";
- t0: time &default=double_to_time(0); # time when we first saw this FH
- dt: interval &default=0 sec; # time it took to get this FH (assuming a chain of
- # procedures that ultimately yield the FH for the file
- # a client is interested in
- chainlen: count &default=0;
- attr: fattr_t &optional;
-};
-
-# Maps opaque file handles to numbers for easier tracking.
-global num_fhs = 0;
-global fh_map: table[addr,string] of fh_info;
-
-# Maps connids to number for easier post processing
-global num_nfs_conns = 0;
-global nfs_conns: table[conn_id] of count;
-
-
-# Get the FH info. Create a new info if it doesn't exists
-function get_fh_info(c: connection, fh: string): fh_info
- {
- if ( [c$id$resp_h, fh] !in fh_map )
- {
- # Don't have a mapping for this FH yet. E.g., a root FH
- local newfhinfo: fh_info = [ $id=++num_fhs ];
- newfhinfo$pathname = fmt("@%d", newfhinfo$id);
- newfhinfo$t0 = network_time();
- fh_map[c$id$resp_h, fh] = newfhinfo;
- }
- return fh_map[c$id$resp_h, fh];
- }
-
-function log_filename(proc: string, info: fh_info)
- {
- print names_log_file, fmt("%.6f %s path FH%d %s/%s", network_time(), proc,
- info$id, info$pathname, info$basename);
- ##print fmt("%.6f FH%d <%s> <%s>", network_time(), info$id, info$pathname, info$basename);
- }
-
-function fmt_attr(a: fattr_t): string
- {
- local s = fmt("%s %s %d %d %d %d %d %d %d %d %d %.2f %.2f %.2f",
- a$ftype, mode2string(a$mode), a$nlink, a$uid, a$gid, a$size, a$used, a$rdev1, a$rdev2,
- a$fsid, a$fileid, a$atime, a$mtime, a$ctime);
- return s;
- }
-
-function log_attributes(c: connection, proc: string, fh: string, attr: fattr_t)
- {
- local info = get_fh_info(c,fh);
- local did_change = F;
- # check whether the attributes have changes
- if (info?$attr)
- {
- # We can't compare records for equality :-(. So we use a hack.
- # We add the two instance we want to compare to a set. If there
- # are two elements in the set, the records are not equal...
- local dummy: set[fattr_t];
- add dummy[info$attr];
- add dummy[attr];
- if (|dummy| > 1)
- did_change = T;
- }
- else
- did_change=T;
- if (did_change)
- {
- info$attr = attr;
- print names_log_file, fmt("%.6f %s attr FH%d %s", network_time(), proc,
- info$id, fmt_attr(attr));
- }
- }
-
-# Update (or add) a filehandle mapping.
-# parentfh ... parent (directory)
-# name ....... the name for this FH
-# fh ......... the new FH
-function add_update_fh(c: connection, proc: string, parentfh: string, name: string, fh: string)
- {
- local info = get_fh_info(c, fh);
-
- # TODO: we could/should check if we already have a pathname and/or basename
- # for this FH and if so whether it matches the parent we just got!
- if (name == ".")
- return;
- info$basename = name;
- if (parentfh != "")
- {
- local parentinfo = get_fh_info(c, parentfh);
- info$pathname = cat(parentinfo$pathname, "/", parentinfo$basename);
- if ( (network_time() - parentinfo$t0) < fh_chain_maxtime
- && info$dt < 0 sec )
- {
- # The FH is part of lookup chain and it doesn't yet have a dt value
- # TODO: this should probably be moved to get_fh_info(). But then get_fh_info()
- # would need information about a FH's parent....
- # TODO: We are using network_time(), but we really should use request
- # and reply time!!!
- info$dt = parentinfo$dt + (network_time() - parentinfo$t0);
- info$chainlen = parentinfo$chainlen + 1;
- }
- }
- log_filename(proc, info);
- }
-
-function set_fh_mimetype(c: connection, fh: string, proc:string, data: string)
- {
- local info = get_fh_info(c,fh);
- local mimetype = identify_data(data, T);
- if (info$mimetype != mimetype)
- {
- info$mimetype = mimetype;
- print names_log_file, fmt("%.6f %s type FH%d %s/%s %s", network_time(), proc,
- info$id, info$pathname, info$basename, (mimetype!="") ? mimetype : "X/X");
- }
- }
-
-# Get the total time of the lookup chain for this FH to the
-# current network time. Returns a negative interal if no
-# lookup chain was found
-function get_fh_chaintime_str(c:connection, fh:string): string
- {
- local info = get_fh_info(c, fh);
- if ((network_time() - info$t0) < fh_chain_maxtime)
- return fmt("%d %.6f", info$chainlen, info$dt + (network_time() - info$t0));
- else
- return fmt("%d %.6f", 0, 0.0);
- }
-
-# Get a FH ID
-function get_fh_id(c:connection, fh: string): string
- {
- return cat("FH", get_fh_info(c, fh)$id);
- }
-
-# Get the basename for the FH
-function get_fh_basename(c:connection, fh: string): string
- {
- return get_fh_info(c, fh)$basename;
- }
-
-# Get the fullname for the FH
-function get_fh_fullname(c:connection, fh: string): string
- {
- local info = get_fh_info(c, fh);
- return cat(info$pathname, "/", info$basename);
- }
-
-function print_attr(attr: fattr_t): string
- {
- return fmt("%s", attr);
- }
-
-function map_conn(cid: conn_id): count
- {
- if (cid !in nfs_conns)
- nfs_conns[cid] = ++num_nfs_conns;
- return nfs_conns[cid];
- }
-
-
-function is_success(info: info_t): bool
- {
- return (info$rpc_stat == RPC_SUCCESS && info$nfs_stat == NFS3ERR_OK);
- }
-
-function is_rpc_success(info: info_t): bool
- {
- return (info$rpc_stat == RPC_SUCCESS);
- }
-
-function nfs_get_log_prefix(c: connection, info: info_t, proc: string): string
- {
- local nfs_stat_str = (info$rpc_stat == RPC_SUCCESS) ? fmt("%s", info$nfs_stat) : "X";
- return fmt("%.06f %.06f %d %.06f %.06f %d %s %s %d %s %s %s",
- info$req_start, info$req_dur, info$req_len,
- info$rep_start, info$rep_dur, info$rep_len,
- id_string(c$id), get_port_transport_proto(c$id$orig_p),
- map_conn(c$id),
- proc, info$rpc_stat, nfs_stat_str);
- }
-
-
-event nfs_proc_not_implemented(c: connection, info: info_t, proc: proc_t)
- {
- local prefix = nfs_get_log_prefix(c, info, fmt("%s", proc));
-
- print log_file, fmt("%s Not_implemented", prefix);
- }
-
-event nfs_proc_null(c: connection, info: info_t)
- {
- local prefix = nfs_get_log_prefix(c, info, "null");
-
- print log_file, prefix;
- }
-
-event nfs_proc_getattr (c: connection, info: info_t, fh: string, attrs: fattr_t)
- {
- local prefix = nfs_get_log_prefix(c, info, "getattr");
-
- if (is_success(info))
- log_attributes(c, "getattr", fh, attrs);
-
- print log_file, fmt("%s %s", prefix, get_fh_id(c,fh));
- }
-
-event nfs_proc_lookup(c: connection, info: info_t, req: diropargs_t, rep: lookup_reply_t)
- {
- local prefix = nfs_get_log_prefix(c, info, "lookup");
-
- if (! is_success(info) )
- {
- print log_file, fmt("%s %s + %s", prefix, get_fh_id(c, req$dirfh), req$fname);
- # could print dir_attr, if they are set ....
- return;
- }
- if (rep?$dir_attr)
- log_attributes(c, "lookup", req$dirfh, rep$dir_attr);
- if (is_rpc_success(info) && rep?$obj_attr)
- log_attributes(c, "lookup", rep$fh, rep$obj_attr);
- add_update_fh(c, "lookup", req$dirfh, req$fname, rep$fh);
- print log_file, fmt("%s %s + %s => %s", prefix, get_fh_id(c, req$dirfh), req$fname, get_fh_id(c, rep$fh));
-
- }
-
-event nfs_proc_read(c: connection, info: info_t, req: readargs_t, rep: read_reply_t)
- {
- local msg = nfs_get_log_prefix(c, info, "read");
-
- msg = fmt("%s %s @%d: %d", msg, get_fh_id(c, req$fh), req$offset, req$size);
- if (is_success(info))
- {
- msg = fmt("%s got %d bytes %s %s", msg, rep$size, (rep$eof) ? "" : "x",
- get_fh_chaintime_str(c, req$fh));
- if (rep?$data && req$offset==0 && rep$size>0)
- set_fh_mimetype(c, req$fh, "read", rep$data);
- if (is_rpc_success(info) && rep?$attr)
- log_attributes(c, "read", req$fh, rep$attr);
- }
-
- print log_file, msg;
- }
-
-event nfs_proc_readlink(c: connection, info: info_t, fh: string, rep: readlink_reply_t)
- {
- local msg = nfs_get_log_prefix(c, info, "readlink");
-
- msg = fmt("%s %s", msg, get_fh_id(c, fh));
- if (is_success(info))
- {
- msg = fmt("%s : %s", msg, rep$nfspath);
- if (rep?$attr)
- log_attributes(c, "readlink", fh, rep$attr);
- }
-
- print log_file, msg;
- }
-
-event nfs_proc_write(c: connection, info: info_t, req: writeargs_t, rep: write_reply_t)
- {
- local msg = nfs_get_log_prefix(c, info, "write");
-
- msg = fmt("%s %s @%d: %d %s", msg, get_fh_id(c, req$fh), req$offset, req$size, req$stable);
- if (is_success(info))
- {
- msg = fmt("%s wrote %d bytes %s %s", msg, rep$size, rep$commited,
- get_fh_chaintime_str(c, req$fh));
- if (req?$data && req$offset==0 && rep$size>0)
- set_fh_mimetype(c, req$fh, "write", req$data);
- if (rep?$postattr)
- log_attributes(c, "write", req$fh, rep$postattr);
- }
-
- print log_file, msg;
- }
-
-function nfs_newobj(c: connection, info: info_t, proc: string, req: diropargs_t, rep: newobj_reply_t)
- {
- local prefix = nfs_get_log_prefix(c, info, proc);
- local newfh_str: string;
- if (! is_success(info) )
- {
- print log_file, fmt("%s %s + %s", prefix, get_fh_id(c, req$dirfh), req$fname);
- # could print dir_attr, if they are set ....
- return;
- }
- if (is_rpc_success(info) && rep?$dir_post_attr)
- log_attributes(c, proc, req$dirfh, rep$dir_post_attr);
- # TODO: could print dir_pre_attr
- if (is_rpc_success(info) && rep?$obj_attr)
- log_attributes(c, proc, rep$fh, rep$obj_attr);
- add_update_fh(c, proc, req$dirfh, req$fname, rep$fh);
-
- newfh_str = (rep?$fh) ? get_fh_id(c, rep$fh) : "FH??";
- print log_file, fmt("%s %s + %s => %s", prefix, get_fh_id(c, req$dirfh), req$fname, get_fh_id(c, rep$fh));
- }
-
-event nfs_proc_create(c: connection, info: info_t, req: diropargs_t, rep: newobj_reply_t)
- {
- # TODO: create request attributes not implemented in core
- nfs_newobj(c, info, "create", req, rep);
- }
-
-event nfs_proc_mkdir(c: connection, info: info_t, req: diropargs_t, rep: newobj_reply_t)
- {
- # TODO: mkidir request attributes not implemented in core
- nfs_newobj(c, info, "mkdir", req, rep);
- }
-
-function nfs_delobj(c: connection, info: info_t, proc: string, req: diropargs_t, rep: delobj_reply_t)
- {
- local prefix = nfs_get_log_prefix(c, info, proc);
- print log_file, fmt("%s %s - %s", prefix, get_fh_id(c, req$dirfh), req$fname);
- if (is_rpc_success(info) && rep?$dir_post_attr)
- log_attributes(c, proc, req$dirfh, rep$dir_post_attr);
- # TODO: could print dir_pre_attr
- }
-
-event nfs_proc_remove(c: connection, info: info_t, req: diropargs_t, rep: delobj_reply_t)
- {
- nfs_delobj(c, info, "remove", req, rep);
- }
-
-event nfs_proc_rmdir(c: connection, info: info_t, req: diropargs_t, rep: delobj_reply_t)
- {
- nfs_delobj(c, info, "rmdir", req, rep);
- }
-
-function fmt_direntry(c: connection, e: direntry_t): string
- {
- local rv = "";
- rv = fmt("%d %s %d", e$fileid, e$fname, e$cookie);
- if (e?$fh)
- rv = fmt("%s %s", rv, get_fh_id(c, e$fh));
- return rv;
-
- }
-
-event nfs_proc_readdir(c: connection, info: info_t, req: readdirargs_t, rep: readdir_reply_t)
- {
- local isplus = req$isplus;
- local proc = (isplus) ? "readdirplus" : "readdir";
- local msg = nfs_get_log_prefix(c, info, proc);
- msg = fmt("%s %s @%d (%x)", msg, get_fh_id(c, req$dirfh), req$cookie, req$cookieverf);
- if (is_success(info))
- {
- msg = fmt("%s %d entries %d", msg, |rep$entries|, rep$eof);
- print readdir_log, msg;
- for (i in rep$entries)
- {
- local curentry = rep$entries[i];
- if (curentry?$attr && curentry?$fh)
- log_attributes(c, proc, curentry$fh, curentry$attr);
- if (curentry?$fh)
- add_update_fh(c, proc, req$dirfh, curentry$fname, curentry$fh);
- print readdir_log,fmt(" %s", fmt_direntry(c, curentry));
- }
- if (rep?$dir_attr)
- log_attributes(c, proc, req$dirfh, rep$dir_attr);
- }
- else if (is_rpc_success(info) && rep?$dir_attr)
- {
- log_attributes(c, proc, req$dirfh, rep$dir_attr);
- }
- print log_file, msg;
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id !in nfs_conns )
- return;
- delete nfs_conns[c$id];
- }
diff --git a/policy.old/notice-policy.bro b/policy.old/notice-policy.bro
deleted file mode 100644
index 78d26c26ed..0000000000
--- a/policy.old/notice-policy.bro
+++ /dev/null
@@ -1,72 +0,0 @@
-# $Id: notice-policy.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Examples of using notice_policy and other mechanisms to filter out
-# alarms that are not interesting.
-
-# Note: this file is not self-contained, in that it refers to Notice
-# names that will only be defined if you've loaded other files (e.g.,
-# print-resources for the ResourceSummary notice). The full list of
-# policy files it needs is:
-#
-# blaster.bro
-# conn.bro
-# http-request.bro
-# netstats.bro
-# print-resources.bro
-# trw.bro
-# weird.bro
-
-
-# Remove these notices from logging since they can be too noisy.
-redef notice_action_filters += {
- [[Weird::ContentGap, Weird::AckAboveHole]] = ignore_notice,
-};
-
-# Send these only to the notice log, not the alarm log.
-redef notice_action_filters += {
- [[Drop::AddressDropIgnored, DroppedPackets,
- ResourceSummary, W32B_SourceRemote,
- TRW::TRWScanSummary, Scan::BackscatterSeen,
- Weird::WeirdActivity,
- Weird::RetransmissionInconsistency]] = file_notice,
-};
-
-# Other example use of notice_action_filters:
-#
-# To just get a summary Notice when Bro is shutdown/checkpointed, use
-# tally_notice_type, such as:
-#redef notice_action_filters += {
-# [[RetransmissionInconsistency, ContentGap, AckAboveHole]] =
-# tally_notice_type,
-#};
-
-# To get a summary once every hour per originator, use notice_alarm_per_orig,
-# such as:
-#redef notice_action_filters += {
-# [[ BackscatterSeen, RetransmissionInconsistency]] =
-# notice_alarm_per_orig,
-#};
-
-
-# Fine-grained filtering of specific alarms.
-redef notice_policy += {
-
- # Connections to 2766/tcp ("Solaris listen service") appear
- # nearly always actually due to P2P apps.
- [$pred(n: notice_info) =
- {
- return n$note == SensitiveConnection &&
- /Solaris listen service/ in n$msg;
- },
- $result = NOTICE_FILE,
- $priority = 1],
-
- # Ignore sensitive URLs that end in .gif, .jpg, .png
- [$pred(n: notice_info) =
- {
- return n$note == HTTP::HTTP_SensitiveURI &&
- n$URL == /.*\.(gif|GIF|png|PNG|jpg|JPG)/;
- },
- $result = NOTICE_FILE,
- $priority = 1],
-};
diff --git a/policy.old/ntp.bro b/policy.old/ntp.bro
deleted file mode 100644
index eb746bc830..0000000000
--- a/policy.old/ntp.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: ntp.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["ntp"] = "udp port 123" };
-
-module NTP;
-
-export {
- const excessive_ntp_request = 48 &redef;
- const allow_excessive_ntp_requests: set[addr] &redef;
-}
-
-# DPM configuration.
-global ntp_ports = { 123/udp } &redef;
-redef dpd_config += { [ANALYZER_NTP] = [$ports = ntp_ports] };
-
-const ntp_code: table[count] of string = {
- [0] = "unspec",
- [1] = "sym_act",
- [2] = "sym_psv",
- [3] = "client",
- [4] = "server",
- [5] = "bcast",
- [6] = "rsv1",
- [7] = "rsv2",
-};
-
-event ntp_message(u: connection, msg: ntp_msg, excess: string)
- {
- local id = u$id;
-
- if ( id !in udp_rep_count && id !in udp_req_count )
- {
- Hot::check_hot(u, Hot::CONN_ATTEMPTED);
- Scan::check_scan(u, F, F);
- }
-
- if ( msg$code == 4 )
- # "server"
- ++udp_rep_count[id];
- else
- # anything else
- ++udp_req_count[id];
-
- local n_excess = byte_len(excess);
- if ( n_excess > excessive_ntp_request &&
- id$orig_h !in allow_excessive_ntp_requests )
- {
- append_addl_marker(u, fmt("%s", n_excess), ",");
- ++u$hot;
- }
- }
diff --git a/policy.old/passwords.bro b/policy.old/passwords.bro
deleted file mode 100644
index 84e98ec3ff..0000000000
--- a/policy.old/passwords.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: passwords.bro 688 2004-11-02 23:59:55Z vern $
-
-# Generates notices of exposed passwords. Currently just works
-# on telnet/rlogin access. Should be extended to do FTP, HTTP, etc.
-
-@load login
-
-redef enum Notice += {
- PasswordExposed,
-};
-
-# Usernames which we ignore.
-global okay_usernames: set[string] &redef;
-
-# Passwords which we ignore.
-global okay_passwords = { "", "" } &redef;
-
-event login_success(c:connection, user: string, client_user: string,
- password: string, line: string)
- {
- if ( user in okay_usernames || password in okay_passwords )
- return;
-
- NOTICE([$note=PasswordExposed,
- $conn=c,
- $user=user,
- $sub=password,
- $msg="login exposed user's password"]);
- }
diff --git a/policy.old/peer-status.bro b/policy.old/peer-status.bro
deleted file mode 100644
index 95189873fd..0000000000
--- a/policy.old/peer-status.bro
+++ /dev/null
@@ -1,84 +0,0 @@
-# $Id: peer-status.bro 5954 2008-07-15 00:07:50Z vern $
-#
-# Emits process status "update" event periodically.
-
-module PeerStatus;
-
-export {
- type peer_status: record {
- res: bro_resources;
- stats: net_stats;
- current_time: time;
- cpu: double; # average CPU load since last update
- default_filter: string; # default capture filter
- };
-
- # Event sent periodically.
- global update: event(status: peer_status);
-
- # Update interval.
- const update_interval = 1 min;
-
- # This keeps track of all (local and remote) updates
- # (indexed by peer ID).
- global peers: table[peer_id] of peer_status;
-}
-
-global start_time = 0;
-global cpu_last_proc_time = 0 secs;
-global cpu_last_wall_time: time = 0;
-global stats: net_stats;
-global default_filter : string;
-
-event net_stats_update(t: time, ns: net_stats)
- {
- stats = ns;
- }
-
-event emit_update()
- {
- # Get CPU load.
- local res = resource_usage();
- local proc_time = res$user_time + res$system_time;
- local wall_time = current_time();
- local dproc = proc_time - cpu_last_proc_time;
- local dwall = wall_time - cpu_last_wall_time;
- local load = dproc / dwall * 100.0;
- cpu_last_proc_time = proc_time;
- cpu_last_wall_time = wall_time;
-
- local status: peer_status;
- status$res = res;
- status$stats = stats;
- status$current_time = current_time();
- status$cpu = load;
- status$default_filter = default_filter;
-
- event PeerStatus::update(status);
-
- schedule update_interval { emit_update() };
- }
-
-event bro_init()
- {
- default_filter = build_default_pcap_filter();
-
- local res = resource_usage();
- cpu_last_proc_time = res$user_time + res$system_time;
- cpu_last_wall_time = current_time();
- stats = [$pkts_recvd=0, $pkts_dropped=0, $pkts_link=0];
-
- schedule update_interval { emit_update() };
- }
-
-event update(status: peer_status)
- {
- local peer = get_event_peer();
- peers[peer$id] = status;
- }
-
-event remote_connection_closed(p: event_peer)
- {
- if ( p$id in peers )
- delete peers[p$id];
- }
diff --git a/policy.old/pkt-profile.bro b/policy.old/pkt-profile.bro
deleted file mode 100644
index a499ec2c6e..0000000000
--- a/policy.old/pkt-profile.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: pkt-profile.bro 325 2004-09-03 01:33:15Z vern $
-
-redef pkt_profile_file = open_log_file("pkt-prof");
-redef pkt_profile_mode = PKT_PROFILE_MODE_SECS;
-redef pkt_profile_freq = 1.0;
diff --git a/policy.old/pop3.bro b/policy.old/pop3.bro
deleted file mode 100644
index 40ae3920a9..0000000000
--- a/policy.old/pop3.bro
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Id: pop3.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Analyzer for Post Office Protocol, version 3.
-#
-# If you want to decode the mail itself, also load mime-pop.bro.
-
-@load login
-
-module POP3;
-
-export {
- # Report if source triggers more ERR messages.
- const error_threshold: count = 3 &redef;
- # Don't log these commands.
- const ignore_commands: set[string] = { "STAT" } &redef;
-}
-
-redef capture_filters += { ["pop3"] = "port 110" };
-
-global pop3_ports = { 110/tcp } &redef;
-redef dpd_config += { [ANALYZER_POP3] = [$ports = pop3_ports] };
-
-const log_file = open_log_file("pop3") &redef;
-
-type pop3_session_info: record {
- id: count; # Unique session ID.
- quit_sent: bool; # Client issued a QUIT.
- last_command: string; # Last command of client.
-};
-
-
-global pop_log: function(conn: pop3_session_info,
- command: string, message: string);
-global get_connection: function(id: conn_id): pop3_session_info;
-
-
-global pop_connections:
- table[conn_id] of pop3_session_info &read_expire = 60 mins;
-global pop_connection_weirds:
- table[addr] of count &default=0 &read_expire = 60 mins;
-global pop_session_id = 0;
-
-
-event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
- {
- local conn = get_connection(c$id);
-
- pop_log(conn, command, fmt("%.6f #%s > %s %s",
- network_time(), prefixed_id(conn$id), command, arg));
-
- conn$last_command = command;
-
- if ( command == "QUIT" )
- conn$quit_sent = T;
- }
-
-event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
- {
- local conn = get_connection(c$id);
-
- pop_log(conn, cmd,
- fmt("%.6f #%s < %s %s", network_time(), prefixed_id(conn$id), cmd, msg));
-
- if ( cmd == "OK" )
- {
- if ( conn$quit_sent )
- delete pop_connections[c$id];
- }
-
- else if ( cmd == "ERR" )
- {
- ++pop_connection_weirds[c$id$orig_h];
- if ( pop_connection_weirds[c$id$orig_h] > error_threshold )
- print log_file, fmt("%.6f #%s %s/%d > %s/%d WARNING: error count exceeds threshold",
- network_time(), prefixed_id(conn$id),
- c$id$orig_h, c$id$orig_p,
- c$id$resp_h, c$id$resp_p);
- }
- }
-
-event pop3_login_success(c: connection, is_orig: bool,
- user: string, password: string)
- {
- local conn = get_connection(c$id);
-
- local pw = byte_len(password) != 0 ? password : "";
-
- print log_file, fmt("%.6f #%s > login successful: user %s password: %s",
- network_time(), prefixed_id(conn$id), user, pw);
-
- event login_success(c, user, "", password, "");
- }
-
-event pop3_login_failure(c: connection, is_orig: bool,
- user: string, password: string)
- {
- local conn = get_connection(c$id);
-
- print log_file, fmt("%.6f #%s > login failed: user %s password: %s",
- network_time(), prefixed_id(conn$id), user, password);
-
- event login_failure(c, user, "", password, "");
- }
-
-# event pop3_data(c: connection, is_orig: bool, data: string)
-# {
-# # We could instantiate partial connections here if we wished,
-# # but at considerable cost in terms of event counts.
-# local conn = get_connection(c$id);
-# }
-
-event pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
- {
- local conn = get_connection(c$id);
- print log_file, fmt("%.6f #%s unexpected cmd: %s detail: %s",
- network_time(), prefixed_id(conn$id),
- msg, detail);
- }
-
-event pop3_terminate(c: connection, is_orig: bool, msg: string)
- {
- delete pop_connections[c$id];
- }
-
-
-function pop_log(conn: pop3_session_info, command: string, message: string)
- {
- if ( command !in ignore_commands )
- {
- if ( (command == "OK" || command == "ERR") &&
- conn$last_command in ignore_commands )
- ;
- else
- print log_file, message;
- }
- }
-
-function get_connection(id: conn_id): pop3_session_info
- {
- if ( id in pop_connections )
- return pop_connections[id];
-
- local conn: pop3_session_info;
-
- conn$id = ++pop_session_id;
- conn$quit_sent = F;
- conn$last_command = "INIT";
- pop_connections[id] = conn;
-
- print log_file, fmt("%.6f #%s %s/%d > %s/%d: new connection",
- network_time(), prefixed_id(conn$id),
- id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-
- return conn;
- }
diff --git a/policy.old/port-name.bro b/policy.old/port-name.bro
deleted file mode 100644
index c5b0f8c11f..0000000000
--- a/policy.old/port-name.bro
+++ /dev/null
@@ -1,63 +0,0 @@
-const port_names: table[port] of string = {
- [0/icmp] = "icmp-echo",
- [3/icmp] = "icmp-unreach",
- [8/icmp] = "icmp-echo",
-
- [7/tcp] = "echo",
- [9/tcp] = "discard",
- [20/tcp] = "ftp-data",
- [21/tcp] = "ftp",
- [22/tcp] = "ssh",
- [23/tcp] = "telnet",
- [25/tcp] = "smtp",
- [37/tcp] = "time",
- [43/tcp] = "whois",
- [53/tcp] = "dns",
- [79/tcp] = "finger",
- [80/tcp] = "http",
- [109/tcp] = "pop-2",
- [110/tcp] = "pop-3",
- [111/tcp] = "portmap",
- [113/tcp] = "ident",
- [119/tcp] = "nntp",
- [135/tcp] = "epmapper",
- [139/tcp] = "netbios-ssn",
- [143/tcp] = "imap4",
- [179/tcp] = "bgp",
- [389/tcp] = "ldap",
- [443/tcp] = "https",
- [445/tcp] = "smb",
- [512/tcp] = "exec",
- [513/tcp] = "rlogin",
- [514/tcp] = "shell",
- [515/tcp] = "printer",
- [524/tcp] = "ncp",
- [543/tcp] = "klogin",
- [544/tcp] = "kshell",
- [631/tcp] = "ipp",
- [993/tcp] = "simap",
- [995/tcp] = "spop",
- [1521/tcp] = "oracle-sql",
- [2049/tcp] = "nfs",
- [6000/tcp] = "X11",
- [6001/tcp] = "X11",
- [6667/tcp] = "IRC",
-
- [53/udp] = "dns",
- [69/udp] = "tftp",
- [111/udp] = "portmap",
- [123/udp] = "ntp",
- [137/udp] = "netbios-ns",
- [138/udp] = "netbios-dgm",
- [161/udp] = "snmp",
- [2049/udp] = "nfs",
-
-} &redef;
-
-function endpoint_id(h: addr, p: port): string
- {
- if ( p in port_names )
- return fmt("%s/%s", h, port_names[p]);
- else
- return fmt("%s/%d", h, p);
- }
diff --git a/policy.old/portmapper.bro b/policy.old/portmapper.bro
deleted file mode 100644
index 4829812154..0000000000
--- a/policy.old/portmapper.bro
+++ /dev/null
@@ -1,468 +0,0 @@ -# $Id: portmapper.bro 4758 2007-08-10 06:49:23Z vern $ - -@load notice -@load hot -@load conn -@load weird -@load scan - -module Portmapper; - -export { - redef enum Notice += { - # Some combination of the service looked up, the host doing the - # request, and the server contacted is considered sensitive. - SensitivePortmapperAccess, - }; - - # Kudos to Job de Haas for a lot of these entries. - - const rpc_programs = { - [200] = "aarp", - - [100000] = "portmapper", [100001] = "rstatd", - [100002] = "rusersd", [100003] = "nfs", [100004] = "ypserv", - [100005] = "mountd", [100007] = "ypbind", [100008] = "walld", - [100009] = "yppasswdd", [100010] = "etherstatd", - [100011] = "rquotad", [100012] = "sprayd", - [100013] = "3270_mapper", [100014] = "rje_mapper", - [100015] = "selection_svc", [100016] = "database_svc", - [100017] = "rexd", [100018] = "alis", [100019] = "sched", - [100020] = "llockmgr", [100021] = "nlockmgr", - [100022] = "x25.inr", [100023] = "statmon", - [100024] = "status", [100026] = "bootparam", - [100028] = "ypupdate", [100029] = "keyserv", - [100033] = "sunlink_mapper", [100036] = "pwdauth", - [100037] = "tfsd", [100038] = "nsed", - [100039] = "nsemntd", [100041] = "pnpd", - [100042] = "ipalloc", [100043] = "filehandle", - [100055] = "ioadmd", [100062] = "NETlicense", - [100065] = "sunisamd", [100066] = "debug_svc", - [100068] = "cms", [100069] = "ypxfrd", - [100071] = "bugtraqd", [100078] = "kerbd", - [100083] = "tooltalkdb", [100087] = "admind", - [100099] = "autofsd", - - [100101] = "event", [100102] = "logger", [100104] = "sync", - [100105] = "diskinfo", [100106] = "iostat", - [100107] = "hostperf", [100109] = "activity", - [100111] = "lpstat", [100112] = "hostmem", - [100113] = "sample", [100114] = "x25", [100115] = "ping", - [100116] = "rpcnfs", [100117] = "hostif", [100118] = "etherif", - [100119] = "ippath", [100120] = "iproutes", - [100121] = "layers", [100122] = "snmp", [100123] = "traffic", - [100131] = "layers2", 
[100135] = "etherif2", - [100136] = "hostmem2", [100137] = "iostat2", - [100138] = "snmpv2", [100139] = "sender", - - [100221] = "kcms", [100227] = "nfs_acl", [100229] = "metad", - [100230] = "metamhd", [100232] = "sadmind", [100233] = "ufsd", - [100235] = "cachefsd", [100249] = "snmpXdmid", - - [100300] = "nisd", [100301] = "nis_cache", - [100302] = "nis_callback", [100303] = "nispasswd", - - [120126] = "nf_snmd", [120127] = "nf_snmd", - - [150001] = "pcnfsd", - - [300004] = "frameuser", [300009] = "stdfm", [300019] = "amd", - - [300433] = "bssd", [300434] = "drdd", - - [300598] = "dmispd", - - [390100] = "prestoctl_svc", - - [390600] = "arserverd", [390601] = "ntserverd", - [390604] = "arservtcd", - - [391000] = "SGI_snoopd", [391001] = "SGI_toolkitbus", - [391002] = "SGI_fam", [391003] = "SGI_notepad", - [391004] = "SGI_mountd", [391005] = "SGI_smtd", - [391006] = "SGI_pcsd", [391007] = "SGI_nfs", - [391008] = "SGI_rfind", [391009] = "SGI_pod", - [391010] = "SGI_iphone", [391011] = "SGI_videod", - [391012] = "SGI_testcd", [391013] = "SGI_ha_hb", - [391014] = "SGI_ha_nc", [391015] = "SGI_ha_appmon", - [391016] = "SGI_xfsmd", [391017] = "SGI_mediad", - - # 391018 - 391063 = "SGI_reserved" - - [545580417] = "bwnfsd", - - [555555554] = "inetray.start", [555555555] = "inetray", - [555555556] = "inetray", [555555557] = "inetray", - [555555558] = "inetray", [555555559] = "inetray", - [555555560] = "inetray", - - [600100069] = "fypxfrd", - - [1342177279] = "Solaris/CDE", # = 0x4fffffff - - # Some services that choose numbers but start often at these values. - [805306368] = "dmispd", - [824395111] = "cfsd", [1092830567] = "cfsd", - } &redef; - - const NFS_services = { - "mountd", "nfs", "pcnfsd", "nlockmgr", "rquotad", "status" - } &redef; - - # Indexed by the host providing the service, the host requesting it, - # and the service. 
- const RPC_okay: set[addr, addr, string] &redef; - const RPC_okay_nets: set[subnet] &redef; - const RPC_okay_services: set[string] &redef; - const NFS_world_servers: set[addr] &redef; - - # Indexed by the portmapper request and a boolean that's T if - # the request was answered, F it was attempted but not answered. - # If there's an entry in the set, then the access won't lead to a - # NOTICE (unless the connection is hot for some other reason). - const RPC_do_not_complain: set[string, bool] = { - ["pm_null", [T, F]], - } &redef; - - # Indexed by the host requesting the dump and the host from which it's - # requesting it. - const RPC_dump_okay: set[addr, addr] &redef; - - # Indexed by the host providing the service - any host can request it. - const any_RPC_okay = { - [NFS_world_servers, NFS_services], - [sun-rpc.mcast.net, "ypserv"], # sigh - } &redef; - - # Logs all portmapper activity as readable "messages" - # Format: timestamp orig_p resp_h resp_p proto localInit PortmapProcedure success details - const log_file = open_log_file("portmapper") &redef; - # Logs all portmapper mappings that we observe (i.e., getport and - # dump replies. Format: - # timestamp orig_h orig_p resp_h resp_p proto localInit PortmapProcedure RPCprogram version port proto - # the mapping is then: accepts with - # calls on . We learned this mapping via - const mapping_log_file = open_log_file("portmapper-maps") &redef; -} - -redef capture_filters += { ["portmapper"] = "port 111" }; - -const portmapper_ports = { 111/tcp, 111/udp } &redef; -redef dpd_config += { [ANALYZER_PORTMAPPER] = [$ports = portmapper_ports] }; - -# Indexed by source and destination addresses, plus the portmapper service. -# If the tuple is in the set, then we already created a NOTICE for it and -# shouldn't do so again. -global did_pm_notice: set[addr, addr, string]; - -# Indexed by source and portmapper service. If set, we already created -# a notice and shouldn't do so again. 
-global suppress_pm_notice: set[addr, string]; - - -function RPC_weird_action_filter(c: connection): Weird::WeirdAction - { - if ( c$id$orig_h in RPC_okay_nets ) - return Weird::WEIRD_FILE; - else - return Weird::WEIRD_UNSPECIFIED; - } - -redef Weird::weird_action_filters += { - [["bad_RPC", "excess_RPC", "multiple_RPCs", "partial_RPC"]] = - RPC_weird_action_filter, -}; - - -function rpc_prog(p: count): string - { - if ( p in rpc_programs ) - return rpc_programs[p]; - else - return fmt("unknown-%d", p); - } - - -function pm_get_conn_string(cid: conn_id) : string - { - return fmt("%s %d %s %d %s %s", - cid$orig_h, cid$orig_p, - cid$resp_h, cid$resp_p, - get_port_transport_proto(cid$resp_p), - is_local_addr(cid$orig_h) ? "L" : "X" - ); - } - -# Log a pm_request or pm_attempt to the log file -function pm_log(r: connection, proc: string, msg: string, success: bool) - { - print log_file, fmt("%f %s %s %s %s", network_time(), - pm_get_conn_string(r$id), - proc, success, msg); - } - -# Log portmapper mappings received from a dump procedure -function pm_log_mapping_dump(r: connection, m: pm_mappings) - { - # TODO: sort by program and version - for ( mp in m ) - { - local prog = rpc_prog(m[mp]$program); - local ver = m[mp]$version; - local p = m[mp]$p; - - print mapping_log_file, fmt("%f %s pm_dump %s %d %d %s", network_time(), - pm_get_conn_string(r$id), - prog, ver, p, get_port_transport_proto(p)); - } - } - -# Log portmapper mappings received from a getport procedure -# Unfortunately, pm_request_getport doesn't return pm_mapping, -# but returns the parameters separately .... 
-function pm_log_mapping_getport(r: connection, pr: pm_port_request, p: port) - { - local prog = rpc_prog(pr$program); - local ver = pr$version; - - print mapping_log_file, fmt("%f %s pm_getport %s %d %d %s", network_time(), - pm_get_conn_string(r$id), - prog, ver, p, get_port_transport_proto(p)); - } - - - -function pm_check_getport(r: connection, prog: string): bool - { - if ( prog in RPC_okay_services || - [r$id$resp_h, prog] in any_RPC_okay || - [r$id$resp_h, r$id$orig_h, prog] in RPC_okay ) - return F; - - if ( r$id$orig_h in RPC_okay_nets ) - return F; - - return T; - } - -function pm_activity(r: connection, do_notice: bool, proc: string) - { - local id = r$id; - - if ( do_notice && - [id$orig_h, id$resp_h, proc] !in did_pm_notice && - [id$orig_h, proc] !in suppress_pm_notice ) - { - NOTICE([$note=SensitivePortmapperAccess, $conn=r, - $msg=fmt("rpc: %s %s: %s", - id_string(r$id), proc, r$addl)]); - add did_pm_notice[id$orig_h, id$resp_h, proc]; - } - } - -function pm_request(r: connection, proc: string, addl: string, do_notice: bool) - { - if ( [proc, T] in RPC_do_not_complain ) - do_notice = F; - - if ( ! is_tcp_port(r$id$orig_p) ) - { - # It's UDP, so no connection_established event - check for - # scanning, hot access, here, instead. - Scan::check_scan(r, T, F); - Hot::check_hot(r, Hot::CONN_ESTABLISHED); - } - - if ( r$addl == "" ) - r$addl = addl; - - else - { - if ( byte_len(r$addl) > 80 ) - { - # r already has a lot of annotation. We can sometimes - # get *zillions* of successive pm_request's with the - # same connection ID, depending on how the RPC client - # behaves. For those, don't add any further, except - # add an ellipses if we don't already have one. 
- append_addl(r, "..."); - } - else - append_addl_marker(r, addl, ", "); - } - - add r$service[proc]; - Hot::check_hot(r, Hot::CONN_FINISHED); - pm_activity(r, do_notice || r$hot > 0, proc); - pm_log(r, proc, addl, T); - } - - -event pm_request_null(r: connection) - { - pm_request(r, "pm_null", "", F); - } - -event pm_request_set(r: connection, m: pm_mapping, success: bool) - { - pm_request(r, "pm_set", fmt("%s %d (%s)", - rpc_prog(m$program), m$p, success ? "ok" : "failed"), T); - } - -event pm_request_unset(r: connection, m: pm_mapping, success: bool) - { - pm_request(r, "pm_unset", fmt("%s %d (%s)", - rpc_prog(m$program), m$p, success ? "ok" : "failed"), T); - } - -function update_RPC_server_map(server: addr, p: port, prog: string) - { - if ( [server, p] in RPC_server_map ) - { - if ( prog !in RPC_server_map[server, p] ) - { - RPC_server_map[server, p] = - fmt("%s/%s", RPC_server_map[server, p], prog); - } - } - else - RPC_server_map[server, p] = prog; - } - -event pm_request_getport(r: connection, pr: pm_port_request, p: port) - { - local prog = rpc_prog(pr$program); - local do_notice = pm_check_getport(r, prog); - - update_RPC_server_map(r$id$resp_h, p, prog); - - pm_request(r, "pm_getport", fmt("%s -> %s", prog, p), do_notice); - pm_log_mapping_getport(r, pr, p); - } - -# Note, this function has the side effect of updating the -# RPC_server_map -function pm_mapping_to_text(server: addr, m: pm_mappings): string - { - # Used to suppress multiple entries for multiple versions. 
- local mapping_seen: set[count, port]; - local addls: vector of string; - local num_addls = 0; - - for ( mp in m ) - { - local prog = m[mp]$program; - local p = m[mp]$p; - - if ( [prog, p] !in mapping_seen ) - { - add mapping_seen[prog, p]; - addls[num_addls] = fmt("%s -> %s", rpc_prog(prog), p); - ++num_addls; - update_RPC_server_map(server, p, rpc_prog(prog)); - } - } - - local addl_str = fmt("%s", sort(addls, strcmp)); - - # Lop off surrounding []'s for compatibility with previous - # format. - addl_str = sub(addl_str, /^\[/, ""); - addl_str = sub(addl_str, /\]$/, ""); - - return addl_str; - } - -event pm_request_dump(r: connection, m: pm_mappings) - { - local do_notice = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay; - # pm_mapping_to_text has the side-effect of updating RPC_server_map - pm_request(r, "pm_dump", - length(m) == 0 ? "(nil)" : pm_mapping_to_text(r$id$resp_h, m), - do_notice); - pm_log_mapping_dump(r, m); - } - -event pm_request_callit(r: connection, call: pm_callit_request, p: port) - { - local orig_h = r$id$orig_h; - local prog = rpc_prog(call$program); - local do_notice = [orig_h, prog] !in suppress_pm_notice; - - pm_request(r, "pm_callit", fmt("%s/%d (%d bytes) -> %s", - prog, call$proc, call$arg_size, p), do_notice); - - if ( prog == "walld" ) - add suppress_pm_notice[orig_h, prog]; - } - - -function pm_attempt(r: connection, proc: string, status: rpc_status, - addl: string, do_notice: bool) - { - if ( [proc, F] in RPC_do_not_complain ) - do_notice = F; - - if ( ! is_tcp_port(r$id$orig_p) ) - { - # It's UDP, so no connection_attempt event - check for - # scanning here, instead. - Scan::check_scan(r, F, F); - Hot::check_hot(r, Hot::CONN_ATTEMPTED); - } - - add r$service[proc]; - append_addl(r, fmt("(%s)", RPC_status[status])); - - # Current policy is ignore any failed attempts. 
- pm_activity(r, F, proc); - pm_log(r, proc, addl, F); - } - -event pm_attempt_null(r: connection, status: rpc_status) - { - pm_attempt(r, "pm_null", status, "", T); - } - -event pm_attempt_set(r: connection, status: rpc_status, m: pm_mapping) - { - pm_attempt(r, "pm_set", status, fmt("%s %d", rpc_prog(m$program), m$p), T); - } - -event pm_attempt_unset(r: connection, status: rpc_status, m: pm_mapping) - { - pm_attempt(r, "pm_unset", status, fmt("%s %d", rpc_prog(m$program), m$p), T); - } - -event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request) - { - local prog = rpc_prog(pr$program); - local do_notice = pm_check_getport(r, prog); - pm_attempt(r, "pm_getport", status, prog, do_notice); - } - -event pm_attempt_dump(r: connection, status: rpc_status) - { - local do_notice = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay; - pm_attempt(r, "pm_dump", status, "", do_notice); - } - -event pm_attempt_callit(r: connection, status: rpc_status, - call: pm_callit_request) - { - local orig_h = r$id$orig_h; - local prog = rpc_prog(call$program); - local do_notice = [orig_h, prog] !in suppress_pm_notice; - - pm_attempt(r, "pm_callit", status, - fmt("%s/%d (%d bytes)", prog, call$proc, call$arg_size), - do_notice); - - if ( prog == "walld" ) - add suppress_pm_notice[orig_h, prog]; - } - -event pm_bad_port(r: connection, bad_p: count) - { - event conn_weird_addl("bad_pm_port", r, fmt("port %d", bad_p)); - } diff --git a/policy.old/print-filter.bro b/policy.old/print-filter.bro deleted file mode 100644 index 5d8d03b80a..0000000000 --- a/policy.old/print-filter.bro +++ /dev/null 
@@ -1,26 +0,0 @@ -# $Id: print-filter.bro 4506 2007-06-27 14:40:34Z vern $ - -module PrintFilter; - -export { - # If true, terminate Bro after printing the filter. - const terminate_bro = T &redef; - - # If true, write to log file instead of stdout. - const to_file = F &redef; - } - -event bro_init() - { - if ( to_file ) - { - local f = open_log_file("pcap_filter"); - print f, build_default_pcap_filter(); - close(f); - } - else - print build_default_pcap_filter(); - - if ( terminate_bro ) - exit(); - } diff --git a/policy.old/print-globals.bro b/policy.old/print-globals.bro deleted file mode 100644 index 994ea17eba..0000000000 --- a/policy.old/print-globals.bro +++ /dev/null @@ -1,4 +0,0 @@ -event bro_done() - { - print global_sizes(); - } diff --git a/policy.old/print-resources.bro b/policy.old/print-resources.bro deleted file mode 100644 index 7b069f9415..0000000000 --- a/policy.old/print-resources.bro +++ /dev/null @@ -1,21 +0,0 @@ -# $Id: print-resources.bro 6703 2009-05-13 22:27:44Z vern $ - -# Logs Bro resource usage information upon termination. - -@load notice - -redef enum Notice += { - ResourceSummary, # Notice type for this event -}; - -event bro_done() - { - local res = resource_usage(); - - NOTICE([$note=ResourceSummary, - $msg=fmt("elapsed time = %s, total CPU = %s, maximum memory = %d KB, peak connections = %d, peak timers = %d, peak fragments = %d", - res$real_time, res$user_time + res$system_time, - res$mem / 1024, - res$max_TCP_conns + res$max_UDP_conns + res$max_ICMP_conns, - res$max_timers, res$max_fragments)]); - } diff --git a/policy.old/print-sig-states.bro b/policy.old/print-sig-states.bro deleted file mode 100644 index c13677f6ca..0000000000 --- a/policy.old/print-sig-states.bro +++ /dev/null 
@@ -1,18 +0,0 @@ -# $Id: print-sig-states.bro 491 2004-10-05 05:44:59Z vern $ -# -# Simple profiling script for periodicaly dumping out signature-matching -# statistics. - -global sig_state_stats_interval = 5 mins; -global sig_state_file = open_log_file("sig-states"); - -event dump_sig_state_stats() - { - dump_rule_stats(sig_state_file); - schedule sig_state_stats_interval { dump_sig_state_stats() }; - } - -event bro_init() - { - schedule sig_state_stats_interval { dump_sig_state_stats() }; - } diff --git a/policy.old/profiling.bro b/policy.old/profiling.bro deleted file mode 100644 index a8aef46440..0000000000 --- a/policy.old/profiling.bro +++ /dev/null @@ -1,17 +0,0 @@ -# $Id: profiling.bro 1102 2005-03-17 09:17:46Z vern $ -# -# Turns on profiling of Bro resource consumption. - -redef profiling_file = open_log_file("prof"); - -# Cheap profiling every 15 seconds. -redef profiling_interval = 15 secs &redef; - -# Expensive profiling every 5 minutes. -redef expensive_profiling_multiple = 20; - -event bro_init() - { - set_buf(profiling_file, F); - } - diff --git a/policy.old/proxy.bro b/policy.old/proxy.bro deleted file mode 100644 index 1f43308f3a..0000000000 --- a/policy.old/proxy.bro +++ /dev/null 
@@ -1,99 +0,0 @@ -# $Id: proxy.bro,v 1.1.4.2 2006/05/31 00:16:22 sommer Exp $ -# -# Finds open proxies by matching incoming HTTP requests with outgoing ones. - -@load notice - -module Proxy; - -export { - const KnownProxies: set[addr] = { }; - - redef enum Notice += { - HTTPProxyFound, - }; -} - - -type request: record { - p: port; - paths: set[string]; -}; - -# Maps the address of the potential proxy to the paths that -# have been requested from it. -global requests: table[addr] of request; - -# A parsed URL. -type url: record { - host: string; - path: string; -}; - -global found_proxies: set[addr] &create_expire = 24 hrs; - -function parse_url(u: string) : url - { - # The URL parsing is imperfect, but should work sufficiently well. - local a = split1(u, /:\/\//); - if ( |a| == 1 ) - return [$host="", $path=a[1]]; - - local b = split1(a[2], /\//); - return [$host=b[1], $path=(|b| == 2 ? cat("/", b[2]) : "/")]; - } - -event http_request(c: connection, method: string, original_URI: string, - unescaped_URI: string, version: string) - { - if ( method != "GET" && method != "CONNECT" ) - return; - - local client = c$id$orig_h; - local server = c$id$resp_h; - - if ( server in KnownProxies ) - return; - - # FIXME: Which one? original_URI or unescaped_URI? - local u = parse_url(original_URI); - - if ( client in requests ) - { - # We have already seen requests to this host. Let's see - # any matches the one we're very currently seeing. - local r = requests[client]; - if ( u$path in r$paths ) - { - if ( client !in found_proxies ) - { - NOTICE([$note=HTTPProxyFound, - $conn=c, $src=client, - $p=r$p, $URL=original_URI, - $msg=fmt("HTTP proxy found %s:%d (%s)", - client, r$p, original_URI)]); - add found_proxies[client]; - } - - return; - } - } - - if ( u$host == "" ) - # A relative URL. That's fine. - return; - - # An absolute URL. Remember path for later. - # - # Note: using "when", could even lookup the destination - # host and remember that one, too! 
- - if ( server !in requests ) - { - local empty_set: set[string] &read_expire = 15 secs; - local req = [$p=c$id$resp_p, $paths=empty_set]; - requests[server] = req; - } - - add requests[server]$paths[u$path]; - } diff --git a/policy.old/remote-pcap.bro b/policy.old/remote-pcap.bro deleted file mode 100644 index 18b124707e..0000000000 --- a/policy.old/remote-pcap.bro +++ /dev/null @@ -1,52 +0,0 @@ -# $Id: remote-pcap.bro 2704 2006-04-04 07:35:46Z vern $ -# -# Allows remote peers to set our capture filter. - -@load remote - -# We install a filter which (hopefully) doesn't match anything to avoid Bro's -# default "tcp or udp" when no other script/peers adds a filter. - -## FIXME: We need non-blocking pacp for this to work. -## -## ##redef capture_filters["match-nothing"] = "ether src 0:0:0:0:0:0"; - -function build_capture_filter_index(p: event_peer): string - { - return fmt("remote-%d", p$id); - } - -event remote_capture_filter(p: event_peer, filter: string) - { - # If we send a capture filter to a peer and are subscribed to all - # of its events, we will get a remote_capture_filter event back. - if ( is_remote_event() ) - return; - - Remote::do_script_log(p, fmt("received capture filter: %s", filter)); - - capture_filters[build_capture_filter_index(p)] = filter; - - # This will recompile the filter, which may take some time. - # Thus, setting a new capture_filter may cost us some packets :-(. - update_default_pcap_filter(); - - Remote::do_script_log(p, fmt("new default pcap filter: %s", - default_pcap_filter)); - } - -event remote_connection_closed(p: event_peer) - { - local i = build_capture_filter_index(p); - - if ( i in capture_filters ) - { - Remote::do_script_log(p, fmt("removed capture filter: %s", - capture_filters[i])); - delete capture_filters[i]; - update_default_pcap_filter(); - } - - Remote::do_script_log(p, fmt("new default pcap filter: %s", - default_pcap_filter)); - } 
diff --git a/policy.old/remote-ping.bro b/policy.old/remote-ping.bro deleted file mode 100644 index c27c8884d2..0000000000 --- a/policy.old/remote-ping.bro +++ /dev/null @@ -1,49 +0,0 @@ -# $Id: remote-ping.bro 2704 2006-04-04 07:35:46Z vern $ -# -# Exchanges periodic pings between communicating Bro's to measure their -# processing times. - -@load remote - -module RemotePing; - -export { - const ping_interval = 1 secs; -} - -global pings: table[event_peer] of count; - -event remote_connection_established(p: event_peer) - { - pings[p] = 0; - } - -event remote_connection_closed(p: event_peer) - { - delete pings[p]; - } - -event ping() - { - for ( p in pings ) - send_ping(p, ++pings[p]); - - schedule ping_interval { ping() }; - } - -event remote_pong(p: event_peer, seq: count, - d1: interval, d2: interval, d3: interval) - { - # We log three times: "time= [/]" - # t1: round-trip between the two parent processes. - # t2: round-trip between the two child processes. - # t3: sum of time spent in client<->parent communication on - # either side - Remote::do_script_log(p, fmt("ping seq=%d time=%.3fs [%.3fs/%.3fs]", seq, - d1, d2 - d3, d1 - d2 + d3)); - } - -event bro_init() - { - schedule ping_interval { ping() }; - } diff --git a/policy.old/remote-print-id-reply.bro b/policy.old/remote-print-id-reply.bro deleted file mode 100644 index 81d0efe35e..0000000000 --- a/policy.old/remote-print-id-reply.bro +++ /dev/null @@ -1,17 +0,0 @@ -# $Id:$ -# -# Load this script to support remote printing of variables. The remote -# peer accesses these by loading remote-print-id.bro. - -module PrintID; - -global request_id_response: event(id: string, content: string); - -event request_id(id: string) - { - if ( ! is_remote_event() ) - return; - - local val = lookup_ID(id); - event request_id_response(id, fmt("%s", val)); - } diff --git a/policy.old/remote-print-id.bro b/policy.old/remote-print-id.bro deleted file mode 100644 index 550ff8b8b8..0000000000 
--- a/policy.old/remote-print-id.bro +++ /dev/null @@ -1,53 +0,0 @@ -# $Id:$ -# -# Requests the current value of a variable (identifier) from a remote -# peer, prints it, and then terminates. The other side must load -# remote-print-id-reply.bro. -# -# Intended to be used from the command line as in: -# -# bro -e 'redef PrintID::dst="" PrintID::id=""' -# remote-print-id -# -# The other scripts must set up the connection. is an index into -# Remote::destinations corresponding to the destination. - -module PrintID; - -@load remote -@load remote-print-id-reply - -export { - const dst = "" &redef; - const id = "" &redef; -} - -event remote_connection_handshake_done(p: event_peer) - { - local peer = Remote::destinations[dst]; - - if ( peer$host == p$host ) - { - print fmt("Requesting %s from %s at %s:%d", - id, dst, p$host, p$p); - event request_id(id); - } - } - -event request_id_response(id: string, content: string) - { - print fmt("%s = %s", id, content); - terminate_communication(); - } - -event bro_init() - { - if ( dst !in Remote::destinations ) - { - print fmt("Unknown destination %s", dst); - terminate(); - return; - } - - Remote::connect_peer(dst); - } diff --git a/policy.old/remote-print.bro b/policy.old/remote-print.bro deleted file mode 100644 index e0d29259c6..0000000000 --- a/policy.old/remote-print.bro +++ /dev/null @@ -1,9 +0,0 @@ -# $Id: remote-print.bro 415 2004-09-17 03:25:12Z vern $ -# -# Write remote print messages into local files. - -event print_hook(f: file, s: string) - { - if ( is_remote_event() ) - print f, s; - } diff --git a/policy.old/remote-report-notices.bro b/policy.old/remote-report-notices.bro deleted file mode 100644 index b70baf59c4..0000000000 --- a/policy.old/remote-report-notices.bro +++ /dev/null 
@@ -1,14 +0,0 @@ -# $Id:$ -# -# Forward remote notices to our local system. - -event notice_action(n: notice_info, action: NoticeAction) - { - if ( is_remote_event() ) - { - # Don't raise this event recursively. - suppress_notice_action = T; - NOTICE(n); - suppress_notice_action = F; - } - } diff --git a/policy.old/remote-send-id.bro b/policy.old/remote-send-id.bro deleted file mode 100644 index 15c1df5f75..0000000000 --- a/policy.old/remote-send-id.bro +++ /dev/null @@ -1,45 +0,0 @@ -# $Id:$ -# -# Sends the current value of an ID to a remote Bro and then terminates -# processing. -# -# Intended to be used from the command line as in: -# -# bro -e "redef Send::dst="" Send::id="" -# remote-send-id -# -# The other scripts must set up the connection. is an index into -# Remote::destinations corresponding to the destination. - -module Send; - -@load remote - -export { - const dst = "" &redef; - const id = "" &redef; -} - -event remote_connection_handshake_done(p: event_peer) - { - local peer = Remote::destinations[dst]; - - if ( peer$host == p$host ) - { - print fmt("Sending %s to %s at %s:%d", id, dst, p$host, p$p); - send_id(p, id); - terminate_communication(); - } - } - -event bro_init() - { - if ( dst !in Remote::destinations ) - { - print fmt("Unknown destination %s", dst); - terminate(); - return; - } - - Remote::connect_peer(dst); - } diff --git a/policy.old/remote.bro b/policy.old/remote.bro deleted file mode 100644 index 294c8fcd1e..0000000000 --- a/policy.old/remote.bro +++ /dev/null 
@@ -1,272 +0,0 @@ -# $Id: remote.bro 5101 2007-11-29 07:02:27Z vern $ -# -# Connect to remote Bros and request some of their events. - -module Remote; - -export { - const default_port_ssl = 47756/tcp &redef; - const default_port_clear = 47757/tcp &redef; - - # Default compression level. - global default_compression = 0 &redef; - - # A remote peer to which we would like to talk. - # If there's no entry for a peer, it may still connect - # and request state, but not send us any. - type Destination : record { - # Destination endpoint. - host: addr; - p: port &optional; - - # When accepting a connection, the configuration only - # applies if the class matches the one transmitted by - # the peer. - # - # When initiating a connection, the class is sent to - # the other side. - class: string &optional; - - # Events requested from remote side. - events: pattern &optional; - - # Whether we are going to connect (rather than waiting - # for the other sie to connect to us). - connect: bool &default = F; - - # If disconnected, reconnect after this many seconds. - retry: interval &default = 0 secs; - - # Whether to accept remote events. - accept_input: bool &default = T; - - # Whether to perform state synchronization with peer. - sync: bool &default = T; - - # Whether to request logs from the peer. - request_logs: bool &default = F; - - # When performing state synchronization, whether we consider - # our state to be authoritative. If so, we will send the peer - # our current set when the connection is set up. - # (Only one side can be authoritative.) - auth: bool &default = F; - - # If not set, no capture filter is sent. - # If set to "", the default cature filter is sent. - capture_filter: string &optional; - - # Whether to use SSL-based communication. - ssl: bool &default = F; - - # Take-over state from this host - # (activated by loading hand-over.bro) - hand_over: bool &default = F; - - # Compression level is 0-9, with 0 = no compression. 
- compression: count &default = default_compression; - - # Set when connected. - peer: event_peer &optional; - connected: bool &default = F; - }; - - const destinations: table[string] of Destination &redef; - - # redef destinations += { - # ["foo"] = [$host = foo.bar.com, $events = /.*/, $connect=T, $retry = 60 secs, $ssl=T] - # }; - - # Write log message into remote.log - global do_script_log: function(p: event_peer, msg: string); - - global pending_peers: table[peer_id] of Destination; - global connected_peers: table[peer_id] of Destination; - - # Connect to destionations[dst], independent of its "connect" flag. - global connect_peer: function(peer: string); -} - -# Called rm_log rather than remote_log because there's an event by that name. -global rm_log = open_log_file("remote"); - -global src_names = { - [REMOTE_SRC_CHILD] = "[child] ", - [REMOTE_SRC_PARENT] = "[parent]", - [REMOTE_SRC_SCRIPT] = "[script]", -}; - -function do_script_log_common(level: count, src: count, msg: string) - { - print rm_log, - fmt("%.6f %s %s %s", current_time(), - (level == REMOTE_LOG_INFO ? "[info] " : "[error]"), - src_names[src], msg); - } - -event remote_log(level: count, src: count, msg: string) - { - do_script_log_common(level, src, msg); - } - -function do_script_log(p: event_peer, msg: string) - { - do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, - fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg)); - } - -function connect_peer(peer: string) - { - local dst = destinations[peer]; - local p = dst$ssl ? default_port_ssl : default_port_clear; - - if ( dst?$p ) - p = dst$p; - - local class = dst?$class ? dst$class : ""; - local id = connect(dst$host, p, class ,dst$retry, dst$ssl); - - if ( id == PEER_ID_NONE ) - print rm_log, - fmt("%.6f %s/%d can't trigger connect", - current_time(), dst$host, p); - - pending_peers[id] = dst; - } - -event bro_init() &priority = -10 # let others modify destinations - { - set_buf(rm_log, F); - - for ( tag in destinations ) - { - if ( ! 
destinations[tag]$connect ) - next; - - connect_peer(tag); - } - } - -function setup_peer(p: event_peer, dst: Destination) - { - if ( dst?$events ) - { - do_script_log(p, fmt("requesting events matching %s", dst$events)); - request_remote_events(p, dst$events); - } - - if ( dst?$capture_filter ) - { - local filter = dst$capture_filter; - if ( filter == "" ) - filter = default_pcap_filter; - - do_script_log(p, fmt("sending capture_filter: %s", filter)); - send_capture_filter(p, filter); - } - - if ( dst$accept_input ) - { - do_script_log(p, "accepting state"); - set_accept_state(p, T); - } - - set_compression_level(p, dst$compression); - - if ( dst$sync ) - { - do_script_log(p, "requesting synchronized state"); - request_remote_sync(p, dst$auth); - } - - if ( dst$request_logs ) - { - do_script_log(p, "requesting logs"); - request_remote_logs(p); - } - - dst$peer = p; - dst$connected = T; - connected_peers[p$id] = dst; - } - -event remote_connection_established(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection established"); - - if ( p$id in pending_peers ) - { - # We issued the connect. - local dst = pending_peers[p$id]; - setup_peer(p, dst); - delete pending_peers[p$id]; - } - else - { # The other side connected to us. - local found = F; - for ( i in destinations ) - { - dst = destinations[i]; - if ( dst$host == p$host ) - { - local c = 0; - - # See if classes match = either both have - # the same class, or neither of them has - # a class. - if ( p?$class && p$class != "" ) - ++c; - - if ( dst?$class && dst$class != "" ) - ++c; - - if ( c == 1 || - (c == 2 && p$class != dst$class) ) - next; - - found = T; - setup_peer(p, dst); - break; - } - } - - if ( ! 
found ) - set_compression_level(p, default_compression); - } - - complete_handshake(p); - } - -event remote_connection_closed(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection closed"); - - if ( p$id in connected_peers ) - { - local dst = connected_peers[p$id]; - dst$connected = F; - - delete connected_peers[p$id]; - - if ( dst$retry != 0secs ) - # The core will retry. - pending_peers[p$id] = dst; - } - } - -event remote_state_inconsistency(operation: string, id: string, - expected_old: string, real_old: string) - { - if ( is_remote_event() ) - return; - - print rm_log, - fmt("%.6f state inconsistency: %s should be %s but is %s before %s", - network_time(), id, expected_old, real_old, operation); - } diff --git a/policy.old/rotate-logs.bro b/policy.old/rotate-logs.bro deleted file mode 100644 index 92ab4cf455..0000000000 --- a/policy.old/rotate-logs.bro +++ /dev/null 
@@ -1,160 +0,0 @@
-# $Id: rotate-logs.bro 4685 2007-07-30 23:50:26Z vern $
-
-module RotateLogs;
-
-export {
- # Maps file names to postprocessors.
- global postprocessors: table[string] of string &redef;
-
- # Default postprocessor.
- global default_postprocessor = "" &redef;
-
- # Files which are to be rotated according to log_rotate_interval
- # and log_max_size, but aren't represented by a file object.
- global aux_files: set[string] &redef;
-
- # For aux_files, the time interval in which we check the files' sizes.
- global aux_check_size_interval = 30 secs &redef;
-
- # Callback to provide name for rotated file.
- global build_name: function(info: rotate_info): string &redef;
-
- # Default naming suffix format.
- global date_format = "%y-%m-%d_%H.%M.%S" &redef;
-
- # Whether to rotate files when shutting down.
- global rotate_on_shutdown = T &redef;
-
- # If set, postprocessors get this tag as an additional argument.
- global tag = "" &redef;
-}
-
-# Default rotation is once per hour.
-redef log_rotate_interval = 1 hr;
-
-# There are other variables that are defined in bro.init. Here are
-# some example of how these might be redefined.
-# redef log_rotate_base_time = "0:00";
-# redef log_max_size = 1e7;
-# redef log_encryption_key = "mybigsecret";
-
-# Given a rotate info record, returns new rotated filename.
-function build_name(info: rotate_info): string
- {
- return fmt("%s-%s", info$old_name, strftime(date_format, info$open));
- }
-
-# Run post-processor on file. If there isn't any postprocessor defined,
-# we move the file to a nicer name.
-function run_pp(info: rotate_info)
- {
- local pp = default_postprocessor;
-
- if ( info$old_name in postprocessors )
- pp = postprocessors[info$old_name];
-
- if ( pp != "" )
- # The date format is hard-coded here to provide a standardized
- # script interface.
- system(fmt("%s %s %s %s %s %s %s",
- pp, info$new_name, info$old_name,
- strftime("%y-%m-%d_%H.%M.%S", info$open),
- strftime("%y-%m-%d_%H.%M.%S", info$close),
- bro_is_terminating() ? "1" : "0",
- tag));
- else
- system(fmt("/bin/mv %s %s %s",
- info$new_name, build_name(info), tag));
- }
-
-# Rotate file.
-function rotate(f: file)
- {
- local info = rotate_file(f);
- if ( info$old_name == "" )
- # Error.
- return;
-
- run_pp(info);
- }
-
-# Rotate file, but only if we know the name.
-function rotate_by_name(f: string)
- {
- local info = rotate_file_by_name(f);
- if ( info$old_name == "" )
- # Error.
- return;
-
- run_pp(info);
- }
-
-function make_nice_timestamp(i: interval) : time
- {
- # To get nice timestamps, we round the time up to
- # the next multiple of the rotation interval.
-
- local nt = time_to_double(network_time());
- local ri = interval_to_double(i);
-
- return double_to_time(floor(nt / ri) * ri + ri);
- }
-
-# Raised when a &rotate_interval expires.
-event rotate_interval(f: file)
- {
- if ( bro_is_terminating() && ! rotate_on_shutdown )
- return;
-
- rotate(f);
- }
-
-# Raised when a &rotate_size is reached.
-event rotate_size(f: file)
- {
- rotate(f);
- }
-
-# Raised for aux_files when log_rotate_inverval expires.
-
-global first_aux_rotate_interval = T;
-
-event aux_rotate_interval()
- {
- if ( bro_is_terminating() && ! rotate_on_shutdown )
- return;
-
- if ( ! first_aux_rotate_interval )
- for ( f in aux_files )
- rotate_by_name(f);
-
- first_aux_rotate_interval = F;
-
- if ( ! bro_is_terminating() )
- schedule calc_next_rotate(log_rotate_interval)
- { aux_rotate_interval() };
- }
-
-# Regularly raised to check aux_files' sizes.
-event aux_check_size()
- {
- for ( f in aux_files )
- if ( file_size(f) > log_max_size )
- rotate_by_name(f);
-
- if ( !
bro_is_terminating() )
- schedule aux_check_size_interval { aux_check_size() };
- }
-
-event bro_init()
- {
- if ( length(aux_files) != 0 )
- {
- if ( log_rotate_interval != 0 secs )
- schedule calc_next_rotate(log_rotate_interval)
- { aux_rotate_interval() };
-
- if ( log_max_size != 0 )
- schedule aux_check_size_interval { aux_check_size() };
- }
- }
diff --git a/policy.old/rsh.bro b/policy.old/rsh.bro
deleted file mode 100644
index 933d765dc7..0000000000
--- a/policy.old/rsh.bro
+++ /dev/null
@@ -1,105 +0,0 @@
-# $Id: rsh.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load conn
-@load login
-
-module RSH;
-
-export {
- redef enum Notice += {
- # RSH client username and server username differ.
- DifferentRSH_Usernames,
-
- # Attempt to authenticate via RSH failed.
- FailedRSH_Authentication,
-
- # RSH session appears to be interactive - multiple lines of
- # user commands.
- InteractiveRSH,
-
- SensitiveRSH_Input,
- SensitiveRSH_Output,
- };
-
- const failure_msgs =
- /^Permission denied/
- | /Login failed/
- &redef;
-}
-
-redef capture_filters += { ["rsh"] = "tcp port 514" };
-
-global rsh_ports = { 514/tcp } &redef;
-redef dpd_config += { [ANALYZER_RSH] = [$ports = rsh_ports] };
-
-type rsh_session_info: record {
- client_user: string;
- server_user: string;
- initial_cmd: string;
- output_line: count; # number of lines seen
-};
-
-global rsh_sessions: table[conn_id] of rsh_session_info;
-
-function new_rsh_session(c: connection, client_user: string,
- server_user: string, line: string)
- {
- if ( c$id in rsh_sessions )
- delete rsh_sessions[c$id];
-
- local s: rsh_session_info;
- s$client_user = client_user;
- s$server_user = server_user;
- s$initial_cmd = line;
- s$output_line = 0;
-
- rsh_sessions[c$id] = s;
- }
-
-event rsh_request(c: connection, client_user: string, server_user: string,
- line: string, new_session: bool)
- {
- local id = c$id;
-
- local BS_line = edit(line, Login::BS);
- local DEL_line = edit(line, Login::DEL);
-
- if ( new_session )
- {
- new_rsh_session(c, client_user, server_user, line);
-
- if ( client_user != server_user )
- NOTICE([$note=DifferentRSH_Usernames, $conn=c,
- $msg=fmt("differing client/server usernames (%s/%s)",
- client_user, server_user),
- $sub=client_user, $user=server_user]);
- }
-
- local s = rsh_sessions[c$id];
- if ( s$output_line > 0 )
- NOTICE([$note=InteractiveRSH, $conn=c,
- $msg="interactive RSH session, input following output",
- $sub=s$client_user, $user=s$server_user]);
-
- if ( Login::input_trouble in
line ||
- Login::input_trouble in BS_line ||
- Login::input_trouble in DEL_line ||
- line == Login::full_input_trouble )
- NOTICE([$note=SensitiveRSH_Input, $conn=c,
- $msg=line, $sub=s$client_user, $user=s$server_user]);
- }
-
-event rsh_reply(c: connection, client_user: string, server_user: string,
- line: string)
- {
- local s = rsh_sessions[c$id];
-
- if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
- NOTICE([$note=FailedRSH_Authentication, $conn=c,
- $msg=line, $sub=s$client_user, $user=s$server_user]);
-
- if ( Login::output_trouble in line ||
- line == Login::full_output_trouble )
- NOTICE([$note=SensitiveRSH_Output, $conn=c,
- $msg=line, $sub=s$client_user, $user=s$server_user]);
- }
diff --git a/policy.old/save-peer-status.bro b/policy.old/save-peer-status.bro
deleted file mode 100644
index 26481bc093..0000000000
--- a/policy.old/save-peer-status.bro
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id$
-#
-# Writes a summary of our peer's status into a file.
-
-@load peer-status
-
-event PeerStatus::update(status: PeerStatus::peer_status) &priority = -5
- {
- local f = open_log_file("peer_status");
-
- for ( id in PeerStatus::peers )
- {
- local stat = PeerStatus::peers[id];
- local host: string;
-
- if ( id != 0 )
- {
- if ( id !in Remote::connected_peers )
- next;
-
- host = Remote::connected_peers[id]$peer$descr;
- }
- else
- host = get_local_event_peer()$descr;
-
- print f, fmt("%18s %s%s %D %D %02.0f%% %4dM #%d %dK/%dK/%dK (%.1f%%)",
- host, stat$res$version, stat$res$debug ? "-DEBUG" : "",
- stat$res$start_time, stat$current_time, stat$cpu,
- stat$res$mem / 1024 / 1024,
- stat$res$num_TCP_conns + stat$res$num_UDP_conns + stat$res$num_ICMP_conns,
- stat$stats$pkts_dropped / 1024,
- stat$stats$pkts_recvd / 1024,
- stat$stats$pkts_link / 1024,
- 100.0 * stat$stats$pkts_dropped / (stat$stats$pkts_dropped + stat$stats$pkts_recvd));
- }
-
- print f, "###";
-
-# for ( id in PeerStatus::peers )
-# {
-# stat = PeerStatus::peers[id];
-#
-# if ( id != 0 )
-# host = Remote::connected_peers[id]$peer$descr;
-# else
-# host = get_local_event_peer()$descr;
-#
-# print f, fmt("%10s %s", host, stat$default_filter);
-# print f;
-# }
-
- close(f);
- }
diff --git a/policy.old/scan.bro b/policy.old/scan.bro
deleted file mode 100644
index d3ee0574c3..0000000000
--- a/policy.old/scan.bro
+++ /dev/null
@@ -1,706 +0,0 @@ -# $Id: scan.bro 7073 2010-09-13 00:45:02Z vern $ - -@load conn -@load notice -@load port-name -@load hot -@load drop -@load trw-impl - -module Scan; - -export { - redef enum Notice += { - PortScan, # the source has scanned a number of ports - AddressScan, # the source has scanned a number of addrs - BackscatterSeen, - # apparent flooding backscatter seen from source - - ScanSummary, # summary of scanning activity - PortScanSummary, # summary of distinct ports per scanner - LowPortScanSummary, # summary of distinct low ports per scanner - - PasswordGuessing, # source tried many user/password combinations - SuccessfulPasswordGuessing, # same, but a login succeeded - - Landmine, # source touched a landmine destination - ShutdownThresh, # source reached shut_down_thresh - LowPortTrolling, # source touched privileged ports - }; - - # If true, we suppress scan-checking (we still do account-tried - # accounting). This is provided because scan-checking can consume - # a lot of memory. - const suppress_scan_checks = F &redef; - - # Whether to consider UDP "connections" for scan detection. - # Can lead to false positives due to UDP fanout from some P2P apps. - const suppress_UDP_scan_checks = F &redef; - - const activate_priv_port_check = T &redef; - const activate_landmine_check = F &redef; - const landmine_thresh_trigger = 5 &redef; - - const landmine_address: set[addr] &redef; - - const scan_summary_trigger = 25 &redef; - const port_summary_trigger = 20 &redef; - const lowport_summary_trigger = 10 &redef; - - # Raise ShutdownThresh after this many failed attempts - const shut_down_thresh = 100 &redef; - - # Which services should be analyzed when detecting scanning - # (not consulted if analyze_all_services is set). - const analyze_services: set[port] &redef; - const analyze_all_services = T &redef; - - # Track address scaners only if at least these many hosts contacted. 
- const addr_scan_trigger = 0 &redef; - - # Ignore address scanners for further scan detection after - # scanning this many hosts. - # 0 disables. - const ignore_scanners_threshold = 0 &redef; - - # Report a scan of peers at each of these points. - const report_peer_scan: vector of count = { - 20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000, - } &redef; - - const report_outbound_peer_scan: vector of count = { - 100, 1000, 10000, - } &redef; - - # Report a scan of ports at each of these points. - const report_port_scan: vector of count = { - 50, 250, 1000, 5000, 10000, 25000, 65000, - } &redef; - - # Once a source has scanned this many different ports (to however many - # different remote hosts), start tracking its per-destination access. - const possible_port_scan_thresh = 20 &redef; - - # Threshold for scanning privileged ports. - const priv_scan_trigger = 5 &redef; - const troll_skip_service = { - smtp, ftp, ssh, 20/tcp, http, - } &redef; - - const report_accounts_tried: vector of count = { - 20, 100, 1000, 10000, 100000, 1000000, - } &redef; - - const report_remote_accounts_tried: vector of count = { - 100, 500, - } &redef; - - # Report a successful password guessing if the source attempted - # at least this many. - const password_guessing_success_threshhold = 20 &redef; - - const skip_accounts_tried: set[addr] &redef; - - const addl_web = { - 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, } - &redef; - - const skip_services = { ident, } &redef; - const skip_outbound_services = { Hot::allow_services, ftp, addl_web, } - &redef; - - const skip_scan_sources = { - 255.255.255.255, # who knows why we see these, but we do - - # AltaVista. Here just as an example of what sort of things - # you might list. - test-scooter.av.pa-x.dec.com, - } &redef; - - const skip_scan_nets: set[subnet] = {} &redef; - - # List of well known local server/ports to exclude for scanning - # purposes. 
- const skip_dest_server_ports: set[addr, port] = {} &redef; - - # Reverse (SYN-ack) scans seen from these ports are considered - # to reflect possible SYN-flooding backscatter, and not true - # (stealth) scans. - const backscatter_ports = { - http, 53/tcp, 53/udp, bgp, 6666/tcp, 6667/tcp, - } &redef; - - const report_backscatter: vector of count = { - 20, - } &redef; - - global check_scan: - function(c: connection, established: bool, reverse: bool): bool; - - # The following tables are defined here so that we can redef - # the expire timeouts. - # FIXME: should we allow redef of attributes on IDs which - # are not exported? - - # How many different hosts connected to with a possible - # backscatter signature. - global distinct_backscatter_peers: table[addr] of table[addr] of count - &read_expire = 15 min; - - # Expire functions that trigger summaries. - global scan_summary: - function(t: table[addr] of set[addr], orig: addr): interval; - global port_summary: - function(t: table[addr] of set[port], orig: addr): interval; - global lowport_summary: - function(t: table[addr] of set[port], orig: addr): interval; - - # Indexed by scanner address, yields # distinct peers scanned. - # pre_distinct_peers tracks until addr_scan_trigger hosts first. - global pre_distinct_peers: table[addr] of set[addr] - &read_expire = 15 mins &redef; - - global distinct_peers: table[addr] of set[addr] - &read_expire = 15 mins &expire_func=scan_summary &redef; - global distinct_ports: table[addr] of set[port] - &read_expire = 15 mins &expire_func=port_summary &redef; - global distinct_low_ports: table[addr] of set[port] - &read_expire = 15 mins &expire_func=lowport_summary &redef; - - # Indexed by scanner address, yields a table with scanned hosts - # (and ports). 
- global scan_triples: table[addr] of table[addr] of set[port]; - - global remove_possible_source: - function(s: set[addr], idx: addr): interval; - global possible_scan_sources: set[addr] - &expire_func=remove_possible_source &read_expire = 15 mins; - - # Indexed by source address, yields user name & password tried. - global accounts_tried: table[addr] of set[string, string] - &read_expire = 1 days; - - global ignored_scanners: set[addr] &create_expire = 1 day &redef; - - # These tables track whether a threshold has been reached. - # More precisely, the counter is the next index of threshold vector. - global shut_down_thresh_reached: table[addr] of bool &default=F; - global rb_idx: table[addr] of count - &default=0 &read_expire = 1 days &redef; - global rps_idx: table[addr] of count - &default=0 &read_expire = 1 days &redef; - global rops_idx: table[addr] of count - &default=0 &read_expire = 1 days &redef; - global rpts_idx: table[addr,addr] of count - &default=0 &read_expire = 1 days &redef; - global rat_idx: table[addr] of count - &default=0 &read_expire = 1 days &redef; - global rrat_idx: table[addr] of count - &default=0 &read_expire = 1 days &redef; -} - -global thresh_check: function(v: vector of count, idx: table[addr] of count, - orig: addr, n: count): bool; -global thresh_check_2: function(v: vector of count, - idx: table[addr,addr] of count, orig: addr, - resp: addr, n: count): bool; - -function scan_summary(t: table[addr] of set[addr], orig: addr): interval - { - local num_distinct_peers = orig in t ? |t[orig]| : 0; - - if ( num_distinct_peers >= scan_summary_trigger ) - NOTICE([$note=ScanSummary, $src=orig, $n=num_distinct_peers, - $msg=fmt("%s scanned a total of %d hosts", - orig, num_distinct_peers)]); - - return 0 secs; - } - -function port_summary(t: table[addr] of set[port], orig: addr): interval - { - local num_distinct_ports = orig in t ? 
|t[orig]| : 0; - - if ( num_distinct_ports >= port_summary_trigger ) - NOTICE([$note=PortScanSummary, $src=orig, $n=num_distinct_ports, - $msg=fmt("%s scanned a total of %d ports", - orig, num_distinct_ports)]); - - return 0 secs; - } - -function lowport_summary(t: table[addr] of set[port], orig: addr): interval - { - local num_distinct_lowports = orig in t ? |t[orig]| : 0; - - if ( num_distinct_lowports >= lowport_summary_trigger ) - NOTICE([$note=LowPortScanSummary, $src=orig, - $n=num_distinct_lowports, - $msg=fmt("%s scanned a total of %d low ports", - orig, num_distinct_lowports)]); - - return 0 secs; - } - -function clear_addr(a: addr) - { - delete distinct_peers[a]; - delete distinct_ports[a]; - delete distinct_low_ports[a]; - delete scan_triples[a]; - delete possible_scan_sources[a]; - delete distinct_backscatter_peers[a]; - delete pre_distinct_peers[a]; - delete rb_idx[a]; - delete rps_idx[a]; - delete rops_idx[a]; - delete rat_idx[a]; - delete rrat_idx[a]; - delete shut_down_thresh_reached[a]; - delete ignored_scanners[a]; - } - -function ignore_addr(a: addr) - { - clear_addr(a); - add ignored_scanners[a]; - } - -function check_scan(c: connection, established: bool, reverse: bool): bool - { - if ( suppress_scan_checks ) - return F; - - local id = c$id; - - local service = "ftp-data" in c$service ? 20/tcp - : (reverse ? id$orig_p : id$resp_p); - local rev_service = reverse ? id$resp_p : id$orig_p; - local orig = reverse ? id$resp_h : id$orig_h; - local resp = reverse ? id$orig_h : id$resp_h; - local outbound = is_local_addr(orig); - - # The following works better than using get_conn_transport_proto() - # because c might not correspond to an active connection (which - # causes the function to fail). - if ( suppress_UDP_scan_checks && - service >= 0/udp && service <= 65535/udp ) - return F; - - if ( service in skip_services && ! 
outbound ) - return F; - - if ( outbound && service in skip_outbound_services ) - return F; - - if ( orig in skip_scan_sources ) - return F; - - if ( orig in skip_scan_nets ) - return F; - - # Don't include well known server/ports for scanning purposes. - if ( ! outbound && [resp, service] in skip_dest_server_ports ) - return F; - - if ( orig in ignored_scanners) - return F; - - if ( (! established || service !in Hot::allow_services) && - # not established, service not expressly allowed - - # not known peer set - (orig !in distinct_peers || resp !in distinct_peers[orig]) && - - # want to consider service for scan detection - (analyze_all_services || service in analyze_services) ) - { - if ( reverse && rev_service in backscatter_ports && - # reverse, non-priv backscatter port - service >= 1024/tcp ) - { - if ( orig !in distinct_backscatter_peers ) - { - local empty_bs_table: - table[addr] of count &default=0; - distinct_backscatter_peers[orig] = - empty_bs_table; - } - - if ( ++distinct_backscatter_peers[orig][resp] <= 2 && - # The test is <= 2 because we get two check_scan() - # calls, once on connection attempt and once on - # tear-down. - - distinct_backscatter_peers[orig][resp] == 1 && - - # Looks like backscatter, and it's not scanning - # a privileged port. - - thresh_check(report_backscatter, rb_idx, orig, - |distinct_backscatter_peers[orig]|) - ) - { - local rev_svc = rev_service in port_names ? - port_names[rev_service] : - fmt("%s", rev_service); - - NOTICE([$note=BackscatterSeen, $src=orig, - $p=rev_service, - $msg=fmt("backscatter seen from %s (%d hosts; %s)", - orig, |distinct_backscatter_peers[orig]|, rev_svc)]); - } - - if ( ignore_scanners_threshold > 0 && - |distinct_backscatter_peers[orig]| > - ignore_scanners_threshold ) - ignore_addr(orig); - } - - else - { # done with backscatter check - local ignore = F; - - local svc = service in port_names ? 
- port_names[service] : fmt("%s", service); - - if ( orig !in distinct_peers && addr_scan_trigger > 0 ) - { - if ( orig !in pre_distinct_peers ) - pre_distinct_peers[orig] = set(); - - add pre_distinct_peers[orig][resp]; - if ( |pre_distinct_peers[orig]| < addr_scan_trigger ) - ignore = T; - } - - if ( ! ignore ) - { # XXXXX - - if ( orig !in distinct_peers ) - distinct_peers[orig] = set() &mergeable; - - if ( resp !in distinct_peers[orig] ) - add distinct_peers[orig][resp]; - - local n = |distinct_peers[orig]|; - - if ( activate_landmine_check && - n >= landmine_thresh_trigger && - mask_addr(resp, 24) in landmine_address ) - { - local msg2 = fmt("landmine address trigger %s%s ", orig, svc); - NOTICE([$note=Landmine, $src=orig, - $p=service, $msg=msg2]); - } - - # Check for threshold if not outbound. - if ( ! shut_down_thresh_reached[orig] && - n >= shut_down_thresh && - ! outbound && orig !in neighbor_nets ) - { - shut_down_thresh_reached[orig] = T; - local msg = fmt("shutdown threshold reached for %s", orig); - NOTICE([$note=ShutdownThresh, $src=orig, - $p=service, $msg=msg]); - } - - else - { - local address_scan = F; - if ( outbound && - # inside host scanning out? - thresh_check(report_outbound_peer_scan, rops_idx, orig, n) ) - address_scan = T; - - if ( ! outbound && - thresh_check(report_peer_scan, rps_idx, orig, n) ) - address_scan = T; - - if ( address_scan ) - NOTICE([$note=AddressScan, - $src=orig, $p=service, - $n=n, - $msg=fmt("%s has scanned %d hosts (%s)", - orig, n, svc)]); - - if ( address_scan && - ignore_scanners_threshold > 0 && - n > ignore_scanners_threshold ) - ignore_addr(orig); - } - } - } # XXXX - } - - if ( established ) - # Don't consider established connections for port scanning, - # it's too easy to be mislead by FTP-like applications that - # legitimately gobble their way through the port space. 
- return F; - - # Coarse search for port-scanning candidates: those that have made - # connections (attempts) to possible_port_scan_thresh or more - # distinct ports. - if ( orig !in distinct_ports || service !in distinct_ports[orig] ) - { - if ( orig !in distinct_ports ) - distinct_ports[orig] = set() &mergeable; - - if ( service !in distinct_ports[orig] ) - add distinct_ports[orig][service]; - - if ( |distinct_ports[orig]| >= possible_port_scan_thresh && - orig !in scan_triples ) - { - scan_triples[orig] = table() &mergeable; - add possible_scan_sources[orig]; - } - } - - # Check for low ports. - if ( activate_priv_port_check && ! outbound && service < 1024/tcp && - service !in troll_skip_service ) - { - if ( orig !in distinct_low_ports || - service !in distinct_low_ports[orig] ) - { - if ( orig !in distinct_low_ports ) - distinct_low_ports[orig] = set() &mergeable; - - add distinct_low_ports[orig][service]; - - if ( |distinct_low_ports[orig]| == priv_scan_trigger && - orig !in neighbor_nets ) - { - local s = service in port_names ? port_names[service] : - fmt("%s", service); - local svrc_msg = fmt("low port trolling %s %s", orig, s); - NOTICE([$note=LowPortTrolling, $src=orig, - $p=service, $msg=svrc_msg]); - } - - if ( ignore_scanners_threshold > 0 && - |distinct_low_ports[orig]| > - ignore_scanners_threshold ) - ignore_addr(orig); - } - } - - # For sources that have been identified as possible scan sources, - # keep track of per-host scanning. 
- if ( orig in possible_scan_sources ) - { - if ( orig !in scan_triples ) - scan_triples[orig] = table() &mergeable; - - if ( resp !in scan_triples[orig] ) - scan_triples[orig][resp] = set() &mergeable; - - if ( service !in scan_triples[orig][resp] ) - { - add scan_triples[orig][resp][service]; - - if ( thresh_check_2(report_port_scan, rpts_idx, - orig, resp, - |scan_triples[orig][resp]|) ) - { - local m = |scan_triples[orig][resp]|; - NOTICE([$note=PortScan, $n=m, $src=orig, - $p=service, - $msg=fmt("%s has scanned %d ports of %s", - orig, m, resp)]); - } - } - } - - return T; - } - - -event account_tried(c: connection, user: string, passwd: string) - { - local src = c$id$orig_h; - - if ( src !in accounts_tried ) - accounts_tried[src] = set(); - - if ( [user, passwd] in accounts_tried[src] ) - return; - - local threshold_check = F; - - if ( is_local_addr(src) ) - { - if ( thresh_check(report_remote_accounts_tried, rrat_idx, src, - |accounts_tried[src]|) ) - threshold_check = T; - } - else - { - if ( thresh_check(report_accounts_tried, rat_idx, src, - |accounts_tried[src]|) ) - threshold_check = T; - } - - if ( threshold_check && src !in skip_accounts_tried ) - { - local m = |accounts_tried[src]|; - NOTICE([$note=PasswordGuessing, $src=src, $n=m, - $user=user, $sub=passwd, $p=c$id$resp_p, - $msg=fmt("%s has tried %d username/password combinations (latest: %s@%s)", - src, m, user, c$id$resp_h)]); - } - - add accounts_tried[src][user, passwd]; - } - -# Check for a successful login attempt from a scan. -event login_successful(c: connection, user: string) - { - local id = c$id; - local src = id$orig_h; - - if ( src in accounts_tried && - |accounts_tried[src]| >= password_guessing_success_threshhold ) - NOTICE([$note=SuccessfulPasswordGuessing, $src=src, $conn=c, - $msg=fmt("%s successfully logged in user '%s' after trying %d username/password combinations", - src, user, |accounts_tried[src]|)]); - } - - -# Hook into the catch&release dropping. 
When an address gets restored, we reset -# the source to allow dropping it again. -event Drop::address_restored(a: addr) - { - Drop::debug_log(fmt("received restored for %s (scan.bro)", a)); - clear_addr(a); - } - -event Drop::address_cleared(a: addr) - { - Drop::debug_log(fmt("received cleared for %s (scan.bro)", a)); - clear_addr(a); - } - -# When removing a possible scan source, we automatically delete its scanned -# hosts and ports. But we do not want the deletion propagated, because every -# peer calls the expire_function on its own (and thus applies the delete -# operation on its own table). -function remove_possible_source(s: set[addr], idx: addr): interval - { - suspend_state_updates(); - delete scan_triples[idx]; - resume_state_updates(); - - return 0 secs; - } - -# To recognize whether a certain threshhold vector (e.g. report_peer_scans) -# has been transgressed, a global variable containing the next vector index -# (idx) must be incremented. This cumbersome mechanism is necessary because -# values naturally don't increment by one (e.g. replayed table merges). -function thresh_check(v: vector of count, idx: table[addr] of count, - orig: addr, n: count): bool - { - if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold ) - { - ignore_addr(orig); - return F; - } - - if ( idx[orig] < |v| && n >= v[idx[orig]] ) - { - ++idx[orig]; - return T; - } - else - return F; - } - -# Same as above, except the index has a different type signature. 
-function thresh_check_2(v: vector of count, idx: table[addr, addr] of count, - orig: addr, resp: addr, n: count): bool - { - if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold ) - { - ignore_addr(orig); - return F; - } - - if ( idx[orig,resp] < |v| && n >= v[idx[orig, resp]] ) - { - ++idx[orig,resp]; - return T; - } - else - return F; - } - -event connection_established(c: connection) - { - local is_reverse_scan = (c$orig$state == TCP_INACTIVE); - Scan::check_scan(c, T, is_reverse_scan); - - local trans = get_port_transport_proto(c$id$orig_p); - if ( trans == tcp && ! is_reverse_scan && TRW::use_TRW_algorithm ) - TRW::check_TRW_scan(c, conn_state(c, trans), F); - } - -event partial_connection(c: connection) - { - Scan::check_scan(c, T, F); - } - -event connection_attempt(c: connection) - { - Scan::check_scan(c, F, c$orig$state == TCP_INACTIVE); - - local trans = get_port_transport_proto(c$id$orig_p); - if ( trans == tcp && TRW::use_TRW_algorithm ) - TRW::check_TRW_scan(c, conn_state(c, trans), F); - } - -event connection_half_finished(c: connection) - { - # Half connections never were "established", so do scan-checking here. - Scan::check_scan(c, F, F); - } - -event connection_rejected(c: connection) - { - local is_reverse_scan = c$orig$state == TCP_RESET; - - Scan::check_scan(c, F, is_reverse_scan); - - local trans = get_port_transport_proto(c$id$orig_p); - if ( trans == tcp && TRW::use_TRW_algorithm ) - TRW::check_TRW_scan(c, conn_state(c, trans), is_reverse_scan); - } - -event connection_reset(c: connection) - { - if ( c$orig$state == TCP_INACTIVE || c$resp$state == TCP_INACTIVE ) - # We never heard from one side - that looks like a scan. - Scan::check_scan(c, c$orig$size + c$resp$size > 0, - c$orig$state == TCP_INACTIVE); - } - -event connection_pending(c: connection) - { - if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE ) - Scan::check_scan(c, F, F); - } - -# Report the remaining entries in the tables. 
-event bro_done()
- {
- for ( orig in distinct_peers )
- scan_summary(distinct_peers, orig);
-
- for ( orig in distinct_ports )
- port_summary(distinct_ports, orig);
-
- for ( orig in distinct_low_ports )
- lowport_summary(distinct_low_ports, orig);
- }
diff --git a/policy.old/secondary-filter.bro b/policy.old/secondary-filter.bro
deleted file mode 100644
index 025e450225..0000000000
--- a/policy.old/secondary-filter.bro
+++ /dev/null
@@ -1,44 +0,0 @@
-# $Id: secondary-filter.bro 6022 2008-07-25 19:15:00Z vern $
-
-# Examples of using the secondary-filter matching path.
-
-event rst_syn_fin_flag(filter: string, pkt: pkt_hdr)
- {
- print "rst_syn_fin_flag()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
- pkt$ip$dst, pkt$tcp$dport);
- }
-
-event a_udp_event(filter: string, pkt: pkt_hdr)
- {
- print "a_udp_event()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$udp$sport,
- pkt$ip$dst, pkt$udp$dport);
- }
-
-event a_tcp_event(filter: string, pkt: pkt_hdr)
- {
- print "a_tcp_event()";
- print fmt(" %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
- pkt$ip$dst, pkt$tcp$dport);
- }
-
-event sampled_1_in_1024_packet(filter: string, pkt: pkt_hdr)
- {
- print "sampled packet:";
- print "ip", pkt$ip;
-
- if ( pkt?$tcp )
- print "tcp", pkt$tcp;
- if ( pkt?$udp )
- print "udp", pkt$udp;
- if ( pkt?$icmp )
- print "icmp", pkt$icmp;
- }
-
-redef secondary_filters += {
- ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
- ["udp"] = a_udp_event,
- ["tcp"] = a_tcp_event,
- ["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
-};
diff --git a/policy.old/sensor-sshd.bro b/policy.old/sensor-sshd.bro
deleted file mode 100644
index 060f0cef68..0000000000
--- a/policy.old/sensor-sshd.bro
+++ /dev/null
@@ -1,276 +0,0 @@
-# $Id: sensor-sshd.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# sshd sensor input, i.e., events received from instrumented SSH servers
-# that communicate with Bro via the Broccoli library.
-
-# We leverage the login analyzer:
-@load login
-@load remote
-
-# To prevent requesting sshd events from any peering Bro that connects,
-# here is a list of our sshds. List the IP addresses of the hosts your
-# sshds are running on here:
-#
-redef Remote::destinations += {
- ["sshd1"] = [$host = 127.0.0.1, $events = /sensor_sshd.*/, $connect=F, $ssl=F]
-};
-
-# A big log file for all kinds of notes:
-#
-global sshd_log: file = open_log_file("sshd");
-
-# A record gathering everything we need to know per connection
-# from an ssh client to the sshd:
-#
-type sshd_conn: record {
-
- # Connection record we create for connections to sshd
- conn: connection;
-
- # A table indexed by channel numbers, yielding files.
- # For each channel that contains a shell session this
- # table contains a file to which the session content is
- # logged.
- sessions: table[count] of file;
-};
-
-# To avoid reporting IP/port quadruples repeatedly, connections in
-# sshd are identified through a globally unique identifier for the
-# sshd server (a string) plus an numerical identifier for each
-# connection to that sshd.
-#
-global sshd_conns: table[string, count] of sshd_conn;
-
-
-function sshd_conn_new(src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port,
- ts: time): sshd_conn
- {
- local id: conn_id;
- id$orig_h = src_ip;
- id$orig_p = src_p;
- id$resp_h = dst_ip;
- id$resp_p = dst_p;
-
- local orig: endpoint;
- local resp: endpoint;
- orig$size = resp$size = 0;
- orig$state = resp$state = 0;
-
- local c: connection;
- c$id = id;
- c$orig = orig;
- c$resp = resp;
- c$start_time = ts;
- c$duration = 0 sec;
-
- # We mark this connection so the login analyzer can
- # understand that it is a login session.
- add c$service["ssh-login"];
-
- c$addl = "";
- c$hot = 0;
-
- local sc: sshd_conn;
- sc$conn = c;
-
- return sc;
- }
-
-
-event sensor_sshd_listen(ts: time, sid: string,
- server_ip: addr, server_p: port)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd listening at %s:%d",
- ts, get_event_peer()$host, sid, server_ip, server_p);
- }
-
-
-event sensor_sshd_restart(ts: time, sid: string)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd %s restarted",
- ts, get_event_peer()$host, sid, sid);
- }
-
-
-event sensor_sshd_exit(ts: time, sid: string)
- {
- print sshd_log, fmt("[%D][%s:%s] sshd %s exiting",
- ts, get_event_peer()$host, sid, sid);
- }
-
-
-event sensor_sshd_conn_new(ts: time, sid: string, cid: count,
- src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port)
- {
- local sc = sshd_conn_new(src_ip, src_p, dst_ip, dst_p, ts);
- sshd_conns[sid, cid] = sc;
- print sshd_log, fmt("[%D][%s:%s:%d] conn attempt from %s:%d to %s:%d",
- ts, get_event_peer()$host, sid, cid, src_ip, sc$conn$id$orig_p,
- dst_ip, sc$conn$id$resp_p);
-
- Login::new_login_session(sc$conn, get_event_peer()$id, 0);
- }
-
-
-event sensor_sshd_conn_end(ts: time, sid: string, cid: count)
- {
- local pid = get_event_peer()$id;
- local sc = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d] conn terminated",
- ts, get_event_peer()$host, sid, cid);
-
- Login::remove_login_session(sc$conn, pid);
- delete sshd_conns[sid, cid];
- }
-
-
-event sensor_sshd_auth_ok(ts: time, sid: string, cid: count,
- user: string, uid: int, gid: int)
- {
- local pid = get_event_peer()$id;
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth ok: %s (%d/%d)",
- ts, get_event_peer()$host, sid, cid, user, uid, gid);
-
- Login::ext_set_login_state(sc$conn$id, pid, LOGIN_STATE_LOGGED_IN);
- event authentication_accepted(user, sc$conn);
- }
-
-
-event sensor_sshd_auth_failed(ts: time, sid: string, cid: count, user: string)
- {
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth reject: user %s from %s:%d",
- ts, get_event_peer()$host, sid, cid, user,
- sc$conn$id$orig_h, sc$conn$id$orig_p);
-
- event authentication_rejected(user, sc$conn);
- }
-
-
-event sensor_sshd_auth_timeout(ts: time, sid: string, cid: count)
- {
- local sc = sshd_conns[sid, cid];
- print sshd_log, fmt("[%D][%s:%s:%d] auth timeout", ts,
- sid, get_event_peer()$host, cid);
- }
-
-
-event sensor_sshd_auth_password_attempt(ts: time, sid: string, cid: count,
- user: string, password: string,
- valid: bool)
- {
- local sc = sshd_conns[sid, cid];
-
- if ( ! valid )
- {
- print sshd_log, fmt("[%D][%s:%s:%d] password bad: user %s, password '%s'",
- ts, get_event_peer()$host, sid, cid, user, password);
- event login_failure(sc$conn, user, "", password, "");
- }
- else
- {
- print sshd_log, fmt("[%D][%s:%s:%d] password ok: user %s, password '%s'",
- ts, get_event_peer()$host, sid, cid, user, password);
- event login_success(sc$conn, user, "", password, "");
- }
- }
-
-
-event sensor_sshd_channel_new_session(ts: time, sid: string, cid: count,
- chan_id: count, stype: string)
- {
- local sc = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new session: type %s",
- ts, get_event_peer()$host, sid, cid, chan_id, stype);
-
- if ( stype == "shell" )
- {
- local filename =
- fmt("sshd-%s-%s-%d-%d.log",
- get_event_peer()$host, sid, cid, chan_id);
- sc$sessions[chan_id] = open(filename);
- }
- }
-
-
-event sensor_sshd_channel_new_forward(ts: time, sid: string,
- cid: count, chan_id: count,
- src_ip: addr, src_p: port,
- dst_ip: addr, dst_p: port,
- s2h: bool)
- {
- if ( s2h )
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d -> c -> s -> %s:%d",
- ts, get_event_peer()$host, sid, cid,
- chan_id, src_ip, src_p, dst_ip, dst_p);
- else
- print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d <- c <- s <- %s:%d",
- ts, get_event_peer()$host, sid, cid,
- chan_id, dst_ip, dst_p, src_ip, src_p);
- }
-
-
-event sensor_sshd_data_rx(ts: time, sid: string, cid: count, chan_id: count,
- line: string)
- {
- local sc = sshd_conns[sid, cid];
-
- if ( chan_id in sc$sessions )
- {
- print sc$sessions[chan_id],
- fmt("[%D][%s:%s:%d:%d] rx: %s", ts,
- get_event_peer()$host, sid, cid, chan_id, line);
- event login_output_line(sc$conn, line);
- }
- }
-
-
-event sensor_sshd_data_tx(ts: time, sid: string, cid: count,
- chan_id: count, line: string)
- {
- local sc: sshd_conn = sshd_conns[sid, cid];
-
- if ( chan_id in sc$sessions )
- {
- print sc$sessions[chan_id],
- fmt("[%D][%s:%s:%d:%d] tx: %s", ts,
- get_event_peer()$host, sid, cid, chan_id, line);
- event login_input_line(sc$conn, line);
- }
- }
-
-
-event sensor_sshd_exec(ts: time, sid: string, cid: count,
- chan_id: count, command: string)
- {
- print sshd_log,
- fmt("[%D][%s:%s:%d:%d] exec: '%s'", ts, get_event_peer()$host,
- sid, cid, chan_id, command);
- }
-
-
-event sensor_sshd_channel_exit(ts: time, sid: string, cid: count,
- chan_id: count, status: int)
- {
- print sshd_log,
- fmt("[%D][%s:%s:%d:%d] channel exit, code %d", ts,
- get_event_peer()$host, sid, cid, chan_id, status);
- }
-
-
-event sensor_sshd_channel_cleanup(ts: time, sid: string, cid: count,
- chan_id: count)
- {
- local sc: sshd_conn = sshd_conns[sid, cid];
-
- print sshd_log, fmt("[%D][%s:%s:%d:%d] channel cleanup",
- ts, get_event_peer()$host, sid, cid, chan_id);
-
- if ( chan_id in sc$sessions )
- delete sc$sessions[chan_id];
- }
diff --git a/policy.old/service-probe.bro b/policy.old/service-probe.bro
deleted file mode 100644
index 2cb02a3463..0000000000
--- a/policy.old/service-probe.bro
+++ /dev/null
@@ -1,97 +0,0 @@
-# $Id: service-probe.bro 5892 2008-07-01 02:37:03Z vern $
-#
-# Detects hosts that continually bang away at a particular service
-# of a local host, for example for brute-forcing passwords.
-#
-# Written by Jim Mellander, LBNL.
-# Updated by Robin Sommer, ICSI.
-
-@load conn
-
-module ServiceProbe;
-
-export {
- redef enum Notice += { ServiceProbe };
-
- # No work gets done unless this is set.
- global detect_probes = F &redef;
-
- # By default, look for service probes targeting MySQL and SSH.
- global probe_ports = { 1433/tcp, 22/tcp, } &redef;
-
- # They have to connect to this many to be flagged.
- global connect_threshold: table[port] of count &default=100 &redef;
-
- # How many bytes the connection must have to be considered potentially
- # a probe. If missing, then there's no lower/upper bound.
- #
- # Note, the attack that motivated including these was SSH password
- # guessing, where it was empirically determined that connections
- # with > 1KB and < 2KB bytes transferred appear to be unsuccessful
- # password guesses.
- #
- global min_bytes: table[port] of int &default=-1 &redef;
- global max_bytes: table[port] of int &default=-1 &redef;
-
- # How many tries a given originator host has made against a given
- # port on a given responder host.
- global tries: table[addr, addr, port] of count
- &default=0 &read_expire = 10 min;
-}
-
-global reported_hosts: set[addr] &read_expire = 1 day;
-
-function service_probe_check(c: connection)
- {
- if ( ! detect_probes )
- return;
-
- local id = c$id;
- local orig = id$orig_h;
- local resp = id$resp_h;
- local service = (port_names[20/tcp] in c$service) ? 20/tcp : id$resp_p;
-
- if ( orig in reported_hosts )
- # We've already blocked them.
- return;
-
- if ( is_local_addr(orig) )
- # We only analyze probes of local servers.
- return;
-
- if ( service !in probe_ports )
- # Not a port we care about.
- return;
-
- local enough_bytes = T;
- local bytes_xferred = c$orig$size + c$resp$size;
-
- if ( service in min_bytes && bytes_xferred < min_bytes[service] )
- enough_bytes = F;
-
- if ( service in max_bytes && bytes_xferred > max_bytes[service] )
- enough_bytes = F;
-
- if ( ! enough_bytes )
- return;
-
- local cnt = ++tries[orig, resp, service];
- if ( cnt == connect_threshold[service] )
- {
- local svc = service_name(c);
-
- NOTICE([$note=ServiceProbe, $src=orig,
- $msg=fmt("service probing %s -> %s %s",
- orig, resp, svc)]);
-
- # Since we've dropped this host, we can now release the space.
- delete tries[orig, resp, service];
- add reported_hosts[orig];
- }
- }
-
-
-event connection_state_remove(c: connection)
- {
- service_probe_check(c);
- }
diff --git a/policy.old/sigs/http-bots.sig b/policy.old/sigs/http-bots.sig
deleted file mode 100644
index 26f61c7d45..0000000000
--- a/policy.old/sigs/http-bots.sig
+++ /dev/null
@@ -1,93 +0,0 @@
-# $Id:$
-#
-# Some signatures for detecting certain HTTP-based botnet activity.
-
-signature nethell {
- http-request /.*php\?userid=/
- http-request-body /userid=[0-9]{8}_/
- event "Nethell request"
-}
-
-signature bzub {
- http-request /.*ver=.*&lg=.*&phid=.*&r=/
- http-request-body /phid=[A-F0-9]{64}/
- event "bzub request"
-}
-
-signature iebho {
- http-request /.*ver=.*&lg=.*&phid=/
- http-request-body /phid=[A-F0-9]{32}/
- event "IEBHO request"
-}
-
-signature bebloh {
- payload /^GET/
- http-request /.*get\.php\?type=slg&id=/
- event "Bebloh request"
-}
-
-signature black_enery {
- payload /^POST/
- http-request-header /Cache-Control: no-cache/
- http-request-body /.*id=.*&build_id=.*id=x.+_[0-9A-F]{8}&build_id=.+/
- event "Black energy request"
-}
-
-signature waledec {
- payload /^POST/
- http-request /\/[A-Za-z0-9]+\.[pP][nN][gG]/
- event "Waledec request"
-}
-
-signature silentbanker {
- payload /^POST/
- http-request /.*\/getcfg\.php/
- event "SilentBanker request"
-}
-
-signature icepack {
- payload /^GET/
- http-request /.*\/exe\.php/
- event "Icepack request"
-}
-
-signature torpig {
- payload /^POST/
- http-request /.*\/gate\.php/
- event "Torpig request"
-}
-
-signature peed {
- http-request /.*\/controller\.php\?action=/
- http-request /.*&entity/
- http-request /.*&rnd=/
- event "Peed request"
-}
-
-signature gozi {
- payload /^GET/
- http-request /.*\?user_id=/
- http-request /.*&version_id=/
- http-request /.*&crc=/
- event "Gozi request"
-}
-
-signature wsnpoem {
- payload /^GET/
- http-request /.*\/((cfg|config)[0-9]*)\.bin$/
- event "wsnpoem request"
-}
-
-signature pinch {
- payload /^POST/
- http-request /.*\?act=online&.*s4=.*&s5=.*&nickname=/
- http-request-body /.*msg_out=/
- event "pinch request"
-}
-
-signature grum {
- payload /^GET/
- http-request /.*s_alive\.php/
- event "Grum request"
-}
-
diff --git a/policy.old/sigs/p0fsyn.osf b/policy.old/sigs/p0fsyn.osf
deleted file mode 100644
index 8767265819..0000000000
--- a/policy.old/sigs/p0fsyn.osf
+++ /dev/null
@@ -1,773 +0,0 @@
-#
-# p0f - SYN fingerprints
-# ----------------------
-#
-# .-------------------------------------------------------------------------.
-# | The purpose of this file is to cover signatures for incoming TCP/IP |
-# | connections (SYN packets). This is the default mode of operation for |
-# | p0f. This is also the biggest and most up-to-date set of signatures |
-# | shipped with this project. The file also contains a detailed discussion |
-# | of all metrics examined by p0f, and some practical notes on how to |
-# | add new signatures. |
-# `-------------------------------------------------------------------------'
-#
-# (C) Copyright 2000-2003 by Michal Zalewski
-#
-# Each line in this file specifies a single fingerprint. Please read the
-# information below carefully before attempting to append any signatures
-# reported by p0f as UNKNOWN to this file to avoid mistakes. Note that
-# this file is compatible only with the default operation mode, and not
-# with -R or -A options (SYN+ACK and RST+ modes).
-#
-# We use the following set metrics for fingerprinting:
-#
-# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
-# performance control (max. amount of data to be sent without ACK).
-# Some systems use a fixed value for initial packets. On other
-# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
-# cases, the value is just arbitrary.
-#
-# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
-# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
-# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
-# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
-# literally. If you know this device has a simple stack and a fixed
-# MTU, you can however multiply S value by MSS, or T value by MSS+40,
-# and put it instead of Snn or Tnn. One system may exhibit several T
-# or S values. In some situations, this might be a source of some
-# additional information about the setup if you have some time to dig
-# thru the kernel sources; in some other cases, like Windows, there seem
-# to be a multitude of variants and WSS selection algorithms, but it's
-# rather difficult to find a pattern without having the source.
-#
-# If WSS looks like a regular fixed value (for example is a power of two),
-# or if you can confirm the value is fixed by looking at several
-# fingerprints, please quote it literaly. If there's no apparent pattern
-# in WSS chosen, you should consider wildcarding this value - but this
-# should be the last option.
-#
-# NOTE: Some NAT devices, such as Linux iptables with --set-mss, will
-# modify MSS, but not WSS. As a result, MSS is changed to reflect
-# the MTU of the NAT device, but WSS remains a multiple of the original
-# MSS. Fortunately for us, the source device would almost always be
-# hooked up to Ethernet. P0f handles it automatically for the original
-# MSS of 1460, by adding "NAT!" tag to the result.
-#
-# In certain configurations, Linux erratically (?) uses MTU from another
-# interface on the default gw interface. This only happens on systems with
-# two network interfaces. Thus, some Linux systems that do not go thru NAT,
-# but have multiple interfaces instead, will be also tagged this way.
-#
-# P0f recognizes and automatically wildcards WSS of 12345, as generated
-# by sendack and sendsyn utilities shipped with the program, when
-# reporting a new signature. See test/sendack.c and test/sendsyn.c for more
-# information about this.
-#
-# - Overall packet size - a function of all IP and TCP options and bugs.
-# While this is partly redundant in the real world, we record this value
-# to capture rare cases when there are IP options (which we do not currently
-# examine) or packet data past the headers. Both situations are rare.
-#
-# Packet size MAY be wildcarded, but the meaning of the wildcard is
-# very special, and means the packet must be larger than PACKET_BIG
-# (defined in config.h as 100). This is usually not necessary, except
-# for some really broken implementations in RST+ mode. For more information,
-# see p0fr.fp. P0f automatically wildcards big packets when reporting
-# new signatures.
-#
-# NEW SIGNATURE: Copy this value literally.
-#
-# - Initial TTL - We check the actual TTL of a received packet. It can't
-# be higher than the initial TTL, and also shouldn't be dramatically
-# lower (maximum distance is defined in config.h as 40 hops).
-#
-# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
-# You need to determine the initial TTL. The best way to do it is to
-# check the documentation for a remote system, or check its settings.
-# A fairly good method is to simply round the observed TTL up to
-# 32, 64, 128, or 255, but it should be noted that some obscure devices
-# might not use round TTLs (in particular, some shoddy appliances and
-# IRIX and Tru64 are known to use "original" initial TTL settings). If not
-# sure, use traceroute or mtr to see how far you are from the host.
-#
-# Note that -F option overrides this check if no signature can be found.
-#
-# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
-# discovery. Others do not bother.
-#
-# NEW SIGNATURE: Copy this value literally. Note: this setting is
-# sometimes cleared by firewalls and/or certain connectivity clients.
-# Try to find out what's the actual state for a given OS if you see both,
-# and add the right one. P0f will automatically detect a case when a
-# firewall removed the DF flag and will append "(firewall!)" suffix to
-# the signature, so if the DF version is the right one, don't add no-DF
-# variant, unless it has a different meaning.
-#
-# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
-# uses it to determine link type of the remote host.
-#
-# NEW SIGNATURE: Always wildcard this value, except for rare cases when
-# you have an appliance with a fixed value, know the system supports only
-# a very limited number of network interface types, or know the system
-# is using a value it pulled out of nowhere. I use specific unique MSS
-# to tell Google crawlbots from the rest of Linux population, for example.
-#
-# If a specific MSS/MTU is unique to a certain link type, be sure to
-# add it to mtu.h instead of creating several variants of each signature.
-#
-# - Window scaling (WSCALE) - this feature is used to scale WSS.
-# It extends the size of a TCP/IP window to 32 bits, of sorts. Some modern
-# systems implement this feature.
-#
-# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
-# to zero or other low value. There's usually no need to wildcard this
-# parameter.
-#
-# - Timestamp - some systems that implement timestamps set them to
-# zero in the initial SYN. This case is detected and handled appropriately.
-#
-# NEW SIGNATURE: Copy T or T0 option literally.
-#
-# - Selective ACK permitted - a flag set by systems that implement
-# selective ACK functionality,
-#
-# NEW SIGNATURE: copy S option literally.
-#
-# - NOP option - its presence, count and sequence is a useful OS-dependent
-# characteristic,
-#
-# NEW SIGNATURE: copy N options literally.
-#
-# - Other and unrecognized options (TTCP-related and such) - implemented by
-# some eccentric or very buggy TCP/IP stacks ;-),
-#
-# NEW SIGNATURE: copy ? options literally.
-#
-# - EOL option. Contrary to the popular belief, the presence of EOL
-# option is actually quite rare, most systems just NOP-pad to the
-# packet boundary.
-#
-# NEW SIGNATURE: copy E option literally.
-#
-# - The sequence of TCP all options mentioned above - this is very
-# specific to the implementation,
-#
-# NEW SIGNATURE: Copy the sequence literally.
-#
-# - Quirks. Some buggy stacks set certain values that should be zeroed in a
-# TCP packet to non-zero values. This has no effect as of today, but is
-# a valuable source of information. Some systems actually seem to leak
-# memory there. Other systems just exhibit harmful but very specific
-# behavior. This section captures all unusual yes-no properties not
-# related to the main and expected header layout. We detect the following:
-#
-# - Data past the headers. Neither SYN nor SYN+ACK packets are supposed
-# to carry any payload. If they do, we should take notice. The actual
-# payload is not examined, but will be displayed if use the -X option.
-# Note that payload is not unusual in RST+ mode (see p0fr.fp), very
-# rare otherwise.
-#
-# - Options past EOL. Some systems have some trailing data past EOL
-# in the options section of TCP/IP headers. P0f does not examine this
-# data as of today, simply detects its presence. If there is a
-# confirmed sizable population of systems that have data past EOL, it
-# might be a good idea to look at it. Until then, you have to recompile
-# p0f with DEBUG_EXTRAS set or use -x to display this data,
-#
-# - Zero IP ID. This again is a (mostly) harmless setting to use a fixed
-# IP ID for packets with DF set. Some systems reportedly use zero ID,
-# most OSes do not. There is a very slight probability of a false
-# positive when IP ID is "naturally" chosen to be zero on a system
-# that otherwise does set proper values, but the probability is
-# neglible (if it becomes a problem, recompile p0f with IGNORE_ZEROID
-# set in the sources).
-#
-# - IP options specified. Usually, packets do not have any IP options
-# set, but there can be some. Until there is a confirmed sizable
-# population of systems that do have IP options in a packet, p0f
-# does not examine those in detail, but it might change (use
-# DEBUG_EXTRAS or -x to display IP options if any found),
-#
-# - URG pointer value. SYN packets do not have URG flag set, so the
-# value in URG pointer in TCP header is ignored. Most systems set it
-# to zero, but some OSes (some versions of Windows, for example) do
-# not zero this field or even simply leak memory; the actual value is
-# not examined, because most cases seem to be just random garbage
-# (you can use DEBUG_EXTRAS or -x to report this information though);
-# see doc/win-memleak.txt for more information,
-#
-# - "Unused" field value. This should be always zero, but some systems
-# forget to clear it. This might result in some funny issues in the
-# future. P0f checks for non-zero value (and will display it if
-# DEBUG_EXTRAS is set, or you can use -x),
-#
-# - ACK number non-zero. ACK value in SYN packets with no ACK flag
-# is disregarded and is usually set to zero (just like with URG
-# pointer), but some systems forget to do it. The exact value is
-# not examined (but will be displayed with DEBUG_EXTRAS, or you can
-# use -x). Note that this is not an anomaly in SYN+ACK and RST+ modes,
-#
-# - Non-zero second timestamp. The initial SYN packet should have the
-# second timestamp always zeroed. SYN+ACK and RST+ may "legally" have
-# this quirk though,
-#
-# - Unusual flags. If, in addition to SYN (or SYN+ACK), there are some
-# auxilinary flags that do not modify the very meaning of a packet,
-# p0f records this (this can be URG, PUSH, or something else).
-#
-# Note: ECN flags (ECE and CWR) are ignored and denoted in a separate
-# way. ECN is never by default, because some systems can't handle it,
-# and it probably does not make much sense to include it in signatures
-# right now.
-#
-# - TCP option segment parsing problems. If p0f fails to decode options
-# because of a badly broken packet, it records this fact.
-#
-# There are several other quirks valid only in RST+ mode, see p0fr.fp for
-# more information. Those quirks are unheard of in SYN and SYN+ACK
-# modes.
-#
-# NEW SIGNATURE: Copy "quirks" section literally.
-#
-# We DO NOT use ToS for fingerprinting. While the original TCP/IP
-# fingerprinting research believed this value would be useful for this
-# purpose, it is not. The setting is way too often tweaked by network
-# devices.
-#
-# To wildcard MSS, WSS or WSCALE, replace it with '*'. You can also use a
-# modulo operator to match any values that divide by nnn - '%nnn' (and,
-# as stated above, WSS also supports special values Snn and Tnn).
-#
-# Fingerprint entry format:
-#
-# wwww:ttt:D:ss:OOO...:QQ:OS:Details
-#
-# wwww - window size (can be * or %nnn or Sxx or Txx)
-# "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
-# ttt - initial TTL
-# D - don't fragment bit (0 - not set, 1 - set)
-# ss - overall SYN packet size (* has a special meaning)
-# OOO - option value and order specification (see below)
-# QQ - quirks list (see below)
-# OS - OS genre (Linux, Solaris, Windows)
-# details - OS description (2.0.27 on x86, etc)
-#
-# If OS genre starts with '*', p0f will not show distance, link type
-# and timestamp data. It is useful for userland TCP/IP stacks of
-# network scanners and so on, where many settings are randomized or
-# bogus.
-#
-# If OS genre starts with @, it denotes an approximate hit for a group
-# of operating systems (signature reporting still enabled in this case).
-# Use this feature at the end of this file to catch cases for which
-# you don't have a precise match, but can tell it's Windows or FreeBSD
-# or whatnot by looking at, say, flag layout alone.
-#
-# If OS genre starts with - (which can prefix @ or *), the entry is
-# not considered to be a real operating system (but userland stack
-# instead). It is important to mark all scanners and so on with -,
-# so that they are not used for masquerade detection (also add this
-# prefix for signatures of application-induced behavior, such as
-# increased window size with Opera browser).
-#
-# Option block description is a list of comma or space separated
-# options in the order they appear in the packet:
-#
-# N - NOP option
-# E - EOL option
-# Wnnn - window scaling option, value nnn (or * or %nnn)
-# Mnnn - maximum segment size option, value nnn (or * or %nnn)
-# S - selective ACK OK
-# T - timestamp
-# T0 - timestamp with zero value
-# ?n - unrecognized option number n.
-#
-# P0f can sometimes report ?nn among the options. This means it couldn't
-# recognize this option (option number nn). It's either a bug in p0f, or
-# a faulty TCP/IP stack, or, if the number is listed here:
-#
-# http://www.iana.org/assignments/tcp-parameters
-#
-# ...the stack might be simply quite exotic.
-#
-# To denote no TCP options, use a single '.'.
-#
-# Quirks section is usually an empty list ('.') of oddities or bugs of this
-# particular stack. List items are not separated in any way. Possible values:
-#
-# P - options past EOL,
-# Z - zero IP ID,
-# I - IP options specified,
-# U - urg pointer non-zero,
-# X - unused (x2) field non-zero,
-# A - ACK number non-zero,
-# T - non-zero second timestamp,
-# F - unusual flags (PUSH, URG, etc),
-# D - data payload,
-# ! - broken options segment.
-#
-# WARNING WARNING WARNING
-# -----------------------
-#
-# Do not add a system X as OS Y just because NMAP says so. It is often
-# the case that X is a NAT firewall. While nmap is talking to the
-# device itself, p0f is fingerprinting the guy behind the firewall
-# instead.
-#
-# When in doubt, use common sense, don't add something that looks like
-# a completely different system as Linux or FreeBSD or LinkSys router.
-# Check DNS name, establish a connection to the remote host and look
-# at SYN+ACK (p0f -A -S should do) - does it look similar?
-#
-# Some users tweak their TCP/IP settings - enable or disable RFC1323,
-# RFC1644 or RFC2018 support, disable PMTU discovery, change MTU, initial
-# TTL and so on. Always compare a new rule to other fingerprints for
-# this system, and verify the system isn't "customized". It is OK to
-# add signature variants caused by commonly used software (PFs, security
-# packages, etc), but it makes no sense to try to add every single
-# possible /proc/sys/net/ipv4/* tweak on Linux or so.
-#
-# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
-# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
-# normalize packets. Signatures will not correspond to the originating
-# system (and probably not quite to the firewall either).
-#
-# NOTE: Try to keep this file in some reasonable order, from most to
-# least likely systems. This will speed up operation. Also keep most
-# generic and broad rules near ehe end.
-#
-# Still decided to add signature? Let us know - mail a copy of your discovery
-# to lcamtuf@coredump.cx. You can help make p0f better, and I can help you
-# make your signature more accurate.
-#
-
-##########################
-# Standard OS signatures #
-##########################
-
-# ----------------- AIX ---------------------
-
-# AIX is first because its signatures are close to NetBSD, MacOS X and
-# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
-# This is a shoddy hack, though.
-
-45046:64:0:44:M*:.:AIX:4.3
-
-16384:64:0:44:M512:.:AIX:4.3.2 and earlier
-
-16384:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (1)
-32768:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (2)
-65535:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (3)
-
-65535:64:0:64:M*,N,W1,N,N,T,N,N,S:.:AIX:5.3 ML1
-
-# ----------------- Linux -------------------
-
-512:64:0:44:M*:.:Linux:2.0.3x (1)
-16384:64:0:44:M*:.:Linux:2.0.3x (2)
-
-# Endian snafu! Nelson says "ha-ha":
-2:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (1)
-64:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (2)
-
-S4:64:1:60:M1360,S,T,N,W0:.:Linux:2.4 (Google crawlbot)
-
-# Linux 2.6.0-test has an identical footprint as 2.4. I
-# wouldn't put it here until 2.6 gets a bit more, err,
-# mature (and perhaps starts to differ ;-), but many
-# people keep submitting 2.6.0-tests.
-
-S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (big boy)
-S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4.18 and newer
-S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4/2.6
-
-S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4) (1)
-S4:64:1:60:M*,S,T,N,W1:.:Linux:2.5/2.6 (sometimes 2.4) (2)
-S3:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (3)
-S4:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (4)
-
-S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer
-S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1)
-S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2)
-
-# Popular cluster config scripts disable timestamps and
-# selective ACK:
-
-S4:64:1:48:M1460,N,W0:.:Linux:2.4 in cluster
-
-# This needs to be investigated. On some systems, WSS
-# is selected as a multiple of MTU instead of MSS. I got
-# many submissions for this for many late versions of 2.4:
-
-T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (late, uncommon)
-
-# This happens only over loopback, but let's make folks happy:
-32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (local)
-S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (local)
-
-# Opera visitors:
-16384:64:1:60:M*,S,T,N,W0:.:-Linux:2.2 (Opera?)
-32767:64:1:60:M*,S,T,N,W0:.:-Linux:2.4 (Opera?)
-
-# Some fairly common mods:
-S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 w/o timestamps
-S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 w/o timestamps
-
-# ----------------- FreeBSD -----------------
-
-16384:64:1:44:M*:.:FreeBSD:2.0-4.1
-16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (1)
-
-1024:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (2)
-
-57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (no RFC1323)
-57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.8
-
-32768:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.8-5.1 (or MacOS X 10.2-10.3)
-65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (1)
-65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (2)
-
-65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-current (1)
-65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-current (2)
-65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-current (3)
-
-# 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (w/o timestamps)
-
-# ----------------- NetBSD ------------------
-
-16384:64:0:60:M*,N,W0,N,N,T:.:NetBSD:1.3
-65535:64:0:60:M*,N,W0,N,N,T0:.:-NetBSD:1.6 (Opera)
-16384:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6
-65535:64:1:60:M*,N,W1,N,N,T0:.:NetBSD:1.6W-current (DF)
-65535:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6X (DF)
-
-# ----------------- OpenBSD -----------------
-
-16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
-57344:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.3-3.4
-16384:64:0:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 (scrub)
-65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera)
-
-# ----------------- Solaris -----------------
-
-S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:.:Solaris:8 (RFC1323 on)
-S17:64:1:48:N,N,S,M*:.:Solaris:8 (1)
-S17:255:1:44:M*:.:Solaris:2.5 to 7
-
-# Sometimes, just sometimes, Solaris feels like coming up with
-# rather arbitrary MSS values ;-)
-
-S6:255:1:44:M*:.:Solaris:2.5-7
-S23:64:1:48:N,N,S,M*:.:Solaris:8 (2)
-S34:64:1:48:M*,N,N,S:.:Solaris:9
-S44:255:1:44:M*:.:Solaris:7
-
-4096:64:0:44:M1460:.:SunOS:4.1.x
-
-S34:64:1:52:M*,N,W0,N,N,S:.:Solaris:10 (beta)
-
-# ----------------- IRIX --------------------
-
-49152:60:0:44:M*:.:IRIX:6.2-6.4
-61440:60:0:44:M*:.:IRIX:6.2-6.5
-49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323) (1)
-49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323) (2)
-
-61440:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (1)
-49152:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (2)
-
-# ----------------- Tru64 -------------------
-# Tru64 and OpenVMS share the same stack on occassions.
-# Relax.
-
-32768:60:1:48:M*,N,W0:.:Tru64:4.0 (or OS/2 Warp 4)
-32768:60:0:48:M*,N,W0:.:Tru64:5.0 (or OpenVMS 7.x on Compaq 5.0 stack)
-8192:60:0:44:M1460:.:Tru64:5.1 (no RFC1323) (or QNX 6)
-61440:60:0:48:M*,N,W0:.:Tru64:v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
-
-# ----------------- OpenVMS -----------------
-
-6144:64:1:60:M*,N,W0,N,N,T:.:OpenVMS:7.2 (Multinet 4.3-4.4 stack)
-
-# ----------------- MacOS -------------------
-
-S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
-
-16616:255:1:48:M*,W0,E:.:MacOS:7.3-8.6 (OTTCP)
-16616:255:1:48:M*,N,N,N,E:.:MacOS:8.1-8.6 (OTTCP)
-32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
-
-32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (1) (OT 2.7.4)
-65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (2) (OT 2.7.4)
-
-# ----------------- Windows -----------------
-
-# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
-# even 98, the pathlevel, not the actual OS version, is more
-# relevant to the signature. They share the same code, so it would
-# seem. Luckily for us, almost all Windows 9x boxes have an
-# awkward MSS of 536, which I use to tell one from another
-# in most difficult cases.
-
-8192:32:1:44:M*:.:Windows:3.11 (Tucows)
-S44:64:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95
-8192:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95b
-
-# There were so many tweaking tools and so many stack versions for
-# Windows 98 it is no longer possible to tell them from each other
-# without some very serious research. Until then, there's an insane
-# number of signatures, for your amusement:
-
-S44:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (1)
-8192:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (2)
-%8192:64:1:48:M536,N,N,S:.:Windows:98 (13)
-%8192:128:1:48:M536,N,N,S:.:Windows:98 (15)
-S4:64:1:48:M*,N,N,S:.:Windows:98 (1)
-S6:64:1:48:M*,N,N,S:.:Windows:98 (2)
-S12:64:1:48:M*,N,N,S:.:Windows:98 (3
-T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:.:Windows:98 (16)
-32767:64:1:48:M*,N,N,S:.:Windows:98 (4)
-37300:64:1:48:M*,N,N,S:.:Windows:98 (5)
-46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323)
-65535:64:1:44:M*:.:Windows:98 (no sack)
-S16:128:1:48:M*,N,N,S:.:Windows:98 (6)
-S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:98 (7)
-S26:128:1:48:M*,N,N,S:.:Windows:98 (8)
-T30:128:1:48:M*,N,N,S:.:Windows:98 (9)
-32767:128:1:52:M*,N,W0,N,N,S:.:Windows:98 (10)
-60352:128:1:48:M*,N,N,S:.:Windows:98 (11)
-60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:.:Windows:98 (12)
-
-# What's with 1414 on NT?
-T31:128:1:44:M1414:.:Windows:NT 4.0 SP6a (1)
-64512:128:1:44:M1414:.:Windows:NT 4.0 SP6a (2)
-8192:128:1:44:M*:.:Windows:NT 4.0 (older)
-
-# Windows XP and 2000. Most of the signatures that were
-# either dubious or non-specific (no service pack data)
-# were deleted and replaced with generics at the end.
-
-65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1
-%8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1 (seldom 98 4.10.2222)
-S20:128:1:48:M*,N,N,S:.:Windows:SP3
-S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP 1 (2)
-40320:128:1:48:M*,N,N,S:.:Windows:2000 SP4
-
-S6:128:1:48:M*,N,N,S:.:Windows:XP, 2000 SP2+
-S12:128:1:48:M*,N,N,S:.:Windows:XP SP1 (1)
-S44:128:1:48:M*,N,N,S:.:Windows:XP Pro SP1, 2000 SP3
-64512:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP3 (2)
-32767:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP4 (3)
-
-# Odds, ends, mods:
-
-S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco
-65520:128:1:48:M*,N,N,S:.:Windows:XP bare-bone
-16384:128:1:52:M536,N,W0,N,N,S:.:Windows:2000 w/ZoneAlarm?
-2048:255:0:40:.:.:Windows:.NET Enterprise Server
-
-# No need to be more specific, it passes:
-*:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!)
-
-# ----------------- HP/UX -------------------
-
-32768:64:1:44:M*:.:HP-UX:B.10.20
-32768:64:1:48:M*,W0,N:.:HP-UX:11.00-11.11
-
-# Whoa. Hardcore WSS.
-0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323)
-
-# ----------------- RiscOS ------------------
-
-16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:.:RISC OS:3.70-4.36 (inet 5.04)
-12288:32:0:44:M536:.:RISC OS:3.70 inet 4.10
-4096:64:1:56:M1460,N,N,T:T:.:RISC OS:3.70 freenet 2.00
-
-# ----------------- BSD/OS ------------------
-
-8192:64:1:60:M1460,N,W0,N,N,T:.:BSD/OS:3.1-4.3 (or MacOS X 10.2)
-
-# ---------------- NetwonOS -----------------
-
-4096:64:0:44:M1420:.:NewtonOS:2.1
-
-# ---------------- NeXTSTEP -----------------
-
-S8:64:0:44:M512:.:NeXTSTEP:3.3
-
-# ------------------ BeOS -------------------
-
-1024:255:0:48:M*,N,W0:.:BeOS:5.0-5.1
-12288:255:0:44:M*:.:BeOS:5.0.x
-
-# ------------------ OS/400 -----------------
-
-8192:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R4/R5
-8192:64:0:44:M536:.:OS/400:V4R3/M0
-4096:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R5 + CF67032
-
-28672:64:0:44:M1460:A:OS/390:?
-
-# ------------------ ULTRIX -----------------
-
-16384:64:0:40:.:.:ULTRIX:4.5
-
-# ------------------- QNX -------------------
-
-S16:64:0:44:M512:.:QNX:demodisk
-
-# ------------------ Novell -----------------
-
-16384:128:1:44:M1460:.:Novell:NetWare 5.0
-6144:128:1:44:M1460:.:Novell:IntranetWare 4.11
-6144:128:1:44:M1368:.:Novell:BorderManager ?
-
-# According to rfp:
-6144:128:1:52:M*,W0,N,S,N,N:.:Novell:Netware 6 SP3
-
-# -------------- SCO UnixWare ---------------
-
-S3:64:1:60:M1460,N,W0,N,N,T:.:SCO:UnixWare 7.1
-S23:64:1:44:M1380:.:SCO:OpenServer 5.0
-
-# ------------------- DOS -------------------
-
-2048:255:0:44:M536:.:DOS:Arachne via WATTCP/1.05
-
-# ------------------ OS/2 -------------------
-
-S56:64:0:44:M512:.:OS/2:4
-
-# ----------------- TOPS-20 -----------------
-
-# Another hardcore MSS, one of the ACK leakers hunted down.
-0:64:0:44:M1460:A:TOPS-20:version 7
-
-# ------------------ AMIGA ------------------
-
-S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
-
-# ------------------ Minix ------------------
-
-# Not quite sure.
-# 8192:210:0:44:M1460:X:@Minix:?
-
-# ------------------ Plan9 ------------------
-
-65535:255:0:48:M1460,W0,N:.:Plan9:edition 4
-
-# ----------------- AMIGAOS -----------------
-
-16384:64:1:48:M1560,N,N,S:.:AMIGAOS:3.9 BB2 MiamiDX
-
-###########################################
-# Appliance / embedded / other signatures #
-###########################################
-
-# ---------- Firewalls / routers ------------
-
-S12:64:1:44:M1460:.:@Checkpoint:(unknown 1)
-S12:64:1:48:N,N,S,M1460:.:@Checkpoint:(unknown 2)
-4096:32:0:44:M1460:.:ExtremeWare:4.x
-60352:64:0:52:M1460,N,W2,N,N,S:.:Clavister:firewall 7.x
-
-S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
-S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
-
-S4:64:1:60:W0,N,S,T,M1460:.:FortiNet:FortiGate 50
-
-8192:64:1:44:M1460:.:@Eagle:Secure Gateway
-
-# ------- Switches and other stuff ----------
-
-4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, et
-S8:255:0:44:M*:.:Cisco:12008
-60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:.:Alteon:ACEswitch
-64512:128:1:44:M1370:.:Nortel:Contivity Client
-
-# ---------- Caches and whatnots ------------
-
-8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.2
-16384:64:1:64:M1460,N,N,S,N,W0,N:.:NetCache:5.3
-65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5
-20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:4.1
-
-32850:64:1:64:N,W1,N,N,T,N,N,S,M*:.:NetCache:Data OnTap 5.x
-
-65535:64:0:60:M1460,N,W0,N,N,T:.:CacheFlow:CacheOS 4.1
-8192:64:0:60:M1380,N,N,N,N,N,N,T:.:CacheFlow:CacheOS 1.1
-
-S4:64:0:48:M1460,N,N,S:.:Cisco:Content Engine
-
-27085:128:0:40:.:.:Dell:PowerApp cache (Linux-based)
-
-65535:255:1:48:N,W1,M1460:.:Inktomi:crawler
-S1:255:1:60:M1460,S,T,N,W0:.:LookSmart:ZyBorg
-
-16384:255:0:40:.:.:Proxyblocker:(what's this?)
-
-# ----------- Embedded systems --------------
-
-S9:255:0:44:M536:.:PalmOS:Tungsten C
-S5:255:0:44:M536:.:PalmOS:3/4
-S4:255:0:44:M536:.:PalmOS:3.5
-2948:255:0:44:M536:.:PalmOS:3.5.3 (Handera)
-S29:255:0:44:M536:.:PalmOS:5.0
-
-S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:.:SymbianOS:7
-8192:255:0:44:M1460:.:SymbianOS:6048 (on Nokia 7650?)
-8192:255:0:44:M536:.:SymbianOS:(on Nokia 9210?)
-
-32768:32:1:44:M1460:.:Windows:CE 3
-
-# Perhaps S4?
-5840:64:1:60:M1452,S,T,N,W1:.:Zaurus:3.10
-
-32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:.:PocketPC:2002
-
-S1:255:0:44:M346:.:Contiki:1.1-rc0
-
-4096:128:0:44:M1460:.:Sega:Dreamcast Dreamkey 3.0
-T5:64:0:44:M536:.:Sega:Dreamcast HKT-3020 (browser disc 51027)
-S22:64:1:44:M1460:.:Sony:Playstation 2 (SOCOM?)
-
-S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64
-
-####################
-# Fancy signatures #
-####################
-
-1024:64:0:40:.:.:-*NMAP:syn scan (1)
-2048:64:0:40:.:.:-*NMAP:syn scan (2)
-3072:64:0:40:.:.:-*NMAP:syn scan (3)
-4096:64:0:40:.:.:-*NMAP:syn scan (4)
-
-1024:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (1)
-2048:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (2)
-3072:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (3)
-4096:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (4)
-
-1024:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (1)
-2048:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (2)
-3072:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (3)
-4096:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (4)
-
-12345:255:0:40:.:A:-p0f:sendsyn utility
-
-# UFO - see tmp/*:
-56922:128:0:40:.:A:-@Mysterious:port scanner (?)
-5792:64:1:60:M1460,S,T,N,W0:T:-@Mysterious:NAT device (2nd tstamp)
-S12:128:1:48:M1460,E:P:@Mysterious:Chello proxy (?)
-S23:64:1:64:N,W1,N,N,T,N,N,S,M1380:.:@Mysterious:GPRS gateway (?)
-
-#####################################
-# Generic signatures - just in case #
-#####################################
-
-*:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323 no tstamp)
-*:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323)
-*:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP (RFC1323, w+)
-*:128:1:48:M536,N,N,S:.:@Windows:98
-*:128:1:48:M*,N,N,S:.:@Windows:XP/2000
-
-
diff --git a/policy.old/smb.bro b/policy.old/smb.bro
deleted file mode 100644
index 4d31393a13..0000000000
--- a/policy.old/smb.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id:$
-
-redef capture_filters += { ["smb"] = "port 445" };
-
-global smb_ports = { 445/tcp } &redef;
-redef dpd_config += { [ANALYZER_SMB] = [$ports = smb_ports] };
-
-# No default implementation for events.
diff --git a/policy.old/smtp-relay.bro b/policy.old/smtp-relay.bro
deleted file mode 100644
index 0a7f84e7ad..0000000000
--- a/policy.old/smtp-relay.bro
+++ /dev/null
@@ -1,192 +0,0 @@
-# $Id: smtp-relay.bro 5911 2008-07-03 22:59:01Z vern $
-#
-# Tracks email relaying.
-
-@load smtp
-@load mime
-
-module SMTP;
-
-redef process_smtp_relay = T;
-
-export {
- const relay_log = open_log_file("relay") &redef;
-}
-
-global print_smtp_relay: function(t: table[count] of smtp_session_info,
- idx: count): interval;
-
-global smtp_relay_table: table[count] of smtp_session_info
- &write_expire = 5 min &expire_func = print_smtp_relay;
-
-global smtp_session_by_recipient: table[string] of smtp_session_info
- &write_expire = 5 min;
-global smtp_session_by_message_id: table[string] of smtp_session_info
- &write_expire = 5 min;
-global smtp_session_by_content_hash: table[string] of smtp_session_info
- &write_expire = 5 min;
-
-
-function add_to_smtp_relay_table(session: smtp_session_info)
- {
- if ( session$id !in smtp_relay_table )
- smtp_relay_table[session$id] = session;
- }
-
-function check_relay_1(session: smtp_session_info, rcpt: string)
- {
- if ( session$external_orig && rcpt != local_mail_addr )
- {
- smtp_message(session,
- fmt("relaying(1) message (from %s, to %s) to address %s",
- session$connection_id$orig_h,
- session$connection_id$resp_h,
- rcpt));
-
- if ( session$relay_1_rcpt != "" )
- session$relay_1_rcpt = cat(session$relay_1_rcpt, ",");
-
- session$relay_1_rcpt = cat(session$relay_1_rcpt, rcpt);
- add_to_smtp_relay_table(session);
- }
- }
-
-function check_relay_2(session: smtp_session_info, rcpt: string)
- {
- if ( rcpt in smtp_session_by_recipient )
- {
- local prev_session = smtp_session_by_recipient[rcpt];
-
- # Should only check the first condition only (external
- # followed by internal) but let's include the second one
- # for testing purposes for now.
- if ( (prev_session$external_orig && ! session$external_orig) ||
- (! prev_session$external_orig && session$external_orig) )
- {
- smtp_message(session,
- fmt("relaying(2) message (seen during #%d) to address %s (%s -> %s, %s -> %s)",
- prev_session$id, rcpt,
- prev_session$connection_id$orig_h,
- prev_session$connection_id$resp_h,
- session$connection_id$orig_h,
- session$connection_id$resp_h));
-
- session$relay_2_from = prev_session$id;
- ++prev_session$relay_2_to;
-
- add_to_smtp_relay_table(session);
- add_to_smtp_relay_table(prev_session);
- }
- }
-
- smtp_session_by_recipient[rcpt] = session;
- }
-
-function check_relay_3(session: MIME::mime_session_info, msg_id: string)
- {
- local smtp_session = session$smtp_session;
-
- if ( msg_id in smtp_session_by_message_id )
- {
- local prev_smtp_session = smtp_session_by_message_id[msg_id];
-
- smtp_message(smtp_session,
- fmt("relaying(3) message (seen during #%d) with id %s (%s -> %s, %s -> %s)",
- prev_smtp_session$id, msg_id,
- prev_smtp_session$connection_id$orig_h,
- prev_smtp_session$connection_id$resp_h,
- smtp_session$connection_id$orig_h,
- smtp_session$connection_id$resp_h));
-
- smtp_session$relay_3_from = prev_smtp_session$id;
- ++prev_smtp_session$relay_3_to;
-
- add_to_smtp_relay_table(smtp_session);
- add_to_smtp_relay_table(prev_smtp_session);
- }
- else
- smtp_session_by_message_id[msg_id] = smtp_session;
- }
-
-function check_relay_4(session: MIME::mime_session_info, content_hash: string)
- {
- local smtp_session = session$smtp_session;
- smtp_session$content_hash = content_hash;
-
- if ( content_hash in smtp_session_by_content_hash )
- {
- local prev_smtp_session = smtp_session_by_content_hash[content_hash];
- smtp_message(smtp_session,
- fmt("relaying(4) message (seen during #%d) with hash %s (%s -> %s, %s -> %s)",
- prev_smtp_session$id,
- string_to_ascii_hex(content_hash),
- prev_smtp_session$connection_id$orig_h,
- prev_smtp_session$connection_id$resp_h,
- smtp_session$connection_id$orig_h,
- smtp_session$connection_id$resp_h));
-
- smtp_session$relay_4_from = prev_smtp_session$id;
- ++prev_smtp_session$relay_4_to;
-
- add_to_smtp_relay_table(smtp_session);
- add_to_smtp_relay_table(prev_smtp_session);
- }
- else
- smtp_session_by_content_hash[content_hash] = smtp_session;
- }
-
-# event mime_all_data(c: connection, length: count, data: string)
-# {
-# local session = get_mime_session(c, T);
-# session$content_hash = md5_hash(data);
-# if ( process_smtp_relay )
-# check_relay_4(session, session$content_hash);
-# # mime_log_msg(session, "all data", fmt("%s", data));
-# }
-
-event mime_content_hash(c: connection, content_len: count, hash_value: string)
- {
- local session = MIME::get_session(c, T);
- session$content_hash = hash_value;
- if ( process_smtp_relay && content_len > 0 )
- check_relay_4(session, session$content_hash);
- }
-
-function relay_flow(from: count, to: count): string
- {
- if ( from > 0 )
- return fmt("<#%d", from);
-
- if ( to > 0 )
- return fmt(">%d", to);
-
- return "-";
- }
-
-function print_smtp_relay(t: table[count] of smtp_session_info,
- idx: count): interval
- {
- local session = t[idx];
-
- print relay_log, fmt("#%d: %s",
- session$id,
- directed_id_string(session$connection_id, T));
-
- print relay_log, fmt("#%d: RCPT: <%s>, Subject: %s",
- session$id,
- session$recipients, session$subject);
-
- print relay_log, fmt("#%d: detected: [%s %s %s %s] %s",
- session$id,
- session$relay_1_rcpt == "" ? "-" : "1",
- relay_flow(session$relay_2_from, session$relay_2_to),
- relay_flow(session$relay_3_from, session$relay_3_to),
- relay_flow(session$relay_4_from, session$relay_4_to),
- session$content_gap ? "(content gap)" : "");
-
- print relay_log, fmt("#%d: relay 1: <%s>",
- session$id,
- session$relay_1_rcpt);
-
- return 0 sec;
- }
diff --git a/policy.old/smtp.bro b/policy.old/smtp.bro
deleted file mode 100644
index cddb926456..0000000000
--- a/policy.old/smtp.bro
+++ /dev/null
@@ -1,557 +0,0 @@
-# $Id: smtp.bro 5230 2008-01-14 01:38:18Z vern $
-
-@load conn
-
-module SMTP;
-
-export {
- redef enum Notice += { HotEmailRecipient, };
-
- const process_smtp_relay = F &redef;
-
- const smtp_log = open_log_file("smtp") &redef;
-
- # Used to detect relaying.
- const local_mail_addr = /.*@.*lbl.gov/ &redef;
-
- const hot_recipients = /@/ &redef;
-
- const smtp_legal_cmds: set[string] = {
- ">", "EHLO", "HELO", "MAIL",
- "RCPT", "DATA", ".", "QUIT",
- "RSET", "VRFY", "EXPN", "HELP", "NOOP",
- "SEND", "SOML", "SAML", "TURN",
- "STARTTLS",
- "BDAT",
- "ETRN",
- "AUTH",
- "***",
- } &redef;
-
- const smtp_hot_cmds: table[string] of pattern = {
- ["MAIL"] = /.*<.*@.*:.*>.*/, # relay path
- ["RCPT"] = /.*<.*@.*:.*>.*/, # relay path
- ["VRFY"] = /.*/,
- ["EXPN"] = /.*/,
- ["TURN"] = /.*/,
- } &redef;
-
- const smtp_sensitive_cmds: set[string] = {
- "VRFY", "EXPN", "TURN",
- } &redef;
-
- const smtp_expected_reply: set[string, count] = {
- [">", 220],
- ["EHLO", 250],
- ["HELO", 250],
- ["MAIL", 250],
- ["RCPT", 250],
- ["RCPT", 554], # transaction failed
- ["QUIT", 221],
- ["DATA", 354],
- [".", 250], # end of data
- ["RSET", 250],
- ["VRFY", 250],
- ["EXPN", 250],
- ["HELP", 250],
- ["HELP", 502], # help command not supported
- ["NOOP", 250],
- ["AUTH", 334], # two round authentication
- ["AUTH", 235], # one round authentication
- ["AUTH_ANSWER", 334], # multiple step authentication
- ["AUTH_ANSWER", 235], # authentication successful
- ["STARTTLS", 220], # Willing to do TLS
- ["TURN", 502], # TURN is expected to be rejected
- };
-
- type smtp_cmd_info: record {
- cmd: string;
- cmd_arg: string;
- reply: count;
- reply_arg: string;
- cont_reply: bool;
- log_reply: bool;
- };
-
- type smtp_cmd_info_list: table[count] of smtp_cmd_info;
-
- type smtp_session_info: record {
- id: count;
- connection_id: conn_id;
- external_orig: bool;
- in_data: bool;
- num_cmds: count;
- num_replies: count;
- cmds: smtp_cmd_info_list;
- in_header: bool;
- keep_current_header: bool; # hack till MIME rewriter ready
- recipients: string;
- subject: string;
- content_hash: string;
- num_lines_in_body: count;
- # lines in RFC 822 body before MIME decoding
- num_bytes_in_body: count;
- # bytes in entity bodies after MIME decoding
- content_gap: bool; # whether content gap in conversation
-
- relay_1_rcpt: string; # external recipients
- relay_2_from: count; # session id of same recipient
- relay_2_to: count;
- relay_3_from: count; # session id of same msg id
- relay_3_to: count;
- relay_4_from: count; # session id of same content hash
- relay_4_to: count;
- };
-
- global smtp_sessions: table[conn_id] of smtp_session_info;
- global smtp_session_id = 0;
-
- global new_smtp_session: function(c: connection);
-}
-
-redef capture_filters += { ["smtp"] = "tcp port smtp or tcp port 587" };
-
-# DPM configuration.
-global smtp_ports = { 25/tcp, 587/tcp } &redef;
-redef dpd_config += { [ANALYZER_SMTP] = [$ports = smtp_ports] };
-
-function is_smtp_connection(c: connection): bool
- {
- return c$id$resp_p == smtp;
- }
-
-event bro_init()
- {
- have_SMTP = T;
- }
-
-global add_to_smtp_relay_table: function(session: smtp_session_info);
-
-function new_smtp_command(session: smtp_session_info, cmd: string, arg: string)
- {
- ++session$num_cmds;
-
- local cmd_info: smtp_cmd_info;
- cmd_info$cmd = cmd;
- cmd_info$cmd_arg = arg;
- cmd_info$reply = 0;
- cmd_info$reply_arg = "";
- cmd_info$cont_reply = F;
- cmd_info$log_reply = F;
-
- session$cmds[session$num_cmds] = cmd_info;
- }
-
-function new_smtp_session(c: connection)
- {
- local session = c$id;
- local new_id = ++smtp_session_id;
-
- local info: smtp_session_info;
- local cmds: smtp_cmd_info_list;
-
- info$id = new_id;
- info$connection_id = session;
- info$in_data = F;
- info$num_cmds = 0;
- info$num_replies = 0;
- info$cmds = cmds;
- info$in_header = F;
- info$keep_current_header = T;
- info$external_orig = !is_local_addr(session$orig_h);
-
- info$subject = "";
- info$recipients = "";
- info$content_hash = "";
- info$num_lines_in_body = info$num_bytes_in_body = 0;
- info$content_gap = F;
-
- info$relay_1_rcpt = "";
- info$relay_2_from = info$relay_2_to = info$relay_3_from =
- info$relay_3_to = info$relay_4_from = info$relay_4_to = 0;
-
- new_smtp_command(info, ">", "");
-
- smtp_sessions[session] = info;
- append_addl(c, fmt("#%s", prefixed_id(new_id)));
-
- print smtp_log, fmt("%.6f #%s %s start %s", c$start_time,
- prefixed_id(new_id), id_string(session), info$external_orig ?
- "external" : "internal" );
- }
-
-function smtp_message(session: smtp_session_info, msg: string)
- {
- print smtp_log, fmt("%.6f #%s %s",
- network_time(), prefixed_id(session$id), msg);
- }
-
-function smtp_log_msg(session: smtp_session_info, is_orig: bool, msg: string)
- {
- print smtp_log, fmt("%.6f #%s %s: %s",
- network_time(),
- prefixed_id(session$id),
- directed_id_string(session$connection_id, is_orig),
- msg);
- }
-
-function smtp_log_reject_recipient(session: smtp_session_info, rcpt: string)
- {
- if ( rcpt == "" )
- rcpt = "";
-
- smtp_message(session, fmt("Recipient addresses rejected: %s", rcpt));
- }
-
-function smtp_log_command(session: smtp_session_info, is_orig: bool,
- msg: string, cmd_info: smtp_cmd_info)
- {
- smtp_log_msg(session, is_orig, fmt("%s: %s(%s)",
- msg, cmd_info$cmd, cmd_info$cmd_arg));
- }
-
-function smtp_log_reply(session: smtp_session_info, is_orig: bool,
- msg: string, cmd_info: smtp_cmd_info)
- {
- smtp_log_msg(session, is_orig, fmt("%s: %s(%s) --> %d(%s)",
- msg,
- cmd_info$cmd, cmd_info$cmd_arg,
- cmd_info$reply, cmd_info$reply_arg));
- }
-
-event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
- {
- local id = c$id;
-
- if ( id !in smtp_sessions )
- new_smtp_session(c);
-
- local session = smtp_sessions[id];
- new_smtp_command(session, command, arg);
- local cmd_info = session$cmds[session$num_cmds];
-
- # Store the command in session record.
- local log_this_cmd = F;
-
- if ( command in smtp_hot_cmds && arg == smtp_hot_cmds[command] )
- {
- log_this_cmd = T;
- cmd_info$log_reply = T;
- }
-
- if ( command in smtp_sensitive_cmds )
- {
- log_this_cmd = T;
- cmd_info$log_reply = T;
- }
-
- if ( log_this_cmd )
- smtp_log_command(session, is_orig, "unusual command", cmd_info);
-
- if ( command == "DATA" )
- {
- session$in_data = T;
- session$in_header = T;
- }
-
- else if ( command == "." )
- session$in_data = F;
- }
-
-function check_cmd_info(session: smtp_session_info): bool
- {
- if ( session$num_replies == 0 )
- return T;
-
- if ( session$num_replies <= session$num_cmds &&
- session$num_replies in session$cmds )
- return T;
-
- smtp_message(session, fmt("error: invalid num_replies: %d (num_cmds = %d)",
- session$num_replies, session$num_cmds));
- return F;
- }
-
-function smtp_command_mail(session: smtp_session_info, cmd_info: smtp_cmd_info)
- {
- local tokens = split(cmd_info$cmd_arg, /(<|:|>)*/);
-
- local i = 0;
- for ( i in tokens )
- smtp_log_msg(session, T, fmt("%d: \"%s\"", i, tokens[i]));
- }
-
-function extract_recipient(session: smtp_session_info, rcpt_cmd_arg: string): string
- {
- local pair: string_array;
- local s: string;
-
- s = rcpt_cmd_arg;
-
- pair = split1(s, /<( |\t)*/);
- if ( length(pair) != 2 )
- {
- smtp_message(session, fmt("error: '<' not found in argument to RCPT: %s",
- rcpt_cmd_arg));
- return "";
- }
-
- s = pair[2];
- # smtp_message(session, fmt("%s<%s", pair[1], pair[2]));
-
- pair = split1(s, /( |\t)*>/);
- if ( length(pair) != 2 )
- {
- smtp_message(session, fmt("error: '>' not found in argument to RCPT: %s",
- rcpt_cmd_arg));
- return "";
- }
-
- s = pair[1];
- # smtp_message(session, fmt("%s>%s", pair[1], pair[2]));
-
- pair = split1(s, /:/);
- if ( length(pair) == 2 )
- {
- smtp_message(session, fmt("RCPT address is source route path: %s",
- rcpt_cmd_arg));
- s = pair[2];
- }
-
- # Actually the local part of an address might be case-sensitive,
- # but in most cases it is not.
-
- s = to_lower(s);
-
- return s;
- }
-
-global check_relay_1: function(session: smtp_session_info, rcpt: string);
-global check_relay_2: function(session: smtp_session_info, rcpt: string);
-
-function smtp_command_rcpt(c: connection, session: smtp_session_info,
- cmd_info: smtp_cmd_info)
- {
- local rcpt = extract_recipient(session, cmd_info$cmd_arg);
-
- if ( cmd_info$reply == 554 )
- smtp_log_reject_recipient(session, rcpt);
-
- else if ( rcpt != "" )
- {
- smtp_message(session, fmt("recipient: <%s>", rcpt));
-
- if ( session$recipients != "" )
- session$recipients = cat(session$recipients, ",");
-
- session$recipients = cat(session$recipients, rcpt);
-
- if ( process_smtp_relay )
- {
- check_relay_1(session, rcpt);
- check_relay_2(session, rcpt);
- }
-
- if ( rcpt == hot_recipients )
- {
- local src = session$connection_id$orig_h;
- local dst = session$connection_id$resp_h;
-
- NOTICE([$note=HotEmailRecipient, $src=src, $conn=c,
- $user=rcpt,
- $msg=fmt("hot email recipient %s -> %s@%s",
- src, rcpt, dst)]);
- }
- }
- }
-
-event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
- msg: string, cont_resp: bool)
- {
- local id = c$id;
-
- if ( id !in smtp_sessions )
- new_smtp_session(c);
-
- local session = smtp_sessions[id];
- local new_reply = F;
-
- # Check entry before indexing.
- if ( ! check_cmd_info(session) )
- return;
-
- if ( session$num_replies == 0 ||
- ! session$cmds[session$num_replies]$cont_reply )
- {
- ++session$num_replies;
- if ( session$num_replies !in session$cmds )
- {
- smtp_message(session, fmt("error: unmatched reply: %d %s (%s)",
- code, msg, cmd));
- return;
- }
-
- new_reply = T;
- }
-
- if ( ! check_cmd_info(session) )
- return;
-
- local cmd_info = session$cmds[session$num_replies];
-
- if ( cmd_info$cmd != cmd )
- {
- smtp_message(session,
- fmt("error: command mismatch: %s(%d) %s(%d), %s (%d %s)",
- cmd_info$cmd, session$num_replies,
- session$cmds[session$num_cmds], session$num_cmds,
- cmd, code, msg));
- return;
- }
-
- cmd_info$reply = code;
- if ( new_reply )
- cmd_info$reply_arg = msg;
- else
- cmd_info$reply_arg = cat(cmd_info$reply_arg, "\r\n", msg);
-
- cmd_info$cont_reply = cont_resp;
-
- local log_this_reply = cmd_info$log_reply;
-
- if ( [cmd, code] !in smtp_expected_reply )
- log_this_reply = T;
-
- if ( log_this_reply && ! cont_resp )
- smtp_log_reply(session, is_orig, "unusual command/reply", cmd_info);
-
- # else if ( cmd == "MAIL" && code == 250 )
- # smtp_command_mail(session, cmd_info);
-
- else if ( cmd == "RCPT" )
- {
- if ( code == 250 || code == 554 )
- smtp_command_rcpt(c, session, cmd_info);
- }
-
- else if ( cmd == "STARTTLS" && code == 220 )
- { # it'll now go encrypted - no more we can do.
- skip_further_processing(c$id);
- smtp_message(session, cmd);
- }
- }
-
-function reset_on_gap(session: smtp_session_info)
- {
- local i: count;
-
- clear_table(session$cmds);
-
- session$num_cmds = session$num_replies = 0;
- session$in_data = F;
- }
-
-event smtp_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
- {
- local id = c$id;
-
- if ( id !in smtp_sessions )
- new_smtp_session(c);
-
- local session = smtp_sessions[id];
-
- smtp_log_msg(session, is_orig, fmt("unexpected: %s: %s", msg, detail));
- }
-
-function clear_smtp_session(session: smtp_session_info)
- {
- clear_table(session$cmds);
- }
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
- {
- if ( is_smtp_connection(c) )
- {
- local id = c$id;
- if ( id !in smtp_sessions )
- new_smtp_session(c);
- local session = smtp_sessions[id];
- session$content_gap = T;
- reset_on_gap(session);
- }
- }
-
-event connection_finished(c: connection)
- {
- local id = c$id;
- if ( id in smtp_sessions )
- {
- local session = smtp_sessions[id];
- smtp_message(session, "finish");
- clear_smtp_session(session);
- delete smtp_sessions[id];
- }
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
- if ( id in smtp_sessions )
- {
- local session = smtp_sessions[id];
- smtp_message(session, "state remove");
- clear_smtp_session(session);
- delete smtp_sessions[id];
- }
- }
-
-global rewrite_smtp_header_line:
- function(c: connection, is_orig: bool,
- session: smtp_session_info, line: string);
-
-function smtp_header_line(c: connection, is_orig: bool,
- session: smtp_session_info, line: string)
- {
- if ( rewriting_smtp_trace )
- rewrite_smtp_header_line(c, is_orig, session, line);
- }
-
-function smtp_body_line(c: connection, is_orig: bool,
- session: smtp_session_info, line: string)
- {
- ++session$num_lines_in_body;
- session$num_bytes_in_body =
- session$num_bytes_in_body + byte_len(line) + 2; # including CRLF
- }
-
-event smtp_data(c: connection, is_orig: bool, data: string)
- {
- local id = c$id;
- if ( id in smtp_sessions )
- {
- local session = smtp_sessions[id];
- # smtp_log_msg(session, is_orig, fmt("data: %s", data));
- if ( session$in_header )
- {
- if ( data == "" )
- {
- session$in_header = F;
- skip_smtp_data(c);
- }
- else
- {
- smtp_header_line(c, is_orig, session, data);
- # smtp_log_msg(session, T, fmt("header: %s", data));
- }
- }
- else
- {
- # smtp_body_line(c, is_orig, session, data);
- }
- }
- }
-
-event bro_done()
- {
- clear_table(smtp_sessions);
- }
diff --git a/policy.old/snort.bro b/policy.old/snort.bro
deleted file mode 100644
index 16a173de13..0000000000
--- a/policy.old/snort.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: snort.bro 720 2004-11-12 16:45:48Z rwinslow $
-#
-# Definitions needed for signatures converted by snort2bro.
-
-# Servers for some services.
-const dns_servers: set[subnet] = { local_nets } &redef;
-const http_servers: set[subnet] = { local_nets } &redef;
-const smtp_servers: set[subnet] = { local_nets } &redef;
-const telnet_servers: set[subnet] = { local_nets } &redef;
-const sql_servers: set[subnet] = { local_nets } &redef;
-
-const aim_servers: set[subnet] = {
- 64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24,
- 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24,
- 205.188.9.0/24
-} &redef;
-
-# Ports for some services.
-const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
-const oracle_ports = { 1521/tcp };
-const non_shellcode_ports = { 80/tcp };
diff --git a/policy.old/ssh-stepping.bro b/policy.old/ssh-stepping.bro
deleted file mode 100644
index 5658a56043..0000000000
--- a/policy.old/ssh-stepping.bro
+++ /dev/null
@@ -1,45 +0,0 @@
-@load stepping
-
-redef capture_filters += { ["ssh-stepping"] = "tcp port 22" };
-
-module SSH_Stepping;
-
-# Keeps track of how many connections each source is responsible for.
-global ssh_src_cnt: table[addr] of count &default=0 &write_expire=15sec;
-
-export {
- # Threshold above which we stop analyzing a source.
- # Use 0 to never stop.
- global src_fanout_no_stp_analysis_thresh = 100 &redef;
-}
-
-event connection_established(c: connection)
- {
- if ( c$id$resp_p == ssh )
- {
- # No point recording these, and they're potentially huge
- # due to use of ssh for file transfers.
- set_record_packets(c$id, F);
-
- # Keep track of sources that create lots of connections
- # so we can skip analyzing them - they're very likely
- # uninteresting for stepping stones, and can present
- # a large state burden.
- local src = c$id$orig_h;
- if ( ++ssh_src_cnt[src] == src_fanout_no_stp_analysis_thresh )
- add stp_skip_src[src];
-
- if ( ssh_src_cnt[src] == 1 )
- # First entry. It's possible this entry was set
- # before and has now expired. If so, stop skipping it.
- delete stp_skip_src[src];
- }
- }
-
-event partial_connection(c: connection)
- {
- if ( c$id$orig_p == ssh || c$id$resp_p == ssh )
- # No point recording these, and they're potentially huge
- # due to use of ssh for file transfers.
- set_record_packets(c$id, F);
- }
diff --git a/policy.old/ssl-alerts.bro b/policy.old/ssl-alerts.bro
deleted file mode 100644
index 1a0d65dead..0000000000
--- a/policy.old/ssl-alerts.bro
+++ /dev/null
@@ -1,120 +0,0 @@
-# $Id: ssl-alerts.bro 416 2004-09-17 03:52:28Z vern $
-#
-# Interface for SSL/TLS support.
-
-# --- constant definitions of the SSL/TLS alert/error records ---
-
-# --- Error descriptions for SSLv2.
-const SSLv2_PE_NO_CIPHER = 0x0001;
-const SSLv2_PE_NO_CERTIFICATE = 0x0002;
-const SSLv2_PE_BAD_CERTIFICATE = 0x0004;
-const SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006;
-
-# --- Alert descriptions in SSLv3.0 and SSLv3.1.
-const SSLv3x_ALERT_DESCR_CLOSE_NOTIFY = 0;
-const SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE = 10;
-const SSLv3x_ALERT_DESCR_BAD_RECORD_MAC = 20;
-const SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE = 30;
-const SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE = 40;
-const SSLv3x_ALERT_DESCR_BAD_CERTIFICATE = 42;
-const SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE = 43;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED = 44;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED = 45;
-const SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN = 46;
-
-# --- Alert descriptions only in SSLv3.0.
-const SSLv30_ALERT_DESCR_NO_CERTIFICATE = 41;
-
-# --- Alert descriptions only in SSLv3.1.
-const SSLv31_ALERT_DESCR_DESCRYPTION_FAILED = 21;
-const SSLv31_ALERT_DESCR_RECORD_OVERFLOW = 22;
-const SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER = 47;
-const SSLv31_ALERT_DESCR_UNKNOWN_CA = 48;
-const SSLv31_ALERT_DESCR_ACCESS_DENIED = 49;
-const SSLv31_ALERT_DESCR_DECODE_ERROR = 50;
-const SSLv31_ALERT_DESCR_DECRYPT_ERROR = 51;
-const SSLv31_ALERT_DESCR_EXPORT_RESTRICTION = 60;
-const SSLv31_ALERT_DESCR_PROTOCOL_VERSION = 70;
-const SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY = 71;
-const SSLv31_ALERT_DESCR_INTERNAL_ERROR = 80;
-const SSLv31_ALERT_DESCR_USER_CANCELED = 90;
-const SSLv31_ALERT_DESCR_NO_RENEGOTIATION = 100;
-
-# --- This is a table of all known alert descriptions.
-# --- It can be used for detecting unknown alerts and for
-# --- converting the alert descriptions constants into a human readable format.
-
-const ssl_alert_desc: table[count] of string = {
- # --- SSLv2
- [SSLv2_PE_NO_CIPHER] = "SSLv2_PE_NO_CIPHER",
- [SSLv2_PE_NO_CERTIFICATE] = "SSLv2_PE_NO_CERTIFICATE",
- [SSLv2_PE_BAD_CERTIFICATE] = "SSLv2_PE_BAD_CERTIFICATE",
- [SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE] =
- "SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE",
-
- # --- sslv30
- [SSLv30_ALERT_DESCR_NO_CERTIFICATE] =
- "SSLv30_ALERT_DESCR_NO_CERTIFICATE",
-
- # --- sslv31
- [SSLv31_ALERT_DESCR_DESCRYPTION_FAILED] =
- "SSLv31_ALERT_DESCR_DESCRYPTION_FAILED",
- [SSLv31_ALERT_DESCR_RECORD_OVERFLOW] =
- "SSLv31_ALERT_DESCR_RECORD_OVERFLOW",
- [SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER] =
- "SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER",
- [SSLv31_ALERT_DESCR_UNKNOWN_CA] = "SSLv31_ALERT_DESCR_UNKNOWN_CA",
- [SSLv31_ALERT_DESCR_ACCESS_DENIED] = "SSLv31_ALERT_DESCR_ACCESS_DENIED",
- [SSLv31_ALERT_DESCR_DECODE_ERROR] = "SSLv31_ALERT_DESCR_DECODE_ERROR",
- [SSLv31_ALERT_DESCR_DECRYPT_ERROR] = "SSLv31_ALERT_DESCR_DECRYPT_ERROR",
- [SSLv31_ALERT_DESCR_EXPORT_RESTRICTION] =
- "SSLv31_ALERT_DESCR_EXPORT_RESTRICTION",
- [SSLv31_ALERT_DESCR_PROTOCOL_VERSION] =
- "SSLv31_ALERT_DESCR_PROTOCOL_VERSION",
- [SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY] =
- "SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY",
- [SSLv31_ALERT_DESCR_INTERNAL_ERROR] =
- "SSLv31_ALERT_DESCR_INTERNAL_ERROR",
- [SSLv31_ALERT_DESCR_USER_CANCELED] =
- "SSLv31_ALERT_DESCR_USER_CANCELED",
- [SSLv31_ALERT_DESCR_NO_RENEGOTIATION] =
- "SSLv31_ALERT_DESCR_NO_RENEGOTIATION",
-
- # -- sslv3.0 and sslv3.1
- [SSLv3x_ALERT_DESCR_CLOSE_NOTIFY] = "SSLv3x_ALERT_DESCR_CLOSE_NOTIFY",
- [SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE] =
- "SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE",
- [SSLv3x_ALERT_DESCR_BAD_RECORD_MAC] =
- "SSLv3x_ALERT_DESCR_BAD_RECORD_MAC",
- [SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE] =
- "SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE",
- [SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE] =
- "SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE",
- [SSLv3x_ALERT_DESCR_BAD_CERTIFICATE] =
-
"SSLv3x_ALERT_DESCR_BAD_CERTIFICATE",
- [SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE] =
- "SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE",
- [SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED] =
- "SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED",
- [SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED] =
- "SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED",
- [SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN] =
- "SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN",
-};
-
-# --- definitions for SSLv2 error levels:
-# NOTE: We currently use the SSLv3x alert levels "WARNING" and "FATAL"
-# for SSLv2, since SSLv2 does not support an explicit error level.
-
-# --- definitions for SSLv3.0/SSLv3.1 alert levels
-const SSLv3x_ALERT_LEVEL_WARNING = 1;
-const SSLv3x_ALERT_LEVEL_FATAL = 2;
-
-# --- This is a table of all known alert levels.
-# --- It can be used for detecting unknown alert levels and for
-# --- converting the alert level constants into a human readable format.
-
-const ssl_alert_level: table[count] of string = {
- [SSLv3x_ALERT_LEVEL_WARNING] = "SSLv3x_ALERT_LEVEL_WARNING",
- [SSLv3x_ALERT_LEVEL_FATAL] = "SSLv3x_ALERT_LEVEL_FATAL",
-};
diff --git a/policy.old/ssl-worm.bro b/policy.old/ssl-worm.bro
deleted file mode 100644
index 40c9ce432e..0000000000
--- a/policy.old/ssl-worm.bro
+++ /dev/null
@@ -1,58 +0,0 @@
-# $Id: ssl-worm.bro 340 2004-09-09 06:38:27Z vern $
-
-@load signatures
-@load software
-
-redef signature_files += "ssl-worm.sig";
-
-redef capture_filters += {
- ["ssl-worm"] = "udp port 2002 and src net 134.96"
-};
-
-function sslworm_is_server_vulnerable(state: signature_state): bool
- {
- local ip = state$conn$id$resp_h;
-
- if ( ip !in software_table )
- return F;
-
- local softset = software_table[ip];
-
- if ( "Apache" !in softset )
- return F;
-
- if ( "OpenSSL" !in softset )
- return F;
-
- local safe_version: software_version =
- [$major = +0, $minor = +9, $minor2 = +6, $addl = "e"];
-
- if ( software_cmp_version(softset["OpenSSL"]$version, safe_version) >= 0 )
- return F;
-
- return T;
- }
-
-function sslworm_has_server_been_probed(state: signature_state): bool
- {
- # FIXME: Bro segfaults without the tmp variable
- local result =
- has_signature_matched("sslworm-probe",
- state$conn$id$orig_h, state$conn$id$resp_h);
-
- return result;
- }
-
-function sslworm_has_server_been_exploited(state: signature_state): bool
- {
- # FIXME: I don't know which side starts the UDP conversation
- local result =
- has_signature_matched("sslworm-exploit",
- state$conn$id$orig_h, state$conn$id$resp_h);
-
- if ( ! result )
- result = has_signature_matched("sslworm-exploit",
- state$conn$id$resp_h, state$conn$id$orig_h);
-
- return result;
- }
diff --git a/policy.old/stats.bro b/policy.old/stats.bro
deleted file mode 100644
index a4a4d7a8ac..0000000000
--- a/policy.old/stats.bro
+++ /dev/null
@@ -1,80 +0,0 @@
-# $Id: stats.bro 4011 2007-02-28 07:01:12Z vern $
-
-# Track memory/lag statistics. Differs from profiling.bro in that this
-# is lighter-weight (much less info, and less load to generate).
-
-@load notice
-
-redef enum Notice += {
- ResourceStats, # generated when running live packet capture
- OfflineResourceStats, # generated when reading trace files
-};
-
-# ResourceStats should by default be sent to the notice file
-redef notice_action_filters += {
- [[ResourceStats, OfflineResourceStats]] = file_notice
-};
-
-# Interval in which the results are sent as a notice. If this is less
-# than heartbeat_interval, then it is set to heartbeat_interval, since
-# some of the reported statistics are only gathered via the heartbeat.
-global stats_report_interval = 10 sec &redef;
-
-event check_stats(last_time: time, last_ns: NetStats, last_res: bro_resources)
- {
- local now = current_time();
- local lag = now - network_time();
- local report_delta = now - last_time;
-
- local res = resource_usage();
- local ns = net_stats();
-
- local total_CPU_time = res$user_time + res$system_time;
- local last_CPU_time = last_res$user_time + last_res$system_time;
- local CPU_util = ((total_CPU_time - last_CPU_time) / report_delta) * 100.0;
-
- local pkts_recvd = ns$pkts_recvd - last_ns$pkts_recvd;
- local pkts_dropped = ns$pkts_dropped - last_ns$pkts_dropped;
- local pkts_link = ns$pkts_link - last_ns$pkts_link;
-
- if ( bro_is_terminating() )
- # No more stats will be written or scheduled when Bro is
- # shutting down.
- return;
-
- local delta_pkts_processed = res$num_packets - last_res$num_packets;
- local delta_events = res$num_events_dispatched - last_res$num_events_dispatched;
- local delta_queued = res$num_events_queued - last_res$num_events_queued;
-
- local stat_msg =
- fmt("mem=%dMB pkts_proc=%d events_proc=%d events_queued=%d",
- res$mem / 1000000, delta_pkts_processed,
- delta_events, delta_queued);
-
- if ( reading_live_traffic() )
- {
- stat_msg = fmt("%s et=%.2f lag=%fsec util=%.01f%% pkts_rcv=%d pkts_drp=%d pkts_link=%d",
- stat_msg, report_delta, lag, CPU_util,
- pkts_recvd, pkts_dropped, pkts_link);
- NOTICE([$note=ResourceStats, $msg=stat_msg]);
- }
-
- else if ( reading_traces() )
- NOTICE([$note=OfflineResourceStats, $msg=stat_msg]);
-
- else
- {
- # Remote communication only.
- stat_msg = fmt("mem=%dMB events_proc=%d events_queued=%d lag=%fsec util=%.01f%%",
- res$mem / 1000000, delta_events, delta_queued,
- lag, CPU_util);
- NOTICE([$note=ResourceStats, $msg=stat_msg]);
- }
-
- schedule stats_report_interval { check_stats(now, ns, res) };
- }
-
-event bro_init()
- {
- schedule stats_report_interval { check_stats(current_time(), net_stats(), resource_usage()) };
- }
diff --git a/policy.old/stepping.bro b/policy.old/stepping.bro
deleted file mode 100644
index 9b7fe23031..0000000000
--- a/policy.old/stepping.bro
+++ /dev/null
@@ -1,484 +0,0 @@
-# $Id: stepping.bro 6481 2008-12-15 00:47:57Z vern $
-
-@load notice
-@load port-name
-@load demux
-@load login
-
-module Stepping;
-
-export {
- redef enum Notice += {
- # A stepping stone was seen in which the first part of
- # the chain is a clear-text connection but the second part
- # is encrypted. This often means that a password or
- # passphrase has been exposed in the clear, and may also
- # mean that the user has an incomplete notion that their
- # connection is protected from eavesdropping.
- ClearToEncrypted_SS,
- };
-}
-
-global step_log = open_log_file("step") &redef;
-
-# The following must be defined for the event engine to generate
-# stepping stone events.
-redef stp_delta = 0.08 sec;
-redef stp_idle_min = 0.5 sec;
-
-global stepping_stone: event(c1: connection, c2: connection, method: string);
-
-#### First, tag-based schemes - $DISPLAY, Last Login ####
-
-# If was a login to propagating a $DISPLAY of ,
-# then we make an entry of [, ] = .
-global display_pairs: table[addr, string] of connection;
-
-# Maps login tags like "Last login ..." to connections.
-global tag_to_conn_map: table[string] of connection;
-
-type tag_info: record {
- display: string; # $DISPLAY, if any
- tag: string; # login tag, e.g. "Last login ..."
-};
-
-global conn_tag_info: table[conn_id] of tag_info;
-
-const STONE_DISPLAY = 1;
-const STONE_LOGIN_BANNER = 2;
-const STONE_TIMING = 4;
-### fixme
-global detected_stones: table[addr, port, addr, port, addr, port, addr, port]
- of count &default = 0;
-global did_stone_summary: table[addr, port, addr, port, addr, port, addr, port]
- of count &default = 0;
-
-function new_tag_info(c: connection)
- {
- local ti: tag_info;
- ti$tag = ti$display = "";
- conn_tag_info[c$id] = ti;
- }
-
-event login_display(c: connection, display: string)
- {
- local id = c$id;
- if ( id !in conn_tag_info )
- new_tag_info(c);
-
- conn_tag_info[id]$display = display;
- display_pairs[id$resp_h, display] = c;
-
- if ( [id$orig_h, display] in display_pairs )
- event Stepping::stepping_stone(display_pairs[id$orig_h, display], c, "display");
- }
-
-event login_output_line(c: connection, line: string)
- {
- if ( /^([Ll]ast +(successful)? *login)/ | /^Last interactive login/
- !in line ||
- # Some finger output includes "Last login ..." but luckily
- # appears to be terminated by ctrl-A.
- /\001/ in line )
- return;
-
- if ( c$id !in conn_tag_info )
- new_tag_info(c);
-
- local ti = conn_tag_info[c$id];
- local tag = line;
-
- if ( ti$tag == "" )
- ti$tag = tag;
-
- if ( tag in tag_to_conn_map )
- {
- local c2 = tag_to_conn_map[tag];
-
- ### Would really like this taken care of by having
- # tag_to_conn_map[tag] deleted when c2 goes away.
- if ( active_connection(c2$id) )
- event Stepping::stepping_stone(c2, c, "login-tag");
- }
- else
- tag_to_conn_map[tag] = c;
- }
-
-event connection_finished(c: connection)
- {
- ### would really like some automatic destructors invoked
- ### whenever a connection goes away
- local id = c$id;
- if ( id in conn_tag_info )
- {
- local ti = conn_tag_info[id];
- delete display_pairs[id$resp_h, ti$display];
- delete tag_to_conn_map[ti$tag];
- delete conn_tag_info[id];
- }
- }
-
-
-#### Now, timing-based correlation ####
-
-const stp_ratio_thresh = 0.3 &redef; # prop. of idle times that must coincide
-
-# Time scale to which following thresholds apply.
-const stp_scale = 100.0 &redef;
-
-const stp_common_host_thresh = 2 &redef; # must be <= stp_random_pair_thresh
-const stp_random_pair_thresh = 4 &redef;
-
-const stp_demux_disabled = T &redef;
-
-# Indexed by the center host (or destination of the first connection,
-# for ABCD stepping stones) and the $addl information associated with
-# the connection (i.e., often username). If present in the set, then
-# we shouldn't bother generating a report for a clear->ssh stepping stone.
-const skip_clear_ssh_reports: set[addr, string] &redef;
-
-global num_stp_pairs = 0;
-
-type endp_info: record {
- conn: connection;
- id: conn_id;
- resume_time: time; # time when resuming from most recent idle period
- old_resume_time: time; # time when resuming from penultimate idle period
- idle_cnt: count; # number of idle periods for this endpoint (flow)
-};
-
-type pair_info: record {
- is_stp: bool; # true if flow pair considered a stepping stone pair
- hit: count; # number of coincidences
- hit_two_in_row: count; # number of coincidences two-in-row
-};
-
-# For connection k:
-# stp_endps[2k] is the orig endpoint
-# stp_endps[2k+1] is the resp endpoint
-global stp_endps: table[int] of endp_info;
-
-# Some endpoint pairs are weird, e.g., when two endp's share a common port.
-# Such weird endp pairs may be correlated, but are unlikely to be stepping
-# stone pairs.
-global stp_weird_pairs: set[int, int];
-
-# Normal (i.e., not weird) endp pairs.
-global stp_normal_pairs: table[int, int] of pair_info;
-
-function is_orig(e: int): bool
- {
- return (e % 2) == 0;
- }
-
-function peer(e: int): int
- {
- return (e % 2) == 0 ? (e + 1): (e - 1);
- }
-
-function orig_host(e: int): addr
- {
- return stp_endps[e]$id$orig_h;
- }
-
-function resp_host(e: int): addr
- {
- return stp_endps[e]$id$resp_h;
- }
-
-function orig_port(e: int): port
- {
- return stp_endps[e]$id$orig_p;
- }
-
-function resp_port(e: int): port
- {
- return stp_endps[e]$id$resp_p;
- }
-
-function build_conn(e: int): connection
- { # return the id of the orig, not the resp
- return stp_endps[e]$conn;
- }
-
-function stp_id_string(id: conn_id): string
- {
- return fmt("%s.%d > %s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
- }
-
-function stp_create_weird_pair(e1: int, e2: int)
- {
- add stp_weird_pairs[e1, e2];
- }
-
-function stp_create_normal_pair(e1: int, e2: int)
- {
- local pair: pair_info;
-
- pair$is_stp = F;
- pair$hit = pair$hit_two_in_row = 0;
-
- stp_normal_pairs[e1, e2] = pair;
- }
-
-function stp_correlate_weird_pair(e1: int, e2: int)
- { # do nothing right now
- }
-
-global stp_check_normal_pair: function(e1: int, e2: int): bool;
-
-function stp_correlate_normal_pair(e1: int, e2: int)
- {
- if ( stp_normal_pairs[e1, e2]$is_stp )
- return; # already classified as stepping stone pair
-
- ++stp_normal_pairs[e1, e2]$hit;
-
- if ( stp_endps[e1]$old_resume_time != 0.0 &&
- stp_endps[e2]$old_resume_time != 0.0 )
- {
- local dt = stp_endps[e2]$old_resume_time -
- stp_endps[e1]$old_resume_time;
- if ( dt >= 0.0 sec && dt <= stp_delta )
- ++stp_normal_pairs[e1, e2]$hit_two_in_row;
- }
- stp_check_normal_pair(e1, e2);
- }
-
-function stp_check_weird_pair(e1: int, e2: int)
- { # do nothing right now
- }
-
-function stp_check_normal_pair(e1: int, e2: int): bool
- {
- if
( stp_normal_pairs[e1, e2]$is_stp )
- return T; # already classified as stepping stone pair
-
- local p1 = peer(e1);
- local p2 = peer(e2);
- local reverse_exists = [p2, p1] in stp_normal_pairs;
-
- if ( reverse_exists && stp_normal_pairs[p2, p1]$is_stp )
- { # already classified as stepping stone pair
- stp_normal_pairs[e1, e2]$is_stp = T;
- return T;
- }
-
- local hit_two_in_row = stp_normal_pairs[e1, e2]$hit_two_in_row;
- if ( reverse_exists )
- hit_two_in_row = hit_two_in_row +
- stp_normal_pairs[p2, p1]$hit_two_in_row;
-
- # Criteria 1:
- # if ( e1 and e2 share a common host )
- # hit_two_in_row >= stp_common_host_thresh
- # else
- # hit_two_in_row >= stp_random_pair_thresh
-
- local factor = max_double(1.0,
- min_count(stp_endps[e1]$idle_cnt,
- stp_endps[e2]$idle_cnt) / stp_scale);
-
- if ( hit_two_in_row < factor * stp_common_host_thresh )
- return F;
-
- if ( hit_two_in_row < factor * stp_random_pair_thresh &&
- orig_host(e1) != orig_host(e2) && orig_host(e1) != resp_host(e2) &&
- resp_host(e1) != orig_host(e2) && resp_host(e1) != resp_host(e2) )
- return F;
-
- # Criteria 2:
- # hit_ratio >= stp_ratio_thresh
-
- local hit_ratio: double;
- if ( reverse_exists &&
- stp_normal_pairs[p2, p1]$hit > stp_normal_pairs[e1, e2]$hit )
- hit_ratio = (1.0 * stp_normal_pairs[p2, p1]$hit) /
- min_count(stp_endps[p1]$idle_cnt,
- stp_endps[p2]$idle_cnt);
- else
- hit_ratio = (1.0 * stp_normal_pairs[e1, e2]$hit) /
- min_count(stp_endps[e1]$idle_cnt,
- stp_endps[e2]$idle_cnt);
-
- if ( hit_ratio < stp_ratio_thresh )
- return F;
-
- stp_normal_pairs[e1, e2]$is_stp = T;
- event Stepping::stepping_stone(build_conn(e1), build_conn(e2), "timing");
-
- return T;
- }
-
-function reverse_id(id: conn_id): conn_id
- {
- local rid: conn_id;
-
- rid$orig_h = id$resp_h;
- rid$orig_p = id$resp_p;
- rid$resp_h = id$orig_h;
- rid$resp_p = id$orig_p;
-
- return rid;
- }
-
-event stp_create_endp(c: connection, e: int, is_orig: bool)
- {
- local end_i: endp_info;
-
- end_i$conn = c;
- end_i$id
= is_orig ? c$id : reverse_id(c$id);
- end_i$resume_time = end_i$old_resume_time = 0.0;
- end_i$idle_cnt = 0;
-
- stp_endps[e] = end_i;
- }
-
-event stp_resume_endp(e: int)
- {
- stp_endps[e]$old_resume_time = stp_endps[e]$resume_time;
- stp_endps[e]$resume_time = network_time();
- ++stp_endps[e]$idle_cnt;
- }
-
-event stp_correlate_pair(e1: int, e2: int)
- {
- local normal = T;
-
- if ( [e1, e2] in stp_normal_pairs )
- ;
-
- else if ( [e1, e2] in stp_weird_pairs )
- normal = F;
-
- else
- {
- # An endpoint pair is considered weird, iff:
- # the two flows both originated at same host, or
- # both terminated at same host, or
- # at least one flow is within a single host, or
- # two flows share an endpoint (host, port)
-
- if ( orig_host(e1) == orig_host(e2) || resp_host(e1) == resp_host(e2) ||
- orig_host(e1) == resp_host(e1) || orig_host(e2) == resp_host(e2) ||
- (orig_host(e1) == resp_host(e2) && orig_port(e1) == resp_port(e2)) ||
- (resp_host(e1) == orig_host(e2) && resp_port(e1) == orig_port(e2)) )
- {
- stp_create_weird_pair(e1, e2);
- normal = F;
- }
- else
- stp_create_normal_pair(e1, e2);
- }
-
- if ( normal )
- stp_correlate_normal_pair(e1, e2);
- else
- stp_correlate_weird_pair(e1, e2);
- }
-
-event stp_remove_pair(e1: int, e2: int)
- {
- delete stp_normal_pairs[e1, e2];
- delete stp_weird_pairs[e1, e2];
- }
-
-event stp_remove_endp(e: int)
- {
- delete stp_endps[e];
- }
-
-
-function report_stone(id1: conn_id, addl1: string, id2: conn_id, addl2: string)
-: string
- {
- if ( id1$resp_h == id2$orig_h )
- # A single-intermediary stepping stone.
- return fmt("%s -> %s %s-> %s %s",
- id1$orig_h,
- endpoint_id(id1$resp_h, id1$resp_p), addl1,
- endpoint_id(id2$resp_h, id2$resp_p), addl2);
- else
- # A multi-intermediary stepping stone.
- return fmt("%s -> %s %s...
%s -> %s %s",
- id1$orig_h,
- endpoint_id(id1$resp_h, id1$resp_p), addl1,
- id2$orig_h,
- endpoint_id(id2$resp_h, id2$resp_p), addl2);
- }
-
-event stone_summary(id1: conn_id, id2: conn_id)
- {
- if ( ++did_stone_summary[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] > 1 )
- return;
-
- local detection_type = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
-
- local report: string;
-
- if ( detection_type == STONE_DISPLAY )
- report = "only-display";
- else if ( detection_type == STONE_LOGIN_BANNER )
- report = "only-banner";
- else if ( detection_type == STONE_TIMING )
- report = "only-timing";
- else if ( detection_type == STONE_LOGIN_BANNER + STONE_TIMING )
- report = "stone-both";
- else
- report = fmt("stone-other-%d", detection_type);
-
- print step_log, fmt("%s detected %s %s %d %s %d %s %d %s %d",
- network_time(), report, id1$orig_h, id1$orig_p, id1$resp_h,
- id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p);
- }
-
-event stepping_stone(c1: connection, c2: connection, method: string)
- {
- # Put into canonical form: make #1 be the earlier of the two
- # connections.
- local id1 = c1$start_time < c2$start_time ? c1$id : c2$id;
- local id2 = c1$start_time < c2$start_time ? c2$id : c1$id;
-
- local addl1 = c1$start_time < c2$start_time ? c1$addl : c2$addl;
- local addl2 = c1$start_time < c2$start_time ? c2$addl : c1$addl;
-
- if ( id1$orig_h == id2$orig_h || id1$resp_h == id2$resp_h )
- # of the form A->B, A->C ; or B->A, C->A ; uninteresting.
- return;
-
- local tag = fmt("stp.%d", ++num_stp_pairs);
- local prelude = fmt("%.6f step %s (%s)", network_time(), num_stp_pairs, method);
-
- local stone_type = (method == "display" ? STONE_DISPLAY :
- (method == "login-tag" ?
STONE_LOGIN_BANNER :
- STONE_TIMING));
-
- local current_stones = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
-
- if ( (current_stones / stone_type) % 2 == 0 )
- detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] = current_stones + stone_type;
-
- schedule 1 day { stone_summary(id1, id2) };
-
- print step_log, fmt("%s: %s", prelude, report_stone(id1, addl1, id2, addl2));
-
- local is_ssh1 = id1$orig_p == ssh || id1$resp_p == ssh;
- local is_ssh2 = id2$orig_p == ssh || id2$resp_p == ssh;
-
- if ( ! is_ssh1 && is_ssh2 )
- { # Inbound clear-text, outbound ssh.
- if ( [id1$resp_h, addl1] !in skip_clear_ssh_reports )
- NOTICE([$note=ClearToEncrypted_SS,
- # The following isn't sufficient for
- # A->(B->C)->D stepping stones, only A->B->C.
- $src=c1$id$orig_h, $conn=c2,
- $user=addl1, $sub=addl2,
- $msg=fmt("clear -> ssh: %s", report_stone(id1, addl1, id2, addl2))]);
- }
-
- if ( ! stp_demux_disabled )
- {
- demux_conn(id1, tag, "keys", "server");
- demux_conn(id2, tag, "keys", "server");
- }
- }
diff --git a/policy.old/summaries/app-summary.bro b/policy.old/summaries/app-summary.bro
deleted file mode 100644
index 5be50f661a..0000000000
--- a/policy.old/summaries/app-summary.bro
+++ /dev/null
@@ -1,57 +0,0 @@
-@load conn-util
-@load conn-app-reduced
-
-global conn_size_table: table[conn_id] of count;
-global conn_size_log = open_log_file("conn-size") &redef;
-
-function add_to_conn_size(id: conn_id, size: count)
- {
- if ( id !in conn_size_table )
- conn_size_table[id] = 0;
- local previous_size = conn_size_table[id];
- conn_size_table[id] = conn_size_table[id] + size;
- if ( conn_size_table[id] < previous_size )
- {
- print conn_size_log, fmt("ERROR: %.6f size wrapping around: %s, prev_size = %d, add = %d",
- network_time(), conn_id_string(id), previous_size, size);
- }
- }
-
-event after_connections_state_remove(c: connection)
- {
- local id = c$id;
- local app_size: count;
- local transport_size: count;
- if ( id !in conn_size_table )
- conn_size_table[id] = 0;
- app_size = conn_size_table[id];
- transport_size = c$orig$size + c$resp$size;
- local size_delta: int = transport_size - app_size;
- local annotation: string = "none";
- if ( app_size > transport_size )
- annotation = "negative_transport_overhead";
- else if ( size_delta > 1000 && 1.0 * size_delta / transport_size > 0.3 )
- annotation = "suspicious_transport_overhead";
-
- print conn_size_log, fmt("conn %s app_size %d conn_size %d annotation %s", conn_id_string(id), app_size, transport_size, annotation);
-
- delete conn_size_table[id];
- }
-
-event connection_state_remove(c: connection)
- {
- event after_connections_state_remove(c);
- }
-
-function print_app_summary(log: file,
- id: conn_id, conn_start: time, func: string, start: time,
- num_req: count, req_size: count, num_resp: count, resp_size: count,
- extra: string)
- {
- add_to_conn_size(id, req_size + resp_size);
- print log, fmt("conn %s conn_start %.6f app %s app_func %s start %.6f req %d pyld_^ %d reply %d pyld_v %d%s",
- conn_id_string(id), conn_start, conn_app[id], func, start,
- num_req, req_size,
- num_resp, resp_size,
- byte_len(extra) > 0 ? cat(" ", extra) : "");
- }
diff --git a/policy.old/summaries/conn-app-reduced.bro b/policy.old/summaries/conn-app-reduced.bro
deleted file mode 100644
index 74cce70dee..0000000000
--- a/policy.old/summaries/conn-app-reduced.bro
+++ /dev/null
@@ -1,37 +0,0 @@
-@load port-name
-
-# Used to annotate apps for connections on ephemeral ports
-global conn_app: table[conn_id] of string &default =
- function(id: conn_id): string
- {
- local p = is_icmp_port(id$resp_p) ? id$orig_p : id$resp_p;
- if ( p in port_names )
- return port_names[p];
- else
- return fmt("%s", p);
- };
-
-redef port_names += {
- [0/icmp] = "icmp-echo",
- [8/icmp] = "icmp-echo",
- [3/icmp] = "icmp-unreach",
-
- [497/tcp] = "dantz",
- [554/tcp] = "rtsp",
- [5730/tcp] = "steltor", # calendar
- [[7501/tcp, 7502/tcp, 7503/tcp, 7504/tcp, 7505/tcp,
- 7506/tcp, 7507/tcp, 7508/tcp, 7509/tcp, 7510/tcp]]
- = "hpss",
- [[3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp]] = "http",
- [8443/tcp] = "https",
- [3396/tcp] = "printer-agent",
- [13782/tcp] = "veritas-backup-ctrl",
- [16384/tcp] = "connected-backup",
-
- [67/udp] = "dhcp-s", # bootstrap for diskless hosts
- [68/udp] = "dhcp-c", # reply-port
- [427/udp] = "srvloc",
- [11001/udp] = "metasys", # cardkey
- [38293/udp] = "nav-ping", # norton anti-virus host discovery
-};
-
diff --git a/policy.old/summaries/conn-app.bro b/policy.old/summaries/conn-app.bro
deleted file mode 100644
index 243ad03f36..0000000000
--- a/policy.old/summaries/conn-app.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-@load conn-app-reduced
-
-@load ftp
-@load dce-rpc
-
-event new_connection(c: connection)
- {
- local id = c$id;
- if ( [id$resp_h, id$resp_p] in DCE_RPC::dce_rpc_endpoint )
- {
- # local uuid = DCE_RPC::dce_rpc_endpoint[id$resp_h, id$resp_p];
- # conn_app[id] = fmt("dce-rpc-%s",
- # ( uuid in DCE_RPC::dce_rpc_uuid_name ) ?
- # DCE_RPC::dce_rpc_uuid_name[uuid] : "unknown");
- conn_app[id] = "dce-rpc";
- }
- else if ( FTP::is_ftp_data_connection(c) )
- {
- conn_app[id] = "ftp-data";
- }
- }
diff --git a/policy.old/summaries/conn-size.bro b/policy.old/summaries/conn-size.bro
deleted file mode 100644
index 8001911ed6..0000000000
--- a/policy.old/summaries/conn-size.bro
+++ /dev/null
@@ -1,83 +0,0 @@
-# const number_of_regions = 32;
-const region_size = 1024 * 1024; # 1MB
-@load large-conns
-
-global conn_size_log = open_log_file("conn-size") &redef;
-
-function conn_id_string(id: conn_id): string
- {
- return fmt("%s/%d=>%s/%s",
- id$orig_h, id$orig_p,
- id$resp_h, id$resp_p);
- }
-
-function report_size_error(c: connection, msg: string)
- {
- print conn_size_log, fmt("conn %s start %.6f duration %.6f pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d size_error [%s]",
- conn_id_string(c$id),
- c$start_time,
- c$duration,
- c$orig$num_pkts, c$orig$size,
- c$resp$num_pkts, c$resp$size,
- msg);
- }
-
-function conn_size(c: connection, is_orig: bool): string
- {
- local endp = is_orig ? c$orig : c$resp;
- local endp_name = is_orig ? "orig" : "resp";
- local size = endp$size;
-
- if ( is_tcp_port(c$id$resp_p) )
- # double check TCP sizes
- {
- local est = estimate_flow_size_and_remove(c$id, is_orig);
- if ( est$have_est )
- {
- print conn_size_log,
- fmt("conn %s endpoint %s size %d low %.0fMB high %.0fMB inconsistent %d",
- conn_id_string(c$id), endp_name,
- endp$size,
- est$lower / 1e6,
- est$upper / 1e6,
- est$num_inconsistent);
-
- if ( est$num_inconsistent > 0 )
- {
- report_size_error(c,
- fmt("%s size error inconsistent %d",
- endp_name,
- est$num_inconsistent));
- return "-";
- }
-
- if ( size < est$lower || size > est$upper )
- {
- report_size_error(c,
- fmt("%s size error estimates: %.0fMB - %.0fMB",
- endp_name,
- est$lower / 1e6,
- est$upper / 1e6));
- return "-";
- }
- }
- }
- else if ( is_udp_port(c$id$resp_p) )
- {
- if ( endp$num_pkts > size && size != 0 )
- {
- report_size_error(c,
- fmt("%s size error: pkt > size",
- endp_name));
- return "-";
- }
- }
-
- return fmt("%d", size);
- }
-
-event connection_state_remove(c: connection)
- {
- local orig_size = conn_size(c, T);
- local resp_size = conn_size(c, F);
- }
diff --git a/policy.old/summaries/conn-summary.bro b/policy.old/summaries/conn-summary.bro
deleted file mode 100644
index dc89e49acc..0000000000
--- a/policy.old/summaries/conn-summary.bro
+++ /dev/null
@@ -1,99 +0,0 @@
-@load conn-util
-# @load conn-app
-# @load smb-tag
-# @load dce-rpc-tag
-
-module ConnSummary;
-
-# redef capture_filters += { ["TUI"] = "tcp or udp or icmp" };
-redef capture_filters = { ["ip"] = "ip" }; # to also capture IP fragments
-# redef SMB_tag::log_smb_tags = F;
-# redef DCE_RPC_tag::log_dce_rpc_tags = F;
-
-global conn_summary_log = open_log_file("conn-summary") &redef;
-
-global conn_annotation: table[conn_id] of string &default = "";
-
-function add_to_conn_annotation(cid: conn_id, new_annotation: string)
- {
- local a: string;
- if ( cid in conn_annotation )
- conn_annotation[cid] =
- cat(conn_annotation[cid], ",", new_annotation);
- else
- conn_annotation[cid] = new_annotation;
- }
-
-# II. Annotation events
-event new_connection(c: connection)
- {
- if ( is_tcp_port(c$id$resp_p) )
- {
- if ( c$orig$state != TCP_SYN_SENT )
- {
- # add_to_conn_annotation(c$id, "partial");
- }
- }
- }
-
-event partial_connection(c: connection)
- {
- add_to_conn_annotation(c$id, "partial");
- }
-
-event connection_established(c: connection)
- {
- if ( c$orig$state == TCP_ESTABLISHED && c$resp$state == TCP_ESTABLISHED )
- {
- add_to_conn_annotation(c$id, "established");
- }
- }
-
-event connection_rejected(c: connection)
- {
- add_to_conn_annotation(c$id, "rejected");
- }
-
-event connection_reset(c: connection)
- {
- add_to_conn_annotation(c$id, "reset");
- }
-
-event connection_attempt(c: connection)
- {
- add_to_conn_annotation(c$id, "attempt");
- }
-
-event connection_finished(c: connection)
- {
- add_to_conn_annotation(c$id, "finished");
- }
-
-event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
- {
- add_to_conn_annotation(context$id, "unreach");
- }
-
-event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
- {
- add_to_conn_annotation(context$id, "time_exceeded");
- }
-
-event connection_state_remove(c: connection)
- {
- # local tag_smb = get_smb_tag(c$id);
- # local
tag_dce_rpc = get_dce_rpc_tag(c$id);
-
- print conn_summary_log, fmt("conn %s start %.6f duration %.6f app %s pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d state %s notes [%s]",
- conn_id_string(c$id),
- c$start_time,
- c$duration,
- conn_app[c$id],
- c$orig$num_pkts, c$orig$size,
- c$resp$num_pkts, c$resp$size,
- conn_state(c, get_port_transport_proto(c$id$resp_p)),
- conn_annotation[c$id]);
-
- delete conn_annotation[c$id];
- delete conn_app[c$id];
- }
diff --git a/policy.old/summaries/conn-util.bro b/policy.old/summaries/conn-util.bro
deleted file mode 100644
index 623ca04955..0000000000
--- a/policy.old/summaries/conn-util.bro
+++ /dev/null
@@ -1,55 +0,0 @@
-function conn_id_string(id: conn_id): string
- {
- return fmt("%s/%d=>%s/%s",
- id$orig_h, id$orig_p,
- id$resp_h, id$resp_p);
- }
-
-function connection_state(c: connection, trans: transport_proto): string
- {
- local os = c$orig$state;
- local rs = c$resp$state;
-
- local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
- local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
-
- if ( trans == tcp )
- {
- if ( rs == TCP_RESET )
- {
- if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
- (os == TCP_RESET &&
- c$orig$size == 0 && c$resp$size == 0) )
- return "REJ";
- else if ( o_inactive )
- return "RSTRH";
- else
- return "RSTR";
- }
- else if ( os == TCP_RESET )
- return r_inactive ? "RSTOS0" : "RSTO";
- else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
- return "SF";
- else if ( os == TCP_CLOSED )
- return r_inactive ? "SH" : "S2";
- else if ( rs == TCP_CLOSED )
- return o_inactive ? "SHR" : "S3";
- else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
- return "S0";
- else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
- return "S1";
- else
- return "OTH";
- }
-
- else if ( trans == udp )
- {
- if ( os == UDP_ACTIVE )
- return rs == UDP_ACTIVE ? "SF" : "S0";
- else
- return rs == UDP_ACTIVE ? "SHR" : "OTH";
- }
-
- else
- return "OTH";
- }
diff --git a/policy.old/summaries/dce-rpc-summary.bro b/policy.old/summaries/dce-rpc-summary.bro
deleted file mode 100644
index 0d6ffecf96..0000000000
--- a/policy.old/summaries/dce-rpc-summary.bro
+++ /dev/null
@@ -1,93 +0,0 @@ -@load conn-util -@load dce-rpc -@load app-summary - -module DCE_RPC_summary; - -global log = open_log_file("dce-rpc-summary") &redef; - -type dce_rpc_transaction: record { - connection_id: conn_id; - conn_start: time; - uuid: string; - opnum: count; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; -}; - -global conn_uuid: table[conn_id] of string &default = DCE_RPC::null_uuid; -global dce_rpc_trans_table: table[conn_id] of dce_rpc_transaction; -# global msg_size: table[conn_id, bool] of count; - -function end_dce_rpc_transaction(id: conn_id) - { - if ( id !in dce_rpc_trans_table ) - return; - - local t = dce_rpc_trans_table[id]; - local ifname = DCE_RPC::dce_rpc_uuid_name[t$uuid]; - local func_name = DCE_RPC::dce_rpc_func_name[ifname, t$opnum]; - print_app_summary(log, - t$connection_id, - t$conn_start, - fmt("%s/%s", ifname, func_name), - t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("ifname %s", ifname)); - - delete dce_rpc_trans_table[id]; - } - -function new_dce_rpc_transaction(c: connection, uuid: string, opnum: count): dce_rpc_transaction - { - local id = c$id; - - # End any previous trans - end_dce_rpc_transaction(id); - - local t = [ - $connection_id = id, $conn_start = c$start_time, - $uuid = uuid, $opnum = opnum, - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0]; - - dce_rpc_trans_table[id] = t; - return t; - } - -event dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string) - { - # msg_size[c$id, is_orig] = byte_len(msg); - } - -event dce_rpc_bind(c: connection, uuid: string) - { - conn_uuid[c$id] = uuid; - } - -event dce_rpc_request(c: connection, opnum: count, stub: string) - { - local t = new_dce_rpc_transaction(c, conn_uuid[c$id], opnum); - ++t$num_req; - t$req_size = t$req_size + byte_len(stub); - # t$req_size = t$req_size + msg_size[c$id, T]; - } - -event dce_rpc_response(c: connection, opnum: count, 
stub: string)
- {
- local t = dce_rpc_trans_table[c$id];
- ++t$num_resp;
- t$resp_size = t$resp_size + byte_len(stub);
- # t$resp_size = t$resp_size + msg_size[c$id, F];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in dce_rpc_trans_table )
- end_dce_rpc_transaction(c$id);
- }
diff --git a/policy.old/summaries/dce-rpc-tag.bro b/policy.old/summaries/dce-rpc-tag.bro
deleted file mode 100644
index b74aaa704b..0000000000
--- a/policy.old/summaries/dce-rpc-tag.bro
+++ /dev/null
@@ -1,68 +0,0 @@
-@load conn-util
-@load dce-rpc
-
-redef capture_filters += {
- ["dce-rpc"] = "tcp or udp",
-};
-
-global dce_rpc_tag: table[conn_id] of string &default = "";
-
-const log_dce_rpc_tags = T &redef;
-function get_dce_rpc_tag(id: conn_id): string
- {
- if ( id in dce_rpc_tag )
- return dce_rpc_tag[id];
- else
- return "";
- }
-
-module DCE_RPC_tag;
-
-global log = open_log_file("dce_rpc-tag") &redef;
-
-function add_to_dce_rpc_tag(c: connection, name: string): bool
- {
- local id = c$id;
- local orig_tag = dce_rpc_tag[id];
-
- if ( orig_tag == "" )
- {
- dce_rpc_tag[id] = name;
- }
- else if ( strstr(orig_tag, name) == 0 )
- {
- dce_rpc_tag[id] = cat(orig_tag, ",", name);
- }
-
- return T;
- }
-
-# Deficiency: it only looks at the bind request, but not the reply, so we
-# do not know if the bind is successful.
-
-event dce_rpc_bind(c: connection, uuid: string)
- {
- local if_name = DCE_RPC::dce_rpc_uuid_name[uuid];
- if ( log_dce_rpc_tags )
- print log, fmt("%.6f %s DCE_RPC_Bind: %s",
- network_time(), id_string(c$id), if_name);
- add_to_dce_rpc_tag(c, if_name);
- }
-
-event delete_dce_rpc_tag(c: connection)
- {
- delete dce_rpc_tag[c$id];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in dce_rpc_tag )
- {
- if ( log_dce_rpc_tags )
- print log, fmt("conn %s start %.6f DCE/RPC [%s]",
- conn_id_string(c$id),
- c$start_time,
- dce_rpc_tag[c$id]);
- event delete_dce_rpc_tag(c);
- }
- }
diff --git a/policy.old/summaries/dns-common-summary.bro b/policy.old/summaries/dns-common-summary.bro
deleted file mode 100644
index 14d4187d3f..0000000000
--- a/policy.old/summaries/dns-common-summary.bro
+++ /dev/null
@@ -1,245 +0,0 @@ -@load conn-util -@load app-summary -@load dns-info - -module DNS_common_summary; - - -export { - - global dns_summary_log = open_log_file("dns-common-summary") &redef; - - const server_ports = { - 53/udp, 53/tcp, 137/udp, - } &redef; -} - -redef capture_filters += { - ["dns"] = "port 53", - ["netbios-ns"] = "udp port 137", -}; - -const dns_op_name = { - [0] = "QUERY", - [1] = "IQUERY", - [2] = "STATUS", - [5] = "NB_REGISTER", - [6] = "NB_RELEASE", - [7] = "NB_WACK", - [8] = "NB_REFRESH", -} &default = function(op: count): string - { - return fmt("op-%d", op); - }; - -function dns_qtype(qtype: int, server_port: port): string - { - if ( qtype < 0 ) - return "none"; - - if ( server_port == 137/udp ) - { - if ( qtype == 32 ) - return "NB"; - if ( qtype == 33 ) - return "NBSTAT"; - } - - return query_types[int_to_count(qtype)]; - } - -function dns_rcode(rcode: int): string - { - return ( rcode < 0 ) ? "none" : - base_error[int_to_count(rcode)]; - } - -const netbios_host_type = { - ["00"] = "workstation", - ["03"] = "messenger", - ["1b"] = "domain_master_browser", - ["20"] = "server", - ["1c"] = "domain_group", - ["1d"] = "master_browser_group", - ["1e"] = "group", -} &default = function(t: string): string { return t; }; - -const dns_transaction_timeout = 30 sec &redef; - -type dns_transaction: record { - connection_id: conn_id; - conn_start: time; - func: string; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - - num_q: count; - qtype: string; - query: string; - host_type: string; - rcode: string; - resp_time: time; # of the first resp -}; - -# Use only the client addr and transaction id for index, because -# Netbios/NS clients sometimes send to broadcast address -type dns_trans_index: record { - client: addr; - client_port: port; - id: count; - server: addr; - server_port: port; -}; -global dns_trans_table: table[dns_trans_index] of dns_transaction; - -function fmt_list(x: string): string - { - if ( 
strstr(x, ",") > 0 ) - return cat("[", x, "]"); - else - return x; - } - -event expire_DNS_transaction(ind: dns_trans_index) - { - if ( ind !in dns_trans_table ) - return; - - local t = dns_trans_table[ind]; - if ( ind$server_port in server_ports ) - { - print_app_summary(dns_summary_log, - t$connection_id, - t$conn_start, - t$func, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("qtype %s return %s query '%s' host_type %s latency %.6f", - fmt_list(t$qtype), fmt_list(t$rcode), - fmt_list(gsub(t$query, / /, "_")), - fmt_list(t$host_type), - t$resp_time >= t$start ? t$resp_time - t$start : -1 sec)); - } - delete dns_trans_table[ind]; - } - -function lookup_dns_transaction(c: connection, msg: dns_msg, is_orig: bool): dns_transaction - { - local id = c$id; - local client: addr; - local server: addr; - local client_port: port; - local server_port: port; - - if ( ( ! msg$QR && is_orig ) || ( msg$QR && ! is_orig ) ) - { - client = id$orig_h; - client_port = id$orig_p; - server = id$resp_h; - server_port = id$resp_p; - } - else - { - client = id$resp_h; - client_port = id$resp_p; - server = id$orig_h; - server_port = id$orig_p; - } - - # print fmt("%.6f client %s server %s", network_time(), client, server); - - # Netbios queries are sometimes sent to broadcast addresses, - # so we ignore the server part - if ( server_port == 137/udp ) - server = 0.0.0.0; - - local ind = [$client = client, $client_port = client_port, - $id = msg$id, - $server = server, $server_port = server_port]; - - if ( ind !in dns_trans_table ) - { - local t = [ - $connection_id = id, - $conn_start = c$start_time, - $func = dns_op_name[msg$opcode], - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $num_q = 0, - $qtype = "none", - $query = "none", $host_type = "none", - $rcode = "none", - $resp_time = network_time() - 1 sec]; - dns_trans_table[ind] = t; - } - - schedule dns_transaction_timeout { - expire_DNS_transaction(ind) - }; - - return 
dns_trans_table[ind];
- }
-
-event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
- {
- local t = lookup_dns_transaction(c, msg, is_orig);
- if ( ! msg$QR )
- {
- ++t$num_req;
- t$req_size = t$req_size + len;
- }
- else
- {
- local rcode = dns_rcode(msg$rcode);
- if ( t$rcode == "none" )
- t$rcode = rcode;
- else if ( t$rcode != rcode )
- t$rcode = cat(t$rcode, ",", rcode);
- ++t$num_resp;
- t$resp_size = t$resp_size + len;
- if ( t$num_resp == 1 )
- t$resp_time = network_time();
- }
- }
-
-function append_query(t: dns_transaction, query: string, host_type: string, qtype: string)
- {
- ++t$num_q;
- if ( t$num_q == 1 )
- {
- t$qtype = qtype;
- t$query = query;
- t$host_type = host_type;
- }
- else
- {
- if ( qtype != t$qtype )
- t$qtype = cat(t$qtype, ",", qtype);
- if ( query != t$query )
- t$query = cat(t$query, ",", query);
- if ( host_type != t$host_type )
- t$host_type = cat(t$host_type, ",", host_type);
- }
- }
-
-event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
- {
- local host_type = "n/a";
- if ( c$id$resp_p == 137/udp )
- {
- query = decode_netbios_name(query);
- local last_byte = sub_bytes(query, byte_len(query) - 2, 2);
- host_type = netbios_host_type[last_byte];
- }
-
- # print log, fmt("conn %s start %.6f op %d qtype 0x%x name [%s]",
- # conn_id_string(c$id), network_time(),
- # msg$opcode, qtype, query);
-
- local t = lookup_dns_transaction(c, msg, T);
- append_query(t, query, host_type, dns_qtype(qtype, c$id$resp_p));
- }
diff --git a/policy.old/summaries/dns-summary.bro b/policy.old/summaries/dns-summary.bro
deleted file mode 100644
index 327f2f5032..0000000000
--- a/policy.old/summaries/dns-summary.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-@load dns-common-summary
-
-redef DNS_common_summary::log = open_log_file("dns-summary");
-redef DNS_common_summary::server_ports = { 53/udp, 53/tcp };
-
-redef capture_filters = {
- ["dns"] = "port 53",
-};
diff --git a/policy.old/summaries/http-rps-summary.bro b/policy.old/summaries/http-rps-summary.bro
deleted file mode 100644
index 0241a886b7..0000000000
--- a/policy.old/summaries/http-rps-summary.bro
+++ /dev/null
@@ -1,171 +0,0 @@ -# $Id:$ - -@load http -@load app-summary - -redef capture_filters = { - ["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128", -}; - -module HTTP_req_per_session; - -export { - global log = open_log_file("http-rps-summary") &redef; - const http_session_idle_timeout = 1 sec &redef; -} - -type http_session: record { - # standard stuff - connection_id: conn_id; # of the first conn - conn_start: time; - func: string; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - - # for timeout - unfinished_req: count; - unfinished_resp: count; - last_time: time; -}; - -global expire_http_session: function( - tbl: table[addr] of http_session, index: addr): interval; - -global http_ssn_table: table[addr] of http_session - &read_expire = http_session_idle_timeout - &expire_func = expire_http_session; - -function new_http_session(c: connection): http_session - { - local t = [ - $connection_id = c$id, - $conn_start = c$start_time, - $func = "unknown", - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $unfinished_req = 0, $unfinished_resp = 0, - $last_time = network_time()]; - - return t; - } - -function lookup_http_session(c: connection, is_orig: bool): http_session - { - local id = c$id; - local index = id$orig_h; - - if ( index !in http_ssn_table ) - { - if ( ! 
is_orig ) - print fmt("%.6f HTTP session not found for a resposne", - network_time(), conn_id_string(id)); - - http_ssn_table[index] = new_http_session(c); - } - - return http_ssn_table[index]; - } - -function end_http_session(t: http_session) - { - print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("duration %.6f", t$last_time - t$start)); - } - -function check_expiration(t: http_session): bool - { - print fmt("%.6f check expiration http_session %s: %.6f %d,%d %d,%d", - network_time(), conn_id_string(t$connection_id), - t$last_time, - t$num_req, t$num_resp, - t$unfinished_req, t$unfinished_resp); - - if ( network_time() - t$last_time < http_session_idle_timeout - || ( t$unfinished_req + t$unfinished_resp > 0 && - network_time() - t$last_time < 15 min && - ! done_with_network ) ) - { - print fmt("do not expire"); - return F; - } - - end_http_session(t); - return T; - } - -function expire_http_session(tbl: table[addr] of http_session, - index: addr): interval - { - local t = tbl[index]; - if ( ! check_expiration(t) ) - { - print fmt("... 
no, wait one more second: %d, %d",
- t$unfinished_req, t$unfinished_resp);
- return 1 sec;
- }
- return 0 sec;
- }
-
-event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
- {
- local t = lookup_http_session(c, T);
- if ( check_expiration(t) )
- {
- delete http_ssn_table[c$id$orig_h];
- t = lookup_http_session(c, T);
- }
- t$func = method;
- ++t$num_req;
- ++t$unfinished_req;
- t$last_time = network_time();
- }
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- # print fmt("http reply");
- local t = lookup_http_session(c, F);
- ++t$num_resp;
- ++t$unfinished_resp;
- t$last_time = network_time();
- }
-
-function http_request_done(c: connection, stat: http_message_stat)
- {
- # print fmt("http request done");
- local t = lookup_http_session(c, T);
- t$req_size = t$req_size + stat$body_length;
- if ( t$unfinished_req > 0 )
- --t$unfinished_req;
- t$last_time = network_time();
- }
-
-function http_reply_done(c: connection, stat: http_message_stat)
- {
- local t = lookup_http_session(c, F);
- t$resp_size = t$resp_size + stat$body_length;
- if ( t$unfinished_resp > 0 )
- --t$unfinished_resp;
- t$last_time = network_time();
- }
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
- {
- if ( is_orig )
- http_request_done(c, stat);
- else
- http_reply_done(c, stat);
- }
-
-event bro_done()
- {
- for ( index in http_ssn_table )
- {
- end_http_session(http_ssn_table[index]);
- }
- }
diff --git a/policy.old/summaries/http-summary.bro b/policy.old/summaries/http-summary.bro
deleted file mode 100644
index 1f6c1219e4..0000000000
--- a/policy.old/summaries/http-summary.bro
+++ /dev/null
@@ -1,281 +0,0 @@ -@load http -@load app-summary - -redef capture_filters = { - ["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128", - ["ipp"] = "tcp port 631", -}; - -module HTTP_summary; - -global log = open_log_file("http-summary") &redef; - -type http_transaction: record { - # standard stuff - connection_id: conn_id; - conn_start: time; - func: string; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - - # for tracking the state - req_done: bool; - resp_done: bool; - done: bool; - - # http-specific stuff - code: count; - req_content_type: string; - resp_content_type: string; - conditional_get: string; - user_agent: string; - cache_control: string; - last_modified: string; - etag: string; -}; - -type http_trans_group: record { - trans: table[count] of http_transaction; - first_req: count; - last_req: count; -}; - -global http_trans_table: table[conn_id] of http_trans_group; - -function lookup_http_trans_group(id: conn_id, create: bool): http_trans_group - { - if ( id !in http_trans_table ) - { - if ( create ) - { - local trans: table[count] of http_transaction; - http_trans_table[id] = [ - $trans = trans, $first_req = 1, $last_req = 0]; - } - else - print fmt("HTTP trans_group not found: %s", conn_id_string(id)); - } - - return http_trans_table[id]; - } - -function new_http_transaction(c: connection, func: string): http_transaction - { - # print fmt("new http trans: %.6f %s", network_time(), func); - local g = lookup_http_trans_group(c$id, T); - - local t = [ - $connection_id = c$id, - $conn_start = c$start_time, - $func = func, - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $req_done = F, $resp_done = F, $done = F, - $code = 0, - $req_content_type = "none", - $resp_content_type = "none", - $conditional_get = "no", - $user_agent = "none", - $cache_control = "none", - $last_modified = "none", - $etag = "none"]; - - ++g$last_req; - 
g$trans[g$last_req] = t; - - return t; - } - -function lookup_http_transaction(id: conn_id, is_orig: bool): http_transaction - { - local g = lookup_http_trans_group(id, F); - local index = is_orig ? g$last_req : g$first_req; - - if ( index !in g$trans ) - { - print fmt("HTTP transaction not found: %s : %d-%d", - conn_id_string(id), g$first_req, g$last_req); - } - - return g$trans[index]; - } - -function end_http_transaction(t: http_transaction) - { - if ( t$req_done && t$resp_done ) - { - if ( t$done ) - return; - t$done = T; - print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("code %d content_type_^ %s content_type_v %s conditional_get %s user_agent %s cache_control %s last_modified %s etag %s", - t$code, - t$req_content_type, t$resp_content_type, - t$conditional_get, - subst_string(t$user_agent, " ", "_"), - subst_string(t$cache_control, " ", ""), - t$last_modified == "none" ? "none" : "present", - t$etag == "none" ? 
"none" : "present" - )); - } - } - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - # print fmt("http request"); - local t = new_http_transaction(c, method); - ++t$num_req; - t$req_done = F; - } - -event http_reply(c: connection, version: string, code: count, reason: string) - { - # print fmt("http reply"); - local id = c$id; - local g = lookup_http_trans_group(id, T); - local t: http_transaction; - if ( g$first_req in g$trans ) - t = g$trans[g$first_req]; - else - t = new_http_transaction(c, "none"); - - ++t$num_resp; - t$code = code; - t$resp_done = F; - } - -function http_request_done(c: connection, stat: http_message_stat) - { - # print fmt("http request done"); - local t = lookup_http_transaction(c$id, T); - t$req_size = t$req_size + stat$body_length; - t$req_done = T; - end_http_transaction(t); - } - -function http_reply_done(c: connection, stat: http_message_stat) - { - # print fmt("http reply done"); - local t = lookup_http_transaction(c$id, F); - t$resp_size = t$resp_size + stat$body_length; - if ( t$code >= 200 ) - { - t$resp_done = T; - end_http_transaction(t); - local g = lookup_http_trans_group(t$connection_id, F); - ++g$first_req; - } - } - -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( is_orig ) - http_request_done(c, stat); - else - http_reply_done(c, stat); - } - -event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) - { - local t = lookup_http_transaction(c$id, is_orig); - local type_str = fmt("%s/%s", ty, subty); - if ( is_orig ) - t$req_content_type = type_str; - else - t$resp_content_type = type_str; - } - -function http_conditional_get(c: connection, is_orig: bool, h: mime_header_rec) - { - local t = lookup_http_transaction(c$id, is_orig); - t$conditional_get = h$name; - } - -function http_user_agent(c: connection, is_orig: bool, h: mime_header_rec) - { - local t = lookup_http_transaction(c$id, is_orig); 
- t$user_agent = h$value;
- }
-
-function http_cache_control(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$cache_control = h$value;
- }
-
-function http_last_modified(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$last_modified = h$value;
- }
-
-function http_etag(c: connection, is_orig: bool, h: mime_header_rec)
- {
- local t = lookup_http_transaction(c$id, is_orig);
- t$etag = h$value;
- }
-
-# type mime_header_rec: record {
-# name: string;
-# value: string;
-# };
-# type mime_header_list: table[count] of mime_header_rec;
-
-const conditional_get_headers = {
- "IF-MODIFIED-SINCE",
- "IF-UNMODIFIED-SINCE",
- "IF-MATCH",
- "IF-NONE-MATCH",
- "IF-RANGE",
-};
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
- {
- if ( ! is_orig )
- return;
-
- for ( i in hlist )
- {
- local h = hlist[i];
- if ( h$name in conditional_get_headers )
- http_conditional_get(c, is_orig, h);
- if ( h$name == "USER-AGENT" )
- http_user_agent(c, is_orig, h);
- if ( h$name == "CACHE-CONTROL" )
- http_cache_control(c, is_orig, h);
- if ( h$name == "LAST-MODIFIED" )
- http_last_modified(c, is_orig, h);
- if ( h$name == "ETAG" )
- http_etag(c, is_orig, h);
- }
- }
-
-function end_http_trans_group(g: http_trans_group, index: count)
- {
- if ( index !in g$trans )
- return;
- local t = g$trans[index];
-
- t$req_done = T;
- t$resp_done = T;
- end_http_transaction(t);
-
- delete g$trans[index];
- end_http_trans_group(g, index + 1);
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
- if ( id in http_trans_table )
- {
- end_http_trans_group(http_trans_table[id], 1);
- delete http_trans_table[id];
- }
- }
diff --git a/policy.old/summaries/ipp-summary.bro b/policy.old/summaries/ipp-summary.bro
deleted file mode 100644
index 5bc4c3df86..0000000000
--- a/policy.old/summaries/ipp-summary.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load http-summary
-
-redef HTTP_summary::log = open_log_file("ipp-summary") &redef;
diff --git a/policy.old/summaries/ncp-summary.bro b/policy.old/summaries/ncp-summary.bro
deleted file mode 100644
index 89c19c6713..0000000000
--- a/policy.old/summaries/ncp-summary.bro
+++ /dev/null
@@ -1,78 +0,0 @@
-@load ncp
-@load app-summary
-
-module NCP_summary;
-
-global ncp_summary_log = open_log_file("ncp-summary") &redef;
-
-type ncp_transaction: record {
- connection_id: conn_id;
- conn_start: time;
- func: string;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
- completion_code: int; # ... of the first reply
-};
-
-global ncp_trans_table: table[conn_id] of ncp_transaction;
-
-function end_ncp_transaction(id: conn_id)
- {
- if ( id !in ncp_trans_table )
- return;
-
- local t = ncp_trans_table[id];
- print_app_summary(ncp_summary_log, t$connection_id, t$conn_start, t$func, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("completion_code %d", t$completion_code));
- }
-
-function new_ncp_transaction(c: connection, func: string): ncp_transaction
- {
- local id = c$id;
-
- # End any previous trans
- end_ncp_transaction(id);
-
- local t = [
- $connection_id = id,
- $conn_start = c$start_time,
- $func = func,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0,
- $completion_code = -1];
-
- ncp_trans_table[id] = t;
- return t;
- }
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- local f = ( frame_type == 0x2222 ) ?
- NCP::ncp_function_name[func] :
- NCP::ncp_frame_type_name[frame_type];
-
- local t = new_ncp_transaction(c, f);
- ++t$num_req;
- t$req_size = t$req_size + length;
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
- {
- local t = ncp_trans_table[c$id];
- ++t$num_resp;
- if ( t$num_resp == 1 )
- t$completion_code = completion_code;
- t$resp_size = t$resp_size + length;
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in ncp_trans_table )
- end_ncp_transaction(c$id);
- }
diff --git a/policy.old/summaries/ncp-tag.bro b/policy.old/summaries/ncp-tag.bro
deleted file mode 100644
index 61c63a2f3f..0000000000
--- a/policy.old/summaries/ncp-tag.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-@load conn-id
-@load ncp
-
-module NCP_tag;
-
-global log = open_log_file("ncp-tag") &redef;
-
-const ncp_request_type = {
-[ 0x11 ] = "print",
-[ 0x16, 0x68 ] = "directory",
-} &default = function(code: count): string
- {
- return fmt("unknown(%x)", code);
- };
-
-event ncp_request(c: connection, frame_type: count, length: count, func: count)
- {
- print log, fmt("%.6f %s NCP request type=%s function=%s",
- network_time(), id_string(c$id),
- NCP::ncp_frame_type_name[frame_type],
- NCP::ncp_function_name[func]);
- }
-
-event ncp_reply(c: connection, frame_type: count, length: count, completion_code: count)
- {
- }
diff --git a/policy.old/summaries/netbios-ns-summary.bro b/policy.old/summaries/netbios-ns-summary.bro
deleted file mode 100644
index 3587b9a954..0000000000
--- a/policy.old/summaries/netbios-ns-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load dns-common-summary
-
-redef DNS_common_summary::dns_summary_log = open_log_file("netbios-ns-summary");
-redef DNS_common_summary::server_ports = { 137/udp };
-
-redef capture_filters += {
- ["netbios-ns"] = "udp port 137",
-};
-
diff --git a/policy.old/summaries/netbios-ssn-summary.bro b/policy.old/summaries/netbios-ssn-summary.bro
deleted file mode 100644
index 5166e56baa..0000000000
--- a/policy.old/summaries/netbios-ssn-summary.bro
+++ /dev/null
@@ -1,112 +0,0 @@ -@load app-summary - -redef capture_filters = { - ["netbios-ssn"] = "tcp port 139", -}; - -module NetbiosSSN_summary; - -global netbios_log = open_log_file("netbios-ssn-summary") &redef; - -const netbios_msg_types = { - [0x0] = "ssn_message", - [0x81] = "ssn_request", - [0x82] = "positive_resp", - [0x83] = "negative_resp", - [0x84] = "retarget_resp", - [0x85] = "keep_alive", -} &default = function(msg_type: count): string - { - return fmt("unknown-0x%x", msg_type); - }; - -type netbios_ssn_transaction: record { - connection_id: conn_id; - conn_start: time; - start: time; - num_req: count; - req_size: count; - num_resp: count; - resp_size: count; - req_type: string; - resp_type: string; # ... of the first reply - raw_ssn_msg: count; -}; - -global netbios_ssn_trans_table: table[conn_id] of netbios_ssn_transaction; - -function end_netbios_ssn_transaction(id: conn_id) - { - if ( id !in netbios_ssn_trans_table ) - return; - - local t = netbios_ssn_trans_table[id]; - print_app_summary(netbios_log, t$connection_id, t$conn_start, - t$req_type, t$start, - t$num_req, t$req_size, - t$num_resp, t$resp_size, - fmt("req_type %s resp_type %s raw %d", - t$req_type, t$resp_type, t$raw_ssn_msg)); - - delete netbios_ssn_trans_table[id]; - } - -function lookup_netbios_ssn_transaction(c: connection, new_trans: bool): netbios_ssn_transaction - { - local id = c$id; - - if ( new_trans ) - { - # End any previous trans - end_netbios_ssn_transaction(id); - } - - if ( id !in netbios_ssn_trans_table ) - { - local t = [ - $connection_id = id, - $conn_start = c$start_time, - $start = network_time(), - $num_req = 0, $req_size = 0, - $num_resp = 0, $resp_size = 0, - $req_type = "none", $resp_type = "none", - $raw_ssn_msg = 0]; - netbios_ssn_trans_table[c$id] = t; - } - - return netbios_ssn_trans_table[c$id]; - } - -event netbios_ssn_message(c: connection, is_orig: bool, msg_type: count, data_len: count) - { - local msg_type_name = netbios_msg_types[msg_type]; - local t: 
netbios_ssn_transaction;
- if ( is_orig )
- {
- t = lookup_netbios_ssn_transaction(c, T);
- ++t$num_req;
- if ( t$num_req == 1 )
- t$req_type = msg_type_name;
- t$req_size = t$req_size + data_len;
- }
- else
- {
- t = lookup_netbios_ssn_transaction(c, F);
- ++t$num_resp;
- if ( t$num_resp == 1 )
- t$resp_type = msg_type_name;
- t$resp_size = t$resp_size + data_len;
- }
- }
-
-event netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
- {
- local t = lookup_netbios_ssn_transaction(c, F);
- ++t$raw_ssn_msg;
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in netbios_ssn_trans_table )
- end_netbios_ssn_transaction(c$id);
- }
diff --git a/policy.old/summaries/nfs-summary.bro b/policy.old/summaries/nfs-summary.bro
deleted file mode 100644
index ad1979b33b..0000000000
--- a/policy.old/summaries/nfs-summary.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load sun-rpc-summary
-
-redef SUN_RPC_summary::log = open_log_file("nfs-summary");
-
-redef capture_filters = {
- ["nfs"] = "port 2049",
- # UDP packets are often fragmented
- ["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
diff --git a/policy.old/summaries/rexmit-summary.bro b/policy.old/summaries/rexmit-summary.bro
deleted file mode 100644
index 9f5c1ef0c9..0000000000
--- a/policy.old/summaries/rexmit-summary.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-# Statistical analysis of TCP connection in terms of the packet streams
-# in each direction.
-
-@load conn-util
-
-redef capture_filters = { ["tcp"] = "tcp" };
-redef ignore_keep_alive_rexmit = T;
-
-global log = open_log_file("rexmit-summary") &redef;
-
-const min_num_pkts = 0;
-
-event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
- {
- if ( os$num_pkts < min_num_pkts && rs$num_pkts < min_num_pkts )
- return;
-
- print log, fmt("conn %s start %.6f duration %.6f pkt_^ %d rexmit_pkt_^ %d pyld_^ %d rexmit_pyld_^ %d pkt_v %d rexmit_pkt_v %d pyld_v %d rexmit_pyld_v %d",
- conn_id_string(c$id), c$start_time, c$duration,
- os$num_pkts, os$num_rxmit,
- # os$num_pkts == 0 ? 0.0 : 1.0 * os$num_rxmit / os$num_pkts,
- c$orig$size, os$num_rxmit_bytes,
- rs$num_pkts, rs$num_rxmit,
- # rs$num_pkts == 0 ? 0.0 : 1.0 * rs$num_rxmit / rs$num_pkts,
- c$resp$size, rs$num_rxmit_bytes);
- }
diff --git a/policy.old/summaries/smb-summary.bro b/policy.old/summaries/smb-summary.bro
deleted file mode 100644
index 4ba9c575a0..0000000000
--- a/policy.old/summaries/smb-summary.bro
+++ /dev/null
@@ -1,251 +0,0 @@
-@load app-summary
-
-redef capture_filters += {
- ["netbios-dgm"] = "udp port 138",
- ["netbios-ssn"] = "tcp port 139",
- ["microsft-ds"] = "tcp port 445",
-};
-
-module SMB_summary;
-
-global smb_log = open_log_file("smb-summary") &redef;
-global chris_log = open_log_file("chris-summary") &redef;
-
-#const smb_transaction_func = {
-# ["SMB_COM_TRANSACTION", 0x0 ] = "\\PIPE\\LANMAN\\",
-# ["SMB_COM_TRANSACTION", 0x1 ] = "\\MAILSLOT\\",
-# ["SMB_COM_TRANSACTION", 0x54] = "CallNamedPipe",
-# ["SMB_COM_TRANSACTION", 0x53] = "WaitNamedPipe",
-# ["SMB_COM_TRANSACTION", 0x26] = "TransactNmPipe",
-#
-# ["SMB_COM_TRANSACTION2", 0x0] = "TRANS2_OPEN2",
-# ["SMB_COM_TRANSACTION2", 0x1] = "TRANS2_FIND_FIRST2",
-# ["SMB_COM_TRANSACTION2", 0x2] = "TRANS2_FIND_NEXT2",
-# ["SMB_COM_TRANSACTION2", 0x3] = "TRANS2_QUERY_FS_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x5] = "TRANS2_QUERY_PATH_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x6] = "TRANS2_SET_PATH_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x7] = "TRANS2_QUERY_FILE_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x8] = "TRANS2_SET_FILE_INFORMATION",
-# ["SMB_COM_TRANSACTION2", 0x0d] = "TRANS2_CREATE_DIRECTORY",
-# ["SMB_COM_TRANSACTION2", 0x0e] = "TRANS2_SESSION_SETUP",
-# ["SMB_COM_TRANSACTION2", 0x10] = "TRANS2_GET_DFS_REFERRAL",
-#} &default = function(cmd: string, subcmd: count): string
-# {
-# return fmt("%s/%d", cmd, subcmd);
-# };
-
-type smb_req_resp: record {
- connection_id: conn_id;
- conn_start: time;
- func: string;
- cmd: string;
- start: time;
- num_req: count;
- req_size: count;
- num_resp: count;
- resp_size: count;
-};
-
-type smb_req_reply_group: record {
- trans: table[count] of smb_req_resp;
- first_req: count;
- last_req: count;
-};
-
-global smb_trans_table: table[conn_id] of smb_req_reply_group;
-
-function lookup_smb_req_reply_group(id: conn_id, create: bool): smb_req_reply_group
- {
- if ( id !in smb_trans_table )
- {
- if ( create )
- {
- local trans: table[count] of smb_req_resp;
- smb_trans_table[id] = [
- $trans = trans, $first_req = 1, $last_req = 0];
- }
- else
- print fmt("SMB req_reply_group not found: %s",
- conn_id_string(id));
- }
-
- return smb_trans_table[id];
- }
-
-function new_smb_req_resp(c: connection, cmd: string): smb_req_resp
- {
- local id = c$id;
- local g = lookup_smb_req_reply_group(id, T);
-
- if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
- print fmt("%.6f %s a new req_resp was triggered on a UDP connection!: %s",
- network_time(), conn_id_string(id), cmd);
-
- local t = [
- $connection_id = id, $conn_start = c$start_time,
- $cmd = cmd, $func = cmd,
- $start = network_time(),
- $num_req = 0, $req_size = 0,
- $num_resp = 0, $resp_size = 0
- ];
-
- ++g$last_req;
- g$trans[g$last_req] = t;
-
- return g$trans[g$last_req];
- }
-
-function end_smb_req_resp(t: smb_req_resp)
- {
- print_app_summary(smb_log, t$connection_id, t$conn_start,
- t$func, t$start,
- t$num_req, t$req_size,
- t$num_resp, t$resp_size,
- fmt("cmd %s", t$cmd));
- }
-
-function lookup_smb_req_resp(c: connection, is_orig: bool, cmd: string): smb_req_resp
- {
- local id = c$id;
- local g = lookup_smb_req_reply_group(id, T);
-
- if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
- print fmt("%.6f %s a lookup was triggered on a UDP connection!: %s",
- network_time(), conn_id_string(id), cmd);
-
- if ( g$first_req > g$last_req )
- {
- print fmt("%.6f %s request missing: %s",
- network_time(), conn_id_string(id), cmd);
- return new_smb_req_resp(c, cmd);
- }
-
- if ( is_orig )
- {
- return g$trans[g$last_req];
- }
- else if ( cmd == "(current)" )
- {
- return g$trans[g$first_req];
- }
- else
- {
- local t = g$trans[g$first_req];
- if ( g$first_req < g$last_req )
- {
- end_smb_req_resp(t);
- ++g$first_req;
- t = g$trans[g$first_req];
- }
- if ( t$cmd != cmd )
- {
- if ( g$first_req < g$last_req )
- return lookup_smb_req_resp(c, is_orig, cmd);
- print fmt("%.6f %s SMB command-reply mismatch",
- network_time(), conn_id_string(id));
- }
- return t;
- }
- }
-
-event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd:
- string, body_length: count, body : string)
- {
- print chris_log, fmt("%.6f %s %s", network_time(), conn_id_string(c$id), cmd);
-
- local t: smb_req_resp;
-
- if ( is_udp_port( c$id$orig_p ) || is_udp_port ( c$id$resp_p ) )
- {
- # dont need to keep track of UDP smb commands
- print_app_summary(smb_log, c$id, network_time(),
- cmd, network_time(),
- 0, 0, 0, 0,
- fmt("cmd %s", cmd));
- }
- else if ( is_orig )
- {
- t = new_smb_req_resp(c, cmd);
- ++t$num_req;
- t$req_size = t$req_size + body_length;
- }
- else
- {
- t = lookup_smb_req_resp(c, is_orig, cmd);
- ++t$num_resp;
- t$resp_size = t$resp_size + body_length;
- }
- }
-
-event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
- {
- print chris_log, fmt("%.6f %s SMB_ERROR:%s", network_time(), conn_id_string(c$id), cmd_str);
- }
-
-event dce_rpc_bind(c: connection, uuid: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, T, "(current)");
- t$func = "DCE_RPC_BIND";
- }
-
-event dce_rpc_request(c: connection, opnum: count, stub: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, T, "(current)");
- t$func = "DCE_RPC_CALL";
- }
-
-event dce_rpc_response(c: connection, opnum: count, stub: string)
- {
- local id = c$id;
- if ( id !in smb_trans_table )
- return;
- local t = lookup_smb_req_resp(c, F, "(current)");
- t$func = "DCE_RPC_CALL";
- }
-
-event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
- {
- if ( is_orig && !is_udp_port( c$id$orig_p ) )
- {
- local t = lookup_smb_req_resp(c, T, "(current)");
- }
- }
-
-event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
- {
- if ( is_orig && !is_udp_port( c$id$orig_p ) )
- {
- local t = lookup_smb_req_resp(c, T, "(current)");
- }
- }
-
-function end_smb_req_reply_group(g: smb_req_reply_group, index: count)
- {
- if ( index > g$last_req )
- return;
-
- if ( index >= g$first_req && index in g$trans )
- end_smb_req_resp(g$trans[index]);
-
- if( index in g$trans )
- {
- delete g$trans[index];
- end_smb_req_reply_group(g, index + 1);
- }
- }
-
-event connection_state_remove(c: connection)
- {
- local id = c$id;
- if ( !is_udp_port( id$orig_p ) && id in smb_trans_table )
- {
- local g = smb_trans_table[id];
- end_smb_req_reply_group(g, 1);
- }
- }
diff --git a/policy.old/summaries/smb-tag.bro b/policy.old/summaries/smb-tag.bro
deleted file mode 100644
index 82813b5284..0000000000
--- a/policy.old/summaries/smb-tag.bro
+++ /dev/null
@@ -1,160 +0,0 @@
-@load conn-util
-
-redef capture_filters += {
- ["smb"] = "tcp port 445",
- ["netbios-ss"] = "tcp port 139",
-};
-
-global smb_filename_tag: table[conn_id] of string &default = "";
-
-const log_smb_tags = T &redef;
-function get_smb_tag(id: conn_id): string
- {
- if ( id in smb_filename_tag )
- return smb_filename_tag[id];
- else
- return "";
- }
-
-module SMB_tag;
-
-global log = open_log_file("smb-tag") &redef;
-
-const well_known_files = {
- "\\IPC$",
- "\\print$",
- "\\LANMAN",
- "\\atsvc",
- "\\AudioSrv",
- "\\browser",
- "\\cert",
- "\\Ctx_Winstation_API_Service",
- "\\DAV",
- "\\dnsserver",
- "\\epmapper",
- "\\eventlog",
- "\\HydraLsPipe",
- "\\InitShutdown",
- "\\keysvc",
- "\\locator",
- "\\llsrpc",
- "\\lsarpc",
- "\\msgsvc",
- "\\netdfs",
- "\\netlogon",
- "\\ntsvcs",
- "\\policyagent",
- "\\ipsec",
- "\\ProfMapApi",
- "\\protected_storage",
- "\\ROUTER",
- "\\samr",
- "\\scerpc",
- "\\SECLOGON",
- "\\SfcApi",
- "\\spoolss",
- "\\srvsvc",
- "\\ssdpsrv",
- "\\svcctl",
- "\\tapsrv",
- "\\trkwks",
- "\\W32TIME",
- "\\W32TIME_ALT",
- "\\winlogonrpc",
- "\\winreg",
- "\\winspipe",
- "\\wkssvc",
- "\\lbl.gov",
- "\\LBL"
-};
-
-function well_known_file(n: string): string
- {
- n = to_lower(n);
- local a = "";
- for ( p in well_known_files )
- {
- if ( strstr(n, to_lower(p)) > 0 )
- if ( byte_len(p) > byte_len(a) )
- a = p;
- }
- return a;
- }
-
-function add_to_smb_filename_tag(c: connection, name: string): bool
- {
- if ( name == "\\PIPE\\" || name == "" )
- return F;
-
- local id = c$id;
- local orig_tag = smb_filename_tag[id];
-
- local n = well_known_file(name);
- if ( n == "" )
- {
- if ( log_smb_tags )
- print log, fmt("%.6f %s regular file: \"%s\"",
- network_time(), conn_id_string(c$id), name);
- n = "";
- }
-
- n = fmt("\"%s\"", n);
-
- if ( orig_tag == "" )
- {
- smb_filename_tag[id] = n;
- }
- else if ( strstr(orig_tag, n) == 0 )
- {
- smb_filename_tag[id] = cat(orig_tag, ",", n);
- }
-
- return T;
- }
-
-event smb_com_nt_create_andx(c: connection, name: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
- name: string, data: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
- name: string, data: string)
- {
- add_to_smb_filename_tag(c, name);
- }
-
-event smb_get_dfs_referral(c: connection, max_referral_level: count, file_name: string)
- {
- add_to_smb_filename_tag(c, file_name);
- }
-
-event smb_com_tree_connect_andx(c: connection, path: string, service: string)
- {
- local basic = sub(path, /.*\\/, "\\");
- if ( /\$$/ in basic )
- add_to_smb_filename_tag(c, basic);
- }
-
-event delete_smb_tag(c: connection)
- {
- delete smb_filename_tag[c$id];
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in smb_filename_tag )
- {
- if ( log_smb_tags )
- print log, fmt("conn %s start %.6f SMB [%s]",
- conn_id_string(c$id),
- c$start_time,
- smb_filename_tag[c$id]);
- event delete_smb_tag(c);
- }
- }
diff --git a/policy.old/summaries/sun-rpc-summary.bro b/policy.old/summaries/sun-rpc-summary.bro
deleted file mode 100644
index 9f0f376cfd..0000000000
--- a/policy.old/summaries/sun-rpc-summary.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-@load app-summary
-@load rpc
-
-redef capture_filters += {
- ["port-map"] = "port 111",
- ["nfs"] = "port 2049",
- # UDP packets are often fragmented
- ["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
-};
-
-module SUN_RPC_summary;
-
-export {
- global log = open_log_file("sun-rpc-summary") &redef;
-}
-
-global nfs_status: table[conn_id] of count;
-
-event nfs_reply_status(n: connection, status: count)
- {
- # print fmt("%.6f status = %d", network_time(), status);
- nfs_status[n$id] = status;
- }
-
-event rpc_call(c: connection, prog: count, ver: count, proc: count, status: count,
- start_time: time, call_len: count, reply_len: count)
- {
- # print fmt("%.6f rpc_call", network_time());
- local prog_name = RPC::program_name(prog);
- local nfs_st = "n/a";
- if ( c$id in nfs_status )
- {
- nfs_st = fmt("%d", nfs_status[c$id]);
- # print fmt("%.6f get_status = %s", network_time(), nfs_st);
- delete nfs_status[c$id];
- }
-
- print_app_summary(log, c$id, c$start_time,
- fmt("%sv%d/%s",
- prog_name,
- ver,
- RPC::procedure_name(prog, ver, proc)),
- start_time,
- 1, call_len, status == RPC_TIMEOUT ? 0 : 1, reply_len,
- fmt("rpc_status %s nfs_status %s", status, nfs_st));
- }
diff --git a/policy.old/synflood.bro b/policy.old/synflood.bro
deleted file mode 100644
index 3c2ecde4b7..0000000000
--- a/policy.old/synflood.bro
+++ /dev/null
@@ -1,131 +0,0 @@
-# $Id: synflood.bro 4054 2007-03-05 21:45:58Z vern $
-
-@load notice
-
-redef enum Notice += {
- SynFloodStart, # start of syn-flood against a certain victim
- SynFloodEnd, # end of syn-flood against a certain victim
- SynFloodStatus, # report of ongoing syn-flood
-};
-
-# We report a syn-flood if more than SYNFLOOD_THRESHOLD new connections
-# have been reported within the last SYNFLOOD_INTERVAL for a certain IP.
-# (We sample the conns by one out of SYNFLOOD_SAMPLE_RATE, so the attempt
-# counter is an estimated value.). If a victim is identified, we install a
-# filter via install_dst_filter and sample the packets targeting it by
-# SYNFLOOD_VICTIM_SAMPLE_RATE.
-#
-# Ongoing syn-floods are reported every SYNFLOOD_REPORT_INTERVAL.
-
-global SYNFLOOD_THRESHOLD = 15000 &redef;
-global SYNFLOOD_INTERVAL = 60 secs &redef;
-global SYNFLOOD_REPORT_INTERVAL = 1 mins &redef;
-
-# Sample connections by one out of x.
-global SYNFLOOD_SAMPLE_RATE = 100 &redef;
-
-# Sample packets to known victims with probability x.
-global SYNFLOOD_VICTIM_SAMPLE_RATE = 0.01 &redef;
-
-global conn_attempts: table[addr] of count &default = 0;
-global victim_attempts: table[addr,addr] of count
- &default = 0 &read_expire = 5mins;
-
-# We remember up to this many number of sources per victim.
-global max_sources = 100;
-global current_victims: table[addr] of set[addr] &read_expire = 60mins;
-global accumulated_conn_attempts: table[addr] of count &default = 0;
-
-global sample_count = 0;
-global interval_start: time = 0;
-
-# Using new_connection() can be quite expensive but connection_attempt() has
-# a rather large lag that may lead to detecting flood too late. Additionally,
-# it does not cover UDP/ICMP traffic.
-event new_connection(c: connection)
- {
- if ( c$id$resp_h in current_victims )
- {
- ++conn_attempts[c$id$resp_h];
-
- local srcs = current_victims[c$id$resp_h];
- if ( length(srcs) < max_sources )
- add srcs[c$id$orig_h];
- return;
- }
-
- if ( ++sample_count % SYNFLOOD_SAMPLE_RATE == 0 )
- {
- local ip = c$id$resp_h;
-
- if ( ++conn_attempts[ip] * SYNFLOOD_SAMPLE_RATE >
- SYNFLOOD_THRESHOLD )
- {
- NOTICE([$note=SynFloodStart, $src=ip,
- $msg=fmt("start of syn-flood against %s; sampling packets now", ip)]);
-
- add current_victims[ip][c$id$orig_h];
-
- # Drop most packets to victim.
- install_dst_addr_filter(ip, 0,
- 1 - SYNFLOOD_VICTIM_SAMPLE_RATE);
- # Drop all packets from victim.
- install_src_addr_filter(ip, 0, 1.0);
- }
- }
- }
-
-event check_synflood()
- {
- for ( ip in current_victims )
- {
- accumulated_conn_attempts[ip] =
- accumulated_conn_attempts[ip] + conn_attempts[ip];
-
- if ( conn_attempts[ip] * (1 / SYNFLOOD_VICTIM_SAMPLE_RATE) <
- SYNFLOOD_THRESHOLD )
- {
- NOTICE([$note=SynFloodEnd, $src=ip, $n=length(current_victims[ip]),
- $msg=fmt("end of syn-flood against %s; stopping sampling",
- ip)]);
-
- delete current_victims[ip];
- uninstall_dst_addr_filter(ip);
- uninstall_src_addr_filter(ip);
- }
- }
-
- clear_table(conn_attempts);
- schedule SYNFLOOD_INTERVAL { check_synflood() };
- }
-
-event report_synflood()
- {
- for ( ip in current_victims )
- {
- local est_num_conn = accumulated_conn_attempts[ip] *
- (1 / SYNFLOOD_VICTIM_SAMPLE_RATE);
-
- local interv: interval;
-
- if ( interval_start != 0 )
- interv = network_time() - interval_start;
- else
- interv = SYNFLOOD_INTERVAL;
-
- NOTICE([$note=SynFloodStatus, $src=ip, $n=length(current_victims[ip]),
- $msg=fmt("syn-flood against %s; estimated %.0f connections in last %s",
- ip, est_num_conn, interv)]);
- }
-
- clear_table(accumulated_conn_attempts);
-
- schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
- interval_start = network_time();
- }
-
-event bro_init()
- {
- schedule SYNFLOOD_INTERVAL { check_synflood() };
- schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
- }
diff --git a/policy.old/targeted-scan.bro b/policy.old/targeted-scan.bro
deleted file mode 100644
index 09922644ba..0000000000
--- a/policy.old/targeted-scan.bro
+++ /dev/null
@@ -1,114 +0,0 @@
-# $Id:$
-#
-# Drop external hosts that continually bang away on a particular open port.
-#
-# Note that we time out identified scanners to avoid excessive memory
-# utilitization in the event of a wide scan across address space.
-
-@load notice
-@load site
-
-module TargetedScan;
-
-export {
- redef enum Notice += { TargetedScan, };
-
- # If true, then only consider traffic from external sources.
- global external_only = T &redef;
-
- # Which ports to consider.
- const ports = { 1433/tcp, } &redef;
-
- # If set, at least/most this many bytes need to be transferred for
- # a connection using the given port. These are useful for example
- # for inferring that SSH connections reflect password-guessing
- # attempts.
- const min_bytes: table[port] of count &redef;
- const max_bytes: table[port] of count &redef;
-
- # If set, then this is the threshold for reportin accessing
- # for a given service.
- const port_threshold: table[port] of count &redef;
-
- # Otherwise, this is the threshold.
- const general_threshold = 1000 &redef;
-
- # The data structure we use to track targeted probing.
- # It's exported to enable redef'ing the &write_expire value.
- global targeted_tries: table[addr, addr, port] of count
- &default=0 &write_expire=10 min &redef;
-}
-
-function delete_targeted_data(orig: addr, resp: addr, service: port)
- {
- delete targeted_tries[orig, resp, service];
- }
-
-function targeted_check(c: connection)
- {
- local id = c$id;
- local orig = id$orig_h;
- local resp = id$resp_h;
- local service = ("ftp-data" in c$service) ? 20/tcp : id$resp_p;
-
- if ( service !in ports || (external_only && is_local_addr(orig)) )
- return;
-
- local bytes_xferred = c$orig$size + c$resp$size;
-
- if ( service in min_bytes && bytes_xferred < min_bytes[service] )
- return;
- if ( service in max_bytes && bytes_xferred > max_bytes[service] )
- return;
-
- local cnt = ++targeted_tries[orig, resp, service];
-
- if ( service in port_threshold )
- {
- if ( cnt != port_threshold[service] )
- return;
- }
-
- else if ( cnt != general_threshold )
- return;
-
- local svc = service in port_names ?
- port_names[service] : fmt("%s", service);
-
- NOTICE([$note=TargetedScan, $src=orig, $dst=resp, $p=service,
- $msg=fmt("targeted attack on service %s, count = %d", svc, cnt)]);
-
- # Since we've reported this host, we can stop tracking it.
- delete targeted_tries[orig, resp, service];
- }
-
-
-event connection_finished(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_rejected(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_half_finished(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_reset(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_partial_close(c: connection)
- {
- targeted_check(c);
- }
-
-event connection_state_remove(c: connection)
- {
- targeted_check(c);
- }
diff --git a/policy.old/tcp.bro b/policy.old/tcp.bro
deleted file mode 100644
index fd561180bb..0000000000
--- a/policy.old/tcp.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# Generic TCP connection processing.
-
-@load conn
-
-redef capture_filters += { ["tcp"] = "tcp[13] & 7 != 0" };
-# redef capture_filters += { ["tcp"] = "(tcp[13] & 7 != 0) or (ip6[53] & 7 != 0)" };
diff --git a/policy.old/terminate-connection.bro b/policy.old/terminate-connection.bro
deleted file mode 100644
index 5242afaf6d..0000000000
--- a/policy.old/terminate-connection.bro
+++ /dev/null
@@ -1,77 +0,0 @@
-# $Id$
-
-@load site
-@load notice
-
-# Ugly: we need the following from conn.bro, but we can't soundly load
-# it because it in turn loads us.
-global full_id_string: function(c: connection): string;
-
-# TODO: this is a notice action filter but it shouldn't cause this
-# script to be come a dependency on notice-action-filters.bro
-# Figure out where to put this!
-function drop_source_and_terminate(n: Notice::Info, a: Notice::Action): Notice::Action
- {
- if ( n?$conn )
- TerminateConnection::terminate_connection(n$conn);
-
- return NOTICE_DROP;
- }
-
-
-module TerminateConnection;
-
-export {
- redef enum Notice += {
- TerminatingConnection, # connection will be terminated
- TerminatingConnectionIgnored, # connection terminated disabled
- };
-
- # Whether we're allowed (and/or are capable) to terminate connections
- # using "rst".
- const activate_terminate_connection = F &redef;
-
- # Terminate the given connection.
- global terminate_connection: function(c: connection);
-
-}
-
-function terminate_connection(c: connection)
- {
- local id = c$id;
-
- if ( activate_terminate_connection )
- {
- local local_init = is_local_addr(id$orig_h);
-
- local term_cmd = fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d",
- local_init ? "-R" : "",
- id$orig_h, id$orig_p, get_orig_seq(id),
- id$resp_h, id$resp_p, get_resp_seq(id));
-
- if ( reading_live_traffic() )
- system(term_cmd);
- else
- NOTICE([$note=TerminatingConnection, $conn=c,
- $msg=term_cmd, $sub="first termination command"]);
-
- term_cmd = fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
- local_init ? "-R" : "",
- id$orig_h, id$orig_p, get_orig_seq(id),
- id$resp_h, id$resp_p, get_resp_seq(id));
-
- if ( reading_live_traffic() )
- system(term_cmd);
- else
- NOTICE([$note=TerminatingConnection, $conn=c,
- $msg=term_cmd, $sub="second termination command"]);
-
- NOTICE([$note=TerminatingConnection, $conn=c,
- $msg=fmt("terminating %s", full_id_string(c))]);
- }
-
- else
- NOTICE([$note=TerminatingConnectionIgnored, $conn=c,
- $msg=fmt("ignoring request to terminate %s",
- full_id_string(c))]);
- }
diff --git a/policy.old/tftp.bro b/policy.old/tftp.bro
deleted file mode 100644
index d1f3e43746..0000000000
--- a/policy.old/tftp.bro
+++ /dev/null
@@ -1,33 +0,0 @@
-# $Id: tftp.bro 4758 2007-08-10 06:49:23Z vern $
-
-# Very simplistic - doesn't pick up the replies.
-
-@load notice
-@load udp-common
-@load site
-
-module TFTP;
-
-export {
- redef enum Notice += {
- OutboundTFTP, # outbound TFTP seen
- };
-}
-
-redef capture_filters += { ["tftp"] = "udp port 69" };
-
-global tftp_notice_count: table[addr] of count &default = 0 &read_expire = 7 days;
-
-event udp_request(u: connection)
- {
- if ( u$id$resp_p == 69/udp && u$id$orig_p >= 1024/udp )
- {
- local src = u$id$orig_h;
- local dst = u$id$resp_h;
-
- if ( is_local_addr(src) && ! is_local_addr(dst) &&
- ++tftp_notice_count[src] == 1 )
- NOTICE([$note=OutboundTFTP, $conn=u,
- $msg=fmt("outbound TFTP: %s -> %s", src, dst)]);
- }
- }
diff --git a/policy.old/time-machine/time-machine.bro b/policy.old/time-machine/time-machine.bro
deleted file mode 100644
index 98e37437ae..0000000000
--- a/policy.old/time-machine/time-machine.bro
+++ /dev/null
@@ -1,278 +0,0 @@
-# $Id: time-machine.bro,v 1.1.2.8 2006/01/06 01:51:37 sommer Exp $
-#
-# Low-level time-machine interface.
-
-@load notice
-
-module TimeMachine;
-
-export {
- # Request to send us a connection. Automatically subscribes
- # and suspends cut-off.
- #
- # start : time where to start searching (0 for as early as possible).
- # in_mem: only scan TM's memory-buffer but not any on-disk data.
- # descr: description to be written to log file to identify the query
- #
- # Returns tag of this query.
- global request_connection:
- function(c: connection, in_mem: bool, descr: string) : string;
-
- # id$orig_p = 0/tcp acts as wildcard.
- global request_connection_id:
- function(id: conn_id, start: time, in_mem: bool, descr: string)
- : string;
-
- # Request to save connection to file in TM host. Automatically
- # suspends cut-off.
- #
- # filename: destination file on TM host.
- # start : time where to start searching (0 = as early as possible).
- # in_mem : only scan TM's memory-buffer, but not any on-disk data.
- global capture_connection:
- function(filename: string, c: connection, in_mem: bool,
- descr: string);
-
- # id$orig_p = 0/tcp acts as wildcard.
- global capture_connection_id:
- function(filename: string, id: conn_id, start: time,
- in_mem: bool, descr: string);
-
- # Request to send everything involving a certain host to us.
- # Always searches mem and disk buffers.
- #
- # host : address of host
- # start: time where to start searching (0 for as early as possible).
- #
- # Returns tag of this query.
- global request_addr: function(host: addr, start: time,
- in_mem: bool, descr: string) : string;
-
- # Don't issue duplicate queries. Should be on for normal use;
- # only need to turn off for benchmarking.
- global filter_duplicates = T &redef;
-
- # Automatically issue suspend_cutoff as specified above.
- # Should be on for normal use; off only used for benchmarking.
- global auto_suspend_cutoff = T &redef;
-
- # Automatically subscribe as specified above.
- # Should be on for normal use; off only used for benchmarking.
- global auto_subscribe = F &redef;
-
- # Automatically set start time for query.
- # Should be on for normal use; off only used for benchmarking.
- global auto_set_start = T &redef;
-
- # Request to save everything involving a certain host.
- # Always searches mem and disk buffers.
- #
- # filename: destination file on TM host.
- # host : address of host
- # start: time where to start searching (0 for as early as possible).
- #
- global capture_addr: function(filename: string, host: addr,
- start: time, in_mem: bool,
- descr: string);
-
- # Prevent the TM from cutting the connection off.
- global suspend_cut_off: function(c: connection, descr: string);
-
- # id$orig_p = 0/tcp acts as wildcard.
- global suspend_cut_off_id: function(id: conn_id, descr: string);
-
- type Direction: enum {
- ORIG, # connections originating from host
- RESP, # connections responded to by host
- BOTH # independent of direction
- };
-
- # Change the TM class for given IP.
- global set_class: function(host: addr, class: string, dir: Direction,
- descr: string);
-
- # Revoke class assignment for IP.
- global unset_class: function(host: addr, descr: string);
-
- # ID of this Bro instance for TM queries. Automatically set.
- global feed_id = "";
-}
-
-global tag = 0;
-
-global cmds: table[string] of string &read_expire = 1 day;
-
-global command: event(cmd: string);
-global descrs: table[string] of string;
-
-global profile: file;
-global logfile = open_log_file("tm");
-
-function id2str(id: conn_id, include_index: bool) : string
- {
- local index = "";
- if ( include_index )
- index = id$orig_p != 0/tcp ? "connection4 " : "connection3 ";
-
- if ( id$orig_p != 0/tcp)
- return fmt("%s\"%s %s:%d %s:%d\"", index,
- get_port_transport_proto(id$resp_p),
- id$orig_h, id$orig_p,
- id$resp_h, id$resp_p);
- else
- return fmt("%s\"%s %s %s:%d\"", index,
- get_port_transport_proto(id$resp_p),
- id$orig_h,
- id$resp_h, id$resp_p);
- }
-
-function issue_query(result: string, add_tag: bool, cmd: string,
- start: time, in_mem: bool, sub: bool, descr: string) : string
- {
- local key = fmt("%s %s", result, cmd);
- local qtag = "";
-
- if ( key in cmds && filter_duplicates )
- return cmds[key];
-
- if ( add_tag )
- {
- qtag = fmt("t%x", ++tag);
- result = fmt("%s tag %s", result, qtag);
- }
-
- local range = "";
-
- if ( time_to_double(start) > 0.0 && auto_set_start )
- { # We subtract a few seconds to allow for clock skew.
- start = start - 2 secs;
- range += fmt("start %.6f end 9876543210 ", start);
- }
-
- if ( in_mem )
- range += "mem_only ";
-
- if ( sub )
- range += "subscribe ";
-
- local c = fmt("query %s %s %s", result, cmd, range);
- descrs[c] = descr;
-
- if ( time_machine_profiling )
- print profile, fmt("%.6f %s %s", current_time(),
- (qtag != "" ? qtag : "-"), c);
-
- event TimeMachine::command(c);
-
- cmds[key] = qtag;
-
- return qtag;
- }
-
-function issue_command(cmd: string, descr: string)
- {
- if ( cmd in cmds && filter_duplicates )
- return;
-
- descrs[cmd] = descr;
- event TimeMachine::command(cmd);
-
- cmds[cmd] = "";
- }
-
-function request_connection(c: connection, in_mem: bool, descr: string) : string
- {
- return request_connection_id(c$id, c$start_time, in_mem, descr);
- }
-
-function request_connection_id(id: conn_id, start: time, in_mem: bool,
- descr: string) : string
- {
- if ( auto_suspend_cutoff )
- suspend_cut_off_id(id, descr);
- return issue_query(fmt("feed %s", feed_id), T,
- fmt("index %s", id2str(id, T)), start, in_mem,
- auto_subscribe, descr);
- }
-
-function capture_connection(filename: string, c: connection,
- in_mem: bool, descr: string)
- {
- capture_connection_id(filename, c$id, c$start_time, in_mem, descr);
- }
-
-function capture_connection_id(filename: string, id: conn_id, start: time,
- in_mem: bool, descr: string)
- {
- if ( auto_suspend_cutoff )
- suspend_cut_off_id(id, descr);
-
- issue_query(fmt("to_file \"%s\"", filename), F,
- fmt("index %s", id2str(id, T)),
- start, in_mem, auto_subscribe, descr);
- }
-
-function request_addr(host: addr, start: time, in_mem: bool, descr: string)
-: string
- {
- return issue_query(fmt("feed %s", feed_id), T,
- fmt("index ip \"%s\"", host), start, in_mem, F, descr);
- }
-
-function capture_addr(filename: string, host: addr, start: time,
- in_mem: bool, descr: string)
- {
- issue_query(fmt("to_file \"%s\"", filename), F,
- fmt("index ip \"%s\"", host), start, in_mem, F, descr);
- }
-
-function suspend_cut_off(c: connection, descr: string)
- {
- suspend_cut_off_id(c$id, descr);
- }
-
-function suspend_cut_off_id(id: conn_id, descr: string)
- {
- issue_command(fmt("suspend_cutoff %s", id2str(id, F)), descr);
- }
-
-function set_class(host: addr, class: string, dir: Direction, descr: string)
- {
- local d = "";
-
- if ( dir == ORIG )
- d = " orig";
- else if ( dir == RESP )
- d = " resp";
-
- issue_command(fmt("set_dyn_class %s %s%s", host, class, d), descr);
- }
-
-function unset_class(host: addr, descr: string)
- {
- issue_command(fmt("unset_dyn_class %s", host), descr);
- }
-
-event command(cmd: string)
- {
- # We might not know the command if we're just relaying the event
- # from external.
- if ( cmd in descrs )
- {
- local descr = descrs[cmd];
- delete descrs[cmd];
-
- print logfile, fmt("%.6f %.6f [%s] %s", network_time(), current_time(), descr, cmd);
- }
- }
-
-event bro_init()
- {
- set_buf(logfile, F);
-
- # Create a feed ID that's unique across restarts w/ high probability.
- feed_id = fmt("%s-%d-%d", gethostname(), getpid(), rand(100));
-
- if ( time_machine_profiling )
- profile = open_log_file("tm-prof.queries");
- }
diff --git a/policy.old/time-machine/tm-capture.bro b/policy.old/time-machine/tm-capture.bro
deleted file mode 100644
index a322f25263..0000000000
--- a/policy.old/time-machine/tm-capture.bro
+++ /dev/null
@@ -1,91 +0,0 @@
-# $Id: tm-capture.bro,v 1.1.2.1 2006/01/04 03:52:02 sommer Exp $
-#
-# For each non-scan alert, we can
-# (a) tell the time-machine to permanently store the connection's packets
-# (b) request the connection, to store the (reassembled) payload ourselves
-# (c) request all other traffic from that IP within the last X hours
-# (d) store all other traffic from that IP within the last X hours
-
-@load time-machine
-@load tm-contents
-@load notice
-@load scan
-
-module TimeMachineCapture;
-
-export {
- # Request past traffic. Set to 0 to disable.
- # This does on-disk queries, potentially expensive.
- const history_interval = 0 hrs &redef;
-
- # Capture past traffic. Set to 0 to disable.
- # This does on-disk queries, potentially expensive.
- const history_capture_interval = 0 hrs &redef;
-
- const ignore_notices: set[Notice] = {
- Scan::AddressScan,
- Scan::PortScan,
- } &redef;
-}
-
-@ifdef ( TimeMachineGap::ContentGapTmAndLink )
-redef ignore_notices += {
- TimeMachineGap::ContentGapTmAndLink,
- TimeMachineGap::ContentGapSolved,
-};
-@endif
-
-global hosts: set[addr] &create_expire = history_capture_interval;
-
-global dbg = open_log_file("tm-capture");
-
-event notice_alarm(n: notice_info, action: NoticeAction)
- {
- if ( n$note in ignore_notices )
- return;
-
- if ( ! n?$id )
- return;
-
- if ( n?$conn && is_external_connection(n$conn) )
- return;
-
- local id = n$id;
- local start: time;
-
- if ( n?$conn )
- start = n$conn$start_time;
- else if ( connection_exists(id) )
- start = lookup_connection(id)$start_time;
- else
- start = network_time() - 5 min; # shouldn't usually get here
-
- local tag = fmt("conn.%s", n$tag);
- n$captured = tag;
-
- # It should be in the TM's memory.
- TimeMachine::capture_connection_id(fmt("%s.pcap", tag), id, start,
- T, "tm-capture");
-
- if ( get_port_transport_proto(id$resp_p) == tcp )
- {
- n$captured += " (contents)";
- TimeMachine::save_contents_id(tag, id, start, T, "tm-capture");
- }
-
- if ( n$src !in hosts )
- {
- if ( history_interval != 0 sec )
- TimeMachine::request_addr(n$src,
- network_time() - history_interval, F,
- "tm-capture");
-
- if ( history_capture_interval != 0secs )
- TimeMachine::capture_addr(fmt("host.%s.%s.pcap",
- n$src, n$tag), n$src,
- network_time() - history_capture_interval, F,
- "tm-capture");
-
- add hosts[n$src];
- }
- }
diff --git a/policy.old/time-machine/tm-class.bro b/policy.old/time-machine/tm-class.bro
deleted file mode 100644
index 4d69308517..0000000000
--- a/policy.old/time-machine/tm-class.bro
+++ /dev/null
@@ -1,22 +0,0 @@
-# $Id:$
-#
-# Changes the class for addresses that have generated alerts.
-
-@load time-machine
-@load notice
-@load scan
-
-event notice_alarm(n: notice_info, action: NoticeAction)
- {
- if ( ! n?$src )
- return;
-
- if ( n?$conn && is_external_connection(n$conn) )
- return;
-
- local class = "alarm";
- if ( n$note == Scan::AddressScan || n$note == Scan::PortScan )
- class = "scanner";
-
- TimeMachine::set_class(n$src, class, TimeMachine::BOTH, "tm-class");
- }
diff --git a/policy.old/time-machine/tm-contents.bro b/policy.old/time-machine/tm-contents.bro
deleted file mode 100644
index ea921342ae..0000000000
--- a/policy.old/time-machine/tm-contents.bro
+++ /dev/null
@@ -1,111 +0,0 @@
-# $Id:$
-#
-# Provides a function that requests a particular connection from the
-# Time Machine and stores the subsequent reassembled payload into a
-# local file.
-
-@load time-machine
-
-module TimeMachine;
-
-export {
- global save_contents:
- function(filename_prefix: string, c: connection,
- in_mem: bool, descr: string);
-
- global save_contents_id:
- function(filename_prefix: string, id: conn_id, start: time,
- in_mem: bool, descr: string);
-
- # Raised when contents have been fully saved.
- global contents_saved:
- event(c: connection, orig_file: string, resp_file: string);
-
- const contents_dir = "tm-contents" &redef;
- }
-
-# Table associating TM tag with filename.
-global requested_conns: table[string] of string;
-
-type fnames: record {
- orig: string;
- resp: string;
- orig_f: file;
- resp_f: file;
- };
-
-global external_conns: table[conn_id] of fnames;
-
-function save_contents(filename_prefix: string, c: connection,
- in_mem: bool, descr: string)
- {
- if ( is_external_connection(c) )
- return;
-
- save_contents_id(filename_prefix, c$id, c$start_time, in_mem, descr);
- }
-
-function save_contents_id(filename_prefix: string, id: conn_id, start: time,
- in_mem: bool, descr: string)
- {
- TimeMachine::suspend_cut_off_id(id, descr);
- local qtag = TimeMachine::request_connection_id(id, start, in_mem, descr);
- if ( qtag == "" )
- return;
-
- requested_conns[qtag] = filename_prefix;
- }
-
-event connection_external(c: connection, tag: string)
- {
- if ( tag !in requested_conns )
- return;
-
- local fn = requested_conns[tag];
- local id = c$id;
- local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-
- local orig_fn = fmt("%s/%s.%s.orig.dat", contents_dir, fn, idstr);
- local resp_fn = fmt("%s/%s.%s.resp.dat", contents_dir, fn, idstr);
- local orig_f = open(orig_fn);
- local resp_f = open(resp_fn);
-
- set_contents_file(c$id, CONTENTS_ORIG, orig_f);
- set_contents_file(c$id, CONTENTS_RESP, resp_f);
-
- delete 
requested_conns[tag];
- external_conns[c$id] =
- [$orig=orig_fn, $resp=resp_fn, $orig_f=orig_f, $resp_f=resp_f];
- }
-
-event delayed_contents_saved(c: connection, orig_file: string, resp_file: string)
- {
- schedule 2 min { TimeMachine::contents_saved(c, orig_file, resp_file) };
- }
-
-event connection_state_remove(c: connection)
- {
- if ( ! is_external_connection(c) )
- return;
-
- if ( c$id !in external_conns )
- return;
-
- local fn = external_conns[c$id];
-
- close(fn$orig_f);
- close(fn$resp_f);
-
- # FIXME: We delay this a bit as there seems to be some race-condition
- # with the file's data being flushed to disk. Not sure why, though.
- # However, we need to delay indirectly through another event to
- # install it into the global timer manager.
- event delayed_contents_saved(c, fn$orig, fn$resp);
-
- delete external_conns[c$id];
- }
-
-event bro_init()
- {
- mkdir(contents_dir);
- }
diff --git a/policy.old/time-machine/tm-ftp.bro b/policy.old/time-machine/tm-ftp.bro
deleted file mode 100644
index cc09fc8328..0000000000
--- a/policy.old/time-machine/tm-ftp.bro
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: tm-ftp.bro,v 1.1.2.1 2006/01/04 03:55:48 sommer Exp $
-#
-# For sensitive FTP connections, request the data connection from the TM.
-# When we get it, we store the reassembled payload and run the file-analyzer
-# (the latter is automatically done by ftp.bro).
-
-@load time-machine
-@load tm-contents
-@load ftp
-
-module TimeMachineFTP;
-
-global data_conns: table[count] of conn_id;
-
-event ftp_sensitive_file(c: connection, session: FTP::ftp_session_info,
- filename: string)
- {
- if ( is_external_connection(c) )
- return;
-
- if ( session$id !in data_conns )
- # Should not happen, as transfer parameters need to be
- # negotiated first. We let ftp.bro deal with this, though.
- return;
-
- local id = data_conns[session$id];
- TimeMachine::save_contents(fmt("ftp.%s", session$id), c, T, "tm-ftp");
- }
-
-event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
- resp_p: port, session: FTP::ftp_session_info)
- {
- data_conns[session$id] =
- [$orig_h=orig_h, $orig_p=0/tcp, $resp_h=resp_h, $resp_p=resp_p];
- }
-
-event connection_state_remove(c: connection)
- &priority = 5 # to be called before FTP's handler
- {
- if ( c$id in FTP::ftp_sessions )
- delete data_conns[FTP::ftp_sessions[c$id]$id];
- }
diff --git a/policy.old/time-machine/tm-gap.bro b/policy.old/time-machine/tm-gap.bro
deleted file mode 100644
index e97d6a848a..0000000000
--- a/policy.old/time-machine/tm-gap.bro
+++ /dev/null
@@ -1,127 +0,0 @@
-# $Id: tm-gap.bro,v 1.1.2.1 2006/01/05 22:38:37 sommer Exp $
-#
-# When we see a content gap, we request the same connection from the TM.
-# If we get it from there completely, fine. If not, we check whether the
-# gap is at the same place as before, which would indicate that the packet
-# was indeed missing on the link.
-
-@load conn-id
-@load time-machine
-
-module TimeMachineGap;
-
-export {
- # If true, we assume a BPF filter that includes *all* data packets.
- const seeing_all_packets = F &redef;
-
- # Exclude these ports.
- const ignore_ports = { 80/tcp, 22/tcp, 443/tcp };
-
- redef enum Notice += {
- # A connection has at least one gap that matches a gap
- # on the link.
- ContentGapTmAndLink,
-
- # A connection that had a gap on the link has been fully
- # received from the TM.
- ContentGapSolved,
- };
-}
-
-type gap : record {
- is_orig: bool;
- seq: count;
- length: count;
-};
-
-# Remembers the first gap per connection.
-# (FIXME: Would it make sense to remember all gaps?)
-global conns: table[conn_id] of gap;
-
-global f = open_log_file("gap");
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
- {
- if ( ! is_external_connection(c) )
- {
- if ( c$id in conns )
- # We already requested the conn.
- return;
-
- if ( c$id$resp_p in ignore_ports )
- return;
-
- # It only makes sense to request the connection if we are
- # not just analyzing TCP control packets for it. There's
- # no perfect way to determine whether we do so but, as a
- # heuristic, we assume that we are supposed to see data
- # packets if:
- #
- # (1) the service port is well-known for one of our analyzers
- # (because then the analyzer script is loaded which extends
- # the capture filter accordingly; or
- # (2) the user explicitly tells us they are using a filter that
- # includes all packets (e.g., DPD); or
- # (3) (special case) it's an HTTP reply, but we only
- # load http-request.
-
- if ( ! 
seeing_all_packets )
- {
- if ( c$id$resp_p !in dpd_analyzer_ports )
- return;
-
- if ( c$id$resp_p in dpd_analyzer_ports && ! is_orig &&
- ANALYZER_HTTP in dpd_analyzer_ports[c$id$resp_p])
- {
-@ifdef ( process_HTTP_replies )
- if ( ! process_HTTP_replies )
-@endif
- return;
- }
- }
-
- local g: gap = [$is_orig=is_orig, $seq=seq, $length=length];
- conns[c$id] = g;
-
- # Should be in TM's memory.
- TimeMachine::request_connection(c, T, "tm-gap");
-
- print f, "ask", id_string(c$id);
- }
-
- else
- { # a gap in a connection from the TM
- if ( c$id !in conns )
- # Will be reported as ContentGap by weird.bro.
- return;
-
- local h = conns[c$id];
-
- if ( h$is_orig == is_orig && h$seq == seq && h$length == length )
- {
- NOTICE([$note=ContentGapTmAndLink, $conn=c,
- $msg=fmt("%s same content gap on link and from time-machine (%s %d/%d)",
- id_string(c$id),
- is_orig ? ">" : "<", seq, length)]);
- }
-
- delete conns[c$id];
- }
- }
-
-event connection_external(c: connection, tag: string)
- {
- if ( c$id in conns )
- print f, "got", id_string(c$id);
- }
-
-event connection_state_remove(c: connection)
- {
- if ( c$id in conns && is_external_connection(c) )
- { # It's still in the table, so we got it completely. Yippie!
- NOTICE([$note=ContentGapSolved, $conn=c,
- $msg=fmt("%s content gap(s) solved by time-machine",
- id_string(c$id))]);
- delete conns[c$id];
- }
- }
diff --git a/policy.old/time-machine/tm-http.bro b/policy.old/time-machine/tm-http.bro
deleted file mode 100644
index ad9d997ffc..0000000000
--- a/policy.old/time-machine/tm-http.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: tm-http.bro,v 1.1.2.1 2005/11/29 21:39:05 sommer Exp $
-#
-# Requests connections from time-machine for which we have seen a sensitive URI.
-
-@load http
-@load time-machine
-
-redef notice_policy += {
- [$pred(a: notice_info) =
- {
- if ( a$note == HTTP::HTTP_SensitiveURI &&
- a?$conn && ! is_external_connection(a$conn) )
- TimeMachine::request_connection(a$conn, T, "tm-http");
- return F;
- },
- $result = NOTICE_FILE, # irrelevant, since we always return F
- $priority = 1]
-};
diff --git a/policy.old/trw-impl.bro b/policy.old/trw-impl.bro
deleted file mode 100644
index a93782d11c..0000000000
--- a/policy.old/trw-impl.bro
+++ /dev/null
@@ -1,191 +0,0 @@
-# $Id: trw.bro 2911 2006-05-06 17:58:43Z vern $
-
-@load notice
-@load port-name
-@load hot
-
-module TRW;
-
-export {
- redef enum Notice += {
- TRWAddressScan, # source flagged as scanner by TRW algorithm
- TRWScanSummary, # summary of scanning activities reported by TRW
- };
-
- # Activate TRW if T.
- global use_TRW_algorithm = F &redef;
-
- # Tell TRW not to flag a friendly remote.
- global do_not_flag_friendly_remotes = T &redef;
-
- # Set of services for outbound connections that are possibly triggered
- # by incoming connections.
- const triggered_outbound_services = { ident, finger, 20/tcp, } &redef;
-
- # The following correspond to P_D and P_F in the TRW paper, i.e., the
- # desired detection and false positive probabilities.
- global target_detection_prob = 0.99 &redef;
- global target_false_positive_prob = 0.01 &redef;
-
- # Given a legitimate remote, the probability that its connection
- # attempt will succeed.
- global theta_zero = 0.8 &redef;
-
- # Given a scanner, the probability that its connection attempt
- # will succeed.
- global theta_one = 0.2 &redef;
-
-
- # These variables the user usually won't alter, except they
- # might want to adjust the expiration times, which is why
- # they're exported here.
- global scan_sources: set[addr] &write_expire = 1 hr;
- global benign_sources: set[addr] &write_expire = 1 hr;
-
- global failed_locals: set[addr, addr] &write_expire = 30 mins;
- global successful_locals: set[addr, addr] &write_expire = 30 mins;
-
- global lambda: table[addr] of double
- &default = 1.0 &write_expire = 30 mins;
- global num_scanned_locals:
- table[addr] of count &default = 0 &write_expire = 30 mins;
-
- # Function called to perform TRW analysis.
- global check_TRW_scan: function(c: connection, state: string,
- reverse: bool): bool;
-}
-
-# Set of remote hosts that have been successfully accessed by local hosts.
-global friendly_remotes: set[addr] &read_expire = 30 mins;
-
-# Set of local honeypot hosts - for internal use at LBL.
-global honeypot: set[addr];
-
-# Approximate solutions for upper and lower thresholds.
-global eta_zero: double; # initialized when Bro starts
-global eta_one: double;
-
-event bro_init()
- {
- eta_zero =
- (1 - target_detection_prob) / (1 - target_false_positive_prob);
- eta_one = target_detection_prob / target_false_positive_prob;
- }
-
-
-event TRW_scan_summary(orig: addr)
- {
- NOTICE([$note=TRWScanSummary, $src=orig,
- $msg=fmt("%s scanned a total of %d hosts",
- orig, num_scanned_locals[orig])]);
- }
-
-function check_TRW_scan(c: connection, state: string, reverse: bool): bool
- {
- local id = c$id;
-
- local service = "ftp-data" in c$service ? 20/tcp
- : (reverse ? id$orig_p : id$resp_p);
- local orig = reverse ? id$resp_h : id$orig_h;
- local resp = reverse ? id$orig_h : id$resp_h;
- local outbound = is_local_addr(orig);
-
- # Mark a remote as friendly if it is successfully accessed by
- # a local with protocols other than triggered_outbound_services.
- # XXX There is an ambiguity to determine who initiated a
- # connection when the status is "OTH".
- if ( outbound )
- {
- if ( resp !in scan_sources &&
- service !in triggered_outbound_services &&
- orig !in honeypot && state != "OTH" )
- add friendly_remotes[resp];
-
- return F;
- }
-
- if ( orig in scan_sources )
- return T;
-
- if ( orig in benign_sources )
- return F;
-
- if ( do_not_flag_friendly_remotes && orig in friendly_remotes )
- return F;
-
- # Start TRW evaluation.
- local flag = +0;
- local resp_byte = reverse ? c$orig$size : c$resp$size;
- local established = T;
-
- if ( state == "S0" || state == "REJ" || state == "OTH" ||
- (state == "RSTOS0" && resp_byte <= 0) )
- established = F;
-
- if ( ! 
established || resp in honeypot )
- {
- if ( [orig, resp] !in failed_locals )
- {
- flag = 1;
- add failed_locals[orig, resp];
- }
- }
-
- else if ( [orig, resp] !in successful_locals )
- {
- flag = -1;
- add successful_locals[orig, resp];
- }
-
- if ( flag == 0 )
- return F;
-
- local ratio = 1.0;
-
- # Update the corresponding likelihood ratio of orig.
- if ( theta_zero <= 0 || theta_zero >= 1 || theta_one <= 0 ||
- theta_one >= 1 || theta_one >= theta_zero )
- {
- # Error: theta_zero should be between 0 and 1.
- # Log::error("bad theta_zero/theta_one in check_TRW_scan");
- use_TRW_algorithm = F;
- return F;
- }
-
- if ( flag == 1 )
- ratio = (1 - theta_one) / (1 - theta_zero);
-
- if ( flag == -1 )
- ratio = theta_one / theta_zero;
-
- ++num_scanned_locals[orig];
-
- lambda[orig] = lambda[orig] * ratio;
- local updated_lambda = lambda[orig];
-
- if ( target_detection_prob <= 0 ||
- target_detection_prob >= 1 ||
- target_false_positive_prob <= 0 ||
- target_false_positive_prob >= 1 )
- {
- # Error: target probabilities should be between 0 and 1
- # Log::error("bad target probabilities in check_TRW_scan");
- use_TRW_algorithm = F;
- return F;
- }
-
- if ( updated_lambda > eta_one )
- {
- add scan_sources[orig];
- NOTICE([$note=TRWAddressScan, $src=orig,
- $msg=fmt("%s scanned a total of %d hosts",
- orig, num_scanned_locals[orig])]);
- schedule 1 day { TRW_scan_summary(orig) };
- return T;
- }
-
- if ( updated_lambda < eta_zero )
- add benign_sources[orig];
-
- return F;
- }
diff --git a/policy.old/trw.bro b/policy.old/trw.bro
deleted file mode 100644
index 0ffe6246f7..0000000000
--- a/policy.old/trw.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: trw.bro 3297 2006-06-18 00:56:58Z vern $
-#
-# Load this file to actiate TRW analysis.
-
-@load trw-impl
-
-redef TRW::use_TRW_algorithm = T;
diff --git a/policy.old/udp-common.bro b/policy.old/udp-common.bro
deleted file mode 100644
index a6ca5a647b..0000000000
--- a/policy.old/udp-common.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-# $Id: udp-common.bro 4758 2007-08-10 06:49:23Z vern $
-#
-# Performs generic UDP request/reply processing, but doesn't set
-# the packet filter to capture all UDP traffic (use udp.bro for that).
-
-@load hot
-@load conn
-@load scan
-
-global udp_req_count: table[conn_id] of count &default = 0;
-global udp_rep_count: table[conn_id] of count &default = 0;
-
-event udp_request(u: connection)
- {
- Scan::check_scan(u, F, F);
-# if ( TRW::use_TRW_algorithm )
-# TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
- Hot::check_hot(u, Hot::CONN_ATTEMPTED);
- }
-
-event udp_reply(u: connection)
- {
- Scan::check_scan(u, T, F);
-# if ( TRW::use_TRW_algorithm )
-# TRW::check_TRW_scan(u, conn_state(u, udp), F);
-
- Hot::check_hot(u, Hot::CONN_ESTABLISHED);
- Hot::check_hot(u, Hot::CONN_FINISHED);
- }
-
-function add_req_rep_addl(u: connection)
- {
- local id = u$id;
- if ( udp_req_count[id] > 1 || udp_rep_count[id] > 1 )
- append_addl(u, fmt("[%d/%d]", udp_req_count[id], udp_rep_count[id]));
-
- delete udp_req_count[id];
- delete udp_rep_count[id];
- }
-
-event udp_session_done(u: connection)
- {
- add_req_rep_addl(u);
- Hot::check_hot(u, Hot::CONN_FINISHED);
- }
diff --git a/policy.old/udp.bro b/policy.old/udp.bro
deleted file mode 100644
index ae5f1834ad..0000000000
--- a/policy.old/udp.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: udp.bro 1103 2005-03-17 09:18:28Z vern $
-
-@load udp-common
-
-redef capture_filters += { ["udp"] = "udp" };
diff --git a/policy.old/weird.bro b/policy.old/weird.bro
deleted file mode 100644
index 245f6b79ac..0000000000
--- a/policy.old/weird.bro
+++ /dev/null
@@ -1,424 +0,0 @@
-# $Id: weird.bro 6452 2008-12-07 01:19:13Z vern $
-
-@load notice
-@load port-name
-
-module Weird;
-
-export {
- redef enum Notice += {
- WeirdActivity, # generic unusual, alarm-worthy activity
- RetransmissionInconsistency,
- # possible evasion; usually just chud
- AckAboveHole,
- # could mean packet drop; could also be chud
- ContentGap,
- # data has sequence hole; perhaps due to filtering
- };
-
- const weird_file = open_log_file("weird") &redef;
-
- type WeirdAction: enum {
- WEIRD_UNSPECIFIED, WEIRD_IGNORE, WEIRD_FILE,
- WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
- WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
- };
-
- # Which of the above actions lead to logging. For internal use.
- const notice_actions = {
- WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
- WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
- };
-
- const weird_action: table[string] of WeirdAction = {
- # tcp_weird
- ["above_hole_data_without_any_acks"] = WEIRD_FILE,
- ["active_connection_reuse"] = WEIRD_FILE,
- ["bad_HTTP_reply"] = WEIRD_FILE,
- ["bad_HTTP_version"] = WEIRD_FILE,
- ["bad_ICMP_checksum"] = WEIRD_FILE,
- ["bad_ident_port"] = WEIRD_FILE,
- ["bad_ident_reply"] = WEIRD_FILE,
- ["bad_ident_request"] = WEIRD_FILE,
- ["bad_rlogin_prolog"] = WEIRD_FILE,
- ["bad_rsh_prolog"] = WEIRD_FILE,
- ["rsh_text_after_rejected"] = WEIRD_FILE,
- ["bad_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["bad_RPC_program"] = WEIRD_FILE,
- ["bad_SYN_ack"] = WEIRD_FILE,
- ["bad_TCP_checksum"] = WEIRD_FILE,
- ["bad_UDP_checksum"] = WEIRD_FILE,
- ["baroque_SYN"] = WEIRD_FILE,
- ["base64_illegal_encoding"] = WEIRD_FILE,
- ["connection_originator_SYN_ack"] = WEIRD_FILE,
- ["corrupt_tcp_options"] = WEIRD_FILE,
- ["crud_trailing_HTTP_request"] = WEIRD_FILE,
- ["data_after_re set"] = WEIRD_FILE,
- ["data_before_established"] = WEIRD_FILE,
- ["data_without_SYN_ACK"] = WEIRD_FILE,
- ["DHCP_no_type_option"] = WEIRD_FILE,
- ["DHCP_wrong_msg_type"] = WEIRD_FILE,
- ["DHCP_wrong_op_type"] = WEIRD_FILE,
- ["DNS_AAAA_neg_length"] 
= WEIRD_FILE,
- ["DNS_Conn_count_too_large"] = WEIRD_FILE,
- ["DNS_NAME_too_long"] = WEIRD_FILE,
- ["DNS_RR_bad_length"] = WEIRD_FILE,
- ["DNS_RR_length_mismatch"] = WEIRD_FILE,
- ["DNS_RR_unknown_type"] = WEIRD_FILE,
- ["DNS_label_forward_compress_offset"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_len_gt_name_len"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_len_gt_pkt"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_label_too_long"] = WEIRD_NOTICE_PER_ORIG,
- ["DNS_truncated_RR_rdlength_lt_len"] = WEIRD_FILE,
- ["DNS_truncated_ans_too_short"] = WEIRD_FILE,
- ["DNS_truncated_len_lt_hdr_len"] = WEIRD_FILE,
- ["DNS_truncated_quest_too_short"] = WEIRD_FILE,
- ["excessive_data_without_further_acks"] = WEIRD_FILE,
- ["excess_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["excessive_RPC_len"] = WEIRD_NOTICE_PER_ORIG,
- ["FIN_advanced_last_seq"] = WEIRD_FILE,
- ["FIN_after_reset"] = WEIRD_IGNORE,
- ["FIN_storm"] = WEIRD_NOTICE_ALWAYS,
- ["HTTP_bad_chunk_size"] = WEIRD_FILE,
- ["HTTP_chunked_transfer_for_multipart_message"] = WEIRD_FILE,
- ["HTTP_overlapping_messages"] = WEIRD_FILE,
- ["HTTP_unknown_method"] = WEIRD_FILE,
- ["HTTP_version_mismatch"] = WEIRD_FILE,
- ["ident_request_addendum"] = WEIRD_FILE,
- ["inappropriate_FIN"] = WEIRD_FILE,
- ["inflate_data_failed"] = WEIRD_FILE,
- ["inflate_failed"] = WEIRD_FILE,
- ["invalid_irc_global_users_reply"] = WEIRD_FILE,
- ["irc_invalid_command"] = WEIRD_FILE,
- ["irc_invalid_dcc_message_format"] = WEIRD_FILE,
- ["irc_invalid_invite_message_format"] = WEIRD_FILE,
- ["irc_invalid_join_line"] = WEIRD_FILE,
- ["irc_invalid_kick_message_format"] = WEIRD_FILE,
- ["irc_invalid_line"] = WEIRD_FILE,
- ["irc_invalid_mode_message_format"] = WEIRD_FILE,
- ["irc_invalid_names_line"] = WEIRD_FILE,
- ["irc_invalid_njoin_line"] = WEIRD_FILE,
- ["irc_invalid_notice_message_format"] = WEIRD_FILE,
- ["irc_invalid_oper_message_format"] = WEIRD_FILE,
- ["irc_invalid_privmsg_message_format"] = WEIRD_FILE,
- ["irc_invalid_reply_number"] = WEIRD_FILE,
- 
["irc_invalid_squery_message_format"] = WEIRD_FILE,
- ["irc_invalid_topic_reply"] = WEIRD_FILE,
- ["irc_invalid_who_line"] = WEIRD_FILE,
- ["irc_invalid_who_message_format"] = WEIRD_FILE,
- ["irc_invalid_whois_channel_line"] = WEIRD_FILE,
- ["irc_invalid_whois_message_format"] = WEIRD_FILE,
- ["irc_invalid_whois_operator_line"] = WEIRD_FILE,
- ["irc_invalid_whois_user_line"] = WEIRD_FILE,
- ["irc_line_size_exceeded"] = WEIRD_FILE,
- ["irc_line_too_short"] = WEIRD_FILE,
- ["irc_too_many_invalid"] = WEIRD_FILE,
- ["line_terminated_with_single_CR"] = WEIRD_FILE,
- ["line_terminated_with_single_LF"] = WEIRD_FILE,
- ["malformed_ssh_identification"] = WEIRD_FILE,
- ["malformed_ssh_version"] = WEIRD_FILE,
- ["matching_undelivered_data"] = WEIRD_FILE,
- ["multiple_HTTP_request_elements"] = WEIRD_FILE,
- ["multiple_RPCs"] = WEIRD_NOTICE_PER_ORIG,
- ["non_IPv4_packet"] = WEIRD_NOTICE_ONCE,
- ["NUL_in_line"] = WEIRD_FILE,
- ["originator_RPC_reply"] = WEIRD_NOTICE_PER_ORIG,
- ["partial_finger_request"] = WEIRD_FILE,
- ["partial_ftp_request"] = WEIRD_FILE,
- ["partial_ident_request"] = WEIRD_FILE,
- ["partial_RPC"] = WEIRD_NOTICE_PER_ORIG,
- ["partial_RPC_request"] = WEIRD_FILE,
- ["pending_data_when_closed"] = WEIRD_FILE,
- ["pop3_bad_base64_encoding"] = WEIRD_FILE,
- ["pop3_client_command_unknown"] = WEIRD_FILE,
- ["pop3_client_sending_server_commands"] = WEIRD_FILE,
- ["pop3_malformed_auth_plain"] = WEIRD_FILE,
- ["pop3_server_command_unknown"] = WEIRD_FILE,
- ["pop3_server_sending_client_commands"] = WEIRD_FILE,
- ["possible_split_routing"] = WEIRD_FILE,
- ["premature_connection_reuse"] = WEIRD_FILE,
- ["repeated_SYN_reply_wo_ack"] = WEIRD_FILE,
- ["repeated_SYN_with_ack"] = WEIRD_FILE,
- ["responder_RPC_call"] = WEIRD_NOTICE_PER_ORIG,
- ["rlogin_text_after_rejected"] = WEIRD_FILE,
- ["RPC_rexmit_inconsistency"] = WEIRD_FILE,
- ["RPC_underflow"] = WEIRD_FILE,
- ["RST_storm"] = WEIRD_NOTICE_ALWAYS,
- ["RST_with_data"] = WEIRD_FILE, # PC's do this
- ["simultaneous_open"] = 
WEIRD_NOTICE_PER_CONN,
- ["spontaneous_FIN"] = WEIRD_IGNORE,
- ["spontaneous_RST"] = WEIRD_IGNORE,
- ["SMB_parsing_error"] = WEIRD_FILE,
- ["no_smb_session_using_parsesambamsg"] = WEIRD_FILE,
- ["smb_andx_command_failed_to_parse"] = WEIRD_FILE,
- ["transaction_subcmd_missing"] = WEIRD_FILE,
- ["SSLv3_data_without_full_handshake"] = WEIRD_FILE,
- ["unexpected_SSLv3_record"] = WEIRD_FILE,
- ["successful_RPC_reply_to_invalid_request"] = WEIRD_NOTICE_PER_ORIG,
- ["SYN_after_close"] = WEIRD_FILE,
- ["SYN_after_partial"] = WEIRD_NOTICE_PER_ORIG,
- ["SYN_after_reset"] = WEIRD_FILE,
- ["SYN_inside_connection"] = WEIRD_FILE,
- ["SYN_seq_jump"] = WEIRD_FILE,
- ["SYN_with_data"] = WEIRD_FILE,
- ["TCP_christmas"] = WEIRD_FILE,
- ["truncated_ARP"] = WEIRD_FILE,
- ["truncated_NTP"] = WEIRD_FILE,
- ["UDP_datagram_length_mismatch"] = WEIRD_NOTICE_PER_ORIG,
- ["unexpected_client_HTTP_data"] = WEIRD_FILE,
- ["unexpected_multiple_HTTP_requests"] = WEIRD_FILE,
- ["unexpected_server_HTTP_data"] = WEIRD_FILE,
- ["unmatched_HTTP_reply"] = WEIRD_FILE,
- ["unpaired_RPC_response"] = WEIRD_FILE,
- ["unsolicited_SYN_response"] = WEIRD_IGNORE,
- ["window_recision"] = WEIRD_FILE,
- ["double_%_in_URI"] = WEIRD_FILE,
- ["illegal_%_at_end_of_URI"] = WEIRD_FILE,
- ["unescaped_%_in_URI"] = WEIRD_FILE,
- ["unescaped_special_URI_char"] = WEIRD_FILE,
-
- ["UDP_zone_transfer"] = WEIRD_NOTICE_ONCE,
-
- ["deficit_netbios_hdr_len"] = WEIRD_FILE,
- ["excess_netbios_hdr_len"] = WEIRD_FILE,
- ["netbios_client_session_reply"] = WEIRD_FILE,
- ["netbios_raw_session_msg"] = WEIRD_FILE,
- ["netbios_server_session_request"] = WEIRD_FILE,
- ["unknown_netbios_type"] = WEIRD_FILE,
-
- # flow_weird
- ["excessively_large_fragment"] = WEIRD_NOTICE_ALWAYS,
-
- # Code Red generates slews ...
- ["excessively_small_fragment"] = WEIRD_NOTICE_PER_ORIG,
-
- ["fragment_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_overlap"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_protocol_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_size_inconsistency"] = WEIRD_NOTICE_ALWAYS,
- ["fragment_with_DF"] = WEIRD_FILE, # these do indeed happen!
- ["incompletely_captured_fragment"] = WEIRD_NOTICE_ALWAYS,
-
- # net_weird
- ["bad_IP_checksum"] = WEIRD_FILE,
- ["bad_TCP_header_len"] = WEIRD_FILE,
- ["internally_truncated_header"] = WEIRD_NOTICE_ALWAYS,
- ["truncated_IP"] = WEIRD_FILE,
- ["truncated_header"] = WEIRD_FILE,
-
- # generated by policy script
- ["Land_attack"] = WEIRD_NOTICE_PER_ORIG,
- ["bad_pm_port"] = WEIRD_NOTICE_PER_ORIG,
- } &redef;
-
- # table that maps weird types into a function that should be called
- # to determine the action.
- const weird_action_filters:
- table[string] of function(c: connection): WeirdAction &redef;
-
- const weird_ignore_host: set[addr, string] &redef;
-
- # But don't ignore these (for the weird file), it's handy keeping
- # track of clustered checksum errors.
- const weird_do_not_ignore_repeats = {
- "bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
- "bad_ICMP_checksum",
- } &redef;
-}
-
-# id/msg pairs that should be ignored (because the problem has already
-# been reported).
-global weird_ignore: table[string] of set[string] &write_expire = 10 min;
-
-# For WEIRD_NOTICE_PER_CONN.
-global did_notice_conn: set[addr, port, addr, port, string]
- &read_expire = 1 day;
-
-# For WEIRD_NOTICE_PER_ORIG.
-global did_notice_orig: set[addr, string] &read_expire = 1 day;
-
-# For WEIRD_NOTICE_ONCE.
-global did_weird_log: set[string] &read_expire = 1 day;
-
-global did_inconsistency_msg: set[conn_id];
-
-function weird_id_string(id: conn_id): string
- {
- return fmt("%s > %s",
- endpoint_id(id$orig_h, id$orig_p),
- endpoint_id(id$resp_h, id$resp_p));
- }
-
-# Used to pass the optional connection into report_weird().
-global current_conn: connection;
-
-function report_weird(t: time, name: string, id: string, have_conn: bool,
- addl: string, action: WeirdAction, no_log: bool)
- {
- if ( action == WEIRD_IGNORE ||
- (id in weird_ignore && name in weird_ignore[id]) )
- return;
-
- local msg = id;
-
- if ( action == WEIRD_UNSPECIFIED )
- {
- if ( name in weird_action )
- {
- action = weird_action[name];
- if ( action == WEIRD_IGNORE )
- return;
-
- msg = fmt("%s: %s", msg, name);
- }
- else
- {
- action = WEIRD_NOTICE_ALWAYS;
- msg = fmt("** %s: %s", msg, name);
- }
- }
- else
- msg = fmt("%s: %s", msg, name);
-
- if ( addl != "" )
- msg = fmt("%s (%s)", msg, addl);
-
- if ( action in notice_actions && ! no_log )
- {
- if ( have_conn )
- NOTICE([$note=WeirdActivity, $conn=current_conn,
- $msg=msg]);
- else
- NOTICE([$note=WeirdActivity, $msg=msg]);
- }
-
- else if ( id != "" && name !in weird_do_not_ignore_repeats )
- {
- if ( id !in weird_ignore )
- weird_ignore[id] = set() &mergeable;
-
- add weird_ignore[id][name];
- }
-
- print weird_file, fmt("%.6f %s", t, msg);
- }
-
-function report_weird_conn(t: time, name: string, id: string, addl: string,
- c: connection)
- {
- if ( [c$id$orig_h, name] in weird_ignore_host ||
- [c$id$resp_h, name] in weird_ignore_host )
- return;
-
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- if ( name in weird_action_filters )
- action = weird_action_filters[name](c);
-
- if ( action == WEIRD_UNSPECIFIED )
- action = weird_action[name];
-
- local cid = c$id;
-
- if ( action == WEIRD_NOTICE_PER_CONN )
- {
- if ( [cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name] in did_notice_conn )
- no_log = T;
- else
- add did_notice_conn[cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name];
- }
-
- else if ( action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [c$id$orig_h, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[c$id$orig_h, name];
- }
-
- else if ( action == WEIRD_NOTICE_ONCE )
- {
- if ( 
name in did_weird_log )
- no_log = T;
- else
- add did_weird_log[name];
- }
- }
-
- current_conn = c;
- report_weird(t, name, id, T, addl, action, no_log);
- }
-
-function report_weird_orig(t: time, name: string, id: string, orig: addr)
- {
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- action = weird_action[name];
- if ( action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [orig, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[orig, name];
- }
- }
-
- report_weird(t, name, id, F, "", action, no_log);
- }
-
-event conn_weird(name: string, c: connection)
- {
- report_weird_conn(network_time(), name, weird_id_string(c$id), "", c);
- }
-
-event conn_weird_addl(name: string, c: connection, addl: string)
- {
- report_weird_conn(network_time(), name, weird_id_string(c$id), addl, c);
- }
-
-event flow_weird(name: string, src: addr, dst: addr)
- {
- report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
- }
-
-event net_weird(name: string)
- {
- report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
- }
-
-event rexmit_inconsistency(c: connection, t1: string, t2: string)
- {
- if ( c$id !in did_inconsistency_msg )
- {
- NOTICE([$note=RetransmissionInconsistency, $conn=c,
- $msg=fmt("%s rexmit inconsistency (%s) (%s)",
- weird_id_string(c$id), t1, t2)]);
- add did_inconsistency_msg[c$id];
- }
- }
-
-event ack_above_hole(c: connection)
- {
- NOTICE([$note=AckAboveHole, $conn=c,
- $msg=fmt("%s ack above a hole", weird_id_string(c$id))]);
- }
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
- {
- NOTICE([$note=ContentGap, $conn=c,
- $msg=fmt("%s content gap (%s %d/%d)%s",
- weird_id_string(c$id), is_orig ? ">" : "<", seq, length,
- is_external_connection(c) ? " [external]" : "")]);
- }
-
-event connection_state_remove(c: connection)
- {
- delete weird_ignore[weird_id_string(c$id)];
- delete did_inconsistency_msg[c$id];
- }
diff --git a/policy.old/worm.bro b/policy.old/worm.bro
deleted file mode 100644
index 18e9649096..0000000000
--- a/policy.old/worm.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: worm.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load notice
-@load site
-
-# signatures.bro needs this.
-global is_worm_infectee: function(ip: addr) : bool;
-
-@load signatures
-
-redef enum Notice += {
- LocalWorm, # worm seen in local host
- RemoteWorm, # worm seen in remote host
-};
-
-# redef capture_filters += { ["worm"] = "tcp dst port 80" };
-
-const worm_log = open_log_file("worm") &redef;
-
-# Maps types of worms to URI patterns.
-const worm_types: table[string] of pattern = {
- ["Code Red 1"] = /\.id[aq]\?.*NNNNNNNNNNNNN/,
- ["Code Red 2"] = /\.id[aq]\?.*XXXXXXXXXXXXX/,
- ["Nimda"] = /\/scripts\/root\.exe\?\/c\+tftp/ |
- /\/MSADC\/root.exe\?\/c\+dir/ |
- /cool\.dll.*httpodbc\.dll/, # 29Oct01 Nimda variant
-} &redef;
-
-# Maps signatures to worm types.
-const worm_sigs: table[string] of string = {
- ["slammer"] = "Slammer",
- ["nimda"] = "Nimda",
- ["bagle-bc"] = "Bagle.bc"
-};
-
-# We handle these ourselves.
-redef signature_actions += {
- ["codered1"] = SIG_IGNORE,
- ["codered2"] = SIG_IGNORE,
- ["slammer"] = SIG_IGNORE,
- ["nimda"] = SIG_IGNORE,
- ["bagle-bc"] = SIG_IGNORE
-};
-
-# Indexed by infectee.
-global worm_list: table[addr] of count &default=0 &read_expire = 2 days;
-
-# Indexed by infectee and type of worm.
-global worm_type_list: table[addr, string] of count
- &default=0 &read_expire = 2 days;
-
-# Invoked each time a new infectee (or a new type of worm for an existing
-# infectee) is seen. For the first instance of any type for a new infectee,
-# two events will be generated, one with worm_type of "first instance",
-# and another with the particular worm type.
-global worm_infectee_seen: event(c: connection, is_local: bool, worm_type: string);
-
-# Invoked whenever connection c has included a URI of worm type "worm_type".
-event worm_instance(c: connection, worm_type: string)
- {
- local id = c$id;
- local src = id$orig_h;
- local is_local = is_local_addr(src);
-
- if ( ++worm_list[src] == 1 )
- event worm_infectee_seen(c, is_local, "first instance");
-
- if ( ++worm_type_list[src, worm_type] == 1 )
- event worm_infectee_seen(c, is_local, worm_type);
- }
-
-event worm_infectee_seen(c: connection, is_local: bool, worm_type: string)
- {
- if ( worm_type == "first instance" )
- return; # just do the reporting for the specific type
-
- local infectee = c$id$orig_h;
- local where = is_local ? "local" : "remote";
- local msg = fmt("%s %s worm source: %s", where, worm_type, infectee);
-
- if ( is_local )
- NOTICE([$note=LocalWorm, $conn=c, $src=infectee,
- $msg=msg, $sub=worm_type]);
- else
- NOTICE([$note=RemoteWorm, $conn=c, $src=infectee,
- $msg=msg, $sub=worm_type]);
-
- print worm_log, fmt("%.6f %s", network_time(), msg);
- }
-
-event http_request(c: connection, method: string,
- original_URI: string, unescaped_URI: string, version: string)
- {
- # It's a pity to do this as a loop. Better would be if Bro could
- # search the patterns as one large RE and note which matched.
-
- for ( wt in worm_types )
- if ( worm_types[wt] in unescaped_URI )
- event worm_instance(c, wt);
- }
-
-event signature_match(state: signature_state, msg: string, data: string)
- {
- if ( state$id in worm_sigs )
- event worm_instance(state$conn, worm_sigs[state$id]);
- }
-
-# Ignore "weird" events, we get some due to the capture_filter above that
-# only captures the client side of an HTTP session.
-event conn_weird(name: string, c: connection)
- {
- }
-
-function is_worm_infectee(ip: addr): bool
- {
- return ip in worm_list;
- }
diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.bro
index 22422eb51d..5aabaa4bac 100644
--- a/scripts/base/frameworks/control/main.bro
+++ b/scripts/base/frameworks/control/main.bro
@@ -1,11 +1,11 @@
-##! This is a utility script that sends the current values of all &redef'able
+##! This is a utility script that sends the current values of all &redef'able
 ##! consts to a remote Bro then sends the :bro:id:`configuration_update` event
 ##! and terminates processing.
 ##!
 ##! Intended to be used from the command line like this when starting a controller::
 ##!
 ##! bro frameworks/control/controller Control::host= Control::port= Control::cmd= [Control::arg=]
-##!
+##!
 ##! A controllee only needs to load the controllee script in addition
 ##! to the specific analysis scripts desired. It may also need a node
 ##! configured as a controller node in the communications nodes configuration::
@@ -22,52 +22,50 @@ module Control;
 export {
 ## This is the address of the host that will be controlled.
 const host = 0.0.0.0 &redef;
-
+
 ## This is the port of the host that will be controlled.
 const host_port = 0/tcp &redef;
- ## This is the command that is being done. It's typically set on the
+ ## This is the command that is being done. It's typically set on the
 ## command line and influences whether this instance starts up as a
 ## controller or controllee.
 const cmd = "" &redef;
-
+
 ## This can be used by commands that take an argument.
 const arg = "" &redef;
-
+
 const controller_events = /Control::.*_request/ &redef;
 const controllee_events = /Control::.*_response/ &redef;
 ## These are the commands that can be given on the command line for
 ## remote control.
- const commands: set[string] = {
+ const commands: set[string] = {
 "id_value",
 "peer_status",
 "net_stats",
 "configuration_update",
 "shutdown",
 };
-
+
 ## Variable IDs that are to be ignored by the update process.
 const ignore_ids: set[string] = {
- # FIXME: Bro crashes if it tries to send this ID.
- "Log::rotation_control",
 };
-
+
 ## Event for requesting the value of an ID (a variable).
 global id_value_request: event(id: string);
 ## Event for returning the value of an ID after an :bro:id:`id_request` event.
 global id_value_response: event(id: string, val: string);
-
+
 ## Requests the current communication status.
 global peer_status_request: event();
 ## Returns the current communication status.
 global peer_status_response: event(s: string);
-
+
 ## Requests the current net_stats.
 global net_stats_request: event();
 ## Returns the current net_stats.
 global net_stats_response: event(s: string);
-
+
 ## Inform the remote Bro instance that it's configuration may have been updated.
 global configuration_update_request: event();
 ## This event is a wrapper and alias for the :bro:id:`configuration_update_request` event.
@@ -75,7 +73,7 @@ export {
 global configuration_update: event();
 ## Message in response to a configuration update request.
 global configuration_update_response: event();
-
+
 ## Requests that the Bro instance begins shutting down.
 global shutdown_request: event();
 ## Message in response to a shutdown request.
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro
index cb2696dde7..44ece46735 100644
--- a/scripts/base/frameworks/logging/main.bro
+++ b/scripts/base/frameworks/logging/main.bro
@@ -32,14 +32,41 @@ export {
 ## to derive a name.
 ##
 ## id: The log stream.
- ## path: A suggested path value, which may be either the filter's ``path``
- ## if defined or a fall-back generated internally.
+ ## path: A suggested path value, which may be either the filter's
+ ## ``path`` if defined, else a previous result from the function.
+ ## If no ``path`` is defined for the filter, then the first call
+ ## to the function will contain an empty string.
 ## rec: An instance of the streams's ``columns`` type with its
 ## fields set to the values to logged.
 ##
 ## Returns: The path to be used for the filter.
 global default_path_func: function(id: ID, path: string, rec: any) : string &redef;
+ # Log rotation support.
+
+ ## Information passed into rotation callback functions.
+ type RotationInfo: record {
+ writer: Writer; ##< Writer.
+ fname: string; ##< Full name of the rotated file.
+ path: string; ##< Original path value.
+ open: time; ##< Time when opened.
+ close: time; ##< Time when closed.
+ terminating: bool; ##< True if rotation occured due to Bro shutting down.
+ };
+
+ ## Default rotation interval. Zero disables rotation.
+ const default_rotation_interval = 0secs &redef;
+
+ ## Default naming format for timestamps embedded into filenames. Uses a strftime() style.
+ const default_rotation_date_format = "%Y-%m-%d-%H-%M-%S" &redef;
+
+ ## Default shell command to run on rotated files. Empty for none.
+ const default_rotation_postprocessor_cmd = "" &redef;
+
+ ## Specifies the default postprocessor function per writer type. Entries in this
+ ## table are initialized by each writer type.
+ const default_rotation_postprocessors: table[Writer] of function(info: RotationInfo) : bool &redef;
+
 ## Filter customizing logging.
 type Filter: record {
 ## Descriptive name to reference this filter.
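Review bot: The doc text introduced here lands verbatim in the generated reference docs and carries typos: `occured` → `occurred` on the `RotationInfo.terminating` line, and, in the adjacent `rec:` lines that this hunk reformats around, `streams's` → `stream's` and `values to logged` → `values to be logged`. The same `path`/`rec` paragraph is duplicated for `Filter.path_func` in the hunk at `@@ -75,8 +102,10 @@`, so both copies need the fix. Since the rotation defaults now sit in the exported `Log` API ahead of `Filter`, the bare `# Log rotation support.` heading would read better as `## Defaults for per-filter log rotation; a Filter may override interv and postprocessor.` so readers know where these values are consumed.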
@@ -75,8 +102,10 @@ export {
 ## connection ...
 ##
 ## id: The log stream.
- ## path: A suggested path value, which may be either the filter's ``path``
- ## if defined or a fall-back generated internally.
+ ## path: A suggested path value, which may be either the filter's
+ ## ``path`` if defined, else a previous result from the function.
+ ## If no ``path`` is defined for the filter, then the first call
+ ## to the function will contain an empty string.
 ## rec: An instance of the streams's ``columns`` type with its
 ## fields set to the values to logged.
 ##
@@ -96,47 +125,15 @@ export {
 ## If true, entries are passed on to remote peers.
 log_remote: bool &default=enable_remote_logging;
- };
- # Log rotation support.
-
- ## Information passed into rotation callback functions.
- type RotationInfo: record {
- writer: Writer; ##< Writer.
- fname: string; ##< Full name of the rotated file.
- path: string; ##< Original path value.
- open: time; ##< Time when opened.
- close: time; ##< Time when closed.
- terminating: bool; ##< True if rotation occured due to Bro shutting down.
- };
-
- ## Default rotation interval. Zero disables rotation.
- const default_rotation_interval = 0secs &redef;
-
- ## Default naming format for timestamps embedded into filenames. Uses a strftime() style.
- const default_rotation_date_format = "%Y-%m-%d-%H-%M-%S" &redef;
-
- ## Default shell command to run on rotated files. Empty for none.
- const default_rotation_postprocessor_cmd = "" &redef;
-
- ## Specifies the default postprocessor function per writer type. Entries in this
- ## table are initialized by each writer type.
- const default_rotation_postprocessors: table[Writer] of function(info: RotationInfo) : bool &redef;
-
- ## Type for controlling file rotation.
- type RotationControl: record {
 ## Rotation interval.
 interv: interval &default=default_rotation_interval;
- ## Callback function to trigger for rotated files. If not set, the default
- ## comes out of default_rotation_postprocessors.
+
+ ## Callback function to trigger for rotated files. If not set,
+ ## the default comes out of default_rotation_postprocessors.
 postprocessor: function(info: RotationInfo) : bool &optional;
 };
- ## Specifies rotation parameters per ``(id, path)`` tuple.
- ## If a pair is not found in this table, default values defined in
- ## ``RotationControl`` are used.
- const rotation_control: table[Writer, string] of RotationControl &default=[] &redef;
-
 ## Sentinel value for indicating that a filter was not found when looked up.
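Review bot: Dropping the exported `Log::rotation_control` table is an API break for any site script that still `redef`s it — the only caller updated in this diff is notice/main.bro — and nothing in the new `Filter` doc tells a reader where rotation settings moved. The `interv` field keeps its old one-liner `## Rotation interval.`, which no longer says that it is now per filter; suggest `## Rotation interval for this filter; replaces the former Log::rotation_control table.` so the migration path is visible at the point where the old table used to be documented. The `Filter` record's header starts above this hunk, so the note could equally go there.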
 const no_filter: Filter = [$name=""]; # Sentinel.
@@ -177,10 +174,9 @@ function default_path_func(id: ID, path: string, rec: any) : string
 local parts = split1(id_str, /::/);
 if ( |parts| == 2 )
 {
- # TODO: the core shouldn't be suggesting paths anymore. Only
- # statically defined paths should be sent into here. This
- # is only to cope with the core generated paths.
- if ( to_lower(parts[2]) != path )
+ # The suggested path value is a previous result of this function
+ # or a filter path explicitly set by the user, so continue using it.
+ if ( path != "" )
 return path;
 # Example: Notice::LOG -> "notice"
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index b3b8ca9c53..c639b5e7e1 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -289,18 +289,6 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
 return T;
 }
-# This extra export section here is just because this redefinition should
-# be documented as part of the "public API" of this script, but the redef
-# needs to occur after the postprocessor function implementation.
-export {
- ## By default, an ASCII version of the the alarm log is emailed daily to any
- ## configured :bro:id:`Notice::mail_dest` if not operating on trace files.
- redef Log::rotation_control += {
- [Log::WRITER_ASCII, "alarm-mail"] =
- [$interv=24hrs, $postprocessor=log_mailing_postprocessor]
- };
-}
-
 event bro_init() &priority=5
 {
 Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice]);
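Review bot: The new early return `if ( path != "" ) return path;` sits inside the `if ( |parts| == 2 )` branch, so it only honours a caller-supplied path for stream IDs that carry a `Module::` prefix; the doc added in this commit promises that a defined filter ``path`` (or a prior result) is kept, which that nesting does not guarantee for IDs without `::`. Hoisting the check above the `|parts| == 2` test — `if ( path != "" ) return path;` as the first statement after `split1` — makes the promise hold unconditionally, assuming the no-prefix branch below does not already do the same. `default_path_func` starts and ends outside this hunk, so I cannot see that branch.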
@@ -311,9 +299,9 @@ event bro_init() &priority=5
 # Make sure that this alarm log is also output as text so that it can
 # be packaged up and emailed later.
 if ( ! reading_traces() && mail_dest != "" )
- Log::add_filter(Notice::ALARM_LOG, [$name="alarm-mail",
- $path="alarm-mail",
- $writer=Log::WRITER_ASCII]);
+ Log::add_filter(Notice::ALARM_LOG,
+ [$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
+ $interv=24hrs, $postprocessor=log_mailing_postprocessor]);
 }
 # TODO: fix this.
diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro
index e2bb40b7aa..e3c89ff36c 100644
--- a/scripts/base/protocols/smtp/entities.bro
+++ b/scripts/base/protocols/smtp/entities.bro
@@ -69,6 +69,11 @@ export {
 ## The on-disk prefix for files to be extracted from MIME entity bodies.
 const extraction_prefix = "smtp-entity" &redef;
+ ## If set, never generate MD5s. This is mainly for testing purposes to create
+ ## reproducable output in the case that the decision whether to create
+ ## checksums depends on environment specifics.
+ const never_calc_md5 = F &redef;
+
 global log_mime: event(rec: EntityInfo);
 }
@@ -121,7 +126,7 @@ event mime_segment_data(c: connection, length: count, data: string) &priority=-5
 if ( c$smtp$current_entity$content_len == 0 )
 {
- if ( generate_md5 in c$smtp$current_entity$mime_type )
+ if ( generate_md5 in c$smtp$current_entity$mime_type && ! never_calc_md5 )
 c$smtp$current_entity$calc_md5 = T;
 if ( c$smtp$current_entity$calc_md5 )
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index cfc513120d..50c4150c0a 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
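Review bot: Inlining `$interv=24hrs` and `$postprocessor=log_mailing_postprocessor` into the `add_filter` call removes the documented, `redef`-able hook that the deleted export block in notice/main.bro provided; a site that wants a different mailing cadence now has to remove and re-add the filter instead of overriding a value. If the interval should stay tunable, hoist it into an exported `const alarm_mail_interval = 24hrs &redef;` and pass `$interv=alarm_mail_interval`. Either way the comment above the call still only mentions "output as text", so the daily-mail behaviour is no longer described anywhere in the script; suggest `# Also write the alarm log as ASCII, rotating it daily and handing each rotated file to log_mailing_postprocessor for delivery to mail_dest.` The enclosing `bro_init` handler starts outside this hunk.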
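Review bot: `never_calc_md5` only gates the automatic `generate_md5` decision in the hunk at `@@ -121,7 +126,7 @@`; the `if ( c$smtp$current_entity$calc_md5 )` that follows still hashes whenever `calc_md5` was set by anything else, so the comment "never generate MD5s" added at `@@ -69,6 +69,11 @@` promises more than the knob does. Either guard the hashing itself, `if ( c$smtp$current_entity$calc_md5 && ! never_calc_md5 )`, or narrow the doc to `## If set, suppress the automatic MD5 decision driven by generate_md5; an explicitly set calc_md5 is still honoured.` The same comment has `reproducable` → `reproducible`. `mime_segment_data` starts and ends outside the hunk.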
@@ -12,22 +12,28 @@ export {
 version: string &log &optional;
 cipher: string &log &optional;
 server_name: string &log &optional;
+ session_id: string &log &optional;
 subject: string &log &optional;
 not_valid_before: time &log &optional;
 not_valid_after: time &log &optional;
 cert: string &optional;
 cert_chain: vector of string &optional;
+
+ ## This stores the analyzer id used for the analyzer instance attached
+ ## to each connection. It is not used for logging since it's a
+ ## meaningless arbitrary number.
+ analyzer_id: count &optional;
 };
 ## This is where the default root CA bundle is defined. By loading the
 ## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
 const root_certs: table[string] of string = {} &redef;
-
- ## This determines if the c$ssl record is deleted after the record is
- ## logged. You probably want this to be deleted since it contains
- ## the full certificate and all of the chain certificates in it.
- const delete_certs_after_logging = T &redef;
+
+ ## If true, detach the SSL analyzer from the connection to prevent
+ ## continuing to process encrypted traffic. Helps with performance
+ ## (especially with large file transfers).
+ const disable_analyzer_after_detection = T &redef;
 global log_ssl: event(rec: Info);
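Review bot: The doc for `disable_analyzer_after_detection` states only the performance upside; because `finish` (hunk `@@ -71,23 +77,21 @@`) calls `disable_analyzer` once the record is logged, anything the SSL analyzer would have reported later on that connection — presumably renegotiation, additional certificates or a later protocol violation — is no longer observed while the option is `T`, and that visibility trade-off belongs next to the knob. Suggest appending `## Note: once detached, later SSL activity on the connection (e.g. renegotiation) is not analyzed or logged.` The new `session_id` field is `&log` but, like its neighbours, undocumented; a `##< Hex-encoded session id offered by the client, if any.` tail would match the `RotationInfo` style used elsewhere in this commit.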
@@ -71,23 +77,21 @@ function set_session(c: connection)
 c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()];
 }
-function finish(c: connection, violation: bool)
+function finish(c: connection)
 {
 Log::write(SSL::LOG, c$ssl);
- if ( delete_certs_after_logging )
- {
- if ( c$ssl?$cert )
- delete c$ssl$cert;
- if ( c$ssl?$cert_chain )
- delete c$ssl$cert_chain;
- }
- if ( violation )
- delete c$ssl;
+ if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
+ disable_analyzer(c$id, c$ssl$analyzer_id);
+ delete c$ssl;
 }
 event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
 {
 set_session(c);
+
+ # Save the session_id if there is one set.
+ if ( session_id != /^\x00{32}$/ )
+ c$ssl$session_id = bytestring_to_hexstr(session_id);
 }
 event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
@@ -134,12 +138,19 @@ event ssl_established(c: connection) &priority=5
 event ssl_established(c: connection) &priority=-5
 {
- finish(c, F);
+ finish(c);
 }
-
+
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+ {
+ # Check by checking for existence of c$ssl record.
+ if ( c?$ssl && analyzer_name(atype) == "SSL" )
+ c$ssl$analyzer_id = aid;
+ }
+
 event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
 {
 if ( c?$ssl )
- finish(c, T);
+ finish(c);
 }
\ No newline at end of file
diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro
index dab8461806..d49066dc5b 100644
--- a/scripts/base/protocols/ssl/mozilla-ca-list.bro
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro
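Review bot: In `finish`, the guard `c?$ssl` is evaluated after `Log::write(SSL::LOG, c$ssl)` has already dereferenced `c$ssl`, so it can never be false at that point; either drop it or make the existence check the first statement, `if ( ! c?$ssl ) return;`, so a caller that reaches `finish` without a record fails soft instead of at the write. In `ssl_client_hello`, the pattern test only rejects a 32-byte all-zero id; if the core hands in a zero-length `session_id` when the client offers none (I cannot confirm that from this hunk), it passes the check and is logged as an empty string — `if ( |session_id| > 0 && session_id != /^\x00{32}$/ )` covers both cases.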
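Review bot: The comment in `protocol_confirmation`, `# Check by checking for existence of c$ssl record.`, restates the condition rather than its purpose; suggest `# Only remember the analyzer id for connections the SSL scripts are already tracking.` The `analyzer_name(atype) == "SSL"` test does a string conversion and compare on every protocol confirmation Bro raises; if the analyzer tag constant is visible to scripts in this version, comparing `atype` against it directly would be cheaper and typo-proof, but I cannot tell from this hunk whether it is. The file still ends without a trailing newline (`\ No newline at end of file`), which this edit could have fixed in passing.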
@@ -1,5 +1,5 @@ # Don't edit! This file is automatically generated. -# Generated at: Wed Jun 29 07:52:38 -0400 2011 +# Generated at: Tue Sep 20 13:18:23 -0400 2011 @load base/protocols/ssl module SSL; redef root_certs += { 
@@ -83,7 +83,6 @@ redef root_certs += { ["SecureTrust CA"] = "\x30\x82\x03\xB8\x30\x82\x02\xA0\xA0\x03\x02\x01\x02\x02\x10\x0C\xF0\x8E\x5C\x08\x16\xA5\xAD\x42\x7F\xF0\xEB\x27\x18\x59\xD0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x33\x31\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x34\x30\x35\x35\x5A\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\xA4\x81\xE5\x95\xCD\xF5\xF6\x14\x8E\xC2\x4F\xCA\xD4\xE2\x78\x95\x58\x9C\x41\xE1\x0D\x99\x40\x24\x17\x39\x91\x33\x66\xE9\xBE\xE1\x83\xAF\x62\x5C\x89\xD1\xFC\x24\x5B\x61\xB3\xE0\x11\x11\x41\x1C\x1D\x6E\xF0\xB8\xBB\xF8\xDE\xA7\x81\xBA\xA6\x48\xC6\x9F\x1D\xBD\xBE\x8E\xA9\x41\x3E\xB8\x94\xED\x29\x1A\xD4\x8E\xD2\x03\x1D\x03\xEF\x6D\x0D\x67\x1C\x57\xD7\x06\xAD\xCA\xC8\xF5\xFE\x0E\xAF\x66\x25\x48\x04\x96\x0B\x5D\xA3\xBA\x16\xC3\x08\x4F\xD1\x46\xF8\x14\x5C\xF2\xC8\x5E\x01\x99\x6D\xFD\x88\xCC\x86\xA8\xC1\x6F\x31\x42\x6C\x52\x3E\x68\xCB\xF3\x19\x34\xDF\xBB\x87\x18\x56\x80\x26\xC4\xD0\xDC\xC0\x6F\xDF\xDE\xA0\xC2\x91\x16\xA0\x64\x11\x4B\x44\xBC\x1E\xF6\xE7\xFA\x63\xDE\x66\xAC\x76\xA4\x71\xA3\xEC\x36\x94\x68\x7A\x77\xA4\xB1\xE7\x0E\x2F\x81\x7A\xE2\xB5\x72\x86\xEF\xA2\x6B\x8B\xF0\x0F\xDB\xD3\x59\x3F\xBA\x72\xBC\x44\x24\x9C\xE3\x73\xB3\xF7\xAF\x57\x2F\x42\x26\x9D\xA9\x74\xBA\x00\x52\xF2\x4B\xCD\x53\x
7C\x47\x0B\x36\x85\x0E\x66\xA9\x08\x97\x16\x34\x57\xC1\x66\xF7\x80\xE3\xED\x70\x54\xC7\x93\xE0\x2E\x28\x15\x59\x87\xBA\xBB\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x42\x32\xB6\x16\xFA\x04\xFD\xFE\x5D\x4B\x7A\xC3\xFD\xF7\x4C\x40\x1D\x5A\x43\xAF\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x54\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x30\xED\x4F\x4A\xE1\x58\x3A\x52\x72\x5B\xB5\xA6\xA3\x65\x18\xA6\xBB\x51\x3B\x77\xE9\x9D\xEA\xD3\x9F\x5C\xE0\x45\x65\x7B\x0D\xCA\x5B\xE2\x70\x50\xB2\x94\x05\x14\xAE\x49\xC7\x8D\x41\x07\x12\x73\x94\x7E\x0C\x23\x21\xFD\xBC\x10\x7F\x60\x10\x5A\x72\xF5\x98\x0E\xAC\xEC\xB9\x7F\xDD\x7A\x6F\x5D\xD3\x1C\xF4\xFF\x88\x05\x69\x42\xA9\x05\x71\xC8\xB7\xAC\x26\xE8\x2E\xB4\x8C\x6A\xFF\x71\xDC\xB8\xB1\xDF\x99\xBC\x7C\x21\x54\x2B\xE4\x58\xA2\xBB\x57\x29\xAE\x9E\xA9\xA3\x19\x26\x0F\x99\x2E\x08\xB0\xEF\xFD\x69\xCF\x99\x1A\x09\x8D\xE3\xA7\x9F\x2B\xC9\x36\x34\x7B\x24\xB3\x78\x4C\x95\x17\xA4\x06\x26\x1E\xB6\x64\x52\x36\x5F\x60\x67\xD9\x9C\xC5\x05\x74\x0B\xE7\x67\x23\xD2\x08\xFC\x88\xE9\xAE\x8B\x7F\xE1\x30\xF4\x37\x7E\xFD\xC6\x32\xDA\x2D\x9E\x44\x30\x30\x6C\xEE\x07\xDE\xD2\x34\xFC\xD2\xFF\x40\xF6\x4B\xF4\x66\x46\x06\x54\xA6\xF2\x32\x0A\x63\x26\x30\x6B\x9B\xD1\xDC\x8B\x47\xBA\xE1\xB9\xD5\x62\xD0\xA2\xA0\xF4\x67\x05\x78\x29\x63\x1A\x6F\x04\xD6\xF8\xC6\x4C\xA3\x9A\xB1\x37\xB4\x8D\xE5\x28\x4B\x1D\x9E\x2C\xC2\xB8\x68\xBC\xED\x02\xEE\x31", ["Secure Global CA"] = 
"\x30\x82\x03\xBC\x30\x82\x02\xA4\xA0\x03\x02\x01\x02\x02\x10\x07\x56\x22\xA4\xE8\xD4\x8A\x89\x4D\xF4\x13\xC8\xF0\xF8\xEA\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x34\x32\x32\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x35\x32\x30\x36\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x35\x2E\xD8\xAC\x6C\x55\x69\x06\x71\xE5\x13\x68\x24\xB3\x4F\xD8\xCC\x21\x47\xF8\xF1\x60\x38\x89\x89\x03\xE9\xBD\xEA\x5E\x46\x53\x09\xDC\x5C\xF5\x5A\xE8\xF7\x45\x2A\x02\xEB\x31\x61\xD7\x29\x33\x4C\xCE\xC7\x7C\x0A\x37\x7E\x0F\xBA\x32\x98\xE1\x1D\x97\xAF\x8F\xC7\xDC\xC9\x38\x96\xF3\xDB\x1A\xFC\x51\xED\x68\xC6\xD0\x6E\xA4\x7C\x24\xD1\xAE\x42\xC8\x96\x50\x63\x2E\xE0\xFE\x75\xFE\x98\xA7\x5F\x49\x2E\x95\xE3\x39\x33\x64\x8E\x1E\xA4\x5F\x90\xD2\x67\x3C\xB2\xD9\xFE\x41\xB9\x55\xA7\x09\x8E\x72\x05\x1E\x8B\xDD\x44\x85\x82\x42\xD0\x49\xC0\x1D\x60\xF0\xD1\x17\x2C\x95\xEB\xF6\xA5\xC1\x92\xA3\xC5\xC2\xA7\x08\x60\x0D\x60\x04\x10\x96\x79\x9E\x16\x34\xE6\xA9\xB6\xFA\x25\x45\x39\xC8\x1E\x65\xF9\x93\xF5\xAA\xF1\x52\xDC\x99\x98\x3D\xA5\x86\x1A\x0C\x35\x33\xFA\x4B\xA5\x04\x06\x15\x1C\x31\x80\xEF\xAA\x18\x6B\xC2\x7B\xD7\xDA\xCE\xF9\x33\x20\xD5\xF5\xBD\x6A\x33\x2D\x81\x04\xFB\xB0\x5C\xD4\x9C\xA3\xE2\x5C\x1D\xE3\xA9\x42\x75\x5E\x7B\xD4\x77\xEF\x39\x54\xB
A\xC9\x0A\x18\x1B\x12\x99\x49\x2F\x88\x4B\xFD\x50\x62\xD1\x73\xE7\x8F\x7A\x43\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAF\x44\x04\xC2\x41\x7E\x48\x83\xDB\x4E\x39\x02\xEC\xEC\x84\x7A\xE6\xCE\xC9\xA4\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x63\x1A\x08\x40\x7D\xA4\x5E\x53\x0D\x77\xD8\x7A\xAE\x1F\x0D\x0B\x51\x16\x03\xEF\x18\x7C\xC8\xE3\xAF\x6A\x58\x93\x14\x60\x91\xB2\x84\xDC\x88\x4E\xBE\x39\x8A\x3A\xF3\xE6\x82\x89\x5D\x01\x37\xB3\xAB\x24\xA4\x15\x0E\x92\x35\x5A\x4A\x44\x5E\x4E\x57\xFA\x75\xCE\x1F\x48\xCE\x66\xF4\x3C\x40\x26\x92\x98\x6C\x1B\xEE\x24\x46\x0C\x17\xB3\x52\xA5\xDB\xA5\x91\x91\xCF\x37\xD3\x6F\xE7\x27\x08\x3A\x4E\x19\x1F\x3A\xA7\x58\x5C\x17\xCF\x79\x3F\x8B\xE4\xA7\xD3\x26\x23\x9D\x26\x0F\x58\x69\xFC\x47\x7E\xB2\xD0\x8D\x8B\x93\xBF\x29\x4F\x43\x69\x74\x76\x67\x4B\xCF\x07\x8C\xE6\x02\xF7\xB5\xE1\xB4\x43\xB5\x4B\x2D\x14\x9F\xF9\xDC\x26\x0D\xBF\xA6\x47\x74\x06\xD8\x88\xD1\x3A\x29\x30\x84\xCE\xD2\x39\x80\x62\x1B\xA8\xC7\x57\x49\xBC\x6A\x55\x51\x67\x15\x4A\xBE\x35\x07\xE4\xD5\x75\x98\x37\x79\x30\x14\xDB\x29\x9D\x6C\xC5\x69\xCC\x47\x55\xA2\x30\xF7\xCC\x5C\x7F\xC2\xC3\x98\x1C\x6B\x4E\x16\x80\xEB\x7A\x78\x65\x45\xA2\x00\x1A\xAF\x0C\x0D\x55\x64\x34\x48\xB8\x92\xB9\xF1\xB4\x50\x29\xF2\x4F\x23\x1F\xDA\x6C\xAC\x1F\x44\xE1\xDD\x23\x78\x51\x5B\xC7\x16", ["COMODO Certification Authority"] = 
"\x30\x82\x04\x1D\x30\x82\x03\x05\xA0\x03\x02\x01\x02\x02\x10\x4E\x81\x2D\x8A\x82\x65\xE0\x0B\x02\xEE\x3E\x35\x02\x46\xE5\x3D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x40\x8B\x8B\x72\xE3\x91\x1B\xF7\x51\xC1\x1B\x54\x04\x98\xD3\xA9\xBF\xC1\xE6\x8A\x5D\x3B\x87\xFB\xBB\x88\xCE\x0D\xE3\x2F\x3F\x06\x96\xF0\xA2\x29\x50\x99\xAE\xDB\x3B\xA1\x57\xB0\x74\x51\x71\xCD\xED\x42\x91\x4D\x41\xFE\xA9\xC8\xD8\x6A\x86\x77\x44\xBB\x59\x66\x97\x50\x5E\xB4\xD4\x2C\x70\x44\xCF\xDA\x37\x95\x42\x69\x3C\x30\xC4\x71\xB3\x52\xF0\x21\x4D\xA1\xD8\xBA\x39\x7C\x1C\x9E\xA3\x24\x9D\xF2\x83\x16\x98\xAA\x16\x7C\x43\x9B\x15\x5B\xB7\xAE\x34\x91\xFE\xD4\x62\x26\x18\x46\x9A\x3F\xEB\xC1\xF9\xF
1\x90\x57\xEB\xAC\x7A\x0D\x8B\xDB\x72\x30\x6A\x66\xD5\xE0\x46\xA3\x70\xDC\x68\xD9\xFF\x04\x48\x89\x77\xDE\xB5\xE9\xFB\x67\x6D\x41\xE9\xBC\x39\xBD\x32\xD9\x62\x02\xF1\xB1\xA8\x3D\x6E\x37\x9C\xE2\x2F\xE2\xD3\xA2\x26\x8B\xC6\xB8\x55\x43\x88\xE1\x23\x3E\xA5\xD2\x24\x39\x6A\x47\xAB\x00\xD4\xA1\xB3\xA9\x25\xFE\x0D\x3F\xA7\x1D\xBA\xD3\x51\xC1\x0B\xA4\xDA\xAC\x38\xEF\x55\x50\x24\x05\x65\x46\x93\x34\x4F\x2D\x8D\xAD\xC6\xD4\x21\x19\xD2\x8E\xCA\x05\x61\x71\x07\x73\x47\xE5\x8A\x19\x12\xBD\x04\x4D\xCE\x4E\x9C\xA5\x48\xAC\xBB\x26\xF7\x02\x03\x01\x00\x01\xA3\x81\x8E\x30\x81\x8B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0B\x58\xE5\x8B\xC6\x4C\x15\x37\xA4\x40\xA9\x30\xA9\x21\xBE\x47\x36\x5A\x56\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x49\x06\x03\x55\x1D\x1F\x04\x42\x30\x40\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x43\x4F\x4D\x4F\x44\x4F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\x98\x9E\x9B\xF6\x1B\xE9\xD7\x39\xB7\x78\xAE\x1D\x72\x18\x49\xD3\x87\xE4\x43\x82\xEB\x3F\xC9\xAA\xF5\xA8\xB5\xEF\x55\x7C\x21\x52\x65\xF9\xD5\x0D\xE1\x6C\xF4\x3E\x8C\x93\x73\x91\x2E\x02\xC4\x4E\x07\x71\x6F\xC0\x8F\x38\x61\x08\xA8\x1E\x81\x0A\xC0\x2F\x20\x2F\x41\x8B\x91\xDC\x48\x45\xBC\xF1\xC6\xDE\xBA\x76\x6B\x33\xC8\x00\x2D\x31\x46\x4C\xED\xE7\x9D\xCF\x88\x94\xFF\x33\xC0\x56\xE8\x24\x86\x26\xB8\xD8\x38\x38\xDF\x2A\x6B\xDD\x12\xCC\xC7\x3F\x47\x17\x4C\xA2\xC2\x06\x96\x09\xD6\xDB\xFE\x3F\x3C\x46\x41\xDF\x58\xE2\x56\x0F\x3C\x3B\xC1\x1C\x93\x35\xD9\x38\x52\xAC\xEE\xC8\xEC\x2E\x30\x4E\x94\x35\xB4\x24\x1F\x4B\x78\x69\xDA\xF2\x02\x38\xCC\x95\x52\x93\xF0\x70\x25\x59\x9C\x20\x67\xC4\xEE\xF9\x8B\x57\x61\xF4\x92\x76\x7D\x3F\x84\x8D\x55\xB7\xE8\xE5\xAC\xD5\xF1\xF5\x19\x56\xA6\x5A\xFB\x90\x1C\xA
F\x93\xEB\xE5\x1C\xD4\x67\x97\x5D\x04\x0E\xBE\x0B\x83\xA6\x17\x83\xB9\x30\x12\xA0\xC5\x33\x15\x05\xB9\x0D\xFB\xC7\x05\x76\xE3\xD8\x4A\x8D\xFC\x34\x17\xA3\xC6\x21\x28\xBE\x30\x45\x31\x1E\xC7\x78\xBE\x58\x61\x38\xAC\x3B\xE2\x01\x65", - ["DigiNotar Root CA"] = "\x30\x82\x05\x8A\x30\x82\x03\x72\xA0\x03\x02\x01\x02\x02\x10\x0C\x76\xDA\x9C\x91\x0C\x4E\x2C\x9E\xFE\x15\xD0\x58\x93\x3C\x4C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x44\x69\x67\x69\x4E\x6F\x74\x61\x72\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x44\x69\x67\x69\x4E\x6F\x74\x61\x72\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x64\x69\x67\x69\x6E\x6F\x74\x61\x72\x2E\x6E\x6C\x30\x1E\x17\x0D\x30\x37\x30\x35\x31\x36\x31\x37\x31\x39\x33\x36\x5A\x17\x0D\x32\x35\x30\x33\x33\x31\x31\x38\x31\x39\x32\x31\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x44\x69\x67\x69\x4E\x6F\x74\x61\x72\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x44\x69\x67\x69\x4E\x6F\x74\x61\x72\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x64\x69\x67\x69\x6E\x6F\x74\x61\x72\x2E\x6E\x6C\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAC\xB0\x58\xC1\x00\xBD\xD8\x21\x08\x0B\x2B\x9A\xFE\x6E\x56\x30\x05\x9F\x1B\x77\x90\x10\x41\x5C\xC3\x0D\x87\x11\x77\x8E\x81\xF1\xCA\x7C\xE9\x8C\x6A\xED\x38\x74\x35\xBB\xDA\xDF\xF9\xBB\xC0\x09\x37\xB4\x96\x73\x81\x7D\x33\x1A\x98\x39\xF7\x93\x6F\x95\x7F\x3D\xB9\xB1\x75\x87\xBA\x51\x48\xE8\x8B\x70\x3E\x95\x04\xC5\xD8\xB6\xC3\x16\xD9\x88\xB0\xB1\x87\x1D\x70\xDA\x86\xB4\x0F\x14\x8B\x7A\xCF\x10\xD1\x74\x36\xA2\x12\x7B\x77\x86\x4A\x79\xE6\x7B\xDF\x02\x11\x68\xA5\x4E\x86\xAE\x34\x58\x9B\x24\x13\x78\x56\x22\x25\x1E\x01\x8B\
x4B\x51\x71\xFB\x82\xCC\x59\x96\x69\x88\x5A\x68\x53\xC5\xB9\x0D\x02\x37\xCB\x4B\xBC\x66\x4A\x90\x7E\x2A\x0B\x05\x07\xED\x16\x5F\x55\x90\x75\xD8\x46\xC9\x1B\x83\xE2\x08\xBE\xF1\x23\xCC\x99\x1D\xD6\x2A\x0F\x83\x20\x15\x58\x27\x82\x2E\xFA\xE2\x22\xC2\x49\xB1\xB9\x01\x81\x6A\x9D\x6D\x9D\x40\x77\x68\x76\x4E\x21\x2A\x6D\x84\x40\x85\x4E\x76\x99\x7C\x82\xF3\xF3\xB7\x02\x59\xD4\x26\x01\x1B\x8E\xDF\xAD\x53\x06\xD1\xAE\x18\xDD\xE2\xB2\x3A\xCB\xD7\x88\x38\x8E\xAC\x5B\x29\xB9\x19\xD3\x98\xF9\x18\x03\xCF\x48\x82\x86\x66\x0B\x1B\x69\x0F\xC9\xEB\x38\x88\x7A\x26\x1A\x05\x4C\x92\xD7\x24\xD4\x96\xF2\xAC\x52\x2D\xA3\x47\xD5\x52\xF6\x3F\xFE\xCE\x84\x06\x70\xA6\xAA\x3E\xA2\xF2\xB6\x56\x34\x18\x57\xA2\xE4\x81\x6D\xE7\xCA\xF0\x6A\xD3\xC7\x91\x6B\x02\x83\x41\x7C\x15\xEF\x6B\x9A\x64\x5E\xE3\xD0\x3C\xE5\xB1\xEB\x7B\x5D\x86\xFB\xCB\xE6\x77\x49\xCD\xA3\x65\xDC\xF7\xB9\x9C\xB8\xE4\x0B\x5F\x93\xCF\xCC\x30\x1A\x32\x1C\xCE\x1C\x63\x95\xA5\xF9\xEA\xE1\x74\x8B\x9E\xE9\x2B\xA9\x30\x7B\xA0\x18\x1F\x0E\x18\x0B\xE5\x5B\xA9\xD3\xD1\x6C\x1E\x07\x67\x8F\x91\x4B\xA9\x8A\xBC\xD2\x66\xAA\x93\x01\x88\xB2\x91\xFA\x31\x5C\xD5\xA6\xC1\x52\x08\x09\xCD\x0A\x63\xA2\xD3\x22\xA6\xE8\xA1\xD9\x39\x06\x97\xF5\x6E\x8D\x02\x90\x8C\x14\x7B\x3F\x80\xCD\x1B\x9C\xBA\xC4\x58\x72\x23\xAF\xB6\x56\x9F\xC6\x7A\x42\x33\x29\x07\x3F\x82\xC9\xE6\x1F\x05\x0D\xCD\x4C\x28\x36\x8B\xD3\xC8\x3E\x1C\xC6\x88\xEF\x5E\xEE\x89\x64\xE9\x1D\xEB\xDA\x89\x7E\x32\xA6\x69\xD1\xDD\xCC\x88\x9F\xD1\xD0\xC9\x66\x21\xDC\x06\x67\xC5\x94\x7A\x9A\x6D\x62\x4C\x7D\xCC\xE0\x64\x80\xB2\x9E\x47\x8E\xA3\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x88\x68\xBF\xE0\x8E\x35\xC4\x3B\x38\x6B\x62\xF7\x28\x3B\x84\x81\xC8\x0C\xD7\x4D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x3B\x02\x8D\xCB\x3C\x30\xE8\x6E\xA0\xAD\xF2\x73\xB3\x5F\x9E\x25\x13\x04\x05\xD3\xF6\xE3\x8B\xBB\x0B\
x79\xCE\x53\xDE\xE4\x96\xC5\xD1\xAF\x73\xBC\xD5\xC3\xD0\x40\x55\x7C\x40\x7F\xCD\x1B\x5F\x09\xD5\xF2\x7C\x9F\x68\x1D\xBB\x5D\xCE\x7A\x39\xC2\x8C\xD6\x98\x7B\xC5\x83\x55\xA8\xD5\x7D\x40\xCA\xE0\x1E\xF7\x89\x5E\x63\x5D\xA1\x13\xC2\x5D\x8A\xB6\x8A\x7C\x00\xF3\x23\xC3\xED\x85\x5F\x71\x76\xF0\x68\x63\xAA\x45\x21\x39\x48\x61\x78\x36\xDC\xF1\x43\x93\xD4\x25\xC7\xF2\x80\x65\xE1\x53\x02\x75\x51\xFC\x7A\x3A\xEF\x37\xAB\x84\x28\x57\x0C\xD8\xD4\xD4\x99\x56\x6C\xE3\xA2\xFE\x59\x84\xB4\x31\xE8\x33\xF8\x64\x94\x94\x51\x97\xAB\x39\xC5\x4B\xED\xDA\xDD\x80\x0B\x6F\x7C\x29\x0D\xC4\x8E\x8A\x72\x0D\xE7\x53\x14\xB2\x60\x41\x3D\x84\x91\x31\x68\x3D\x27\x44\xDB\xE5\xDE\xF4\xFA\x63\x45\xC8\x4C\x3E\x98\xF5\x3F\x41\xBA\x4E\xCB\x37\x0D\xBA\x66\x98\xF1\xDD\xCB\x9F\x5C\xF7\x54\x36\x82\x6B\x2C\xBC\x13\x61\x97\x42\xF8\x78\xBB\xCC\xC8\xA2\x9F\xCA\xF0\x68\xBD\x6B\x1D\xB2\xDF\x8D\x6F\x07\x9D\xDA\x8E\x67\xC7\x47\x1E\xCA\xB9\xBF\x2A\x42\x91\xB7\x63\x53\x66\xF1\x42\xA3\xE1\xF4\x5A\x4D\x58\x6B\xB5\xE4\xA4\x33\xAD\x5C\x70\x1D\xDC\xE0\xF2\xEB\x73\x14\x91\x9A\x03\xC1\xEA\x00\x65\xBC\x07\xFC\xCF\x12\x11\x22\x2C\xAE\xA0\xBD\x3A\xE0\xA2\x2A\xD8\x59\xE9\x29\xD3\x18\x35\xA4\xAC\x11\x5F\x19\xB5\xB5\x1B\xFF\x22\x4A\x5C\xC6\x7A\xE4\x17\xEF\x20\xA9\xA7\xF4\x3F\xAD\x8A\xA7\x9A\x04\x25\x9D\x0E\xCA\x37\xE6\x50\xFD\x8C\x42\x29\x04\x9A\xEC\xB9\xCF\x4B\x72\xBD\xE2\x08\x36\xAF\x23\x2F\x62\xE5\xCA\x01\xD3\x70\xDB\x7C\x82\x23\x2C\x16\x31\x0C\xC6\x36\x07\x90\x7A\xB1\x1F\x67\x58\xC4\x3B\x58\x59\x89\xB0\x8C\x8C\x50\xB3\xD8\x86\xCB\x68\xA3\xC4\x0A\xE7\x69\x4B\x20\xCE\xC1\x1E\x56\x4B\x95\xA9\x23\x68\xD8\x30\xD8\xC3\xEB\xB0\x55\x51\xCD\xE5\xFD\x2B\xB8\xF5\xBB\x11\x9F\x53\x54\xF6\x34\x19\x8C\x79\x09\x36\xCA\x61\x17\x25\x17\x0B\x82\x98\x73\x0C\x77\x74\xC3\xD5\x0D\xC7\xA8\x12\x4C\xC7\xA7\x54\x71\x47\x2E\x2C\x1A\x7D\xC9\xE3\x2B\x3B\x48\xDE\x27\x84\xA7\x63\x36\xB3\x7D\x8F\xA0\x64\x39\x24\x0D\x3D\x7B\x87\xAF\x66\x5C\x74\x1B\x4B\x73\xB2\xE5\x8C\xF0\x86\x99\xB8\xE5\xC5\xDF\x84\xC1\xB7\xEB", ["Network Solutions Certificate Authority"] = 
"\x30\x82\x03\xE6\x30\x82\x02\xCE\xA0\x03\x02\x01\x02\x02\x10\x57\xCB\x33\x6F\xC2\x5C\x16\xE6\x47\x16\x17\xE3\x90\x31\x68\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\xBC\x7E\x92\x30\x6D\xC6\xD8\x8E\x2B\x0B\xBC\x46\xCE\xE0\x27\x96\xDE\xDE\xF9\xFA\x12\xD3\x3C\x33\x73\xB3\x04\x2F\xBC\x71\x8C\xE5\x9F\xB6\x22\x60\x3E\x5F\x5D\xCE\x09\xFF\x82\x0C\x1B\x9A\x51\x50\x1A\x26\x89\xDD\xD5\x61\x5D\x19\xDC\x12\x0F\x2D\x0A\xA2\x43\x5D\x17\xD0\x34\x92\x20\xEA\x73\xCF\x38\x2C\x06\x26\x09\x7A\x72\xF7\xFA\x50\x32\xF8\xC2\x93\xD3\x69\xA2\x23\xCE\x41\xB1\xCC\xE4\xD5\x1F\x36\xD1\x8A\x3A\xF8\x8C\x63\xE2\x14\x59\x69\xED\x0D\xD3\x7F\x6B\xE8\xB8\x03\xE5\x4F\x6A\xE5\x98\x63\x69\x48\x05\xBE\x2E\xFF\x33\xB6\xE9\x97\x59\x69\xF8\x67\x19\xAE\x93\x61\x96\x44\x15\xD3\x72\xB0\x3F\xBC\x6A\x7D\xEC\x48\x7F\x8D\xC3\xAB\xAA\x71\x2B\x53\x69\x41\x53\x34\xB5\xB0\xB9\xC5\x06\x0A\xC4\xB0\x45\xF5\x41\x5D\x6E\x89\x45\x7B\x3D\x3B\x26\x8C\x74\xC2\xE5\xD
2\xD1\x7D\xB2\x11\xD4\xFB\x58\x32\x22\x9A\x80\xC9\xDC\xFD\x0C\xE9\x7F\x5E\x03\x97\xCE\x3B\x00\x14\x87\x27\x70\x38\xA9\x8E\x6E\xB3\x27\x76\x98\x51\xE0\x05\xE3\x21\xAB\x1A\xD5\x85\x22\x3C\x29\xB5\x9A\x16\xC5\x80\xA8\xF4\xBB\x6B\x30\x8F\x2F\x46\x02\xA2\xB1\x0C\x22\xE0\xD3\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x21\x30\xC9\xFB\x00\xD7\x4E\x98\xDA\x87\xAA\x2A\xD0\xA7\x2E\xB1\x40\x31\xA7\x4C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x1F\x04\x4B\x30\x49\x30\x47\xA0\x45\xA0\x43\x86\x41\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6E\x65\x74\x73\x6F\x6C\x73\x73\x6C\x2E\x63\x6F\x6D\x2F\x4E\x65\x74\x77\x6F\x72\x6B\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xBB\xAE\x4B\xE7\xB7\x57\xEB\x7F\xAA\x2D\xB7\x73\x47\x85\x6A\xC1\xE4\xA5\x1D\xE4\xE7\x3C\xE9\xF4\x59\x65\x77\xB5\x7A\x5B\x5A\x8D\x25\x36\xE0\x7A\x97\x2E\x38\xC0\x57\x60\x83\x98\x06\x83\x9F\xB9\x76\x7A\x6E\x50\xE0\xBA\x88\x2C\xFC\x45\xCC\x18\xB0\x99\x95\x51\x0E\xEC\x1D\xB8\x88\xFF\x87\x50\x1C\x82\xC2\xE3\xE0\x32\x80\xBF\xA0\x0B\x47\xC8\xC3\x31\xEF\x99\x67\x32\x80\x4F\x17\x21\x79\x0C\x69\x5C\xDE\x5E\x34\xAE\x02\xB5\x26\xEA\x50\xDF\x7F\x18\x65\x2C\xC9\xF2\x63\xE1\xA9\x07\xFE\x7C\x71\x1F\x6B\x33\x24\x6A\x1E\x05\xF7\x05\x68\xC0\x6A\x12\xCB\x2E\x5E\x61\xCB\xAE\x28\xD3\x7E\xC2\xB4\x66\x91\x26\x5F\x3C\x2E\x24\x5F\xCB\x58\x0F\xEB\x28\xEC\xAF\x11\x96\xF3\xDC\x7B\x6F\xC0\xA7\x88\xF2\x53\x77\xB3\x60\x5E\xAE\xAE\x28\xDA\x35\x2C\x6F\x34\x45\xD3\x26\xE1\xDE\xEC\x5B\x4F\x27\x6B\x16\x7C\xBD\x44\x04\x18\x82\xB3\x89\x79\x17\x10\x71\x3D\x7A\xA2\x16\x4E\xF5\x01\xCD\xA4\x6C\x65\x68\xA1\x49\x76\x5C\x43\xC9\xD8\xBC\x36\x67\x6C\xA5\x94\xB5\xD4\xCC\xB9\xBD\x6A\x35\x56\x21\xDE\xD8\xC3\xEB\xFB\xCB\xA4\x60\x4C\xB0\x55\xA0\xA0\x7
B\x57\xB2", ["WellsSecure Public Root Certificate Authority"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x33\x31\x37\x30\x37\x35\x34\x5A\x17\x0D\x32\x32\x31\x32\x31\x34\x30\x30\x30\x37\x35\x34\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEE\x6F\xB4\xBD\x79\xE2\x8F\x08\x21\x9E\x38\x04\x41\x25\xEF\xAB\x5B\x1C\x53\x92\xAC\x6D\x9E\xDD\xC2\xC4\x2E\x45\x94\x03\x35\x88\x67\x74\x57\xE3\xDF\x8C\xB8\xA7\x76\x8F\x3B\xF7\xA8\xC4\xDB\x29\x63\x0E\x91\x68\x36\x8A\x97\x8E\x8A\x71\x68\x09\x07\xE4\xE8\xD4\x0E\x4F\xF8\xD6\x2B\x4C\xA4\x16\xF9\xEF\x43\x98\x8F\xB3\x9E\x52\xDF\x6D\x91\x39\x8F\x38\xBD\x77\x8B\x43\x63\xEB\xB7\x93\xFC\x30\x4C\x1C\x01\x93\xB6\x13\xFB\xF7\xA1\x1F\xBF\x25\xE1\x74\x37\x2C\x1E\xA4\x5E\x3
C\x68\xF8\x4B\xBF\x0D\xB9\x1E\x2E\x36\xE8\xA9\xE4\xA7\xF8\x0F\xCB\x82\x75\x7C\x35\x2D\x22\xD6\xC2\xBF\x0B\xF3\xB4\xFC\x6C\x95\x61\x1E\x57\xD7\x04\x81\x32\x83\x52\x79\xE6\x83\x63\xCF\xB7\xCB\x63\x8B\x11\xE2\xBD\x5E\xEB\xF6\x8D\xED\x95\x72\x28\xB4\xAC\x12\x62\xE9\x4A\x33\xE6\x83\x32\xAE\x05\x75\x95\xBD\x84\x95\xDB\x2A\x5C\x9B\x8E\x2E\x0C\xB8\x81\x2B\x41\xE6\x38\x56\x9F\x49\x9B\x6C\x76\xFA\x8A\x5D\xF7\x01\x79\x81\x7C\xC1\x83\x40\x05\xFE\x71\xFD\x0C\x3F\xCC\x4E\x60\x09\x0E\x65\x47\x10\x2F\x01\xC0\x05\x3F\x8F\xF8\xB3\x41\xEF\x5A\x42\x7E\x59\xEF\xD2\x97\x0C\x65\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x70\x6B\x69\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x77\x73\x70\x72\x63\x61\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\x30\x81\xB2\x06\x03\x55\x1D\x23\x04\x81\xAA\x30\x81\xA7\x80\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\xA1\x81\x8B\xA4\x81\x88\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB9\x15\xB1\x44\x91\xCC\x23\xC8\x2B\x4D\x77\xE3\xF8\x9A\x7B\x27\x0D\xCD\x72\xBB\x99\x00\xC
A\x7C\x66\x19\x50\xC6\xD5\x98\xED\xAB\xBF\x03\x5A\xE5\x4D\xE5\x1E\xC8\x4F\x71\x97\x86\xD5\xE3\x1D\xFD\x90\xC9\x3C\x75\x77\x57\x7A\x7D\xF8\xDE\xF4\xD4\xD5\xF7\x95\xE6\x74\x6E\x1D\x3C\xAE\x7C\x9D\xDB\x02\x03\x05\x2C\x71\x4B\x25\x3E\x07\xE3\x5E\x9A\xF5\x66\x17\x29\x88\x1A\x38\x9F\xCF\xAA\x41\x03\x84\x97\x6B\x93\x38\x7A\xCA\x30\x44\x1B\x24\x44\x33\xD0\xE4\xD1\xDC\x28\x38\xF4\x13\x43\x35\x35\x29\x63\xA8\x7C\xA2\xB5\xAD\x38\xA4\xED\xAD\xFD\xC6\x9A\x1F\xFF\x97\x73\xFE\xFB\xB3\x35\xA7\x93\x86\xC6\x76\x91\x00\xE6\xAC\x51\x16\xC4\x27\x32\x5C\xDB\x73\xDA\xA5\x93\x57\x8E\x3E\x6D\x35\x26\x08\x59\xD5\xE7\x44\xD7\x76\x20\x63\xE7\xAC\x13\x67\xC3\x6D\xB1\x70\x46\x7C\xD5\x96\x11\x3D\x89\x6F\x5D\xA8\xA1\xEB\x8D\x0A\xDA\xC3\x1D\x33\x6C\xA3\xEA\x67\x19\x9A\x99\x7F\x4B\x3D\x83\x51\x2A\x1D\xCA\x2F\x86\x0C\xA2\x7E\x10\x2D\x2B\xD4\x16\x95\x0B\x07\xAA\x2E\x14\x92\x49\xB7\x29\x6F\xD8\x6D\x31\x7D\xF5\xFC\xA1\x10\x07\x87\xCE\x2F\x59\xDC\x3E\x58\xDB", ["COMODO ECC Certification Authority"] = "\x30\x82\x02\x89\x30\x82\x02\x0F\xA0\x03\x02\x01\x02\x02\x10\x1F\x47\xAF\xAA\x62\x00\x70\x50\x54\x4C\x01\x9E\x9B\x63\x99\x2A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x33\x30\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x
72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x03\x47\x7B\x2F\x75\xC9\x82\x15\x85\xFB\x75\xE4\x91\x16\xD4\xAB\x62\x99\xF5\x3E\x52\x0B\x06\xCE\x41\x00\x7F\x97\xE1\x0A\x24\x3C\x1D\x01\x04\xEE\x3D\xD2\x8D\x09\x97\x0C\xE0\x75\xE4\xFA\xFB\x77\x8A\x2A\xF5\x03\x60\x4B\x36\x8B\x16\x23\x16\xAD\x09\x71\xF4\x4A\xF4\x28\x50\xB4\xFE\x88\x1C\x6E\x3F\x6C\x2F\x2F\x09\x59\x5B\xA5\x5B\x0B\x33\x99\xE2\xC3\x3D\x89\xF9\x6A\x2C\xEF\xB2\xD3\x06\xE9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x75\x71\xA7\x19\x48\x19\xBC\x9D\x9D\xEA\x41\x47\xDF\x94\xC4\x48\x77\x99\xD3\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xEF\x03\x5B\x7A\xAC\xB7\x78\x0A\x72\xB7\x88\xDF\xFF\xB5\x46\x14\x09\x0A\xFA\xA0\xE6\x7D\x08\xC6\x1A\x87\xBD\x18\xA8\x73\xBD\x26\xCA\x60\x0C\x9D\xCE\x99\x9F\xCF\x5C\x0F\x30\xE1\xBE\x14\x31\xEA\x02\x30\x14\xF4\x93\x3C\x49\xA7\x33\x7A\x90\x46\x47\xB3\x63\x7D\x13\x9B\x4E\xB7\x6F\x18\x37\x80\x53\xFE\xDD\x20\xE0\x35\x9A\x36\xD1\xC7\x01\xB9\xE6\xDC\xDD\xF3\xFF\x1D\x2C\x3A\x16\x57\xD9\x92\x39\xD6", 
@@ -137,4 +136,8 @@ redef root_certs += { ["AffirmTrust Premium"] = "\x30\x82\x05\x46\x30\x82\x03\x2E\xA0\x03\x02\x01\x02\x02\x08\x6D\x8C\x14\x46\xB1\xA6\x0A\xEE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x31\x30\x33\x36\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x31\x30\x33\x36\x5A\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\x12\xDF\xA9\x5F\xFE\x41\xDD\xDD\xF5\x9F\x8A\xE3\xF6\xAC\xE1\x3C\x78\x9A\xBC\xD8\xF0\x7F\x7A\xA0\x33\x2A\xDC\x8D\x20\x5B\xAE\x2D\x6F\xE7\x93\xD9\x36\x70\x6A\x68\xCF\x8E\x51\xA3\x85\x5B\x67\x04\xA0\x10\x24\x6F\x5D\x28\x82\xC1\x97\x57\xD8\x48\x29\x13\xB6\xE1\xBE\x91\x4D\xDF\x85\x0C\x53\x18\x9A\x1E\x24\xA2\x4F\x8F\xF0\xA2\x85\x0B\xCB\xF4\x29\x7F\xD2\xA4\x58\xEE\x26\x4D\xC9\xAA\xA8\x7B\x9A\xD9\xFA\x38\xDE\x44\x57\x15\xE5\xF8\x8C\xC8\xD9\x48\xE2\x0D\x16\x27\x1D\x1E\xC8\x83\x85\x25\xB7\xBA\xAA\x55\x41\xCC\x03\x22\x4B\x2D\x91\x8D\x8B\xE6\x89\xAF\x66\xC7\xE9\xFF\x2B\xE9\x3C\xAC\xDA\xD2\xB3\xC3\xE1\x68\x9C\x89\xF8\x7A\x00\x56\xDE\xF4\x55\x95\x6C\xFB\xBA\x64\xDD\x62\x8B\xDF\x0B\x77\x32\xEB\x62\xCC\x26\x9A\x9B\xBB\xAA\x62\x83\x4C\xB4\x06\x7A\x30\xC8\x29\xBF\xED\x06\x4D\x97\xB9\x1C\xC4\x31\x2B\xD5\x5F\xBC\x53\x12\x17\x9C\x99\x57\x29\x66\x77\x61\x21\x31\x07\x2E\x25\x49\x9D\x18\xF2\xEE\xF3\x2B\x71\x8C\xB5\xBA\x39\x07\x49\x77\xFC\xEF\x2E\x92\x90\x05\x8D\x2D\x2F\x77\x7B\xEF\x43\xB
F\x35\xBB\x9A\xD8\xF9\x73\xA7\x2C\xF2\xD0\x57\xEE\x28\x4E\x26\x5F\x8F\x90\x68\x09\x2F\xB8\xF8\xDC\x06\xE9\x2E\x9A\x3E\x51\xA7\xD1\x22\xC4\x0A\xA7\x38\x48\x6C\xB3\xF9\xFF\x7D\xAB\x86\x57\xE3\xBA\xD6\x85\x78\x77\xBA\x43\xEA\x48\x7F\xF6\xD8\xBE\x23\x6D\x1E\xBF\xD1\x36\x6C\x58\x5C\xF1\xEE\xA4\x19\x54\x1A\xF5\x03\xD2\x76\xE6\xE1\x8C\xBD\x3C\xB3\xD3\x48\x4B\xE2\xC8\xF8\x7F\x92\xA8\x76\x46\x9C\x42\x65\x3E\xA4\x1E\xC1\x07\x03\x5A\x46\x2D\xB8\x97\xF3\xB7\xD5\xB2\x55\x21\xEF\xBA\xDC\x4C\x00\x97\xFB\x14\x95\x27\x33\xBF\xE8\x43\x47\x46\xD2\x08\x99\x16\x60\x3B\x9A\x7E\xD2\xE6\xED\x38\xEA\xEC\x01\x1E\x3C\x48\x56\x49\x09\xC7\x4C\x37\x00\x9E\x88\x0E\xC0\x73\xE1\x6F\x66\xE9\x72\x47\x30\x3E\x10\xE5\x0B\x03\xC9\x9A\x42\x00\x6C\xC5\x94\x7E\x61\xC4\x8A\xDF\x7F\x82\x1A\x0B\x59\xC4\x59\x32\x77\xB3\xBC\x60\x69\x56\x39\xFD\xB4\x06\x7B\x2C\xD6\x64\x36\xD9\xBD\x48\xED\x84\x1F\x7E\xA5\x22\x8F\x2A\xB8\x42\xF4\x82\xB7\xD4\x53\x90\x78\x4E\x2D\x1A\xFD\x81\x6F\x44\xD7\x3B\x01\x74\x96\x42\xE0\x00\xE2\x2E\x6B\xEA\xC5\xEE\x72\xAC\xBB\xBF\xFE\xEA\xAA\xA8\xF8\xDC\xF6\xB2\x79\x8A\xB6\x67\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9D\xC0\x67\xA6\x0C\x22\xD9\x26\xF5\x45\xAB\xA6\x65\x52\x11\x27\xD8\x45\xAC\x63\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xB3\x57\x4D\x10\x62\x4E\x3A\xE4\xAC\xEA\xB8\x1C\xAF\x32\x23\xC8\xB3\x49\x5A\x51\x9C\x76\x28\x8D\x79\xAA\x57\x46\x17\xD5\xF5\x52\xF6\xB7\x44\xE8\x08\x44\xBF\x18\x84\xD2\x0B\x80\xCD\xC5\x12\xFD\x00\x55\x05\x61\x87\x41\xDC\xB5\x24\x9E\x3C\xC4\xD8\xC8\xFB\x70\x9E\x2F\x78\x96\x83\x20\x36\xDE\x7C\x0F\x69\x13\x88\xA5\x75\x36\x98\x08\xA6\xC6\xDF\xAC\xCE\xE3\x58\xD6\xB7\x3E\xDE\xBA\xF3\xEB\x34\x40\xD8\xA2\x81\xF5\x78\x3F\x2F\xD5\xA5\xFC\xD9\xA2\xD4\x5E\x04\x0E\x17\xAD\xFE\x41\xF0\xE5\xB2\x72\xFA\x44\x82\x33\x42\xE8\x2D\x58\xF7\x56\x8C\x62\x3F\xBA\x42\xB0\x9C\x0C\x5
C\x7E\x2E\x65\x26\x5C\x53\x4F\x00\xB2\x78\x7E\xA1\x0D\x99\x2D\x8D\xB8\x1D\x8E\xA2\xC4\xB0\xFD\x60\xD0\x30\xA4\x8E\xC8\x04\x62\xA9\xC4\xED\x35\xDE\x7A\x97\xED\x0E\x38\x5E\x92\x2F\x93\x70\xA5\xA9\x9C\x6F\xA7\x7D\x13\x1D\x7E\xC6\x08\x48\xB1\x5E\x67\xEB\x51\x08\x25\xE9\xE6\x25\x6B\x52\x29\x91\x9C\xD2\x39\x73\x08\x57\xDE\x99\x06\xB4\x5B\x9D\x10\x06\xE1\xC2\x00\xA8\xB8\x1C\x4A\x02\x0A\x14\xD0\xC1\x41\xCA\xFB\x8C\x35\x21\x7D\x82\x38\xF2\xA9\x54\x91\x19\x35\x93\x94\x6D\x6A\x3A\xC5\xB2\xD0\xBB\x89\x86\x93\xE8\x9B\xC9\x0F\x3A\xA7\x7A\xB8\xA1\xF0\x78\x46\xFA\xFC\x37\x2F\xE5\x8A\x84\xF3\xDF\xFE\x04\xD9\xA1\x68\xA0\x2F\x24\xE2\x09\x95\x06\xD5\x95\xCA\xE1\x24\x96\xEB\x7C\xF6\x93\x05\xBB\xED\x73\xE9\x2D\xD1\x75\x39\xD7\xE7\x24\xDB\xD8\x4E\x5F\x43\x8F\x9E\xD0\x14\x39\xBF\x55\x70\x48\x99\x57\x31\xB4\x9C\xEE\x4A\x98\x03\x96\x30\x1F\x60\x06\xEE\x1B\x23\xFE\x81\x60\x23\x1A\x47\x62\x85\xA5\xCC\x19\x34\x80\x6F\xB3\xAC\x1A\xE3\x9F\xF0\x7B\x48\xAD\xD5\x01\xD9\x67\xB6\xA9\x72\x93\xEA\x2D\x66\xB5\xB2\xB8\xE4\x3D\x3C\xB2\xEF\x4C\x8C\xEA\xEB\x07\xBF\xAB\x35\x9A\x55\x86\xBC\x18\xA6\xB5\xA8\x5E\xB4\x83\x6C\x6B\x69\x40\xD3\x9F\xDC\xF1\xC3\x69\x6B\xB9\xE1\x6D\x09\xF4\xF1\xAA\x50\x76\x0A\x7A\x7D\x7A\x17\xA1\x55\x96\x42\x99\x31\x09\xDD\x60\x11\x8D\x05\x30\x7E\xE6\x8E\x46\xD1\x9D\x14\xDA\xC7\x17\xE4\x05\x96\x8C\xC4\x24\xB5\x1B\xCF\x14\x07\xB2\x40\xF8\xA3\x9E\x41\x86\xBC\x04\xD0\x6B\x96\xC8\x2A\x80\x34\xFD\xBF\xEF\x06\xA3\xDD\x58\xC5\x85\x3D\x3E\x8F\xFE\x9E\x29\xE0\xB6\xB8\x09\x68\x19\x1C\x18\x43", ["AffirmTrust Premium ECC"] = 
"\x30\x82\x01\xFE\x30\x82\x01\x85\xA0\x03\x02\x01\x02\x02\x08\x74\x97\x25\x8A\xC7\x3F\x7A\x54\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x32\x30\x32\x34\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x32\x30\x32\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x0D\x30\x5E\x1B\x15\x9D\x03\xD0\xA1\x79\x35\xB7\x3A\x3C\x92\x7A\xCA\x15\x1C\xCD\x62\xF3\x9C\x26\x5C\x07\x3D\xE5\x54\xFA\xA3\xD6\xCC\x12\xEA\xF4\x14\x5F\xE8\x8E\x19\xAB\x2F\x2E\x48\xE6\xAC\x18\x43\x78\xAC\xD0\x37\xC3\xBD\xB2\xCD\x2C\xE6\x47\xE2\x1A\xE6\x63\xB8\x3D\x2E\x2F\x78\xC4\x4F\xDB\xF4\x0F\xA4\x68\x4C\x55\x72\x6B\x95\x1D\x4E\x18\x42\x95\x78\xCC\x37\x3C\x91\xE2\x9B\x65\x2B\x29\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xAF\x29\x7A\xC0\x11\x35\x35\x26\x51\x30\x00\xC3\x6A\xFE\x40\xD5\xAE\xD6\x3C\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x17\x09\xF3\x87\x88\x50\x5A\xAF\xC8\xC0\x42\xBF\x47\x5F\xF5\x6C\x6A\x86\xE0\xC4\x27\x74\xE4\x38\x53\xD7\x05\x7F\x1B\x34\xE3\xC6\x2F\xB3\xCA\x09\x3C\x37\x9D\xD7\xE7\xB8\x46\xF1\xFD\xA1\xE2\x71\x02\x30\x42\x59\x87\x43\xD4\x51\xDF\xBA\xD3\x09\x32\x5A\xCE\x88\x7E\x57\x3D\x9C\x5F\x42\x6B\xF5\x07\x2D\xB5\xF0\x82\x93\xF9\x59\x6F\xAE\x64\xF
A\x58\xE5\x8B\x1E\xE3\x63\xBE\xB5\x81\xCD\x6F\x02\x8C\x79", ["Certum Trusted Network CA"] = "\x30\x82\x03\xBB\x30\x82\x02\xA3\xA0\x03\x02\x01\x02\x02\x03\x04\x44\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x32\x31\x32\x30\x37\x33\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x32\x30\x37\x33\x37\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE3\xFB\x7D\xA3\x72\xBA\xC2\xF0\xC9\x14\x87\xF5\x6B\x01\x4E\xE1\x6E\x40\x07\xBA\x6D\x27\x5D\x7F\xF7\x5B\x2D\xB3\x5A\xC7\x51\x5F\xAB\xA4\x32\xA6\x61\x87\xB6\x6E\x0F\x86\xD2\x30\x02\x97\xF8\xD7\x69\x57\xA1\x18\x39\x5D\x6A\x64\x79\xC6\x01\x59\xAC\x3C\x31\x4A\x38\x7C\xD2\x04\xD2\x4B\x28\xE8\x20\x5F\x3B\x07\xA2\xCC\x4D\x73\xDB\xF3\xAE\x4F\xC7\x56\xD5\x5A\xA7\x96\x89\xFA\xF3\xAB\x68\xD4\x23\x86\x59\x27\xCF\x09\x27\xBC\xAC\x6E\x72\x83\x1C\x30\x72\xDF\xE0\xA2\xE9\xD2\xE1\x74\x75\x19\xBD\x2A\x9
E\x7B\x15\x54\x04\x1B\xD7\x43\x39\xAD\x55\x28\xC5\xE2\x1A\xBB\xF4\xC0\xE4\xAE\x38\x49\x33\xCC\x76\x85\x9F\x39\x45\xD2\xA4\x9E\xF2\x12\x8C\x51\xF8\x7C\xE4\x2D\x7F\xF5\xAC\x5F\xEB\x16\x9F\xB1\x2D\xD1\xBA\xCC\x91\x42\x77\x4C\x25\xC9\x90\x38\x6F\xDB\xF0\xCC\xFB\x8E\x1E\x97\x59\x3E\xD5\x60\x4E\xE6\x05\x28\xED\x49\x79\x13\x4B\xBA\x48\xDB\x2F\xF9\x72\xD3\x39\xCA\xFE\x1F\xD8\x34\x72\xF5\xB4\x40\xCF\x31\x01\xC3\xEC\xDE\x11\x2D\x17\x5D\x1F\xB8\x50\xD1\x5E\x19\xA7\x69\xDE\x07\x33\x28\xCA\x50\x95\xF9\xA7\x54\xCB\x54\x86\x50\x45\xA9\xF9\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x08\x76\xCD\xCB\x07\xFF\x24\xF6\xC5\xCD\xED\xBB\x90\xBC\xE2\x84\x37\x46\x75\xF7\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA6\xA8\xAD\x22\xCE\x01\x3D\xA6\xA3\xFF\x62\xD0\x48\x9D\x8B\x5E\x72\xB0\x78\x44\xE3\xDC\x1C\xAF\x09\xFD\x23\x48\xFA\xBD\x2A\xC4\xB9\x55\x04\xB5\x10\xA3\x8D\x27\xDE\x0B\x82\x63\xD0\xEE\xDE\x0C\x37\x79\x41\x5B\x22\xB2\xB0\x9A\x41\x5C\xA6\x70\xE0\xD4\xD0\x77\xCB\x23\xD3\x00\xE0\x6C\x56\x2F\xE1\x69\x0D\x0D\xD9\xAA\xBF\x21\x81\x50\xD9\x06\xA5\xA8\xFF\x95\x37\xD0\xAA\xFE\xE2\xB3\xF5\x99\x2D\x45\x84\x8A\xE5\x42\x09\xD7\x74\x02\x2F\xF7\x89\xD8\x99\xE9\xBC\x27\xD4\x47\x8D\xBA\x0D\x46\x1C\x77\xCF\x14\xA4\x1C\xB9\xA4\x31\xC4\x9C\x28\x74\x03\x34\xFF\x33\x19\x26\xA5\xE9\x0D\x74\xB7\x3E\x97\xC6\x76\xE8\x27\x96\xA3\x66\xDD\xE1\xAE\xF2\x41\x5B\xCA\x98\x56\x83\x73\x70\xE4\x86\x1A\xD2\x31\x41\xBA\x2F\xBE\x2D\x13\x5A\x76\x6F\x4E\xE8\x4E\x81\x0E\x3F\x5B\x03\x22\xA0\x12\xBE\x66\x58\x11\x4A\xCB\x03\xC4\xB4\x2A\x2A\x2D\x96\x17\xE0\x39\x54\xBC\x48\xD3\x76\x27\x9D\x9A\x2D\x06\xA6\xC9\xEC\x39\xD2\xAB\xDB\x9F\x9A\x0B\x27\x02\x35\x29\xB1\x40\x95\xE7\xF9\xE8\x9C\x55\x88\x19\x46\xD6\xB7\x34\xF5\x7E\xCE\x39\x9A\xD9\x38\xF1\x51\xF7\x4F\x2C", + ["Certinomis - Autorité Racine"] = 
"\x30\x82\x05\x9C\x30\x82\x03\x84\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x1E\x17\x0D\x30\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x17\x0D\x32\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9D\x85\x9F\x86\xD3\xE3\xAF\xC7\xB2\x6B\x6E\x33\xE0\x9E\xB7\x42\x34\x55\x9D\xF9\x81\xBE\x63\xD8\x23\x76\x0E\x97\x54\xCD\x99\x4C\x1A\xF1\x39\xC7\x88\xD8\x17\x50\x0C\x9E\x61\xDA\xC0\x4E\x55\xDE\xE7\x5A\xB8\x7A\x4E\x77\x87\x0D\xE5\xB8\xEB\xFA\x9E\x5E\x7B\x1E\xC4\xCF\x28\x74\xC7\x93\xF5\x14\xC6\x22\x28\x04\xF9\x91\xC3\xAB\x27\x73\x6A\x0E\x2E\x4D\xF3\x2E\x28\x1F\x70\xDF\x55\x2F\x4E\xED\xC7\x71\x6F\x09\x72\x2E\xED\xD5\x32\x97\xD0\xF1\x58\x77\xD1\x60\xBC\x4E\x5E\xDB\x9A\x84\xF6\x47\x61\x45\x2B\xF6\x50\xA6\x7F\x6A\x71\x27\x48\x84\x35\x9E\xAC\xFE\x69\xA9\x9E\x7A\x5E\x35\x25\xFA\xB4\xA7\x49\x35\x77\x96\xA7\x36\x5B\xE1\xCD\xDF\x23\x70\xD8\x5D\x4C\xA5\x08\x83\xF1\xA6\x24\x38\x13\xA8\xEC\x2F\xA8\xA1\x67\xC7\xA6\x2D\x86\x47\xEE\x8A\xFC\xEC\x9B\x0E\x74\xF4\x2B\x49\x02\x7B\x90\x75\x8C\xFC\x99\x39\x01\x39\xD6\x4
A\x89\xE5\x9E\x76\xAB\x3E\x96\x28\x38\x26\x8B\xDD\x8D\x8C\xC0\xF6\x01\x1E\x6F\xA5\x31\x12\x38\x7D\x95\xC2\x71\xEE\xED\x74\xAE\xE4\x36\xA2\x43\x75\xD5\xF1\x00\x9B\xE2\xE4\xD7\xCC\x42\x03\x4B\x78\x7A\xE5\x7D\xBB\xB8\xAE\x2E\x20\x93\xD3\xE4\x61\xDF\x71\xE1\x76\x67\x97\x3F\xB6\xDF\x6A\x73\x5A\x64\x22\xE5\x42\xDB\xCF\x81\x03\x93\xD8\xF4\xE3\x10\xE0\x72\xF6\x00\x70\xAC\xF0\xC1\x7A\x0F\x05\x7F\xCF\x34\x69\x45\xB5\x93\xE4\x19\xDB\x52\x16\x23\x05\x89\x0E\x8D\x48\xE4\x25\x6F\xB3\x78\xBF\x62\xF5\x07\xFA\x95\x24\xC2\x96\xB2\xE8\xA3\x23\xC2\x5D\x03\xFC\xC3\xD3\xE5\x7C\xC9\x75\x23\xD7\xF4\xF5\xBC\xDE\xE4\xDF\xCD\x80\xBF\x91\x88\x7D\xA7\x13\xB4\x39\xBA\x2C\xBA\xBD\xD1\x6B\xCC\xF3\xA5\x28\xED\x44\x9E\x7D\x52\xA3\x6F\x96\x2E\x19\x7E\x1C\xF3\x5B\xC7\x16\x8E\xBB\x60\x7D\x77\x66\x47\x54\x82\x00\x11\x60\x6C\x32\xC1\xA8\x38\x1B\xEB\x6E\x98\x13\xD6\xEE\x38\xF5\xF0\x9F\x0E\xEF\xFE\x31\x81\xC1\xD2\x24\x95\x2F\x53\x7A\x69\xA2\xF0\x0F\x86\x45\x8E\x58\x82\x2B\x4C\x22\xD4\x5E\xA0\xE7\x7D\x26\x27\x48\xDF\x25\x46\x8D\x4A\x28\x7C\x86\x9E\xF9\x9B\x1A\x59\xB9\x65\xBF\x05\xDD\xB6\x42\x5D\x3D\xE6\x00\x48\x82\x5E\x20\xF7\x11\x82\xDE\xCA\xD8\x9F\xE6\x37\x47\x26\x1E\xEB\x78\xF7\x61\xC3\x41\x64\x58\x02\x41\xF9\xDA\xE0\xD1\xF8\xF9\xE8\xFD\x52\x38\xB6\xF5\x89\xDF\x02\x03\x01\x00\x01\xA3\x5B\x30\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0D\x8C\xB6\x61\xDA\x44\xB8\xD1\x14\x7D\xC3\xBE\x7D\x5E\x48\xF0\xCE\xCA\x6A\xB0\x30\x17\x06\x03\x55\x1D\x20\x04\x10\x30\x0E\x30\x0C\x06\x0A\x2A\x81\x7A\x01\x56\x02\x02\x00\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x24\x3E\x60\x06\x7E\x1D\xEF\x3A\x3E\xDB\xEA\xAF\x1C\x9A\x2C\x01\x0B\xF4\xC5\xB5\xD9\x49\x31\xF4\x5D\x41\x8D\x89\x0C\x4E\xFF\x6C\xA2\xFD\xFF\xE2\x06\xC8\x39\x9F\xF1\x5A\xA9\xDD\x22\x58\x15\xA8\x8A\xD3\xB1\xE6\x32\x09\x82\x03\x6C\xD7\x3F\x08\xC7\xF8\xB9\xBA\x00\x6D\xB9\xD6\xFC\x52\x32\x5
D\xA4\x7F\xA4\x31\x94\xBB\xB6\x4C\x38\x7F\x28\x30\x35\xFF\x9F\x23\x53\xB7\xB6\xEE\x14\x70\x00\x40\x2B\xDA\x47\xAB\x34\x7E\x5E\xA7\x56\x30\x61\x2B\x8B\x43\xAC\xFD\xB6\x88\x28\xF5\x6B\xB6\x3E\x60\x4A\xBA\x42\x90\x34\x67\x8D\xEA\xEB\x5F\x45\x54\x3B\x17\xAC\x8B\xE4\xC6\x65\x0F\xEE\xD0\x8C\x5D\x66\x39\xCE\x32\xA7\xD8\x10\x97\xC0\x7E\x34\x9C\x9F\x94\xF3\xF6\x86\x1F\xCF\x1B\x73\xAD\x94\x79\x87\x68\x70\xC3\x33\xA5\x70\xE7\xD8\xD5\x38\x94\x6F\x63\x79\xEB\xBF\x0A\x0E\x08\xE7\xC5\x2F\x0F\x42\xA0\x2B\x14\x40\xFF\x21\xE0\x05\xC5\x27\xE1\x84\x11\x13\xBA\xD6\x86\x1D\x41\x0B\x13\x23\x89\xD3\xC9\x0B\xE8\x8A\xBA\x7A\xA3\xA3\x73\x37\x35\x80\x7D\x12\xB8\x33\x77\x40\x38\xC0\xFA\x5E\x30\xD2\xF2\xB6\xA3\xB1\xD6\xA2\x95\x97\x81\x9B\x52\xED\x69\x4C\xFF\x80\xE4\x53\xDB\x54\x5B\x03\x6D\x54\x5F\xB1\xB8\xEF\x24\xBD\x6F\x9F\x11\xC3\xC7\x64\xC2\x0F\x28\x62\x85\x66\x5E\x1A\x7B\xB2\xB7\xEF\xAE\x35\xC9\x19\x33\xA8\xB8\x27\xDB\x33\x55\xBF\x68\xE1\x75\x48\x44\x56\xFB\xCD\xD3\x48\xBB\x47\x89\x3A\xAC\x69\xF5\x80\xC6\xE4\x44\x50\x2F\x54\xC4\xAA\x43\xC5\x31\x31\x58\xBD\x96\xC5\xEA\x75\x6C\x9A\x75\xB1\x4D\xF8\xF7\x97\xFF\x96\x16\xF2\x97\x4D\xE8\xF6\xF3\x11\xF9\x3A\x7D\x8A\x38\x6E\x04\xCB\xE1\xD3\x45\x15\xAA\xA5\xD1\x1D\x9D\x5D\x63\xE8\x24\xE6\x36\x14\xE2\x87\xAD\x1B\x59\xF5\x44\x9B\xFB\xD7\x77\x7C\x1F\x01\x70\x62\xA1\x20\x1A\xA2\xC5\x1A\x28\xF4\x21\x03\xEE\x2E\xD9\xC1\x80\xEA\xB9\xD9\x82\xD6\x5B\x76\xC2\xCB\x3B\xB5\xD2\x00\xF0\xA3\x0E\xE1\xAD\x6E\x40\xF7\xDB\xA0\xB4\xD0\x46\xAE\x15\xD7\x44\xC2\x4D\x35\xF9\xD2\x0B\xF2\x17\xF6\xAC\x66\xD5\x24\xB2\x4F\xD1\x1C\x99\xC0\x6E\xF5\x7D\xEB\x74\x04\xB8\xF9\x4D\x77\x09\xD7\xB4\xCF\x07\x30\x09\xF1\xB8\x00\x56\xD9\x17\x16\x16\x0A\x2B\x86\xDF\x8F\x01\x19\x1A\xE5\xBB\x82\x63\xFF\xBE\x0B\x76\x16\x5E\x37\x37\xE6\xD8\x74\x97\xA2\x99\x45\x79", + ["Root CA Generalitat Valenciana"] = 
"\x30\x82\x06\x8B\x30\x82\x05\x73\xA0\x03\x02\x01\x02\x02\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x1E\x17\x0D\x30\x31\x30\x37\x30\x36\x31\x36\x32\x32\x34\x37\x5A\x17\x0D\x32\x31\x30\x37\x30\x31\x31\x35\x32\x32\x34\x37\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\x2A\xAB\x57\x11\x37\x2F\x22\x8A\xCA\x03\x74\x1D\xCA\xED\x2D\xA2\x0B\xBC\x33\x52\x40\x26\x47\xBE\x5A\x69\xA6\x3B\x72\x36\x17\x4C\xE8\xDF\xB8\xBB\x2F\x76\xE1\x40\x46\x74\x65\x02\x90\x52\x08\xB4\xFF\xA8\x8C\xC1\xE0\xC7\x89\x56\x10\x39\x33\xEF\x68\xB4\x5F\x5F\xDA\x6D\x23\xA1\x89\x5E\x22\xA3\x4A\x06\xF0\x27\xF0\x57\xB9\xF8\xE9\x4E\x32\x77\x0A\x3F\x41\x64\xF3\xEB\x65\xEE\x76\xFE\x54\xAA\x7D\x1D\x20\xAE\xF3\xD7\x74\xC2\x0A\x5F\xF5\x08\x28\x52\x08\xCC\x55\x5D\xD2\x0F\xDB\x9A\x81\xA5\xBB\xA1\xB3\xC1\x94\xCD\x54\xE0\x32\x75\x31\x91\x1A\x62\xB2\xDE\x75\xE2\xCF\x4F\x89\xD9\x91\x90\x0F\x41\x1B\xB4\x5A\x4A\x77\xBD\x67\x83\xE0\x93\xE7\x5E\xA7\x0C\xE7\x81\xD3\xF4\x52\xAC\x53\xB2\x03\xC7\x44\x26\xFB\x79\xE5\xCB\x34\x60\x50\x10\x7B\x1B\xDB\x6B\xD7\x47\xAB\x5
F\x7C\x68\xCA\x6E\x9D\x41\x03\x10\xEE\x6B\x99\x7B\x5E\x25\xA8\xC2\xAB\xE4\xC0\xF3\x5C\x9C\xE3\xBE\xCE\x31\x4C\x64\x1E\x5E\x80\xA2\xF5\x83\x7E\x0C\xD6\xCA\x8C\x55\x8E\xBE\xE0\xBE\x49\x07\x0F\xA3\x24\x41\x7A\x58\x1D\x84\xEA\x58\x12\xC8\xE1\xB7\xED\xEF\x93\xDE\x94\x08\x31\x02\x03\x01\x00\x01\xA3\x82\x03\x3B\x30\x82\x03\x37\x30\x32\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x26\x30\x24\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x16\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x02\x30\x82\x02\x34\x06\x03\x55\x1D\x20\x04\x82\x02\x2B\x30\x82\x02\x27\x30\x82\x02\x23\x06\x0A\x2B\x06\x01\x04\x01\xBF\x55\x02\x01\x00\x30\x82\x02\x13\x30\x82\x01\xE8\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\xDA\x1E\x82\x01\xD6\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x47\x00\x65\x00\x6E\x00\x65\x00\x72\x00\x61\x00\x6C\x00\x69\x00\x74\x00\x61\x00\x74\x00\x20\x00\x56\x00\x61\x00\x6C\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x61\x00\x2E\x00\x0D\x00\x0A\x00\x4C\x00\x61\x00\x20\x00\x44\x00\x65\x00\x63\x00\x6C\x00\x61\x00\x72\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x64\x00\x65\x00\x20\x00\x50\x00\x72\x00\xE1\x00\x63\x00\x74\x00\x69\x00\x63\x00\x61\x00\x73\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x71\x00\x75\x00\x65\x00\x20\x00\x72\x00\x69\x00\x67\x00\x65\x00\x20\x00\x65\x00\x6C\x00\x20\x00\x66\x00\x75\x00\x6E\x00\x63\x00\x69\x00\x6F\x00\x6E\x00\x61\x00\x6D\x00\x69\x00\x65\x00\x6E\x00\x74\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x70\x00\x72\x00\x65\x0
0\x73\x00\x65\x00\x6E\x00\x74\x00\x65\x00\x20\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x73\x00\x65\x00\x20\x00\x65\x00\x6E\x00\x63\x00\x75\x00\x65\x00\x6E\x00\x74\x00\x72\x00\x61\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x64\x00\x69\x00\x72\x00\x65\x00\x63\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x77\x00\x65\x00\x62\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x70\x00\x6B\x00\x69\x00\x2E\x00\x67\x00\x76\x00\x61\x00\x2E\x00\x65\x00\x73\x00\x2F\x00\x63\x00\x70\x00\x73\x30\x25\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x19\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x2F\x63\x70\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\x30\x81\x95\x06\x03\x55\x1D\x23\x04\x81\x8D\x30\x81\x8A\x80\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x82\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x24\x61\x4E\xF5\xB5\xC8\x42\x02\x2A\xB3\x5C\x75\xAD\xC5\x6D\xCA\xE7\x94\x3F\xA5\x68\x95\x88\xC1\x54\xC0\x10\x69\xA2\x12\x2F\x18\x3F\x25\x50\xA8\x7C\x4A\xEA\xC6\x09\xD9\xF4\x75\xC6\x40\xDA\xAF\x50\x9D\x3D\xA5\x16\xBB\x6D\x31\xC6\xC7\x73\x0A\x48\xFE\x20\x72\xED\x6F\xCC\xE8\x83\x61\x16\x46\x90\x01\x95\x4B\x7
D\x8E\x9A\x52\x09\x2F\xF6\x6F\x1C\xE4\xA1\x71\xCF\x8C\x2A\x5A\x17\x73\x83\x47\x4D\x0F\x36\xFB\x04\x4D\x49\x51\xE2\x14\xC9\x64\x61\xFB\xD4\x14\xE0\xF4\x9E\xB7\x34\x8F\x0A\x26\xBD\x97\x5C\xF4\x79\x3A\x4A\x30\x19\xCC\xAD\x4F\xA0\x98\x8A\xB4\x31\x97\x2A\xE2\x73\x6D\x7E\x78\xB8\xF8\x88\x89\x4F\xB1\x22\x91\x64\x4B\xF5\x50\xDE\x03\xDB\xE5\xC5\x76\xE7\x13\x66\x75\x7E\x65\xFB\x01\x9F\x93\x87\x88\x9D\xF9\x46\x57\x7C\x4D\x60\xAF\x98\x73\x13\x23\xA4\x20\x91\x81\xFA\xD0\x61\x66\xB8\x7D\xD1\xAF\xD6\x6F\x1E\x6C\x3D\xE9\x11\xFD\xA9\xF9\x82\x22\x86\x99\x33\x71\x5A\xEA\x19\x57\x3D\x91\xCD\xA9\xC0\xA3\x6E\x07\x13\xA6\xC9\xED\xF8\x68\xA3\x9E\xC3\x5A\x72\x09\x87\x28\xD1\xC4\x73\xC4\x73\x18\x5F\x50\x75\x16\x31\x9F\xB7\xE8\x7C\xC3", + ["A-Trust-nQual-03"] = "\x30\x82\x03\xCF\x30\x82\x02\xB7\xA0\x03\x02\x01\x02\x02\x03\x01\x6C\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x41\x54\x31\x48\x30\x46\x06\x03\x55\x04\x0A\x0C\x3F\x41\x2D\x54\x72\x75\x73\x74\x20\x47\x65\x73\x2E\x20\x66\x2E\x20\x53\x69\x63\x68\x65\x72\x68\x65\x69\x74\x73\x73\x79\x73\x74\x65\x6D\x65\x20\x69\x6D\x20\x65\x6C\x65\x6B\x74\x72\x2E\x20\x44\x61\x74\x65\x6E\x76\x65\x72\x6B\x65\x68\x72\x20\x47\x6D\x62\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x37\x32\x32\x30\x30\x30\x30\x5A\x17\x0D\x31\x35\x30\x38\x31\x37\x32\x32\x30\x30\x30\x30\x5A\x30\x81\x8D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x41\x54\x31\x48\x30\x46\x06\x03\x55\x04\x0A\x0C\x3F\x41\x2D\x54\x72\x75\x73\x74\x20\x47\x65\x73\x2E\x20\x66\x2E\x20\x53\x69\x63\x68\x65\x72\x68\x65\x69\x74\x73\x73\x79\x73\x74\x65\x6D\x65\x20\x69\x6D\x20\x65\x6C\x65\x6B\x74\x72\x2E\x20\x44\x61\x74\x65\x6E\x76\x65\x72\x6B\x65\x68\x72\x20\x47\x6D\x62\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x2D\x54\x
72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x41\x2D\x54\x72\x75\x73\x74\x2D\x6E\x51\x75\x61\x6C\x2D\x30\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x3D\x61\x6E\x03\xF3\x90\x3B\xC0\x41\x0B\x84\x80\xCD\xEC\x2A\xA3\x9D\x6B\xBB\x6E\xC2\x42\x84\xF7\x51\x14\xE1\xA0\xA8\x2D\x51\xA3\x51\xF2\xDE\x23\xF0\x34\x44\xFF\x94\xEB\xCC\x05\x23\x95\x40\xB9\x07\x78\xA5\x25\xF6\x0A\xBD\x45\x86\xE8\xD9\xBD\xC0\x04\x8E\x85\x44\x61\xEF\x7F\xA7\xC9\xFA\xC1\x25\xCC\x85\x2C\x63\x3F\x05\x60\x73\x49\x05\xE0\x60\x78\x95\x10\x4B\xDC\xF9\x11\x59\xCE\x71\x7F\x40\x9B\x8A\xAA\x24\xDF\x0B\x42\xE2\xDB\x56\xBC\x4A\xD2\xA5\x0C\x9B\xB7\x43\x3E\xDD\x83\xD3\x26\x10\x02\xCF\xEA\x23\xC4\x49\x4E\xE5\xD3\xE9\xB4\x88\xAB\x0C\xAE\x62\x92\xD4\x65\x87\xD9\x6A\xD7\xF4\x85\x9F\xE4\x33\x22\x25\xA5\xE5\xC8\x33\xBA\xC3\xC7\x41\xDC\x5F\xC6\x6A\xCC\x00\x0E\x6D\x32\xA8\xB6\x87\x36\x00\x62\x77\x9B\x1E\x1F\x34\xCB\x90\x3C\x78\x88\x74\x05\xEB\x79\xF5\x93\x71\x65\xCA\x9D\xC7\x6B\x18\x2D\x3D\x5C\x4E\xE7\xD5\xF8\x3F\x31\x7D\x8F\x87\xEC\x0A\x22\x2F\x23\xE9\xFE\xBB\x7D\xC9\xE0\xF4\xEC\xEB\x7C\xC4\xB0\xC3\x2D\x62\xB5\x9A\x71\xD6\xB1\x6A\xE8\xEC\xD9\xED\xD5\x72\xEC\xBE\x57\x01\xCE\x05\x55\x9F\xDE\xD1\x60\x88\x10\xB3\x02\x03\x01\x00\x01\xA3\x36\x30\x34\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x11\x06\x03\x55\x1D\x0E\x04\x0A\x04\x08\x44\x6A\x95\x67\x55\x79\x11\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x55\xD4\x54\xD1\x59\x48\x5C\xB3\x93\x85\xAA\xBF\x63\x2F\xE4\x80\xCE\x34\xA3\x34\x62\x3E\xF6\xD8\xEE\x67\x88\x31\x04\x03\x6F\x0B\xD4\x07\xFB\x4E\x75\x0F\xD3\x2E\xD3\xC0\x17\xC7\xC6\x28\xEC\x06\x0D\x11\x24\x0E\x0E\xA5\x5D\xBF\x8C\xB2\x13\x96\x71\xDC\xD4\xCE\x0E\x0D\x0A\x68\x32\x6C\xB9\x41\x31\x19\xAB\xB1\x07\x7B\x4D\x98\xD3\x5C\xB0\xD1\xF0\xA7\x42\xA0\xB5\xC4\x
8E\xAF\xFE\xF1\x3F\xF4\xEF\x4F\x46\x00\x76\xEB\x02\xFB\xF9\x9D\xD2\x40\x96\xC7\x88\x3A\xB8\x9F\x11\x79\xF3\x80\x65\xA8\xBD\x1F\xD3\x78\x81\xA0\x51\x4C\x37\xB4\xA6\x5D\x25\x70\xD1\x66\xC9\x68\xF9\x2E\x11\x14\x68\xF1\x54\x98\x08\xAC\x26\x92\x0F\xDE\x89\x9E\xD4\xFA\xB3\x79\x2B\xD2\xA3\x79\xD4\xEC\x8B\xAC\x87\x53\x68\x42\x4C\x51\x51\x74\x1E\x1B\x27\x2E\xE3\xF5\x1F\x29\x74\x4D\xED\xAF\xF7\xE1\x92\x99\x81\xE8\xBE\x3A\xC7\x17\x50\xF6\xB7\xC6\xFC\x9B\xB0\x8A\x6B\xD6\x88\x03\x91\x8F\x06\x77\x3A\x85\x02\xDD\x98\xD5\x43\x78\x3F\xC6\x30\x15\xAC\x9B\x6B\xCB\x57\xB7\x89\x51\x8B\x3A\xE8\xC9\x84\x0C\xDB\xB1\x50\x20\x0A\x1A\x4A\xBA\x6A\x1A\xBD\xEC\x1B\xC8\xC5\x84\x9A\xCD", + ["TWCA Root Certification Authority"] = "\x30\x82\x03\x7B\x30\x82\x02\x63\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x38\x32\x38\x30\x37\x32\x34\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB0\x7E\x72\xB8\xA4\x03\x94\xE6\xA7\xDE\x09\x38\x91\x4A\x11\x40\x87\xA7\x7C\x59\x64\x14\x7B\xB5\x11\x10\xDD\xFE\xBF\xD5\xC0\xBB\x56
\xE2\x85\x25\xF4\x35\x72\x0F\xF8\x53\xD0\x41\xE1\x44\x01\xC2\xB4\x1C\xC3\x31\x42\x16\x47\x85\x33\x22\x76\xB2\x0A\x6F\x0F\xE5\x25\x50\x4F\x85\x86\xBE\xBF\x98\x2E\x10\x67\x1E\xBE\x11\x05\x86\x05\x90\xC4\x59\xD0\x7C\x78\x10\xB0\x80\x5C\xB7\xE1\xC7\x2B\x75\xCB\x7C\x9F\xAE\xB5\xD1\x9D\x23\x37\x63\xA7\xDC\x42\xA2\x2D\x92\x04\x1B\x50\xC1\x7B\xB8\x3E\x1B\xC9\x56\x04\x8B\x2F\x52\x9B\xAD\xA9\x56\xE9\xC1\xFF\xAD\xA9\x58\x87\x30\xB6\x81\xF7\x97\x45\xFC\x19\x57\x3B\x2B\x6F\xE4\x47\xF4\x99\x45\xFE\x1D\xF1\xF8\x97\xA3\x88\x1D\x37\x1C\x5C\x8F\xE0\x76\x25\x9A\x50\xF8\xA0\x54\xFF\x44\x90\x76\x23\xD2\x32\xC6\xC3\xAB\x06\xBF\xFC\xFB\xBF\xF3\xAD\x7D\x92\x62\x02\x5B\x29\xD3\x35\xA3\x93\x9A\x43\x64\x60\x5D\xB2\xFA\x32\xFF\x3B\x04\xAF\x4D\x40\x6A\xF9\xC7\xE3\xEF\x23\xFD\x6B\xCB\xE5\x0F\x8B\x38\x0D\xEE\x0A\xFC\xFE\x0F\x98\x9F\x30\x31\xDD\x6C\x52\x65\xF9\x8B\x81\xBE\x22\xE1\x1C\x58\x03\xBA\x91\x1B\x89\x07\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x38\x5B\x26\x8D\xDE\x8B\x5A\xF2\x4F\x7A\x54\x83\x19\x18\xE3\x08\x35\xA6\xBA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\xD5\x77\x3D\xDA\xDF\x89\xBA\x87\x0C\x08\x54\x6A\x20\x50\x92\xBE\xB0\x41\x3D\xB9\x26\x64\x83\x0A\x2F\xE8\x40\xC0\x97\x28\x27\x82\x30\x4A\xC9\x93\xFF\x6A\xE7\xA6\x00\x7F\x89\x42\x9A\xD6\x11\xE5\x53\xCE\x2F\xCC\xF2\xDA\x05\xC4\xFE\xE2\x50\xC4\x3A\x86\x7D\xCC\xDA\x7E\x10\x09\x3B\x92\x35\x2A\x53\xB2\xFE\xEB\x2B\x05\xD9\x6C\x5D\xE6\xD0\xEF\xD3\x6A\x66\x9E\x15\x28\x85\x7A\xE8\x82\x00\xAC\x1E\xA7\x09\x69\x56\x42\xD3\x68\x51\x18\xBE\x54\x9A\xBF\x44\x41\xBA\x49\xBE\x20\xBA\x69\x5C\xEE\xB8\x77\xCD\xCE\x6C\x1F\xAD\x83\x96\x18\x7D\x0E\xB5\x14\x39\x84\xF1\x28\xE9\x2D\xA3\x9E\x7B\x1E\x7A\x72\x5A\x83\xB3\x79\x6F\xEF\xB4\xFC\xD0\x0A\xA5\x58\x4F\x46\xDF\xFB\x6D\x79\x59\xF2\x84\x22\x52\xAE\x0F\xCC\xFB\x7C\x3B\xE7\x6A\xCA\x47\x61\xC3\x7A\xF8
\xD3\x92\x04\x1F\xB8\x20\x84\xE1\x36\x54\x16\xC7\x40\xDE\x3B\x8A\x73\xDC\xDF\xC6\x09\x4C\xDF\xEC\xDA\xFF\xD4\x53\x42\xA1\xC9\xF2\x62\x1D\x22\x83\x3C\x97\xC5\xF9\x19\x62\x27\xAC\x65\x22\xD7\xD3\x3C\xC6\xE5\x8E\xB2\x53\xCC\x49\xCE\xBC\x30\xFE\x7B\x0E\x33\x90\xFB\xED\xD2\x14\x91\x1F\x07\xAF", }; diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 0e47543404..0cc92e7e29 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -37,7 +37,6 @@ @load protocols/http/detect-MHR.bro @load protocols/http/detect-sqli.bro @load protocols/http/detect-webapps.bro -@load protocols/http/headers.bro @load protocols/http/software.bro @load protocols/http/var-extraction-cookies.bro @load protocols/http/var-extraction-uri.bro diff --git a/src/ARP.cc b/src/ARP.cc index cdf0baa170..3606ed66d5 100644 --- a/src/ARP.cc +++ b/src/ARP.cc @@ -1,5 +1,3 @@ -// $Id: ARP.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/ARP.h b/src/ARP.h index c7765eb9a9..6b84dbd587 100644 --- a/src/ARP.h +++ b/src/ARP.h @@ -1,5 +1,3 @@ -// $Id: ARP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef arp_h diff --git a/src/Analyzer.cc b/src/Analyzer.cc index b995c2f74b..9e7407e8b9 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -1,5 +1,3 @@ -// $Id: Analyzer.cc,v 1.1.4.28 2006/06/01 17:18:10 sommer Exp $ - #include #include "Analyzer.h" diff --git a/src/Analyzer.h b/src/Analyzer.h index 4a3ead5844..9eec49c233 100644 --- a/src/Analyzer.h +++ b/src/Analyzer.h @@ -1,5 +1,3 @@ -// $Id:$ -// // Main analyzer interface. #ifndef ANALYZER_H diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index e64a4ec76e..fd31773120 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h @@ -1,5 +1,3 @@ -// $Id: AnalyzerTags.h,v 1.1.2.5 2006/06/01 01:55:42 sommer Exp $ - #ifndef ANALYZERTAGS_H #define ANALYZERTAGS_H 
diff --git a/src/Anon.cc b/src/Anon.cc index bd29b3cfe9..440f8600d5 100644 --- a/src/Anon.cc +++ b/src/Anon.cc @@ -1,5 +1,3 @@ -// $Id: Anon.cc 7075 2010-09-13 02:39:38Z vern $ - #include #include #include diff --git a/src/Anon.h b/src/Anon.h index 2f138c36d7..ce234f4680 100644 --- a/src/Anon.h +++ b/src/Anon.h @@ -1,5 +1,3 @@ -// $Id: Anon.h 416 2004-09-17 03:52:28Z vern $ - // The prefix-preserving IP address anonymization code is largely // based on (and sometimes directly copied from) Eddie Kohler's // ipsumdump-1.20 code, per: diff --git a/src/Attr.cc b/src/Attr.cc index 22b4337405..a5a350f452 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -1,5 +1,3 @@ -// $Id: Attr.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Attr.h b/src/Attr.h index 89a81428e5..6c835dc61c 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -1,5 +1,3 @@ -// $Id: Attr.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef attr_h diff --git a/src/BPF_Program.cc b/src/BPF_Program.cc index 7796ccce81..a6d3d80c05 100644 --- a/src/BPF_Program.cc +++ b/src/BPF_Program.cc @@ -1,5 +1,3 @@ -// $Id: BPF_Program.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/BPF_Program.h b/src/BPF_Program.h index 4c6e090cda..88ed669da2 100644 --- a/src/BPF_Program.h +++ b/src/BPF_Program.h @@ -1,5 +1,3 @@ -// $Id: BPF_Program.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef bpf_program_h diff --git a/src/BackDoor.cc b/src/BackDoor.cc index 493fd9ae00..c218a98ce2 100644 --- a/src/BackDoor.cc +++ b/src/BackDoor.cc @@ -1,5 +1,3 @@ -// $Id: BackDoor.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" 
diff --git a/src/BackDoor.h b/src/BackDoor.h index 50d97514ef..40ea3bbaa3 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h @@ -1,5 +1,3 @@ -// $Id: BackDoor.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef backdoor_h diff --git a/src/Base64.cc b/src/Base64.cc index 2585debf5e..9008837f35 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -1,5 +1,3 @@ -// $Id: Base64.cc 6024 2008-07-26 19:20:47Z vern $ - #include "config.h" #include "Base64.h" diff --git a/src/Base64.h b/src/Base64.h index 5bf5d4e2bc..0fe7e04910 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -1,5 +1,3 @@ -// $Id: Base64.h 3526 2006-09-12 07:32:21Z vern $ - #ifndef base64_h #define base64_h diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc index e99047beb1..c58eb4cf65 100644 --- a/src/BitTorrent.cc +++ b/src/BitTorrent.cc @@ -1,5 +1,3 @@ -// $Id:$ -// // This code contributed by Nadi Sarrar. #include "BitTorrent.h" diff --git a/src/BitTorrent.h b/src/BitTorrent.h index 7f745d48c8..191b4c50d7 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -1,5 +1,3 @@ -// $Id:$ -// // This code contributed by Nadi Sarrar. #ifndef bittorrent_h diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc index f0b290751d..995a01dd63 100644 --- a/src/BitTorrentTracker.cc +++ b/src/BitTorrentTracker.cc @@ -1,5 +1,3 @@ -// $Id:$ -// // This code contributed by Nadi Sarrar. #include "BitTorrentTracker.h" diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index 167c9d0d10..d57665d104 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h @@ -1,5 +1,3 @@ -// $Id:$ -// // This code contributed by Nadi Sarrar. #ifndef bittorrenttracker_h diff --git a/src/BroList.h b/src/BroList.h index b71615a18a..6168bf7bda 100644 --- a/src/BroList.h +++ b/src/BroList.h @@ -1,5 +1,3 @@ -// $Id: BroList.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef brolist_h 
diff --git a/src/BroString.cc b/src/BroString.cc index 8677cd9533..e05995b156 100644 --- a/src/BroString.cc +++ b/src/BroString.cc @@ -1,5 +1,3 @@ -// $Id: BroString.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/BroString.h b/src/BroString.h index 48471cb99e..58991d78af 100644 --- a/src/BroString.h +++ b/src/BroString.h @@ -1,5 +1,3 @@ -// $Id: BroString.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef brostring_h diff --git a/src/CCL.cc b/src/CCL.cc index 326dcc7320..6c4ec5ea2e 100644 --- a/src/CCL.cc +++ b/src/CCL.cc @@ -1,5 +1,3 @@ -// $Id: CCL.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/CCL.h b/src/CCL.h index 760e64b6f9..2870acf53a 100644 --- a/src/CCL.h +++ b/src/CCL.h @@ -1,5 +1,3 @@ -// $Id: CCL.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ccl_h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 99b905d4af..996dfc2b20 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -248,10 +248,6 @@ set(dns_SRCS nb_dns.c) set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS -fno-strict-aliasing) -if (USE_NMALLOC) - set(malloc_SRCS malloc.c) -endif () - set(bro_SRCS ${CMAKE_CURRENT_BINARY_DIR}/version.c ${BIF_SRCS} @@ -410,7 +406,6 @@ set(bro_SRCS PacketDumper.cc strsep.c ${dns_SRCS} - ${malloc_SRCS} ${openssl_SRCS} ) diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc index d54b4eb70b..ff84a343c7 100644 --- a/src/ChunkedIO.cc +++ b/src/ChunkedIO.cc @@ -1,5 +1,3 @@ -// $Id: ChunkedIO.cc 6888 2009-08-20 18:23:11Z vern $ - #include #include #include diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h index 1f946c18ba..ca95f4b40b 100644 --- a/src/ChunkedIO.h +++ b/src/ChunkedIO.h 
@@ -1,5 +1,3 @@ -// $Id: ChunkedIO.h 6888 2009-08-20 18:23:11Z vern $ -// // Implements non-blocking chunk-wise I/O. #ifndef CHUNKEDIO_H diff --git a/src/CompHash.cc b/src/CompHash.cc index 763e5da463..916ca124ac 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -1,5 +1,3 @@ -// $Id: CompHash.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" @@ -169,7 +167,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, { char* kp = kp0; RecordVal* rv = v->AsRecordVal(); - RecordType* rt = v->Type()->AsRecordType(); + RecordType* rt = bt->AsRecordType(); int num_fields = rt->NumFields(); for ( int i = 0; i < num_fields; ++i ) diff --git a/src/CompHash.h b/src/CompHash.h index 0e12cbf9a8..1a02114358 100644 --- a/src/CompHash.h +++ b/src/CompHash.h @@ -1,5 +1,3 @@ -// $Id: CompHash.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef comphash_h diff --git a/src/Conn.cc b/src/Conn.cc index bab032cbd0..df59b1037a 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -1,5 +1,3 @@ -// $Id: Conn.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Conn.h b/src/Conn.h index 8f817fd003..8e90d6a9c3 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -1,5 +1,3 @@ -// $Id: Conn.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef conn_h diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc index 2bf28fe06a..7a04cb4f0b 100644 --- a/src/ConnCompressor.cc +++ b/src/ConnCompressor.cc @@ -1,5 +1,3 @@ -// $Id: ConnCompressor.cc 7008 2010-03-25 02:42:20Z vern $ - #include #include "ConnCompressor.h" diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h index e2140526d0..36959b615c 100644 --- a/src/ConnCompressor.h +++ b/src/ConnCompressor.h 
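Review bot: In CompositeHash::SingleValHash the changed line now derives `rt` from `bt` while `rv` still comes from `v`, and nothing in the hunk says why the two types are allowed to differ; the loop over `rt->NumFields()` indexes fields of `rv`, so it silently depends on the value's record type being field-compatible with `bt`. A why-comment above the changed line would stop a later maintainer from reverting it to `v->Type()`: `// Hash by the declared index type (bt), not v's own type, so a record value whose type differs from the index type (e.g. optional fields) hashes consistently with it.` If a value with fewer fields than `bt` can reach this point, the field loop would read past the record, so it is worth confirming that the type check or coercion upstream guarantees the match. SingleValHash begins and ends outside the hunk.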
@@ -1,5 +1,3 @@ -// $Id: ConnCompressor.h 6008 2008-07-23 00:24:22Z vern $ -// // The ConnCompressor keeps track of the first packet seen for a conn_id using // only a minimal amount of memory. This helps us to avoid instantiating // full Connection objects for never-established sessions. diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc index c98a9f6827..a1b892f4db 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/ConnSizeAnalyzer.cc @@ -1,5 +1,3 @@ -// $Id$ -// // See the file "COPYING" in the main distribution directory for copyright. // // See ConnSize.h for more extensive comments. diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 38446b0763..1fdd57bb15 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -1,5 +1,3 @@ -// $Id$ -// // See the file "COPYING" in the main distribution directory for copyright. // diff --git a/src/ContentLine.cc b/src/ContentLine.cc index e9f0856462..5601694e1d 100644 --- a/src/ContentLine.cc +++ b/src/ContentLine.cc @@ -1,5 +1,3 @@ -// $Id: ContentLine.cc,v 1.1.2.8 2006/06/01 01:55:42 sommer Exp $ - #include #include "ContentLine.h" diff --git a/src/ContentLine.h b/src/ContentLine.h index 25482ecc2f..5e9f01945f 100644 --- a/src/ContentLine.h +++ b/src/ContentLine.h @@ -1,5 +1,3 @@ -// $Id: ContentLine.h,v 1.1.2.9 2006/06/01 01:55:42 sommer Exp $ -// // Support-analyzer to split a reassembled stream into lines. #ifndef CONTENTLINE_H diff --git a/src/Continuation.h b/src/Continuation.h index bde07203a9..009d2a87f3 100644 --- a/src/Continuation.h +++ b/src/Continuation.h @@ -1,5 +1,3 @@ -// $Id: Continuation.h 2698 2006-04-03 05:50:52Z vern $ -// // Helper class to implement continuation-like mechanisms for // suspending/resuming tasks for incremental operation. // diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 4e21ecd545..1d9acaf1fa 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc 
@@ -1,5 +1,3 @@ -// $Id: DCE_RPC.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h index a856599b19..63237a151b 100644 --- a/src/DCE_RPC.h +++ b/src/DCE_RPC.h @@ -1,5 +1,3 @@ -// $Id: DCE_RPC.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef dce_rpc_h diff --git a/src/DFA.cc b/src/DFA.cc index 43e719f24a..e58ea260e5 100644 --- a/src/DFA.cc +++ b/src/DFA.cc @@ -1,5 +1,3 @@ -// $Id: DFA.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/DFA.h b/src/DFA.h index 6fa4d85f0d..0f6c7d2f25 100644 --- a/src/DFA.h +++ b/src/DFA.h @@ -1,5 +1,3 @@ -// $Id: DFA.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc index 23149b7837..2aec6e6e9f 100644 --- a/src/DHCP-binpac.cc +++ b/src/DHCP-binpac.cc @@ -1,5 +1,3 @@ -// $Id:$ - #include "DHCP-binpac.h" DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index d0e93dcfc2..06ddff3bb6 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -1,5 +1,3 @@ -// $Id:$ - #ifndef dhcp_binpac_h #define dhcp_binpac_h diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc index e06ef1ab19..eb95ac2e1c 100644 --- a/src/DNS-binpac.cc +++ b/src/DNS-binpac.cc @@ -1,5 +1,3 @@ -// $Id:$ - #include "DNS-binpac.h" #include "TCP_Reassembler.h" diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h index b43e3b6aae..9e8cb16f69 100644 --- a/src/DNS-binpac.h +++ b/src/DNS-binpac.h @@ -1,5 +1,3 @@ -// $Id:$ - #ifndef dns_binpac_h #define dns_binpac_h diff --git a/src/DNS.cc b/src/DNS.cc index d13f184ca5..8259a547bb 100644 --- a/src/DNS.cc +++ b/src/DNS.cc 
@@ -1,5 +1,3 @@ -// $Id: DNS.cc 6885 2009-08-20 04:37:55Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/DNS.h b/src/DNS.h index ca9261c008..83ca80911e 100644 --- a/src/DNS.h +++ b/src/DNS.h @@ -1,5 +1,3 @@ -// $Id: DNS.h 6885 2009-08-20 04:37:55Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef dns_h diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc index 87d0db4dac..3c0d00c43c 100644 --- a/src/DNS_Mgr.cc +++ b/src/DNS_Mgr.cc @@ -1,5 +1,3 @@ -// $Id: DNS_Mgr.cc 7073 2010-09-13 00:45:02Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h index 151c05289f..c4abb93525 100644 --- a/src/DNS_Mgr.h +++ b/src/DNS_Mgr.h @@ -1,5 +1,3 @@ -// $Id: DNS_Mgr.h 6915 2009-09-22 05:04:17Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef dnsmgr_h diff --git a/src/DPM.cc b/src/DPM.cc index 69b859a9e1..345741dfc8 100644 --- a/src/DPM.cc +++ b/src/DPM.cc @@ -1,5 +1,3 @@ -// $Id: DPM.cc,v 1.1.4.14 2006/06/01 17:18:10 sommer Exp $ - #include "DPM.h" #include "PIA.h" #include "Hash.h" diff --git a/src/DPM.h b/src/DPM.h index 056f6b25cc..4bacbfbeea 100644 --- a/src/DPM.h +++ b/src/DPM.h @@ -1,5 +1,3 @@ -// $Id:$ -// // The central management unit for dynamic analyzer selection. #ifndef DPM_H diff --git a/src/DbgBreakpoint.cc b/src/DbgBreakpoint.cc index 7205a78521..11847fc4dc 100644 --- a/src/DbgBreakpoint.cc +++ b/src/DbgBreakpoint.cc @@ -1,5 +1,3 @@ -// $Id: DbgBreakpoint.cc 1345 2005-09-08 07:42:11Z vern $ - // Implementation of breakpoints. #include "config.h" diff --git a/src/DbgBreakpoint.h b/src/DbgBreakpoint.h index 505d1389a4..5fadfe0474 100644 --- a/src/DbgBreakpoint.h +++ b/src/DbgBreakpoint.h 
@@ -1,5 +1,3 @@ -// $Id: DbgBreakpoint.h 80 2004-07-14 20:15:50Z jason $ - // Structures and methods for implementing breakpoints in the Bro debugger. #ifndef DbgBreakpoint_h diff --git a/src/DbgDisplay.h b/src/DbgDisplay.h index 033dac79e9..1c83d84ec4 100644 --- a/src/DbgDisplay.h +++ b/src/DbgDisplay.h @@ -1,5 +1,3 @@ -// $Id: DbgDisplay.h 80 2004-07-14 20:15:50Z jason $ - // Structures and methods for implementing watches in the Bro debugger. #ifndef dbg_display_h diff --git a/src/DbgWatch.h b/src/DbgWatch.h index ed85e88748..e3359f53ad 100644 --- a/src/DbgWatch.h +++ b/src/DbgWatch.h @@ -1,5 +1,3 @@ -// $Id: DbgWatch.h 80 2004-07-14 20:15:50Z jason $ - // Structures and methods for implementing watches in the Bro debugger. #ifndef dbgwatch_h diff --git a/src/Debug.h b/src/Debug.h index ad82337b12..a83e05c224 100644 --- a/src/Debug.h +++ b/src/Debug.h @@ -1,5 +1,3 @@ -// $Id: Debug.h 80 2004-07-14 20:15:50Z jason $ - // Debugging support for Bro policy files. #ifndef debug_h diff --git a/src/DebugCmds.h b/src/DebugCmds.h index a14990b918..e7b9c6a4c1 100644 --- a/src/DebugCmds.h +++ b/src/DebugCmds.h @@ -1,5 +1,3 @@ -// $Id: DebugCmds.h 80 2004-07-14 20:15:50Z jason $ -// // Support routines to help deal with Bro debugging commands and // implementation of most commands. diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index adf06b7d67..6d189a3303 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -1,5 +1,3 @@ -// $Id: DebugLogger.cc 4771 2007-08-11 05:50:24Z vern $ - #ifdef DEBUG #include diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 49c875a5c4..a2dece5b3c 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -1,5 +1,3 @@ -// $Id: DebugLogger.h 4771 2007-08-11 05:50:24Z vern $ -// // A logger for (selective) debugging output. Only compiled in if DEBUG is // defined. diff --git a/src/Desc.cc b/src/Desc.cc index d7106a5b6a..8c161e07b2 100644 --- a/src/Desc.cc +++ b/src/Desc.cc 
@@ -1,5 +1,3 @@ -// $Id: Desc.cc 6245 2008-10-07 00:56:59Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Desc.h b/src/Desc.h index a9758d764b..5849736cbf 100644 --- a/src/Desc.h +++ b/src/Desc.h @@ -1,5 +1,3 @@ -// $Id: Desc.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef descriptor_h diff --git a/src/Dict.cc b/src/Dict.cc index 6bef17ad3e..c0e2d0e4d2 100644 --- a/src/Dict.cc +++ b/src/Dict.cc @@ -1,5 +1,3 @@ -// $Id: Dict.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Dict.h b/src/Dict.h index 75ac82c827..c7b3a21eac 100644 --- a/src/Dict.h +++ b/src/Dict.h @@ -1,5 +1,3 @@ -// $Id: Dict.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef dict_h diff --git a/src/Discard.cc b/src/Discard.cc index fcee23e5e0..2705aa55be 100644 --- a/src/Discard.cc +++ b/src/Discard.cc @@ -1,5 +1,3 @@ -// $Id: Discard.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/Discard.h b/src/Discard.h index 4ffcab39d1..16f7a58e6e 100644 --- a/src/Discard.h +++ b/src/Discard.h @@ -1,5 +1,3 @@ -// $Id: Discard.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef discard_h diff --git a/src/EquivClass.cc b/src/EquivClass.cc index ff5dc88603..6ab667b146 100644 --- a/src/EquivClass.cc +++ b/src/EquivClass.cc @@ -1,5 +1,3 @@ -// $Id: EquivClass.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/EquivClass.h b/src/EquivClass.h index 9b35a9bb64..e5193cde47 100644 --- a/src/EquivClass.h +++ b/src/EquivClass.h 
@@ -1,5 +1,3 @@ -// $Id: EquivClass.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef equiv_class_h diff --git a/src/Event.cc b/src/Event.cc index 0ba5b68a21..97f29000d6 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -1,5 +1,3 @@ -// $Id: Event.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Event.h b/src/Event.h index ce498ae9cc..805396a488 100644 --- a/src/Event.h +++ b/src/Event.h @@ -1,5 +1,3 @@ -// $Id: Event.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef event_h diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 9a06763bc0..55f9902079 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -1,5 +1,3 @@ -// $Id: EventHandler.cc 5911 2008-07-03 22:59:01Z vern $ - #include "Event.h" #include "EventHandler.h" #include "Func.h" diff --git a/src/EventHandler.h b/src/EventHandler.h index 6a9438fd4c..2aebe87584 100644 --- a/src/EventHandler.h +++ b/src/EventHandler.h @@ -1,5 +1,3 @@ -// $Id: EventHandler.h 5911 2008-07-03 22:59:01Z vern $ -// // Capsulates local and remote event handlers. #ifndef EVENTHANDLER diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc index 1982d78c11..246c9dc8aa 100644 --- a/src/EventLauncher.cc +++ b/src/EventLauncher.cc @@ -1,5 +1,3 @@ -// $Id:$ - #include "Val.h" #include "Analyzer.h" #include "EventLauncher.h" diff --git a/src/EventLauncher.h b/src/EventLauncher.h index 276f28ef75..6a57c59391 100644 --- a/src/EventLauncher.h +++ b/src/EventLauncher.h @@ -1,5 +1,3 @@ -// $Id:$ - #ifndef event_launcher_h #define event_launcher_h diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index f5691ab448..4d29c5d95f 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc 
@@ -1,5 +1,3 @@ -// $Id: EventRegistry.cc 6829 2009-07-09 09:12:59Z vern $ - #include "EventRegistry.h" #include "RE.h" #include "RemoteSerializer.h" diff --git a/src/EventRegistry.h b/src/EventRegistry.h index bd9e0cd185..6ee5e3bcbd 100644 --- a/src/EventRegistry.h +++ b/src/EventRegistry.h @@ -1,5 +1,3 @@ -// $Id: EventRegistry.h 6829 2009-07-09 09:12:59Z vern $ -// // Each event raised/handled by Bro is registered in the EventRegistry. #ifndef EVENT_REGISTRY diff --git a/src/Expr.cc b/src/Expr.cc index cc93c47be0..bb5a1273fb 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1,5 +1,3 @@ -// $Id: Expr.cc 6864 2009-08-16 23:30:39Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Expr.h b/src/Expr.h index 2e5d5b637a..95016a8d13 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -1,5 +1,3 @@ -// $Id: Expr.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef expr_h diff --git a/src/FTP.cc b/src/FTP.cc index 3dcf5722d8..588348ea8d 100644 --- a/src/FTP.cc +++ b/src/FTP.cc @@ -1,5 +1,3 @@ -// $Id: FTP.cc 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/FTP.h b/src/FTP.h index c50d463b65..4ef6c44d83 100644 --- a/src/FTP.h +++ b/src/FTP.h @@ -1,5 +1,3 @@ -// $Id: FTP.h 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ftp_h diff --git a/src/File.cc b/src/File.cc index c8390c9bb5..437370205a 100644 --- a/src/File.cc +++ b/src/File.cc @@ -1,5 +1,3 @@ -// $Id: File.cc 6942 2009-11-16 03:54:08Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/File.h b/src/File.h index dad0d6da8b..444d6209e2 100644 --- a/src/File.h +++ b/src/File.h 
@@ -1,5 +1,3 @@ -// $Id: File.h 6888 2009-08-20 18:23:11Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef file_h diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 16bf003775..1abe88caec 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -1,5 +1,3 @@ -// $Id: FileAnalyzer.cc,v 1.1.4.2 2006/06/01 17:18:10 sommer Exp $ - #include #include "FileAnalyzer.h" diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index f343547210..8c1890bb85 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -1,5 +1,3 @@ -// $Id:$ -// // Analyzer for connections that transfer binary data. #ifndef FILEANALYZER_H diff --git a/src/Finger.cc b/src/Finger.cc index 9a0fda8985..be0f3754b5 100644 --- a/src/Finger.cc +++ b/src/Finger.cc @@ -1,5 +1,3 @@ -// $Id: Finger.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Finger.h b/src/Finger.h index 98738765a3..3c61c4ad2a 100644 --- a/src/Finger.h +++ b/src/Finger.h @@ -1,5 +1,3 @@ -// $Id: Finger.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef finger_h diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc index 6f31cf2c3e..fe6998ea79 100644 --- a/src/FlowSrc.cc +++ b/src/FlowSrc.cc @@ -1,5 +1,3 @@ -/// $Id: FlowSrc.cc 4621 2007-07-10 13:37:13Z bager $ -// // See the file "COPYING" in the main distribution directory for copyright. // // Written by Bernhard Ager, TU Berlin (2006/2007). diff --git a/src/FlowSrc.h b/src/FlowSrc.h index 3173badf66..7b0b14ad15 100644 --- a/src/FlowSrc.h +++ b/src/FlowSrc.h @@ -1,5 +1,3 @@ -// $Id: FlowSrc.h 4618 2007-07-09 18:12:32Z bager $ -// // See the file "COPYING" in the main distribution directory for copyright. // // Written by Bernhard Ager, TU Berlin (2006/2007). diff --git a/src/Frag.cc b/src/Frag.cc index abf68baa14..b72fac4b16 100644 --- a/src/Frag.cc +++ b/src/Frag.cc 
@@ -1,5 +1,3 @@ -// $Id: Frag.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Frag.h b/src/Frag.h index ddd5f73144..92bf1b3bbd 100644 --- a/src/Frag.h +++ b/src/Frag.h @@ -1,5 +1,3 @@ -// $Id: Frag.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef frag_h diff --git a/src/Frame.cc b/src/Frame.cc index 4eeb7e1fcc..f86fa32805 100644 --- a/src/Frame.cc +++ b/src/Frame.cc @@ -1,5 +1,3 @@ -// $Id: Frame.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Frame.h b/src/Frame.h index 34a4f63f89..85e1dbec2e 100644 --- a/src/Frame.h +++ b/src/Frame.h @@ -1,5 +1,3 @@ -// $Id: Frame.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef frame_h diff --git a/src/Func.cc b/src/Func.cc index 4a495904bd..8f26ea27df 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -1,5 +1,3 @@ -// $Id: Func.cc 6703 2009-05-13 22:27:44Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" @@ -276,6 +274,8 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const { // Can only happen for events. assert(IsEvent()); + loop_over_list(*args, i) + Unref((*args)[i]); return 0 ; } diff --git a/src/Func.h b/src/Func.h index 6e1ea8597c..b9f6ffe808 100644 --- a/src/Func.h +++ b/src/Func.h @@ -1,5 +1,3 @@ -// $Id: Func.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef func_h diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 9787147400..448c8dcb3b 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc 
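Review bot: The Unref loop added to the no-bodies branch of BroFunc::Call should say which ownership rule it is honouring, because a reader of this branch alone cannot tell that the Vals in `args` belong to the callee. Suggested comment above the loop: `// Event with no handlers: release the arguments here, as the normal path does after running the bodies.` That the normal path releases them itself is inferred from the surrounding code, which is outside this hunk, so confirm against the body-execution loop before committing the wording. BroFunc::Call starts and ends outside the hunk.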
@@ -1,5 +1,3 @@ -// $Id: Gnutella.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Gnutella.h b/src/Gnutella.h index c390f418f4..f06c816c90 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -1,5 +1,3 @@ -// $Id: Gnutella.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef gnutella_h diff --git a/src/H3.h b/src/H3.h index b4eab3a727..9e6f1c5c35 100644 --- a/src/H3.h +++ b/src/H3.h @@ -1,5 +1,3 @@ -// $Id: H3.h 3230 2006-06-08 02:19:25Z vern $ - // Copyright 2004, 2005 // The Regents of the University of California // All Rights Reserved diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc index 003d74d8e2..70cf37457b 100644 --- a/src/HTTP-binpac.cc +++ b/src/HTTP-binpac.cc @@ -1,5 +1,3 @@ -// $Id:$ - #include "HTTP-binpac.h" #include "TCP_Reassembler.h" diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h index 9352515dc8..62b6fd0db3 100644 --- a/src/HTTP-binpac.h +++ b/src/HTTP-binpac.h @@ -1,5 +1,3 @@ -// $Id:$ - #ifndef http_binpac_h #define http_binpac_h diff --git a/src/HTTP.cc b/src/HTTP.cc index 54613bb9e1..0d154f1873 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -1,5 +1,3 @@ -// $Id: HTTP.cc 7073 2010-09-13 00:45:02Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/HTTP.h b/src/HTTP.h index 7512f368a9..6614886e44 100644 --- a/src/HTTP.h +++ b/src/HTTP.h @@ -1,5 +1,3 @@ -// $Id: HTTP.h 6942 2009-11-16 03:54:08Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef http_h diff --git a/src/Hash.cc b/src/Hash.cc index 1902af4f37..7873e398c3 100644 --- a/src/Hash.cc +++ b/src/Hash.cc @@ -1,5 +1,3 @@ -// $Id: Hash.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. // The hash function works as follows: 
diff --git a/src/Hash.h b/src/Hash.h index d9659b442a..3a1b42084c 100644 --- a/src/Hash.h +++ b/src/Hash.h @@ -1,5 +1,3 @@ -// $Id: Hash.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef hash_h diff --git a/src/ICMP.cc b/src/ICMP.cc index 4e11583651..bc081ace51 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -1,5 +1,3 @@ -// $Id: ICMP.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/ICMP.h b/src/ICMP.h index 62b859beba..ad43d7b948 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -1,5 +1,3 @@ -// $Id: ICMP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef icmp_h diff --git a/src/ID.cc b/src/ID.cc index 2decef725f..3f5c76ca1d 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -1,5 +1,3 @@ -// $Id: ID.cc 6724 2009-06-07 09:23:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/ID.h b/src/ID.h index 49d844ebc3..9c1f56e80f 100644 --- a/src/ID.h +++ b/src/ID.h @@ -1,5 +1,3 @@ -// $Id: ID.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef id_h diff --git a/src/IOSource.cc b/src/IOSource.cc index 83f4ef15f2..d47007caad 100644 --- a/src/IOSource.cc +++ b/src/IOSource.cc @@ -1,5 +1,3 @@ -// $Id: IOSource.cc 4771 2007-08-11 05:50:24Z vern $ - #include #include #include diff --git a/src/IOSource.h b/src/IOSource.h index 53057f3583..db50bbd2a9 100644 --- a/src/IOSource.h +++ b/src/IOSource.h @@ -1,5 +1,3 @@ -// $Id: IOSource.h 6888 2009-08-20 18:23:11Z vern $ -// // Interface for classes providing/consuming data during Bro's main loop. #ifndef iosource_h diff --git a/src/IP.h b/src/IP.h index 4f76ef50ed..73ac4ee5c7 100644 --- a/src/IP.h +++ b/src/IP.h 
@@ -1,5 +1,3 @@ -// $Id: IP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ip_h diff --git a/src/IRC.cc b/src/IRC.cc index 0e3705a97d..caf7c492b6 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -1,5 +1,3 @@ -// $Id: IRC.cc 4582 2007-07-04 01:14:09Z vern $ - // An IRC analyzer contributed by Roland Gruber. #include diff --git a/src/IRC.h b/src/IRC.h index fb6e9869ae..0fe36957de 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -1,5 +1,3 @@ -// $Id: IRC.h 4582 2007-07-04 01:14:09Z vern $ - // An IRC analyzer contributed by Roland Gruber. #ifndef irc_h diff --git a/src/Ident.cc b/src/Ident.cc index 2231c50ae8..b2e82e5f12 100644 --- a/src/Ident.cc +++ b/src/Ident.cc @@ -1,5 +1,3 @@ -// $Id: Ident.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Ident.h b/src/Ident.h index c87e98c6d4..a848d233e1 100644 --- a/src/Ident.h +++ b/src/Ident.h @@ -1,5 +1,3 @@ -// $Id: Ident.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ident_h diff --git a/src/IntSet.cc b/src/IntSet.cc index a6c176f829..fb198f0e25 100644 --- a/src/IntSet.cc +++ b/src/IntSet.cc @@ -1,5 +1,3 @@ -// $Id: IntSet.cc 80 2004-07-14 20:15:50Z jason $ - #include "config.h" #ifdef HAVE_MEMORY_H diff --git a/src/IntSet.h b/src/IntSet.h index 412b06d418..ef58e8b12f 100644 --- a/src/IntSet.h +++ b/src/IntSet.h @@ -1,5 +1,3 @@ -// $Id: IntSet.h 80 2004-07-14 20:15:50Z jason $ - // A simple but fast data structure for sets of integers. // Only supported operations are insert, remove and membership test. // diff --git a/src/InterConn.cc b/src/InterConn.cc index 664982fd02..403081181a 100644 --- a/src/InterConn.cc +++ b/src/InterConn.cc 
@@ -1,5 +1,3 @@ -// $Id: InterConn.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/InterConn.h b/src/InterConn.h index 1f9ee12f62..d9cd10de27 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -1,5 +1,3 @@ -// $Id: InterConn.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef interconn_h diff --git a/src/List.cc b/src/List.cc index 2a28d4ae00..9a1af3fe4f 100644 --- a/src/List.cc +++ b/src/List.cc @@ -1,5 +1,3 @@ -// $Id: List.cc 1905 2005-12-14 03:27:33Z vern $ - #include "config.h" #include diff --git a/src/List.h b/src/List.h index 38afad35c9..bf87ade67d 100644 --- a/src/List.h +++ b/src/List.h @@ -1,5 +1,3 @@ -// $Id: List.h 463 2004-09-26 21:04:20Z vern $ - #ifndef list_h #define list_h diff --git a/src/LogMgr.cc b/src/LogMgr.cc index 700237e693..171d0532d7 100644 --- a/src/LogMgr.cc +++ b/src/LogMgr.cc @@ -36,6 +36,8 @@ struct LogMgr::Filter { EnumVal* writer; bool local; bool remote; + double interval; + Func* postprocessor; int num_fields; LogField** fields; @@ -52,7 +54,9 @@ struct LogMgr::WriterInfo { EnumVal* type; double open_time; Timer* rotation_timer; - LogWriter *writer; + double interval; + Func* postprocessor; + LogWriter* writer; }; struct LogMgr::Stream { @@ -732,6 +736,8 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) Val* path_func = fval->LookupWithDefault(rtype->FieldOffset("path_func")); Val* log_local = fval->LookupWithDefault(rtype->FieldOffset("log_local")); Val* log_remote = fval->LookupWithDefault(rtype->FieldOffset("log_remote")); + Val* interv = fval->LookupWithDefault(rtype->FieldOffset("interv")); + Val* postprocessor = fval->LookupWithDefault(rtype->FieldOffset("postprocessor")); Filter* filter = new Filter; filter->name = name->AsString()->CheckString(); 
@@ -741,12 +747,16 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) filter->writer = writer->Ref()->AsEnumVal(); filter->local = log_local->AsBool(); filter->remote = log_remote->AsBool(); + filter->interval = interv->AsInterval(); + filter->postprocessor = postprocessor ? postprocessor->AsFunc() : 0; Unref(name); Unref(pred); Unref(path_func); Unref(log_local); Unref(log_remote); + Unref(interv); + Unref(postprocessor); // Build the list of fields that the filter wants included, including // potentially rolling out fields. @@ -772,20 +782,9 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) else { - // If no path is given, use the Stream ID as the default but - // strip the namespace. - const char* s = stream->name.c_str(); - const char* e = s + strlen(s); - - const char* t = strstr(s, "::"); - if ( t ) - s = t + 2; - - string path(s, e); - std::transform(path.begin(), path.end(), path.begin(), ::tolower); - - filter->path = path; - filter->path_val = new StringVal(path.c_str()); + // If no path is given, it's derived based upon the value returned by + // the first call to the filter's path_func (during first write). + filter->path_val = 0; } // Remove any filter with the same name we might already have. @@ -901,8 +900,26 @@ bool LogMgr::Write(EnumVal* id, RecordVal* columns) { val_list vl(3); vl.append(id->Ref()); - vl.append(filter->path_val->Ref()); - vl.append(columns->Ref()); + + Val* path_arg; + if ( filter->path_val ) + path_arg = filter->path_val; + else + path_arg = new StringVal(""); + + vl.append(path_arg->Ref()); + + Val* rec_arg; + BroType* rt = filter->path_func->FType()->Args()->FieldType("rec"); + + if ( rt->Tag() == TYPE_RECORD ) + rec_arg = columns->CoerceTo(rt->AsRecordType(), true); + else + // Can be TYPE_ANY here. + rec_arg = columns->Ref(); + + vl.append(rec_arg); + Val* v = filter->path_func->Call(&vl); if ( ! v->Type()->Tag() == TYPE_STRING ) 
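Review bot: `filter->postprocessor = postprocessor ? postprocessor->AsFunc() : 0;` keeps a bare Func* while the `Unref(postprocessor)` a few lines later drops the only reference this function took, so the Filter holds the function without owning it and depends on the script-side Filter record (or a global ID) keeping it alive. If `pred` and `path_func` are stored the same way just above (outside the hunk) this is at least consistent, but the assumption deserves a comment, e.g. `// Borrowed pointer: kept alive by the Filter record's field, not ref'd here.` Note that the same pointer is later copied into WriterInfo by CreateWriter and so outlives any later removal of the Filter. AddFilter continues outside the hunk.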
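Review bot: The context line `if ( ! v->Type()->Tag() == TYPE_STRING )` that guards the new path_func result handling is effectively dead: `!` binds before `==`, so it compares a bool with TYPE_STRING and never fires, and a path_func returning a non-string value reaches `v->AsString()` unchecked; it should read `if ( v->Type()->Tag() != TYPE_STRING )`. Once the guard works, the error path's `return false` also needs to release the temporary `path_arg` created by `new StringVal("")`, which only the success path in the next hunk Unrefs. Separately, `rt = filter->path_func->FType()->Args()->FieldType("rec")` is dereferenced without a null check, so a path_func whose third parameter is not named `rec` would crash on `rt->Tag()` if the script type checker compares only argument types, which I cannot confirm from here. LogMgr::Write continues outside the hunk.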
@@ -912,6 +929,13 @@ bool LogMgr::Write(EnumVal* id, RecordVal* columns) return false; } + if ( ! filter->path_val ) + { + Unref(path_arg); + filter->path = v->AsString()->CheckString(); + filter->path_val = v->Ref(); + } + path = v->AsString()->CheckString(); Unref(v); @@ -1238,6 +1262,24 @@ LogWriter* LogMgr::CreateWriter(EnumVal* id, EnumVal* writer, string path, winfo->writer = writer_obj; winfo->open_time = network_time; winfo->rotation_timer = 0; + winfo->interval = 0; + winfo->postprocessor = 0; + + // Search for a corresponding filter for the writer/path pair and use its + // rotation settings. + list::const_iterator it; + for ( it = stream->filters.begin(); it != stream->filters.end(); ++it ) + { + Filter* f = *it; + if ( f->writer->AsEnum() == writer->AsEnum() && + f->path == winfo->writer->Path() ) + { + winfo->interval = f->interval; + winfo->postprocessor = f->postprocessor; + break; + } + } + InstallRotationTimer(winfo); stream->writers.insert( @@ -1415,22 +1457,6 @@ void RotationTimer::Dispatch(double t, int is_expire) } } -RecordVal* LogMgr::LookupRotationControl(EnumVal* writer, string path) - { - TableVal* rc = BifConst::Log::rotation_control->AsTableVal(); - - ListVal* index = new ListVal(TYPE_ANY); - index->Append(writer->Ref()); - index->Append(new StringVal(path.c_str())); - - Val* r = rc->Lookup(index); - assert(r); - - Unref(index); - - return r->AsRecordVal(); - } - void LogMgr::InstallRotationTimer(WriterInfo* winfo) { if ( terminating ) @@ -1442,13 +1468,7 @@ void LogMgr::InstallRotationTimer(WriterInfo* winfo) winfo->rotation_timer = 0; } - RecordVal* rc = - LookupRotationControl(winfo->type, winfo->writer->Path()); - - assert(rc); - - int idx = rc->Type()->AsRecordType()->FieldOffset("interv"); - double rotation_interval = rc->LookupWithDefault(idx)->AsInterval(); + double rotation_interval = winfo->interval; if ( rotation_interval ) { 
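Review bot: The filter lookup added to CreateWriter matches on `f->path == winfo->writer->Path()`, but the preceding hunk pins `filter->path` to the first value path_func returns, so a filter whose path_func yields different paths for different records only transfers its `interval` and `postprocessor` to the writer for that first path; every later writer for that filter is created with `interval = 0`, is never rotated, and nothing reports it. If CreateWriter is reached from Write's per-filter loop, passing the Filter (or its name) down rather than matching on path would avoid this. The `break` on first match also silently picks one filter when two share writer and path but disagree on rotation settings; a reporter warning there would make the precedence visible. CreateWriter's body continues outside the hunk.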
@@ -1509,11 +1529,6 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam if ( ! winfo ) return true; - RecordVal* rc = - LookupRotationControl(winfo->type, winfo->writer->Path()); - - assert(rc); - // Create the RotationInfo record. RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo); info->Assign(0, winfo->type->Ref()); @@ -1523,15 +1538,12 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam info->Assign(4, new Val(close, TYPE_TIME)); info->Assign(5, new Val(terminating, TYPE_BOOL)); - int idx = rc->Type()->AsRecordType()->FieldOffset("postprocessor"); - assert(idx >= 0); - - Val* func = rc->Lookup(idx); + Func* func = winfo->postprocessor; if ( ! func ) { ID* id = global_scope()->Lookup("Log::__default_rotation_postprocessor"); assert(id); - func = id->ID_Val(); + func = id->ID_Val()->AsFunc(); } assert(func); @@ -1539,7 +1551,7 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam // Call the postprocessor function. val_list vl(1); vl.append(info); - Val* v = func->AsFunc()->Call(&vl); + Val* v = func->Call(&vl); int result = v->AsBool(); Unref(v); return result; diff --git a/src/LogMgr.h b/src/LogMgr.h index 033a6ba3fd..10530960cb 100644 --- a/src/LogMgr.h +++ b/src/LogMgr.h @@ -129,7 +129,6 @@ private: void RemoveDisabledWriters(Stream* stream); void InstallRotationTimer(WriterInfo* winfo); void Rotate(WriterInfo* info); - RecordVal* LookupRotationControl(EnumVal* writer, string path); Filter* FindFilter(EnumVal* id, StringVal* filter); WriterInfo* FindWriter(LogWriter* writer); diff --git a/src/Login.cc b/src/Login.cc index 0a3849ccd0..56efd12f53 100644 --- a/src/Login.cc +++ b/src/Login.cc @@ -1,5 +1,3 @@ -// $Id: Login.cc 6724 2009-06-07 09:23:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/MIME.cc b/src/MIME.cc index 3fe652d4cc..109b897b88 100644 --- a/src/MIME.cc 
+++ b/src/MIME.cc @@ -1,5 +1,3 @@ -// $Id: MIME.cc 5906 2008-07-03 19:52:50Z vern $ - #include "config.h" #include "NetVar.h" diff --git a/src/MIME.h b/src/MIME.h index b5cdf556ac..c8c70cf65b 100644 --- a/src/MIME.h +++ b/src/MIME.h @@ -1,5 +1,3 @@ -// $Id: MIME.h 3526 2006-09-12 07:32:21Z vern $ - #ifndef mime_h #define mime_h diff --git a/src/NCP.cc b/src/NCP.cc index c065e48e87..83378a09a7 100644 --- a/src/NCP.cc +++ b/src/NCP.cc @@ -1,5 +1,3 @@ -// $Id: NCP.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NCP.h b/src/NCP.h index 714d1879f8..1e783ee3ab 100644 --- a/src/NCP.h +++ b/src/NCP.h @@ -1,5 +1,3 @@ -// $Id: NCP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ncp_h diff --git a/src/NFA.cc b/src/NFA.cc index 74958823dc..4849755941 100644 --- a/src/NFA.cc +++ b/src/NFA.cc @@ -1,5 +1,3 @@ -// $Id: NFA.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NFA.h b/src/NFA.h index 9dcb435d61..9877b8787c 100644 --- a/src/NFA.h +++ b/src/NFA.h @@ -1,5 +1,3 @@ -// $Id: NFA.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef nfa_h diff --git a/src/NFS.cc b/src/NFS.cc index 2951361baf..2911ee7f59 100644 --- a/src/NFS.cc +++ b/src/NFS.cc @@ -1,5 +1,3 @@ -// $Id: NFS.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/NFS.h b/src/NFS.h index 28a1d5c4ac..6a65143808 100644 --- a/src/NFS.h +++ b/src/NFS.h @@ -1,5 +1,3 @@ -// $Id: NFS.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef nfs_h diff --git a/src/NTP.cc b/src/NTP.cc index ac7d12fb6d..60b7e6202d 100644 
--- a/src/NTP.cc +++ b/src/NTP.cc @@ -1,5 +1,3 @@ -// $Id: NTP.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NTP.h b/src/NTP.h index c4ccdd644a..a22a7b231b 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -1,5 +1,3 @@ -// $Id: NTP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ntp_h diff --git a/src/NVT.cc b/src/NVT.cc index ad5e321595..5ba12ac32a 100644 --- a/src/NVT.cc +++ b/src/NVT.cc @@ -1,5 +1,3 @@ -// $Id: NVT.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NVT.h b/src/NVT.h index 63c0cc6620..61aa1ef740 100644 --- a/src/NVT.h +++ b/src/NVT.h @@ -1,5 +1,3 @@ -// $Id: NVT.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef nvt_h diff --git a/src/Net.cc b/src/Net.cc index df91521eee..2d8ee85353 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -1,5 +1,3 @@ -// $Id: Net.cc 6915 2009-09-22 05:04:17Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Net.h b/src/Net.h index 3569e85336..9e68cc025b 100644 --- a/src/Net.h +++ b/src/Net.h @@ -1,5 +1,3 @@ -// $Id: Net.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef net_h diff --git a/src/NetVar.cc b/src/NetVar.cc index cc40681494..25e4f7a0bc 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -1,5 +1,3 @@ -// $Id: NetVar.cc 6887 2009-08-20 05:17:33Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NetVar.h b/src/NetVar.h index b9667a19c9..f8def230c0 100644 --- a/src/NetVar.h +++ b/src/NetVar.h 
@@ -1,5 +1,3 @@ -// $Id: NetVar.h 6887 2009-08-20 05:17:33Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef netvar_h diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc index 0bb135f59d..274e76f137 100644 --- a/src/NetbiosSSN.cc +++ b/src/NetbiosSSN.cc @@ -1,5 +1,3 @@ -// $Id: NetbiosSSN.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index ba724fa2fb..7c4dd91b90 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -1,5 +1,3 @@ -// $Id: NetbiosSSN.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef netbios_ssn_h diff --git a/src/OSFinger.cc b/src/OSFinger.cc index e8fd929885..70504e8422 100644 --- a/src/OSFinger.cc +++ b/src/OSFinger.cc @@ -1,5 +1,3 @@ -// $Id: OSFinger.cc 5857 2008-06-26 23:00:03Z vern $ - /* Taken with permission from: diff --git a/src/OSFinger.h b/src/OSFinger.h index f1f9e492f2..1e745505eb 100644 --- a/src/OSFinger.h +++ b/src/OSFinger.h @@ -1,5 +1,3 @@ -// $Id: OSFinger.h 5857 2008-06-26 23:00:03Z vern $ - // Taken with permission from: // // p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE) diff --git a/src/Obj.cc b/src/Obj.cc index dfa8ed0148..91aea0989b 100644 --- a/src/Obj.cc +++ b/src/Obj.cc @@ -1,5 +1,3 @@ -// $Id: Obj.cc 6752 2009-06-14 04:24:52Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Obj.h b/src/Obj.h index d5a60aa972..be0d91b398 100644 --- a/src/Obj.h +++ b/src/Obj.h @@ -1,5 +1,3 @@ -// $Id: Obj.h 6781 2009-06-28 00:50:04Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef obj_h diff --git a/src/Op.h b/src/Op.h index 7c8d4afe38..a628a6bb68 100644 --- a/src/Op.h +++ b/src/Op.h 
@@ -1,5 +1,3 @@ -// $Id: Op.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef op_h diff --git a/src/PIA.cc b/src/PIA.cc index 32c0b40fc5..6a00e7e1d0 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -1,5 +1,3 @@ -// $Id: PIA.cc,v 1.1.2.14 2006/05/31 23:19:07 sommer Exp $ - #include "PIA.h" #include "RuleMatcher.h" #include "TCP_Reassembler.h" diff --git a/src/PIA.h b/src/PIA.h index 8a1079f617..907350bbdf 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -1,5 +1,3 @@ -// $Id:$ -// // An analyzer for application-layer protocol-detection. #ifndef PIA_H diff --git a/src/POP3.cc b/src/POP3.cc index b364541be1..4ffe67ef48 100644 --- a/src/POP3.cc +++ b/src/POP3.cc @@ -1,5 +1,3 @@ -// $Id: POP3.cc 6782 2009-06-28 02:19:03Z vern $ - // This code contributed to Bro by Florian Schimandl, Hugh Dollman and // Robin Sommer. diff --git a/src/POP3.h b/src/POP3.h index 6ad0a7e755..8d09d5e686 100644 --- a/src/POP3.h +++ b/src/POP3.h @@ -1,5 +1,3 @@ -// $Id: POP3.h 3526 2006-09-12 07:32:21Z vern $ - // This code contributed to Bro by Florian Schimandl and Hugh Dollman. // // An analyser for the POP3 protocol. diff --git a/src/PacketDumper.cc b/src/PacketDumper.cc index d401cd63cb..84b22ff17c 100644 --- a/src/PacketDumper.cc +++ b/src/PacketDumper.cc @@ -1,5 +1,3 @@ -// $Id:$ -// // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/PacketDumper.h b/src/PacketDumper.h index b0d5943b36..baace47876 100644 --- a/src/PacketDumper.h +++ b/src/PacketDumper.h @@ -1,5 +1,3 @@ -// $Id:$ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef packetdumper_h diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc index fa88350713..9b6b881ce5 100644 --- a/src/PacketFilter.cc +++ b/src/PacketFilter.cc 
@@ -1,5 +1,3 @@ -// $Id: PacketFilter.cc 967 2005-01-03 07:19:06Z vern $ - #include "PacketFilter.h" void PacketFilter::AddSrc(addr_type src, uint32 tcp_flags, double probability) diff --git a/src/PacketFilter.h b/src/PacketFilter.h index 6a70504280..ed8000f40f 100644 --- a/src/PacketFilter.h +++ b/src/PacketFilter.h @@ -1,5 +1,3 @@ -// $Id: PacketFilter.h 80 2004-07-14 20:15:50Z jason $ -// // Provides some very limited but fast packet filter mechanisms #ifndef PACKETFILTER_H diff --git a/src/PacketSort.cc b/src/PacketSort.cc index 8beaa51474..0ff08b3280 100644 --- a/src/PacketSort.cc +++ b/src/PacketSort.cc @@ -1,5 +1,3 @@ -// $Id: PacketSort.cc 3228 2006-06-08 02:12:03Z vern $ - #include "IP.h" #include "PacketSort.h" diff --git a/src/PacketSort.h b/src/PacketSort.h index 6c6a4f4994..199da0732f 100644 --- a/src/PacketSort.h +++ b/src/PacketSort.h @@ -1,5 +1,3 @@ -// $Id: PacketSort.h 3228 2006-06-08 02:12:03Z vern $ - #ifndef packetsort_h #define packetsort_h diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc index 60247c7519..c72f59c0dd 100644 --- a/src/PersistenceSerializer.cc +++ b/src/PersistenceSerializer.cc @@ -1,5 +1,3 @@ -// $Id: PersistenceSerializer.cc 6752 2009-06-14 04:24:52Z vern $ - #include #include #include diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h index 572ab0238e..dcd712bf84 100644 --- a/src/PersistenceSerializer.h +++ b/src/PersistenceSerializer.h @@ -1,5 +1,3 @@ -// $Id: PersistenceSerializer.h 2698 2006-04-03 05:50:52Z vern $ -// // Implements persistance for Bro's data structures. #ifndef persistence_serializer_h diff --git a/src/PktSrc.cc b/src/PktSrc.cc index c3f47d651f..014f611e59 100644 --- a/src/PktSrc.cc +++ b/src/PktSrc.cc @@ -1,5 +1,3 @@ -// $Id: PktSrc.cc 6951 2009-12-04 22:23:28Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/PktSrc.h b/src/PktSrc.h index 04524ec405..70eef4dd00 100644 --- a/src/PktSrc.h 
+++ b/src/PktSrc.h @@ -1,5 +1,3 @@ -// $Id: PktSrc.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef pktsrc_h diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index 22a6a96cb6..53b115048a 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc @@ -1,5 +1,3 @@ -// $Id: PolicyFile.cc 1473 2005-10-06 21:32:45Z vern $ - #include "config.h" #include diff --git a/src/PolicyFile.h b/src/PolicyFile.h index ac040d5584..62c475a98b 100644 --- a/src/PolicyFile.h +++ b/src/PolicyFile.h @@ -1,5 +1,3 @@ -// $Id: PolicyFile.h 80 2004-07-14 20:15:50Z jason $ - // Functions for displaying the contents of policy files. // Mostly useful for debugging code that wants to show context. // diff --git a/src/Portmap.cc b/src/Portmap.cc index e806acdc7a..dd1049a361 100644 --- a/src/Portmap.cc +++ b/src/Portmap.cc @@ -1,5 +1,3 @@ -// $Id: Portmap.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Portmap.h b/src/Portmap.h index cb2cb1293c..62e954bc80 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -1,5 +1,3 @@ -// $Id: Portmap.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef portmap_h diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc index 03e1495957..e04c3f9294 100644 --- a/src/PrefixTable.cc +++ b/src/PrefixTable.cc @@ -1,5 +1,3 @@ -// $Id: PrefixTable.cc 1016 2005-01-31 21:23:50Z vern $ - #include "PrefixTable.h" #include "Reporter.h" diff --git a/src/PrefixTable.h b/src/PrefixTable.h index b718b3c561..78596c7f35 100644 --- a/src/PrefixTable.h +++ b/src/PrefixTable.h @@ -1,5 +1,3 @@ -// $Id: PrefixTable.h 969 2005-01-04 06:36:21Z vern $ - #ifndef PREFIXTABLE_H #define PREFIXTABLE_H diff --git a/src/PriorityQueue.cc b/src/PriorityQueue.cc index d94ccba7d6..8db161b10a 100644 --- a/src/PriorityQueue.cc +++ b/src/PriorityQueue.cc 
@@ -1,5 +1,3 @@ -// $Id: PriorityQueue.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h index 45028553ce..87e10aa7ac 100644 --- a/src/PriorityQueue.h +++ b/src/PriorityQueue.h @@ -1,5 +1,3 @@ -// $Id: PriorityQueue.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef __PriorityQueue__ diff --git a/src/Queue.cc b/src/Queue.cc index a0de35777b..28bcb92405 100644 --- a/src/Queue.cc +++ b/src/Queue.cc @@ -1,5 +1,3 @@ -// $Id: Queue.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Queue.h b/src/Queue.h index 293d74ba7a..c9a69ad926 100644 --- a/src/Queue.h +++ b/src/Queue.h @@ -1,5 +1,3 @@ -// $Id: Queue.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef queue_h diff --git a/src/RE.cc b/src/RE.cc index af72d84519..b6f1a1361f 100644 --- a/src/RE.cc +++ b/src/RE.cc @@ -1,5 +1,3 @@ -// $Id: RE.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/RE.h b/src/RE.h index f46f835649..a2fc709c88 100644 --- a/src/RE.h +++ b/src/RE.h @@ -1,5 +1,3 @@ -// $Id: RE.h 6781 2009-06-28 00:50:04Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef re_h diff --git a/src/RPC.cc b/src/RPC.cc index 02fb20a436..81fd6709b1 100644 --- a/src/RPC.cc +++ b/src/RPC.cc @@ -1,5 +1,3 @@ -// $Id: RPC.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/RPC.h b/src/RPC.h index 1b75b6cc48..0eee423460 100644 --- a/src/RPC.h +++ b/src/RPC.h 
@@ -1,5 +1,3 @@ -// $Id: RPC.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef rpc_h diff --git a/src/RSH.cc b/src/RSH.cc index cbbce944f5..ceef3ba7a4 100644 --- a/src/RSH.cc +++ b/src/RSH.cc @@ -1,5 +1,3 @@ -// $Id: RSH.cc 6219 2008-10-01 05:39:07Z vern $ - // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/RSH.h b/src/RSH.h index 8a6c5fde6f..136d0b07f1 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -1,5 +1,3 @@ -// $Id: RSH.h 6219 2008-10-01 05:39:07Z vern $ - // See the file "COPYING" in the main distribution directory for copyright. #ifndef rsh_h diff --git a/src/Reassem.cc b/src/Reassem.cc index 319fcbff3b..89fe29e7d4 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -1,5 +1,3 @@ -// $Id: Reassem.cc 6703 2009-05-13 22:27:44Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/Reassem.h b/src/Reassem.h index 1563732180..06d1e28f40 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -1,5 +1,3 @@ -// $Id: Reassem.h 6703 2009-05-13 22:27:44Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef reassem_h diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 814f387718..f9694f597e 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -1,5 +1,3 @@ -// $Id: RemoteSerializer.cc 6951 2009-12-04 22:23:28Z vern $ -// // Processes involved in the communication: // // (Local-Parent) <-> (Local-Child) <-> (Remote-Child) <-> (Remote-Parent) diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index 5374e6f931..395cca2ad9 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -1,5 +1,3 @@ -// $Id: RemoteSerializer.h 6951 2009-12-04 22:23:28Z vern $ -// // Communication between two Bro's. #ifndef REMOTE_SERIALIZER diff --git a/src/Reporter.cc b/src/Reporter.cc index b3dfe9765d..b2bffd3432 100644 
--- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -303,6 +303,12 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Conne s += "\n"; fprintf(out, "%s", s.c_str()); + + if ( addl ) + { + loop_over_list(*addl, i) + Unref((*addl)[i]); + } } if ( alloced ) diff --git a/src/Rlogin.cc b/src/Rlogin.cc index 6dd1cc362d..1ad3f16d7e 100644 --- a/src/Rlogin.cc +++ b/src/Rlogin.cc @@ -1,5 +1,3 @@ -// $Id: Rlogin.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Rlogin.h b/src/Rlogin.h index ae1946369c..f8ad480630 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -1,5 +1,3 @@ -// $Id: Rlogin.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef rlogin_h diff --git a/src/Rule.cc b/src/Rule.cc index f54a725320..e9847c1721 100644 --- a/src/Rule.cc +++ b/src/Rule.cc @@ -1,5 +1,3 @@ -// $Id: Rule.cc 6914 2009-09-22 00:35:24Z vern $ - #include "config.h" #include "Rule.h" diff --git a/src/Rule.h b/src/Rule.h index e95dadc074..959008fbf9 100644 --- a/src/Rule.h +++ b/src/Rule.h @@ -1,5 +1,3 @@ -// $Id: Rule.h 6914 2009-09-22 00:35:24Z vern $ - #ifndef rule_h #define rule_h diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 9fe807ffb2..bf90c0681e 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -1,5 +1,3 @@ -// $Id: RuleAction.cc 5906 2008-07-03 19:52:50Z vern $ - #include using std::string; diff --git a/src/RuleAction.h b/src/RuleAction.h index 33d37bc6e2..a9feb0c314 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -1,5 +1,3 @@ -// $Id: RuleAction.h 5880 2008-06-30 17:42:45Z vern $ - #ifndef ruleaction_h #define ruleaction_h diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 78dbee39cd..1b94fcffe6 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
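Review bot: The Unref loop added after the fprintf in Reporter::DoLog releases the Vals in `addl` only on this branch, which is right only if the other branch of the enclosing `if` (outside the hunk, presumably the one that queues an event) hands those same Vals to the event and never reaches this point; a comment should pin that contract so a later edit neither adds a second Unref nor drops this one: `// addl's Vals are owned by DoLog: handed to the queued event above, released here when only printing.` The val_list object itself is deliberately left alone, which matches the caller owning the list, and is worth stating in the same comment. DoLog starts and ends outside the hunk.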
@@ -1,5 +1,3 @@ -// $Id: RuleCondition.cc 6008 2008-07-23 00:24:22Z vern $ - #include "config.h" #include "RuleCondition.h" diff --git a/src/RuleCondition.h b/src/RuleCondition.h index a092543d62..b859930581 100644 --- a/src/RuleCondition.h +++ b/src/RuleCondition.h @@ -1,5 +1,3 @@ -// $Id: RuleCondition.h 80 2004-07-14 20:15:50Z jason $ - #ifndef rulecondition_h #define rulecondition_h diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 1ca891883d..311d9814f3 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -1,5 +1,3 @@ -// $Id: RuleMatcher.cc 6724 2009-06-07 09:23:03Z vern $ - #include #include "config.h" diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 085253c16e..5bba69e130 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -1,5 +1,3 @@ -// $Id: RuleMatcher.h 3526 2006-09-12 07:32:21Z vern $ - #ifndef sigs_h #define sigs_h diff --git a/src/SMB.cc b/src/SMB.cc index 5b3db68db9..edce2a69b8 100644 --- a/src/SMB.cc +++ b/src/SMB.cc @@ -1,5 +1,3 @@ -// $Id: SMB.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "NetVar.h" diff --git a/src/SMB.h b/src/SMB.h index 408fa91068..f7287efb79 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -1,5 +1,3 @@ -// $Id: SMB.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smb_h diff --git a/src/SMTP.cc b/src/SMTP.cc index 5822d9d75f..3af8af3b7b 100644 --- a/src/SMTP.cc +++ b/src/SMTP.cc @@ -1,5 +1,3 @@ -// $Id: SMTP.cc 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/SMTP.h b/src/SMTP.h index 69a5bc3e24..5b15dc44c0 100644 --- a/src/SMTP.h +++ b/src/SMTP.h @@ -1,5 +1,3 @@ -// $Id: SMTP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smtp_h 
diff --git a/src/SMTP_cmd.def b/src/SMTP_cmd.def index 79667ba7bd..545136048d 100644 --- a/src/SMTP_cmd.def +++ b/src/SMTP_cmd.def @@ -1,5 +1,3 @@ -// $Id: SMTP_cmd.def 80 2004-07-14 20:15:50Z jason $ -// // Definitions of SMTP commands. SMTP_CMD_DEF(EHLO) diff --git a/src/SSH.cc b/src/SSH.cc index b4ca9aa153..c07aad3dd1 100644 --- a/src/SSH.cc +++ b/src/SSH.cc @@ -1,5 +1,3 @@ -// $Id: SSH.cc 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/SSH.h b/src/SSH.h index 503b1abcbe..ccdcd76929 100644 --- a/src/SSH.h +++ b/src/SSH.h @@ -1,5 +1,3 @@ -// $Id: SSH.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef ssh_h diff --git a/src/SSLv2.cc b/src/SSLv2.cc index f699b7bfdb..9fa654048d 100644 --- a/src/SSLv2.cc +++ b/src/SSLv2.cc @@ -1,5 +1,3 @@ -// $Id: SSLv2.cc 5988 2008-07-19 07:02:12Z vern $ - #include "SSLv2.h" #include "SSLv3.h" diff --git a/src/Scope.cc b/src/Scope.cc index 297446a9f0..081a9e3333 100644 --- a/src/Scope.cc +++ b/src/Scope.cc @@ -1,5 +1,3 @@ -// $Id: Scope.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Scope.h b/src/Scope.h index 1ed8d6da42..1ef58d871c 100644 --- a/src/Scope.h +++ b/src/Scope.h @@ -1,5 +1,3 @@ -// $Id: Scope.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef scope_h diff --git a/src/ScriptAnaly.cc b/src/ScriptAnaly.cc index 700c0ed4e8..bca75cc800 100644 --- a/src/ScriptAnaly.cc +++ b/src/ScriptAnaly.cc @@ -1,5 +1,3 @@ -// $Id: ScriptAnaly.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "Dict.h" diff --git a/src/ScriptAnaly.h b/src/ScriptAnaly.h index 180971e769..0561ecd389 100644 --- a/src/ScriptAnaly.h 
+++ b/src/ScriptAnaly.h @@ -1,5 +1,3 @@ -// $Id: ScriptAnaly.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef scriptanaly_h diff --git a/src/SerialInfo.h b/src/SerialInfo.h index 3ed2e91d26..d322aa4b37 100644 --- a/src/SerialInfo.h +++ b/src/SerialInfo.h @@ -1,5 +1,3 @@ -// $Id: SerialInfo.h 6752 2009-06-14 04:24:52Z vern $ -// // Helper classes to pass data between serialization methods. #ifndef serialinfo_h diff --git a/src/SerialObj.cc b/src/SerialObj.cc index cddb0b0963..6921115c56 100644 --- a/src/SerialObj.cc +++ b/src/SerialObj.cc @@ -1,5 +1,3 @@ -// $Id: SerialObj.cc 7075 2010-09-13 02:39:38Z vern $ - #include "SerialObj.h" #include "Serializer.h" diff --git a/src/SerialObj.h b/src/SerialObj.h index 4a12d53fe6..c3dc65684c 100644 --- a/src/SerialObj.h +++ b/src/SerialObj.h @@ -1,5 +1,3 @@ -// $Id: SerialObj.h 6752 2009-06-14 04:24:52Z vern $ -// // Infrastructure for serializable objects. // // How to make objects of class Foo serializable: diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 4d9b7a5880..0ba48f89a9 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -1,5 +1,3 @@ -// $Id: SerialTypes.h 6752 2009-06-14 04:24:52Z vern $ - #ifndef serialtypes_h #define serialtypes_h diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc index b229cbbc87..5e3a68a42e 100644 --- a/src/SerializationFormat.cc +++ b/src/SerializationFormat.cc @@ -1,5 +1,3 @@ -// $Id: SerializationFormat.cc 5873 2008-06-28 19:25:03Z vern $ - #include #include "net_util.h" diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h index b9c7ec1549..2067456bf1 100644 --- a/src/SerializationFormat.h +++ b/src/SerializationFormat.h @@ -1,5 +1,3 @@ -// $Id: SerializationFormat.h 5873 2008-06-28 19:25:03Z vern $ -// // Implements different data formats for serialization. #ifndef SERIALIZATION_FORMAT diff --git a/src/Serializer.cc b/src/Serializer.cc index 96821408a5..a29cb93b77 100644 
--- a/src/Serializer.cc +++ b/src/Serializer.cc @@ -1,5 +1,3 @@ -// $Id: Serializer.cc 6752 2009-06-14 04:24:52Z vern $ - #include #include #include diff --git a/src/Serializer.h b/src/Serializer.h index 857abc0980..eabdbc62c1 100644 --- a/src/Serializer.h +++ b/src/Serializer.h @@ -1,5 +1,3 @@ -// $Id: Serializer.h 6752 2009-06-14 04:24:52Z vern $ - #ifndef SERIALIZER_H #define SERIALIZER_H diff --git a/src/Sessions.cc b/src/Sessions.cc index 1678f6798f..3825f35f62 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -1,5 +1,3 @@ -// $Id: Sessions.cc 7075 2010-09-13 02:39:38Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/Sessions.h b/src/Sessions.h index 6adc333282..452de874db 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -1,5 +1,3 @@ -// $Id: Sessions.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef sessions_h diff --git a/src/SmithWaterman.cc b/src/SmithWaterman.cc index 3f27018550..ef329e49a5 100644 --- a/src/SmithWaterman.cc +++ b/src/SmithWaterman.cc @@ -1,5 +1,3 @@ -// $Id: SmithWaterman.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h index c8c80d09af..6ea191f5d9 100644 --- a/src/SmithWaterman.h +++ b/src/SmithWaterman.h @@ -1,5 +1,3 @@ -// $Id: SmithWaterman.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef smith_waterman_h diff --git a/src/StateAccess.cc b/src/StateAccess.cc index ef4c257f6b..e62904469c 100644 --- a/src/StateAccess.cc +++ b/src/StateAccess.cc @@ -1,5 +1,3 @@ -// $Id: StateAccess.cc 6888 2009-08-20 18:23:11Z vern $ - #include "Val.h" #include "StateAccess.h" #include "Serializer.h" diff --git a/src/StateAccess.h b/src/StateAccess.h index 1154756c83..bc5064602b 100644 --- a/src/StateAccess.h 
+++ b/src/StateAccess.h @@ -1,5 +1,3 @@ -// $Id: StateAccess.h 6781 2009-06-28 00:50:04Z vern $ -// // A class describing a state-modyfing access to a Value or an ID. #ifndef STATEACESSS_H diff --git a/src/Stats.cc b/src/Stats.cc index 28c0b38c22..4798a789a7 100644 --- a/src/Stats.cc +++ b/src/Stats.cc @@ -1,5 +1,3 @@ -// $Id: Stats.cc 7008 2010-03-25 02:42:20Z vern $ - #include "Conn.h" #include "File.h" #include "Event.h" diff --git a/src/Stats.h b/src/Stats.h index 8acb7ef190..eeebfe2213 100644 --- a/src/Stats.h +++ b/src/Stats.h @@ -1,5 +1,3 @@ -// $Id: Stats.h 6703 2009-05-13 22:27:44Z vern $ -// // Classes that collect and report statistics. #ifndef STATS_H diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc index 96652456bf..32850d82c6 100644 --- a/src/SteppingStone.cc +++ b/src/SteppingStone.cc @@ -1,5 +1,3 @@ -// $Id: SteppingStone.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/SteppingStone.h b/src/SteppingStone.h index 15165387f9..a47b268c83 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -1,5 +1,3 @@ -// $Id: SteppingStone.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef steppingstone_h diff --git a/src/Stmt.cc b/src/Stmt.cc index 80603a717b..6a83940b3b 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -1,5 +1,3 @@ -// $Id: Stmt.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Stmt.h b/src/Stmt.h index bbfdd98bfd..8e3a4b4118 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -1,5 +1,3 @@ -// $Id: Stmt.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef stmt_h diff --git a/src/StmtEnums.h b/src/StmtEnums.h index c00b16112f..f431e3fea1 100644 --- a/src/StmtEnums.h +++ b/src/StmtEnums.h 
@@ -1,5 +1,3 @@ -// $Id: StmtEnums.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/TCP.cc b/src/TCP.cc index 4c56eb7ff9..0fae07a24d 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -1,5 +1,3 @@ -// $Id: TCP.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/TCP.h b/src/TCP.h index 1db8c1ed68..65f437856a 100644 --- a/src/TCP.h +++ b/src/TCP.h @@ -1,5 +1,3 @@ -// $Id: TCP.h 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef TCP_H diff --git a/src/TCP_Endpoint.cc b/src/TCP_Endpoint.cc index 6d74a1d818..5a65a18d7c 100644 --- a/src/TCP_Endpoint.cc +++ b/src/TCP_Endpoint.cc @@ -1,5 +1,3 @@ -// $Id: TCP_Endpoint.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "Net.h" diff --git a/src/TCP_Endpoint.h b/src/TCP_Endpoint.h index baae2037c4..758a504ff5 100644 --- a/src/TCP_Endpoint.h +++ b/src/TCP_Endpoint.h @@ -1,5 +1,3 @@ -// $Id: TCP_Endpoint.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef tcpendpoint_h diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc index bbde905320..ba31ab68d0 100644 --- a/src/TCP_Reassembler.cc +++ b/src/TCP_Reassembler.cc @@ -1,5 +1,3 @@ -// $Id: TCP_Reassembler.cc,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $ - #include #include "Analyzer.h" diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h index 772c5f6f9c..cb1750e2a2 100644 --- a/src/TCP_Reassembler.h +++ b/src/TCP_Reassembler.h @@ -1,5 +1,3 @@ -// $Id: TCP_Reassembler.h,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $ - #ifndef TCP_REASSEMBLER_H #define TCP_REASSEMBLER_H diff --git a/src/Telnet.cc b/src/Telnet.cc index 91151fe735..62c7d7b500 100644 --- a/src/Telnet.cc +++ b/src/Telnet.cc 
@@ -1,5 +1,3 @@ -// $Id: Telnet.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Telnet.h b/src/Telnet.h index 89150bcbc7..5675775789 100644 --- a/src/Telnet.h +++ b/src/Telnet.h @@ -1,5 +1,3 @@ -// $Id: Telnet.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef telnet_h diff --git a/src/Timer.cc b/src/Timer.cc index c7feb0bbd8..2e2fb09c6b 100644 --- a/src/Timer.cc +++ b/src/Timer.cc @@ -1,5 +1,3 @@ -// $Id: Timer.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Timer.h b/src/Timer.h index c98aeefc22..bb6b8d56ae 100644 --- a/src/Timer.h +++ b/src/Timer.h @@ -1,5 +1,3 @@ -// $Id: Timer.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef timer_h diff --git a/src/Traverse.cc b/src/Traverse.cc index 733ceb450c..78eed27800 100644 --- a/src/Traverse.cc +++ b/src/Traverse.cc @@ -1,5 +1,3 @@ -// $Id: Traverse.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "Scope.h" diff --git a/src/Traverse.h b/src/Traverse.h index ea300fad18..3791a9bbdc 100644 --- a/src/Traverse.h +++ b/src/Traverse.h @@ -1,5 +1,3 @@ -// $Id: Traverse.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef traverse_h diff --git a/src/TraverseTypes.h b/src/TraverseTypes.h index 0cba17a5a9..b0528f34be 100644 --- a/src/TraverseTypes.h +++ b/src/TraverseTypes.h @@ -1,5 +1,3 @@ -// $Id: TraverseTypes.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef statictypes_h diff --git a/src/Trigger.cc b/src/Trigger.cc index 45d1959ee7..272d03a859 100644 
--- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -1,5 +1,3 @@ -// $Id: Trigger.cc 2359 2005-12-21 23:55:32Z vern $ - #include #include "Trigger.h" diff --git a/src/Trigger.h b/src/Trigger.h index 7f9931b033..8001308bce 100644 --- a/src/Trigger.h +++ b/src/Trigger.h @@ -1,5 +1,3 @@ -// $Id: Trigger.h 2359 2005-12-21 23:55:32Z vern $ - #ifndef TRIGGER_H #define TRIGGER_H diff --git a/src/Type.cc b/src/Type.cc index c2ab7e85df..2bee9c50b2 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1,5 +1,3 @@ -// $Id: Type.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Type.h b/src/Type.h index 1d7637828d..5ebc5761a3 100644 --- a/src/Type.h +++ b/src/Type.h @@ -1,5 +1,3 @@ -// $Id: Type.h 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef type_h diff --git a/src/UDP.cc b/src/UDP.cc index 5331560eff..35e9f58388 100644 --- a/src/UDP.cc +++ b/src/UDP.cc @@ -1,5 +1,3 @@ -// $Id: UDP.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/UDP.h b/src/UDP.h index b04c5e3ef0..5124adf4cd 100644 --- a/src/UDP.h +++ b/src/UDP.h @@ -1,5 +1,3 @@ -// $Id: UDP.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef udp_h diff --git a/src/Val.cc b/src/Val.cc index 0285cba645..43288e99e2 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1,5 +1,3 @@ -// $Id: Val.cc 6945 2009-11-27 19:25:10Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" 
@@ -2865,7 +2863,7 @@ Val* RecordVal::LookupWithDefault(int field) const
 return record_type->FieldDefault(field);
 }
-RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr) const
+RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr, bool allow_orphaning) const
 {
 if ( ! record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
 return 0;
@@ -2885,6 +2883,9 @@ RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr) const
 if ( t_i < 0 )
 {
+ if ( allow_orphaning )
+ continue;
+
 char buf[512];
 safe_snprintf(buf, sizeof(buf),
 "orphan field \"%s\" in initialization",
@@ -2918,7 +2919,7 @@ RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr) const
 return ar;
 }
-RecordVal* RecordVal::CoerceTo(RecordType* t)
+RecordVal* RecordVal::CoerceTo(RecordType* t, bool allow_orphaning)
 {
 if ( same_type(Type(), t) )
 {
@@ -2926,7 +2927,7 @@ RecordVal* RecordVal::CoerceTo(RecordType* t)
 return this;
 }
- return CoerceTo(t, 0);
+ return CoerceTo(t, 0, allow_orphaning);
 }
 void RecordVal::Describe(ODesc* d) const
diff --git a/src/Val.h b/src/Val.h
index c9f780a738..6ba16114db 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1,5 +1,3 @@
-// $Id: Val.h 6916 2009-09-24 20:48:36Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef val_h
@@ -909,8 +907,11 @@ public:
 // *aggr* is optional; if non-zero, we add to it. See
 // Expr::InitVal(). We leave it out in the non-const version to make
 // the choice unambigious.
- RecordVal* CoerceTo(const RecordType* other, Val* aggr) const;
- RecordVal* CoerceTo(RecordType* other);
+ //
+ // The *allow_orphaning* parameter allows for a record to be demoted
+ // down to a record type that contains less fields.
+ RecordVal* CoerceTo(const RecordType* other, Val* aggr, bool allow_orphaning = false) const;
+ RecordVal* CoerceTo(RecordType* other, bool allow_orphaning = false);
 unsigned int MemoryAllocation() const;
 void DescribeReST(ODesc* d) const;
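Review bot: The defaulted `bool allow_orphaning = false` on the non-const `CoerceTo(RecordType*, bool)` reintroduces the overload overlap the surrounding comment says *aggr* was left out to avoid: by my reading of overload resolution, a two-argument call `rv->CoerceTo(t, 0)` on a non-const RecordVal with a non-const `t` now picks the non-const overload (0 converted to false) instead of the const `(t, aggr)` overload it used before, and so gains the `same_type` shortcut that returns `this`. If any such caller exists outside this diff its meaning changes silently; declaring the parameter without a default on the non-const overload, `RecordVal* CoerceTo(RecordType* other, bool allow_orphaning);`, or giving the overloads distinct names, removes that risk. While the comment is being touched it should also say that orphan fields are dropped silently rather than reported when the flag is set, and fix "less fields" and "unambigious". Both CoerceTo bodies continue outside the hunks.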
diff --git a/src/Var.cc b/src/Var.cc index 390b6b3684..897a454670 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -1,5 +1,3 @@ -// $Id: Var.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/Var.h b/src/Var.h index 6b4ddaece2..8b9866ed2d 100644 --- a/src/Var.h +++ b/src/Var.h @@ -1,5 +1,3 @@ -// $Id: Var.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef var_h diff --git a/src/X509.cc b/src/X509.cc index 783bccdad1..55b6b78f04 100644 --- a/src/X509.cc +++ b/src/X509.cc @@ -1,5 +1,3 @@ -// $Id: X509.cc 6724 2009-06-07 09:23:03Z vern $ - #include #include "X509.h" diff --git a/src/XDR.cc b/src/XDR.cc index 53e9a4b2dd..96d855ddbd 100644 --- a/src/XDR.cc +++ b/src/XDR.cc @@ -1,5 +1,3 @@ -// $Id: XDR.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/XDR.h b/src/XDR.h index 2c6e1d69ac..65192d6067 100644 --- a/src/XDR.h +++ b/src/XDR.h @@ -1,5 +1,3 @@ -// $Id: XDR.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef xdr_h diff --git a/src/ZIP.cc b/src/ZIP.cc index 84643c2874..26095d1f11 100644 --- a/src/ZIP.cc +++ b/src/ZIP.cc @@ -1,5 +1,3 @@ -// $Id: ZIP.cc,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "ZIP.h" diff --git a/src/ZIP.h b/src/ZIP.h index 3debb6c3c8..ab5d2ce68b 100644 --- a/src/ZIP.h +++ b/src/ZIP.h @@ -1,5 +1,3 @@ -// $Id: ZIP.h,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef zip_h diff --git a/src/bif_arg.cc b/src/bif_arg.cc index 5900c117eb..a4772e4d73 100644 --- a/src/bif_arg.cc +++ b/src/bif_arg.cc 
@@ -1,5 +1,3 @@ -// $Id: bif_arg.cc 3234 2006-06-08 02:38:11Z vern $ - #include "config.h" #include diff --git a/src/bif_arg.h b/src/bif_arg.h index 0462f6e173..4ba6fa0c4f 100644 --- a/src/bif_arg.h +++ b/src/bif_arg.h @@ -1,5 +1,3 @@ -// $Id: bif_arg.h 3234 2006-06-08 02:38:11Z vern $ - #ifndef bif_arg_h #define bif_arg_h diff --git a/src/bif_type.def b/src/bif_type.def index e9bf22eafc..4e206ceea2 100644 --- a/src/bif_type.def +++ b/src/bif_type.def @@ -1,5 +1,3 @@ -// $Id: bif_type.def 5083 2007-11-28 17:42:58Z vern $ - // DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "addr_type", "%s->AsAddr()", "new AddrVal(%s)") diff --git a/src/binpac-lib.pac b/src/binpac-lib.pac index 4e95a1a3db..2c501d90a4 100644 --- a/src/binpac-lib.pac +++ b/src/binpac-lib.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include diff --git a/src/binpac.pac b/src/binpac.pac index 8704fb5a61..ae601ce6b9 100644 --- a/src/binpac.pac +++ b/src/binpac.pac @@ -1,5 +1,3 @@ -# $Id:$ - # Prototypes for functions implemented in binpac-lib.pac. function bytestring_to_int(s: const_bytestring, base: int): int; diff --git a/src/binpac_bro-lib.pac b/src/binpac_bro-lib.pac index 20648e2d4f..c7cee6dc98 100644 --- a/src/binpac_bro-lib.pac +++ b/src/binpac_bro-lib.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include "util.h" %} diff --git a/src/binpac_bro.h b/src/binpac_bro.h index ffeb4ff28d..dcdbe94f57 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -1,5 +1,3 @@ -// $Id:$ - #ifndef binpac_bro_h #define binpac_bro_h diff --git a/src/bittorrent-analyzer.pac b/src/bittorrent-analyzer.pac index 7e8678b7de..ee7a70ea21 100644 --- a/src/bittorrent-analyzer.pac +++ b/src/bittorrent-analyzer.pac @@ -1,5 +1,3 @@ -# $Id:$ -# # This code contributed by Nadi Sarrar. connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) { diff --git a/src/bittorrent-protocol.pac b/src/bittorrent-protocol.pac index 8bd1652cfa..d3a147f157 100644 
--- a/src/bittorrent-protocol.pac +++ b/src/bittorrent-protocol.pac @@ -1,5 +1,3 @@ -# $Id:$ -# # This code contributed by Nadi Sarrar. enum BitTorrent_peer_msg_type { diff --git a/src/bro.bif b/src/bro.bif index 5629805ec5..03ed17a449 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1,5 +1,3 @@ -# $Id: bro.bif 7075 2010-09-13 02:39:38Z vern $ -# # Definitions of Bro built-in functions. %%{ // C segment diff --git a/src/bro.pac b/src/bro.pac index 169f7c27ef..b622041c12 100644 --- a/src/bro.pac +++ b/src/bro.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include "binpac_bro.h" %} diff --git a/src/bsd-getopt-long.c b/src/bsd-getopt-long.c index 5b3cc093b0..7ecb064fc8 100644 --- a/src/bsd-getopt-long.c +++ b/src/bsd-getopt-long.c @@ -1,5 +1,3 @@ -/* $Id: bsd-getopt-long.c 1362 2005-09-12 19:49:08Z vern $ */ - /* $OpenBSD: getopt_long.c,v 1.17 2004/06/03 18:46:52 millert Exp $ */ /* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */ diff --git a/src/bsd-getopt-long.h b/src/bsd-getopt-long.h index e2c381f3b7..c94589afaa 100644 --- a/src/bsd-getopt-long.h +++ b/src/bsd-getopt-long.h @@ -1,5 +1,3 @@ -/* $Id: bsd-getopt-long.h 1361 2005-09-12 19:48:26Z vern $ */ - /* $OpenBSD: getopt_long.c,v 1.13 2003/06/03 01:52:40 millert Exp $ */ /* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */ diff --git a/src/builtin-func.l b/src/builtin-func.l index 9e69adc69d..1d61f31734 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -1,6 +1,4 @@ %{ -// $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $ - #include #include #include "bif_arg.h" diff --git a/src/const.bif b/src/const.bif index 825c21e7a5..96630e300b 100644 --- a/src/const.bif +++ b/src/const.bif @@ -1,5 +1,3 @@ -# $Id: const.bif 3929 2007-01-14 00:37:59Z vern $ - # Documentation and default values for these are located in policy/bro.init. const ignore_keep_alive_rexmit: bool; diff --git a/src/cq.c b/src/cq.c index b669dabd35..c5405e526a 100644 --- a/src/cq.c +++ b/src/cq.c 
@@ -2,11 +2,6 @@ * See the file "COPYING" in the main distribution directory for copyright. */ -#ifndef lint -static const char rcsid[] = - "@(#) $Id: cq.c 6219 2008-10-01 05:39:07Z vern $ (LBL)"; -#endif - #include #include diff --git a/src/cq.h b/src/cq.h index 38c5204f0c..540cccde74 100644 --- a/src/cq.h +++ b/src/cq.h @@ -1,5 +1,3 @@ -/* @(#) $Id: cq.h 80 2004-07-14 20:15:50Z jason $ (LBL) */ - struct cq_handle *cq_init(double, double); void cq_destroy(struct cq_handle *); int cq_enqueue(struct cq_handle *, double, void *); diff --git a/src/dce_rpc-analyzer.pac b/src/dce_rpc-analyzer.pac index 353c9f3795..ddc99abd8e 100644 --- a/src/dce_rpc-analyzer.pac +++ b/src/dce_rpc-analyzer.pac @@ -1,5 +1,3 @@ -# $Id:$ - # DCE/RPC protocol data unit. type DCE_RPC_PDU = record { diff --git a/src/dce_rpc-protocol.pac b/src/dce_rpc-protocol.pac index 77c7aaff62..a7bfcb5368 100644 --- a/src/dce_rpc-protocol.pac +++ b/src/dce_rpc-protocol.pac @@ -1,5 +1,3 @@ -# $Id: dce_rpc-protocol.pac,v 1.1.4.2 2006/06/02 15:13:09 rpang Exp $ -# # Definitions for DCE RPC. enum dce_rpc_ptype { diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac index 58c2250c26..cbcd0cbdc4 100644 --- a/src/dce_rpc.pac +++ b/src/dce_rpc.pac @@ -1,5 +1,3 @@ -# $Id: dce_rpc.pac 4608 2007-07-05 18:23:58Z vern $ - %include binpac.pac %include bro.pac diff --git a/src/dce_rpc_simple.pac b/src/dce_rpc_simple.pac index ff495a2e2b..f31c2a078b 100644 --- a/src/dce_rpc_simple.pac +++ b/src/dce_rpc_simple.pac @@ -1,5 +1,3 @@ -# $Id:$ - %include bro.pac analyzer DCE_RPC_Simple withcontext {}; diff --git a/src/dhcp-analyzer.pac b/src/dhcp-analyzer.pac index ef8b888330..a9f1c6bab0 100644 --- a/src/dhcp-analyzer.pac +++ b/src/dhcp-analyzer.pac @@ -1,5 +1,3 @@ -# $Id:$ - connection DHCP_Conn(bro_analyzer: BroAnalyzer) { upflow = DHCP_Flow(true); downflow = DHCP_Flow(false); diff --git a/src/dhcp-protocol.pac b/src/dhcp-protocol.pac index 46cceb56c6..d77780b1b3 100644 --- a/src/dhcp-protocol.pac +++ b/src/dhcp-protocol.pac 
@@ -1,5 +1,3 @@ -# $Id:$ - # DHCP Message Type according to RFC 1533. # Refer to RFC 2131 for op types. diff --git a/src/dhcp.pac b/src/dhcp.pac index 852433a410..9e9d7755a4 100644 --- a/src/dhcp.pac +++ b/src/dhcp.pac @@ -1,5 +1,3 @@ -# $Id:$ - %include bro.pac analyzer DHCP withcontext { diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac index 72bda3165f..0c2dc1b491 100644 --- a/src/dns-analyzer.pac +++ b/src/dns-analyzer.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include %} diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac index d5b8036e11..fbeb9d0fa3 100644 --- a/src/dns-protocol.pac +++ b/src/dns-protocol.pac @@ -1,5 +1,3 @@ -# $Id:$ - enum DNS_answer_type { DNS_QUESTION, DNS_ANSWER, diff --git a/src/dns.pac b/src/dns.pac index dc5ca586f8..aeffdf0bc7 100644 --- a/src/dns.pac +++ b/src/dns.pac @@ -1,5 +1,3 @@ -# $Id:$ - %include bro.pac analyzer DNS withcontext { diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac index f2c7f5f523..d31ff58c6e 100644 --- a/src/dns_tcp.pac +++ b/src/dns_tcp.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include "dns_pac.h" // for DNS_Conn %} diff --git a/src/epmapper.pac b/src/epmapper.pac index c9eea3c139..7fbaf47418 100644 --- a/src/epmapper.pac +++ b/src/epmapper.pac @@ -1,5 +1,3 @@ -# $Id:$ - type epmapper_lookup_req = record { inquiry_type : uint32; # object : uuid_p_t; diff --git a/src/event.bif b/src/event.bif index c3c11b6a7e..d953ac78fe 100644 --- a/src/event.bif +++ b/src/event.bif @@ -1,5 +1,3 @@ -# $Id: event.bif 6942 2009-11-16 03:54:08Z vern $ - event bro_init%(%); event bro_done%(%); diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac index c1a4dd7b26..e12be59438 100644 --- a/src/http-analyzer.pac +++ b/src/http-analyzer.pac @@ -1,5 +1,3 @@ -# $Id:$ - %extern{ #include diff --git a/src/http-protocol.pac b/src/http-protocol.pac index 1c9f4b4c17..e4487a75e3 100644 --- a/src/http-protocol.pac +++ b/src/http-protocol.pac @@ -1,5 +1,3 @@ -# $Id:$ - enum ExpectBody { BODY_EXPECTED, BODY_NOT_EXPECTED, 
diff --git a/src/http.pac b/src/http.pac
index 217215e998..38e6ad0b5e 100644
--- a/src/http.pac
+++ b/src/http.pac
@@ -1,5 +1,3 @@
-# $Id:$
-
 %include binpac.pac
 %include bro.pac
diff --git a/src/input.h b/src/input.h
index 8af7a35445..8fcceb256b 100644
--- a/src/input.h
+++ b/src/input.h
@@ -1,5 +1,3 @@
-// $Id: input.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef input_h
diff --git a/src/logging.bif b/src/logging.bif
index 0e48633d5a..501eb899d9 100644
--- a/src/logging.bif
+++ b/src/logging.bif
@@ -10,9 +10,6 @@ module Log;
 type Filter: record;
 type Stream: record;
 type RotationInfo: record;
-type RotationControl: record;
-
-const Log::rotation_control: RotationControl;
 function Log::__create_stream%(id: Log::ID, stream: Log::Stream%) : bool
 %{
diff --git a/src/main.cc b/src/main.cc
index 139fc802c5..5ec5423ce6 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -1,5 +1,3 @@
-// $Id: main.cc 6829 2009-07-09 09:12:59Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "config.h"
diff --git a/src/make_dbg_constants.pl b/src/make_dbg_constants.pl
index d4781dccf6..29efac8050 100644
--- a/src/make_dbg_constants.pl
+++ b/src/make_dbg_constants.pl
@@ -1,5 +1,3 @@
-# $Id: make_dbg_constants.pl 80 2004-07-14 20:15:50Z jason $
-#
 # Build the DebugCmdConstants.h and DebugCmdInfoConstants.h files from the
 # DebugCmdInfoConstants.in file.
 #
diff --git a/src/malloc.c b/src/malloc.c
deleted file mode 100644
index 809e19aa4e..0000000000
--- a/src/malloc.c
+++ /dev/null
@@ -1,5061 +0,0 @@ -/* - This is a version (aka dlmalloc) of malloc/free/realloc written by - Doug Lea and released to the public domain, as explained at - http://creativecommons.org/licenses/publicdomain. Send questions, - comments, complaints, performance data, etc to dl@cs.oswego.edu - -* Version 2.8.3 Thu Sep 22 11:16:15 2005 Doug Lea (dl at gee) - - Note: There may be an updated version of this malloc obtainable at - ftp://gee.cs.oswego.edu/pub/misc/malloc.c - Check before installing! - -* Quickstart - - This library is all in one file to simplify the most common usage: - ftp it, compile it (-O3), and link it into another program. All of - the compile-time options default to reasonable values for use on - most platforms. You might later want to step through various - compile-time and dynamic tuning options. - - For convenience, an include file for code using this malloc is at: - ftp://gee.cs.oswego.edu/pub/misc/malloc-2.8.3.h - You don't really need this .h file unless you call functions not - defined in your system include files. The .h file contains only the - excerpts from this file needed for using this malloc on ANSI C/C++ - systems, so long as you haven't changed compile-time options about - naming and tuning parameters. If you do, then you can create your - own malloc.h that does include all settings by cutting at the point - indicated below. Note that you may already by default be using a C - library containing a malloc that is based on some version of this - malloc (for example in linux). You might still want to use the one - in this file to customize settings or to avoid overheads associated - with library versions. - -* Vital statistics: - - Supported pointer/size_t representation: 4 or 8 bytes - size_t MUST be an unsigned type of the same width as - pointers. (If you are using an ancient system that declares - size_t as a signed type, or need it to be a different width - than pointers, you can use a previous release of this malloc - (e.g. 
2.7.2) supporting these.) - - Alignment: 8 bytes (default) - This suffices for nearly all current machines and C compilers. - However, you can define MALLOC_ALIGNMENT to be wider than this - if necessary (up to 128bytes), at the expense of using more space. - - Minimum overhead per allocated chunk: 4 or 8 bytes (if 4byte sizes) - 8 or 16 bytes (if 8byte sizes) - Each malloced chunk has a hidden word of overhead holding size - and status information, and additional cross-check word - if FOOTERS is defined. - - Minimum allocated size: 4-byte ptrs: 16 bytes (including overhead) - 8-byte ptrs: 32 bytes (including overhead) - - Even a request for zero bytes (i.e., malloc(0)) returns a - pointer to something of the minimum allocatable size. - The maximum overhead wastage (i.e., number of extra bytes - allocated than were requested in malloc) is less than or equal - to the minimum size, except for requests >= mmap_threshold that - are serviced via mmap(), where the worst case wastage is about - 32 bytes plus the remainder from a system page (the minimal - mmap unit); typically 4096 or 8192 bytes. - - Security: static-safe; optionally more or less - The "security" of malloc refers to the ability of malicious - code to accentuate the effects of errors (for example, freeing - space that is not currently malloc'ed or overwriting past the - ends of chunks) in code that calls malloc. This malloc - guarantees not to modify any memory locations below the base of - heap, i.e., static variables, even in the presence of usage - errors. The routines additionally detect most improper frees - and reallocs. All this holds as long as the static bookkeeping - for malloc itself is not corrupted by some other means. This - is only one aspect of security -- these checks do not, and - cannot, detect all possible programming errors. - - If FOOTERS is defined nonzero, then each allocated chunk - carries an additional check word to verify that it was malloced - from its space. 
These check words are the same within each - execution of a program using malloc, but differ across - executions, so externally crafted fake chunks cannot be - freed. This improves security by rejecting frees/reallocs that - could corrupt heap memory, in addition to the checks preventing - writes to statics that are always on. This may further improve - security at the expense of time and space overhead. (Note that - FOOTERS may also be worth using with MSPACES.) - - By default detected errors cause the program to abort (calling - "abort()"). You can override this to instead proceed past - errors by defining PROCEED_ON_ERROR. In this case, a bad free - has no effect, and a malloc that encounters a bad address - caused by user overwrites will ignore the bad address by - dropping pointers and indices to all known memory. This may - be appropriate for programs that should continue if at all - possible in the face of programming errors, although they may - run out of memory because dropped memory is never reclaimed. - - If you don't like either of these options, you can define - CORRUPTION_ERROR_ACTION and USAGE_ERROR_ACTION to do anything - else. And if if you are sure that your program using malloc has - no errors or vulnerabilities, you can define INSECURE to 1, - which might (or might not) provide a small performance improvement. - - Thread-safety: NOT thread-safe unless USE_LOCKS defined - When USE_LOCKS is defined, each public call to malloc, free, - etc is surrounded with either a pthread mutex or a win32 - spinlock (depending on WIN32). This is not especially fast, and - can be a major bottleneck. It is designed only to provide - minimal protection in concurrent environments, and to provide a - basis for extensions. If you are using malloc in a concurrent - program, consider instead using ptmalloc, which is derived from - a version of this malloc. (See http://www.malloc.de). 
- - System requirements: Any combination of MORECORE and/or MMAP/MUNMAP - This malloc can use unix sbrk or any emulation (invoked using - the CALL_MORECORE macro) and/or mmap/munmap or any emulation - (invoked using CALL_MMAP/CALL_MUNMAP) to get and release system - memory. On most unix systems, it tends to work best if both - MORECORE and MMAP are enabled. On Win32, it uses emulations - based on VirtualAlloc. It also uses common C library functions - like memset. - - Compliance: I believe it is compliant with the Single Unix Specification - (See http://www.unix.org). Also SVID/XPG, ANSI C, and probably - others as well. - -* Overview of algorithms - - This is not the fastest, most space-conserving, most portable, or - most tunable malloc ever written. However it is among the fastest - while also being among the most space-conserving, portable and - tunable. Consistent balance across these factors results in a good - general-purpose allocator for malloc-intensive programs. - - In most ways, this malloc is a best-fit allocator. Generally, it - chooses the best-fitting existing chunk for a request, with ties - broken in approximately least-recently-used order. (This strategy - normally maintains low fragmentation.) However, for requests less - than 256bytes, it deviates from best-fit when there is not an - exactly fitting available chunk by preferring to use space adjacent - to that used for the previous small request, as well as by breaking - ties in approximately most-recently-used order. (These enhance - locality of series of small allocations.) And for very large requests - (>= 256Kb by default), it relies on system memory mapping - facilities, if supported. (This helps avoid carrying around and - possibly fragmenting memory used only for large chunks.) 
- - All operations (except malloc_stats and mallinfo) have execution - times that are bounded by a constant factor of the number of bits in - a size_t, not counting any clearing in calloc or copying in realloc, - or actions surrounding MORECORE and MMAP that have times - proportional to the number of non-contiguous regions returned by - system allocation routines, which is often just 1. - - The implementation is not very modular and seriously overuses - macros. Perhaps someday all C compilers will do as good a job - inlining modular code as can now be done by brute-force expansion, - but now, enough of them seem not to. - - Some compilers issue a lot of warnings about code that is - dead/unreachable only on some platforms, and also about intentional - uses of negation on unsigned types. All known cases of each can be - ignored. - - For a longer but out of date high-level description, see - http://gee.cs.oswego.edu/dl/html/malloc.html - -* MSPACES - If MSPACES is defined, then in addition to malloc, free, etc., - this file also defines mspace_malloc, mspace_free, etc. These - are versions of malloc routines that take an "mspace" argument - obtained using create_mspace, to control all internal bookkeeping. - If ONLY_MSPACES is defined, only these versions are compiled. - So if you would like to use this allocator for only some allocations, - and your system malloc for others, you can compile with - ONLY_MSPACES and then do something like... - static mspace mymspace = create_mspace(0,0); // for example - #define mymalloc(bytes) mspace_malloc(mymspace, bytes) - - (Note: If you only need one instance of an mspace, you can instead - use "USE_DL_PREFIX" to relabel the global malloc.) - - You can similarly create thread-local allocators by storing - mspaces as thread-locals. 
For example: - static __thread mspace tlms = 0; - void* tlmalloc(size_t bytes) { - if (tlms == 0) tlms = create_mspace(0, 0); - return mspace_malloc(tlms, bytes); - } - void tlfree(void* mem) { mspace_free(tlms, mem); } - - Unless FOOTERS is defined, each mspace is completely independent. - You cannot allocate from one and free to another (although - conformance is only weakly checked, so usage errors are not always - caught). If FOOTERS is defined, then each chunk carries around a tag - indicating its originating mspace, and frees are directed to their - originating spaces. - - ------------------------- Compile-time options --------------------------- - -Be careful in setting #define values for numerical constants of type -size_t. On some systems, literal values are not automatically extended -to size_t precision unless they are explicitly casted. - -WIN32 default: defined if _WIN32 defined - Defining WIN32 sets up defaults for MS environment and compilers. - Otherwise defaults are for unix. - -MALLOC_ALIGNMENT default: (size_t)8 - Controls the minimum alignment for malloc'ed chunks. It must be a - power of two and at least 8, even on machines for which smaller - alignments would suffice. It may be defined as larger than this - though. Note however that code and data structures are optimized for - the case of 8-byte alignment. - -MSPACES default: 0 (false) - If true, compile in support for independent allocation spaces. - This is only supported if HAVE_MMAP is true. - -ONLY_MSPACES default: 0 (false) - If true, only compile in mspace versions, not regular versions. - -USE_LOCKS default: 0 (false) - Causes each call to each public routine to be surrounded with - pthread or WIN32 mutex lock/unlock. (If set true, this can be - overridden on a per-mspace basis for mspace versions.) - -FOOTERS default: 0 - If true, provide extra checking and dispatching by placing - information in the footers of allocated chunks. This adds - space and time overhead. 
- -INSECURE default: 0 - If true, omit checks for usage errors and heap space overwrites. - -USE_DL_PREFIX default: NOT defined - Causes compiler to prefix all public routines with the string 'dl'. - This can be useful when you only want to use this malloc in one part - of a program, using your regular system malloc elsewhere. - -ABORT default: defined as abort() - Defines how to abort on failed checks. On most systems, a failed - check cannot die with an "assert" or even print an informative - message, because the underlying print routines in turn call malloc, - which will fail again. Generally, the best policy is to simply call - abort(). It's not very useful to do more than this because many - errors due to overwriting will show up as address faults (null, odd - addresses etc) rather than malloc-triggered checks, so will also - abort. Also, most compilers know that abort() does not return, so - can better optimize code conditionally calling it. - -PROCEED_ON_ERROR default: defined as 0 (false) - Controls whether detected bad addresses cause them to bypassed - rather than aborting. If set, detected bad arguments to free and - realloc are ignored. And all bookkeeping information is zeroed out - upon a detected overwrite of freed heap space, thus losing the - ability to ever return it from malloc again, but enabling the - application to proceed. If PROCEED_ON_ERROR is defined, the - static variable malloc_corruption_error_count is compiled in - and can be examined to see if errors have occurred. This option - generates slower code than the default abort policy. - -DEBUG default: NOT defined - The DEBUG setting is mainly intended for people trying to modify - this code or diagnose problems when porting to new platforms. - However, it may also be able to better isolate user errors than just - using runtime checks. The assertions in the check routines spell - out in more detail the assumptions and invariants underlying the - algorithms. 
The checking is fairly extensive, and will slow down - execution noticeably. Calling malloc_stats or mallinfo with DEBUG - set will attempt to check every non-mmapped allocated and free chunk - in the course of computing the summaries. - -ABORT_ON_ASSERT_FAILURE default: defined as 1 (true) - Debugging assertion failures can be nearly impossible if your - version of the assert macro causes malloc to be called, which will - lead to a cascade of further failures, blowing the runtime stack. - ABORT_ON_ASSERT_FAILURE cause assertions failures to call abort(), - which will usually make debugging easier. - -MALLOC_FAILURE_ACTION default: sets errno to ENOMEM, or no-op on win32 - The action to take before "return 0" when malloc fails to be able to - return memory because there is none available. - -HAVE_MORECORE default: 1 (true) unless win32 or ONLY_MSPACES - True if this system supports sbrk or an emulation of it. - -MORECORE default: sbrk - The name of the sbrk-style system routine to call to obtain more - memory. See below for guidance on writing custom MORECORE - functions. The type of the argument to sbrk/MORECORE varies across - systems. It cannot be size_t, because it supports negative - arguments, so it is normally the signed type of the same width as - size_t (sometimes declared as "intptr_t"). It doesn't much matter - though. Internally, we only call it with arguments less than half - the max value of a size_t, which should work across all reasonable - possibilities, although sometimes generating compiler warnings. See - near the end of this file for guidelines for creating a custom - version of MORECORE. - -MORECORE_CONTIGUOUS default: 1 (true) - If true, take advantage of fact that consecutive calls to MORECORE - with positive arguments always return contiguous increasing - addresses. This is true of unix sbrk. It does not hurt too much to - set it true anyway, since malloc copes with non-contiguities. 
- Setting it false when definitely non-contiguous saves time - and possibly wasted space it would take to discover this though. - -MORECORE_CANNOT_TRIM default: NOT defined - True if MORECORE cannot release space back to the system when given - negative arguments. This is generally necessary only if you are - using a hand-crafted MORECORE function that cannot handle negative - arguments. - -HAVE_MMAP default: 1 (true) - True if this system supports mmap or an emulation of it. If so, and - HAVE_MORECORE is not true, MMAP is used for all system - allocation. If set and HAVE_MORECORE is true as well, MMAP is - primarily used to directly allocate very large blocks. It is also - used as a backup strategy in cases where MORECORE fails to provide - space from system. Note: A single call to MUNMAP is assumed to be - able to unmap memory that may have be allocated using multiple calls - to MMAP, so long as they are adjacent. - -HAVE_MREMAP default: 1 on linux, else 0 - If true realloc() uses mremap() to re-allocate large blocks and - extend or shrink allocation spaces. - -MMAP_CLEARS default: 1 on unix - True if mmap clears memory so calloc doesn't need to. This is true - for standard unix mmap using /dev/zero. - -USE_BUILTIN_FFS default: 0 (i.e., not used) - Causes malloc to use the builtin ffs() function to compute indices. - Some compilers may recognize and intrinsify ffs to be faster than the - supplied C version. Also, the case of x86 using gcc is special-cased - to an asm instruction, so is already as fast as it can be, and so - this setting has no effect. (On most x86s, the asm version is only - slightly faster than the C version.) - -malloc_getpagesize default: derive from system includes, or 4096. - The system page size. To the extent possible, this malloc manages - memory from the system in page-size units. This may be (and - usually is) a function rather than a constant. 
This is ignored - if WIN32, where page size is determined using getSystemInfo during - initialization. - -USE_DEV_RANDOM default: 0 (i.e., not used) - Causes malloc to use /dev/random to initialize secure magic seed for - stamping footers. Otherwise, the current time is used. - -NO_MALLINFO default: 0 - If defined, don't compile "mallinfo". This can be a simple way - of dealing with mismatches between system declarations and - those in this file. - -MALLINFO_FIELD_TYPE default: size_t - The type of the fields in the mallinfo struct. This was originally - defined as "int" in SVID etc, but is more usefully defined as - size_t. The value is used only if HAVE_USR_INCLUDE_MALLOC_H is not set - -REALLOC_ZERO_BYTES_FREES default: not defined - This should be set if a call to realloc with zero bytes should - be the same as a call to free. Some people think it should. Otherwise, - since this malloc returns a unique pointer for malloc(0), so does - realloc(p, 0). - -LACKS_UNISTD_H, LACKS_FCNTL_H, LACKS_SYS_PARAM_H, LACKS_SYS_MMAN_H -LACKS_STRINGS_H, LACKS_STRING_H, LACKS_SYS_TYPES_H, LACKS_ERRNO_H -LACKS_STDLIB_H default: NOT defined unless on WIN32 - Define these if your system does not have these header files. - You might need to manually insert some of the declarations they provide. - -DEFAULT_GRANULARITY default: page size if MORECORE_CONTIGUOUS, - system_info.dwAllocationGranularity in WIN32, - otherwise 64K. - Also settable using mallopt(M_GRANULARITY, x) - The unit for allocating and deallocating memory from the system. On - most systems with contiguous MORECORE, there is no reason to - make this more than a page. However, systems with MMAP tend to - either require or encourage larger granularities. You can increase - this value to prevent system allocation functions to be called so - often, especially if they are slow. The value must be at least one - page and must be a power of two. Setting to 0 causes initialization - to either page size or win32 region size. 
(Note: In previous - versions of malloc, the equivalent of this option was called - "TOP_PAD") - -DEFAULT_TRIM_THRESHOLD default: 2MB - Also settable using mallopt(M_TRIM_THRESHOLD, x) - The maximum amount of unused top-most memory to keep before - releasing via malloc_trim in free(). Automatic trimming is mainly - useful in long-lived programs using contiguous MORECORE. Because - trimming via sbrk can be slow on some systems, and can sometimes be - wasteful (in cases where programs immediately afterward allocate - more large chunks) the value should be high enough so that your - overall system performance would improve by releasing this much - memory. As a rough guide, you might set to a value close to the - average size of a process (program) running on your system. - Releasing this much memory would allow such a process to run in - memory. Generally, it is worth tuning trim thresholds when a - program undergoes phases where several large chunks are allocated - and released in ways that can reuse each other's storage, perhaps - mixed with phases where there are no such chunks at all. The trim - value must be greater than page size to have any useful effect. To - disable trimming completely, you can set to MAX_SIZE_T. Note that the trick - some people use of mallocing a huge space and then freeing it at - program startup, in an attempt to reserve system memory, doesn't - have the intended effect under automatic trimming, since that memory - will immediately be returned to the system. - -DEFAULT_MMAP_THRESHOLD default: 256K - Also settable using mallopt(M_MMAP_THRESHOLD, x) - The request size threshold for using MMAP to directly service a - request. Requests of at least this size that cannot be allocated - using already-existing space will be serviced via mmap. (If enough - normal freed space already exists it is used instead.) Using mmap - segregates relatively large chunks of memory so that they can be - individually obtained and released from the host system. 
A request - serviced through mmap is never reused by any other request (at least - not directly; the system may just so happen to remap successive - requests to the same locations). Segregating space in this way has - the benefits that: Mmapped space can always be individually released - back to the system, which helps keep the system level memory demands - of a long-lived program low. Also, mapped memory doesn't become - `locked' between other chunks, as can happen with normally allocated - chunks, which means that even trimming via malloc_trim would not - release them. However, it has the disadvantage that the space - cannot be reclaimed, consolidated, and then used to service later - requests, as happens with normal chunks. The advantages of mmap - nearly always outweigh disadvantages for "large" chunks, but the - value of "large" may vary across systems. The default is an - empirically derived value that works well in most systems. You can - disable mmap by setting to MAX_SIZE_T. - -*/ - -#ifndef WIN32 -#ifdef _WIN32 -#define WIN32 1 -#endif /* _WIN32 */ -#endif /* WIN32 */ -#ifdef WIN32 -#define WIN32_LEAN_AND_MEAN -#include -#define HAVE_MMAP 1 -#define HAVE_MORECORE 0 -#define LACKS_UNISTD_H -#define LACKS_SYS_PARAM_H -#define LACKS_SYS_MMAN_H -#define LACKS_STRING_H -#define LACKS_STRINGS_H -#define LACKS_SYS_TYPES_H -#define LACKS_ERRNO_H -#define MALLOC_FAILURE_ACTION -#define MMAP_CLEARS 0 /* WINCE and some others apparently don't clear */ -#endif /* WIN32 */ - -#if defined(DARWIN) || defined(_DARWIN) -/* Mac OSX docs advise not to use sbrk; it seems better to use mmap */ -#ifndef HAVE_MORECORE -#define HAVE_MORECORE 0 -#define HAVE_MMAP 1 -#endif /* HAVE_MORECORE */ -#endif /* DARWIN */ - -#ifndef LACKS_SYS_TYPES_H -#include /* For size_t */ -#endif /* LACKS_SYS_TYPES_H */ - -/* The maximum possible size_t value has all bits set */ -#define MAX_SIZE_T (~(size_t)0) - -#ifndef ONLY_MSPACES -#define ONLY_MSPACES 0 -#endif /* ONLY_MSPACES */ -#ifndef 
MSPACES -#if ONLY_MSPACES -#define MSPACES 1 -#else /* ONLY_MSPACES */ -#define MSPACES 0 -#endif /* ONLY_MSPACES */ -#endif /* MSPACES */ -#ifndef MALLOC_ALIGNMENT -#define MALLOC_ALIGNMENT ((size_t)8U) -#endif /* MALLOC_ALIGNMENT */ -#ifndef FOOTERS -#define FOOTERS 0 -#endif /* FOOTERS */ -#ifndef ABORT -#define ABORT abort() -#endif /* ABORT */ -#ifndef ABORT_ON_ASSERT_FAILURE -#define ABORT_ON_ASSERT_FAILURE 1 -#endif /* ABORT_ON_ASSERT_FAILURE */ -#ifndef PROCEED_ON_ERROR -#define PROCEED_ON_ERROR 0 -#endif /* PROCEED_ON_ERROR */ -#ifndef USE_LOCKS -#define USE_LOCKS 0 -#endif /* USE_LOCKS */ -#ifndef INSECURE -#define INSECURE 0 -#endif /* INSECURE */ -#ifndef HAVE_MMAP -#define HAVE_MMAP 1 -#endif /* HAVE_MMAP */ -#ifndef MMAP_CLEARS -#define MMAP_CLEARS 1 -#endif /* MMAP_CLEARS */ -#ifndef HAVE_MREMAP -#ifdef linux -#define HAVE_MREMAP 1 -#else /* linux */ -#define HAVE_MREMAP 0 -#endif /* linux */ -#endif /* HAVE_MREMAP */ -#ifndef MALLOC_FAILURE_ACTION -#define MALLOC_FAILURE_ACTION errno = ENOMEM; -#endif /* MALLOC_FAILURE_ACTION */ -#ifndef HAVE_MORECORE -#if ONLY_MSPACES -#define HAVE_MORECORE 0 -#else /* ONLY_MSPACES */ -#define HAVE_MORECORE 1 -#endif /* ONLY_MSPACES */ -#endif /* HAVE_MORECORE */ -#if !HAVE_MORECORE -#define MORECORE_CONTIGUOUS 0 -#else /* !HAVE_MORECORE */ -#ifndef MORECORE -#define MORECORE sbrk -#endif /* MORECORE */ -#ifndef MORECORE_CONTIGUOUS -#define MORECORE_CONTIGUOUS 1 -#endif /* MORECORE_CONTIGUOUS */ -#endif /* HAVE_MORECORE */ -#ifndef DEFAULT_GRANULARITY -#if MORECORE_CONTIGUOUS -#define DEFAULT_GRANULARITY (0) /* 0 means to compute in init_mparams */ -#else /* MORECORE_CONTIGUOUS */ -#define DEFAULT_GRANULARITY ((size_t)64U * (size_t)1024U) -#endif /* MORECORE_CONTIGUOUS */ -#endif /* DEFAULT_GRANULARITY */ -#ifndef DEFAULT_TRIM_THRESHOLD -#ifndef MORECORE_CANNOT_TRIM -#define DEFAULT_TRIM_THRESHOLD ((size_t)2U * (size_t)1024U * (size_t)1024U) -#else /* MORECORE_CANNOT_TRIM */ -#define DEFAULT_TRIM_THRESHOLD 
MAX_SIZE_T -#endif /* MORECORE_CANNOT_TRIM */ -#endif /* DEFAULT_TRIM_THRESHOLD */ -#ifndef DEFAULT_MMAP_THRESHOLD -#if HAVE_MMAP -#define DEFAULT_MMAP_THRESHOLD ((size_t)256U * (size_t)1024U) -#else /* HAVE_MMAP */ -#define DEFAULT_MMAP_THRESHOLD MAX_SIZE_T -#endif /* HAVE_MMAP */ -#endif /* DEFAULT_MMAP_THRESHOLD */ -#ifndef USE_BUILTIN_FFS -#define USE_BUILTIN_FFS 0 -#endif /* USE_BUILTIN_FFS */ -#ifndef USE_DEV_RANDOM -#define USE_DEV_RANDOM 0 -#endif /* USE_DEV_RANDOM */ -#ifndef NO_MALLINFO -#define NO_MALLINFO 0 -#endif /* NO_MALLINFO */ -#ifndef MALLINFO_FIELD_TYPE -#define MALLINFO_FIELD_TYPE size_t -#endif /* MALLINFO_FIELD_TYPE */ - -/* - mallopt tuning options. SVID/XPG defines four standard parameter - numbers for mallopt, normally defined in malloc.h. None of these - are used in this malloc, so setting them has no effect. But this - malloc does support the following options. -*/ - -#define M_TRIM_THRESHOLD (-1) -#define M_GRANULARITY (-2) -#define M_MMAP_THRESHOLD (-3) - -/* ------------------------ Mallinfo declarations ------------------------ */ - -#if !NO_MALLINFO -/* - This version of malloc supports the standard SVID/XPG mallinfo - routine that returns a struct containing usage properties and - statistics. It should work on any system that has a - /usr/include/malloc.h defining struct mallinfo. The main - declaration needed is the mallinfo struct that is returned (by-copy) - by mallinfo(). The malloinfo struct contains a bunch of fields that - are not even meaningful in this version of malloc. These fields are - are instead filled by mallinfo() with other numbers that might be of - interest. - - HAVE_USR_INCLUDE_MALLOC_H should be set if you have a - /usr/include/malloc.h file that includes a declaration of struct - mallinfo. If so, it is included; else a compliant version is - declared below. These must be precisely the same for mallinfo() to - work. 
The original SVID version of this struct, defined on most - systems with mallinfo, declares all fields as ints. But some others - define as unsigned long. If your system defines the fields using a - type of different width than listed here, you MUST #include your - system version and #define HAVE_USR_INCLUDE_MALLOC_H. -*/ - -/* #define HAVE_USR_INCLUDE_MALLOC_H */ - -#ifdef HAVE_USR_INCLUDE_MALLOC_H -#include "/usr/include/malloc.h" -#else /* HAVE_USR_INCLUDE_MALLOC_H */ - -struct mallinfo { - MALLINFO_FIELD_TYPE arena; /* non-mmapped space allocated from system */ - MALLINFO_FIELD_TYPE ordblks; /* number of free chunks */ - MALLINFO_FIELD_TYPE smblks; /* always 0 */ - MALLINFO_FIELD_TYPE hblks; /* always 0 */ - MALLINFO_FIELD_TYPE hblkhd; /* space in mmapped regions */ - MALLINFO_FIELD_TYPE usmblks; /* maximum total allocated space */ - MALLINFO_FIELD_TYPE fsmblks; /* always 0 */ - MALLINFO_FIELD_TYPE uordblks; /* total allocated space */ - MALLINFO_FIELD_TYPE fordblks; /* total free space */ - MALLINFO_FIELD_TYPE keepcost; /* releasable (via malloc_trim) space */ -}; - -#endif /* HAVE_USR_INCLUDE_MALLOC_H */ -#endif /* NO_MALLINFO */ - -#ifdef __cplusplus -extern "C" { -#endif /* __cplusplus */ - -#if !ONLY_MSPACES - -/* ------------------- Declarations of public routines ------------------- */ - -#ifndef USE_DL_PREFIX -#define dlcalloc calloc -#define dlfree free -#define dlmalloc malloc -#define dlmemalign memalign -#define dlrealloc realloc -#define dlvalloc valloc -#define dlpvalloc pvalloc -#define dlmallinfo mallinfo -#define dlmallopt mallopt -#define dlmalloc_trim malloc_trim -#define dlmalloc_stats malloc_stats -#define dlmalloc_usable_size malloc_usable_size -#define dlmalloc_footprint malloc_footprint -#define dlmalloc_max_footprint malloc_max_footprint -#define dlindependent_calloc independent_calloc -#define dlindependent_comalloc independent_comalloc -#endif /* USE_DL_PREFIX */ - - -/* - malloc(size_t n) - Returns a pointer to a newly allocated 
chunk of at least n bytes, or - null if no space is available, in which case errno is set to ENOMEM - on ANSI C systems. - - If n is zero, malloc returns a minimum-sized chunk. (The minimum - size is 16 bytes on most 32bit systems, and 32 bytes on 64bit - systems.) Note that size_t is an unsigned type, so calls with - arguments that would be negative if signed are interpreted as - requests for huge amounts of space, which will often fail. The - maximum supported value of n differs across systems, but is in all - cases less than the maximum representable value of a size_t. -*/ -void* dlmalloc(size_t); - -/* - free(void* p) - Releases the chunk of memory pointed to by p, that had been previously - allocated using malloc or a related routine such as realloc. - It has no effect if p is null. If p was not malloced or already - freed, free(p) will by default cause the current program to abort. -*/ -void dlfree(void*); - -/* - calloc(size_t n_elements, size_t element_size); - Returns a pointer to n_elements * element_size bytes, with all locations - set to zero. -*/ -void* dlcalloc(size_t, size_t); - -/* - realloc(void* p, size_t n) - Returns a pointer to a chunk of size n that contains the same data - as does chunk p up to the minimum of (n, p's size) bytes, or null - if no space is available. - - The returned pointer may or may not be the same as p. The algorithm - prefers extending p in most cases when possible, otherwise it - employs the equivalent of a malloc-copy-free sequence. - - If p is null, realloc is equivalent to malloc. - - If space is not available, realloc returns null, errno is set (if on - ANSI) and p is NOT freed. - - if n is for fewer bytes than already held by p, the newly unused - space is lopped off and freed if possible. realloc with a size - argument of zero (re)allocates a minimum-sized chunk. - - The old unix realloc convention of allowing the last-free'd chunk - to be used as an argument to realloc is not supported. 
-*/ - -void* dlrealloc(void*, size_t); - -/* - memalign(size_t alignment, size_t n); - Returns a pointer to a newly allocated chunk of n bytes, aligned - in accord with the alignment argument. - - The alignment argument should be a power of two. If the argument is - not a power of two, the nearest greater power is used. - 8-byte alignment is guaranteed by normal malloc calls, so don't - bother calling memalign with an argument of 8 or less. - - Overreliance on memalign is a sure way to fragment space. -*/ -void* dlmemalign(size_t, size_t); - -/* - valloc(size_t n); - Equivalent to memalign(pagesize, n), where pagesize is the page - size of the system. If the pagesize is unknown, 4096 is used. -*/ -void* dlvalloc(size_t); - -/* - mallopt(int parameter_number, int parameter_value) - Sets tunable parameters The format is to provide a - (parameter-number, parameter-value) pair. mallopt then sets the - corresponding parameter to the argument value if it can (i.e., so - long as the value is meaningful), and returns 1 if successful else - 0. SVID/XPG/ANSI defines four standard param numbers for mallopt, - normally defined in malloc.h. None of these are use in this malloc, - so setting them has no effect. But this malloc also supports other - options in mallopt. See below for details. Briefly, supported - parameters are as follows (listed defaults are for "typical" - configurations). - - Symbol param # default allowed param values - M_TRIM_THRESHOLD -1 2*1024*1024 any (MAX_SIZE_T disables) - M_GRANULARITY -2 page size any power of 2 >= page size - M_MMAP_THRESHOLD -3 256*1024 any (or 0 if no MMAP support) -*/ -int dlmallopt(int, int); - -/* - malloc_footprint(); - Returns the number of bytes obtained from the system. The total - number of bytes allocated by malloc, realloc etc., is less than this - value. Unlike mallinfo, this function returns only a precomputed - result, so can be called frequently to monitor memory consumption. 
- Even if locks are otherwise defined, this function does not use them, - so results might not be up to date. -*/ -size_t dlmalloc_footprint(void); - -/* - malloc_max_footprint(); - Returns the maximum number of bytes obtained from the system. This - value will be greater than current footprint if deallocated space - has been reclaimed by the system. The peak number of bytes allocated - by malloc, realloc etc., is less than this value. Unlike mallinfo, - this function returns only a precomputed result, so can be called - frequently to monitor memory consumption. Even if locks are - otherwise defined, this function does not use them, so results might - not be up to date. -*/ -size_t dlmalloc_max_footprint(void); - -#if !NO_MALLINFO -/* - mallinfo() - Returns (by copy) a struct containing various summary statistics: - - arena: current total non-mmapped bytes allocated from system - ordblks: the number of free chunks - smblks: always zero. - hblks: current number of mmapped regions - hblkhd: total bytes held in mmapped regions - usmblks: the maximum total allocated space. This will be greater - than current total if trimming has occurred. - fsmblks: always zero - uordblks: current total allocated space (normal or mmapped) - fordblks: total free space - keepcost: the maximum number of bytes that could ideally be released - back to system via malloc_trim. ("ideally" means that - it ignores page restrictions etc.) - - Because these fields are ints, but internal bookkeeping may - be kept as longs, the reported values may wrap around zero and - thus be inaccurate. 
-*/ -struct mallinfo dlmallinfo(void); -#endif /* NO_MALLINFO */ - -/* - independent_calloc(size_t n_elements, size_t element_size, void* chunks[]); - - independent_calloc is similar to calloc, but instead of returning a - single cleared space, it returns an array of pointers to n_elements - independent elements that can hold contents of size elem_size, each - of which starts out cleared, and can be independently freed, - realloc'ed etc. The elements are guaranteed to be adjacently - allocated (this is not guaranteed to occur with multiple callocs or - mallocs), which may also improve cache locality in some - applications. - - The "chunks" argument is optional (i.e., may be null, which is - probably the most typical usage). If it is null, the returned array - is itself dynamically allocated and should also be freed when it is - no longer needed. Otherwise, the chunks array must be of at least - n_elements in length. It is filled in with the pointers to the - chunks. - - In either case, independent_calloc returns this pointer array, or - null if the allocation failed. If n_elements is zero and "chunks" - is null, it returns a chunk representing an array with zero elements - (which should be freed if not wanted). - - Each element must be individually freed when it is no longer - needed. If you'd like to instead be able to free all at once, you - should instead use regular calloc and assign pointers into this - space to represent elements. (In this case though, you cannot - independently free elements.) - - independent_calloc simplifies and speeds up implementations of many - kinds of pools. It may also be useful when constructing large data - structures that initially have a fixed number of fixed-sized nodes, - but the number is not known at compile time, and some of the nodes - may later need to be freed. 
For example: - - struct Node { int item; struct Node* next; }; - - struct Node* build_list() { - struct Node** pool; - int n = read_number_of_nodes_needed(); - if (n <= 0) return 0; - pool = (struct Node**)(independent_calloc(n, sizeof(struct Node), 0); - if (pool == 0) die(); - // organize into a linked list... - struct Node* first = pool[0]; - for (i = 0; i < n-1; ++i) - pool[i]->next = pool[i+1]; - free(pool); // Can now free the array (or not, if it is needed later) - return first; - } -*/ -void** dlindependent_calloc(size_t, size_t, void**); - -/* - independent_comalloc(size_t n_elements, size_t sizes[], void* chunks[]); - - independent_comalloc allocates, all at once, a set of n_elements - chunks with sizes indicated in the "sizes" array. It returns - an array of pointers to these elements, each of which can be - independently freed, realloc'ed etc. The elements are guaranteed to - be adjacently allocated (this is not guaranteed to occur with - multiple callocs or mallocs), which may also improve cache locality - in some applications. - - The "chunks" argument is optional (i.e., may be null). If it is null - the returned array is itself dynamically allocated and should also - be freed when it is no longer needed. Otherwise, the chunks array - must be of at least n_elements in length. It is filled in with the - pointers to the chunks. - - In either case, independent_comalloc returns this pointer array, or - null if the allocation failed. If n_elements is zero and chunks is - null, it returns a chunk representing an array with zero elements - (which should be freed if not wanted). - - Each element must be individually freed when it is no longer - needed. If you'd like to instead be able to free all at once, you - should instead use a single regular malloc, and assign pointers at - particular offsets in the aggregate space. (In this case though, you - cannot independently free elements.) 
- - independent_comallac differs from independent_calloc in that each - element may have a different size, and also that it does not - automatically clear elements. - - independent_comalloc can be used to speed up allocation in cases - where several structs or objects must always be allocated at the - same time. For example: - - struct Head { ... } - struct Foot { ... } - - void send_message(char* msg) { - int msglen = strlen(msg); - size_t sizes[3] = { sizeof(struct Head), msglen, sizeof(struct Foot) }; - void* chunks[3]; - if (independent_comalloc(3, sizes, chunks) == 0) - die(); - struct Head* head = (struct Head*)(chunks[0]); - char* body = (char*)(chunks[1]); - struct Foot* foot = (struct Foot*)(chunks[2]); - // ... - } - - In general though, independent_comalloc is worth using only for - larger values of n_elements. For small values, you probably won't - detect enough difference from series of malloc calls to bother. - - Overuse of independent_comalloc can increase overall memory usage, - since it cannot reuse existing noncontiguous small chunks that - might be available for some of the elements. -*/ -void** dlindependent_comalloc(size_t, size_t*, void**); - - -/* - pvalloc(size_t n); - Equivalent to valloc(minimum-page-that-holds(n)), that is, - round up n to nearest pagesize. - */ -void* dlpvalloc(size_t); - -/* - malloc_trim(size_t pad); - - If possible, gives memory back to the system (via negative arguments - to sbrk) if there is unused memory at the `high' end of the malloc - pool or in unused MMAP segments. You can call this after freeing - large blocks of memory to potentially reduce the system-level memory - requirements of a program. However, it cannot guarantee to reduce - memory. Under some allocation patterns, some large free blocks of - memory will be locked between two used chunks, so they cannot be - given back to the system. - - The `pad' argument to malloc_trim represents the amount of free - trailing space to leave untrimmed. 
If this argument is zero, only - the minimum amount of memory to maintain internal data structures - will be left. Non-zero arguments can be supplied to maintain enough - trailing space to service future expected allocations without having - to re-obtain memory from the system. - - Malloc_trim returns 1 if it actually released any memory, else 0. -*/ -int dlmalloc_trim(size_t); - -/* - malloc_usable_size(void* p); - - Returns the number of bytes you can actually use in - an allocated chunk, which may be more than you requested (although - often not) due to alignment and minimum size constraints. - You can use this many bytes without worrying about - overwriting other allocated objects. This is not a particularly great - programming practice. malloc_usable_size can be more useful in - debugging and assertions, for example: - - p = malloc(n); - assert(malloc_usable_size(p) >= 256); -*/ -size_t dlmalloc_usable_size(void*); - -/* - malloc_stats(); - Prints on stderr the amount of space obtained from the system (both - via sbrk and mmap), the maximum amount (which may be more than - current if malloc_trim and/or munmap got called), and the current - number of bytes allocated via malloc (or realloc, etc) but not yet - freed. Note that this is the number of bytes allocated, not the - number requested. It will be larger than the number requested - because of alignment and bookkeeping overhead. Because it includes - alignment wastage as being in use, this figure may be greater than - zero even when no user-level chunks are allocated. - - The reported current and maximum system memory can be inaccurate if - a program makes other calls to system memory allocation functions - (normally sbrk) outside of malloc. - - malloc_stats prints only the most commonly interesting statistics. - More information can be obtained by calling mallinfo. 
-*/ -void dlmalloc_stats(void); - -#endif /* ONLY_MSPACES */ - -#if MSPACES - -/* - mspace is an opaque type representing an independent - region of space that supports mspace_malloc, etc. -*/ -typedef void* mspace; - -/* - create_mspace creates and returns a new independent space with the - given initial capacity, or, if 0, the default granularity size. It - returns null if there is no system memory available to create the - space. If argument locked is non-zero, the space uses a separate - lock to control access. The capacity of the space will grow - dynamically as needed to service mspace_malloc requests. You can - control the sizes of incremental increases of this space by - compiling with a different DEFAULT_GRANULARITY or dynamically - setting with mallopt(M_GRANULARITY, value). -*/ -mspace create_mspace(size_t capacity, int locked); - -/* - destroy_mspace destroys the given space, and attempts to return all - of its memory back to the system, returning the total number of - bytes freed. After destruction, the results of access to all memory - used by the space become undefined. -*/ -size_t destroy_mspace(mspace msp); - -/* - create_mspace_with_base uses the memory supplied as the initial base - of a new mspace. Part (less than 128*sizeof(size_t) bytes) of this - space is used for bookkeeping, so the capacity must be at least this - large. (Otherwise 0 is returned.) When this initial space is - exhausted, additional memory will be obtained from the system. - Destroying this space will deallocate all additionally allocated - space (if possible) but not the initial base. -*/ -mspace create_mspace_with_base(void* base, size_t capacity, int locked); - -/* - mspace_malloc behaves as malloc, but operates within - the given space. -*/ -void* mspace_malloc(mspace msp, size_t bytes); - -/* - mspace_free behaves as free, but operates within - the given space. - - If compiled with FOOTERS==1, mspace_free is not actually needed. 
- free may be called instead of mspace_free because freed chunks from - any space are handled by their originating spaces. -*/ -void mspace_free(mspace msp, void* mem); - -/* - mspace_realloc behaves as realloc, but operates within - the given space. - - If compiled with FOOTERS==1, mspace_realloc is not actually - needed. realloc may be called instead of mspace_realloc because - realloced chunks from any space are handled by their originating - spaces. -*/ -void* mspace_realloc(mspace msp, void* mem, size_t newsize); - -/* - mspace_calloc behaves as calloc, but operates within - the given space. -*/ -void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size); - -/* - mspace_memalign behaves as memalign, but operates within - the given space. -*/ -void* mspace_memalign(mspace msp, size_t alignment, size_t bytes); - -/* - mspace_independent_calloc behaves as independent_calloc, but - operates within the given space. -*/ -void** mspace_independent_calloc(mspace msp, size_t n_elements, - size_t elem_size, void* chunks[]); - -/* - mspace_independent_comalloc behaves as independent_comalloc, but - operates within the given space. -*/ -void** mspace_independent_comalloc(mspace msp, size_t n_elements, - size_t sizes[], void* chunks[]); - -/* - mspace_footprint() returns the number of bytes obtained from the - system for this space. -*/ -size_t mspace_footprint(mspace msp); - -/* - mspace_max_footprint() returns the peak number of bytes obtained from the - system for this space. -*/ -size_t mspace_max_footprint(mspace msp); - - -#if !NO_MALLINFO -/* - mspace_mallinfo behaves as mallinfo, but reports properties of - the given space. -*/ -struct mallinfo mspace_mallinfo(mspace msp); -#endif /* NO_MALLINFO */ - -/* - mspace_malloc_stats behaves as malloc_stats, but reports - properties of the given space. -*/ -void mspace_malloc_stats(mspace msp); - -/* - mspace_trim behaves as malloc_trim, but - operates within the given space. 
-*/ -int mspace_trim(mspace msp, size_t pad); - -/* - An alias for mallopt. -*/ -int mspace_mallopt(int, int); - -#endif /* MSPACES */ - -#ifdef __cplusplus -}; /* end of extern "C" */ -#endif /* __cplusplus */ - -/* - ======================================================================== - To make a fully customizable malloc.h header file, cut everything - above this line, put into file malloc.h, edit to suit, and #include it - on the next line, as well as in programs that use this malloc. - ======================================================================== -*/ - -/* #include "malloc.h" */ - -/*------------------------------ internal #includes ---------------------- */ - -#ifdef WIN32 -#pragma warning( disable : 4146 ) /* no "unsigned" warnings */ -#endif /* WIN32 */ - -#include /* for printing in malloc_stats */ - -#ifndef LACKS_ERRNO_H -#include /* for MALLOC_FAILURE_ACTION */ -#endif /* LACKS_ERRNO_H */ -#if FOOTERS -#include /* for magic initialization */ -#endif /* FOOTERS */ -#ifndef LACKS_STDLIB_H -#include /* for abort() */ -#endif /* LACKS_STDLIB_H */ -#ifdef DEBUG -#if ABORT_ON_ASSERT_FAILURE -#define assert(x) if(!(x)) ABORT -#else /* ABORT_ON_ASSERT_FAILURE */ -#include -#endif /* ABORT_ON_ASSERT_FAILURE */ -#else /* DEBUG */ -#define assert(x) -#endif /* DEBUG */ -#ifndef LACKS_STRING_H -#include /* for memset etc */ -#endif /* LACKS_STRING_H */ -#if USE_BUILTIN_FFS -#ifndef LACKS_STRINGS_H -#include /* for ffs */ -#endif /* LACKS_STRINGS_H */ -#endif /* USE_BUILTIN_FFS */ -#if HAVE_MMAP -#ifndef LACKS_SYS_MMAN_H -#include /* for mmap */ -#endif /* LACKS_SYS_MMAN_H */ -#ifndef LACKS_FCNTL_H -#include -#endif /* LACKS_FCNTL_H */ -#endif /* HAVE_MMAP */ -#if HAVE_MORECORE -#ifndef LACKS_UNISTD_H -#include /* for sbrk */ -#else /* LACKS_UNISTD_H */ -#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) -extern void* sbrk(ptrdiff_t); -#endif /* FreeBSD etc */ -#endif /* LACKS_UNISTD_H */ -#endif /* HAVE_MMAP */ - -#ifndef 
WIN32 -#ifndef malloc_getpagesize -# ifdef _SC_PAGESIZE /* some SVR4 systems omit an underscore */ -# ifndef _SC_PAGE_SIZE -# define _SC_PAGE_SIZE _SC_PAGESIZE -# endif -# endif -# ifdef _SC_PAGE_SIZE -# define malloc_getpagesize sysconf(_SC_PAGE_SIZE) -# else -# if defined(BSD) || defined(DGUX) || defined(HAVE_GETPAGESIZE) - extern size_t getpagesize(); -# define malloc_getpagesize getpagesize() -# else -# ifdef WIN32 /* use supplied emulation of getpagesize */ -# define malloc_getpagesize getpagesize() -# else -# ifndef LACKS_SYS_PARAM_H -# include -# endif -# ifdef EXEC_PAGESIZE -# define malloc_getpagesize EXEC_PAGESIZE -# else -# ifdef NBPG -# ifndef CLSIZE -# define malloc_getpagesize NBPG -# else -# define malloc_getpagesize (NBPG * CLSIZE) -# endif -# else -# ifdef NBPC -# define malloc_getpagesize NBPC -# else -# ifdef PAGESIZE -# define malloc_getpagesize PAGESIZE -# else /* just guess */ -# define malloc_getpagesize ((size_t)4096U) -# endif -# endif -# endif -# endif -# endif -# endif -# endif -#endif -#endif - -/* ------------------- size_t and alignment properties -------------------- */ - -/* The byte and bit size of a size_t */ -#define SIZE_T_SIZE (sizeof(size_t)) -#define SIZE_T_BITSIZE (sizeof(size_t) << 3) - -/* Some constants coerced to size_t */ -/* Annoying but necessary to avoid errors on some plaftorms */ -#define SIZE_T_ZERO ((size_t)0) -#define SIZE_T_ONE ((size_t)1) -#define SIZE_T_TWO ((size_t)2) -#define TWO_SIZE_T_SIZES (SIZE_T_SIZE<<1) -#define FOUR_SIZE_T_SIZES (SIZE_T_SIZE<<2) -#define SIX_SIZE_T_SIZES (FOUR_SIZE_T_SIZES+TWO_SIZE_T_SIZES) -#define HALF_MAX_SIZE_T (MAX_SIZE_T / 2U) - -/* The bit mask value corresponding to MALLOC_ALIGNMENT */ -#define CHUNK_ALIGN_MASK (MALLOC_ALIGNMENT - SIZE_T_ONE) - -/* True if address a has acceptable alignment */ -#define is_aligned(A) (((size_t)((A)) & (CHUNK_ALIGN_MASK)) == 0) - -/* the number of bytes to offset an address to align it */ -#define align_offset(A)\ - ((((size_t)(A) & 
CHUNK_ALIGN_MASK) == 0)? 0 :\ - ((MALLOC_ALIGNMENT - ((size_t)(A) & CHUNK_ALIGN_MASK)) & CHUNK_ALIGN_MASK)) - -/* -------------------------- MMAP preliminaries ------------------------- */ - -/* - If HAVE_MORECORE or HAVE_MMAP are false, we just define calls and - checks to fail so compiler optimizer can delete code rather than - using so many "#if"s. -*/ - - -/* MORECORE and MMAP must return MFAIL on failure */ -#define MFAIL ((void*)(MAX_SIZE_T)) -#define CMFAIL ((char*)(MFAIL)) /* defined for convenience */ - -#if !HAVE_MMAP -#define IS_MMAPPED_BIT (SIZE_T_ZERO) -#define USE_MMAP_BIT (SIZE_T_ZERO) -#define CALL_MMAP(s) MFAIL -#define CALL_MUNMAP(a, s) (-1) -#define DIRECT_MMAP(s) MFAIL - -#else /* HAVE_MMAP */ -#define IS_MMAPPED_BIT (SIZE_T_ONE) -#define USE_MMAP_BIT (SIZE_T_ONE) - -#ifndef WIN32 -#define CALL_MUNMAP(a, s) munmap((a), (s)) -#define MMAP_PROT (PROT_READ|PROT_WRITE) -#if !defined(MAP_ANONYMOUS) && defined(MAP_ANON) -#define MAP_ANONYMOUS MAP_ANON -#endif /* MAP_ANON */ -#ifdef MAP_ANONYMOUS -#define MMAP_FLAGS (MAP_PRIVATE|MAP_ANONYMOUS) -#define CALL_MMAP(s) mmap(0, (s), MMAP_PROT, MMAP_FLAGS, -1, 0) -#else /* MAP_ANONYMOUS */ -/* - Nearly all versions of mmap support MAP_ANONYMOUS, so the following - is unlikely to be needed, but is supplied just in case. -*/ -#define MMAP_FLAGS (MAP_PRIVATE) -static int dev_zero_fd = -1; /* Cached file descriptor for /dev/zero. */ -#define CALL_MMAP(s) ((dev_zero_fd < 0) ? \ - (dev_zero_fd = open("/dev/zero", O_RDWR), \ - mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0)) : \ - mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0)) -#endif /* MAP_ANONYMOUS */ - -#define DIRECT_MMAP(s) CALL_MMAP(s) -#else /* WIN32 */ - -/* Win32 MMAP via VirtualAlloc */ -static void* win32mmap(size_t size) { - void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); - return (ptr != 0)? 
ptr: MFAIL; -} - -/* For direct MMAP, use MEM_TOP_DOWN to minimize interference */ -static void* win32direct_mmap(size_t size) { - void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, - PAGE_READWRITE); - return (ptr != 0)? ptr: MFAIL; -} - -/* This function supports releasing coalesed segments */ -static int win32munmap(void* ptr, size_t size) { - MEMORY_BASIC_INFORMATION minfo; - char* cptr = ptr; - while (size) { - if (VirtualQuery(cptr, &minfo, sizeof(minfo)) == 0) - return -1; - if (minfo.BaseAddress != cptr || minfo.AllocationBase != cptr || - minfo.State != MEM_COMMIT || minfo.RegionSize > size) - return -1; - if (VirtualFree(cptr, 0, MEM_RELEASE) == 0) - return -1; - cptr += minfo.RegionSize; - size -= minfo.RegionSize; - } - return 0; -} - -#define CALL_MMAP(s) win32mmap(s) -#define CALL_MUNMAP(a, s) win32munmap((a), (s)) -#define DIRECT_MMAP(s) win32direct_mmap(s) -#endif /* WIN32 */ -#endif /* HAVE_MMAP */ - -#if HAVE_MMAP && HAVE_MREMAP -#define CALL_MREMAP(addr, osz, nsz, mv) mremap((addr), (osz), (nsz), (mv)) -#else /* HAVE_MMAP && HAVE_MREMAP */ -#define CALL_MREMAP(addr, osz, nsz, mv) MFAIL -#endif /* HAVE_MMAP && HAVE_MREMAP */ - -#if HAVE_MORECORE -#define CALL_MORECORE(S) MORECORE(S) -#else /* HAVE_MORECORE */ -#define CALL_MORECORE(S) MFAIL -#endif /* HAVE_MORECORE */ - -/* mstate bit set if continguous morecore disabled or failed */ -#define USE_NONCONTIGUOUS_BIT (4U) - -/* segment bit set in create_mspace_with_base */ -#define EXTERN_BIT (8U) - - -/* --------------------------- Lock preliminaries ------------------------ */ - -#if USE_LOCKS - -/* - When locks are defined, there are up to two global locks: - - * If HAVE_MORECORE, morecore_mutex protects sequences of calls to - MORECORE. In many cases sys_alloc requires two calls, that should - not be interleaved with calls by other threads. 
This does not - protect against direct calls to MORECORE by other threads not - using this lock, so there is still code to cope the best we can on - interference. - - * magic_init_mutex ensures that mparams.magic and other - unique mparams values are initialized only once. -*/ - -#ifndef WIN32 -/* By default use posix locks */ -#include -#define MLOCK_T pthread_mutex_t -#define INITIAL_LOCK(l) pthread_mutex_init(l, NULL) -#define ACQUIRE_LOCK(l) pthread_mutex_lock(l) -#define RELEASE_LOCK(l) pthread_mutex_unlock(l) - -#if HAVE_MORECORE -static MLOCK_T morecore_mutex = PTHREAD_MUTEX_INITIALIZER; -#endif /* HAVE_MORECORE */ - -static MLOCK_T magic_init_mutex = PTHREAD_MUTEX_INITIALIZER; - -#else /* WIN32 */ -/* - Because lock-protected regions have bounded times, and there - are no recursive lock calls, we can use simple spinlocks. -*/ - -#define MLOCK_T long -static int win32_acquire_lock (MLOCK_T *sl) { - for (;;) { -#ifdef InterlockedCompareExchangePointer - if (!InterlockedCompareExchange(sl, 1, 0)) - return 0; -#else /* Use older void* version */ - if (!InterlockedCompareExchange((void**)sl, (void*)1, (void*)0)) - return 0; -#endif /* InterlockedCompareExchangePointer */ - Sleep (0); - } -} - -static void win32_release_lock (MLOCK_T *sl) { - InterlockedExchange (sl, 0); -} - -#define INITIAL_LOCK(l) *(l)=0 -#define ACQUIRE_LOCK(l) win32_acquire_lock(l) -#define RELEASE_LOCK(l) win32_release_lock(l) -#if HAVE_MORECORE -static MLOCK_T morecore_mutex; -#endif /* HAVE_MORECORE */ -static MLOCK_T magic_init_mutex; -#endif /* WIN32 */ - -#define USE_LOCK_BIT (2U) -#else /* USE_LOCKS */ -#define USE_LOCK_BIT (0U) -#define INITIAL_LOCK(l) -#endif /* USE_LOCKS */ - -#if USE_LOCKS && HAVE_MORECORE -#define ACQUIRE_MORECORE_LOCK() ACQUIRE_LOCK(&morecore_mutex); -#define RELEASE_MORECORE_LOCK() RELEASE_LOCK(&morecore_mutex); -#else /* USE_LOCKS && HAVE_MORECORE */ -#define ACQUIRE_MORECORE_LOCK() -#define RELEASE_MORECORE_LOCK() -#endif /* USE_LOCKS && HAVE_MORECORE */ - 
-#if USE_LOCKS -#define ACQUIRE_MAGIC_INIT_LOCK() ACQUIRE_LOCK(&magic_init_mutex); -#define RELEASE_MAGIC_INIT_LOCK() RELEASE_LOCK(&magic_init_mutex); -#else /* USE_LOCKS */ -#define ACQUIRE_MAGIC_INIT_LOCK() -#define RELEASE_MAGIC_INIT_LOCK() -#endif /* USE_LOCKS */ - - -/* ----------------------- Chunk representations ------------------------ */ - -/* - (The following includes lightly edited explanations by Colin Plumb.) - - The malloc_chunk declaration below is misleading (but accurate and - necessary). It declares a "view" into memory allowing access to - necessary fields at known offsets from a given base. - - Chunks of memory are maintained using a `boundary tag' method as - originally described by Knuth. (See the paper by Paul Wilson - ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a survey of such - techniques.) Sizes of free chunks are stored both in the front of - each chunk and at the end. This makes consolidating fragmented - chunks into bigger chunks fast. The head fields also hold bits - representing whether chunks are free or in use. - - Here are some pictures to make it clearer. They are "exploded" to - show that the state of a chunk can be thought of as extending from - the high 31 bits of the head field of its header through the - prev_foot and PINUSE_BIT bit of the following chunk header. 
- - A chunk that's in use looks like: - - chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Size of previous chunk (if P = 1) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P| - | Size of this chunk 1| +-+ - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - +- -+ - | | - +- -+ - | : - +- size - sizeof(size_t) available payload bytes -+ - : | - chunk-> +- -+ - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| - | Size of next chunk (may or may not be in use) | +-+ - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - And if it's free, it looks like this: - - chunk-> +- -+ - | User payload (must be in use, or we would have merged!) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P| - | Size of this chunk 0| +-+ - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Next pointer | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Prev pointer | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | : - +- size - sizeof(struct chunk) unused bytes -+ - : | - chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Size of this chunk | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| - | Size of next chunk (must be in use, or we would have merged)| +-+ - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | : - +- User payload -+ - : | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - |0| - +-+ - Note that since we always merge adjacent free chunks, the chunks - adjacent to a free chunk must be in use. 
- - Given a pointer to a chunk (which can be derived trivially from the - payload pointer) we can, in O(1) time, find out whether the adjacent - chunks are free, and if so, unlink them from the lists that they - are on and merge them with the current chunk. - - Chunks always begin on even word boundaries, so the mem portion - (which is returned to the user) is also on an even word boundary, and - thus at least double-word aligned. - - The P (PINUSE_BIT) bit, stored in the unused low-order bit of the - chunk size (which is always a multiple of two words), is an in-use - bit for the *previous* chunk. If that bit is *clear*, then the - word before the current chunk size contains the previous chunk - size, and can be used to find the front of the previous chunk. - The very first chunk allocated always has this bit set, preventing - access to non-existent (or non-owned) memory. If pinuse is set for - any given chunk, then you CANNOT determine the size of the - previous chunk, and might even get a memory addressing fault when - trying to do so. - - The C (CINUSE_BIT) bit, stored in the unused second-lowest bit of - the chunk size redundantly records whether the current chunk is - inuse. This redundancy enables usage checks within free and realloc, - and reduces indirection when freeing and consolidating chunks. - - Each freshly allocated chunk must have both cinuse and pinuse set. - That is, each allocated chunk borders either a previously allocated - and still in-use chunk, or the base of its memory arena. This is - ensured by making all allocations from the the `lowest' part of any - found chunk. Further, no free chunk physically borders another one, - so each free chunk is known to be preceded and followed by either - inuse chunks or the ends of memory. - - Note that the `foot' of the current chunk is actually represented - as the prev_foot of the NEXT chunk. 
This makes it easier to - deal with alignments etc but can be very confusing when trying - to extend or adapt this code. - - The exceptions to all this are - - 1. The special chunk `top' is the top-most available chunk (i.e., - the one bordering the end of available memory). It is treated - specially. Top is never included in any bin, is used only if - no other chunk is available, and is released back to the - system if it is very large (see M_TRIM_THRESHOLD). In effect, - the top chunk is treated as larger (and thus less well - fitting) than any other available chunk. The top chunk - doesn't update its trailing size field since there is no next - contiguous chunk that would have to index off it. However, - space is still allocated for it (TOP_FOOT_SIZE) to enable - separation or merging when space is extended. - - 3. Chunks allocated via mmap, which have the lowest-order bit - (IS_MMAPPED_BIT) set in their prev_foot fields, and do not set - PINUSE_BIT in their head fields. Because they are allocated - one-by-one, each must carry its own prev_foot field, which is - also used to hold the offset this chunk has within its mmapped - region, which is needed to preserve alignment. Each mmapped - chunk is trailed by the first two fields of a fake next-chunk - for sake of usage checks. - -*/ - -struct malloc_chunk { - size_t prev_foot; /* Size of previous chunk (if free). */ - size_t head; /* Size and inuse bits. */ - struct malloc_chunk* fd; /* double links -- used only if free. 
 */
-struct malloc_chunk* bk;
-};
-
-typedef struct malloc_chunk mchunk;
-typedef struct malloc_chunk* mchunkptr;
-typedef struct malloc_chunk* sbinptr; /* The type of bins of chunks */
-typedef unsigned int bindex_t; /* Described below */
-typedef unsigned int binmap_t; /* Described below */
-typedef unsigned int flag_t; /* The type of various bit flag sets */
-
-/* ------------------- Chunks sizes and alignments ----------------------- */
-
-#define MCHUNK_SIZE (sizeof(mchunk))
-
-#if FOOTERS
-#define CHUNK_OVERHEAD (TWO_SIZE_T_SIZES)
-#else /* FOOTERS */
-#define CHUNK_OVERHEAD (SIZE_T_SIZE)
-#endif /* FOOTERS */
-
-/* MMapped chunks need a second word of overhead ... */
-#define MMAP_CHUNK_OVERHEAD (TWO_SIZE_T_SIZES)
-/* ... and additional padding for fake next-chunk at foot */
-#define MMAP_FOOT_PAD (FOUR_SIZE_T_SIZES)
-
-/* The smallest size we can malloc is an aligned minimal chunk */
-#define MIN_CHUNK_SIZE\
- ((MCHUNK_SIZE + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
-
-/* conversion from malloc headers to user pointers, and back */
-#define chunk2mem(p) ((void*)((char*)(p) + TWO_SIZE_T_SIZES))
-#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - TWO_SIZE_T_SIZES))
-/* chunk associated with aligned address A */
-#define align_as_chunk(A) (mchunkptr)((A) + align_offset(chunk2mem(A)))
-
-/* Bounds on request (not chunk) sizes. */
-#define MAX_REQUEST ((-MIN_CHUNK_SIZE) << 2)
-#define MIN_REQUEST (MIN_CHUNK_SIZE - CHUNK_OVERHEAD - SIZE_T_ONE)
-
-/* pad request bytes into a usable size */
-#define pad_request(req) \
- (((req) + CHUNK_OVERHEAD + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
-
-/* pad request, checking for minimum (but not maximum) */
-#define request2size(req) \
- (((req) < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(req))
-
-
-/* ------------------ Operations on head and foot fields ----------------- */
-
-/*
- The head field of a chunk is or'ed with PINUSE_BIT when previous
- adjacent chunk in use, and or'ed with CINUSE_BIT if this chunk is in
- use.
 If the chunk was obtained with mmap, the prev_foot field has
- IS_MMAPPED_BIT set, otherwise holding the offset of the base of the
- mmapped region to the base of the chunk.
-*/
-
-#define PINUSE_BIT (SIZE_T_ONE)
-#define CINUSE_BIT (SIZE_T_TWO)
-#define INUSE_BITS (PINUSE_BIT|CINUSE_BIT)
-
-/* Head value for fenceposts */
-#define FENCEPOST_HEAD (INUSE_BITS|SIZE_T_SIZE)
-
-/* extraction of fields from head words */
-#define cinuse(p) ((p)->head & CINUSE_BIT)
-#define pinuse(p) ((p)->head & PINUSE_BIT)
-#define chunksize(p) ((p)->head & ~(INUSE_BITS))
-
-#define clear_pinuse(p) ((p)->head &= ~PINUSE_BIT)
-#define clear_cinuse(p) ((p)->head &= ~CINUSE_BIT)
-
-/* Treat space at ptr +/- offset as a chunk */
-#define chunk_plus_offset(p, s) ((mchunkptr)(((char*)(p)) + (s)))
-#define chunk_minus_offset(p, s) ((mchunkptr)(((char*)(p)) - (s)))
-
-/* Ptr to next or previous physical malloc_chunk. */
-#define next_chunk(p) ((mchunkptr)( ((char*)(p)) + ((p)->head & ~INUSE_BITS)))
-#define prev_chunk(p) ((mchunkptr)( ((char*)(p)) - ((p)->prev_foot) ))
-
-/* extract next chunk's pinuse bit */
-#define next_pinuse(p) ((next_chunk(p)->head) & PINUSE_BIT)
-
-/* Get/set size at footer */
-#define get_foot(p, s) (((mchunkptr)((char*)(p) + (s)))->prev_foot)
-#define set_foot(p, s) (((mchunkptr)((char*)(p) + (s)))->prev_foot = (s))
-
-/* Set size, pinuse bit, and foot */
-#define set_size_and_pinuse_of_free_chunk(p, s)\
- ((p)->head = (s|PINUSE_BIT), set_foot(p, s))
-
-/* Set size, pinuse bit, foot, and clear next pinuse */
-#define set_free_with_pinuse(p, s, n)\
- (clear_pinuse(n), set_size_and_pinuse_of_free_chunk(p, s))
-
-#define is_mmapped(p)\
- (!((p)->head & PINUSE_BIT) && ((p)->prev_foot & IS_MMAPPED_BIT))
-
-/* Get the internal overhead associated with chunk p */
-#define overhead_for(p)\
- (is_mmapped(p)?
MMAP_CHUNK_OVERHEAD : CHUNK_OVERHEAD) - -/* Return true if malloced space is not necessarily cleared */ -#if MMAP_CLEARS -#define calloc_must_clear(p) (!is_mmapped(p)) -#else /* MMAP_CLEARS */ -#define calloc_must_clear(p) (1) -#endif /* MMAP_CLEARS */ - -/* ---------------------- Overlaid data structures ----------------------- */ - -/* - When chunks are not in use, they are treated as nodes of either - lists or trees. - - "Small" chunks are stored in circular doubly-linked lists, and look - like this: - - chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Size of previous chunk | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - `head:' | Size of chunk, in bytes |P| - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Forward pointer to next chunk in list | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Back pointer to previous chunk in list | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Unused space (may be 0 bytes long) . - . . - . | -nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - `foot:' | Size of chunk, in bytes | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Larger chunks are kept in a form of bitwise digital trees (aka - tries) keyed on chunksizes. Because malloc_tree_chunks are only for - free chunks greater than 256 bytes, their size doesn't impose any - constraints on user chunk sizes. 
Each node looks like: - - chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Size of previous chunk | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - `head:' | Size of chunk, in bytes |P| - mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Forward pointer to next chunk of same size | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Back pointer to previous chunk of same size | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Pointer to left child (child[0]) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Pointer to right child (child[1]) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Pointer to parent | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | bin index of this chunk | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Unused space . - . | -nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - `foot:' | Size of chunk, in bytes | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Each tree holding treenodes is a tree of unique chunk sizes. Chunks - of the same size are arranged in a circularly-linked list, with only - the oldest chunk (the next to be used, in our FIFO ordering) - actually in the tree. (Tree members are distinguished by a non-null - parent pointer.) If a chunk with the same size an an existing node - is inserted, it is linked off the existing node using pointers that - work in the same way as fd/bk pointers of small chunks. - - Each tree contains a power of 2 sized range of chunk sizes (the - smallest is 0x100 <= x < 0x180), which is is divided in half at each - tree level, with the chunks in the smaller half of the range (0x100 - <= x < 0x140 for the top nose) in the left subtree and the larger - half (0x140 <= x < 0x180) in the right subtree. 
This is, of course, - done by inspecting individual bits. - - Using these rules, each node's left subtree contains all smaller - sizes than its right subtree. However, the node at the root of each - subtree has no particular ordering relationship to either. (The - dividing line between the subtree sizes is based on trie relation.) - If we remove the last chunk of a given size from the interior of the - tree, we need to replace it with a leaf node. The tree ordering - rules permit a node to be replaced by any leaf below it. - - The smallest chunk in a tree (a common operation in a best-fit - allocator) can be found by walking a path to the leftmost leaf in - the tree. Unlike a usual binary tree, where we follow left child - pointers until we reach a null, here we follow the right child - pointer any time the left one is null, until we reach a leaf with - both child pointers null. The smallest chunk in the tree will be - somewhere along that path. - - The worst case number of steps to add, find, or remove a node is - bounded by the number of bits differentiating chunks within - bins. Under current bin calculations, this ranges from 6 up to 21 - (for 32 bit sizes) or up to 53 (for 64 bit sizes). The typical case - is of course much better. -*/ - -struct malloc_tree_chunk { - /* The first four fields must be compatible with malloc_chunk */ - size_t prev_foot; - size_t head; - struct malloc_tree_chunk* fd; - struct malloc_tree_chunk* bk; - - struct malloc_tree_chunk* child[2]; - struct malloc_tree_chunk* parent; - bindex_t index; -}; - -typedef struct malloc_tree_chunk tchunk; -typedef struct malloc_tree_chunk* tchunkptr; -typedef struct malloc_tree_chunk* tbinptr; /* The type of bins of trees */ - -/* A little helper macro for trees */ -#define leftmost_child(t) ((t)->child[0] != 0? 
(t)->child[0] : (t)->child[1]) - -/* ----------------------------- Segments -------------------------------- */ - -/* - Each malloc space may include non-contiguous segments, held in a - list headed by an embedded malloc_segment record representing the - top-most space. Segments also include flags holding properties of - the space. Large chunks that are directly allocated by mmap are not - included in this list. They are instead independently created and - destroyed without otherwise keeping track of them. - - Segment management mainly comes into play for spaces allocated by - MMAP. Any call to MMAP might or might not return memory that is - adjacent to an existing segment. MORECORE normally contiguously - extends the current space, so this space is almost always adjacent, - which is simpler and faster to deal with. (This is why MORECORE is - used preferentially to MMAP when both are available -- see - sys_alloc.) When allocating using MMAP, we don't use any of the - hinting mechanisms (inconsistently) supported in various - implementations of unix mmap, or distinguish reserving from - committing memory. Instead, we just ask for space, and exploit - contiguity when we get it. It is probably possible to do - better than this on some systems, but no general scheme seems - to be significantly better. - - Management entails a simpler variant of the consolidation scheme - used for chunks to reduce fragmentation -- new adjacent memory is - normally prepended or appended to an existing segment. However, - there are limitations compared to chunk consolidation that mostly - reflect the fact that segment processing is relatively infrequent - (occurring only when getting memory from system) and that we - don't expect to have huge numbers of segments: - - * Segments are not indexed, so traversal requires linear scans. (It - would be possible to index these, but is not worth the extra - overhead and complexity for most programs on most platforms.) 
- * New segments are only appended to old ones when holding top-most - memory; if they cannot be prepended to others, they are held in - different segments. - - Except for the top-most segment of an mstate, each segment record - is kept at the tail of its segment. Segments are added by pushing - segment records onto the list headed by &mstate.seg for the - containing mstate. - - Segment flags control allocation/merge/deallocation policies: - * If EXTERN_BIT set, then we did not allocate this segment, - and so should not try to deallocate or merge with others. - (This currently holds only for the initial segment passed - into create_mspace_with_base.) - * If IS_MMAPPED_BIT set, the segment may be merged with - other surrounding mmapped segments and trimmed/de-allocated - using munmap. - * If neither bit is set, then the segment was obtained using - MORECORE so can be merged with surrounding MORECORE'd segments - and deallocated/trimmed using MORECORE with negative arguments. -*/ - -struct malloc_segment { - char* base; /* base address */ - size_t size; /* allocated size */ - struct malloc_segment* next; /* ptr to next segment */ - flag_t sflags; /* mmap and extern flag */ -}; - -#define is_mmapped_segment(S) ((S)->sflags & IS_MMAPPED_BIT) -#define is_extern_segment(S) ((S)->sflags & EXTERN_BIT) - -typedef struct malloc_segment msegment; -typedef struct malloc_segment* msegmentptr; - -/* ---------------------------- malloc_state ----------------------------- */ - -/* - A malloc_state holds all of the bookkeeping for a space. - The main fields are: - - Top - The topmost chunk of the currently active segment. Its size is - cached in topsize. The actual size of topmost space is - topsize+TOP_FOOT_SIZE, which includes space reserved for adding - fenceposts and segment records if necessary when getting more - space from the system. The size at which to autotrim top is - cached from mparams in trim_check, except that it is disabled if - an autotrim fails. 
- - Designated victim (dv) - This is the preferred chunk for servicing small requests that - don't have exact fits. It is normally the chunk split off most - recently to service another small request. Its size is cached in - dvsize. The link fields of this chunk are not maintained since it - is not kept in a bin. - - SmallBins - An array of bin headers for free chunks. These bins hold chunks - with sizes less than MIN_LARGE_SIZE bytes. Each bin contains - chunks of all the same size, spaced 8 bytes apart. To simplify - use in double-linked lists, each bin header acts as a malloc_chunk - pointing to the real first node, if it exists (else pointing to - itself). This avoids special-casing for headers. But to avoid - waste, we allocate only the fd/bk pointers of bins, and then use - repositioning tricks to treat these as the fields of a chunk. - - TreeBins - Treebins are pointers to the roots of trees holding a range of - sizes. There are 2 equally spaced treebins for each power of two - from TREE_SHIFT to TREE_SHIFT+16. The last bin holds anything - larger. - - Bin maps - There is one bit map for small bins ("smallmap") and one for - treebins ("treemap). Each bin sets its bit when non-empty, and - clears the bit when empty. Bit operations are then used to avoid - bin-by-bin searching -- nearly all "search" is done without ever - looking at bins that won't be selected. The bit maps - conservatively use 32 bits per map word, even if on 64bit system. - For a good description of some of the bit-based techniques used - here, see Henry S. Warren Jr's book "Hacker's Delight" (and - supplement at http://hackersdelight.org/). Many of these are - intended to reduce the branchiness of paths through malloc etc, as - well as to reduce the number of memory locations read or written. - - Segments - A list of segments headed by an embedded malloc_segment record - representing the initial space. 
- - Address check support - The least_addr field is the least address ever obtained from - MORECORE or MMAP. Attempted frees and reallocs of any address less - than this are trapped (unless INSECURE is defined). - - Magic tag - A cross-check field that should always hold same value as mparams.magic. - - Flags - Bits recording whether to use MMAP, locks, or contiguous MORECORE - - Statistics - Each space keeps track of current and maximum system memory - obtained via MORECORE or MMAP. - - Locking - If USE_LOCKS is defined, the "mutex" lock is acquired and released - around every public call using this mspace. -*/ - -/* Bin types, widths and sizes */ -#define NSMALLBINS (32U) -#define NTREEBINS (32U) -#define SMALLBIN_SHIFT (3U) -#define SMALLBIN_WIDTH (SIZE_T_ONE << SMALLBIN_SHIFT) -#define TREEBIN_SHIFT (8U) -#define MIN_LARGE_SIZE (SIZE_T_ONE << TREEBIN_SHIFT) -#define MAX_SMALL_SIZE (MIN_LARGE_SIZE - SIZE_T_ONE) -#define MAX_SMALL_REQUEST (MAX_SMALL_SIZE - CHUNK_ALIGN_MASK - CHUNK_OVERHEAD) - -struct malloc_state { - binmap_t smallmap; - binmap_t treemap; - size_t dvsize; - size_t topsize; - char* least_addr; - mchunkptr dv; - mchunkptr top; - size_t trim_check; - size_t magic; - mchunkptr smallbins[(NSMALLBINS+1)*2]; - tbinptr treebins[NTREEBINS]; - size_t footprint; - size_t max_footprint; - flag_t mflags; -#if USE_LOCKS - MLOCK_T mutex; /* locate lock among fields that rarely change */ -#endif /* USE_LOCKS */ - msegment seg; -}; - -typedef struct malloc_state* mstate; - -/* ------------- Global malloc_state and malloc_params ------------------- */ - -/* - malloc_params holds global properties, including those that can be - dynamically set using mallopt. There is a single instance, mparams, - initialized in init_mparams. 
-*/ - -struct malloc_params { - size_t magic; - size_t page_size; - size_t granularity; - size_t mmap_threshold; - size_t trim_threshold; - flag_t default_mflags; -}; - -static struct malloc_params mparams; - -/* The global malloc_state used for all non-"mspace" calls */ -static struct malloc_state _gm_; -#define gm (&_gm_) -#define is_global(M) ((M) == &_gm_) -#define is_initialized(M) ((M)->top != 0) - -/* -------------------------- system alloc setup ------------------------- */ - -/* Operations on mflags */ - -#define use_lock(M) ((M)->mflags & USE_LOCK_BIT) -#define enable_lock(M) ((M)->mflags |= USE_LOCK_BIT) -#define disable_lock(M) ((M)->mflags &= ~USE_LOCK_BIT) - -#define use_mmap(M) ((M)->mflags & USE_MMAP_BIT) -#define enable_mmap(M) ((M)->mflags |= USE_MMAP_BIT) -#define disable_mmap(M) ((M)->mflags &= ~USE_MMAP_BIT) - -#define use_noncontiguous(M) ((M)->mflags & USE_NONCONTIGUOUS_BIT) -#define disable_contiguous(M) ((M)->mflags |= USE_NONCONTIGUOUS_BIT) - -#define set_lock(M,L)\ - ((M)->mflags = (L)?\ - ((M)->mflags | USE_LOCK_BIT) :\ - ((M)->mflags & ~USE_LOCK_BIT)) - -/* page-align a size */ -#define page_align(S)\ - (((S) + (mparams.page_size)) & ~(mparams.page_size - SIZE_T_ONE)) - -/* granularity-align a size */ -#define granularity_align(S)\ - (((S) + (mparams.granularity)) & ~(mparams.granularity - SIZE_T_ONE)) - -#define is_page_aligned(S)\ - (((size_t)(S) & (mparams.page_size - SIZE_T_ONE)) == 0) -#define is_granularity_aligned(S)\ - (((size_t)(S) & (mparams.granularity - SIZE_T_ONE)) == 0) - -/* True if segment S holds address A */ -#define segment_holds(S, A)\ - ((char*)(A) >= S->base && (char*)(A) < S->base + S->size) - -/* Return segment holding given address */ -static msegmentptr segment_holding(mstate m, char* addr) { - msegmentptr sp = &m->seg; - for (;;) { - if (addr >= sp->base && addr < sp->base + sp->size) - return sp; - if ((sp = sp->next) == 0) - return 0; - } -} - -/* Return true if segment contains a segment link */ -static int 
has_segment_link(mstate m, msegmentptr ss) { - msegmentptr sp = &m->seg; - for (;;) { - if ((char*)sp >= ss->base && (char*)sp < ss->base + ss->size) - return 1; - if ((sp = sp->next) == 0) - return 0; - } -} - -#ifndef MORECORE_CANNOT_TRIM -#define should_trim(M,s) ((s) > (M)->trim_check) -#else /* MORECORE_CANNOT_TRIM */ -#define should_trim(M,s) (0) -#endif /* MORECORE_CANNOT_TRIM */ - -/* - TOP_FOOT_SIZE is padding at the end of a segment, including space - that may be needed to place segment records and fenceposts when new - noncontiguous segments are added. -*/ -#define TOP_FOOT_SIZE\ - (align_offset(chunk2mem(0))+pad_request(sizeof(struct malloc_segment))+MIN_CHUNK_SIZE) - - -/* ------------------------------- Hooks -------------------------------- */ - -/* - PREACTION should be defined to return 0 on success, and nonzero on - failure. If you are not using locking, you can redefine these to do - anything you like. -*/ - -#if USE_LOCKS - -/* Ensure locks are initialized */ -#define GLOBALLY_INITIALIZE() (mparams.page_size == 0 && init_mparams()) - -#define PREACTION(M) ((GLOBALLY_INITIALIZE() || use_lock(M))? ACQUIRE_LOCK(&(M)->mutex) : 0) -#define POSTACTION(M) { if (use_lock(M)) RELEASE_LOCK(&(M)->mutex); } -#else /* USE_LOCKS */ - -#ifndef PREACTION -#define PREACTION(M) (0) -#endif /* PREACTION */ - -#ifndef POSTACTION -#define POSTACTION(M) -#endif /* POSTACTION */ - -#endif /* USE_LOCKS */ - -/* - CORRUPTION_ERROR_ACTION is triggered upon detected bad addresses. - USAGE_ERROR_ACTION is triggered on detected bad frees and - reallocs. The argument p is an address that might have triggered the - fault. It is ignored by the two predefined actions, but might be - useful in custom actions that try to help diagnose errors. 
-*/ - -#if PROCEED_ON_ERROR - -/* A count of the number of corruption errors causing resets */ -int malloc_corruption_error_count; - -/* default corruption action */ -static void reset_on_error(mstate m); - -#define CORRUPTION_ERROR_ACTION(m) reset_on_error(m) -#define USAGE_ERROR_ACTION(m, p) - -#else /* PROCEED_ON_ERROR */ - -#ifndef CORRUPTION_ERROR_ACTION -#define CORRUPTION_ERROR_ACTION(m) ABORT -#endif /* CORRUPTION_ERROR_ACTION */ - -#ifndef USAGE_ERROR_ACTION -#define USAGE_ERROR_ACTION(m,p) ABORT -#endif /* USAGE_ERROR_ACTION */ - -#endif /* PROCEED_ON_ERROR */ - -/* -------------------------- Debugging setup ---------------------------- */ - -#if ! DEBUG - -#define check_free_chunk(M,P) -#define check_inuse_chunk(M,P) -#define check_malloced_chunk(M,P,N) -#define check_mmapped_chunk(M,P) -#define check_malloc_state(M) -#define check_top_chunk(M,P) - -#else /* DEBUG */ -#define check_free_chunk(M,P) do_check_free_chunk(M,P) -#define check_inuse_chunk(M,P) do_check_inuse_chunk(M,P) -#define check_top_chunk(M,P) do_check_top_chunk(M,P) -#define check_malloced_chunk(M,P,N) do_check_malloced_chunk(M,P,N) -#define check_mmapped_chunk(M,P) do_check_mmapped_chunk(M,P) -#define check_malloc_state(M) do_check_malloc_state(M) - -static void do_check_any_chunk(mstate m, mchunkptr p); -static void do_check_top_chunk(mstate m, mchunkptr p); -static void do_check_mmapped_chunk(mstate m, mchunkptr p); -static void do_check_inuse_chunk(mstate m, mchunkptr p); -static void do_check_free_chunk(mstate m, mchunkptr p); -static void do_check_malloced_chunk(mstate m, void* mem, size_t s); -static void do_check_tree(mstate m, tchunkptr t); -static void do_check_treebin(mstate m, bindex_t i); -static void do_check_smallbin(mstate m, bindex_t i); -static void do_check_malloc_state(mstate m); -static int bin_find(mstate m, mchunkptr x); -static size_t traverse_and_check(mstate m); -#endif /* DEBUG */ - -/* ---------------------------- Indexing Bins ---------------------------- */ - 
-#define is_small(s) (((s) >> SMALLBIN_SHIFT) < NSMALLBINS) -#define small_index(s) ((s) >> SMALLBIN_SHIFT) -#define small_index2size(i) ((i) << SMALLBIN_SHIFT) -#define MIN_SMALL_INDEX (small_index(MIN_CHUNK_SIZE)) - -/* addressing by index. See above about smallbin repositioning */ -#define smallbin_at(M, i) ((sbinptr)((char*)&((M)->smallbins[(i)<<1]))) -#define treebin_at(M,i) (&((M)->treebins[i])) - -/* assign tree index for size S to variable I */ -#if defined(__GNUC__) && defined(i386) -#define compute_tree_index(S, I)\ -{\ - size_t X = S >> TREEBIN_SHIFT;\ - if (X == 0)\ - I = 0;\ - else if (X > 0xFFFF)\ - I = NTREEBINS-1;\ - else {\ - unsigned int K;\ - __asm__("bsrl %1,%0\n\t" : "=r" (K) : "rm" (X));\ - I = (bindex_t)((K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1)));\ - }\ -} -#else /* GNUC */ -#define compute_tree_index(S, I)\ -{\ - size_t X = S >> TREEBIN_SHIFT;\ - if (X == 0)\ - I = 0;\ - else if (X > 0xFFFF)\ - I = NTREEBINS-1;\ - else {\ - unsigned int Y = (unsigned int)X;\ - unsigned int N = ((Y - 0x100) >> 16) & 8;\ - unsigned int K = (((Y <<= N) - 0x1000) >> 16) & 4;\ - N += K;\ - N += K = (((Y <<= K) - 0x4000) >> 16) & 2;\ - K = 14 - N + ((Y <<= K) >> 15);\ - I = (K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1));\ - }\ -} -#endif /* GNUC */ - -/* Bit representing maximum resolved size in a treebin at i */ -#define bit_for_tree_index(i) \ - (i == NTREEBINS-1)? (SIZE_T_BITSIZE-1) : (((i) >> 1) + TREEBIN_SHIFT - 2) - -/* Shift placing maximum resolved bit in a treebin at i as sign bit */ -#define leftshift_for_tree_index(i) \ - ((i == NTREEBINS-1)? 
0 : \ - ((SIZE_T_BITSIZE-SIZE_T_ONE) - (((i) >> 1) + TREEBIN_SHIFT - 2))) - -/* The size of the smallest chunk held in bin with index i */ -#define minsize_for_tree_index(i) \ - ((SIZE_T_ONE << (((i) >> 1) + TREEBIN_SHIFT)) | \ - (((size_t)((i) & SIZE_T_ONE)) << (((i) >> 1) + TREEBIN_SHIFT - 1))) - - -/* ------------------------ Operations on bin maps ----------------------- */ - -/* bit corresponding to given index */ -#define idx2bit(i) ((binmap_t)(1) << (i)) - -/* Mark/Clear bits with given index */ -#define mark_smallmap(M,i) ((M)->smallmap |= idx2bit(i)) -#define clear_smallmap(M,i) ((M)->smallmap &= ~idx2bit(i)) -#define smallmap_is_marked(M,i) ((M)->smallmap & idx2bit(i)) - -#define mark_treemap(M,i) ((M)->treemap |= idx2bit(i)) -#define clear_treemap(M,i) ((M)->treemap &= ~idx2bit(i)) -#define treemap_is_marked(M,i) ((M)->treemap & idx2bit(i)) - -/* index corresponding to given bit */ - -#if defined(__GNUC__) && defined(i386) -#define compute_bit2idx(X, I)\ -{\ - unsigned int J;\ - __asm__("bsfl %1,%0\n\t" : "=r" (J) : "rm" (X));\ - I = (bindex_t)J;\ -} - -#else /* GNUC */ -#if USE_BUILTIN_FFS -#define compute_bit2idx(X, I) I = ffs(X)-1 - -#else /* USE_BUILTIN_FFS */ -#define compute_bit2idx(X, I)\ -{\ - unsigned int Y = X - 1;\ - unsigned int K = Y >> (16-4) & 16;\ - unsigned int N = K; Y >>= K;\ - N += K = Y >> (8-3) & 8; Y >>= K;\ - N += K = Y >> (4-2) & 4; Y >>= K;\ - N += K = Y >> (2-1) & 2; Y >>= K;\ - N += K = Y >> (1-0) & 1; Y >>= K;\ - I = (bindex_t)(N + Y);\ -} -#endif /* USE_BUILTIN_FFS */ -#endif /* GNUC */ - -/* isolate the least set bit of a bitmap */ -#define least_bit(x) ((x) & -(x)) - -/* mask with all bits to left of least bit of x on */ -#define left_bits(x) ((x<<1) | -(x<<1)) - -/* mask with all bits to left of or equal to least bit of x on */ -#define same_or_left_bits(x) ((x) | -(x)) - - -/* ----------------------- Runtime Check Support ------------------------- */ - -/* - For security, the main invariant is that malloc/free/etc never 
- writes to a static address other than malloc_state, unless static - malloc_state itself has been corrupted, which cannot occur via - malloc (because of these checks). In essence this means that we - believe all pointers, sizes, maps etc held in malloc_state, but - check all of those linked or offsetted from other embedded data - structures. These checks are interspersed with main code in a way - that tends to minimize their run-time cost. - - When FOOTERS is defined, in addition to range checking, we also - verify footer fields of inuse chunks, which can be used guarantee - that the mstate controlling malloc/free is intact. This is a - streamlined version of the approach described by William Robertson - et al in "Run-time Detection of Heap-based Overflows" LISA'03 - http://www.usenix.org/events/lisa03/tech/robertson.html The footer - of an inuse chunk holds the xor of its mstate and a random seed, - that is checked upon calls to free() and realloc(). This is - (probablistically) unguessable from outside the program, but can be - computed by any code successfully malloc'ing any chunk, so does not - itself provide protection against code that has already broken - security through some other means. Unlike Robertson et al, we - always dynamically check addresses of all offset chunks (previous, - next, etc). This turns out to be cheaper than relying on hashes. 
-*/ - -#if !INSECURE -/* Check if address a is at least as high as any from MORECORE or MMAP */ -#define ok_address(M, a) ((char*)(a) >= (M)->least_addr) -/* Check if address of next chunk n is higher than base chunk p */ -#define ok_next(p, n) ((char*)(p) < (char*)(n)) -/* Check if p has its cinuse bit on */ -#define ok_cinuse(p) cinuse(p) -/* Check if p has its pinuse bit on */ -#define ok_pinuse(p) pinuse(p) - -#else /* !INSECURE */ -#define ok_address(M, a) (1) -#define ok_next(b, n) (1) -#define ok_cinuse(p) (1) -#define ok_pinuse(p) (1) -#endif /* !INSECURE */ - -#if (FOOTERS && !INSECURE) -/* Check if (alleged) mstate m has expected magic field */ -#define ok_magic(M) ((M)->magic == mparams.magic) -#else /* (FOOTERS && !INSECURE) */ -#define ok_magic(M) (1) -#endif /* (FOOTERS && !INSECURE) */ - - -/* In gcc, use __builtin_expect to minimize impact of checks */ -#if !INSECURE -#if defined(__GNUC__) && __GNUC__ >= 3 -#define RTCHECK(e) __builtin_expect(e, 1) -#else /* GNUC */ -#define RTCHECK(e) (e) -#endif /* GNUC */ -#else /* !INSECURE */ -#define RTCHECK(e) (1) -#endif /* !INSECURE */ - -/* macros to set up inuse chunks with or without footers */ - -#if !FOOTERS - -#define mark_inuse_foot(M,p,s) - -/* Set cinuse bit and pinuse bit of next chunk */ -#define set_inuse(M,p,s)\ - ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\ - ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT) - -/* Set cinuse and pinuse of this chunk and pinuse of next chunk */ -#define set_inuse_and_pinuse(M,p,s)\ - ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\ - ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT) - -/* Set size, cinuse and pinuse bit of this chunk */ -#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\ - ((p)->head = (s|PINUSE_BIT|CINUSE_BIT)) - -#else /* FOOTERS */ - -/* Set foot of inuse chunk to be xor of mstate and seed */ -#define mark_inuse_foot(M,p,s)\ - (((mchunkptr)((char*)(p) + (s)))->prev_foot = ((size_t)(M) ^ mparams.magic)) - -#define 
get_mstate_for(p)\ - ((mstate)(((mchunkptr)((char*)(p) +\ - (chunksize(p))))->prev_foot ^ mparams.magic)) - -#define set_inuse(M,p,s)\ - ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\ - (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT), \ - mark_inuse_foot(M,p,s)) - -#define set_inuse_and_pinuse(M,p,s)\ - ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\ - (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT),\ - mark_inuse_foot(M,p,s)) - -#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\ - ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\ - mark_inuse_foot(M, p, s)) - -#endif /* !FOOTERS */ - -/* ---------------------------- setting mparams -------------------------- */ - -/* Initialize mparams */ -static int init_mparams(void) { - if (mparams.page_size == 0) { - size_t s; - - mparams.mmap_threshold = DEFAULT_MMAP_THRESHOLD; - mparams.trim_threshold = DEFAULT_TRIM_THRESHOLD; -#if MORECORE_CONTIGUOUS - mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT; -#else /* MORECORE_CONTIGUOUS */ - mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT|USE_NONCONTIGUOUS_BIT; -#endif /* MORECORE_CONTIGUOUS */ - -#if (FOOTERS && !INSECURE) - { -#if USE_DEV_RANDOM - int fd; - unsigned char buf[sizeof(size_t)]; - /* Try to use /dev/urandom, else fall back on using time */ - if ((fd = open("/dev/urandom", O_RDONLY)) >= 0 && - read(fd, buf, sizeof(buf)) == sizeof(buf)) { - s = *((size_t *) buf); - close(fd); - } - else -#endif /* USE_DEV_RANDOM */ - s = (size_t)(time(0) ^ (size_t)0x55555555U); - - s |= (size_t)8U; /* ensure nonzero */ - s &= ~(size_t)7U; /* improve chances of fault for bad values */ - - } -#else /* (FOOTERS && !INSECURE) */ - s = (size_t)0x58585858U; -#endif /* (FOOTERS && !INSECURE) */ - ACQUIRE_MAGIC_INIT_LOCK(); - if (mparams.magic == 0) { - mparams.magic = s; - /* Set up lock for main malloc area */ - INITIAL_LOCK(&gm->mutex); - gm->mflags = mparams.default_mflags; - } - RELEASE_MAGIC_INIT_LOCK(); - -#ifndef WIN32 - mparams.page_size = malloc_getpagesize; - 
mparams.granularity = ((DEFAULT_GRANULARITY != 0)? - DEFAULT_GRANULARITY : mparams.page_size); -#else /* WIN32 */ - { - SYSTEM_INFO system_info; - GetSystemInfo(&system_info); - mparams.page_size = system_info.dwPageSize; - mparams.granularity = system_info.dwAllocationGranularity; - } -#endif /* WIN32 */ - - /* Sanity-check configuration: - size_t must be unsigned and as wide as pointer type. - ints must be at least 4 bytes. - alignment must be at least 8. - Alignment, min chunk size, and page size must all be powers of 2. - */ - if ((sizeof(size_t) != sizeof(char*)) || - (MAX_SIZE_T < MIN_CHUNK_SIZE) || - (sizeof(int) < 4) || - (MALLOC_ALIGNMENT < (size_t)8U) || - ((MALLOC_ALIGNMENT & (MALLOC_ALIGNMENT-SIZE_T_ONE)) != 0) || - ((MCHUNK_SIZE & (MCHUNK_SIZE-SIZE_T_ONE)) != 0) || - ((mparams.granularity & (mparams.granularity-SIZE_T_ONE)) != 0) || - ((mparams.page_size & (mparams.page_size-SIZE_T_ONE)) != 0)) - ABORT; - } - return 0; -} - -/* support for mallopt */ -static int change_mparam(int param_number, int value) { - size_t val = (size_t)value; - init_mparams(); - switch(param_number) { - case M_TRIM_THRESHOLD: - mparams.trim_threshold = val; - return 1; - case M_GRANULARITY: - if (val >= mparams.page_size && ((val & (val-1)) == 0)) { - mparams.granularity = val; - return 1; - } - else - return 0; - case M_MMAP_THRESHOLD: - mparams.mmap_threshold = val; - return 1; - default: - return 0; - } -} - -#if DEBUG -/* ------------------------- Debugging Support --------------------------- */ - -/* Check properties of any chunk, whether free, inuse, mmapped etc */ -static void do_check_any_chunk(mstate m, mchunkptr p) { - assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD)); - assert(ok_address(m, p)); -} - -/* Check properties of top chunk */ -static void do_check_top_chunk(mstate m, mchunkptr p) { - msegmentptr sp = segment_holding(m, (char*)p); - size_t sz = chunksize(p); - assert(sp != 0); - assert((is_aligned(chunk2mem(p))) || (p->head == 
FENCEPOST_HEAD)); - assert(ok_address(m, p)); - assert(sz == m->topsize); - assert(sz > 0); - assert(sz == ((sp->base + sp->size) - (char*)p) - TOP_FOOT_SIZE); - assert(pinuse(p)); - assert(!next_pinuse(p)); -} - -/* Check properties of (inuse) mmapped chunks */ -static void do_check_mmapped_chunk(mstate m, mchunkptr p) { - size_t sz = chunksize(p); - size_t len = (sz + (p->prev_foot & ~IS_MMAPPED_BIT) + MMAP_FOOT_PAD); - assert(is_mmapped(p)); - assert(use_mmap(m)); - assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD)); - assert(ok_address(m, p)); - assert(!is_small(sz)); - assert((len & (mparams.page_size-SIZE_T_ONE)) == 0); - assert(chunk_plus_offset(p, sz)->head == FENCEPOST_HEAD); - assert(chunk_plus_offset(p, sz+SIZE_T_SIZE)->head == 0); -} - -/* Check properties of inuse chunks */ -static void do_check_inuse_chunk(mstate m, mchunkptr p) { - do_check_any_chunk(m, p); - assert(cinuse(p)); - assert(next_pinuse(p)); - /* If not pinuse and not mmapped, previous chunk has OK offset */ - assert(is_mmapped(p) || pinuse(p) || next_chunk(prev_chunk(p)) == p); - if (is_mmapped(p)) - do_check_mmapped_chunk(m, p); -} - -/* Check properties of free chunks */ -static void do_check_free_chunk(mstate m, mchunkptr p) { - size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT); - mchunkptr next = chunk_plus_offset(p, sz); - do_check_any_chunk(m, p); - assert(!cinuse(p)); - assert(!next_pinuse(p)); - assert (!is_mmapped(p)); - if (p != m->dv && p != m->top) { - if (sz >= MIN_CHUNK_SIZE) { - assert((sz & CHUNK_ALIGN_MASK) == 0); - assert(is_aligned(chunk2mem(p))); - assert(next->prev_foot == sz); - assert(pinuse(p)); - assert (next == m->top || cinuse(next)); - assert(p->fd->bk == p); - assert(p->bk->fd == p); - } - else /* markers are always of size SIZE_T_SIZE */ - assert(sz == SIZE_T_SIZE); - } -} - -/* Check properties of malloced chunks at the point they are malloced */ -static void do_check_malloced_chunk(mstate m, void* mem, size_t s) { - if (mem != 0) { - mchunkptr 
p = mem2chunk(mem); - size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT); - do_check_inuse_chunk(m, p); - assert((sz & CHUNK_ALIGN_MASK) == 0); - assert(sz >= MIN_CHUNK_SIZE); - assert(sz >= s); - /* unless mmapped, size is less than MIN_CHUNK_SIZE more than request */ - assert(is_mmapped(p) || sz < (s + MIN_CHUNK_SIZE)); - } -} - -/* Check a tree and its subtrees. */ -static void do_check_tree(mstate m, tchunkptr t) { - tchunkptr head = 0; - tchunkptr u = t; - bindex_t tindex = t->index; - size_t tsize = chunksize(t); - bindex_t idx; - compute_tree_index(tsize, idx); - assert(tindex == idx); - assert(tsize >= MIN_LARGE_SIZE); - assert(tsize >= minsize_for_tree_index(idx)); - assert((idx == NTREEBINS-1) || (tsize < minsize_for_tree_index((idx+1)))); - - do { /* traverse through chain of same-sized nodes */ - do_check_any_chunk(m, ((mchunkptr)u)); - assert(u->index == tindex); - assert(chunksize(u) == tsize); - assert(!cinuse(u)); - assert(!next_pinuse(u)); - assert(u->fd->bk == u); - assert(u->bk->fd == u); - if (u->parent == 0) { - assert(u->child[0] == 0); - assert(u->child[1] == 0); - } - else { - assert(head == 0); /* only one node on chain has parent */ - head = u; - assert(u->parent != u); - assert (u->parent->child[0] == u || - u->parent->child[1] == u || - *((tbinptr*)(u->parent)) == u); - if (u->child[0] != 0) { - assert(u->child[0]->parent == u); - assert(u->child[0] != u); - do_check_tree(m, u->child[0]); - } - if (u->child[1] != 0) { - assert(u->child[1]->parent == u); - assert(u->child[1] != u); - do_check_tree(m, u->child[1]); - } - if (u->child[0] != 0 && u->child[1] != 0) { - assert(chunksize(u->child[0]) < chunksize(u->child[1])); - } - } - u = u->fd; - } while (u != t); - assert(head != 0); -} - -/* Check all the chunks in a treebin. 
*/
-static void do_check_treebin(mstate m, bindex_t i) {
- tbinptr* tb = treebin_at(m, i);
- tchunkptr t = *tb;
- int empty = (m->treemap & (1U << i)) == 0;
- if (t == 0)
- assert(empty);
- if (!empty)
- do_check_tree(m, t);
-}
-
-/* Check all the chunks in a smallbin. */
-static void do_check_smallbin(mstate m, bindex_t i) {
- sbinptr b = smallbin_at(m, i);
- mchunkptr p = b->bk;
- unsigned int empty = (m->smallmap & (1U << i)) == 0;
- if (p == b)
- assert(empty);
- if (!empty) {
- for (; p != b; p = p->bk) {
- size_t size = chunksize(p);
- mchunkptr q;
- /* each chunk claims to be free */
- do_check_free_chunk(m, p);
- /* chunk belongs in bin */
- assert(small_index(size) == i);
- assert(p->bk == b || chunksize(p->bk) == chunksize(p));
- /* chunk is followed by an inuse chunk */
- q = next_chunk(p);
- if (q->head != FENCEPOST_HEAD)
- do_check_inuse_chunk(m, q);
- }
- }
-}
-
-/* Find x in a bin. Used in other check functions. */
-static int bin_find(mstate m, mchunkptr x) {
- size_t size = chunksize(x);
- if (is_small(size)) {
- bindex_t sidx = small_index(size);
- sbinptr b = smallbin_at(m, sidx);
- if (smallmap_is_marked(m, sidx)) {
- mchunkptr p = b;
- do {
- if (p == x)
- return 1;
- } while ((p = p->fd) != b);
- }
- }
- else {
- bindex_t tidx;
- compute_tree_index(size, tidx);
- if (treemap_is_marked(m, tidx)) {
- tchunkptr t = *treebin_at(m, tidx);
- size_t sizebits = size << leftshift_for_tree_index(tidx);
- while (t != 0 && chunksize(t) != size) {
- t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
- sizebits <<= 1;
- }
- if (t != 0) {
- tchunkptr u = t;
- do {
- if (u == (tchunkptr)x)
- return 1;
- } while ((u = u->fd) != t);
- }
- }
- }
- return 0;
-}
-
-/* Traverse each chunk and check it; return total */
-static size_t traverse_and_check(mstate m) {
- size_t sum = 0;
- if (is_initialized(m)) {
- msegmentptr s = &m->seg;
- sum += m->topsize + TOP_FOOT_SIZE;
- while (s != 0) {
- mchunkptr q = align_as_chunk(s->base);
- mchunkptr lastq = 0;
-
assert(pinuse(q));
- while (segment_holds(s, q) &&
- q != m->top && q->head != FENCEPOST_HEAD) {
- sum += chunksize(q);
- if (cinuse(q)) {
- assert(!bin_find(m, q));
- do_check_inuse_chunk(m, q);
- }
- else {
- assert(q == m->dv || bin_find(m, q));
- assert(lastq == 0 || cinuse(lastq)); /* Not 2 consecutive free */
- do_check_free_chunk(m, q);
- }
- lastq = q;
- q = next_chunk(q);
- }
- s = s->next;
- }
- }
- return sum;
-}
-
-/* Check all properties of malloc_state. */
-static void do_check_malloc_state(mstate m) {
- bindex_t i;
- size_t total;
- /* check bins */
- for (i = 0; i < NSMALLBINS; ++i)
- do_check_smallbin(m, i);
- for (i = 0; i < NTREEBINS; ++i)
- do_check_treebin(m, i);
-
- if (m->dvsize != 0) { /* check dv chunk */
- do_check_any_chunk(m, m->dv);
- assert(m->dvsize == chunksize(m->dv));
- assert(m->dvsize >= MIN_CHUNK_SIZE);
- assert(bin_find(m, m->dv) == 0);
- }
-
- if (m->top != 0) { /* check top chunk */
- do_check_top_chunk(m, m->top);
- assert(m->topsize == chunksize(m->top));
- assert(m->topsize > 0);
- assert(bin_find(m, m->top) == 0);
- }
-
- total = traverse_and_check(m);
- assert(total <= m->footprint);
- assert(m->footprint <= m->max_footprint);
-}
-#endif /* DEBUG */
-
-/* ----------------------------- statistics ------------------------------ */
-
-#if !NO_MALLINFO
-static struct mallinfo internal_mallinfo(mstate m) {
- struct mallinfo nm = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
- if (!PREACTION(m)) {
- check_malloc_state(m);
- if (is_initialized(m)) {
- size_t nfree = SIZE_T_ONE; /* top always free */
- size_t mfree = m->topsize + TOP_FOOT_SIZE;
- size_t sum = mfree;
- msegmentptr s = &m->seg;
- while (s != 0) {
- mchunkptr q = align_as_chunk(s->base);
- while (segment_holds(s, q) &&
- q != m->top && q->head != FENCEPOST_HEAD) {
- size_t sz = chunksize(q);
- sum += sz;
- if (!cinuse(q)) {
- mfree += sz;
- ++nfree;
- }
- q = next_chunk(q);
- }
- s = s->next;
- }
-
- nm.arena = sum;
- nm.ordblks = nfree;
- nm.hblkhd = m->footprint - sum;
-
nm.usmblks = m->max_footprint;
- nm.uordblks = m->footprint - mfree;
- nm.fordblks = mfree;
- nm.keepcost = m->topsize;
- }
-
- POSTACTION(m);
- }
- return nm;
-}
-#endif /* !NO_MALLINFO */
-
-static void internal_malloc_stats(mstate m) {
- if (!PREACTION(m)) {
- size_t maxfp = 0;
- size_t fp = 0;
- size_t used = 0;
- check_malloc_state(m);
- if (is_initialized(m)) {
- msegmentptr s = &m->seg;
- maxfp = m->max_footprint;
- fp = m->footprint;
- used = fp - (m->topsize + TOP_FOOT_SIZE);
-
- while (s != 0) {
- mchunkptr q = align_as_chunk(s->base);
- while (segment_holds(s, q) &&
- q != m->top && q->head != FENCEPOST_HEAD) {
- if (!cinuse(q))
- used -= chunksize(q);
- q = next_chunk(q);
- }
- s = s->next;
- }
- }
-
- fprintf(stderr, "max system bytes = %10lu\n", (unsigned long)(maxfp));
- fprintf(stderr, "system bytes = %10lu\n", (unsigned long)(fp));
- fprintf(stderr, "in use bytes = %10lu\n", (unsigned long)(used));
-
- POSTACTION(m);
- }
-}
-
-/* ----------------------- Operations on smallbins ----------------------- */
-
-/*
- Various forms of linking and unlinking are defined as macros. Even
- the ones for trees, which are very long but have very short typical
- paths. This is ugly but reduces reliance on inlining support of
- compilers.
-*/
-
-/* Link a free chunk into a smallbin */
-#define insert_small_chunk(M, P, S) {\
- bindex_t I = small_index(S);\
- mchunkptr B = smallbin_at(M, I);\
- mchunkptr F = B;\
- assert(S >= MIN_CHUNK_SIZE);\
- if (!smallmap_is_marked(M, I))\
- mark_smallmap(M, I);\
- else if (RTCHECK(ok_address(M, B->fd)))\
- F = B->fd;\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- B->fd = P;\
- F->bk = P;\
- P->fd = F;\
- P->bk = B;\
-}
-
-/* Unlink a chunk from a smallbin */
-#define unlink_small_chunk(M, P, S) {\
- mchunkptr F = P->fd;\
- mchunkptr B = P->bk;\
- bindex_t I = small_index(S);\
- assert(P != B);\
- assert(P != F);\
- assert(chunksize(P) == small_index2size(I));\
- if (F == B)\
- clear_smallmap(M, I);\
- else if (RTCHECK((F == smallbin_at(M,I) || ok_address(M, F)) &&\
- (B == smallbin_at(M,I) || ok_address(M, B)))) {\
- F->bk = B;\
- B->fd = F;\
- }\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- }\
-}
-
-/* Unlink the first chunk from a smallbin */
-#define unlink_first_small_chunk(M, B, P, I) {\
- mchunkptr F = P->fd;\
- assert(P != B);\
- assert(P != F);\
- assert(chunksize(P) == small_index2size(I));\
- if (B == F)\
- clear_smallmap(M, I);\
- else if (RTCHECK(ok_address(M, F))) {\
- B->fd = F;\
- F->bk = B;\
- }\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- }\
-}
-
-/* Replace dv node, binning the old one */
-/* Used only when dvsize known to be small */
-#define replace_dv(M, P, S) {\
- size_t DVS = M->dvsize;\
- if (DVS != 0) {\
- mchunkptr DV = M->dv;\
- assert(is_small(DVS));\
- insert_small_chunk(M, DV, DVS);\
- }\
- M->dvsize = S;\
- M->dv = P;\
-}
-
-/* ------------------------- Operations on trees ------------------------- */
-
-/* Insert chunk into tree */
-#define insert_large_chunk(M, X, S) {\
- tbinptr* H;\
- bindex_t I;\
- compute_tree_index(S, I);\
- H = treebin_at(M, I);\
- X->index = I;\
- X->child[0] = X->child[1] = 0;\
- if (!treemap_is_marked(M, I)) {\
- mark_treemap(M, I);\
- *H = X;\
- X->parent = (tchunkptr)H;\
- X->fd = X->bk = X;\
- }\
- else
{\
- tchunkptr T = *H;\
- size_t K = S << leftshift_for_tree_index(I);\
- for (;;) {\
- if (chunksize(T) != S) {\
- tchunkptr* C = &(T->child[(K >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1]);\
- K <<= 1;\
- if (*C != 0)\
- T = *C;\
- else if (RTCHECK(ok_address(M, C))) {\
- *C = X;\
- X->parent = T;\
- X->fd = X->bk = X;\
- break;\
- }\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- break;\
- }\
- }\
- else {\
- tchunkptr F = T->fd;\
- if (RTCHECK(ok_address(M, T) && ok_address(M, F))) {\
- T->fd = F->bk = X;\
- X->fd = F;\
- X->bk = T;\
- X->parent = 0;\
- break;\
- }\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- break;\
- }\
- }\
- }\
- }\
-}
-
-/*
- Unlink steps:
-
- 1. If x is a chained node, unlink it from its same-sized fd/bk links
- and choose its bk node as its replacement.
- 2. If x was the last node of its size, but not a leaf node, it must
- be replaced with a leaf node (not merely one with an open left or
- right), to make sure that lefts and rights of descendents
- correspond properly to bit masks. We use the rightmost descendent
- of x. We could use any other leaf, but this is easy to locate and
- tends to counteract removal of leftmosts elsewhere, and so keeps
- paths shorter than minimally guaranteed. This doesn't loop much
- because on average a node in a tree is near the bottom.
- 3. If x is the base of a chain (i.e., has parent links) relink
- x's parent and children to x's replacement (or null if none).
-*/
-
-#define unlink_large_chunk(M, X) {\
- tchunkptr XP = X->parent;\
- tchunkptr R;\
- if (X->bk != X) {\
- tchunkptr F = X->fd;\
- R = X->bk;\
- if (RTCHECK(ok_address(M, F))) {\
- F->bk = R;\
- R->fd = F;\
- }\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- }\
- else {\
- tchunkptr* RP;\
- if (((R = *(RP = &(X->child[1]))) != 0) ||\
- ((R = *(RP = &(X->child[0]))) != 0)) {\
- tchunkptr* CP;\
- while ((*(CP = &(R->child[1])) != 0) ||\
- (*(CP = &(R->child[0])) != 0)) {\
- R = *(RP = CP);\
- }\
- if (RTCHECK(ok_address(M, RP)))\
- *RP = 0;\
- else {\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- }\
- }\
- if (XP != 0) {\
- tbinptr* H = treebin_at(M, X->index);\
- if (X == *H) {\
- if ((*H = R) == 0) \
- clear_treemap(M, X->index);\
- }\
- else if (RTCHECK(ok_address(M, XP))) {\
- if (XP->child[0] == X) \
- XP->child[0] = R;\
- else \
- XP->child[1] = R;\
- }\
- else\
- CORRUPTION_ERROR_ACTION(M);\
- if (R != 0) {\
- if (RTCHECK(ok_address(M, R))) {\
- tchunkptr C0, C1;\
- R->parent = XP;\
- if ((C0 = X->child[0]) != 0) {\
- if (RTCHECK(ok_address(M, C0))) {\
- R->child[0] = C0;\
- C0->parent = R;\
- }\
- else\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- if ((C1 = X->child[1]) != 0) {\
- if (RTCHECK(ok_address(M, C1))) {\
- R->child[1] = C1;\
- C1->parent = R;\
- }\
- else\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- }\
- else\
- CORRUPTION_ERROR_ACTION(M);\
- }\
- }\
-}
-
-/* Relays to large vs small bin operations */
-
-#define insert_chunk(M, P, S)\
- if (is_small(S)) insert_small_chunk(M, P, S)\
- else { tchunkptr TP = (tchunkptr)(P); insert_large_chunk(M, TP, S); }
-
-#define unlink_chunk(M, P, S)\
- if (is_small(S)) unlink_small_chunk(M, P, S)\
- else { tchunkptr TP = (tchunkptr)(P); unlink_large_chunk(M, TP); }
-
-
-/* Relays to internal calls to malloc/free from realloc, memalign etc */
-
-#if ONLY_MSPACES
-#define internal_malloc(m, b) mspace_malloc(m, b)
-#define internal_free(m, mem) mspace_free(m,mem);
-#else /* ONLY_MSPACES */
-#if MSPACES
-#define internal_malloc(m,
b)\
- (m == gm)? dlmalloc(b) : mspace_malloc(m, b)
-#define internal_free(m, mem)\
- if (m == gm) dlfree(mem); else mspace_free(m,mem);
-#else /* MSPACES */
-#define internal_malloc(m, b) dlmalloc(b)
-#define internal_free(m, mem) dlfree(mem)
-#endif /* MSPACES */
-#endif /* ONLY_MSPACES */
-
-/* ----------------------- Direct-mmapping chunks ----------------------- */
-
-/*
- Directly mmapped chunks are set up with an offset to the start of
- the mmapped region stored in the prev_foot field of the chunk. This
- allows reconstruction of the required argument to MUNMAP when freed,
- and also allows adjustment of the returned chunk to meet alignment
- requirements (especially in memalign). There is also enough space
- allocated to hold a fake next chunk of size SIZE_T_SIZE to maintain
- the PINUSE bit so frees can be checked.
-*/
-
-/* Malloc using mmap */
-static void* mmap_alloc(mstate m, size_t nb) {
- size_t mmsize = granularity_align(nb + SIX_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
- if (mmsize > nb) { /* Check for wrap around 0 */
- char* mm = (char*)(DIRECT_MMAP(mmsize));
- if (mm != CMFAIL) {
- size_t offset = align_offset(chunk2mem(mm));
- size_t psize = mmsize - offset - MMAP_FOOT_PAD;
- mchunkptr p = (mchunkptr)(mm + offset);
- p->prev_foot = offset | IS_MMAPPED_BIT;
- (p)->head = (psize|CINUSE_BIT);
- mark_inuse_foot(m, p, psize);
- chunk_plus_offset(p, psize)->head = FENCEPOST_HEAD;
- chunk_plus_offset(p, psize+SIZE_T_SIZE)->head = 0;
-
- if (mm < m->least_addr)
- m->least_addr = mm;
- if ((m->footprint += mmsize) > m->max_footprint)
- m->max_footprint = m->footprint;
- assert(is_aligned(chunk2mem(p)));
- check_mmapped_chunk(m, p);
- return chunk2mem(p);
- }
- }
- return 0;
-}
-
-/* Realloc using mmap */
-static mchunkptr mmap_resize(mstate m, mchunkptr oldp, size_t nb) {
- size_t oldsize = chunksize(oldp);
- if (is_small(nb)) /* Can't shrink mmap regions below small size */
- return 0;
- /* Keep old chunk if big enough but not too big */
- if (oldsize >= nb +
SIZE_T_SIZE &&
- (oldsize - nb) <= (mparams.granularity << 1))
- return oldp;
- else {
- size_t offset = oldp->prev_foot & ~IS_MMAPPED_BIT;
- size_t oldmmsize = oldsize + offset + MMAP_FOOT_PAD;
- size_t newmmsize = granularity_align(nb + SIX_SIZE_T_SIZES +
- CHUNK_ALIGN_MASK);
- char* cp = (char*)CALL_MREMAP((char*)oldp - offset,
- oldmmsize, newmmsize, 1);
- if (cp != CMFAIL) {
- mchunkptr newp = (mchunkptr)(cp + offset);
- size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
- newp->head = (psize|CINUSE_BIT);
- mark_inuse_foot(m, newp, psize);
- chunk_plus_offset(newp, psize)->head = FENCEPOST_HEAD;
- chunk_plus_offset(newp, psize+SIZE_T_SIZE)->head = 0;
-
- if (cp < m->least_addr)
- m->least_addr = cp;
- if ((m->footprint += newmmsize - oldmmsize) > m->max_footprint)
- m->max_footprint = m->footprint;
- check_mmapped_chunk(m, newp);
- return newp;
- }
- }
- return 0;
-}
-
-/* -------------------------- mspace management -------------------------- */
-
-/* Initialize top chunk and its size */
-static void init_top(mstate m, mchunkptr p, size_t psize) {
- /* Ensure alignment */
- size_t offset = align_offset(chunk2mem(p));
- p = (mchunkptr)((char*)p + offset);
- psize -= offset;
-
- m->top = p;
- m->topsize = psize;
- p->head = psize | PINUSE_BIT;
- /* set size of fake trailing chunk holding overhead space only once */
- chunk_plus_offset(p, psize)->head = TOP_FOOT_SIZE;
- m->trim_check = mparams.trim_threshold; /* reset on each update */
-}
-
-/* Initialize bins for a new mstate that is otherwise zeroed out */
-static void init_bins(mstate m) {
- /* Establish circular links for smallbins */
- bindex_t i;
- for (i = 0; i < NSMALLBINS; ++i) {
- sbinptr bin = smallbin_at(m,i);
- bin->fd = bin->bk = bin;
- }
-}
-
-#if PROCEED_ON_ERROR
-
-/* default corruption action */
-static void reset_on_error(mstate m) {
- int i;
- ++malloc_corruption_error_count;
- /* Reinitialize fields to forget about all memory */
- m->smallbins = m->treebins = 0;
- m->dvsize = m->topsize = 0;
- m->seg.base = 0;
- m->seg.size = 0;
- m->seg.next = 0;
- m->top = m->dv = 0;
- for (i = 0; i < NTREEBINS; ++i)
- *treebin_at(m, i) = 0;
- init_bins(m);
-}
-#endif /* PROCEED_ON_ERROR */
-
-/* Allocate chunk and prepend remainder with chunk in successor base. */
-static void* prepend_alloc(mstate m, char* newbase, char* oldbase,
- size_t nb) {
- mchunkptr p = align_as_chunk(newbase);
- mchunkptr oldfirst = align_as_chunk(oldbase);
- size_t psize = (char*)oldfirst - (char*)p;
- mchunkptr q = chunk_plus_offset(p, nb);
- size_t qsize = psize - nb;
- set_size_and_pinuse_of_inuse_chunk(m, p, nb);
-
- assert((char*)oldfirst > (char*)q);
- assert(pinuse(oldfirst));
- assert(qsize >= MIN_CHUNK_SIZE);
-
- /* consolidate remainder with first chunk of old base */
- if (oldfirst == m->top) {
- size_t tsize = m->topsize += qsize;
- m->top = q;
- q->head = tsize | PINUSE_BIT;
- check_top_chunk(m, q);
- }
- else if (oldfirst == m->dv) {
- size_t dsize = m->dvsize += qsize;
- m->dv = q;
- set_size_and_pinuse_of_free_chunk(q, dsize);
- }
- else {
- if (!cinuse(oldfirst)) {
- size_t nsize = chunksize(oldfirst);
- unlink_chunk(m, oldfirst, nsize);
- oldfirst = chunk_plus_offset(oldfirst, nsize);
- qsize += nsize;
- }
- set_free_with_pinuse(q, qsize, oldfirst);
- insert_chunk(m, q, qsize);
- check_free_chunk(m, q);
- }
-
- check_malloced_chunk(m, chunk2mem(p), nb);
- return chunk2mem(p);
-}
-
-
-/* Add a segment to hold a new noncontiguous region */
-static void add_segment(mstate m, char* tbase, size_t tsize, flag_t mmapped) {
- /* Determine locations and sizes of segment, fenceposts, old top */
- char* old_top = (char*)m->top;
- msegmentptr oldsp = segment_holding(m, old_top);
- char* old_end = oldsp->base + oldsp->size;
- size_t ssize = pad_request(sizeof(struct malloc_segment));
- char* rawsp = old_end - (ssize + FOUR_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
- size_t offset = align_offset(chunk2mem(rawsp));
- char* asp = rawsp + offset;
- char* csp = (asp < (old_top + MIN_CHUNK_SIZE))?
old_top : asp;
- mchunkptr sp = (mchunkptr)csp;
- msegmentptr ss = (msegmentptr)(chunk2mem(sp));
- mchunkptr tnext = chunk_plus_offset(sp, ssize);
- mchunkptr p = tnext;
- int nfences = 0;
-
- /* reset top to new space */
- init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
-
- /* Set up segment record */
- assert(is_aligned(ss));
- set_size_and_pinuse_of_inuse_chunk(m, sp, ssize);
- *ss = m->seg; /* Push current record */
- m->seg.base = tbase;
- m->seg.size = tsize;
- m->seg.sflags = mmapped;
- m->seg.next = ss;
-
- /* Insert trailing fenceposts */
- for (;;) {
- mchunkptr nextp = chunk_plus_offset(p, SIZE_T_SIZE);
- p->head = FENCEPOST_HEAD;
- ++nfences;
- if ((char*)(&(nextp->head)) < old_end)
- p = nextp;
- else
- break;
- }
- assert(nfences >= 2);
-
- /* Insert the rest of old top into a bin as an ordinary free chunk */
- if (csp != old_top) {
- mchunkptr q = (mchunkptr)old_top;
- size_t psize = csp - old_top;
- mchunkptr tn = chunk_plus_offset(q, psize);
- set_free_with_pinuse(q, psize, tn);
- insert_chunk(m, q, psize);
- }
-
- check_top_chunk(m, m->top);
-}
-
-/* -------------------------- System allocation -------------------------- */
-
-/* Get memory from system using MORECORE or MMAP */
-static void* sys_alloc(mstate m, size_t nb) {
- char* tbase = CMFAIL;
- size_t tsize = 0;
- flag_t mmap_flag = 0;
-
- init_mparams();
-
- /* Directly map large chunks */
- if (use_mmap(m) && nb >= mparams.mmap_threshold) {
- void* mem = mmap_alloc(m, nb);
- if (mem != 0)
- return mem;
- }
-
- /*
- Try getting memory in any of three ways (in most-preferred to
- least-preferred order):
- 1. A call to MORECORE that can normally contiguously extend memory.
- (disabled if not MORECORE_CONTIGUOUS or not HAVE_MORECORE or
- or main space is mmapped or a previous contiguous call failed)
- 2. A call to MMAP new space (disabled if not HAVE_MMAP).
- Note that under the default settings, if MORECORE is unable to
- fulfill a request, and HAVE_MMAP is true, then mmap is
- used as a noncontiguous system allocator. This is a useful backup
- strategy for systems with holes in address spaces -- in this case
- sbrk cannot contiguously expand the heap, but mmap may be able to
- find space.
- 3. A call to MORECORE that cannot usually contiguously extend memory.
- (disabled if not HAVE_MORECORE)
- */
-
- if (MORECORE_CONTIGUOUS && !use_noncontiguous(m)) {
- char* br = CMFAIL;
- msegmentptr ss = (m->top == 0)? 0 : segment_holding(m, (char*)m->top);
- size_t asize = 0;
- ACQUIRE_MORECORE_LOCK();
-
- if (ss == 0) { /* First time through or recovery */
- char* base = (char*)CALL_MORECORE(0);
- if (base != CMFAIL) {
- asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
- /* Adjust to end on a page boundary */
- if (!is_page_aligned(base))
- asize += (page_align((size_t)base) - (size_t)base);
- /* Can't call MORECORE if size is negative when treated as signed */
- if (asize < HALF_MAX_SIZE_T &&
- (br = (char*)(CALL_MORECORE(asize))) == base) {
- tbase = base;
- tsize = asize;
- }
- }
- }
- else {
- /* Subtract out existing available top space from MORECORE request.
*/
- asize = granularity_align(nb - m->topsize + TOP_FOOT_SIZE + SIZE_T_ONE);
- /* Use mem here only if it did continuously extend old space */
- if (asize < HALF_MAX_SIZE_T &&
- (br = (char*)(CALL_MORECORE(asize))) == ss->base+ss->size) {
- tbase = br;
- tsize = asize;
- }
- }
-
- if (tbase == CMFAIL) { /* Cope with partial failure */
- if (br != CMFAIL) { /* Try to use/extend the space we did get */
- if (asize < HALF_MAX_SIZE_T &&
- asize < nb + TOP_FOOT_SIZE + SIZE_T_ONE) {
- size_t esize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE - asize);
- if (esize < HALF_MAX_SIZE_T) {
- char* end = (char*)CALL_MORECORE(esize);
- if (end != CMFAIL)
- asize += esize;
- else { /* Can't use; try to release */
- CALL_MORECORE(-asize);
- br = CMFAIL;
- }
- }
- }
- }
- if (br != CMFAIL) { /* Use the space we did get */
- tbase = br;
- tsize = asize;
- }
- else
- disable_contiguous(m); /* Don't try contiguous path in the future */
- }
-
- RELEASE_MORECORE_LOCK();
- }
-
- if (HAVE_MMAP && tbase == CMFAIL) { /* Try MMAP */
- size_t req = nb + TOP_FOOT_SIZE + SIZE_T_ONE;
- size_t rsize = granularity_align(req);
- if (rsize > nb) { /* Fail if wraps around zero */
- char* mp = (char*)(CALL_MMAP(rsize));
- if (mp != CMFAIL) {
- tbase = mp;
- tsize = rsize;
- mmap_flag = IS_MMAPPED_BIT;
- }
- }
- }
-
- if (HAVE_MORECORE && tbase == CMFAIL) { /* Try noncontiguous MORECORE */
- size_t asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
- if (asize < HALF_MAX_SIZE_T) {
- char* br = CMFAIL;
- char* end = CMFAIL;
- ACQUIRE_MORECORE_LOCK();
- br = (char*)(CALL_MORECORE(asize));
- end = (char*)(CALL_MORECORE(0));
- RELEASE_MORECORE_LOCK();
- if (br != CMFAIL && end != CMFAIL && br < end) {
- size_t ssize = end - br;
- if (ssize > nb + TOP_FOOT_SIZE) {
- tbase = br;
- tsize = ssize;
- }
- }
- }
- }
-
- if (tbase != CMFAIL) {
-
- if ((m->footprint += tsize) > m->max_footprint)
- m->max_footprint = m->footprint;
-
- if (!is_initialized(m)) { /* first-time initialization */
-
m->seg.base = m->least_addr = tbase;
- m->seg.size = tsize;
- m->seg.sflags = mmap_flag;
- m->magic = mparams.magic;
- init_bins(m);
- if (is_global(m))
- init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
- else {
- /* Offset top by embedded malloc_state */
- mchunkptr mn = next_chunk(mem2chunk(m));
- init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) -TOP_FOOT_SIZE);
- }
- }
-
- else {
- /* Try to merge with an existing segment */
- msegmentptr sp = &m->seg;
- while (sp != 0 && tbase != sp->base + sp->size)
- sp = sp->next;
- if (sp != 0 &&
- !is_extern_segment(sp) &&
- (sp->sflags & IS_MMAPPED_BIT) == mmap_flag &&
- segment_holds(sp, m->top)) { /* append */
- sp->size += tsize;
- init_top(m, m->top, m->topsize + tsize);
- }
- else {
- if (tbase < m->least_addr)
- m->least_addr = tbase;
- sp = &m->seg;
- while (sp != 0 && sp->base != tbase + tsize)
- sp = sp->next;
- if (sp != 0 &&
- !is_extern_segment(sp) &&
- (sp->sflags & IS_MMAPPED_BIT) == mmap_flag) {
- char* oldbase = sp->base;
- sp->base = tbase;
- sp->size += tsize;
- return prepend_alloc(m, tbase, oldbase, nb);
- }
- else
- add_segment(m, tbase, tsize, mmap_flag);
- }
- }
-
- if (nb < m->topsize) { /* Allocate from new or extended top space */
- size_t rsize = m->topsize -= nb;
- mchunkptr p = m->top;
- mchunkptr r = m->top = chunk_plus_offset(p, nb);
- r->head = rsize | PINUSE_BIT;
- set_size_and_pinuse_of_inuse_chunk(m, p, nb);
- check_top_chunk(m, m->top);
- check_malloced_chunk(m, chunk2mem(p), nb);
- return chunk2mem(p);
- }
- }
-
- MALLOC_FAILURE_ACTION;
- return 0;
-}
-
-/* ----------------------- system deallocation -------------------------- */
-
-/* Unmap and unlink any mmapped segments that don't contain used chunks */
-static size_t release_unused_segments(mstate m) {
- size_t released = 0;
- msegmentptr pred = &m->seg;
- msegmentptr sp = pred->next;
- while (sp != 0) {
- char* base = sp->base;
- size_t size = sp->size;
- msegmentptr next = sp->next;
- if (is_mmapped_segment(sp) &&
!is_extern_segment(sp)) { - mchunkptr p = align_as_chunk(base); - size_t psize = chunksize(p); - /* Can unmap if first chunk holds entire segment and not pinned */ - if (!cinuse(p) && (char*)p + psize >= base + size - TOP_FOOT_SIZE) { - tchunkptr tp = (tchunkptr)p; - assert(segment_holds(sp, (char*)sp)); - if (p == m->dv) { - m->dv = 0; - m->dvsize = 0; - } - else { - unlink_large_chunk(m, tp); - } - if (CALL_MUNMAP(base, size) == 0) { - released += size; - m->footprint -= size; - /* unlink obsoleted record */ - sp = pred; - sp->next = next; - } - else { /* back out if cannot unmap */ - insert_large_chunk(m, tp, psize); - } - } - } - pred = sp; - sp = next; - } - return released; -} - -static int sys_trim(mstate m, size_t pad) { - size_t released = 0; - if (pad < MAX_REQUEST && is_initialized(m)) { - pad += TOP_FOOT_SIZE; /* ensure enough room for segment overhead */ - - if (m->topsize > pad) { - /* Shrink top space in granularity-size units, keeping at least one */ - size_t unit = mparams.granularity; - size_t extra = ((m->topsize - pad + (unit - SIZE_T_ONE)) / unit - - SIZE_T_ONE) * unit; - msegmentptr sp = segment_holding(m, (char*)m->top); - - if (!is_extern_segment(sp)) { - if (is_mmapped_segment(sp)) { - if (HAVE_MMAP && - sp->size >= extra && - !has_segment_link(m, sp)) { /* can't shrink if pinned */ - size_t newsize = sp->size - extra; - /* Prefer mremap, fall back to munmap */ - if ((CALL_MREMAP(sp->base, sp->size, newsize, 0) != MFAIL) || - (CALL_MUNMAP(sp->base + newsize, extra) == 0)) { - released = extra; - } - } - } - else if (HAVE_MORECORE) { - if (extra >= HALF_MAX_SIZE_T) /* Avoid wrapping negative */ - extra = (HALF_MAX_SIZE_T) + SIZE_T_ONE - unit; - ACQUIRE_MORECORE_LOCK(); - { - /* Make sure end of memory is where we last set it. 
*/
- char* old_br = (char*)(CALL_MORECORE(0));
- if (old_br == sp->base + sp->size) {
- char* rel_br = (char*)(CALL_MORECORE(-extra));
- char* new_br = (char*)(CALL_MORECORE(0));
- if (rel_br != CMFAIL && new_br < old_br)
- released = old_br - new_br;
- }
- }
- RELEASE_MORECORE_LOCK();
- }
- }
-
- if (released != 0) {
- sp->size -= released;
- m->footprint -= released;
- init_top(m, m->top, m->topsize - released);
- check_top_chunk(m, m->top);
- }
- }
-
- /* Unmap any unused mmapped segments */
- if (HAVE_MMAP)
- released += release_unused_segments(m);
-
- /* On failure, disable autotrim to avoid repeated failed future calls */
- if (released == 0)
- m->trim_check = MAX_SIZE_T;
- }
-
- return (released != 0)? 1 : 0;
-}
-
-/* ---------------------------- malloc support --------------------------- */
-
-/* allocate a large request from the best fitting chunk in a treebin */
-static void* tmalloc_large(mstate m, size_t nb) {
- tchunkptr v = 0;
- size_t rsize = -nb; /* Unsigned negation */
- tchunkptr t;
- bindex_t idx;
- compute_tree_index(nb, idx);
-
- if ((t = *treebin_at(m, idx)) != 0) {
- /* Traverse tree for this bin looking for node with size == nb */
- size_t sizebits = nb << leftshift_for_tree_index(idx);
- tchunkptr rst = 0; /* The deepest untaken right subtree */
- for (;;) {
- tchunkptr rt;
- size_t trem = chunksize(t) - nb;
- if (trem < rsize) {
- v = t;
- if ((rsize = trem) == 0)
- break;
- }
- rt = t->child[1];
- t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
- if (rt != 0 && rt != t)
- rst = rt;
- if (t == 0) {
- t = rst; /* set t to least subtree holding sizes > nb */
- break;
- }
- sizebits <<= 1;
- }
- }
-
- if (t == 0 && v == 0) { /* set t to root of next non-empty treebin */
- binmap_t leftbits = left_bits(idx2bit(idx)) & m->treemap;
- if (leftbits != 0) {
- bindex_t i;
- binmap_t leastbit = least_bit(leftbits);
- compute_bit2idx(leastbit, i);
- t = *treebin_at(m, i);
- }
- }
-
- while (t != 0) { /* find smallest of tree or subtree */
- size_t trem = chunksize(t) - nb;
- if (trem < rsize) {
- rsize = trem;
- v = t;
- }
- t = leftmost_child(t);
- }
-
- /* If dv is a better fit, return 0 so malloc will use it */
- if (v != 0 && rsize < (size_t)(m->dvsize - nb)) {
- if (RTCHECK(ok_address(m, v))) { /* split */
- mchunkptr r = chunk_plus_offset(v, nb);
- assert(chunksize(v) == rsize + nb);
- if (RTCHECK(ok_next(v, r))) {
- unlink_large_chunk(m, v);
- if (rsize < MIN_CHUNK_SIZE)
- set_inuse_and_pinuse(m, v, (rsize + nb));
- else {
- set_size_and_pinuse_of_inuse_chunk(m, v, nb);
- set_size_and_pinuse_of_free_chunk(r, rsize);
- insert_chunk(m, r, rsize);
- }
- return chunk2mem(v);
- }
- }
- CORRUPTION_ERROR_ACTION(m);
- }
- return 0;
-}
-
-/* allocate a small request from the best fitting chunk in a treebin */
-static void* tmalloc_small(mstate m, size_t nb) {
- tchunkptr t, v;
- size_t rsize;
- bindex_t i;
- binmap_t leastbit = least_bit(m->treemap);
- compute_bit2idx(leastbit, i);
-
- v = t = *treebin_at(m, i);
- rsize = chunksize(t) - nb;
-
- while ((t = leftmost_child(t)) != 0) {
- size_t trem = chunksize(t) - nb;
- if (trem < rsize) {
- rsize = trem;
- v = t;
- }
- }
-
- if (RTCHECK(ok_address(m, v))) {
- mchunkptr r = chunk_plus_offset(v, nb);
- assert(chunksize(v) == rsize + nb);
- if (RTCHECK(ok_next(v, r))) {
- unlink_large_chunk(m, v);
- if (rsize < MIN_CHUNK_SIZE)
- set_inuse_and_pinuse(m, v, (rsize + nb));
- else {
- set_size_and_pinuse_of_inuse_chunk(m, v, nb);
- set_size_and_pinuse_of_free_chunk(r, rsize);
- replace_dv(m, r, rsize);
- }
- return chunk2mem(v);
- }
- }
-
- CORRUPTION_ERROR_ACTION(m);
- return 0;
-}
-
-/* --------------------------- realloc support --------------------------- */
-
-static void* internal_realloc(mstate m, void* oldmem, size_t bytes) {
- if (bytes >= MAX_REQUEST) {
- MALLOC_FAILURE_ACTION;
- return 0;
- }
- if (!PREACTION(m)) {
- mchunkptr oldp = mem2chunk(oldmem);
- size_t oldsize = chunksize(oldp);
- mchunkptr next = chunk_plus_offset(oldp, oldsize);
-
mchunkptr newp = 0;
- void* extra = 0;
-
- /* Try to either shrink or extend into top. Else malloc-copy-free */
-
- if (RTCHECK(ok_address(m, oldp) && ok_cinuse(oldp) &&
- ok_next(oldp, next) && ok_pinuse(next))) {
- size_t nb = request2size(bytes);
- if (is_mmapped(oldp))
- newp = mmap_resize(m, oldp, nb);
- else if (oldsize >= nb) { /* already big enough */
- size_t rsize = oldsize - nb;
- newp = oldp;
- if (rsize >= MIN_CHUNK_SIZE) {
- mchunkptr remainder = chunk_plus_offset(newp, nb);
- set_inuse(m, newp, nb);
- set_inuse(m, remainder, rsize);
- extra = chunk2mem(remainder);
- }
- }
- else if (next == m->top && oldsize + m->topsize > nb) {
- /* Expand into top */
- size_t newsize = oldsize + m->topsize;
- size_t newtopsize = newsize - nb;
- mchunkptr newtop = chunk_plus_offset(oldp, nb);
- set_inuse(m, oldp, nb);
- newtop->head = newtopsize |PINUSE_BIT;
- m->top = newtop;
- m->topsize = newtopsize;
- newp = oldp;
- }
- }
- else {
- USAGE_ERROR_ACTION(m, oldmem);
- POSTACTION(m);
- return 0;
- }
-
- POSTACTION(m);
-
- if (newp != 0) {
- if (extra != 0) {
- internal_free(m, extra);
- }
- check_inuse_chunk(m, newp);
- return chunk2mem(newp);
- }
- else {
- void* newmem = internal_malloc(m, bytes);
- if (newmem != 0) {
- size_t oc = oldsize - overhead_for(oldp);
- memcpy(newmem, oldmem, (oc < bytes)?
oc : bytes); - internal_free(m, oldmem); - } - return newmem; - } - } - return 0; -} - -/* --------------------------- memalign support -------------------------- */ - -static void* internal_memalign(mstate m, size_t alignment, size_t bytes) { - if (alignment <= MALLOC_ALIGNMENT) /* Can just use malloc */ - return internal_malloc(m, bytes); - if (alignment < MIN_CHUNK_SIZE) /* must be at least a minimum chunk size */ - alignment = MIN_CHUNK_SIZE; - if ((alignment & (alignment-SIZE_T_ONE)) != 0) {/* Ensure a power of 2 */ - size_t a = MALLOC_ALIGNMENT << 1; - while (a < alignment) a <<= 1; - alignment = a; - } - - if (bytes >= MAX_REQUEST - alignment) { - if (m != 0) { /* Test isn't needed but avoids compiler warning */ - MALLOC_FAILURE_ACTION; - } - } - else { - size_t nb = request2size(bytes); - size_t req = nb + alignment + MIN_CHUNK_SIZE - CHUNK_OVERHEAD; - char* mem = (char*)internal_malloc(m, req); - if (mem != 0) { - void* leader = 0; - void* trailer = 0; - mchunkptr p = mem2chunk(mem); - - if (PREACTION(m)) return 0; - if ((((size_t)(mem)) % alignment) != 0) { /* misaligned */ - /* - Find an aligned spot inside chunk. Since we need to give - back leading space in a chunk of at least MIN_CHUNK_SIZE, if - the first calculation places us at a spot with less than - MIN_CHUNK_SIZE leader, we can move to the next aligned spot. - We've allocated enough total room so that this is always - possible. - */ - char* br = (char*)mem2chunk((size_t)(((size_t)(mem + - alignment - - SIZE_T_ONE)) & - -alignment)); - char* pos = ((size_t)(br - (char*)(p)) >= MIN_CHUNK_SIZE)? 
- br : br+alignment; - mchunkptr newp = (mchunkptr)pos; - size_t leadsize = pos - (char*)(p); - size_t newsize = chunksize(p) - leadsize; - - if (is_mmapped(p)) { /* For mmapped chunks, just adjust offset */ - newp->prev_foot = p->prev_foot + leadsize; - newp->head = (newsize|CINUSE_BIT); - } - else { /* Otherwise, give back leader, use the rest */ - set_inuse(m, newp, newsize); - set_inuse(m, p, leadsize); - leader = chunk2mem(p); - } - p = newp; - } - - /* Give back spare room at the end */ - if (!is_mmapped(p)) { - size_t size = chunksize(p); - if (size > nb + MIN_CHUNK_SIZE) { - size_t remainder_size = size - nb; - mchunkptr remainder = chunk_plus_offset(p, nb); - set_inuse(m, p, nb); - set_inuse(m, remainder, remainder_size); - trailer = chunk2mem(remainder); - } - } - - assert (chunksize(p) >= nb); - assert((((size_t)(chunk2mem(p))) % alignment) == 0); - check_inuse_chunk(m, p); - POSTACTION(m); - if (leader != 0) { - internal_free(m, leader); - } - if (trailer != 0) { - internal_free(m, trailer); - } - return chunk2mem(p); - } - } - return 0; -} - -/* ------------------------ comalloc/coalloc support --------------------- */ - -static void** ialloc(mstate m, - size_t n_elements, - size_t* sizes, - int opts, - void* chunks[]) { - /* - This provides common support for independent_X routines, handling - all of the combinations that can result. 
- - The opts arg has: - bit 0 set if all elements are same size (using sizes[0]) - bit 1 set if elements should be zeroed - */ - - size_t element_size; /* chunksize of each element, if all same */ - size_t contents_size; /* total size of elements */ - size_t array_size; /* request size of pointer array */ - void* mem; /* malloced aggregate space */ - mchunkptr p; /* corresponding chunk */ - size_t remainder_size; /* remaining bytes while splitting */ - void** marray; /* either "chunks" or malloced ptr array */ - mchunkptr array_chunk; /* chunk for malloced ptr array */ - flag_t was_enabled; /* to disable mmap */ - size_t size; - size_t i; - - /* compute array length, if needed */ - if (chunks != 0) { - if (n_elements == 0) - return chunks; /* nothing to do */ - marray = chunks; - array_size = 0; - } - else { - /* if empty req, must still return chunk representing empty array */ - if (n_elements == 0) - return (void**)internal_malloc(m, 0); - marray = 0; - array_size = request2size(n_elements * (sizeof(void*))); - } - - /* compute total element size */ - if (opts & 0x1) { /* all-same-size */ - element_size = request2size(*sizes); - contents_size = n_elements * element_size; - } - else { /* add up all the sizes */ - element_size = 0; - contents_size = 0; - for (i = 0; i != n_elements; ++i) - contents_size += request2size(sizes[i]); - } - - size = contents_size + array_size; - - /* - Allocate the aggregate chunk. First disable direct-mmapping so - malloc won't use it, since we would not be able to later - free/realloc space internal to a segregated mmap region. 
- */ - was_enabled = use_mmap(m); - disable_mmap(m); - mem = internal_malloc(m, size - CHUNK_OVERHEAD); - if (was_enabled) - enable_mmap(m); - if (mem == 0) - return 0; - - if (PREACTION(m)) return 0; - p = mem2chunk(mem); - remainder_size = chunksize(p); - - assert(!is_mmapped(p)); - - if (opts & 0x2) { /* optionally clear the elements */ - memset((size_t*)mem, 0, remainder_size - SIZE_T_SIZE - array_size); - } - - /* If not provided, allocate the pointer array as final part of chunk */ - if (marray == 0) { - size_t array_chunk_size; - array_chunk = chunk_plus_offset(p, contents_size); - array_chunk_size = remainder_size - contents_size; - marray = (void**) (chunk2mem(array_chunk)); - set_size_and_pinuse_of_inuse_chunk(m, array_chunk, array_chunk_size); - remainder_size = contents_size; - } - - /* split out elements */ - for (i = 0; ; ++i) { - marray[i] = chunk2mem(p); - if (i != n_elements-1) { - if (element_size != 0) - size = element_size; - else - size = request2size(sizes[i]); - remainder_size -= size; - set_size_and_pinuse_of_inuse_chunk(m, p, size); - p = chunk_plus_offset(p, size); - } - else { /* the final element absorbs any overallocation slop */ - set_size_and_pinuse_of_inuse_chunk(m, p, remainder_size); - break; - } - } - -#if DEBUG - if (marray != chunks) { - /* final element must have exactly exhausted chunk */ - if (element_size != 0) { - assert(remainder_size == element_size); - } - else { - assert(remainder_size == request2size(sizes[i])); - } - check_inuse_chunk(m, mem2chunk(marray)); - } - for (i = 0; i != n_elements; ++i) - check_inuse_chunk(m, mem2chunk(marray[i])); - -#endif /* DEBUG */ - - POSTACTION(m); - return marray; -} - - -/* -------------------------- public routines ---------------------------- */ - -#if !ONLY_MSPACES - -void* dlmalloc(size_t bytes) { - /* - Basic algorithm: - If a small request (< 256 bytes minus per-chunk overhead): - 1. If one exists, use a remainderless chunk in associated smallbin. 
- (Remainderless means that there are too few excess bytes to - represent as a chunk.) - 2. If it is big enough, use the dv chunk, which is normally the - chunk adjacent to the one used for the most recent small request. - 3. If one exists, split the smallest available chunk in a bin, - saving remainder in dv. - 4. If it is big enough, use the top chunk. - 5. If available, get memory from system and use it - Otherwise, for a large request: - 1. Find the smallest available binned chunk that fits, and use it - if it is better fitting than dv chunk, splitting if necessary. - 2. If better fitting than any binned chunk, use the dv chunk. - 3. If it is big enough, use the top chunk. - 4. If request size >= mmap threshold, try to directly mmap this chunk. - 5. If available, get memory from system and use it - - The ugly goto's here ensure that postaction occurs along all paths. - */ - - if (!PREACTION(gm)) { - void* mem; - size_t nb; - if (bytes <= MAX_SMALL_REQUEST) { - bindex_t idx; - binmap_t smallbits; - nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes); - idx = small_index(nb); - smallbits = gm->smallmap >> idx; - - if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. 
*/ - mchunkptr b, p; - idx += ~smallbits & 1; /* Uses next bin if idx empty */ - b = smallbin_at(gm, idx); - p = b->fd; - assert(chunksize(p) == small_index2size(idx)); - unlink_first_small_chunk(gm, b, p, idx); - set_inuse_and_pinuse(gm, p, small_index2size(idx)); - mem = chunk2mem(p); - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - - else if (nb > gm->dvsize) { - if (smallbits != 0) { /* Use chunk in next nonempty smallbin */ - mchunkptr b, p, r; - size_t rsize; - bindex_t i; - binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx)); - binmap_t leastbit = least_bit(leftbits); - compute_bit2idx(leastbit, i); - b = smallbin_at(gm, i); - p = b->fd; - assert(chunksize(p) == small_index2size(i)); - unlink_first_small_chunk(gm, b, p, i); - rsize = small_index2size(i) - nb; - /* Fit here cannot be remainderless if 4byte sizes */ - if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE) - set_inuse_and_pinuse(gm, p, small_index2size(i)); - else { - set_size_and_pinuse_of_inuse_chunk(gm, p, nb); - r = chunk_plus_offset(p, nb); - set_size_and_pinuse_of_free_chunk(r, rsize); - replace_dv(gm, r, rsize); - } - mem = chunk2mem(p); - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - - else if (gm->treemap != 0 && (mem = tmalloc_small(gm, nb)) != 0) { - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - } - } - else if (bytes >= MAX_REQUEST) - nb = MAX_SIZE_T; /* Too big to allocate. 
Force failure (in sys alloc) */ - else { - nb = pad_request(bytes); - if (gm->treemap != 0 && (mem = tmalloc_large(gm, nb)) != 0) { - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - } - - if (nb <= gm->dvsize) { - size_t rsize = gm->dvsize - nb; - mchunkptr p = gm->dv; - if (rsize >= MIN_CHUNK_SIZE) { /* split dv */ - mchunkptr r = gm->dv = chunk_plus_offset(p, nb); - gm->dvsize = rsize; - set_size_and_pinuse_of_free_chunk(r, rsize); - set_size_and_pinuse_of_inuse_chunk(gm, p, nb); - } - else { /* exhaust dv */ - size_t dvs = gm->dvsize; - gm->dvsize = 0; - gm->dv = 0; - set_inuse_and_pinuse(gm, p, dvs); - } - mem = chunk2mem(p); - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - - else if (nb < gm->topsize) { /* Split top */ - size_t rsize = gm->topsize -= nb; - mchunkptr p = gm->top; - mchunkptr r = gm->top = chunk_plus_offset(p, nb); - r->head = rsize | PINUSE_BIT; - set_size_and_pinuse_of_inuse_chunk(gm, p, nb); - mem = chunk2mem(p); - check_top_chunk(gm, gm->top); - check_malloced_chunk(gm, mem, nb); - goto postaction; - } - - mem = sys_alloc(gm, nb); - - postaction: - POSTACTION(gm); - return mem; - } - - return 0; -} - -void dlfree(void* mem) { - /* - Consolidate freed chunks with preceeding or succeeding bordering - free chunks, if they exist, and then place in a bin. Intermixed - with special cases for top, dv, mmapped chunks, and usage errors. 
- */ - - if (mem != 0) { - mchunkptr p = mem2chunk(mem); -#if FOOTERS - mstate fm = get_mstate_for(p); - if (!ok_magic(fm)) { - USAGE_ERROR_ACTION(fm, p); - return; - } -#else /* FOOTERS */ -#define fm gm -#endif /* FOOTERS */ - if (!PREACTION(fm)) { - check_inuse_chunk(fm, p); - if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) { - size_t psize = chunksize(p); - mchunkptr next = chunk_plus_offset(p, psize); - if (!pinuse(p)) { - size_t prevsize = p->prev_foot; - if ((prevsize & IS_MMAPPED_BIT) != 0) { - prevsize &= ~IS_MMAPPED_BIT; - psize += prevsize + MMAP_FOOT_PAD; - if (CALL_MUNMAP((char*)p - prevsize, psize) == 0) - fm->footprint -= psize; - goto postaction; - } - else { - mchunkptr prev = chunk_minus_offset(p, prevsize); - psize += prevsize; - p = prev; - if (RTCHECK(ok_address(fm, prev))) { /* consolidate backward */ - if (p != fm->dv) { - unlink_chunk(fm, p, prevsize); - } - else if ((next->head & INUSE_BITS) == INUSE_BITS) { - fm->dvsize = psize; - set_free_with_pinuse(p, psize, next); - goto postaction; - } - } - else - goto erroraction; - } - } - - if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) { - if (!cinuse(next)) { /* consolidate forward */ - if (next == fm->top) { - size_t tsize = fm->topsize += psize; - fm->top = p; - p->head = tsize | PINUSE_BIT; - if (p == fm->dv) { - fm->dv = 0; - fm->dvsize = 0; - } - if (should_trim(fm, tsize)) - sys_trim(fm, 0); - goto postaction; - } - else if (next == fm->dv) { - size_t dsize = fm->dvsize += psize; - fm->dv = p; - set_size_and_pinuse_of_free_chunk(p, dsize); - goto postaction; - } - else { - size_t nsize = chunksize(next); - psize += nsize; - unlink_chunk(fm, next, nsize); - set_size_and_pinuse_of_free_chunk(p, psize); - if (p == fm->dv) { - fm->dvsize = psize; - goto postaction; - } - } - } - else - set_free_with_pinuse(p, psize, next); - insert_chunk(fm, p, psize); - check_free_chunk(fm, p); - goto postaction; - } - } - erroraction: - USAGE_ERROR_ACTION(fm, p); - postaction: - POSTACTION(fm); - } - } 
-#if !FOOTERS -#undef fm -#endif /* FOOTERS */ -} - -void* dlcalloc(size_t n_elements, size_t elem_size) { - void* mem; - size_t req = 0; - if (n_elements != 0) { - req = n_elements * elem_size; - if (((n_elements | elem_size) & ~(size_t)0xffff) && - (req / n_elements != elem_size)) - req = MAX_SIZE_T; /* force downstream failure on overflow */ - } - mem = dlmalloc(req); - if (mem != 0 && calloc_must_clear(mem2chunk(mem))) - memset(mem, 0, req); - return mem; -} - -void* dlrealloc(void* oldmem, size_t bytes) { - if (oldmem == 0) - return dlmalloc(bytes); -#ifdef REALLOC_ZERO_BYTES_FREES - if (bytes == 0) { - dlfree(oldmem); - return 0; - } -#endif /* REALLOC_ZERO_BYTES_FREES */ - else { -#if ! FOOTERS - mstate m = gm; -#else /* FOOTERS */ - mstate m = get_mstate_for(mem2chunk(oldmem)); - if (!ok_magic(m)) { - USAGE_ERROR_ACTION(m, oldmem); - return 0; - } -#endif /* FOOTERS */ - return internal_realloc(m, oldmem, bytes); - } -} - -void* dlmemalign(size_t alignment, size_t bytes) { - return internal_memalign(gm, alignment, bytes); -} - -void** dlindependent_calloc(size_t n_elements, size_t elem_size, - void* chunks[]) { - size_t sz = elem_size; /* serves as 1-element array */ - return ialloc(gm, n_elements, &sz, 3, chunks); -} - -void** dlindependent_comalloc(size_t n_elements, size_t sizes[], - void* chunks[]) { - return ialloc(gm, n_elements, sizes, 0, chunks); -} - -void* dlvalloc(size_t bytes) { - size_t pagesz; - init_mparams(); - pagesz = mparams.page_size; - return dlmemalign(pagesz, bytes); -} - -void* dlpvalloc(size_t bytes) { - size_t pagesz; - init_mparams(); - pagesz = mparams.page_size; - return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE)); -} - -int dlmalloc_trim(size_t pad) { - int result = 0; - if (!PREACTION(gm)) { - result = sys_trim(gm, pad); - POSTACTION(gm); - } - return result; -} - -size_t dlmalloc_footprint(void) { - return gm->footprint; -} - -size_t dlmalloc_max_footprint(void) { - return gm->max_footprint; -} 
- -#if !NO_MALLINFO -struct mallinfo dlmallinfo(void) { - return internal_mallinfo(gm); -} -#endif /* NO_MALLINFO */ - -void dlmalloc_stats() { - internal_malloc_stats(gm); -} - -size_t dlmalloc_usable_size(void* mem) { - if (mem != 0) { - mchunkptr p = mem2chunk(mem); - if (cinuse(p)) - return chunksize(p) - overhead_for(p); - } - return 0; -} - -int dlmallopt(int param_number, int value) { - return change_mparam(param_number, value); -} - -#endif /* !ONLY_MSPACES */ - -/* ----------------------------- user mspaces ---------------------------- */ - -#if MSPACES - -static mstate init_user_mstate(char* tbase, size_t tsize) { - size_t msize = pad_request(sizeof(struct malloc_state)); - mchunkptr mn; - mchunkptr msp = align_as_chunk(tbase); - mstate m = (mstate)(chunk2mem(msp)); - memset(m, 0, msize); - INITIAL_LOCK(&m->mutex); - msp->head = (msize|PINUSE_BIT|CINUSE_BIT); - m->seg.base = m->least_addr = tbase; - m->seg.size = m->footprint = m->max_footprint = tsize; - m->magic = mparams.magic; - m->mflags = mparams.default_mflags; - disable_contiguous(m); - init_bins(m); - mn = next_chunk(mem2chunk(m)); - init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) - TOP_FOOT_SIZE); - check_top_chunk(m, m->top); - return m; -} - -mspace create_mspace(size_t capacity, int locked) { - mstate m = 0; - size_t msize = pad_request(sizeof(struct malloc_state)); - init_mparams(); /* Ensure pagesize etc initialized */ - - if (capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) { - size_t rs = ((capacity == 0)? 
mparams.granularity : - (capacity + TOP_FOOT_SIZE + msize)); - size_t tsize = granularity_align(rs); - char* tbase = (char*)(CALL_MMAP(tsize)); - if (tbase != CMFAIL) { - m = init_user_mstate(tbase, tsize); - m->seg.sflags = IS_MMAPPED_BIT; - set_lock(m, locked); - } - } - return (mspace)m; -} - -mspace create_mspace_with_base(void* base, size_t capacity, int locked) { - mstate m = 0; - size_t msize = pad_request(sizeof(struct malloc_state)); - init_mparams(); /* Ensure pagesize etc initialized */ - - if (capacity > msize + TOP_FOOT_SIZE && - capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) { - m = init_user_mstate((char*)base, capacity); - m->seg.sflags = EXTERN_BIT; - set_lock(m, locked); - } - return (mspace)m; -} - -size_t destroy_mspace(mspace msp) { - size_t freed = 0; - mstate ms = (mstate)msp; - if (ok_magic(ms)) { - msegmentptr sp = &ms->seg; - while (sp != 0) { - char* base = sp->base; - size_t size = sp->size; - flag_t flag = sp->sflags; - sp = sp->next; - if ((flag & IS_MMAPPED_BIT) && !(flag & EXTERN_BIT) && - CALL_MUNMAP(base, size) == 0) - freed += size; - } - } - else { - USAGE_ERROR_ACTION(ms,ms); - } - return freed; -} - -/* - mspace versions of routines are near-clones of the global - versions. This is not so nice but better than the alternatives. -*/ - - -void* mspace_malloc(mspace msp, size_t bytes) { - mstate ms = (mstate)msp; - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - if (!PREACTION(ms)) { - void* mem; - size_t nb; - if (bytes <= MAX_SMALL_REQUEST) { - bindex_t idx; - binmap_t smallbits; - nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes); - idx = small_index(nb); - smallbits = ms->smallmap >> idx; - - if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. 
*/ - mchunkptr b, p; - idx += ~smallbits & 1; /* Uses next bin if idx empty */ - b = smallbin_at(ms, idx); - p = b->fd; - assert(chunksize(p) == small_index2size(idx)); - unlink_first_small_chunk(ms, b, p, idx); - set_inuse_and_pinuse(ms, p, small_index2size(idx)); - mem = chunk2mem(p); - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - - else if (nb > ms->dvsize) { - if (smallbits != 0) { /* Use chunk in next nonempty smallbin */ - mchunkptr b, p, r; - size_t rsize; - bindex_t i; - binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx)); - binmap_t leastbit = least_bit(leftbits); - compute_bit2idx(leastbit, i); - b = smallbin_at(ms, i); - p = b->fd; - assert(chunksize(p) == small_index2size(i)); - unlink_first_small_chunk(ms, b, p, i); - rsize = small_index2size(i) - nb; - /* Fit here cannot be remainderless if 4byte sizes */ - if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE) - set_inuse_and_pinuse(ms, p, small_index2size(i)); - else { - set_size_and_pinuse_of_inuse_chunk(ms, p, nb); - r = chunk_plus_offset(p, nb); - set_size_and_pinuse_of_free_chunk(r, rsize); - replace_dv(ms, r, rsize); - } - mem = chunk2mem(p); - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - - else if (ms->treemap != 0 && (mem = tmalloc_small(ms, nb)) != 0) { - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - } - } - else if (bytes >= MAX_REQUEST) - nb = MAX_SIZE_T; /* Too big to allocate. 
Force failure (in sys alloc) */ - else { - nb = pad_request(bytes); - if (ms->treemap != 0 && (mem = tmalloc_large(ms, nb)) != 0) { - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - } - - if (nb <= ms->dvsize) { - size_t rsize = ms->dvsize - nb; - mchunkptr p = ms->dv; - if (rsize >= MIN_CHUNK_SIZE) { /* split dv */ - mchunkptr r = ms->dv = chunk_plus_offset(p, nb); - ms->dvsize = rsize; - set_size_and_pinuse_of_free_chunk(r, rsize); - set_size_and_pinuse_of_inuse_chunk(ms, p, nb); - } - else { /* exhaust dv */ - size_t dvs = ms->dvsize; - ms->dvsize = 0; - ms->dv = 0; - set_inuse_and_pinuse(ms, p, dvs); - } - mem = chunk2mem(p); - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - - else if (nb < ms->topsize) { /* Split top */ - size_t rsize = ms->topsize -= nb; - mchunkptr p = ms->top; - mchunkptr r = ms->top = chunk_plus_offset(p, nb); - r->head = rsize | PINUSE_BIT; - set_size_and_pinuse_of_inuse_chunk(ms, p, nb); - mem = chunk2mem(p); - check_top_chunk(ms, ms->top); - check_malloced_chunk(ms, mem, nb); - goto postaction; - } - - mem = sys_alloc(ms, nb); - - postaction: - POSTACTION(ms); - return mem; - } - - return 0; -} - -void mspace_free(mspace msp, void* mem) { - if (mem != 0) { - mchunkptr p = mem2chunk(mem); -#if FOOTERS - mstate fm = get_mstate_for(p); -#else /* FOOTERS */ - mstate fm = (mstate)msp; -#endif /* FOOTERS */ - if (!ok_magic(fm)) { - USAGE_ERROR_ACTION(fm, p); - return; - } - if (!PREACTION(fm)) { - check_inuse_chunk(fm, p); - if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) { - size_t psize = chunksize(p); - mchunkptr next = chunk_plus_offset(p, psize); - if (!pinuse(p)) { - size_t prevsize = p->prev_foot; - if ((prevsize & IS_MMAPPED_BIT) != 0) { - prevsize &= ~IS_MMAPPED_BIT; - psize += prevsize + MMAP_FOOT_PAD; - if (CALL_MUNMAP((char*)p - prevsize, psize) == 0) - fm->footprint -= psize; - goto postaction; - } - else { - mchunkptr prev = chunk_minus_offset(p, prevsize); - psize += prevsize; - p = prev; - if 
(RTCHECK(ok_address(fm, prev))) { /* consolidate backward */ - if (p != fm->dv) { - unlink_chunk(fm, p, prevsize); - } - else if ((next->head & INUSE_BITS) == INUSE_BITS) { - fm->dvsize = psize; - set_free_with_pinuse(p, psize, next); - goto postaction; - } - } - else - goto erroraction; - } - } - - if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) { - if (!cinuse(next)) { /* consolidate forward */ - if (next == fm->top) { - size_t tsize = fm->topsize += psize; - fm->top = p; - p->head = tsize | PINUSE_BIT; - if (p == fm->dv) { - fm->dv = 0; - fm->dvsize = 0; - } - if (should_trim(fm, tsize)) - sys_trim(fm, 0); - goto postaction; - } - else if (next == fm->dv) { - size_t dsize = fm->dvsize += psize; - fm->dv = p; - set_size_and_pinuse_of_free_chunk(p, dsize); - goto postaction; - } - else { - size_t nsize = chunksize(next); - psize += nsize; - unlink_chunk(fm, next, nsize); - set_size_and_pinuse_of_free_chunk(p, psize); - if (p == fm->dv) { - fm->dvsize = psize; - goto postaction; - } - } - } - else - set_free_with_pinuse(p, psize, next); - insert_chunk(fm, p, psize); - check_free_chunk(fm, p); - goto postaction; - } - } - erroraction: - USAGE_ERROR_ACTION(fm, p); - postaction: - POSTACTION(fm); - } - } -} - -void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size) { - void* mem; - size_t req = 0; - mstate ms = (mstate)msp; - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - if (n_elements != 0) { - req = n_elements * elem_size; - if (((n_elements | elem_size) & ~(size_t)0xffff) && - (req / n_elements != elem_size)) - req = MAX_SIZE_T; /* force downstream failure on overflow */ - } - mem = internal_malloc(ms, req); - if (mem != 0 && calloc_must_clear(mem2chunk(mem))) - memset(mem, 0, req); - return mem; -} - -void* mspace_realloc(mspace msp, void* oldmem, size_t bytes) { - if (oldmem == 0) - return mspace_malloc(msp, bytes); -#ifdef REALLOC_ZERO_BYTES_FREES - if (bytes == 0) { - mspace_free(msp, oldmem); - return 0; - } -#endif /* 
REALLOC_ZERO_BYTES_FREES */ - else { -#if FOOTERS - mchunkptr p = mem2chunk(oldmem); - mstate ms = get_mstate_for(p); -#else /* FOOTERS */ - mstate ms = (mstate)msp; -#endif /* FOOTERS */ - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - return internal_realloc(ms, oldmem, bytes); - } -} - -void* mspace_memalign(mspace msp, size_t alignment, size_t bytes) { - mstate ms = (mstate)msp; - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - return internal_memalign(ms, alignment, bytes); -} - -void** mspace_independent_calloc(mspace msp, size_t n_elements, - size_t elem_size, void* chunks[]) { - size_t sz = elem_size; /* serves as 1-element array */ - mstate ms = (mstate)msp; - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - return ialloc(ms, n_elements, &sz, 3, chunks); -} - -void** mspace_independent_comalloc(mspace msp, size_t n_elements, - size_t sizes[], void* chunks[]) { - mstate ms = (mstate)msp; - if (!ok_magic(ms)) { - USAGE_ERROR_ACTION(ms,ms); - return 0; - } - return ialloc(ms, n_elements, sizes, 0, chunks); -} - -int mspace_trim(mspace msp, size_t pad) { - int result = 0; - mstate ms = (mstate)msp; - if (ok_magic(ms)) { - if (!PREACTION(ms)) { - result = sys_trim(ms, pad); - POSTACTION(ms); - } - } - else { - USAGE_ERROR_ACTION(ms,ms); - } - return result; -} - -void mspace_malloc_stats(mspace msp) { - mstate ms = (mstate)msp; - if (ok_magic(ms)) { - internal_malloc_stats(ms); - } - else { - USAGE_ERROR_ACTION(ms,ms); - } -} - -size_t mspace_footprint(mspace msp) { - size_t result; - mstate ms = (mstate)msp; - if (ok_magic(ms)) { - result = ms->footprint; - } - USAGE_ERROR_ACTION(ms,ms); - return result; -} - - -size_t mspace_max_footprint(mspace msp) { - size_t result; - mstate ms = (mstate)msp; - if (ok_magic(ms)) { - result = ms->max_footprint; - } - USAGE_ERROR_ACTION(ms,ms); - return result; -} - - -#if !NO_MALLINFO -struct mallinfo mspace_mallinfo(mspace msp) { - mstate ms = (mstate)msp; - if 
(!ok_magic(ms)) {
- USAGE_ERROR_ACTION(ms,ms);
- }
- return internal_mallinfo(ms);
-}
-#endif /* NO_MALLINFO */
-
-int mspace_mallopt(int param_number, int value) {
- return change_mparam(param_number, value);
-}
-
-#endif /* MSPACES */
-
-/* -------------------- Alternative MORECORE functions ------------------- */
-
-/*
- Guidelines for creating a custom version of MORECORE:
-
- * For best performance, MORECORE should allocate in multiples of pagesize.
- * MORECORE may allocate more memory than requested. (Or even less,
- but this will usually result in a malloc failure.)
- * MORECORE must not allocate memory when given argument zero, but
- instead return one past the end address of memory from previous
- nonzero call.
- * For best performance, consecutive calls to MORECORE with positive
- arguments should return increasing addresses, indicating that
- space has been contiguously extended.
- * Even though consecutive calls to MORECORE need not return contiguous
- addresses, it must be OK for malloc'ed chunks to span multiple
- regions in those cases where they do happen to be contiguous.
- * MORECORE need not handle negative arguments -- it may instead
- just return MFAIL when given negative arguments.
- Negative arguments are always multiples of pagesize. MORECORE
- must not misinterpret negative args as large positive unsigned
- args. You can suppress all such calls from even occurring by defining
- MORECORE_CANNOT_TRIM,
-
- As an example alternative MORECORE, here is a custom allocator
- kindly contributed for pre-OSX macOS. It uses virtually but not
- necessarily physically contiguous non-paged memory (locked in,
- present and won't get swapped out). You can use it by uncommenting
- this section, adding some #includes, and setting up the appropriate
- defines above:
-
- #define MORECORE osMoreCore
-
- There is also a shutdown routine that should somehow be called for
- cleanup upon program exit.
-
- #define MAX_POOL_ENTRIES 100
- #define MINIMUM_MORECORE_SIZE (64 * 1024U)
- static int next_os_pool;
- void *our_os_pools[MAX_POOL_ENTRIES];
-
- void *osMoreCore(int size)
- {
- void *ptr = 0;
- static void *sbrk_top = 0;
-
- if (size > 0)
- {
- if (size < MINIMUM_MORECORE_SIZE)
- size = MINIMUM_MORECORE_SIZE;
- if (CurrentExecutionLevel() == kTaskLevel)
- ptr = PoolAllocateResident(size + RM_PAGE_SIZE, 0);
- if (ptr == 0)
- {
- return (void *) MFAIL;
- }
- // save ptrs so they can be freed during cleanup
- our_os_pools[next_os_pool] = ptr;
- next_os_pool++;
- ptr = (void *) ((((size_t) ptr) + RM_PAGE_MASK) & ~RM_PAGE_MASK);
- sbrk_top = (char *) ptr + size;
- return ptr;
- }
- else if (size < 0)
- {
- // we don't currently support shrink behavior
- return (void *) MFAIL;
- }
- else
- {
- return sbrk_top;
- }
- }
-
- // cleanup any allocated memory pools
- // called as last thing before shutting down driver
-
- void osCleanupMem(void)
- {
- void **ptr;
-
- for (ptr = our_os_pools; ptr < &our_os_pools[MAX_POOL_ENTRIES]; ptr++)
- if (*ptr)
- {
- PoolDeallocate(*ptr);
- *ptr = 0;
- }
- }
-
-*/
-
-
-/* -----------------------------------------------------------------------
-History:
- V2.8.3 Thu Sep 22 11:16:32 2005 Doug Lea (dl at gee)
- * Add max_footprint functions
- * Ensure all appropriate literals are size_t
- * Fix conditional compilation problem for some #define settings
- * Avoid concatenating segments with the one provided
- in create_mspace_with_base
- * Rename some variables to avoid compiler shadowing warnings
- * Use explicit lock initialization.
- * Better handling of sbrk interference.
- * Simplify and fix segment insertion, trimming and mspace_destroy
- * Reinstate REALLOC_ZERO_BYTES_FREES option from 2.7.x
- * Thanks especially to Dennis Flanagan for help on these.
-
- V2.8.2 Sun Jun 12 16:01:10 2005 Doug Lea (dl at gee)
- * Fix memalign brace error.
-
- V2.8.1 Wed Jun 8 16:11:46 2005 Doug Lea (dl at gee)
- * Fix improper #endif nesting in C++
- * Add explicit casts needed for C++
-
- V2.8.0 Mon May 30 14:09:02 2005 Doug Lea (dl at gee)
- * Use trees for large bins
- * Support mspaces
- * Use segments to unify sbrk-based and mmap-based system allocation,
- removing need for emulation on most platforms without sbrk.
- * Default safety checks
- * Optional footer checks. Thanks to William Robertson for the idea.
- * Internal code refactoring
- * Incorporate suggestions and platform-specific changes.
- Thanks to Dennis Flanagan, Colin Plumb, Niall Douglas,
- Aaron Bachmann, Emery Berger, and others.
- * Speed up non-fastbin processing enough to remove fastbins.
- * Remove useless cfree() to avoid conflicts with other apps.
- * Remove internal memcpy, memset. Compilers handle builtins better.
- * Remove some options that no one ever used and rename others.
-
- V2.7.2 Sat Aug 17 09:07:30 2002 Doug Lea (dl at gee)
- * Fix malloc_state bitmap array misdeclaration
-
- V2.7.1 Thu Jul 25 10:58:03 2002 Doug Lea (dl at gee)
- * Allow tuning of FIRST_SORTED_BIN_SIZE
- * Use PTR_UINT as type for all ptr->int casts. Thanks to John Belmonte.
- * Better detection and support for non-contiguousness of MORECORE.
- Thanks to Andreas Mueller, Conal Walsh, and Wolfram Gloger
- * Bypass most of malloc if no frees. Thanks To Emery Berger.
- * Fix freeing of old top non-contiguous chunk im sysmalloc.
- * Raised default trim and map thresholds to 256K.
- * Fix mmap-related #defines. Thanks to Lubos Lunak.
- * Fix copy macros; added LACKS_FCNTL_H. Thanks to Neal Walfield.
- * Branch-free bin calculation
- * Default trim and mmap thresholds now 256K.
-
- V2.7.0 Sun Mar 11 14:14:06 2001 Doug Lea (dl at gee)
- * Introduce independent_comalloc and independent_calloc.
- Thanks to Michael Pachos for motivation and help.
- * Make optional .h file available
- * Allow > 2GB requests on 32bit systems.
- * new WIN32 sbrk, mmap, munmap, lock code from .
- Thanks also to Andreas Mueller ,
- and Anonymous.
- * Allow override of MALLOC_ALIGNMENT (Thanks to Ruud Waij for
- helping test this.)
- * memalign: check alignment arg
- * realloc: don't try to shift chunks backwards, since this
- leads to more fragmentation in some programs and doesn't
- seem to help in any others.
- * Collect all cases in malloc requiring system memory into sysmalloc
- * Use mmap as backup to sbrk
- * Place all internal state in malloc_state
- * Introduce fastbins (although similar to 2.5.1)
- * Many minor tunings and cosmetic improvements
- * Introduce USE_PUBLIC_MALLOC_WRAPPERS, USE_MALLOC_LOCK
- * Introduce MALLOC_FAILURE_ACTION, MORECORE_CONTIGUOUS
- Thanks to Tony E. Bennett and others.
- * Include errno.h to support default failure action.
-
- V2.6.6 Sun Dec 5 07:42:19 1999 Doug Lea (dl at gee)
- * return null for negative arguments
- * Added Several WIN32 cleanups from Martin C. Fong
- * Add 'LACKS_SYS_PARAM_H' for those systems without 'sys/param.h'
- (e.g. WIN32 platforms)
- * Cleanup header file inclusion for WIN32 platforms
- * Cleanup code to avoid Microsoft Visual C++ compiler complaints
- * Add 'USE_DL_PREFIX' to quickly allow co-existence with existing
- memory allocation routines
- * Set 'malloc_getpagesize' for WIN32 platforms (needs more work)
- * Use 'assert' rather than 'ASSERT' in WIN32 code to conform to
- usage of 'assert' in non-WIN32 code
- * Improve WIN32 'sbrk()' emulation's 'findRegion()' routine to
- avoid infinite loop
- * Always call 'fREe()' rather than 'free()'
-
- V2.6.5 Wed Jun 17 15:57:31 1998 Doug Lea (dl at gee)
- * Fixed ordering problem with boundary-stamping
-
- V2.6.3 Sun May 19 08:17:58 1996 Doug Lea (dl at gee)
- * Added pvalloc, as recommended by H.J.
Liu
- * Added 64bit pointer support mainly from Wolfram Gloger
- * Added anonymously donated WIN32 sbrk emulation
- * Malloc, calloc, getpagesize: add optimizations from Raymond Nijssen
- * malloc_extend_top: fix mask error that caused wastage after
- foreign sbrks
- * Add linux mremap support code from HJ Liu
-
- V2.6.2 Tue Dec 5 06:52:55 1995 Doug Lea (dl at gee)
- * Integrated most documentation with the code.
- * Add support for mmap, with help from
- Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
- * Use last_remainder in more cases.
- * Pack bins using idea from colin@nyx10.cs.du.edu
- * Use ordered bins instead of best-fit threshhold
- * Eliminate block-local decls to simplify tracing and debugging.
- * Support another case of realloc via move into top
- * Fix error occuring when initial sbrk_base not word-aligned.
- * Rely on page size for units instead of SBRK_UNIT to
- avoid surprises about sbrk alignment conventions.
- * Add mallinfo, mallopt. Thanks to Raymond Nijssen
- (raymond@es.ele.tue.nl) for the suggestion.
- * Add `pad' argument to malloc_trim and top_pad mallopt parameter.
- * More precautions for cases where other routines call sbrk,
- courtesy of Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
- * Added macros etc., allowing use in linux libc from
- H.J. Lu (hjl@gnu.ai.mit.edu)
- * Inverted this history list
-
- V2.6.1 Sat Dec 2 14:10:57 1995 Doug Lea (dl at gee)
- * Re-tuned and fixed to behave more nicely with V2.6.0 changes.
- * Removed all preallocation code since under current scheme
- the work required to undo bad preallocations exceeds
- the work saved in good cases for most test programs.
- * No longer use return list or unconsolidated bins since
- no scheme using them consistently outperforms those that don't
- given above changes.
- * Use best fit for very large chunks to prevent some worst-cases.
- * Added some support for debugging
-
- V2.6.0 Sat Nov 4 07:05:23 1995 Doug Lea (dl at gee)
- * Removed footers when chunks are in use.
Thanks to - Paul Wilson (wilson@cs.texas.edu) for the suggestion. - - V2.5.4 Wed Nov 1 07:54:51 1995 Doug Lea (dl at gee) - * Added malloc_trim, with help from Wolfram Gloger - (wmglo@Dent.MED.Uni-Muenchen.DE). - - V2.5.3 Tue Apr 26 10:16:01 1994 Doug Lea (dl at g) - - V2.5.2 Tue Apr 5 16:20:40 1994 Doug Lea (dl at g) - * realloc: try to expand in both directions - * malloc: swap order of clean-bin strategy; - * realloc: only conditionally expand backwards - * Try not to scavenge used bins - * Use bin counts as a guide to preallocation - * Occasionally bin return list chunks in first scan - * Add a few optimizations from colin@nyx10.cs.du.edu - - V2.5.1 Sat Aug 14 15:40:43 1993 Doug Lea (dl at g) - * faster bin computation & slightly different binning - * merged all consolidations to one part of malloc proper - (eliminating old malloc_find_space & malloc_clean_bin) - * Scan 2 returns chunks (not just 1) - * Propagate failure in realloc if malloc returns 0 - * Add stuff to allow compilation on non-ANSI compilers - from kpv@research.att.com - - V2.5 Sat Aug 7 07:41:59 1993 Doug Lea (dl at g.oswego.edu) - * removed potential for odd address access in prev_chunk - * removed dependency on getpagesize.h - * misc cosmetics and a bit more internal documentation - * anticosmetics: mangled names in macros to evade debugger strangeness - * tested on sparc, hp-700, dec-mips, rs6000 - with gcc & native cc (hp, dec only) allowing - Detlefs & Zorn comparison study (in SIGPLAN Notices.) - - Trial version Fri Aug 28 13:14:29 1992 Doug Lea (dl at g.oswego.edu) - * Based loosely on libg++-1.2X malloc. (It retains some of the overall - structure of old version, but most details differ.) - -*/ diff --git a/src/md5.c b/src/md5.c index 941c0d37e5..888993b9c4 100644 --- a/src/md5.c +++ b/src/md5.c @@ -21,7 +21,6 @@ ghost@aladdin.com */ -/* $Id: md5.c 80 2004-07-14 20:15:50Z jason $ */ /* Independent implementation of MD5 (RFC 1321). 
diff --git a/src/md5.h b/src/md5.h index 8cff20d0af..2806b5b9b5 100644 --- a/src/md5.h +++ b/src/md5.h @@ -21,7 +21,6 @@ ghost@aladdin.com */ -/* $Id: md5.h 80 2004-07-14 20:15:50Z jason $ */ /* Independent implementation of MD5 (RFC 1321). diff --git a/src/nb_dns.c b/src/nb_dns.c index 225eb984cf..6f42004dd0 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -1,10 +1,6 @@ /* * See the file "COPYING" in the main distribution directory for copyright. */ -#ifndef lint -static const char rcsid[] = - "@(#) $Id: nb_dns.c 6219 2008-10-01 05:39:07Z vern $ (LBL)"; -#endif /* * nb_dns - non-blocking dns routines * diff --git a/src/nb_dns.h b/src/nb_dns.h index 5787a3fdb0..d458f61716 100644 --- a/src/nb_dns.h +++ b/src/nb_dns.h @@ -1,5 +1,4 @@ -/* @(#) $Id: nb_dns.h 6219 2008-10-01 05:39:07Z vern $ (LBL) - * +/* * See the file "COPYING" in the main distribution directory for copyright. */ diff --git a/src/ncp.pac b/src/ncp.pac index 8a3fcf1478..86b8bca5da 100644 --- a/src/ncp.pac +++ b/src/ncp.pac @@ -1,5 +1,3 @@ -# $Id: ncp.pac 4608 2007-07-05 18:23:58Z vern $ -# # Netware Core Protocol %include bro.pac diff --git a/src/net_util.cc b/src/net_util.cc index d7dc3f4add..f1cb760f64 100644 --- a/src/net_util.cc +++ b/src/net_util.cc @@ -1,5 +1,3 @@ -// $Id: net_util.cc 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/net_util.h b/src/net_util.h index 25b6b293fc..28abf4dbcb 100644 --- a/src/net_util.h +++ b/src/net_util.h @@ -1,5 +1,3 @@ -// $Id: net_util.h 6219 2008-10-01 05:39:07Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef netutil_h diff --git a/src/netflow-analyzer.pac b/src/netflow-analyzer.pac index 68de4d4a4e..e89a0181a2 100644 --- a/src/netflow-analyzer.pac +++ b/src/netflow-analyzer.pac @@ -1,4 +1,3 @@ -# $Id:$ # Code written by Bernhard Ager (2007). analyzer NetFlow withcontext { 
diff --git a/src/netflow-protocol.pac b/src/netflow-protocol.pac index 7d106aed34..6b97b7cee6 100644 --- a/src/netflow-protocol.pac +++ b/src/netflow-protocol.pac @@ -1,4 +1,3 @@ -# $Id:$ # Code written by Bernhard Ager (2007). type NetFlowPacket = record { diff --git a/src/netflow.pac b/src/netflow.pac index 8484d5fd11..91040aadeb 100644 --- a/src/netflow.pac +++ b/src/netflow.pac @@ -1,4 +1,3 @@ -# $Id:$ # Code written by Bernhard Ager (2007). %extern{ diff --git a/src/parse.y b/src/parse.y index 2410358f81..dcae74a80c 100644 --- a/src/parse.y +++ b/src/parse.y @@ -1,5 +1,4 @@ %{ -// $Id: parse.in 6688 2009-04-16 22:44:55Z vern $ // See the file "COPYING" in the main distribution directory for copyright. %} diff --git a/src/patricia.c b/src/patricia.c index 8e40cb5ef6..ef9c008f4b 100644 --- a/src/patricia.c +++ b/src/patricia.c @@ -1,5 +1,4 @@ /* - * $Id: patricia.c 80 2004-07-14 20:15:50Z jason $ * Dave Plonka * * This product includes software developed by the University of Michigan, diff --git a/src/patricia.h b/src/patricia.h index 0118679331..4bc2f9b81f 100644 --- a/src/patricia.h +++ b/src/patricia.h @@ -1,5 +1,4 @@ /* - * $Id: patricia.h 967 2005-01-03 07:19:06Z vern $ * Dave Plonka * * This product includes software developed by the University of Michigan, diff --git a/src/re-parse.y b/src/re-parse.y index 26c8ab6716..3847c06f29 100644 --- a/src/re-parse.y +++ b/src/re-parse.y @@ -1,8 +1,6 @@ // parse.y - parser for flex input %{ -// $Id: re-parse.y 5857 2008-06-26 23:00:03Z vern $ - #include #include "CCL.h" diff --git a/src/re-scan.l b/src/re-scan.l index fbd85899a4..0d737f08a6 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -5,8 +5,6 @@ */ %{ -// $Id: re-scan.l 6219 2008-10-01 05:39:07Z vern $ - #include "CCL.h" #include "NFA.h" #include "util.h" diff --git a/src/rule-parse.y b/src/rule-parse.y index 73c04a72ab..c8770c3e22 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y 
@@ -1,6 +1,4 @@ %{ -/* $Id: rule-parse.y 5988 2008-07-19 07:02:12Z vern $ */ - #include #include "RuleMatcher.h" #include "Reporter.h" diff --git a/src/rule-scan.l b/src/rule-scan.l index 0c444543b2..1ba9bed1de 100644 --- a/src/rule-scan.l +++ b/src/rule-scan.l @@ -1,5 +1,3 @@ -/* $Id: rule-scan.l 6914 2009-09-22 00:35:24Z vern $ */ - %{ typedef unsigned int uint32; diff --git a/src/scan.l b/src/scan.l index a6f6d14593..2b1d86929a 100644 --- a/src/scan.l +++ b/src/scan.l @@ -1,4 +1,3 @@ -/* $Id: scan.l 6510 2009-01-08 14:51:04Z vern $ */ %{ // See the file "COPYING" in the main distribution directory for copyright. diff --git a/src/setsignal.c b/src/setsignal.c index f5263bb06d..b49f0784e9 100644 --- a/src/setsignal.c +++ b/src/setsignal.c @@ -2,11 +2,6 @@ * See the file "COPYING" in the main distribution directory for copyright. */ -#ifndef lint -static const char rcsid[] = - "@(#) $Id: setsignal.c 6219 2008-10-01 05:39:07Z vern $ (LBL)"; -#endif - #include "config.h" /* must appear before first ifdef */ #include diff --git a/src/setsignal.h b/src/setsignal.h index 8bacdca8db..b768ed031f 100644 --- a/src/setsignal.h +++ b/src/setsignal.h @@ -1,7 +1,6 @@ /* * See the file "COPYING" in the main distribution directory for copyright. * - * @(#) $Id: setsignal.h 6219 2008-10-01 05:39:07Z vern $ (LBL) */ #ifndef setsignal_h #define setsignal_h diff --git a/src/smb-protocol.pac b/src/smb-protocol.pac index b00613f16c..585edfacd6 100644 --- a/src/smb-protocol.pac +++ b/src/smb-protocol.pac @@ -1,5 +1,3 @@ -# $Id$ -# # CIFS/SMB # TODO: diff --git a/src/smb.pac b/src/smb.pac index 4bd2c34bc5..740ad47991 100644 --- a/src/smb.pac +++ b/src/smb.pac @@ -1,5 +1,3 @@ -# $Id: smb.pac 3929 2007-01-14 00:37:59Z vern $ - %include binpac.pac %include bro.pac diff --git a/src/ssl-defs.pac b/src/ssl-defs.pac index 6a4a91bb36..31d90338f5 100644 --- a/src/ssl-defs.pac +++ b/src/ssl-defs.pac 
@@ -1,5 +1,3 @@ -# $Id:$ - # Some common definitions for the SSL and SSL record-layer analyzers. %extern{ diff --git a/src/ssl.pac b/src/ssl.pac index 82dd0246c4..25aed7a66f 100644 --- a/src/ssl.pac +++ b/src/ssl.pac @@ -1,5 +1,3 @@ -# $Id:$ - # binpac file for SSL analyzer # split in three parts: diff --git a/src/strings.bif b/src/strings.bif index d13de8accb..3945569f15 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -1,5 +1,3 @@ -# $Id: strings.bif 6920 2009-10-03 20:47:25Z vern $ -# # Definitions of Bro built-in functions related to strings. diff --git a/src/util.cc b/src/util.cc index 8305bf9f9f..054eb5b06c 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1,5 +1,3 @@ -// $Id: util.cc 6916 2009-09-24 20:48:36Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #include "config.h" diff --git a/src/util.h b/src/util.h index f74440bdb0..132aac4eac 100644 --- a/src/util.h +++ b/src/util.h @@ -1,5 +1,3 @@ -// $Id: util.h 6782 2009-06-28 02:19:03Z vern $ -// // See the file "COPYING" in the main distribution directory for copyright. #ifndef util_h diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index 59d0e4205e..4d8421ac86 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log 
@@ -1,5 +1,5 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1315248437.500464 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1316124231.969273 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 59d0e4205e..4d8421ac86 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log 
@@ -1,5 +1,5 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1315248437.500464 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1316124231.969273 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index c85a3cad22..f1b0fd02ab 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log +++ b/testing/btest/Baseline/istate.events/receiver.http.log 
@@ -1,5 +1,5 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1315248460.480614 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1316124240.720195 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index c85a3cad22..f1b0fd02ab 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -1,5 +1,5 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1315248460.480614 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1316124240.720195 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/language.set-opt-record-index/output b/testing/btest/Baseline/language.set-opt-record-index/output new file mode 100644 index 0000000000..fdc6f9d723 --- /dev/null +++ b/testing/btest/Baseline/language.set-opt-record-index/output @@ -0,0 +1,16 @@ +{ +[a=1, b=], +[a=4, b=5], +[a=3, b=] +} + +[a=1, b=] +[a=4, b=5] +[a=3, b=] + +T +F + +T +F +T diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log index e76a706ebe..4f7215e3c7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log 
@@ -1,5 +1,5 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) - 346 404 Not Found - - - - - text/html - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 F 346 F 404 Not Found - - - - - text/html - - diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log new file mode 100644 index 0000000000..d8d90cf1fa --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log 
@@ -0,0 +1,34 @@ +#separator \x09 +#path local +#fields ts id.orig_h +#types time addr +1300475168.652003 141.142.220.118 +1300475168.724007 141.142.220.118 +1300475168.859163 141.142.220.118 +1300475168.902635 141.142.220.118 +1300475168.892936 141.142.220.118 +1300475168.892913 141.142.220.118 +1300475168.855305 141.142.220.118 +1300475168.855330 141.142.220.118 +1300475168.895267 141.142.220.118 +1300475168.853899 141.142.220.118 +1300475168.893988 141.142.220.118 +1300475168.894787 141.142.220.118 +1300475173.117362 141.142.220.226 +1300475173.153679 141.142.220.238 +1300475168.857956 141.142.220.118 +1300475168.854378 141.142.220.118 +1300475168.854837 141.142.220.118 +1300475167.099816 141.142.220.50 +1300475168.891644 141.142.220.118 +1300475168.892037 141.142.220.118 +1300475171.677081 141.142.220.226 +1300475168.894422 141.142.220.118 +1300475167.096535 141.142.220.202 +1300475168.858713 141.142.220.118 +1300475168.902195 141.142.220.118 +1300475169.899438 141.142.220.44 +1300475168.892414 141.142.220.118 +1300475168.858306 141.142.220.118 +1300475168.901749 141.142.220.118 +1300475170.862384 141.142.220.226 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log new file mode 100644 index 0000000000..a17c2821f5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log @@ -0,0 +1,5 @@ +#separator \x09 +#path remote +#fields ts id.orig_h +#types time addr +1300475169.780331 173.192.163.128 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log index 6e38a9459f..d69b3e5b1a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log 
@@ -1,9 +1,9 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string string file -1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - FAKE_MIME - - -1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - FAKE_MIME - - -1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - FAKE_MIME - - -1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 2349 200 OK - - - - - image/png e0029eea80812e9a8e57b8d05d52938a - -1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 27579 200 OK - - - - - image/png 30aa926344f58019d047e85ba049ca1e - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p 
method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file +1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - FAKE_MIME - - +1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - FAKE_MIME - - +1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - FAKE_MIME - - +1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - image/png e0029eea80812e9a8e57b8d05d52938a - +1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - image/png 30aa926344f58019d047e85ba049ca1e - 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log index e746701cc4..4ef6d2ee1c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log 
@@ -1,9 +1,9 @@ #separator \x09 #path http -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file -#types time string addr port addr port string string string string string count count count string string table string string table string file -1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - - - -1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - - - -1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - - - -1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 2349 200 OK - - - - - - - -1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 27579 200 OK - - - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted 
status_code status_msg filename tags username password proxied md5 extraction_file +#types time string addr port addr port string string string string string count bool count bool count string string table string string table string file +1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - - - +1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - - - +1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - - - +1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - - - +1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - - - diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.bro new file mode 100644 index 0000000000..18ec963809 --- /dev/null +++ b/testing/btest/language/set-opt-record-index.bro 
@@ -0,0 +1,55 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Make sure a set can be indexed with a record that has optional fields
+
+type FOO: record {
+ a: count;
+ b: count &optional;
+};
+
+event bro_init()
+ {
+ local set_of_foo: set[FOO] = set();
+
+ local f: FOO;
+ f$a = 1;
+
+ add set_of_foo[f];
+ add set_of_foo[[$a=3]];
+
+ local f3: FOO; # = [$a=4, $b=5];
+ f3$a = 4;
+ f3$b = 5;
+
+ add set_of_foo[f3];
+
+ add set_of_foo[[$a=4, $b=5]];
+
+ print set_of_foo;
+
+ print "";
+
+ for ( i in set_of_foo )
+ print i;
+
+ print "";
+
+ local f2: FOO;
+ f2$a = 2;
+
+ print f in set_of_foo;
+ print f2 in set_of_foo;
+
+ print "";
+
+ f3$a = 4;
+ print f3 in set_of_foo;
+
+ f3$b = 4;
+ print f3 in set_of_foo;
+
+ f3$b = 5;
+ print f3 in set_of_foo;
+
+ }
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
new file mode 100644
index 0000000000..aff886c2f4
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff local.log
+# @TEST-EXEC: btest-diff remote.log
+#
+# The record value passed into the path_func should be allowed to contain a
+# subset of the fields in the stream's columns.
+
+@load base/utils/site
+@load base/protocols/conn
+@load base/frameworks/notice
+
+redef Site::local_nets = {141.142.0.0/16};
+
+function split_log(id: Log::ID, path: string, rec: record {id:conn_id;}): string
+{
+ return Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+}
+
+event bro_init()
+{
+ # Add a new filter to the Conn::LOG stream that logs only
+ # timestamp and originator address.
+ local filter: Log::Filter = [$name="dst-only", $path_func=split_log,
+ $include=set("ts", "id.orig_h")];
+ Log::add_filter(Conn::LOG, filter);
+}
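Review bot: The trailing `# = [$a=4, $b=5];` on `local f3: FOO;` reads as a leftover from an earlier draft of the test and should go, since f3 is populated field by field on the next two lines. Further down, `f3$a = 4;` before the first `f3 in set_of_foo` check reassigns the value f3 already holds, so the line is dead unless it is meant to document the starting state; if so, a comment such as `# f3 is [$a=4, $b=5] here; only $b is varied below` says that more clearly.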
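Review bot: The filter name `"dst-only"` does not match what the filter does: the `$include` set keeps `ts` and `id.orig_h`, the originator address, and split_log routes on `rec$id$orig_h`, which the comment above the filter itself calls the originator. A name such as `$name="orig-only"` would agree with both the comment and the columns kept. The header comment could also say what the two paths mean, e.g. `# Connections whose originator is in Site::local_nets go to local.log, all others to remote.log.`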
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro index 55cc4d532e..b89701c72d 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro @@ -26,15 +26,10 @@ function custom_rotate(info: Log::RotationInfo) : bool return T; } -redef Log::rotation_control += { - [Log::WRITER_ASCII, "test2"] = [$interv=30mins, $postprocessor=custom_rotate] -}; - event bro_init() { Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="2nd", $path="test2"]); - + Log::add_filter(Test::LOG, [$name="2nd", $path="test2", $interv=30mins, $postprocessor=custom_rotate]); } event new_connection(c: connection) diff --git a/testing/external/scripts/skel/test.skeleton b/testing/external/scripts/skel/test.skeleton index e0291d70df..becd970d78 100644 --- a/testing/external/scripts/skel/test.skeleton +++ b/testing/external/scripts/skel/test.skeleton @@ -1,2 +1,6 @@ -@TEST-EXEC: zcat $TRACES/test.trace.gz | bro -r - test-all-policy -@TEST-EXEC: $SCRIPTS/diff-all *.log +# @TEST-EXEC: zcat $TRACES/trace.gz | bro -r - %INPUT +# @TEST-EXEC: $SCRIPTS/diff-all *.log + +@load testing-setup +@load test-all-policy + diff --git a/testing/external/scripts/testing-setup.bro b/testing/external/scripts/testing-setup.bro new file mode 100644 index 0000000000..fa5664a877 --- /dev/null +++ b/testing/external/scripts/testing-setup.bro @@ -0,0 +1,6 @@ +# Sets some testing specific options. + +@ifdef ( SMTP::never_calc_md5 ) + # MDD5s can depend on libmagic output. + redef SMTP::never_calc_md5 = T; +@endif diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index 7bcb602bf5..dd9a57c879 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg 
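Review bot: The rewritten `Log::add_filter` call packs four filter fields onto one line far longer than anything else in this file; wrapping the record as `Log::add_filter(Test::LOG, [$name="2nd", $path="test2",` / `$interv=30mins, $postprocessor=custom_rotate]);` keeps it readable. A one-line comment above it, `# Rotation is configured per filter now, not via Log::rotation_control`, would record why the redef block was dropped. The custom_rotate function whose tail opens the hunk starts outside it.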
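Review bot: The comment inside the `@ifdef` block has a typo, `MDD5s`, and does not say why the option is forced; `# MD5s of SMTP entities can depend on libmagic output, so skip them to keep baselines stable across systems.` carries both. The file header could name its consumer, e.g. `# Sets some testing specific options; loaded by the external test skeleton.`, since the skeleton's `@load testing-setup` in this same commit appears to be its only user.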
@@ -6,12 +6,13 @@ IgnoreDirs = .svn CVS .tmp IgnoreFiles = *.tmp *.swp #* *.trace .gitignore *.skeleton [environment] -BROPATH=`bash -c %(testbase)s/../../../build/bro-path-dev` +BROPATH=`bash -c %(testbase)s/../../../build/bro-path-dev`:%(testbase)s/../scripts BRO_SEED_FILE=%(testbase)s/../random.seed TZ=UTC LC_ALL=C PATH=%(testbase)s/../../../build/src:%(testbase)s/../../../aux/btest:%(default_path)s TEST_DIFF_CANONIFIER=%(testbase)s/../../scripts/diff-canonifier-external +TEST_DIFF_BRIEF=1 TRACES=%(testbase)s/Traces SCRIPTS=%(testbase)s/../scripts DIST=%(testbase)s/../../..
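Review bot: `TEST_DIFF_BRIEF=1` is added without any note on what it changes, and nothing else in this file explains it; a full-line comment above it such as `# TEST_DIFF_BRIEF: report only the names of mismatching files, not their content` would help the next reader (keep it on its own line, since a trailing comment would become part of the value under configparser). The `:%(testbase)s/../scripts` appended to `BROPATH` is presumably what lets the new test skeleton `@load testing-setup`; a comment naming that dependency, e.g. `# ../scripts holds testing-setup.bro, loaded by the skeleton`, would keep the two files in step.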