Merge remote-tracking branch 'origin/master' into topic/johanna/tls12-decryption

scripts/policy/protocols/conn/known-hosts.zeek

@@ -1,5 +1,5 @@
 ##! This script logs hosts that Zeek determines have performed complete TCP
-##! handshakes and logs the address once per day (by default).  The log that 
+##! handshakes and logs the address once per day (by default).  The log that
 ##! is output provides an easy way to determine a count of the IP addresses in
 ##! use on a network per day.
 
@@ -29,11 +29,11 @@ export {
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_host_store = T &redef;
-	
+
 	## The hosts whose existence should be logged and tracked.
 	## See :zeek:type:`Host` for possible choices.
 	option host_tracking = LOCAL_HOSTS;
-	
+
 	## Holds the set of all known hosts.  Keys in the store are addresses
 	## and their associated value will always be the "true" boolean.
 	global host_store: Cluster::StoreInfo;
@@ -49,8 +49,8 @@ export {
 	## :zeek:see:`Known::host_store`.
 	option host_store_timeout = 15sec;
 
-	## The set of all known addresses to store for preventing duplicate 
-	## logging of addresses.  It can also be used from other scripts to 
+	## The set of all known addresses to store for preventing duplicate
+	## logging of addresses.  It can also be used from other scripts to
 	## inspect if an address has been seen in use.
 	## Maintain the list of known hosts for 24 hours so that the existence
 	## of each individual address is logged each day.

scripts/policy/protocols/conn/known-services.zeek

@@ -84,7 +84,7 @@ export {
 }
 
 redef record connection += {
-	# This field is to indicate whether or not the processing for detecting 
+	# This field is to indicate whether or not the processing for detecting
 	# and logging the service for this connection is complete.
 	known_services_done: bool &default=F;
 };
@@ -262,7 +262,7 @@ function known_services_done(c: connection)
 		}
 
 	if ( ! has_active_service(c) )
-		# If we're here during a protocol_confirmation, it's still premature
+		# If we're here during a analyzer_confirmation, it's still premature
 		# to declare there's an actual service, so wait for the connection
 		# removal to check again (to get more timely reporting we'd have
 		# schedule some recurring event to poll for handshake/activity).
@@ -293,7 +293,7 @@ function known_services_done(c: connection)
 		event service_info_commit(info);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-5
 	{
 	known_services_done(c);
 	}
@@ -314,4 +314,3 @@ event zeek_init() &priority=5
 	                                         $path="known_services",
 						 $policy=log_policy_services]);
 	}
-

scripts/policy/protocols/dns/detect-external-names.zeek

@@ -1,6 +1,6 @@
 ##! This script detects names which are not within zones considered to be
-##! local but resolving to addresses considered local.  
-##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for 
+##! local but resolving to addresses considered local.
+##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
 ##! this detection.
 
 @load base/frameworks/notice
@@ -9,7 +9,7 @@
 module DNS;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## Raised when a non-local name is found to be pointing at a
 		## local host.  The :zeek:id:`Site::local_zones` variable
 		## **must** be set appropriately for this detection.
@@ -21,7 +21,7 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 	{
 	if ( |Site::local_zones| == 0 )
 		return;
-	
+
 	# Check for responses from remote hosts that point at local hosts
 	# but the name is not considered to be within a "local" zone.
 	if ( Site::is_local_addr(a) &&            # referring to a local host
@@ -29,7 +29,7 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 		{
 		NOTICE([$note=External_Name,
 		        $msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
-		        $conn=c, 
+		        $conn=c,
 		        $identifier=cat(a,ans$query)]);
 		}
 	}

scripts/policy/protocols/ftp/detect.zeek

@@ -7,7 +7,7 @@ module FTP;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a successful response to a "SITE EXEC" 
+		## Indicates that a successful response to a "SITE EXEC"
 		## command/arg pair was seen.
 		Site_Exec_Success,
 	};
@@ -16,10 +16,10 @@ export {
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=3
 	{
 	local response_xyz = parse_ftp_reply_code(code);
-	
+
 	# If a successful SITE EXEC command is executed, raise a notice.
 	if ( response_xyz$x == 2 &&
-	     c$ftp$cmdarg$cmd == "SITE" && 
+	     c$ftp$cmdarg$cmd == "SITE" &&
 	     /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
 		{
 		NOTICE([$note=Site_Exec_Success, $conn=c,

scripts/policy/protocols/http/detect-webapps.zeek

@@ -26,7 +26,7 @@ export {
 event signature_match(state: signature_state, msg: string, data: string) &priority=5
 	{
 	if ( /^webapp-/ !in state$sig_id ) return;
-	
+
 	local c = state$conn;
 	local si: Software::Info;
 	si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];

scripts/policy/protocols/http/header-names.zeek

@@ -11,15 +11,15 @@ export {
 		## The vector of HTTP header names sent by the client.  No
 		## header values are included here, just the header names.
 		client_header_names:  vector of string &log &optional;
-		
+
 		## The vector of HTTP header names sent by the server.  No
 		## header values are included here, just the header names.
 		server_header_names:  vector of string &log &optional;
 	};
-	
+
 	## A boolean value to determine if client header names are to be logged.
 	option log_client_header_names = T;
-	
+
 	## A boolean value to determine if server header names are to be logged.
 	option log_server_header_names = F;
 }

scripts/policy/protocols/http/var-extraction-uri.zeek

@@ -1,4 +1,4 @@
-##! Extracts and logs variables from the requested URI in the default HTTP 
+##! Extracts and logs variables from the requested URI in the default HTTP
 ##! logging stream.
 
 @load base/protocols/http

scripts/policy/protocols/modbus/track-memmap.zeek

@@ -82,10 +82,10 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
 			if ( slave_regs[c$modbus$track_address]$value != registers[i] )
 				{
 				local delta = network_time() - slave_regs[c$modbus$track_address]$last_set;
-				event Modbus::changed_register(c, c$modbus$track_address, 
+				event Modbus::changed_register(c, c$modbus$track_address,
 				                               slave_regs[c$modbus$track_address]$value, registers[i],
 				                               delta);
-				
+
 				slave_regs[c$modbus$track_address]$last_set = network_time();
 				slave_regs[c$modbus$track_address]$value = registers[i];
 				}
@@ -102,7 +102,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
 
 event Modbus::changed_register(c: connection, register: count, old_val: count, new_val: count, delta: interval)
 	{
-	local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, 
+	local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id,
 	                         $register=register, $old_val=old_val, $new_val=new_val, $delta=delta];
 	Log::write(REGISTER_CHANGE_LOG, rec);
 	}

scripts/policy/protocols/smb/log-cmds.zeek

@@ -39,7 +39,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 
 	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
 		return;
-	
+
 	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
 		return;
 

scripts/policy/protocols/smtp/blocklists.zeek

@@ -6,7 +6,7 @@
 module SMTP;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## An SMTP server sent a reply mentioning an SMTP block list.
 		Blocklist_Error_Message,
 		## The originator's address is seen in the block list error message.
@@ -21,19 +21,19 @@ export {
 		  /spamhaus\.org\//
 		| /sophos\.com\/security\//
 		| /spamcop\.net\/bl/
-		| /cbl\.abuseat\.org\// 
-		| /sorbs\.net\// 
+		| /cbl\.abuseat\.org\//
+		| /sorbs\.net\//
 		| /bsn\.borderware\.com\//
 		| /mail-abuse\.com\//
 		| /b\.barracudacentral\.com\//
-		| /psbl\.surriel\.com\// 
-		| /antispam\.imp\.ch\// 
+		| /psbl\.surriel\.com\//
+		| /antispam\.imp\.ch\//
 		| /dyndns\.com\/.*spam/
 		| /rbl\.knology\.net\//
 		| /intercept\.datapacket\.net\//
 		| /uceprotect\.net\//
 		| /hostkarma\.junkemailfilter\.com\//;
-	
+
 }
 
 event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
@@ -55,8 +55,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 				note = Blocklist_Blocked_Host;
 				message = fmt("%s is on an SMTP block list", c$id$orig_h);
 				}
-			
-			NOTICE([$note=note, $conn=c, $msg=message, $sub=msg, 
+
+			NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
 			        $identifier=cat(c$id$orig_h)]);
 			}
 		}

scripts/policy/protocols/smtp/detect-suspicious-orig.zeek

@@ -24,7 +24,7 @@ event log_smtp(rec: Info)
 		{
 		ip = rec$x_originating_ip;
 		loc = lookup_location(ip);
-		
+
 		if ( (loc?$country_code &&
 			 loc$country_code in suspicious_origination_countries) ||
 			 ip in suspicious_origination_networks )

scripts/policy/protocols/smtp/software.zeek

@@ -1,10 +1,10 @@
 ##! This script feeds software detected through email into the software
-##! framework.  Mail clients and webmail interfaces are the only thing 
+##! framework.  Mail clients and webmail interfaces are the only thing
 ##! currently detected.
-##! 
+##!
 ##! TODO:
 ##!
-##! * Find some heuristic to determine if email was sent through 
+##! * Find some heuristic to determine if email was sent through
 ##!   a MS Exchange webmail interface as opposed to a desktop client.
 
 @load base/frameworks/software/main
@@ -18,13 +18,13 @@ export {
 		MAIL_SERVER,
 		WEBMAIL_SERVER
 	};
-	
+
 	redef record Info += {
 		## Boolean indicator of if the message was sent through a
 		## webmail interface.
 		is_webmail: bool &log &default=F;
 	};
-	
+
 	## Assuming that local mail servers are more trustworthy with the
 	## headers they insert into message envelopes, this default makes Zeek
 	## not attempt to detect software in inbound message bodies.  If mail
@@ -34,15 +34,15 @@ export {
 	## incoming messages (network traffic originating from a non-local
 	## address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
 	option detect_clients_in_messages_from = LOCAL_HOSTS;
-	
-	## A regular expression to match USER-AGENT-like headers to find if a 
+
+	## A regular expression to match USER-AGENT-like headers to find if a
 	## message was sent with a webmail interface.
 	option webmail_user_agents =
-	                     /^iPlanet Messenger/ 
+	                     /^iPlanet Messenger/
 	                   | /^Sun Java\(tm\) System Messenger Express/
 	                   | /\(IMP\)/  # Horde Internet Messaging Program
 	                   | /^SquirrelMail/
-	                   | /^NeoMail/ 
+	                   | /^NeoMail/
 	                   | /ZimbraWebClient/;
 }
 
@@ -66,12 +66,12 @@ event log_smtp(rec: Info)
 			{
 			s_type = WEBMAIL_SERVER;
 			# If the earliest received header indicates that the connection
-			# was via HTTP, then that likely means the actual mail software 
+			# was via HTTP, then that likely means the actual mail software
 			# is installed on the second address in the path.
 			if ( rec?$first_received && /via HTTP/ in rec$first_received )
 				client_ip = rec$path[|rec$path|-2];
 			}
-		
+
 		if ( addr_matches_host(rec$id$orig_h,
 		                       detect_clients_in_messages_from) )
 			{
@@ -79,4 +79,3 @@ event log_smtp(rec: Info)
 			}
 		}
 	}
-

scripts/policy/protocols/ssh/interesting-hostnames.zeek

@@ -1,7 +1,7 @@
-##! This script will generate a notice if an apparent SSH login originates 
-##! or heads to a host with a reverse hostname that looks suspicious.  By 
-##! default, the regular expression to match "interesting" hostnames includes 
-##! names that are typically used for infrastructure hosts like nameservers, 
+##! This script will generate a notice if an apparent SSH login originates
+##! or heads to a host with a reverse hostname that looks suspicious.  By
+##! default, the regular expression to match "interesting" hostnames includes
+##! names that are typically used for infrastructure hosts like nameservers,
 ##! mail servers, web servers and ftp servers.
 
 @load base/frameworks/notice
@@ -15,7 +15,7 @@ export {
 		## :zeek:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};
-	
+
 	## Strange/bad host names to see successful SSH logins from or to.
 	option interesting_hostnames =
 			/^d?ns[0-9]*\./ |
@@ -49,4 +49,3 @@ event ssh_auth_successful(c: connection, auth_method_none: bool)
 		check_ssh_hostname(c$id, c$uid, host);
 		}
 	}
-

scripts/policy/protocols/ssh/software.zeek

@@ -1,4 +1,4 @@
-##! Extracts SSH client and server information from SSH 
+##! Extracts SSH client and server information from SSH
 ##! connections and forwards it to the software framework.
 
 @load base/frameworks/software

scripts/policy/protocols/ssl/expiring-certs.zeek

@@ -1,4 +1,4 @@
-##! Generate notices when X.509 certificates over SSL/TLS are expired or 
+##! Generate notices when X.509 certificates over SSL/TLS are expired or
 ##! going to expire soon based on the date and time values stored within the
 ##! certificate.
 

scripts/policy/protocols/ssl/known-certs.zeek

@@ -12,13 +12,13 @@ export {
 	redef enum Log::ID += { CERTS_LOG };
 
 	global log_policy_certs: Log::PolicyHook;
-	
+
 	type CertsInfo: record {
 		## The timestamp when the certificate was detected.
 		ts:             time   &log;
 		## The address that offered the certificate.
 		host:           addr   &log;
-		## If the certificate was handed out by a server, this is the 
+		## If the certificate was handed out by a server, this is the
 		## port that the server was listening on.
 		port_num:       port   &log &optional;
 		## Certificate subject.
@@ -28,7 +28,7 @@ export {
 		## Serial number for the certificate.
 		serial:         string &log &optional;
 	};
-	
+
 	## The certificates whose existence should be logged and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	option cert_tracking = LOCAL_HOSTS;
@@ -38,7 +38,7 @@ export {
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_cert_store = T &redef;
-	
+
 	type AddrCertHashPair: record {
 		host: addr;
 		hash: string;
@@ -60,15 +60,15 @@ export {
 	## :zeek:see:`Known::cert_store`.
 	option cert_store_timeout = 15sec;
 
-	## The set of all known certificates to store for preventing duplicate 
-	## logging. It can also be used from other scripts to 
-	## inspect if a certificate has been seen in use. The string value 
+	## The set of all known certificates to store for preventing duplicate
+	## logging. It can also be used from other scripts to
+	## inspect if a certificate has been seen in use. The string value
 	## in the set is for storing the DER formatted certificate' SHA1 hash.
 	##
 	## In cluster operation, this set is uniformly distributed across
 	## proxy nodes.
 	global certs: set[addr, string] &create_expire=1day &redef;
-	
+
 	## Event that can be handled to access the loggable record as it is sent
 	## on to the logging framework.
 	global log_known_certs: event(rec: CertsInfo);