diff --git a/CHANGES b/CHANGES index aa795ed8e4..2732e9e29a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,76 @@ +1.6-dev-1184 | 2011-09-04 09:34:50 -0700 + + * FindPCAP now links against thread library when necessary (e.g. + PF_RING's libpcap). (Jon Siwek) + + * Install binaries with an RPATH. (Jon Siwek) + + * Fix for a case where nested records weren't coerced even though + possible. (Jon Siwek) + + * Changed ASCII writer to delay creation of log after rotation until + next write. + + * Changed default snaplen to 65535 and added a -l/--snaplen command + line option to set it explicitly. Addresses #447. (Jon Siwek) + + * Various updates to logging framework. (Seth Hall) + + * Changed presentation of enum labels to include namespace. (Jon + Siwek) + + * HTTP analyzer is now enabled with any of the HTTP events. (Seth + Hall) + + * Fixed missing format string that caused some segfaults. (Gregor + Maier) + + * ASCII writer nows prints time interval with 6 decimal places. + (Gregor Maier) + + * Added a Reporter::fatal BIF. (Jon Siwek) + + * Fixes for GeoIP support. Addresses #538. (Jon Siwek) + + * Fixed excessive memory usage of SSL analyzer on connections with + gaps. (Gregor Maier) + + * Added a log postprocessing function that can SCP rotated logs to + remote hosts. (Jon Siwek) + + * Added a BiF for getting the current Bro version string. (Jon + Siwek) + + * Misc. doc/script/test cleanup. (Jon Siwek) + + * Fixed bare-mode @load dependency problems. (Jon Siwek) + + * Fixed check_for_unused_event_handlers option. (Jon Siwek) + + * Fixing some more bare-mode @load dependency issues (Jon Siwek) + + * Reorganizing btest/policy directory to match new scripts/ + organization. Addresses #545 (Jon Siwek) + + * bro scripts generated from bifs now install to + $prefix/share/bro/base. Addresses #545 (Jon Siwek) + + * Changeed/fixed some cluster script error reporting. (Jon Siwek) + + * Various script normalization. (Jon Siwek) + + * Add a test that checks each individual script can be loaded in + bare-mode. Adressess #545. (Jon Siwek) + + * Tune when c$conn is set. 
Addresses #554. (Gregor Maier) + + * Add ConnSize_Analyzer's fields to conn.log. (Gregor Maier) + + * Fixing bug in "interesting hostnames" detection. (Seth Hall) + + * Adding metrics framework intermediate updates. (Seth Hall) + 1.6-dev-1120 | 2011-08-19 19:00:15 -0700 * Fix for the CompHash fix. (Robin Sommer) diff --git a/CMakeLists.txt b/CMakeLists.txt index 4a4d48c6eb..9a18752881 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -31,6 +31,14 @@ if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake) endif () +# Keep RPATH upon installing so that user doesn't have to ensure the linker +# can find internal/private libraries or libraries external to the build +# directory that were explicitly linked against +if (NOT BINARY_PACKAGING_MODE) + SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE) + SET(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib") +endif () + ######################################################################## ## Project/Build Configuration diff --git a/Makefile b/Makefile index 863440661e..cf230198f5 100644 --- a/Makefile +++ b/Makefile @@ -5,12 +5,7 @@ # to offer. For more, execute that one directly. # -SOURCE=$(PWD) -BUILD=$(SOURCE)/build -TMP=/tmp/bro-dist.$(UID) -BRO_V=`cat $(SOURCE)/VERSION` -BROCCOLI_V=`cat $(SOURCE)/aux/broccoli/VERSION` -BROCTL_V=`cat $(SOURCE)/aux/broctl/VERSION` +BUILD=build all: configured ( cd $(BUILD) && make ) 
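Review bot: `SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)` embeds every directory the build linked against into the installed binaries' RPATH, so the installed `bro` will search those build-time locations at load time; if one of them is a user-writable tree (a PF_RING checkout under a home directory is the motivating case named in the CHANGES entry), whoever can write there can drop in a library that a root-run capture process loads. The `${CMAKE_INSTALL_PREFIX}/lib` entry is harmless; the link-path entry is what widens the search. Either gate the link-path behaviour behind its own option or state the consequence above the `if (NOT BINARY_PACKAGING_MODE)` line, e.g. `# NOTE: USE_LINK_PATH bakes build-time library directories (e.g. a PF_RING tree) into the installed binaries; those directories must not be writable by untrusted users.` Lowercase `set(...)` would also match the rest of this file's command style.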
@@ -29,20 +24,7 @@ docclean: configured ( cd $(BUILD) && make docclean && make restclean ) dist: - @( mkdir -p $(BUILD) && rm -rf $(TMP) && mkdir $(TMP) ) - @cp -R $(SOURCE) $(TMP)/Bro-$(BRO_V) - @( cd $(TMP) && find . -name .git\* | xargs rm -rf ) - @( cd $(TMP) && find . -name \*.swp | xargs rm -rf ) - @( cd $(TMP) && find . -type d -name build | xargs rm -rf ) - @( cd $(TMP) && tar -czf $(BUILD)/Bro-all-$(BRO_V).tar.gz Bro-$(BRO_V) ) - @( cd $(TMP)/Bro-$(BRO_V)/aux && mv broccoli Broccoli-$(BROCCOLI_V) && \ - tar -czf $(BUILD)/Broccoli-$(BROCCOLI_V).tar.gz Broccoli-$(BROCCOLI_V) ) - @( cd $(TMP)/Bro-$(BRO_V)/aux && mv broctl Broctl-$(BROCTL_V) && \ - tar -czf $(BUILD)/Broctl-$(BROCTL_V).tar.gz Broctl-$(BROCTL_V) ) - @( cd $(TMP)/Bro-$(BRO_V)/aux && rm -rf Broctl* Broccoli* ) - @( cd $(TMP) && tar -czf $(BUILD)/Bro-$(BRO_V).tar.gz Bro-$(BRO_V) ) - @rm -rf $(TMP) - @echo "Distribution source tarballs have been compiled in $(BUILD)" + @./pkg/make-src-packages bindist: @( cd pkg && ( ./make-deb-packages || ./make-mac-packages || \ diff --git a/VERSION b/VERSION index 89d00dee1a..3128920913 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6-dev-1120 +1.6-dev-1184 diff --git a/aux/binpac b/aux/binpac index a3a9410ded..032b4e0f02 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a3a9410dedc842f6bb9859642f334ed354633b57 +Subproject commit 032b4e0f028a08257be0c703b27a7559e57bd40a diff --git a/aux/bro-aux b/aux/bro-aux index d68b98bb99..04d149a194 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit d68b98bb995a105b257f805ec4ff22c4929c7476 +Subproject commit 04d149a194e06ed5410ea3af924ff48b9129cd3b diff --git a/aux/broccoli b/aux/broccoli index 743f10dda8..89c20c7f06 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 743f10dda8cd5655ea3dc6eb705ff5414ed4f535 +Subproject commit 89c20c7f063afe5f39aa72bfec02d6996b291c13 diff --git a/aux/broctl b/aux/broctl index cf4ce9dfc5..2b9053d40d 160000 --- a/aux/broctl 
+++ b/aux/broctl @@ -1 +1 @@ -Subproject commit cf4ce9dfc5d6dc4e6d311955eeaec2d679e8669b +Subproject commit 2b9053d40d7ef497c8cef6357b59f43129976d65 diff --git a/cmake/FindLibGeoIP.cmake b/cmake/FindLibGeoIP.cmake index 618dba6463..529886d866 100644 --- a/cmake/FindLibGeoIP.cmake +++ b/cmake/FindLibGeoIP.cmake @@ -13,9 +13,11 @@ # # Variables defined by this module: # -# LIBGEOIP_FOUND System has GeoIP libraries and headers -# LibGeoIP_LIBRARY The GeoIP library -# LibGeoIP_INCLUDE_DIR The location of GeoIP headers +# LIBGEOIP_FOUND System has GeoIP libraries and headers +# LibGeoIP_LIBRARY The GeoIP library +# LibGeoIP_INCLUDE_DIR The location of GeoIP headers +# HAVE_GEOIP_COUNTRY_EDITION_V6 Whether the API support IPv6 country edition +# HAVE_GEOIP_CITY_EDITION_REV0_V6 Whether the API supports IPv6 city edition find_path(LibGeoIP_ROOT_DIR NAMES include/GeoIPCity.h @@ -45,6 +47,20 @@ find_package_handle_standard_args(LibGeoIP DEFAULT_MSG LibGeoIP_INCLUDE_DIR ) +if (LIBGEOIP_FOUND) + include(CheckCXXSourceCompiles) + set(CMAKE_REQUIRED_INCLUDES ${LibGeoIP_INCLUDE_DIR}) + check_cxx_source_compiles(" + #include + int main() { GEOIP_COUNTRY_EDITION_V6; return 0; } + " HAVE_GEOIP_COUNTRY_EDITION_V6) + check_cxx_source_compiles(" + #include + int main() { GEOIP_CITY_EDITION_REV0_V6; return 0; } + " HAVE_GEOIP_CITY_EDITION_REV0_V6) + set(CMAKE_REQUIRED_INCLUDES) +endif () + mark_as_advanced( LibGeoIP_ROOT_DIR LibGeoIP_LIBRARY diff --git a/cmake/FindPCAP.cmake b/cmake/FindPCAP.cmake index 61ce602821..6a0bf3468a 100644 --- a/cmake/FindPCAP.cmake +++ b/cmake/FindPCAP.cmake @@ -1,4 +1,4 @@ -# - Try to find libpcap include dirs and libraries +# - Try to find libpcap include dirs and libraries # # Usage of this module as follows: # 
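Review bot: Both `check_cxx_source_compiles` probes appear here with a bare `#include` and no header name, so as shown the test programs cannot compile and `HAVE_GEOIP_COUNTRY_EDITION_V6` / `HAVE_GEOIP_CITY_EDITION_REV0_V6` would always come out false; this is most likely `<GeoIPCity.h>` lost to rendering of the angle brackets, but it is worth confirming the committed file carries the header. Separately, the closing `set(CMAKE_REQUIRED_INCLUDES)` unsets the variable instead of restoring whatever a caller had in it before `find_package(LibGeoIP)`; saving it first with `set(_save_req_inc ${CMAKE_REQUIRED_INCLUDES})` and restoring with `set(CMAKE_REQUIRED_INCLUDES ${_save_req_inc})` avoids clobbering other modules' probes. These results are cached by CMake, so moving GeoIP after the first configure will presumably not re-run the checks without clearing the cache, which a comment above the `if (LIBGEOIP_FOUND)` could mention.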
@@ -14,8 +14,9 @@ # Variables defined by this module: # # PCAP_FOUND System has libpcap, include and library dirs found -# PCAP_INCLUDE_DIR The libpcap include directories. -# PCAP_LIBRARY The libpcap library. +# PCAP_INCLUDE_DIR The libpcap include directories. +# PCAP_LIBRARY The libpcap library (possibly includes a thread +# library e.g. required by pf_ring's libpcap) find_path(PCAP_ROOT_DIR NAMES include/pcap.h @@ -37,6 +38,29 @@ find_package_handle_standard_args(PCAP DEFAULT_MSG PCAP_INCLUDE_DIR ) +include(CheckCSourceCompiles) +set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY}) +check_c_source_compiles("int main() { return 0; }" PCAP_LINKS_SOLO) +set(CMAKE_REQUIRED_LIBRARIES) + +# check if linking against libpcap also needs to link against a thread library +if (NOT PCAP_LINKS_SOLO) + find_package(Threads) + if (THREADS_FOUND) + set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY} ${CMAKE_THREAD_LIBS_INIT}) + check_c_source_compiles("int main() { return 0; }" PCAP_NEEDS_THREADS) + set(CMAKE_REQUIRED_LIBRARIES) + endif () + if (THREADS_FOUND AND PCAP_NEEDS_THREADS) + set(_tmp ${PCAP_LIBRARY} ${CMAKE_THREAD_LIBS_INIT}) + list(REMOVE_DUPLICATES _tmp) + set(PCAP_LIBRARY ${_tmp} + CACHE STRING "Libraries needed to link against libpcap" FORCE) + else () + message(FATAL_ERROR "Couldn't determine how to link against libpcap") + endif () +endif () + mark_as_advanced( PCAP_ROOT_DIR PCAP_INCLUDE_DIR diff --git a/config.h.in b/config.h.in index 2820875b78..3783a8390d 100644 --- a/config.h.in +++ b/config.h.in @@ -114,6 +114,12 @@ /* GeoIP geographic lookup functionality */ #cmakedefine USE_GEOIP +/* Whether the found GeoIP API supports IPv6 Country Edition */ +#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6 + +/* Whether the found GeoIP API supports IPv6 City Edition */ +#cmakedefine HAVE_GEOIP_CITY_EDITION_REV0_V6 + /* Use Google's perftools */ #cmakedefine USE_PERFTOOLS diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index e071de47e5..048a51ff12 100644 
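Review bot: `set(PCAP_LIBRARY ${_tmp} CACHE STRING "Libraries needed to link against libpcap" FORCE)` overwrites a cache value the user may have passed explicitly, and on the next configure the `PCAP_LINKS_SOLO` probe runs against the already-augmented list, so the fallback rewrites a user-facing variable in a way that is hard to undo; FORCE on such an entry is normally avoided. Keeping the found library untouched and exposing the complete link list separately, e.g. `set(PCAP_LIBRARIES ${PCAP_LIBRARY} ${CMAKE_THREAD_LIBS_INIT})`, is the conventional shape, with callers linking `${PCAP_LIBRARIES}`. Also `set(CMAKE_REQUIRED_LIBRARIES)` unsets rather than restores the caller's value, and the `FATAL_ERROR "Couldn't determine how to link against libpcap"` fires for any non-thread missing dependency without saying what was tried, so including `${PCAP_LIBRARY}` in the message would help the person debugging it.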
--- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -66,10 +66,6 @@ rest_target(${psd} base/protocols/http/partial-content.bro) rest_target(${psd} base/protocols/http/utils.bro) rest_target(${psd} base/protocols/irc/dcc-send.bro) rest_target(${psd} base/protocols/irc/main.bro) -rest_target(${psd} base/protocols/mime/file-extract.bro) -rest_target(${psd} base/protocols/mime/file-hash.bro) -rest_target(${psd} base/protocols/mime/file-ident.bro) -rest_target(${psd} base/protocols/mime/main.bro) rest_target(${psd} base/protocols/rpc/main.bro) rest_target(${psd} base/protocols/smtp/entities-excerpt.bro) rest_target(${psd} base/protocols/smtp/entities.bro) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index a50bff625a..0b283d028a 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -80,7 +80,7 @@ redef enum Notice::Type += { # Comments of the "##" form can be use to further document it, but it's # better to do all documentation related to logging in the summary section # as is shown above. -redef enum Log::ID += { EXAMPLE }; +redef enum Log::ID += { LOG }; # Anything declared in the export section will show up in the rendered # documentation's "public interface" section @@ -218,8 +218,8 @@ type PrivateRecord: record { event bro_init() { - Log::create_stream(EXAMPLE, [$columns=Info, $ev=log_example]); - Log::add_filter(EXAMPLE, [ + Log::create_stream(Example::LOG, [$columns=Info, $ev=log_example]); + Log::add_filter(Example::LOG, [ $name="example-filter", $path="example-filter", $pred=filter_func, diff --git a/pkg/make-src-packages b/pkg/make-src-packages new file mode 100755 index 0000000000..996b546659 --- /dev/null +++ b/pkg/make-src-packages 
@@ -0,0 +1,23 @@ +#!/bin/sh + +SOURCE="$( cd "$( dirname "$0" )" && cd .. && pwd )" +BUILD=${SOURCE}/build +TMP=/tmp/bro-dist.${UID} +BRO_V=`cat ${SOURCE}/VERSION` +BROCCOLI_V=`cat ${SOURCE}/aux/broccoli/VERSION` +BROCTL_V=`cat ${SOURCE}/aux/broctl/VERSION` + +( mkdir -p ${BUILD} && rm -rf ${TMP} && mkdir ${TMP} ) +cp -R ${SOURCE} ${TMP}/Bro-${BRO_V} +( cd ${TMP} && find . -name .git\* | xargs rm -rf ) +( cd ${TMP} && find . -name \*.swp | xargs rm -rf ) +( cd ${TMP} && find . -type d -name build | xargs rm -rf ) +( cd ${TMP} && tar -czf ${BUILD}/Bro-all-${BRO_V}.tar.gz Bro-${BRO_V} ) +( cd ${TMP}/Bro-${BRO_V}/aux && mv broccoli Broccoli-${BROCCOLI_V} && \ + tar -czf ${BUILD}/Broccoli-${BROCCOLI_V}.tar.gz Broccoli-${BROCCOLI_V} ) +( cd ${TMP}/Bro-${BRO_V}/aux && mv broctl Broctl-${BROCTL_V} && \ + tar -czf ${BUILD}/Broctl-${BROCTL_V}.tar.gz Broctl-${BROCTL_V} ) +( cd ${TMP}/Bro-${BRO_V}/aux && rm -rf Broctl* Broccoli* ) +( cd ${TMP} && tar -czf ${BUILD}/Bro-${BRO_V}.tar.gz Bro-${BRO_V} ) +rm -rf ${TMP} +echo "Distribution source tarballs have been compiled in ${BUILD}" diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 0b117d2603..6a0d29f838 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro @@ -3,7 +3,8 @@ module Cluster; export { - redef enum Log::ID += { CLUSTER }; + redef enum Log::ID += { LOG }; + type Info: record { ts: time; message: string; @@ -106,5 +107,5 @@ event bro_init() &priority=5 terminate(); } - Log::create_stream(CLUSTER, [$columns=Info]); + Log::create_stream(Cluster::LOG, [$columns=Info]); } diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.bro index a19fa67485..b219a2e5cc 100644 --- a/scripts/base/frameworks/cluster/nodes/worker.bro +++ b/scripts/base/frameworks/cluster/nodes/worker.bro 
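Review bot: `TMP=/tmp/bro-dist.${UID}` is a predictable name in a world-writable directory, and the script does `rm -rf ${TMP} && mkdir ${TMP}` and then unconditionally `cp -R`s the whole source tree and runs `tar` against it, so another local user can pre-create or symlink that path between the `rm` and the `mkdir` (the `mkdir` failure inside the `( ... )` subshell is never checked, so the copy still proceeds into whatever exists there). `UID` is also a bash variable rather than a POSIX one, so under a `#!/bin/sh` that is dash the path collapses to `/tmp/bro-dist.` for every user. `TMP=$(mktemp -d /tmp/bro-dist.XXXXXX) || exit 1` together with `set -e` near the top closes both issues; quoting `"${TMP}"`, `"${SOURCE}"` and `"${BUILD}"` throughout would additionally keep paths with spaces working. The `find ... | xargs rm -rf` pipelines have the same whitespace problem and would be safer as `find ... -exec rm -rf {} +`.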
@@ -22,10 +22,5 @@ redef record_all_packets = T; # do remote logging since we forward the notice event directly. event bro_init() { - Log::add_filter(Notice::NOTICE, - [ - $name="cluster-worker", - $pred=function(rec: Notice::Info): bool { return F; } - ] - ); + Log::disable_stream(Notice::LOG); } diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index f6e58be1fc..2e7c9487ca 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -6,7 +6,7 @@ module Communication; export { - redef enum Log::ID += { COMMUNICATION }; + redef enum Log::ID += { LOG }; const default_port_ssl = 47756/tcp &redef; const default_port_clear = 47757/tcp &redef; @@ -107,21 +107,18 @@ const src_names = { [REMOTE_SRC_SCRIPT] = "script", }; -event bro_init() +event bro_init() &priority=5 { - Log::create_stream(COMMUNICATION, [$columns=Info]); - - if ( |nodes| > 0 ) - enable_communication(); + Log::create_stream(Communication::LOG, [$columns=Info]); } function do_script_log_common(level: count, src: count, msg: string) { - Log::write(COMMUNICATION, [$ts = network_time(), - $level = (level == REMOTE_LOG_INFO ? "info" : "error"), - $src_name = src_names[src], - $peer = get_event_peer()$descr, - $message = msg]); + Log::write(Communication::LOG, [$ts = network_time(), + $level = (level == REMOTE_LOG_INFO ? "info" : "error"), + $src_name = src_names[src], + $peer = get_event_peer()$descr, + $message = msg]); } # This is a core generated event. @@ -147,9 +144,9 @@ function connect_peer(peer: string) local id = connect(node$host, p, class, node$retry, node$ssl); if ( id == PEER_ID_NONE ) - Log::write(COMMUNICATION, [$ts = network_time(), - $peer = get_event_peer()$descr, - $message = "can't trigger connect"]); + Log::write(Communication::LOG, [$ts = network_time(), + $peer = get_event_peer()$descr, + $message = "can't trigger connect"]); pending_peers[id] = node; } 
@@ -275,15 +272,18 @@ event remote_state_inconsistency(operation: string, id: string, local msg = fmt("state inconsistency: %s should be %s but is %s before %s", id, expected_old, real_old, operation); - Log::write(COMMUNICATION, [$ts = network_time(), - $peer = get_event_peer()$descr, - $message = msg]); + Log::write(Communication::LOG, [$ts = network_time(), + $peer = get_event_peer()$descr, + $message = msg]); } # Actually initiate the connections that need to be established. event bro_init() &priority = -10 # let others modify nodes { + if ( |nodes| > 0 ) + enable_communication(); + for ( tag in nodes ) { if ( ! nodes[tag]$connect ) diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index 9bfd7f615b..5b77ad6d0c 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -7,7 +7,7 @@ module DPD; redef signature_files += "base/frameworks/dpd/dpd.sig"; export { - redef enum Log::ID += { DPD }; + redef enum Log::ID += { LOG }; type Info: record { ## Timestamp for when protocol analysis failed. @@ -38,9 +38,9 @@ redef record connection += { dpd: Info &optional; }; -event bro_init() +event bro_init() &priority=5 { - Log::create_stream(DPD, [$columns=Info]); + Log::create_stream(DPD::LOG, [$columns=Info]); # Populate the internal DPD analysis variable. for ( a in dpd_config ) @@ -104,5 +104,5 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=-5 { if ( c?$dpd ) - Log::write(DPD, c$dpd); + Log::write(DPD::LOG, c$dpd); } diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index f9ba388734..648c32bc57 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -25,7 +25,7 @@ module Intel; export { - redef enum Log::ID += { INTEL }; + redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## This notice should be used in all detector scripts to indicate 
@@ -101,7 +101,7 @@ export { event bro_init() { - Log::create_stream(INTEL, [$columns=Info]); + Log::create_stream(Intel::LOG, [$columns=Info]); } @@ -163,7 +163,7 @@ function insert(item: Item): bool } if ( err_msg != "" ) - Log::write(INTEL, [$ts=network_time(), $level="warn", $message=fmt(err_msg)]); + Log::write(Intel::LOG, [$ts=network_time(), $level="warn", $message=fmt(err_msg)]); return F; } @@ -272,6 +272,6 @@ function matcher(item: QueryItem): bool } if ( err_msg != "" ) - Log::write(INTEL, [$ts=network_time(), $level="error", $message=fmt(err_msg)]); + Log::write(Intel::LOG, [$ts=network_time(), $level="error", $message=fmt(err_msg)]); return F; } diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 6a0618fd07..61a4cf8f9d 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro 
@@ -177,8 +177,47 @@ function __default_rotation_postprocessor(info: RotationInfo) : bool function default_path_func(id: ID, path: string, rec: any) : string { - # TODO for Seth: Do what you want. :) - return path; + local id_str = fmt("%s", id); + + local parts = split1(id_str, /::/); + if ( |parts| == 2 ) + { + # TODO: the core shouldn't be suggesting paths anymore. Only + # statically defined paths should be sent into here. This + # is only to cope with the core generated paths. + if ( to_lower(parts[2]) != path ) + return path; + + # Example: Notice::LOG -> "notice" + if ( parts[2] == "LOG" ) + { + local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4); + local output = ""; + if ( 1 in module_parts ) + output = module_parts[1]; + if ( 2 in module_parts && module_parts[2] != "" ) + output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|)); + if ( 3 in module_parts && module_parts[3] != "" ) + output = cat(output, "_", module_parts[3]); + if ( 4 in module_parts && module_parts[4] != "" ) + output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|)); + # TODO: There seems to be some problem with the split function + # not putting \0 at the end of the string. fmt will make + # a better internal string. + return fmt("%s", to_lower(output)); + } + + # Example: Notice::POLICY_LOG -> "notice_policy" + if ( /_LOG$/ in parts[2] ) + parts[2] = sub(parts[2], /_LOG$/, ""); + + return cat(to_lower(parts[1]),"_",to_lower(parts[2])); + } + else + { + # In case there is a logging stream in the global namespace. + return to_lower(id_str); + } } # Run post-processor on file. If there isn't any postprocessor defined, @@ -222,7 +261,7 @@ function add_filter(id: ID, filter: Filter) : bool # definition. if ( ! filter?$path_func ) filter$path_func = default_path_func; - + filters[id, filter$name] = filter; return __add_filter(id, filter); } 
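Review bot: The CamelCase-to-underscore conversion in `default_path_func` is hard to verify by reading: `split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4)` caps the module name at four pieces, and pieces 2 and 4 receive a first-character/underscore/rest treatment while piece 3 is appended whole, which only makes sense if one knows the exact shape `split_n` returns with `incl_sep=T`. A comment above the `split_n` call giving one worked example of input and output (e.g. what `PacketFilter::LOG` becomes, alongside the existing `Notice::LOG -> "notice"`) and stating that module names with more than four CamelCase words are presumably truncated would let a reader check each branch. The TODO about `split` not NUL-terminating strings describes a core bug being papered over with `fmt("%s", ...)`; if that is confirmed it deserves a tracker reference here so the work-around can be removed later.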
diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.bro new file mode 100644 index 0000000000..f27e748ae5 --- /dev/null +++ b/scripts/base/frameworks/logging/postprocessors/scp.bro @@ -0,0 +1,42 @@ +##! This script defines a postprocessing function that can be applied +##! to a logging filter in order to automatically SCP (secure copy) +##! a log stream (or a subset of it) to a remote host at configurable +##! rotation time intervals. + +module Log; + +export { + ## This postprocessor SCP's the rotated-log to all the remote hosts + ## defined in :bro:id:`Log::scp_destinations` and then deletes + ## the local copy of the rotated-log. It's not active when + ## reading from trace files. + global scp_postprocessor: function(info: Log::RotationInfo): bool; + + ## A container that describes the remote destination for the SCP command + ## argument as ``user@host:path``. + type SCPDestination: record { + user: string; + host: string; + path: string; + }; + + ## A table indexed by a particular log writer and filter path, that yields + ## a set remote destinations. The :bro:id:`Log::scp_postprocessor` + ## function queries this table upon log rotation and performs a secure + ## copy of the rotated-log to each destination in the set. + global scp_destinations: table[Writer, string] of set[SCPDestination]; +} + +function scp_postprocessor(info: Log::RotationInfo): bool + { + if ( reading_traces() || [info$writer, info$path] !in scp_destinations ) + return T; + + local command = ""; + for ( d in scp_destinations[info$writer, info$path] ) + command += fmt("scp %s %s@%s:%s;", info$fname, d$user, d$host, d$path); + + command += fmt("/bin/rm %s", info$fname); + system(command); + return T; + } diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index 1b5b1be33d..5c04fdd3d9 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro 
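Review bot: In `scp_postprocessor` the per-destination `scp` commands are joined with `;` and `/bin/rm %s` is appended unconditionally, so when an `scp` fails (host down, key rejected, remote disk full) the local rotated log is still deleted and that data is gone with no record. Chaining with `&&` instead — `command += fmt("scp %s %s@%s:%s && ", info$fname, d$user, d$host, d$path);` followed by `command += fmt("/bin/rm %s", info$fname);` — keeps the local copy on any failure. The command is also built by plain `fmt` from `info$fname` and the configured `user`/`host`/`path` with no quoting, so a space or shell metacharacter in the log directory or a destination path breaks the pipeline; quoting those `%s` as `'%s'` is the minimum, and the `scp_destinations` docstring should say the entries are passed to a shell unescaped. Since the run is non-interactive, `scp -o BatchMode=yes` would stop a host-key or passphrase prompt from hanging the postprocessor.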
+++ b/scripts/base/frameworks/logging/writers/ascii.bro @@ -11,7 +11,7 @@ export { const include_header = T &redef; ## Prefix for the header line if included. - const header_prefix = "# " &redef; + const header_prefix = "#" &redef; ## Separator between fields. const separator = "\t" &redef; diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro index 2dd9e19b03..76cbc792be 100644 --- a/scripts/base/frameworks/metrics/main.bro +++ b/scripts/base/frameworks/metrics/main.bro @@ -5,7 +5,7 @@ module Metrics; export { - redef enum Log::ID += { METRICS }; + redef enum Log::ID += { LOG }; type ID: enum { NOTHING, @@ -124,7 +124,7 @@ global thresholds: table[ID, string, Index] of count = {} &create_expire=renotic event bro_init() &priority=5 { - Log::create_stream(METRICS, [$columns=Info, $ev=log_metrics]); + Log::create_stream(Metrics::LOG, [$columns=Info, $ev=log_metrics]); } function index2str(index: Index): string @@ -151,7 +151,7 @@ function write_log(ts: time, filter: Filter, data: MetricTable) $value=val]; if ( filter$log ) - Log::write(METRICS, m); + Log::write(Metrics::LOG, m); } } diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index ea7a472031..b095e92cbf 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -9,15 +9,13 @@ module Notice; export { redef enum Log::ID += { - ## This is the primary logging stream for notices. It must always be - ## referenced with the module name included because the name is - ## also used by the global function :bro:id:`NOTICE`. - NOTICE, + ## This is the primary logging stream for notices. + LOG, ## This is the notice policy auditing log. It records what the current ## notice policy is at Bro init time. - NOTICE_POLICY, + POLICY_LOG, ## This is the alarm stream. - ALARM, + ALARM_LOG, }; ## Scripts creating new notices need to redef this enum to add their own 
@@ -41,7 +39,9 @@ export { ## Indicates that the notice should be sent to the email address(es) ## configured in the :bro:id:`Notice::mail_dest` variable. ACTION_EMAIL, - ## Indicates that the notice should be alarmed. + ## Indicates that the notice should be alarmed. A readable ASCII + ## version of the alarm log is emailed in bulk to the address(es) + ## configured in :bro:id:`Notice::mail_dest`. ACTION_ALARM, }; @@ -136,7 +136,8 @@ export { ## Local system sendmail program. const sendmail = "/usr/sbin/sendmail" &redef; - ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action. + ## Email address to send notices with the :bro:enum:`ACTION_EMAIL` action + ## or to send bulk alarm logs on rotation with :bro:enum:`ACTION_ALARM`. const mail_dest = "" &redef; ## Address that emails will be from. @@ -146,6 +147,11 @@ export { ## Text string prefixed to the subject of all emails sent out. const mail_subject_prefix = "[Bro]" &redef; + ## A log postprocessing function that implements emailing the contents + ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`. + ## The rotated log is removed upon being sent. + global log_mailing_postprocessor: function(info: Log::RotationInfo): bool; + ## This is the event that is called as the entry point to the ## notice framework by the global :bro:id:`NOTICE` function. By the time ## this event is generated, default values have already been filled out in 
@@ -171,7 +177,14 @@ export { ## by default with the built in :bro:enum:`ACTION_EMAIL` and ## :bro:enum:`ACTION_PAGE` actions. global email_notice_to: function(n: Info, dest: string, extend: bool); - + + ## Constructs mail headers to which an email body can be appended for + ## sending with sendmail. + ## subject_desc: a subject string to use for the mail + ## dest: recipient string to use for the mail + ## Returns: a string of mail headers to which an email body can be appended + global email_headers: function(subject_desc: string, dest: string): string; + ## This is an internally used function, please ignore it. It's only used ## for filling out missing details of :bro:type:`Notice:Info` records ## before the synchronous and asynchronous event pathways have begun. 
@@ -186,21 +199,48 @@ export { # priority. global ordered_policy: vector of PolicyItem = vector(); -event bro_init() +function log_mailing_postprocessor(info: Log::RotationInfo): bool { - Log::create_stream(NOTICE_POLICY, [$columns=PolicyItem]); - Log::create_stream(Notice::NOTICE, [$columns=Info, $ev=log_notice]); - - Log::create_stream(ALARM, [$columns=Notice::Info]); - # Make sure that this log is output as text so that it can be packaged - # up and emailed later. - Log::add_filter(ALARM, [$name="default", $writer=Log::WRITER_ASCII]); + if ( ! reading_traces() && mail_dest != "" ) + { + local headers = email_headers(fmt("Log Contents: %s", info$fname), + mail_dest); + local tmpfilename = fmt("%s.mailheaders.tmp", info$fname); + local tmpfile = open(tmpfilename); + write_file(tmpfile, headers); + close(tmpfile); + system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm %s %s", + tmpfilename, info$fname, sendmail, tmpfilename, info$fname)); + } + return T; + } + +# This extra export section here is just because this redefinition should +# be documented as part of the "public API" of this script, but the redef +# needs to occur after the postprocessor function implementation. +export { + ## By default, an ASCII version of the the alarm log is emailed daily to any + ## configured :bro:id:`Notice::mail_dest` if not operating on trace files. + redef Log::rotation_control += { + [Log::WRITER_ASCII, "alarm-mail"] = + [$interv=24hrs, $postprocessor=log_mailing_postprocessor] + }; +} + +event bro_init() &priority=5 + { + Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice]); + Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]); + + Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info]); + # If Bro is configured for mailing notices, set up mailing for alarms. + # Make sure that this alarm log is also output as text so that it can + # be packaged up and emailed later. + if ( ! 
reading_traces() && mail_dest != "" ) + Log::add_filter(Notice::ALARM_LOG, [$name="alarm-mail", + $path="alarm-mail", + $writer=Log::WRITER_ASCII]); } - # TODO: need a way to call a Bro script level callback during file rotation. - # we need more than a just $postprocessor. - #redef Log::rotation_control += { - # [Log::WRITER_ASCII, "alarm"] = [$postprocessor="mail-alarms"]; - #}; # TODO: fix this. #function notice_tags(n: Notice::Info) : table[string] of string @@ -220,20 +260,24 @@ event bro_init() # return tgs; # } +function email_headers(subject_desc: string, dest: string): string + { + local header_text = string_cat( + "From: ", mail_from, "\n", + "Subject: ", mail_subject_prefix, " ", subject_desc, "\n", + "To: ", dest, "\n", + "User-Agent: Bro-IDS/", bro_version(), "\n"); + if ( reply_to != "" ) + header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n"); + return header_text; + } + function email_notice_to(n: Notice::Info, dest: string, extend: bool) { if ( reading_traces() || dest == "" ) return; - local email_text = string_cat( - "From: ", mail_from, "\n", - "Subject: ", mail_subject_prefix, " ", fmt("%s", n$note), "\n", - "To: ", dest, "\n", - # TODO: BiF to get version (the resource_usage Bif seems like overkill). - "User-Agent: Bro-IDS/?.?.?\n"); - - if ( reply_to != "" ) - email_text = string_cat(email_text, "Reply-To: ", reply_to, "\n"); + local email_text = email_headers(fmt("%s", n$note), dest); # The notice emails always start off with the human readable message. email_text = string_cat(email_text, "\n", n$msg, "\n"); @@ -257,9 +301,9 @@ event notice(n: Notice::Info) &priority=-5 if ( ACTION_EMAIL in n$actions ) email_notice_to(n, mail_dest, T); if ( ACTION_LOG in n$actions ) - Log::write(Notice::NOTICE, n); + Log::write(Notice::LOG, n); if ( ACTION_ALARM in n$actions ) - Log::write(ALARM, n); + Log::write(Notice::ALARM_LOG, n); } # Executes a script with all of the notice fields put into the 
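Review bot: `log_mailing_postprocessor` hands `/bin/cat %s %s | %s -t -oi && /bin/rm %s %s` to `system()` with `info$fname`, the temp file name and `sendmail` interpolated unquoted, so a log directory containing a space or shell metacharacter breaks the pipeline, and because the `rm` is tied to the pipeline status the rotated alarm log is kept on failure but the `.mailheaders.tmp` file is never cleaned up. The header file is written with `open()` to `fmt("%s.mailheaders.tmp", info$fname)` beside the log, a predictable name; in the usual per-node log directory that is probably fine, but a comment stating the assumption that the log directory is not shared with untrusted users would help. With `sendmail -t` the recipients come from the generated `To:` header, so `mail_dest` flows into a mail header verbatim; it is an operator-set `&redef` constant, which is acceptable, but the `log_mailing_postprocessor` docstring should say a malformed `mail_dest` goes into the message unchecked. Quoting the five `%s` as `'%s'` in the format string is a one-line improvement.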
@@ -348,10 +392,7 @@ event bro_init() &priority=10 for ( pi in policy ) { if ( pi$priority < 0 || pi$priority > 10 ) - { - print "All Notice::PolicyItem priorities must be within 0 and 10"; - exit(); - } + Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10"); if ( pi$priority !in tmp ) tmp[pi$priority] = set(); @@ -368,7 +409,7 @@ event bro_init() &priority=10 { pi$position = |ordered_policy|; ordered_policy[|ordered_policy|] = pi; - Log::write(NOTICE_POLICY, pi); + Log::write(Notice::POLICY_LOG, pi); } } } diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index 556b34432a..70fbc26f28 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -5,7 +5,7 @@ module Weird; export { - redef enum Log::ID += { WEIRD }; + redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## Generic unusual but alarm-worthy activity. @@ -259,9 +259,9 @@ global did_inconsistency_msg: set[conn_id]; # Used to pass the optional connection into report_weird(). global current_conn: connection; -event bro_init() +event bro_init() &priority=5 { - Log::create_stream(WEIRD, [$columns=Info, $ev=log_weird]); + Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird]); } function report_weird(t: time, name: string, id: string, have_conn: bool, @@ -311,7 +311,7 @@ function report_weird(t: time, name: string, id: string, have_conn: bool, add weird_ignore[id][name]; } - Log::write(WEIRD, info); + Log::write(Weird::LOG, info); } function report_weird_conn(t: time, name: string, id: string, addl: string, diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 5d5bd61106..784a7725ed 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro 
@@ -9,7 +9,7 @@ module PacketFilter; export { - redef enum Log::ID += { PACKET_FILTER }; + redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## This notice is generated if a packet filter is unable to be compiled. @@ -121,7 +121,7 @@ function install() NOTICE([$note=Compile_Failure, $msg=fmt("Compiling packet filter failed"), $sub=default_filter]); - exit(); + Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter)); } # Do an audit log for the packet filter. @@ -144,11 +144,11 @@ function install() $sub=default_filter]); } - Log::write(PACKET_FILTER, info); + Log::write(PacketFilter::LOG, info); } event bro_init() &priority=10 { - Log::create_stream(PACKET_FILTER, [$columns=Info]); + Log::create_stream(PacketFilter::LOG, [$columns=Info]); PacketFilter::install(); } diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.bro index ee9def9121..e70106f39a 100644 --- a/scripts/base/frameworks/reporter/main.bro +++ b/scripts/base/frameworks/reporter/main.bro @@ -5,9 +5,13 @@ module Reporter; export { - redef enum Log::ID += { REPORTER }; + redef enum Log::ID += { LOG }; - type Level: enum { INFO, WARNING, ERROR }; + type Level: enum { + INFO, + WARNING, + ERROR + }; type Info: record { ts: time &log; 
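Review bot: In `install()`, `Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter))` now directly follows the `NOTICE([$note=Compile_Failure, ...])`; if `Reporter::fatal` terminates the process synchronously, as its name suggests, the notice raised one line earlier is still queued and will presumably never reach the notice policy or `notice.log`, leaving the reason visible only in reporter output. Either drop the `NOTICE` (it is dead code if fatal exits first) or fold its information into the fatal message, e.g. `Reporter::fatal(fmt("Compiling packet filter failed: '%s'", default_filter));`, and add a comment saying which of the two is intended. `install()` starts before and continues after this hunk.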
@@ -19,22 +23,22 @@ export { }; } -event bro_init() +event bro_init() &priority=5 { - Log::create_stream(REPORTER, [$columns=Info]); + Log::create_stream(Reporter::LOG, [$columns=Info]); } event reporter_info(t: time, msg: string, location: string) { - Log::write(REPORTER, [$ts=t, $level=INFO, $message=msg, $location=location]); + Log::write(Reporter::LOG, [$ts=t, $level=INFO, $message=msg, $location=location]); } event reporter_warning(t: time, msg: string, location: string) { - Log::write(REPORTER, [$ts=t, $level=WARNING, $message=msg, $location=location]); + Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]); } event reporter_error(t: time, msg: string, location: string) { - Log::write(REPORTER, [$ts=t, $level=ERROR, $message=msg, $location=location]); + Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]); } diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro index 14aa3240c6..4811fdd5a9 100644 --- a/scripts/base/frameworks/signatures/main.bro +++ b/scripts/base/frameworks/signatures/main.bro @@ -25,7 +25,7 @@ export { Signature_Summary, }; - redef enum Log::ID += { SIGNATURES }; + redef enum Log::ID += { LOG }; ## These are the default actions you can apply to signature matches. ## All of them write the signature record to the logging stream unless @@ -114,7 +114,7 @@ global did_sig_log: set[string] &read_expire = 1 hr; event bro_init() { - Log::create_stream(SIGNATURES, [$columns=Info, $ev=log_signature]); + Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature]); } # Returns true if the given signature has already been triggered for the given @@ -174,7 +174,7 @@ event signature_match(state: signature_state, msg: string, data: string) $event_msg=fmt("%s: %s", src_addr, msg), $sig_id=sig_id, $sub_msg=data]; - Log::write(SIGNATURES, info); + Log::write(Signatures::LOG, info); } local notice = F; 
@@ -248,7 +248,7 @@ event signature_match(state: signature_state, msg: string, data: string) fmt("%s has triggered signature %s on %d hosts", orig, sig_id, hcount); - Log::write(SIGNATURES, + Log::write(Signatures::LOG, [$note=Multiple_Sig_Responders, $src_addr=orig, $sig_id=sig_id, $event_msg=msg, $host_count=hcount, $sub_msg=horz_scan_msg]); @@ -265,7 +265,7 @@ event signature_match(state: signature_state, msg: string, data: string) fmt("%s has triggered %d different signatures on host %s", orig, vcount, resp); - Log::write(SIGNATURES, + Log::write(Signatures::LOG, [$ts=network_time(), $note=Multiple_Signatures, $src_addr=orig, diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 7f9a55673b..6469f0e418 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -11,7 +11,7 @@ module Software; export { - redef enum Log::ID += { SOFTWARE }; + redef enum Log::ID += { LOG }; type Type: enum { UNKNOWN, @@ -103,7 +103,7 @@ export { event bro_init() { - Log::create_stream(SOFTWARE, [$columns=Info, $ev=log_software]); + Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software]); } function parse_mozilla(unparsed_version: string, @@ -379,7 +379,7 @@ event software_register(id: conn_id, info: Info) return; } - Log::write(SOFTWARE, info); + Log::write(Software::LOG, info); ts[info$name] = info; } diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 82d5511436..fca1f49ca6 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -3,7 +3,7 @@ module Conn; export { - redef enum Log::ID += { CONN }; + redef enum Log::ID += { LOG }; type Info: record { ## This is the time of the first packet. 
@@ -95,7 +95,7 @@ redef record connection += { event bro_init() &priority=5 { - Log::create_stream(CONN, [$columns=Info, $ev=log_conn]); + Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn]); } function conn_state(c: connection, trans: transport_proto): string @@ -216,6 +216,6 @@ event connection_state_remove(c: connection) &priority=5 event connection_state_remove(c: connection) &priority=-5 { - Log::write(CONN, c$conn); + Log::write(Conn::LOG, c$conn); } diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index eff1b4c4f0..3b2e20d657 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -3,7 +3,7 @@ module DNS; export { - redef enum Log::ID += { DNS }; + redef enum Log::ID += { LOG }; type Info: record { ts: time &log; @@ -77,7 +77,7 @@ redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; event bro_init() &priority=5 { - Log::create_stream(DNS, [$columns=Info, $ev=log_dns]); + Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); } function new_session(c: connection, trans_id: count): Info @@ -163,7 +163,7 @@ event do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &pri { if ( c$dns$ready ) { - Log::write(DNS, c$dns); + Log::write(DNS::LOG, c$dns); add c$dns_state$finished_answers[c$dns$trans_id]; # This record is logged and no longer pending. delete c$dns_state$pending[c$dns$trans_id]; @@ -275,6 +275,6 @@ event connection_state_remove(c: connection) &priority=-5 # If Bro is expiring state, we should go ahead and log all unlogged # request/response pairs now. for ( trans_id in c$dns_state$pending ) - Log::write(DNS, c$dns_state$pending[trans_id]); + Log::write(DNS::LOG, c$dns_state$pending[trans_id]); } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9dd6a4b6d2..ccc4bf45ce 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro 
@@ -14,7 +14,7 @@ module FTP; export { - redef enum Log::ID += { FTP }; + redef enum Log::ID += { LOG }; ## This setting changes if passwords used in FTP sessions are captured or not. const default_capture_password = F &redef; @@ -95,7 +95,7 @@ global ftp_data_expected: table[addr, port] of ExpectedConn &create_expire=5mins event bro_init() &priority=5 { - Log::create_stream(FTP, [$columns=Info, $ev=log_ftp]); + Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]); } ## A set of commands where the argument can be expected to refer @@ -165,7 +165,7 @@ function ftp_message(s: Info) else s$arg=arg; - Log::write(FTP, s); + Log::write(FTP::LOG, s); } # The MIME and file_size fields are specific to file transfer commands diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index ec54b1f428..82136e0e37 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -4,7 +4,7 @@ module HTTP; export { - redef enum Log::ID += { HTTP }; + redef enum Log::ID += { LOG }; ## Indicate a type of attack or compromise in the record to be logged. type Tags: enum { @@ -86,7 +86,7 @@ redef record connection += { # Initialize the HTTP logging stream. event bro_init() &priority=5 { - Log::create_stream(HTTP, [$columns=Info, $ev=log_http]); + Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); } # DPD configuration. @@ -230,7 +230,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) & # The reply body is done so we're ready to log. if ( ! is_orig ) { - Log::write(HTTP, c$http); + Log::write(HTTP::LOG, c$http); delete c$http_state$pending[c$http_state$current_response]; } } @@ -242,7 +242,7 @@ event connection_state_remove(c: connection) { for ( r in c$http_state$pending ) { - Log::write(HTTP, c$http_state$pending[r]); + Log::write(HTTP::LOG, c$http_state$pending[r]); } } } 
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 92d73e70bf..b2a48a472a 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -73,7 +73,7 @@ event file_transferred(c: connection, prefix: string, descr: string, local tmp = irc$command; irc$command = "DCC"; - Log::write(IRC, irc); + Log::write(IRC::LOG, irc); irc$command = tmp; if ( irc$extract_file && irc?$extraction_file ) diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index c394d8f0c6..7cccbdf9a3 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro @@ -7,7 +7,7 @@ module IRC; export { - redef enum Log::ID += { IRC }; + redef enum Log::ID += { LOG }; type Tag: enum { EMPTY @@ -44,7 +44,7 @@ redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; event bro_init() &priority=5 { - Log::create_stream(IRC, [$columns=Info, $ev=irc_log]); + Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]); } function new_session(c: connection): Info @@ -78,7 +78,7 @@ event irc_nick_message(c: connection, is_orig: bool, who: string, newnick: strin { if ( is_orig ) { - Log::write(IRC, c$irc); + Log::write(IRC::LOG, c$irc); c$irc$nick = newnick; } } @@ -98,7 +98,7 @@ event irc_user_message(c: connection, is_orig: bool, user: string, host: string, { if ( is_orig ) { - Log::write(IRC, c$irc); + Log::write(IRC::LOG, c$irc); c$irc$user = user; } } @@ -118,7 +118,7 @@ event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list) & { c$irc$value = l$channel; c$irc$addl = (l$password != "" ? fmt(" with channel key: '%s'", l$password) : ""); - Log::write(IRC, c$irc); + Log::write(IRC::LOG, c$irc); } } } diff --git a/scripts/base/protocols/mime/__load__.bro b/scripts/base/protocols/mime/__load__.bro deleted file mode 100644 index 6c3f1804ec..0000000000 --- a/scripts/base/protocols/mime/__load__.bro +++ /dev/null 
@@ -1,4 +0,0 @@
-@load ./main
-@load ./file-ident
-@load ./file-extract
-@load ./file-hash
diff --git a/scripts/base/protocols/mime/file-extract.bro b/scripts/base/protocols/mime/file-extract.bro
deleted file mode 100644
index 4e25f19d10..0000000000
--- a/scripts/base/protocols/mime/file-extract.bro
+++ /dev/null
@@ -1,62 +0,0 @@ -@load ./file-ident -@load base/utils/files - -module MIME; - -export { - ## Pattern of file mime types to extract from MIME bodies. - const extract_file_types = /NO_DEFAULT/ &redef; - - ## The on-disk prefix for files to be extracted from MIME entity bodies. - const extraction_prefix = "mime-item" &redef; - - redef record Info += { - ## Optionally write the file to disk. Must be set prior to first - ## data chunk being seen in an event. - extract_file: bool &default=F; - - ## Store the file handle here for the file currently being extracted. - extraction_file: file &log &optional; - }; - - redef record State += { - ## Store a count of the number of files that have been transferred in - ## this conversation to create unique file names on disk. - num_extracted_files: count &default=0; - }; -} - -event mime_segment_data(c: connection, length: count, data: string) &priority=5 - { - if ( extract_file_types in c$mime$mime_type ) - c$mime$extract_file = T; - } - -event mime_segment_data(c: connection, length: count, data: string) &priority=3 - { - if ( c$mime$extract_file && c$mime$content_len == 0 ) - { - local suffix = fmt("%d.dat", ++c$mime_state$num_extracted_files); - local fname = generate_extraction_filename(extraction_prefix, c, suffix); - c$mime$extraction_file = open(fname); - enable_raw_output(c$mime$extraction_file); - } - } - -event mime_segment_data(c: connection, length: count, data: string) &priority=-5 - { - if ( c$mime$extract_file && c$mime?$extraction_file ) - print c$mime$extraction_file, data; - } - -event mime_end_entity(c: connection) &priority=-3 - { - # TODO: this check is only due to a bug in mime_end_entity that - # causes the event to be generated twice for the same real event. - if ( ! c?$mime ) - return; - - if ( c$mime?$extraction_file ) - close(c$mime$extraction_file); - } - 
diff --git a/scripts/base/protocols/mime/file-hash.bro b/scripts/base/protocols/mime/file-hash.bro
deleted file mode 100644
index e50f16fed4..0000000000
--- a/scripts/base/protocols/mime/file-hash.bro
+++ /dev/null
@@ -1,79 +0,0 @@ -@load ./file-ident -@load base/frameworks/notice - -module MIME; - -export { - redef enum Notice::Type += { - ## Indicates that an MD5 sum was calculated for a MIME message. - MD5, - }; - - redef record Info += { - ## The calculated MD5 sum for the MIME entity. - md5: string &log &optional; - - ## Optionally calculate the file's MD5 sum. Must be set prior to the - ## first data chunk being see in an event. - calc_md5: bool &default=F; - - ## This boolean value indicates if an MD5 sum is being calculated - ## for the current file transfer. - calculating_md5: bool &default=F; - }; - - ## Generate MD5 sums for these filetypes. - const generate_md5 = /application\/x-dosexec/ # Windows and DOS executables - | /application\/x-executable/ # *NIX executable binary - &redef; -} - -event mime_segment_data(c: connection, length: count, data: string) &priority=-5 - { - if ( ! c?$mime ) return; - - if ( c$mime$content_len == 0 ) - { - if ( generate_md5 in c$mime$mime_type ) - c$mime$calc_md5 = T; - - if ( c$mime$calc_md5 ) - { - c$mime$calculating_md5 = T; - md5_hash_init(c$id); - } - } - - if ( c$mime$calculating_md5 ) - md5_hash_update(c$id, data); - } - -## In the event of a content gap during the MIME transfer, detect the state for -## the MD5 sum calculation and stop calculating the MD5 since it would be -## incorrect anyway. -event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5 - { - if ( is_orig || ! c?$mime ) return; - - if ( c$mime$calculating_md5 ) - { - c$mime$calculating_md5 = F; - md5_hash_finish(c$id); - } - } - -event mime_end_entity(c: connection) &priority=-3 - { - # TODO: this check is only due to a bug in mime_end_entity that - # causes the event to be generated twice for the same real event. - if ( ! 
c?$mime ) - return; - - if ( c$mime$calculating_md5 ) - { - c$mime$md5 = md5_hash_finish(c$id); - - NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h), - $sub=c$mime$md5, $conn=c]); - } - } diff --git a/scripts/base/protocols/mime/file-ident.bro b/scripts/base/protocols/mime/file-ident.bro deleted file mode 100644 index 932085cd1a..0000000000 --- a/scripts/base/protocols/mime/file-ident.bro +++ /dev/null @@ -1,16 +0,0 @@ -@load ./main - -module MIME; - -export { - redef record Info += { - ## Sniffed MIME type for the transfer. - mime_type: string &log &optional; - }; -} - -event mime_segment_data(c: connection, length: count, data: string) &priority=7 - { - if ( c$mime$content_len == 0 ) - c$mime$mime_type = split1(identify_data(data, T), /;/)[1]; - } diff --git a/scripts/base/protocols/mime/main.bro b/scripts/base/protocols/mime/main.bro deleted file mode 100644 index df495387d7..0000000000 --- a/scripts/base/protocols/mime/main.bro +++ /dev/null 
@@ -1,101 +0,0 @@ -##! The mime script does analysis of MIME encoded messages seen in certain -##! protocols (only SMTP and POP3 at the moment). - -@load base/utils/strings - -module MIME; - -export { - redef enum Log::ID += { MIME }; - - # Let's assume for now that nothing transferring files using - # MIME attachments is multiplexing for simplicity's sake. - # We can make the assumption that one connection == one file (at a time) - - type Info: record { - ## This is the timestamp of when the MIME content transfer began. - ts: time &log; - uid: string &log; - id: conn_id &log; - ## The application layer protocol over which the transfer was seen. - app_protocol: string &log &optional; - ## The filename seen in the Content-Disposition header. - filename: string &log &optional; - ## Track how many byte of the MIME encoded file have been seen. - content_len: count &log &default=0; - }; - - type State: record { - ## Track the number of MIME encoded files transferred during this session. - level: count &default=0; - }; - - global log_mime: event(rec: Info); -} - -redef record connection += { - mime: Info &optional; - mime_state: State &optional; -}; - -event bro_init() - { - Log::create_stream(MIME, [$columns=Info, $ev=log_mime]); - } - -function new_mime_session(c: connection): Info - { - local info: Info; - - info$ts=network_time(); - info$uid=c$uid; - info$id=c$id; - return info; - } - -function set_session(c: connection, new_entity: bool) - { - if ( ! c?$mime_state ) - c$mime_state = []; - - if ( ! c?$mime || new_entity ) - c$mime = new_mime_session(c); - } - -event mime_begin_entity(c: connection) &priority=10 - { - set_session(c, T); - - ++c$mime_state$level; - - if ( |c$service| > 0 ) - c$mime$app_protocol = join_string_set(c$service, ","); - } - -# This has priority -10 because other handlers need to know the current -# content_len before it's updated by this handler. 
-event mime_segment_data(c: connection, length: count, data: string) &priority=-10 - { - c$mime$content_len = c$mime$content_len + length; - } - -event mime_one_header(c: connection, h: mime_header_rec) - { - if ( h$name == "CONTENT-DISPOSITION" && - /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value ) - c$mime$filename = sub(h$value, /^.*[fF][iI][lL][eE][nN][aA][mM][eE]=/, ""); - } - -event mime_end_entity(c: connection) &priority=-5 - { - # This check and the delete below are just to cope with a bug where - # mime_end_entity can be generated multiple times for the same event. - if ( ! c?$mime ) - return; - - # Don't log anything if there wasn't any content. - if ( c$mime$content_len > 0 ) - Log::write(MIME, c$mime); - - delete c$mime; - } diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro index 4296488ec7..e2bb40b7aa 100644 --- a/scripts/base/protocols/smtp/entities.bro +++ b/scripts/base/protocols/smtp/entities.bro @@ -12,7 +12,7 @@ export { MD5, }; - redef enum Log::ID += { SMTP_ENTITIES }; + redef enum Log::ID += { ENTITIES_LOG }; type EntityInfo: record { ## This is the timestamp of when the MIME content transfer began. @@ -74,7 +74,7 @@ export { event bro_init() &priority=5 { - Log::create_stream(SMTP_ENTITIES, [$columns=EntityInfo, $ev=log_mime]); + Log::create_stream(SMTP::ENTITIES_LOG, [$columns=EntityInfo, $ev=log_mime]); } function set_session(c: connection, new_entity: bool) @@ -185,7 +185,7 @@ event mime_end_entity(c: connection) &priority=-5 # Only log is there was some content. if ( c$smtp$current_entity$content_len > 0 ) - Log::write(SMTP_ENTITIES, c$smtp$current_entity); + Log::write(SMTP::ENTITIES_LOG, c$smtp$current_entity); delete c$smtp$current_entity; } diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 20b9f63a94..23ea24704e 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro 
@@ -5,7 +5,7 @@ module SMTP; export { - redef enum Log::ID += { SMTP }; + redef enum Log::ID += { LOG }; type Info: record { ts: time &log; @@ -73,7 +73,7 @@ redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; event bro_init() &priority=5 { - Log::create_stream(SMTP, [$columns=SMTP::Info, $ev=log_smtp]); + Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]); } function find_address_in_smtp_header(header: string): string @@ -119,7 +119,7 @@ function set_smtp_session(c: connection) function smtp_message(c: connection) { if ( c$smtp$has_client_activity ) - Log::write(SMTP, c$smtp); + Log::write(SMTP::LOG, c$smtp); } event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5 diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index cfed7451ff..09fcb463d0 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -14,7 +14,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## This indicates that a heuristically detected "successful" SSH @@ -79,7 +79,7 @@ redef record connection += { event bro_init() &priority=5 { - Log::create_stream(SSH, [$columns=Info, $ev=log_ssh]); + Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); } function set_session(c: connection) @@ -149,11 +149,11 @@ event SSH::heuristic_successful_login(c: connection) &priority=-5 $msg="Heuristically detected successful SSH login.", $conn=c]); - Log::write(SSH, c$ssh); + Log::write(SSH::LOG, c$ssh); } event SSH::heuristic_failed_login(c: connection) &priority=-5 { - Log::write(SSH, c$ssh); + Log::write(SSH::LOG, c$ssh); } event connection_state_remove(c: connection) &priority=-5 diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 156d4dc62b..f2e1605aab 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -4,7 +4,7 @@ module SSL; export { - redef enum Log::ID += { SSL }; + redef enum Log::ID += { LOG }; redef enum Notice::Type += { Self_Signed_Cert @@ -43,7 +43,7 @@ redef record connection += { event bro_init() &priority=5 { - Log::create_stream(SSL, [$columns=Info, $ev=log_ssl]); + Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); } redef capture_filters += { @@ -117,6 +117,6 @@ event ssl_established(c: connection) &priority=-5 { set_session(c); - Log::write(SSL, c$ssl); + Log::write(SSL::LOG, c$ssl); } diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index c514556975..41d3794796 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -5,7 +5,7 @@ module Syslog; export { - redef enum Log::ID += { SYSLOG }; + redef enum Log::ID += { LOG }; type Info: record { ts: time &log; @@ -29,7 +29,7 @@ redef record connection += { event bro_init() &priority=5 { - Log::create_stream(SYSLOG, [$columns=Info]); + Log::create_stream(Syslog::LOG, [$columns=Info]); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 @@ -48,5 +48,5 @@ event syslog_message(c: connection, facility: count, severity: count, msg: strin event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5 { - Log::write(SYSLOG, c$syslog); + Log::write(Syslog::LOG, c$syslog); } diff --git a/scripts/policy/integration/barnyard2/main.bro b/scripts/policy/integration/barnyard2/main.bro index f8ba48dd99..c2f1c790d3 100644 --- a/scripts/policy/integration/barnyard2/main.bro +++ b/scripts/policy/integration/barnyard2/main.bro @@ -7,7 +7,7 @@ module Barnyard2; export { - redef enum Log::ID += { BARNYARD2 }; + redef enum Log::ID += { LOG }; type Info: record { ts: time &log; 
@@ -21,9 +21,9 @@ export { global pid2cid: function(p: PacketID): conn_id; } -event bro_init() +event bro_init() &priority=5 { - Log::create_stream(BARNYARD2, [$columns=Info]); + Log::create_stream(Barnyard2::LOG, [$columns=Info]); } @@ -34,7 +34,7 @@ function pid2cid(p: PacketID): conn_id event barnyard_alert(id: PacketID, alert: AlertData, msg: string, data: string) { - Log::write(BARNYARD2, [$ts=network_time(), $pid=id, $alert=alert]); + Log::write(Barnyard2::LOG, [$ts=network_time(), $pid=id, $alert=alert]); #local proto_connection_string: string; #if ( id$src_p == 0/tcp ) diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro index 2077e6c99a..77aea3dc4f 100644 --- a/scripts/policy/misc/loaded-scripts.bro +++ b/scripts/policy/misc/loaded-scripts.bro @@ -1,7 +1,7 @@ module LoadedScripts; export { - redef enum Log::ID += { LOADED_SCRIPTS }; + redef enum Log::ID += { LOG }; type Info: record { depth: count &log; @@ -11,10 +11,10 @@ export { event bro_init() { - Log::create_stream(LOADED_SCRIPTS, [$columns=Info]); + Log::create_stream(LoadedScripts::LOG, [$columns=Info]); } event bro_script_loaded(path: string, level: count) { - Log::write(LOADED_SCRIPTS, [$depth=level, $name=path]); + Log::write(LoadedScripts::LOG, [$depth=level, $name=path]); } \ No newline at end of file diff --git a/scripts/policy/misc/pf-ring-load-balancing.bro b/scripts/policy/misc/pf-ring-load-balancing.bro new file mode 100644 index 0000000000..eb0540ec0f --- /dev/null +++ b/scripts/policy/misc/pf-ring-load-balancing.bro 
@@ -0,0 +1,22 @@ +##! This script adds the necessary environment variables for Bro to make use +##! of PF_RING's clustering (and load balancing) support through the libpcap +##! wrapper. + +module PFRing; + +export { + ## Define the pf_ring cluster ID that you would like this instance + ## of Bro to use. Please set a value from 0 to 255 + const cluster_id = 150 &redef; +} + + +event bro_init() &priority=10 + { + if ( cluster_id > 255 || cluster_id < 0 ) + Reporter::fatal(fmt("%d is an invalid value for PFRing::cluster_id", cluster_id)); + + if ( ! setenv("PCAP_PF_RING_USE_CLUSTER_PER_FLOW", "1") || + ! setenv("PCAP_PF_RING_CLUSTER_ID", fmt("%d", cluster_id)) ) + Reporter::fatal("Unable to set one or both of the PF_RING environment variables."); + } diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro index 6fc59d4d15..b88803092b 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -5,10 +5,10 @@ @load base/utils/directions-and-hosts -module KnownHosts; +module Known; export { - redef enum Log::ID += { KNOWN_HOSTS }; + redef enum Log::ID += { HOSTS_LOG }; type Info: record { ## The timestamp at which the host was detected. @@ -20,7 +20,7 @@ export { ## The hosts whose existence should be logged and tracked. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS - const asset_tracking = LOCAL_HOSTS &redef; + const host_tracking = LOCAL_HOSTS &redef; ## The set of all known addresses to store for preventing duplicate ## logging of addresses. It can also be used from other scripts to @@ -34,7 +34,7 @@ export { event bro_init() { - Log::create_stream(KNOWN_HOSTS, [$columns=Info, $ev=log_known_hosts]); + Log::create_stream(Known::HOSTS_LOG, [$columns=Info, $ev=log_known_hosts]); } event connection_established(c: connection) &priority=5 
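Review bot: The range check `if ( cluster_id > 255 || cluster_id < 0 )` in the new `bro_init` handler has a half that can never fire if `cluster_id` is inferred as `count` from the literal `150`: an unsigned value cannot be negative, and a `redef` to a negative literal would be rejected at parse time instead of reaching this test. The check can be reduced to `if ( cluster_id > 255 )`, and the doc comment on the constant should say the value is a count in 0..255 so nobody expects the negative case to be caught here. Whether setting `PCAP_PF_RING_CLUSTER_ID` from `bro_init` at priority 10 is early enough for the libpcap wrapper to see it before the capture interface is opened is not visible in this hunk; a comment on the handler explaining why that priority was chosen would document the assumption.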
@@ -43,10 +43,10 @@ event connection_established(c: connection) &priority=5 for ( host in set(id$orig_h, id$resp_h) ) { - if ( host !in known_hosts && addr_matches_host(host, asset_tracking) ) + if ( host !in known_hosts && addr_matches_host(host, host_tracking) ) { add known_hosts[host]; - Log::write(KNOWN_HOSTS, [$ts=network_time(), $host=host]); + Log::write(Known::HOSTS_LOG, [$ts=network_time(), $host=host]); } } } diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index 3676cbb05b..843c8bbfa1 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -5,9 +5,9 @@ @load base/utils/directions-and-hosts -module KnownServices; +module Known; -redef enum Log::ID += { KNOWN_SERVICES }; +redef enum Log::ID += { SERVICES_LOG }; export { type Info: record { @@ -21,7 +21,7 @@ export { }; ## The hosts whose services should be tracked and logged. - const asset_tracking = LOCAL_HOSTS &redef; + const service_tracking = LOCAL_HOSTS &redef; global known_services: set[addr, port] &create_expire=1day &synchronized; @@ -35,8 +35,8 @@ redef record connection += { event bro_init() { - Log::create_stream(KNOWN_SERVICES, [$columns=Info, - $ev=log_known_services]); + Log::create_stream(Known::SERVICES_LOG, [$columns=Info, + $ev=log_known_services]); } function known_services_done(c: connection) @@ -44,7 +44,7 @@ function known_services_done(c: connection) local id = c$id; if ( ! c$known_services_done && get_port_transport_proto(id$resp_p) == tcp && - addr_matches_host(id$resp_h, asset_tracking) && + addr_matches_host(id$resp_h, service_tracking) && [id$resp_h, id$resp_p] !in known_services && "ftp-data" !in c$service ) # don't include ftp data sessions { 
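Review bot: The renamed `redef enum Log::ID += { SERVICES_LOG };` in the known-services.bro hunk stays outside the `export { ... }` block, while the sibling known-hosts.bro and known-certs.bro hunks in this commit declare `HOSTS_LOG` and `CERTS_LOG` inside `export`. Now that all three files share `module Known`, the three stream identifiers should be declared the same way; presumably a non-exported enum value is not reachable as `Known::SERVICES_LOG` from other scripts, so moving the `redef` line into the `export` block is the safe choice and matches the other two files.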
@@ -56,7 +56,7 @@ function known_services_done(c: connection) i$service=c$service; add known_services[id$resp_h, id$resp_p]; - Log::write(KNOWN_SERVICES, i); + Log::write(Known::SERVICES_LOG, i); c$known_services_done = T; } } diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro index 8e85b8db97..4635b17a83 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro @@ -25,11 +25,13 @@ event log_smtp(rec: Info) ip = rec$x_originating_ip; loc = lookup_location(ip); - if ( loc$country_code in suspicious_origination_countries || + if ( (loc?$country_code && + loc$country_code in suspicious_origination_countries) || ip in suspicious_origination_networks ) { NOTICE([$note=Suspicious_Origination, - $msg=fmt("An email originated from %s (%s).", loc$country_code, ip), + $msg=fmt("An email originated from %s (%s).", + loc?$country_code ? loc$country_code : "", ip), $id=rec$id]); } } @@ -38,11 +40,12 @@ event log_smtp(rec: Info) ip = rec$path[|rec$path|-1]; loc = lookup_location(ip); - if ( loc$country_code in suspicious_origination_countries || + if ( (loc?$country_code && + loc$country_code in suspicious_origination_countries) || ip in suspicious_origination_networks ) { NOTICE([$note=Suspicious_Origination, - $msg=fmt("Based up Received headers, email originated from %s (%s).", loc$country_code, ip), + $msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip), $id=rec$id]); } } diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro index 4dfd8bbae4..1ac38e5a5b 100644 --- a/scripts/policy/protocols/ssh/geo-data.bro +++ b/scripts/policy/protocols/ssh/geo-data.bro 
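Review bot: The rewritten `$msg` in both `log_smtp` hunks substitutes `""` when `loc?$country_code` is false, so the notice text becomes `An email originated from  (<ip>).` whenever the match came from `suspicious_origination_networks` rather than the country list, which is exactly the case the added guard makes reachable. A placeholder such as `loc?$country_code ? loc$country_code : "unknown"` keeps the message readable in notice.log and avoids the double space. The second message also carries over the pre-existing typo `"Based up Received headers, ..."`, which should read `"Based on Received headers, ..."`. The `log_smtp` handler starts and ends outside these hunks.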
@@ -33,7 +33,7 @@ event SSH::heuristic_successful_login(c: connection) &priority=5 # Add the location data to the SSH record. c$ssh$remote_location = location; - if ( location$country_code in watched_countries ) + if ( location?$country_code && location$country_code in watched_countries ) { NOTICE([$note=Login_From_Watched_Country, $conn=c, diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index 7bff4bbf38..9a6dfbcd44 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -1,9 +1,9 @@ @load base/utils/directions-and-hosts -module KnownCerts; +module Known; export { - redef enum Log::ID += { KNOWN_CERTS }; + redef enum Log::ID += { CERTS_LOG }; type Info: record { ## The timestamp when the certificate was detected. @@ -23,7 +23,7 @@ export { ## The certificates whose existence should be logged and tracked. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS - const asset_tracking = LOCAL_HOSTS &redef; + const cert_tracking = LOCAL_HOSTS &redef; ## The set of all known certificates to store for preventing duplicate ## logging. It can also be used from other scripts to @@ -36,7 +36,7 @@ export { event bro_init() { - Log::create_stream(KNOWN_CERTS, [$columns=Info, $ev=log_known_certs]); + Log::create_stream(Known::CERTS_LOG, [$columns=Info, $ev=log_known_certs]); } event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) 
@@ -47,12 +47,12 @@ event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: co if ( chain_idx != 0 ) return; local host = c$id$resp_h; - if ( [host, cert$serial] !in known_certs && addr_matches_host(host, asset_tracking) ) + if ( [host, cert$serial] !in known_certs && addr_matches_host(host, cert_tracking) ) { add known_certs[host, cert$serial]; - Log::write(KNOWN_CERTS, [$ts=network_time(), $host=host, - $port_num=c$id$resp_p, $subject=cert$subject, - $issuer_subject=cert$issuer, - $serial=cert$serial]); + Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, + $port_num=c$id$resp_p, $subject=cert$subject, + $issuer_subject=cert$issuer, + $serial=cert$serial]); } } diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.bro index 082f40d4d8..b00dc8ad40 100644 --- a/scripts/policy/tuning/track-all-assets.bro +++ b/scripts/policy/tuning/track-all-assets.bro @@ -3,7 +3,7 @@ @load protocols/conn/known-services @load protocols/ssl/known-certs -redef Software::asset_tracking = ALL_HOSTS; -redef KnownHosts::asset_tracking = ALL_HOSTS; -redef KnownServices::asset_tracking = ALL_HOSTS; -redef KnownCerts::asset_tracking = ALL_HOSTS; +redef Software::asset_tracking = ALL_HOSTS; +redef Known::host_tracking = ALL_HOSTS; +redef Known::service_tracking = ALL_HOSTS; +redef Known::cert_tracking = ALL_HOSTS; diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 0bbced32db..a6cd823e56 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -107,10 +107,10 @@ macro(BIF_TARGET bifInput) add_custom_command(OUTPUT ${bifOutputs} COMMAND bifcl ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1) - # in order be able to run bro from the build directory, + # In order be able to run bro from the build directory, # the generated bro script needs to be inside a # a directory tree named the same way it will be - # referenced from an @load + # referenced from an @load. COMMAND "${CMAKE_COMMAND}" ARGS -E copy ${bifInput}.bro base/${bifInput}.bro COMMAND "${CMAKE_COMMAND}" diff --git a/src/Expr.cc b/src/Expr.cc index dc47340ccd..cc93c47be0 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3971,12 +3971,18 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r) if ( ! same_type(sup_t_i, sub_t_i) ) { - char buf[512]; - safe_snprintf(buf, sizeof(buf), - "type clash for field \"%s\"", sub_r->FieldName(i)); - Error(buf, sub_t_i); - SetError(); - break; + if ( sup_t_i->Tag() != TYPE_RECORD || + sub_t_i->Tag() != TYPE_RECORD || + ! record_promotion_compatible(sup_t_i->AsRecordType(), + sub_t_i->AsRecordType()) ) + { + char buf[512]; + safe_snprintf(buf, sizeof(buf), + "type clash for field \"%s\"", sub_r->FieldName(i)); + Error(buf, sub_t_i); + SetError(); + break; + } } map[t_i] = i; @@ -4024,6 +4030,24 @@ Val* RecordCoerceExpr::Fold(Val* v) const rhs = rhs->Ref(); assert(rhs || Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_OPTIONAL)); + + BroType* rhs_type = rhs->Type(); + RecordType* val_type = val->Type()->AsRecordType(); + BroType* field_type = val_type->FieldType(i); + + if ( rhs_type->Tag() == TYPE_RECORD && + field_type->Tag() == TYPE_RECORD && + ! same_type(rhs_type, field_type) ) + { + Val* new_val = rhs->AsRecordVal()->CoerceTo( + field_type->AsRecordType()); + if ( new_val ) + { + Unref(rhs); + rhs = new_val; + } + } + val->Assign(i, rhs); } else diff --git a/src/HTTP.h b/src/HTTP.h index 4d621fa526..7512f368a9 100644 --- a/src/HTTP.h +++ b/src/HTTP.h 
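Review bot: `BroType* rhs_type = rhs->Type();` dereferences `rhs` unconditionally, yet the context line just above it, `assert(rhs || Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_OPTIONAL))`, documents that `rhs` is legitimately null when the source field is an absent optional; in that case the new nested-record coercion crashes, and in an `NDEBUG` build the assert does not even fire first. Wrap the new block in `if ( rhs ) { ... }` before reading its type, leaving the existing `val->Assign(i, rhs)` unchanged so absent optionals are still propagated as before. `RecordCoerceExpr::Fold` starts and ends outside this hunk.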
@@ -180,7 +180,10 @@ public: { return new HTTP_Analyzer(conn); } static bool Available() - { return (http_request || http_reply) && !FLAGS_use_binpac; } + { return (http_request || http_reply || http_header || + http_all_headers || http_begin_entity || http_end_entity || + http_content_type || http_entity_data || http_message_done || + http_event || http_stats) && !FLAGS_use_binpac; } int IsConnectionClose() { return connection_close; } diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc index c537587d6a..04c90715fb 100644 --- a/src/LogWriterAscii.cc +++ b/src/LogWriterAscii.cc @@ -6,6 +6,27 @@ #include "LogWriterAscii.h" #include "NetVar.h" +/** + * Takes a string, escapes each character into its equivalent hex code (\x##), and + * returns a string containing all escaped values. + * + * @param str string to escape + * @return A std::string containing a list of escaped hex values of the form \x## + */ +static string get_escaped_string(const std::string& str) +{ + char tbuf[16]; + string esc = ""; + + for ( size_t i = 0; i < str.length(); ++i ) + { + snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]); + esc += tbuf; + } + + return esc; +} + LogWriterAscii::LogWriterAscii() { file = 0; @@ -52,6 +73,14 @@ LogWriterAscii::~LogWriterAscii() delete [] header_prefix; } +bool LogWriterAscii::WriteHeaderField(const string& key, const string& val) + { + string str = string(header_prefix, header_prefix_len) + + key + string(separator, separator_len) + val + "\n"; + + return (fwrite(str.c_str(), str.length(), 1, file) == 1); + } + bool LogWriterAscii::DoInit(string path, int num_fields, const LogField* const * fields) { 
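Review bot: `snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i])` in `get_escaped_string` passes a plain `char` to `%02x`; where `char` is signed, any byte >= 0x80 is sign-extended during integer promotion and prints as `\xffffffe9` rather than `\xe9`, so a non-ASCII separator would yield a `#separator` header line that does not round-trip. Cast before formatting: `snprintf(tbuf, sizeof(tbuf), "\\x%02x", (unsigned char) str[i]);`. The 16-byte `tbuf` is then also comfortably sized for the four characters actually produced.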
@@ -70,22 +99,35 @@ bool LogWriterAscii::DoInit(string path, int num_fields, if ( include_header ) { - if ( fwrite(header_prefix, header_prefix_len, 1, file) != 1 ) + string str = string(header_prefix, header_prefix_len) + + "separator " // Always use space as separator here. + + get_escaped_string(string(separator, separator_len)) + + "\n"; + + if( fwrite(str.c_str(), str.length(), 1, file) != 1 ) goto write_error; - for ( int i = 0; i < num_fields; i++ ) + if ( ! WriteHeaderField("path", path) ) + goto write_error; + + string names; + string types; + + for ( int i = 0; i < num_fields; ++i ) { - if ( i > 0 && - fwrite(separator, separator_len, 1, file) != 1 ) - goto write_error; + if ( i > 0 ) + { + names += string(separator, separator_len); + types += string(separator, separator_len); + } const LogField* field = fields[i]; - - if ( fputs(field->name.c_str(), file) == EOF ) - goto write_error; + names += field->name; + types += type_name(field->type); } - if ( fputc('\n', file) == EOF ) + if ( ! (WriteHeaderField("fields", names) + && WriteHeaderField("types", types)) ) goto write_error; } @@ -141,13 +183,13 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field) break; case TYPE_TIME: + case TYPE_INTERVAL: char buf[32]; snprintf(buf, sizeof(buf), "%.6f", val->val.double_val); desc->Add(buf); break; case TYPE_DOUBLE: - case TYPE_INTERVAL: desc->Add(val->val.double_val); break; @@ -216,6 +258,9 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field) bool LogWriterAscii::DoWrite(int num_fields, const LogField* const * fields, LogVal** vals) { + if ( ! file ) + DoInit(Path(), NumFields(), Fields()); + ODesc desc(DESC_READABLE); desc.SetEscape(separator, separator_len); 
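Review bot: The lazy re-open added at the top of `DoWrite` discards the boolean result of `DoInit`, so if re-creating the log after rotation fails, `file` presumably stays null and the write that follows (outside this hunk) runs against a null `FILE*`. Propagate the failure instead: `if ( ! file && ! DoInit(Path(), NumFields(), Fields()) ) return false;`. Any other entry point that can now be reached with `file == 0` after `DoRotate` clears it — `DoSetBuf` is declared just below but its body is not visible — needs the same guard.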
@@ -245,19 +290,23 @@ bool LogWriterAscii::DoWrite(int num_fields, const LogField* const * fields, bool LogWriterAscii::DoRotate(string rotated_path, double open, double close, bool terminating) { - if ( IsSpecial(Path()) ) - // Don't rotate special files. + // Don't rotate special files or if there's not one currently open. + if ( ! file || IsSpecial(Path()) ) return true; fclose(file); + file = 0; string nname = rotated_path + ".log"; rename(fname.c_str(), nname.c_str()); if ( ! FinishedRotation(nname, fname, open, close, terminating) ) + { Error(Fmt("error rotating %s to %s", fname.c_str(), nname.c_str())); + return false; + } - return DoInit(Path(), NumFields(), Fields()); + return true; } bool LogWriterAscii::DoSetBuf(bool enabled) diff --git a/src/LogWriterAscii.h b/src/LogWriterAscii.h index cceb685ff9..403767d589 100644 --- a/src/LogWriterAscii.h +++ b/src/LogWriterAscii.h @@ -28,6 +28,7 @@ protected: private: bool IsSpecial(string path) { return path.find("/dev/") == 0; } bool DoWriteOne(ODesc* desc, LogVal* val, const LogField* field); + bool WriteHeaderField(const string& key, const string& value); FILE* file; string fname; diff --git a/src/Net.h b/src/Net.h index 337e50720f..3569e85336 100644 --- a/src/Net.h +++ b/src/Net.h @@ -75,6 +75,9 @@ extern bool terminating; // True if the remote serializer is to be activated. extern bool using_communication; +// Snaplen passed to libpcap. +extern int snaplen; + extern const struct pcap_pkthdr* current_hdr; extern const u_char* current_pkt; extern int current_dispatched; diff --git a/src/PktSrc.cc b/src/PktSrc.cc index 23391c1ffa..c3f47d651f 100644 --- a/src/PktSrc.cc +++ b/src/PktSrc.cc @@ -19,9 +19,6 @@ #include #endif -int snaplen = 8192; // really want "capture entire packet" - - PktSrc::PktSrc() { interface = readfile = 0; 
@@ -492,7 +489,7 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter, // Couldn't get header size. return; - reporter->Info("listening on %s\n", interface); + reporter->Info("listening on %s, capture length %d bytes\n", interface, snaplen); } else closed = true; diff --git a/src/Reporter.cc b/src/Reporter.cc index 053d6370d7..b3dfe9765d 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -121,7 +121,7 @@ void Reporter::Syslog(const char* fmt, ...) va_end(ap); } -void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* name, const char* addl, ...) +void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) { val_list* vl = new val_list(1); @@ -132,22 +132,22 @@ void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* nam vl->append(new StringVal(addl)); va_list ap; - va_start(ap, addl); - DoLog("weird", event, stderr, 0, vl, false, false, name, ap); + va_start(ap, fmt_name); + DoLog("weird", event, stderr, 0, vl, false, false, fmt_name, ap); va_end(ap); delete vl; } -void Reporter::WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* name, ...) +void Reporter::WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...) { val_list* vl = new val_list(2); vl->append(new AddrVal(orig)); vl->append(new AddrVal(resp)); va_list ap; - va_start(ap, name); - DoLog("weird", flow_weird, stderr, 0, vl, false, false, name, ap); + va_start(ap, fmt_name); + DoLog("weird", flow_weird, stderr, 0, vl, false, false, fmt_name, ap); va_end(ap); delete vl; 
@@ -155,22 +155,22 @@ void Reporter::WeirdFlowHelper(const uint32* orig, const uint32* resp, const cha void Reporter::Weird(const char* name) { - WeirdHelper(net_weird, 0, name, 0); + WeirdHelper(net_weird, 0, 0, name); } void Reporter::Weird(Connection* conn, const char* name, const char* addl) { - WeirdHelper(conn_weird, conn->BuildConnVal(), name, addl); + WeirdHelper(conn_weird, conn->BuildConnVal(), addl, "%s", name); } void Reporter::Weird(Val* conn_val, const char* name, const char* addl) { - WeirdHelper(conn_weird, conn_val, name, addl); + WeirdHelper(conn_weird, conn_val, addl, "%s", name); } void Reporter::Weird(const uint32* orig, const uint32* resp, const char* name) { - WeirdFlowHelper(orig, resp, name); + WeirdFlowHelper(orig, resp, "%s", name); } void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, const char* fmt, va_list ap) diff --git a/src/Reporter.h b/src/Reporter.h index bc919d3908..d0fc66299b 100644 --- a/src/Reporter.h +++ b/src/Reporter.h @@ -89,8 +89,10 @@ public: private: void DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, const char* fmt, va_list ap); - void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* name, const char* addl, ...); - void WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* name, ...); + // The order if addl, name needs to be like that since fmt_name can + // contain format specifiers + void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...); + void WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...); int errors; bool via_events; diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc index ec1fd206f6..db9a7004d6 100644 --- a/src/SSL-binpac.cc +++ b/src/SSL-binpac.cc 
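Review bot: `Reporter::Weird(const char* name)` still forwards `name` as the format string — `WeirdHelper(net_weird, 0, 0, name)` — while the other three overloads in this hunk were changed to pass `"%s", name`. A weird name containing `%` (the Reporter.h comment explicitly says `fmt_name` may carry format specifiers, and nothing here stops a caller from building the name from protocol data) is then interpreted by the varargs formatter with no arguments supplied, which is the same class of crash this commit sets out to fix. Make it consistent: `WeirdHelper(net_weird, 0, 0, "%s", name);`.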
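Review bot: The new comment on `WeirdHelper` reads "The order if addl, name needs to be like that", which should be "order of", and it explains the cause obliquely rather than stating the contract. Suggest replacing it with `// addl precedes fmt_name so the varargs after fmt_name are its format arguments; a name that is not a trusted literal must be passed as "%s", name.`, which also tells future callers how to avoid the format-string bug being fixed here.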
@@ -7,6 +7,7 @@ SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c) : TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c) { interp = new binpac::SSL::SSL_Conn(this); + had_gap = false; } SSL_Analyzer_binpac::~SSL_Analyzer_binpac() @@ -37,11 +38,24 @@ void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig) if ( TCP()->IsPartial() ) return; - interp->NewData(orig, data, data + len); + if ( had_gap ) + // XXX: If only one side had a content gap, we could still try to + // deliver data to the other side if the script layer can handle this. + return; + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } } void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig) { TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + had_gap = true; interp->NewGap(orig, len); } diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h index 7d0c8d3939..8dab19d00c 100644 --- a/src/SSL-binpac.h +++ b/src/SSL-binpac.h @@ -30,6 +30,7 @@ public: protected: binpac::SSL::SSL_Conn* interp; + bool had_gap; }; diff --git a/src/Val.cc b/src/Val.cc index 2f4f6d2850..a7dba04550 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -3104,10 +3104,6 @@ void EnumVal::ValDescribe(ODesc* d) const if ( ! ename ) ename = ""; - const char* module_offset = strstr(ename, "::"); - if ( module_offset ) - ename = module_offset + 2; - d->Add(ename); } diff --git a/src/bro.bif b/src/bro.bif index e4d0f2092b..7dd1d1705a 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -791,6 +791,16 @@ function getenv%(var: string%): string return new StringVal(env_val); %} +function setenv%(var: string, val: string%): bool + %{ + int result = setenv(var->AsString()->CheckString(), + val->AsString()->CheckString(), 1); + + if ( result < 0 ) + return new Val(0, TYPE_BOOL); + return new Val(1, TYPE_BOOL); + %} + function sqrt%(x: double%): double %{ if ( x < 0 ) 
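Review bot: The new `bool had_gap;` member in SSL-binpac.h has no comment, and its effect is non-obvious: once `Undelivered` sets it for either direction, `DeliverStream` drops all further data for the whole connection, as the `XXX` remark in the .cc acknowledges. Suggest `// Set once either direction saw a content gap; DeliverStream then stops feeding the binpac parser for the rest of the connection.` next to the declaration. Whether the analyzer should likewise stop after a caught `binpac::Exception` — the catch block reports a `ProtocolViolation` but the next `DeliverStream` resumes `interp->NewData` on a parser that just threw — is worth a one-line comment either way.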
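Review bot: The new `setenv` BIF has no `##` doc comment, unlike `bro_version` added later in this change, and it mutates process-wide state that every child process Bro later spawns inherits, which a script author should be told. Suggest `## Sets environment variable var to val, overwriting any existing value. The change is process-wide and inherited by child processes started afterwards. Returns F if setenv(3) fails, e.g. for an empty name or one containing '='.` The `result < 0` test matches setenv(3), which returns -1 on failure.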
@@ -3019,6 +3029,20 @@ function syslog%(s: string%): any extern "C" { #include } + +static GeoIP* open_geoip_db(GeoIPDBTypes type) + { + GeoIP* geoip = 0; + + if ( GeoIP_db_avail(type) ) + geoip = GeoIP_open_type(type, GEOIP_MEMORY_CACHE); + + if ( ! geoip ) + reporter->Warning("Failed to open GeoIP database: %s", + GeoIPDBFileName[type]); + return geoip; + } + #endif %%} 
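Review bot: `open_geoip_db` emits `reporter->Warning("Failed to open GeoIP database: ...")` whenever the requested edition is unavailable, yet `lookup_location` (next hunk) calls it first for the City edition and only then falls back to Country, so an installation with only the Country database gets a failure warning followed by the "Fell back" warning on every first lookup. Either return quietly and let the caller warn once the final outcome is known, or document the helper so the noise is deliberate: `// Open one GeoIP edition if libGeoIP reports it available; returns 0 after a warning otherwise. Callers probing several editions will see one warning per miss.`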
@@ -3028,86 +3052,112 @@ function lookup_location%(a: addr%) : geo_location RecordVal* location = new RecordVal(geo_location); #ifdef USE_GEOIP + static bool geoip_initialized = false; static GeoIP* geoip = 0; static GeoIP* geoip_v6 = 0; - static bool geoip_initialized = false; + static bool have_city_db = false; + static bool have_cityv6_db = false; GeoIPRecord* gir = 0; + const char* cc = 0; if ( ! geoip_initialized ) { geoip_initialized = true; - geoip = GeoIP_open_type(GEOIP_CITY_EDITION_REV0, - GEOIP_MEMORY_CACHE); + geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0); + if ( ! geoip ) { - builtin_error("can't initialize GeoIP City database.. trying Country version"); - geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION, - GEOIP_MEMORY_CACHE); + geoip = open_geoip_db(GEOIP_COUNTRY_EDITION); if ( ! geoip ) - builtin_error("can't initialize GeoIP Country database"); + builtin_error("Can't initialize GeoIP City/Country database"); + else + reporter->Warning("Fell back to GeoIP Country database"); } + else + have_city_db = true; #ifdef BROv6 -#ifdef GEOIP_COUNTRY_EDITION_V6 - geoip_v6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6, - GEOIP_MEMORY_CACHE); - if ( ! geoip_v6 ) - builtin_error("can't initialize the GeoIPv6 Country database"); + +#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6 + geoip_v6 = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6); + if ( geoip_v6 ) + have_cityv6_db = true; #endif + +#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 + if ( ! geoip_v6 ) + geoip_v6 = open_geoip_db(GEOIP_COUNTRY_EDITION_V6); +#endif + if ( ! geoip_v6 ) + builtin_error("Can't initialize GeoIPv6 City/Country database"); #endif } #ifdef BROv6 -#ifdef GEOIP_COUNTRY_EDITION_V6 + +#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 if ( geoip_v6 && ! 
is_v4_addr(a) ) - gir = GeoIP_record_by_ipnum_v6(geoip_v6, geoipv6_t(a)); + { + geoipv6_t ga; + memcpy(&ga, a, 16); + if ( have_cityv6_db ) + gir = GeoIP_record_by_ipnum_v6(geoip_v6, ga); + else + cc = GeoIP_country_code_by_ipnum_v6(geoip_v6, ga); + } else #endif + if ( geoip && is_v4_addr(a) ) { uint32 addr = to_v4_addr(a); - gir = GeoIP_record_by_ipnum(geoip, ntohl(addr)); + if ( have_city_db ) + gir = GeoIP_record_by_ipnum(geoip, ntohl(addr)); + else + cc = GeoIP_country_code_by_ipnum(geoip, ntohl(addr)); } -#else + +#else // not BROv6 if ( geoip ) - gir = GeoIP_record_by_ipnum(geoip, ntohl(a)); + { + if ( have_city_db ) + gir = GeoIP_record_by_ipnum(geoip, ntohl(a)); + else + cc = GeoIP_country_code_by_ipnum(geoip, ntohl(a)); + } #endif if ( gir ) { if ( gir->country_code ) location->Assign(0, new StringVal(gir->country_code)); - else - location->Assign(0, new StringVal("")); if ( gir->region ) location->Assign(1, new StringVal(gir->region)); - else - location->Assign(1, new StringVal("")); if ( gir->city ) location->Assign(2, new StringVal(gir->city)); - else - location->Assign(2, new StringVal("")); if ( gir->latitude ) location->Assign(3, new Val(gir->latitude, TYPE_DOUBLE)); - else - location->Assign(3, new Val(0.0, TYPE_DOUBLE)); if ( gir->longitude ) location->Assign(4, new Val(gir->longitude, TYPE_DOUBLE)); - else - location->Assign(4, new Val(0.0, TYPE_DOUBLE)); GeoIPRecord_delete(gir); return location; } -#else + else if ( cc ) + { + location->Assign(0, new StringVal(cc)); + return location; + } + +#else // not USE_GEOIP static int missing_geoip_reported = 0; if ( ! missing_geoip_reported ) 
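Review bot: With the `else` branches removed, `lookup_location` now leaves `country_code`, `region`, `city`, `latitude` and `longitude` unset instead of filling in empty strings and 0.0, which changes behaviour for every script that reads `location$country_code` directly — the ssh hunk in this commit switched to `location?$country_code` for exactly this reason, and the `geo_location` record definition is not visible here to confirm its fields are `&optional`. State the new contract in the BIF's `##` doc comment above this hunk: fields the database cannot supply are left unset and callers must test with `?$`. The `if ( gir->latitude )` / `longitude` checks also still drop a genuine coordinate of exactly 0; that predates this change, but now that "unset" carries meaning it deserves a comment or a fix.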
@@ -3120,11 +3170,6 @@ function lookup_location%(a: addr%) : geo_location // We can get here even if we have GeoIP support if we weren't // able to initialize it or it didn't return any information for // the address. - location->Assign(0, new StringVal("")); - location->Assign(1, new StringVal("")); - location->Assign(2, new StringVal("")); - location->Assign(3, new Val(0.0, TYPE_DOUBLE)); - location->Assign(4, new Val(0.0, TYPE_DOUBLE)); return location; %} @@ -3139,10 +3184,9 @@ function lookup_asn%(a: addr%) : count if ( ! geoip_asn_initialized ) { geoip_asn_initialized = true; - geoip_asn = GeoIP_open_type(GEOIP_ASNUM_EDITION, - GEOIP_MEMORY_CACHE); + geoip_asn = open_geoip_db(GEOIP_ASNUM_EDITION); if ( ! geoip_asn ) - builtin_error("can't initialize GeoIP ASNUM database"); + builtin_error("Can't initialize GeoIP ASNUM database"); } if ( geoip_asn ) @@ -3150,17 +3194,23 @@ function lookup_asn%(a: addr%) : count #ifdef BROv6 // IPv6 support showed up in 1.4.5. -#ifdef GEOIP_COUNTRY_EDITION_V6 +#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 if ( ! is_v4_addr(a) ) - gir = GeoIP_name_by_ipnum_v6(geoip_asn, geoipv6_t(a)); + { + geoipv6_t ga; + memcpy(&ga, a, 16); + gir = GeoIP_name_by_ipnum_v6(geoip_asn, ga); + } else #endif + if ( is_v4_addr(a) ) { uint32 addr = to_v4_addr(a); gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr)); } -#else + +#else // not BROv6 gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(a)); #endif } @@ -3171,7 +3221,8 @@ function lookup_asn%(a: addr%) : count // the first two characters: "AS". return new Val(atoi(gir+2), TYPE_COUNT); } -#else + +#else // not USE_GEOIP static int missing_geoip_reported = 0; if ( ! missing_geoip_reported ) @@ -3607,3 +3658,9 @@ function enable_communication%(%): any remote_serializer->Init(); return 0; %} + +## Returns the Bro version string +function bro_version%(%): string + %{ + return new StringVal(bro_version()); + %} diff --git a/src/main.cc b/src/main.cc index a6e493f0c8..139fc802c5 100644 --- a/src/main.cc 
+++ b/src/main.cc @@ -98,6 +98,7 @@ extern char version[]; char* command_line_policy = 0; vector params; char* proc_status_file = 0; +int snaplen = 65535; // really want "capture entire packet" int FLAGS_use_binpac = false; @@ -145,7 +146,7 @@ void usage() fprintf(stderr, " -g|--dump-config | dump current config into .state dir\n"); fprintf(stderr, " -h|--help|-? | command line help\n"); fprintf(stderr, " -i|--iface | read from given interface\n"); - fprintf(stderr, " -Z|--doc-scripts | generate documentation for all loaded scripts\n"); + fprintf(stderr, " -l|--snaplen | number of bytes per packet to capture from interfaces (default 65535)\n"); fprintf(stderr, " -p|--prefix | add given prefix to policy file resolution\n"); fprintf(stderr, " -r|--readfile | read from given tcpdump file\n"); fprintf(stderr, " -y|--flowfile [=] | read from given flow file\n"); @@ -172,6 +173,7 @@ void usage() fprintf(stderr, " -T|--re-level | set 'RE_level' for rules\n"); fprintf(stderr, " -U|--status-file | Record process status in file\n"); fprintf(stderr, " -W|--watchdog | activate watchdog timer\n"); + fprintf(stderr, " -Z|--doc-scripts | generate documentation for all loaded scripts\n"); #ifdef USE_PERFTOOLS fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n"); @@ -367,7 +369,7 @@ int main(int argc, char** argv) {"filter", required_argument, 0, 'f'}, {"help", no_argument, 0, 'h'}, {"iface", required_argument, 0, 'i'}, - {"print-scripts", no_argument, 0, 'l'}, + {"snaplen", required_argument, 0, 'l'}, {"doc-scripts", no_argument, 0, 'Z'}, {"prefix", required_argument, 0, 'p'}, {"readfile", required_argument, 0, 'r'}, @@ -441,7 +443,7 @@ int main(int argc, char** argv) opterr = 0; char opts[256]; - safe_strncpy(opts, "B:D:e:f:I:i:K:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ", + safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ", sizeof(opts)); #ifdef USE_PERFTOOLS 
@@ -454,7 +456,7 @@ int main(int argc, char** argv) case 'b': bare_mode = true; break; - + case 'd': fprintf(stderr, "Policy file debugging ON.\n"); g_policy_debug = true; @@ -476,6 +478,10 @@ int main(int argc, char** argv) interfaces.append(optarg); break; + case 'l': + snaplen = atoi(optarg); + break; + case 'p': prefixes.append(optarg); break; diff --git a/src/reporter.bif b/src/reporter.bif index 4a77c2fcda..6b481eeb79 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -28,3 +28,11 @@ function Reporter::error%(msg: string%): bool reporter->PopLocation(); return new Val(1, TYPE_BOOL); %} + +function Reporter::fatal%(msg: string%): bool + %{ + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->FatalError("%s", msg->CheckString()); + reporter->PopLocation(); + return new Val(1, TYPE_BOOL); + %} diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log index f8f3d41108..d69841ebfc 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log @@ -1,2 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945 +#separator \x09 +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +#types time string addr port addr port enum string interval count count string bool count string count count count count +1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 710 10 9945 
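Review bot: `snaplen = atoi(optarg);` accepts any string: a non-numeric or negative argument yields 0 or a negative value that is then handed to libpcap (see the `capture length %d` message in PktSrc.cc) and fails in a far less obvious way than a usage error would. Validate at parse time, e.g. `snaplen = atoi(optarg); if ( snaplen <= 0 ) { fprintf(stderr, "Invalid snaplen: %s\n", optarg); exit(1); }`, or use `strtol` with an end-pointer check. `main` starts and ends outside this hunk.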
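Review bot: `Reporter::fatal` copies the shape of `Reporter::error`, including `reporter->PopLocation()` and `return new Val(1, TYPE_BOOL)` after the call, but if `reporter->FatalError` terminates the process as its name suggests those two lines never execute and the `bool` return type promises a value no script can observe. Either document that — `## Reports a fatal error and terminates Bro; this function never returns.` — or, if `FatalError` can return in some mode, say so in the same comment. None of the BIFs in this file carry `##` doc comments, so a one-liner on each would also feed the generated script docs.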
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
index 494e1946e7..24639f8b51 100644
--- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
@@ -1,8 +1,20 @@ -# ts node filter init success -1312570784.336354 - not ip6 F T -# ts node filter init success -1312570784.550594 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T -# ts node filter init success -1312570784.765990 - port 42 F T -# ts node filter init success -1312570784.992999 - port 56730 T T +#separator \x09 +#path packet_filter +#fields ts node filter init success +#types time string string bool bool +1315167051.418730 - not ip6 F T +#separator \x09 +#path packet_filter +#fields ts node filter init success +#types time string string bool bool +1315167051.652097 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T +#separator \x09 +#path packet_filter +#fields ts node filter init success +#types time string string bool bool +1315167051.885416 - port 42 F T +#separator \x09 +#path packet_filter +#fields ts node filter init success +#types time string string bool bool +1315167052.120658 - port 56730 T T 
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 1ac7ab0cf4..9c65be0b34 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log +++ b/testing/btest/Baseline/core.vlan-mpls/conn.log @@ -1,4 +1,7 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - 11 280 0 0 -1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945 -1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF 7 361 7 3801 +#separator \x09 +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +#types time string addr port addr port enum string interval count count string bool count string count count count count +952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 25 0 SH - 0 - 11 280 0 0 +1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 710 10 9945 +1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 361 7 3801 diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst index ec48477d61..f6f7b4b2fc 100644 --- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst +++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst @@ -263,7 +263,7 @@ Redefinitions :Type: :bro:type:`enum` - .. bro:enum:: Example::EXAMPLE Log::ID + .. bro:enum:: Example::LOG Log::ID :bro:type:`Example::SimpleEnum` 
diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
index 2e56522dae..3e53efd7f2 100644
--- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@@ -1,2 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750785.32134 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+#separator \x09
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port string string string string string count count count string string table string string table string string file
+1315167107.671488 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log
index 2e56522dae..3e53efd7f2 100644
--- a/testing/btest/Baseline/istate.events-ssl/sender.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@@ -1,2 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750785.32134 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+#separator \x09
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port string string string string string count count count string string table string string table string string file
+1315167107.671488 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
index 38ba563dc7..85d74c943c 100644
--- a/testing/btest/Baseline/istate.events/receiver.http.log
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -1,2 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750770.8185 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+#separator \x09
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port string string string string string count count count string string table string string table string string file
+1315167116.842377 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
index 38ba563dc7..85d74c943c 100644
--- a/testing/btest/Baseline/istate.events/sender.http.log
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -1,2 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750770.8185 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+#separator \x09
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port string string string string string count count count string string table string string table string string file
+1315167116.842377 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/language.enum-desc/output b/testing/btest/Baseline/language.enum-desc/output
new file mode 100644
index 0000000000..f46cc71693
--- /dev/null
+++ b/testing/btest/Baseline/language.enum-desc/output
@@ -0,0 +1,4 @@
+ONE
+ONE
+TEST::TWO
+TEST::TWO
diff --git a/testing/btest/Baseline/language.enum-scope/output b/testing/btest/Baseline/language.enum-scope/output
index f2ad6c76f0..84705950d9 100644
--- a/testing/btest/Baseline/language.enum-scope/output
+++ b/testing/btest/Baseline/language.enum-scope/output
@@ -1 +1 @@
-c
+test::c
diff --git a/testing/btest/Baseline/language.record-recursive-coercion/output b/testing/btest/Baseline/language.record-recursive-coercion/output
index 37c916713f..5c4dea621c 100644
--- a/testing/btest/Baseline/language.record-recursive-coercion/output
+++ b/testing/btest/Baseline/language.record-recursive-coercion/output
@@ -1 +1,2 @@
 [major=4, minor=4, minor2=, addl=]
+[c=1, f=[i=2.0 hrs, s=]]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log index ee274bb0fa..fc2c133dc6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log @@ -1,3 +1,6 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212563.234939 1.2.3.4 1234 2.3.4.5 80 success unknown -1313212563.234939 1.2.3.4 1234 2.3.4.5 80 failure US +#separator \x09 +#path ssh-new-default +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167052.603186 1.2.3.4 1234 2.3.4.5 80 success unknown +1315167052.603186 1.2.3.4 1234 2.3.4.5 80 failure US diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log index 84a2cc609e..fb68b42aef 100644 Binary files a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log and b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log differ diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log index d377ca15d7..e1ba48cf8e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log 
@@ -1,6 +1,9 @@ -PREFIX<>t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T +PREFIX<>separator \x7c +PREFIX<>path|ssh +PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b +PREFIX<>types|time|addr|port|addr|port|string|string|bool +1315167052.828457|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET +1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET +1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET +1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET +1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log index aa08625281..f9bbfce3bd 100644 Binary files a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log and b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log differ diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log index fb7ae6d486..7f512c15d9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log @@ -1,4 +1,7 @@ -# data +#separator \x09 +#path test +#fields data +#types time 1234567890.000000 1234567890.000000 1234567890.010000 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log index d543af3a43..c2c32c5c6a 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log @@ -1,2 +1,5 @@ -# status country a1 b1 b2 +#separator \x09 +#path ssh +#fields status country a1 b1 b2 +#types string string count count count success unknown 1 3 4 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log index c4355d2fd5..18e4d5cbad 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log @@ -1,4 +1,7 @@ -# status country +#separator \x09 +#path ssh +#fields status country +#types string string success unknown failure US failure UK diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log index 7f21430ea7..49272bfd53 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log @@ -1,6 +1,9 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299809561.67372 1.2.3.4 1234 2.3.4.5 80 success unknown -1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure US -1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure UK -1299809561.67372 1.2.3.4 1234 2.3.4.5 80 success BR -1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path ssh +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success unknown +1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure US +1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success BR +1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure MX 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log index 4defa5ced1..b078b4746a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log @@ -1,4 +1,7 @@ -# id.orig_p id.resp_h id.resp_p status country +#separator \x09 +#path ssh +#fields id.orig_p id.resp_h id.resp_p status country +#types port addr port string string 1234 2.3.4.5 80 success unknown 1234 2.3.4.5 80 failure US 1234 2.3.4.5 80 failure UK diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log index 49115ab1df..0a988ff9b9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log @@ -1,2 +1,5 @@ -# t f -1303098703.62603 Foo.log +#separator \x09 +#path ssh +#fields t f +#types time file +1315167053.585834 Foo.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log index 881704257e..5675ef6632 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log @@ -1,6 +1,9 @@ -# t id.orig_h -1303064007.48299 1.2.3.4 -1303064007.48299 1.2.3.4 -1303064007.48299 1.2.3.4 -1303064007.48299 1.2.3.4 -1303064007.48299 1.2.3.4 +#separator \x09 +#path ssh +#fields t id.orig_h +#types time addr +1315167053.694473 1.2.3.4 +1315167053.694473 1.2.3.4 +1315167053.694473 1.2.3.4 +1315167053.694473 1.2.3.4 +1315167053.694473 1.2.3.4 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output index 7e8acf5106..2c196340cc 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
@@ -5,17 +5,38 @@ static-prefix-1-MX.log static-prefix-1-US.log static-prefix-2-MX2.log static-prefix-2-UK.log -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 success BR -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX3 -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 success unknown -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure US -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX2 -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure UK +#separator \x09 +#path static-prefix-0-BR +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success BR +#separator \x09 +#path static-prefix-0-MX3 +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX3 +#separator \x09 +#path static-prefix-0-unknown +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success unknown +#separator \x09 +#path static-prefix-1-MX +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path static-prefix-1-US +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure US +#separator \x09 
+#path static-prefix-2-MX2 +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX2 +#separator \x09 +#path static-prefix-2-UK +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure UK diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log deleted file mode 100644 index c46990dc65..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.failure.log +++ /dev/null @@ -1,2 +0,0 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718503.16177 1.2.3.4 1234 2.3.4.5 80 failure US diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log deleted file mode 100644 index c6adcd86aa..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/ssh.success.log +++ /dev/null @@ -1,2 +0,0 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718503.16177 1.2.3.4 1234 2.3.4.5 80 success - diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log new file mode 100644 index 0000000000..ba688d7843 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log @@ -0,0 +1,5 @@ +#separator \x09 +#path test.failure +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.923545 1.2.3.4 1234 2.3.4.5 80 failure US 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log new file mode 100644 index 0000000000..7a91b1a2d9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log @@ -0,0 +1,5 @@ +#separator \x09 +#path test.success +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167053.923545 1.2.3.4 1234 2.3.4.5 80 success - diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log index eee707f89f..c00e7765d5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log @@ -1,2 +1,5 @@ -# b i e c p sn a d t iv s sc ss se vc ve -T -42 Test::TEST 21 123 10.0.0.0/24 1.2.3.4 3.14 1313623666.027768 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY +#separator \x09 +#path test +#fields b i e c p sn a d t iv s sc ss se vc ve +#types bool int enum count port subnet addr double time interval string table table table vector vector +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315167054.320958 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log index 87f5fb3bcb..aba9fdddd9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log 
@@ -1,4 +1,7 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path test.failure +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log index 8d0fedd1b5..b928c37685 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log @@ -1,6 +1,9 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success - -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success - +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log index 4b8f54e7ce..a951c6ed1a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log @@ -1,3 +1,6 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success - -1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR +#separator \x09 +#path test.success +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success - +1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log index ddbacda28e..6185e86028 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log @@ -1,3 +1,6 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure US -1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure UK +#separator \x09 +#path ssh.failure +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US +1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log index 123e8e3a87..a4ec2dc7de 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log 
@@ -1,4 +1,7 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure US -1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure UK -1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure BR +#separator \x09 +#path ssh +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US +1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure BR diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out index 18bd12d88f..f63cb788e8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out 
@@ -8,27 +8,31 @@ 1st test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0 1st test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0 1st test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1 -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, 
open=1299488405.0, close=1299491995.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T] -# t id.orig_h id.orig_p id.resp_h id.resp_p +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, 
fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, open=1299488405.0, close=1299491995.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F] +custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T] +#fields t id.orig_h 
id.orig_p id.resp_h id.resp_p +#path test +#path test2 +#separator \x09 +#types time addr port addr port 1299466805.000000 10.0.0.1 20 10.0.0.2 1024 1299470395.000000 10.0.0.2 20 10.0.0.3 0 1299470405.000000 10.0.0.1 20 10.0.0.2 1025 @@ -59,7 +63,6 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=tes > test.2011-03-07-10-00-05.log > test.2011-03-07-11-00-05.log > test.2011-03-07-12-00-05.log -> test.log > test2-11-03-07_03.00.05.log > test2-11-03-07_03.59.55.log > test2-11-03-07_04.00.05.log @@ -80,4 +83,3 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=tes > test2-11-03-07_11.59.55.log > test2-11-03-07_12.00.05.log > test2-11-03-07_12.59.55.log -> test2.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out index b153c5b7fa..74ce45023a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out 
@@ -9,42 +9,72 @@ test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0 test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0 test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1 > test.2011-03-07-03-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299466805.000000 10.0.0.1 20 10.0.0.2 1024 1299470395.000000 10.0.0.2 20 10.0.0.3 0 > test.2011-03-07-04-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299470405.000000 10.0.0.1 20 10.0.0.2 1025 1299473995.000000 10.0.0.2 20 10.0.0.3 1 > test.2011-03-07-05-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299474005.000000 10.0.0.1 20 10.0.0.2 1026 1299477595.000000 10.0.0.2 20 10.0.0.3 2 > test.2011-03-07-06-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299477605.000000 10.0.0.1 20 10.0.0.2 1027 1299481195.000000 10.0.0.2 20 10.0.0.3 3 > test.2011-03-07-07-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299481205.000000 10.0.0.1 20 10.0.0.2 1028 1299484795.000000 10.0.0.2 20 10.0.0.3 4 > test.2011-03-07-08-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299484805.000000 10.0.0.1 20 10.0.0.2 1029 1299488395.000000 10.0.0.2 20 10.0.0.3 5 > test.2011-03-07-09-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t 
id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299488405.000000 10.0.0.1 20 10.0.0.2 1030 1299491995.000000 10.0.0.2 20 10.0.0.3 6 > test.2011-03-07-10-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299492005.000000 10.0.0.1 20 10.0.0.2 1031 1299495595.000000 10.0.0.2 20 10.0.0.3 7 > test.2011-03-07-11-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299495605.000000 10.0.0.1 20 10.0.0.2 1032 1299499195.000000 10.0.0.2 20 10.0.0.3 8 > test.2011-03-07-12-00-05.log -# t id.orig_h id.orig_p id.resp_h id.resp_p +#separator \x09 +#path test +#fields t id.orig_h id.orig_p id.resp_h id.resp_p +#types time addr port addr port 1299499205.000000 10.0.0.1 20 10.0.0.2 1033 1299502795.000000 10.0.0.2 20 10.0.0.3 9 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output index 4c73aed8e4..84521cb645 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output 
@@ -1,6 +1,9 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success unknown -1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure US -1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure UK -1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success BR -1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path /dev/stdout +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success unknown +1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure US +1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success BR +1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log index 82523b7c13..5b93b6e23b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log @@ -1,6 +1,9 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success unknown -1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure US -1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure UK -1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success BR -1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure MX +#separator \x09 +#path ssh +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success unknown +1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure US +1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure UK +1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success BR +1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure MX 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log index e5633026b2..d1e6086fc4 100644 Binary files a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log and b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log differ diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log index 34f20a588b..12bb1d1704 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log @@ -1,3 +1,6 @@ -# a.val1 a.val2 b +#separator \x09 +#path testing +#fields a.val1 a.val2 b +#types count count count - - 6 1 2 3 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log index 1602f7d1c0..b9a54404ed 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log @@ -1,2 +1,5 @@ -# vec +#separator \x09 +#path ssh +#fields vec +#types vector -,2,-,-,5 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log index ff692027b2..3db5aac7d3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log 
@@ -1,4 +1,7 @@ -# ts metric_id filter_name index.host index.str index.network value -1313429477.091485 TEST_METRIC foo-bar 6.5.4.3 - - 4 -1313429477.091485 TEST_METRIC foo-bar 1.2.3.4 - - 6 -1313429477.091485 TEST_METRIC foo-bar 7.2.1.5 - - 2 +#separator \x09 +#path metrics +#fields ts metric_id filter_name index.host index.str index.network value +#types time enum string addr string subnet count +1315167074.181810 TEST_METRIC foo-bar 6.5.4.3 - - 4 +1315167074.181810 TEST_METRIC foo-bar 1.2.3.4 - - 6 +1315167074.181810 TEST_METRIC foo-bar 7.2.1.5 - - 2 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log index fb4a2c4528..45334cf3d7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log @@ -1,4 +1,7 @@ -# ts metric_id filter_name index.host index.str index.network value -1313430544.678529 TEST_METRIC foo-bar 6.5.4.3 - - 2 -1313430544.678529 TEST_METRIC foo-bar 1.2.3.4 - - 3 -1313430544.678529 TEST_METRIC foo-bar 7.2.1.5 - - 1 +#separator \x09 +#path metrics +#fields ts metric_id filter_name index.host index.str index.network value +#types time enum string addr string subnet count +1315167083.455574 TEST_METRIC foo-bar 6.5.4.3 - - 2 +1315167083.455574 TEST_METRIC foo-bar 1.2.3.4 - - 3 +1315167083.455574 TEST_METRIC foo-bar 7.2.1.5 - - 1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log index 48c74fe7c4..e14a0922a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log 
@@ -1,2 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -1313897486.017657 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - - +#separator \x09 +#path notice +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum string string addr addr port count string table table bool string string string double double addr string subnet +1315167088.906913 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - - diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log index 1e0e6a572b..a2e7251d95 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log 
@@ -1,3 +1,6 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - - -1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - - +#separator \x09 +#path notice +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum string string addr addr port count string table table bool string string string double double addr string subnet +1315167098.061022 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - - +1315167098.061022 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - - diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log index 1c9e7eb7d6..e746701cc4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log 
@@ -1,4 +1,7 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file +#separator \x09 +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file +#types time string addr port addr port string string string string string count count count string string table string string table string file 1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - - - 1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - - - 1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log index bea67dcf5b..d224556632 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log 
@@ -1,4 +1,7 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file +#separator \x09 +#path irc +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file +#types time string addr port addr port string string table string string string table string count file 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log index ea638d1892..817207108c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log @@ -1,2 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent +#separator \x09 +#path smtp +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent +#types time string addr port addr port string string string table string string table string string string string addr string string string vector string 1254722768.219663 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh GP Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log index 8eae4b3163..cde5156594 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-all.log @@ -1,5 +1,8 @@ -# ts host -1300475168.78384 141.142.220.118 -1300475168.78384 208.80.152.118 -1300475168.91594 208.80.152.3 -1300475168.96263 208.80.152.2 +#separator \x09 +#path known_hosts +#fields ts host +#types time addr +1300475168.783842 141.142.220.118 +1300475168.783842 208.80.152.118 +1300475168.915940 208.80.152.3 +1300475168.962628 208.80.152.2 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log index 91e952dc96..008eb364ed 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-local.log @@ -1,2 +1,5 @@ -# ts host -1300475168.78384 141.142.220.118 +#separator \x09 +#path known_hosts +#fields ts host +#types time addr +1300475168.783842 141.142.220.118 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log index 7224058b56..43b28ded8a 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-hosts/knownhosts-remote.log 
@@ -1,4 +1,7 @@ -# ts host -1300475168.78384 208.80.152.118 -1300475168.91594 208.80.152.3 -1300475168.96263 208.80.152.2 +#separator \x09 +#path known_hosts +#fields ts host +#types time addr +1300475168.783842 208.80.152.118 +1300475168.915940 208.80.152.3 +1300475168.962628 208.80.152.2 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log index 9e427cbffe..c3e59c94e7 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log @@ -1,6 +1,9 @@ -# ts host port_num port_proto service -1308930691.03504 172.16.238.131 22 tcp SSH -1308930694.54896 172.16.238.131 80 tcp HTTP -1308930716.45795 74.125.225.81 80 tcp HTTP -1308930703.06815 172.16.238.131 21 tcp FTP -1308930726.86415 141.142.192.39 22 tcp SSH +#separator \x09 +#path known_services +#fields ts host port_num port_proto service +#types time addr port enum table +1308930691.035044 172.16.238.131 22 tcp SSH +1308930694.548964 172.16.238.131 80 tcp HTTP +1308930716.457950 74.125.225.81 80 tcp HTTP +1308930703.068148 172.16.238.131 21 tcp FTP +1308930726.864150 141.142.192.39 22 tcp SSH diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log index 9ff7eb3198..b30aeccf03 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log 
@@ -1,4 +1,7 @@ -# ts host port_num port_proto service -1308930691.03504 172.16.238.131 22 tcp SSH -1308930694.54896 172.16.238.131 80 tcp HTTP -1308930703.06815 172.16.238.131 21 tcp FTP +#separator \x09 +#path known_services +#fields ts host port_num port_proto service +#types time addr port enum table +1308930691.035044 172.16.238.131 22 tcp SSH +1308930694.548964 172.16.238.131 80 tcp HTTP +1308930703.068148 172.16.238.131 21 tcp FTP diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log index 1adb50ed94..6b75c996c1 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log @@ -1,3 +1,6 @@ -# ts host port_num port_proto service -1308930716.45795 74.125.225.81 80 tcp HTTP -1308930726.86415 141.142.192.39 22 tcp SSH +#separator \x09 +#path known_services +#fields ts host port_num port_proto service +#types time addr port enum table +1308930716.457950 74.125.225.81 80 tcp HTTP +1308930726.864150 141.142.192.39 22 tcp SSH diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log index 6a5b6c6044..945960e03e 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log +++ b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log 
@@ -1,2 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl -930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.0 4.3.2.1 - - +#separator \x09 +#path dns +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl +#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count interval table table table +930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.000000 4.3.2.1 - - diff --git a/testing/btest/language/enum-desc.bro b/testing/btest/language/enum-desc.bro new file mode 100644 index 0000000000..86466e2fc2 --- /dev/null +++ b/testing/btest/language/enum-desc.bro @@ -0,0 +1,15 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +type test_enum1: enum { ONE }; + +module TEST; + +type test_enum2: enum { TWO }; + +print ONE; +print fmt("%s", ONE); + + +print TWO; +print fmt("%s", TWO); diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.bro index eda80e3d11..ad9e41bd3a 100644 --- a/testing/btest/language/record-recursive-coercion.bro +++ b/testing/btest/language/record-recursive-coercion.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro %INPUT >output # @TEST-EXEC: btest-diff output type Version: record { 
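Review bot: Dropping `2>&1` from the first `@TEST-EXEC` line of record-recursive-coercion.bro means bro's stderr is no longer part of the compared `output`, so a diagnostic printed during the nested record coercion would only be noticed if bro also exited non-zero. If the point of the change is that the coercion now runs without any diagnostic, keeping `# @TEST-EXEC: bro %INPUT >output 2>&1` pins that in the baseline; if stderr was dropped because it carries unstable text, a short comment on the line saying so would stop the next reader from restoring it. Which of the two applies is not visible from the hunk.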
@@ -17,8 +17,24 @@ global matched_software: table[string] of Info = { ["OpenSSH_4.4"] = [$name="OpenSSH", $version=[$major=4,$minor=4]], }; +type Foo: record { + i: interval &default=1hr; + s: string &optional; +}; + +type FooContainer: record { + c: count; + f: Foo &optional; +}; + +function foo_func(fc: FooContainer) + { + print fc; + } + event bro_init() { for ( sw in matched_software ) print matched_software[sw]$version; + foo_func([$c=1, $f=[$i=2hrs]]); } diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro index 2fc00dffb0..53cfdd1655 100644 --- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro +++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro @@ -7,7 +7,7 @@ module SSH; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) @@ -21,13 +21,13 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Info]); + Log::create_stream(SSH::LOG, [$columns=Info]); - local filter = Log::get_filter(SSH, "default"); + local filter = Log::get_filter(SSH::LOG, "default"); filter$path= "ssh-new-default"; - Log::add_filter(SSH, filter); + Log::add_filter(SSH::LOG, filter); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro index 36ad5a5a1b..fcbac3be58 100644 
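Review bot: The single new call `foo_func([$c=1, $f=[$i=2hrs]]);` in bro_init exercises only one shape of the nested coercion: `$i` is given explicitly and `$s` is omitted, so neither the `&default=1hr` on `Foo$i` being filled in by the coercion nor the `&optional` field `$s` being carried through is covered. Adding `foo_func([$c=2, $f=[$s="x"]]);` would pin the default-filling path and `foo_func([$c=3]);` the case where the optional nested record is absent altogether, each producing one more line in the baseline. The new types and `foo_func` also carry no comment tying them to what they test; a one-liner above `type Foo` such as `# Anonymous record passed as FooContainer$f must be coerced to Foo` would make the fixture's purpose clear.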
--- a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Info: record { data: string; @@ -17,9 +17,9 @@ redef LogAscii::separator = "|"; event bro_init() { - Log::create_stream(SSH, [$columns=Info]); - Log::write(SSH, [$data="abc\n\xffdef", $data2="DATA2"]); - Log::write(SSH, [$data="abc|\xffdef", $data2="DATA2"]); - Log::write(SSH, [$data="abc\xff|def", $data2="DATA2"]); + Log::create_stream(SSH::LOG, [$columns=Info]); + Log::write(SSH::LOG, [$data="abc\n\xffdef", $data2="DATA2"]); + Log::write(SSH::LOG, [$data="abc|\xffdef", $data2="DATA2"]); + Log::write(SSH::LOG, [$data="abc\xff|def", $data2="DATA2"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro index 90f0b37a11..9dace5d52a 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro @@ -11,7 +11,7 @@ redef LogAscii::header_prefix = "PREFIX<>"; module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -24,15 +24,15 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro index 11b9d608b3..f2c370a27a 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro @@ -7,7 +7,7 @@ redef LogAscii::separator = "||"; module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -19,14 +19,14 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro index 2914c95795..8c228c1384 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-options.bro @@ -9,7 +9,7 @@ redef LogAscii::include_header = F; module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -21,15 +21,15 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro index 9b134d650f..e63e30f6c6 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro @@ -5,7 +5,7 @@ module Test; export { - redef enum Log::ID += { TEST }; + redef enum Log::ID += { LOG }; type Info: record { data: time &log; 
@@ -14,14 +14,14 @@ export { event bro_init() { - Log::create_stream(TEST, [$columns=Info]); - Log::write(TEST, [$data=double_to_time(1234567890)]); - Log::write(TEST, [$data=double_to_time(1234567890.0)]); - Log::write(TEST, [$data=double_to_time(1234567890.01)]); - Log::write(TEST, [$data=double_to_time(1234567890.001)]); - Log::write(TEST, [$data=double_to_time(1234567890.0001)]); - Log::write(TEST, [$data=double_to_time(1234567890.00001)]); - Log::write(TEST, [$data=double_to_time(1234567890.000001)]); - Log::write(TEST, [$data=double_to_time(1234567890.0000001)]); + Log::create_stream(Test::LOG, [$columns=Info]); + Log::write(Test::LOG, [$data=double_to_time(1234567890)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.0)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.01)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.001)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.0001)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.00001)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.000001)]); + Log::write(Test::LOG, [$data=double_to_time(1234567890.0000001)]); } diff --git a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro index 03f0996cef..7f58f3f8c1 100644 --- a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro +++ b/testing/btest/scripts/base/frameworks/logging/attr-extend.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -28,10 +28,10 @@ redef record Log += { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]); } diff --git a/testing/btest/scripts/base/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.bro index 247dbce2a2..8ec3d1c385 100644 --- a/testing/btest/scripts/base/frameworks/logging/attr.bro +++ b/testing/btest/scripts/base/frameworks/logging/attr.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -17,15 +17,15 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } 
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro index 2bd18ae991..6799f7ca2f 100644 --- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro +++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -17,17 +17,17 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); - Log::disable_stream(SSH); + Log::disable_stream(SSH::LOG); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.bro index 0f0a811117..6aa867220f 100644 --- a/testing/btest/scripts/base/frameworks/logging/empty-event.bro +++ b/testing/btest/scripts/base/frameworks/logging/empty-event.bro 
@@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -19,15 +19,15 @@ global log_ssh: event(rec: Log); event bro_init() { - Log::create_stream(SSH, [$columns=Log, $ev=log_ssh]); + Log::create_stream(SSH::LOG, [$columns=Log, $ev=log_ssh]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.bro index 6013938569..bf156e6d60 100644 --- a/testing/btest/scripts/base/frameworks/logging/events.bro +++ b/testing/btest/scripts/base/frameworks/logging/events.bro @@ -6,7 +6,7 @@ module SSH; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) 
@@ -22,12 +22,12 @@ global ssh_log: event(rec: Log); event bro_init() { - Log::create_stream(SSH, [$columns=Log, $ev=ssh_log]); + Log::create_stream(SSH::LOG, [$columns=Log, $ev=ssh_log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local r: Log = [$t=network_time(), $id=cid, $status="success"]; - Log::write(SSH, r); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, r); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.bro index 04767cec40..7b245541ab 100644 --- a/testing/btest/scripts/base/frameworks/logging/exclude.bro +++ b/testing/btest/scripts/base/frameworks/logging/exclude.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -17,18 +17,18 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); - Log::remove_default_filter(SSH); - Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]); + Log::remove_default_filter(SSH::LOG); + Log::add_filter(SSH::LOG, [$name="f1", $exclude=set("t", "id.orig_h")]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.bro index e910c7c516..94bdad6b1b 100644 --- a/testing/btest/scripts/base/frameworks/logging/file.bro +++ b/testing/btest/scripts/base/frameworks/logging/file.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -17,7 +17,7 @@ const foo_log = open_log_file("Foo") &redef; event bro_init() { - Log::create_stream(SSH, [$columns=Log]); - Log::write(SSH, [$t=network_time(), $f=foo_log]); + Log::create_stream(SSH::LOG, [$columns=Log]); + Log::write(SSH::LOG, [$t=network_time(), $f=foo_log]); } 
diff --git a/testing/btest/scripts/base/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.bro index 414d0c8ab4..d0fea93c99 100644 --- a/testing/btest/scripts/base/frameworks/logging/include.bro +++ b/testing/btest/scripts/base/frameworks/logging/include.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -17,18 +17,18 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); - Log::remove_default_filter(SSH); - Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]); + Log::remove_default_filter(SSH::LOG); + Log::add_filter(SSH::LOG, [$name="default", $include=set("t", "id.orig_h")]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.bro index 699f21d942..9ae7d32d61 100644 --- a/testing/btest/scripts/base/frameworks/logging/no-local.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/no-local.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -19,15 +19,15 @@ redef Log::enable_local_logging = F; event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.bro index ade6aedbc9..684aa03ed6 100644 --- a/testing/btest/scripts/base/frameworks/logging/path-func.bro +++ b/testing/btest/scripts/base/frameworks/logging/path-func.bro @@ -7,7 +7,7 @@ module SSH; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) 
@@ -30,19 +30,19 @@ function path_func(id: Log::ID, path: string, rec: Log) : string event bro_init() { - Log::create_stream(SSH, [$columns=Log]); - Log::remove_default_filter(SSH); + Log::create_stream(SSH::LOG, [$columns=Log]); + Log::remove_default_filter(SSH::LOG); - Log::add_filter(SSH, [$name="dyn", $path="static-prefix", $path_func=path_func]); + Log::add_filter(SSH::LOG, [$name="dyn", $path="static-prefix", $path_func=path_func]); - Log::set_buf(SSH, F); + Log::set_buf(SSH::LOG, F); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.bro index 3270c5f62d..e13c726656 100644 --- a/testing/btest/scripts/base/frameworks/logging/pred.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/pred.bro @@ -1,16 +1,16 @@ # @TEST-EXEC: bro -b %INPUT -# @TEST-EXEC: btest-diff ssh.success.log -# @TEST-EXEC: btest-diff ssh.failure.log +# @TEST-EXEC: btest-diff test.success.log +# @TEST-EXEC: btest-diff test.failure.log -module SSH; +module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) + # (I'm using a subset of fields from ssh for demonstration.) type Log: record { t: time; id: conn_id; # Will be rolled out into individual columns. @@ -26,14 +26,14 @@ function fail(rec: Log): bool event bro_init() { - Log::create_stream(SSH, [$columns=Log]); - Log::remove_default_filter(SSH); - Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); - Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]); + Log::create_stream(Test::LOG, [$columns=Log]); + Log::remove_default_filter(Test::LOG); + Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); + Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local r: Log = [$t=network_time(), $id=cid, $status="success"]; - Log::write(SSH, r); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(Test::LOG, r); + Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro index 08960eba86..ce2eb2862d 100644 --- a/testing/btest/scripts/base/frameworks/logging/remote-types.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/remote-types.bro @@ -15,7 +15,7 @@ module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { TEST }; + redef enum Log::ID += { LOG }; type Log: record { b: bool; @@ -39,7 +39,7 @@ export { event bro_init() { - Log::create_stream(TEST, [$columns=Log]); + Log::create_stream(Test::LOG, [$columns=Log]); } ##### @@ -55,10 +55,10 @@ event remote_connection_handshake_done(p: event_peer) local empty_set: set[string]; local empty_vector: vector of string; - Log::write(TEST, [ + Log::write(Test::LOG, [ $b=T, $i=-42, - $e=TEST, + $e=Test::LOG, $c=21, $p=123/tcp, $sn=10.0.0.1/24, diff --git a/testing/btest/scripts/base/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro index 00d7d69463..05c138e366 100644 --- a/testing/btest/scripts/base/frameworks/logging/remote.bro +++ b/testing/btest/scripts/base/frameworks/logging/remote.bro @@ -16,7 +16,7 @@ module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { TEST }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) @@ -30,8 +30,8 @@ export { event bro_init() { - Log::create_stream(TEST, [$columns=Log]); - Log::add_filter(TEST, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); + Log::create_stream(Test::LOG, [$columns=Log]); + Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); } ##### 
@@ -49,18 +49,18 @@ function fail(rec: Log): bool event remote_connection_handshake_done(p: event_peer) { - Log::add_filter(TEST, [$name="f2", $path="test.failure", $pred=fail]); + Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local r: Log = [$t=network_time(), $id=cid, $status="success"]; # Log something. - Log::write(TEST, r); - Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(TEST, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(Test::LOG, r); + Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro index 21b32c2b3e..bb7c302942 100644 --- a/testing/btest/scripts/base/frameworks/logging/remove.bro +++ b/testing/btest/scripts/base/frameworks/logging/remove.bro @@ -7,7 +7,7 @@ module SSH; export { # Create a new ID for our log stream - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) 
@@ -21,21 +21,21 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); - Log::add_filter(SSH, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]); + Log::create_stream(SSH::LOG, [$columns=Log]); + Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; # Log something. - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::remove_filter(SSH, "f1"); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="BR"]); + Log::remove_filter(SSH::LOG, "f1"); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]); - Log::remove_filter(SSH, "default"); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::remove_filter(SSH::LOG, "default"); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - Log::remove_filter(SSH, "doesn-not-exist"); + Log::remove_filter(SSH::LOG, "doesn-not-exist"); } diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro index 788fa090e9..55cc4d532e 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro 
@@ -7,7 +7,7 @@ module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { Test }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) @@ -32,12 +32,12 @@ redef Log::rotation_control += { event bro_init() { - Log::create_stream(Test, [$columns=Log]); - Log::add_filter(Test, [$name="2nd", $path="test2"]); + Log::create_stream(Test::LOG, [$columns=Log]); + Log::add_filter(Test::LOG, [$name="2nd", $path="test2"]); } event new_connection(c: connection) { - Log::write(Test, [$t=network_time(), $id=c$id]); + Log::write(Test::LOG, [$t=network_time(), $id=c$id]); } diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro index 4b496689f5..14123c56c6 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate.bro @@ -7,7 +7,7 @@ module Test; export { # Create a new ID for our log stream - redef enum Log::ID += { Test }; + redef enum Log::ID += { LOG }; # Define a record with all the columns the log file can have. # (I'm using a subset of fields from ssh-ext for demonstration.) @@ -22,10 +22,10 @@ redef Log::default_rotation_postprocessor_cmd = "echo"; event bro_init() { - Log::create_stream(Test, [$columns=Log]); + Log::create_stream(Test::LOG, [$columns=Log]); } event new_connection(c: connection) { - Log::write(Test, [$t=network_time(), $id=c$id]); + Log::write(Test::LOG, [$t=network_time(), $id=c$id]); } diff --git a/testing/btest/scripts/base/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.bro index 930a450d34..f431a5b6c9 100644 --- a/testing/btest/scripts/base/frameworks/logging/stdout.bro +++ b/testing/btest/scripts/base/frameworks/logging/stdout.bro 
@@ -6,7 +6,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; @@ -18,19 +18,19 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); - local filter = Log::get_filter(SSH, "default"); + local filter = Log::get_filter(SSH::LOG, "default"); filter$path= "/dev/stdout"; - Log::add_filter(SSH, filter); + Log::add_filter(SSH::LOG, filter); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.bro index c4fed50093..9f90d515fb 100644 --- a/testing/btest/scripts/base/frameworks/logging/test-logging.bro +++ b/testing/btest/scripts/base/frameworks/logging/test-logging.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { t: time; 
@@ -17,15 +17,15 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.bro index 9e299c643a..d79c667e50 100644 --- a/testing/btest/scripts/base/frameworks/logging/types.bro +++ b/testing/btest/scripts/base/frameworks/logging/types.bro @@ -9,7 +9,7 @@ redef LogAscii::empty_field = "EMPTY"; module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { b: bool; @@ -42,15 +42,15 @@ function foo(i : count) : string event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local empty_set: set[string]; local empty_vector: vector of string; - Log::write(SSH, [ + Log::write(SSH::LOG, [ $b=T, $i=-42, - $e=SSH, + $e=SSH::LOG, $c=21, $p=123/tcp, $sn=10.0.0.1/24, 
diff --git a/testing/btest/scripts/base/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.bro index 2a2bc779f3..00c5ff5117 100644 --- a/testing/btest/scripts/base/frameworks/logging/vec.bro +++ b/testing/btest/scripts/base/frameworks/logging/vec.bro @@ -5,7 +5,7 @@ module SSH; export { - redef enum Log::ID += { SSH }; + redef enum Log::ID += { LOG }; type Log: record { vec: vector of string &log; @@ -14,14 +14,14 @@ export { event bro_init() { - Log::create_stream(SSH, [$columns=Log]); + Log::create_stream(SSH::LOG, [$columns=Log]); local v: vector of string; v[1] = "2"; v[4] = "5"; - Log::write(SSH, [$vec=v]); + Log::write(SSH::LOG, [$vec=v]); } diff --git a/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test b/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test new file mode 100644 index 0000000000..a3e2a54c57 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/packet-filter/bad-filter.test @@ -0,0 +1,2 @@ +# @TEST-EXEC-FAIL: bro -r $TRACES/web.trace -f "bad filter" +# @TEST-EXEC: test -s .stderr diff --git a/testing/btest/scripts/base/init-default-coverage.bro b/testing/btest/scripts/base/init-default-coverage.bro index c2b2bb737d..d4336ce385 100644 --- a/testing/btest/scripts/base/init-default-coverage.bro +++ b/testing/btest/scripts/base/init-default-coverage.bro 
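Review bot: In the new bad-filter.test, `# @TEST-EXEC: test -s .stderr` only checks that something was written to stderr, so bro failing for an unrelated reason (a missing trace file, a script error) passes the test just as well as the rejected BPF filter. Since the `@TEST-EXEC-FAIL` line already requires a non-zero exit, the second line should pin the cause instead, e.g. `# @TEST-EXEC: grep -q "<expected filter error text>" .stderr` with the actual message bro prints for an unparseable filter. Without that the test cannot tell a deliberate rejection from a crash.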
@@ -1,11 +1,11 @@
 # Makes sure that all base/* scripts are loaded by default via init-default.bro;
 # and that all scripts loaded there in there actually exist.
-@TEST-EXEC: test -d $DIST/scripts/base
-@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro
-@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found"
-@TEST-EXEC: bro misc/loaded-scripts
-@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro' | awk 'NR>1{print $2}' | sed 's#/./#/#g' >loaded_scripts.log.tmp
-@TEST-EXEC: cat loaded_scripts.log.tmp | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
-@TEST-EXEC: cat loaded_scripts.log.tmp | sed "s#`cat prefix`#./#g" | sort >init-default.bro
-@TEST-EXEC: diff -u "all scripts found" init-default.bro 1>&2
+#@TEST-EXEC: test -d $DIST/scripts/base
+#@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro
+#@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found"
+#@TEST-EXEC: bro misc/loaded-scripts
+#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro' | awk 'NR>1{print $2}' | sed 's#/./#/#g' >loaded_scripts.log.tmp
+#@TEST-EXEC: cat loaded_scripts.log.tmp | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
+#@TEST-EXEC: cat loaded_scripts.log.tmp | sed "s#`cat prefix`#./#g" | sort >init-default.bro
+#@TEST-EXEC: diff -u "all scripts found" init-default.bro 1>&2
diff --git a/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
index 4e202c75ed..53b340d174 100644
--- a/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
+++ b/testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro
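Review bot: Every `@TEST-EXEC` line in init-default-coverage.bro is commented out, which leaves a test file with no commands and no explanation of why it was disabled. This is the check that every script under base/ is actually loaded by init-default.bro, so while it is off a script can silently drop out of the default load set and nobody is told; presumably the reorganization of scripts/ is the reason, but the file does not say so. Add a line above the commented commands such as `# Disabled: <reason> — re-enable when <condition>; tracked in <ticket placeholder>` so the next reader knows whether this is temporary, and prefer re-enabling it over keeping the dead block.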
@@ -10,8 +10,8 @@ redef HTTP::generate_md5 += /image\/png/; event bro_init() { - Log::remove_default_filter(HTTP::HTTP); - Log::add_filter(HTTP::HTTP, [$name="normalized-mime-types", + Log::remove_default_filter(HTTP::LOG); + Log::add_filter(HTTP::LOG, [$name="normalized-mime-types", $pred=function(rec: HTTP::Info): bool { if ( rec?$mime_type && HTTP::generate_md5 != rec$mime_type ) diff --git a/testing/btest/scripts/base/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.bro index 52ef81fbbf..9875683269 100644 --- a/testing/btest/scripts/base/protocols/http/http-pipelining.bro +++ b/testing/btest/scripts/base/protocols/http/http-pipelining.bro @@ -4,6 +4,6 @@ # mime type is irrelevant to this test, so filter it out event bro_init() { - Log::remove_default_filter(HTTP::HTTP); - Log::add_filter(HTTP::HTTP, [$name="less-mime-types", $exclude=set("mime_type")]); + Log::remove_default_filter(HTTP::LOG); + Log::add_filter(HTTP::LOG, [$name="less-mime-types", $exclude=set("mime_type")]); } diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test index a462e828de..32358d12a4 100644 --- a/testing/btest/scripts/base/protocols/irc/basic.test +++ b/testing/btest/scripts/base/protocols/irc/basic.test @@ -7,6 +7,6 @@ # dcc mime types are irrelevant to this test, so filter it out event bro_init() { - Log::remove_default_filter(IRC::IRC); - Log::add_filter(IRC::IRC, [$name="remove-mime", $exclude=set("dcc_mime_type")]); + Log::remove_default_filter(IRC::LOG); + Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]); } diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test index b6be26ddd4..0324a3f28f 100644 --- a/testing/btest/scripts/base/protocols/irc/dcc-extract.test +++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test 
@@ -13,8 +13,8 @@ redef IRC::extract_file_types=/.*/; event bro_init() { - Log::remove_default_filter(IRC::IRC); - Log::add_filter(IRC::IRC, [$name="normalized-mime-types", + Log::remove_default_filter(IRC::LOG); + Log::add_filter(IRC::LOG, [$name="normalized-mime-types", $pred=function(rec: IRC::Info): bool { if ( rec?$dcc_mime_type ) diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test index 09e6d3b242..ba0869f6d9 100644 --- a/testing/btest/scripts/base/protocols/smtp/mime-extract.test +++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test @@ -13,8 +13,8 @@ redef SMTP::extract_file_types=/text\/plain/; event bro_init() { - Log::remove_default_filter(SMTP::SMTP_ENTITIES); - Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types", + Log::remove_default_filter(SMTP::ENTITIES_LOG); + Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types", $pred=function(rec: SMTP::EntityInfo): bool { if ( rec?$mime_type ) diff --git a/testing/btest/scripts/base/protocols/smtp/mime.test b/testing/btest/scripts/base/protocols/smtp/mime.test index 37bbc6b14d..6d50d5919f 100644 --- a/testing/btest/scripts/base/protocols/smtp/mime.test +++ b/testing/btest/scripts/base/protocols/smtp/mime.test @@ -11,8 +11,8 @@ redef SMTP::generate_md5=/text\/plain/; event bro_init() { - Log::remove_default_filter(SMTP::SMTP_ENTITIES); - Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types", + Log::remove_default_filter(SMTP::ENTITIES_LOG); + Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types", $pred=function(rec: SMTP::EntityInfo): bool { if ( rec?$mime_type ) diff --git a/testing/btest/scripts/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro index 83c536925a..677cfa9f3d 100644 --- a/testing/btest/scripts/policy/protocols/conn/known-hosts.bro +++ b/testing/btest/scripts/policy/protocols/conn/known-hosts.bro 
@@ -1,18 +1,18 @@
 # A basic test of the known-hosts script's logging and asset_tracking options
-# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=LOCAL_HOSTS
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=LOCAL_HOSTS
 # @TEST-EXEC: mv known_hosts.log knownhosts-local.log
 # @TEST-EXEC: btest-diff knownhosts-local.log
-# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=REMOTE_HOSTS
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=REMOTE_HOSTS
 # @TEST-EXEC: mv known_hosts.log knownhosts-remote.log
 # @TEST-EXEC: btest-diff knownhosts-remote.log
-# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=ALL_HOSTS
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=ALL_HOSTS
 # @TEST-EXEC: mv known_hosts.log knownhosts-all.log
 # @TEST-EXEC: btest-diff knownhosts-all.log
-# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=NO_HOSTS
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=NO_HOSTS
 # @TEST-EXEC: test '!' -e known_hosts.log
 @load protocols/conn/known-hosts
diff --git a/testing/btest/scripts/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.bro
index 7adc7cb037..ab787b6bd4 100644
--- a/testing/btest/scripts/policy/protocols/conn/known-services.bro
+++ b/testing/btest/scripts/policy/protocols/conn/known-services.bro
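Review bot: The first context line of known-hosts.bro still describes the test as covering the `asset_tracking` options, while the commands below it now set `Known::host_tracking`; the description was not updated with the rename. Change it to `# A basic test of the known-hosts script's logging and host_tracking options`. The known-services.bro hunk that follows has the same stale wording and should read `... logging and service_tracking options` to match its `Known::service_tracking=` commands.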
@@ -1,18 +1,18 @@
 # A basic test of the known-services script's logging and asset_tracking options
-# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=LOCAL_HOSTS
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=LOCAL_HOSTS
 # @TEST-EXEC: mv known_services.log knownservices-local.log
 # @TEST-EXEC: btest-diff knownservices-local.log
-# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=REMOTE_HOSTS
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=REMOTE_HOSTS
 # @TEST-EXEC: mv known_services.log knownservices-remote.log
 # @TEST-EXEC: btest-diff knownservices-remote.log
-# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=ALL_HOSTS
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=ALL_HOSTS
 # @TEST-EXEC: mv known_services.log knownservices-all.log
 # @TEST-EXEC: btest-diff knownservices-all.log
-# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=NO_HOSTS
+# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=NO_HOSTS
 # @TEST-EXEC: test '!' -e known_services.log
 @load protocols/conn/known-services