diff --git a/policy/frameworks/dpd/dyn-disable.bro b/policy/frameworks/dpd/dyn-disable.bro
index bf18bb5405..8fd5c5b836 100644
--- a/policy/frameworks/dpd/dyn-disable.bro
+++ b/policy/frameworks/dpd/dyn-disable.bro
@@ -6,11 +6,11 @@ module DPD;
-redef enum Notice::Type += {
- ProtocolViolation
-};
-
 export {
+ redef enum Notice::Type += {
+ ProtocolViolation
+ };
+
 ## Ignore violations which go this many bytes into the connection.
 const max_data_volume = 10 * 1024 &redef;
 }
diff --git a/policy/frameworks/notice/base.bro b/policy/frameworks/notice/base.bro
index 578b66ba43..f30cec3d6f 100644
--- a/policy/frameworks/notice/base.bro
+++ b/policy/frameworks/notice/base.bro
@@ -9,11 +9,11 @@ module Notice;
-# This couldn't be named NOTICE because that id is already used by the
-# global function NOTICE().
-redef enum Log::ID += { NOTICE_LOG };
-
 export {
+ # This couldn't be named NOTICE because that id is already used by the
+ # global function NOTICE().
+ redef enum Log::ID += { NOTICE_LOG };
+
 ## Scripts creating new notices need to redef this enum to add their own
 ## specific notice types which would then get used when they call the
 ## :bro:id:`NOTICE` function. The convention is to give a general category
diff --git a/policy/frameworks/notice/defaults.bro b/policy/frameworks/notice/defaults.bro
index 702f3ce00f..822b7746b4 100644
--- a/policy/frameworks/notice/defaults.bro
+++ b/policy/frameworks/notice/defaults.bro
@@ -2,8 +2,10 @@
 ##! tune out high volume and less useful data from the logs.
 @load weird
+@load dpd
 # Remove these notices from logging since they can be too noisy.
 redef Notice::action_filters += {
 [[Weird::ContentGap, Weird::AckAboveHole]] = Notice::ignore_action,
+ [[DPD::ProtocolViolation]] = Notice::ignore_action,
 };
diff --git a/policy/frameworks/signatures/base.bro b/policy/frameworks/signatures/base.bro
index 20415550be..0be73e3dad 100644
--- a/policy/frameworks/signatures/base.bro
+++ b/policy/frameworks/signatures/base.bro
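Review bot: The new `[[DPD::ProtocolViolation]] = Notice::ignore_action` entry drops every protocol-violation notice from the notice log by default, and the only justification is the generic "too noisy" comment above it; a site that relies on those notices to spot analyzer evasion or tunnelled traffic loses them with no hint at the place where it happens. Please state that at the site, e.g. `# DPD::ProtocolViolation is suppressed by default; sites that use it to spot protocol evasion should drop this entry in their local policy.` The added `@load dpd` also means that loading the notice defaults now pulls in the DPD framework as a side effect, which deserves a sentence in the file header. Whether `@load dpd` additionally activates the analyzer disabling in dyn-disable.bro is not visible in this diff.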
@@ -4,29 +4,29 @@ module Signatures;
-redef enum Notice::Type += {
- ## Generic for alarm-worthy
- Sensitive_Signature,
- ## Host has triggered many signatures on the same host. The number of
- ## signatures is defined by the :bro:id:`vert_scan_thresholds` variable.
- Multiple_Signatures,
- ## Host has triggered the same signature on multiple hosts as defined by the
- ## :bro:id:`horiz_scan_thresholds` variable.
- Multiple_Sig_Responders,
- ## The same signature has triggered multiple times for a host. The number
- ## of times the signature has be trigger is defined by the
- ## :bro:id:`count_thresholds` variable. To generate this notice, the
- ## :bro:enum:`SIG_COUNT_PER_RESP` action must be set for the signature.
- Count_Signature,
- ## Summarize the number of times a host triggered a signature. The
- ## interval between summaries is defined by the :bro:id:`summary_interval`
- ## variable.
- Signature_Summary,
-};
-
-redef enum Log::ID += { SIGNATURES };
-
 export {
+ redef enum Notice::Type += {
+ ## Generic for alarm-worthy
+ Sensitive_Signature,
+ ## Host has triggered many signatures on the same host. The number of
+ ## signatures is defined by the :bro:id:`vert_scan_thresholds` variable.
+ Multiple_Signatures,
+ ## Host has triggered the same signature on multiple hosts as defined by the
+ ## :bro:id:`horiz_scan_thresholds` variable.
+ Multiple_Sig_Responders,
+ ## The same signature has triggered multiple times for a host. The number
+ ## of times the signature has be trigger is defined by the
+ ## :bro:id:`count_thresholds` variable. To generate this notice, the
+ ## :bro:enum:`SIG_COUNT_PER_RESP` action must be set for the signature.
+ Count_Signature,
+ ## Summarize the number of times a host triggered a signature. The
+ ## interval between summaries is defined by the :bro:id:`summary_interval`
+ ## variable.
+ Signature_Summary,
+ };
+
+ redef enum Log::ID += { SIGNATURES };
+
 ## These are the default actions you can apply to signature matches.
## All of them write the signature record to the logging stream unless
 ## declared otherwise.
diff --git a/policy/frameworks/software/base.bro b/policy/frameworks/software/base.bro
index b15ea4d7bc..964651837c 100644
--- a/policy/frameworks/software/base.bro
+++ b/policy/frameworks/software/base.bro
@@ -11,17 +11,17 @@ module Software;
-redef enum Notice::Type += {
- ## For certain softwares, a version changing may matter. In that case,
- ## this notice will be generated. Software that matters if the version
- ## changes can be configured with the
- ## :bro:id:`Software::interesting_version_changes` variable.
- Software_Version_Change,
-};
-
-redef enum Log::ID += { SOFTWARE };
-
 export {
+ redef enum Notice::Type += {
+ ## For certain softwares, a version changing may matter. In that case,
+ ## this notice will be generated. Software that matters if the version
+ ## changes can be configured with the
+ ## :bro:id:`Software::interesting_version_changes` variable.
+ Software_Version_Change,
+ };
+
+ redef enum Log::ID += { SOFTWARE };
+
 type Type: enum {
 UNKNOWN,
 OPERATING_SYSTEM,
diff --git a/policy/protocols/conn/base.bro b/policy/protocols/conn/base.bro
index 47c914517f..0d8789656d 100644
--- a/policy/protocols/conn/base.bro
+++ b/policy/protocols/conn/base.bro
@@ -2,9 +2,9 @@ module Conn;
-redef enum Log::ID += { CONN };
-
 export {
+ redef enum Log::ID += { CONN };
+
 type Info: record {
 ## This is the time of the first packet.
 ts: time &log;
diff --git a/policy/protocols/dns/base.bro b/policy/protocols/dns/base.bro
index 7efe0ab0b6..713964dc0d 100644
--- a/policy/protocols/dns/base.bro
+++ b/policy/protocols/dns/base.bro
@@ -3,9 +3,9 @@ module DNS;
-redef enum Log::ID += { DNS };
-
 export {
+ redef enum Log::ID += { DNS };
+
 type Info: record {
 ts: time &log;
 uid: string &log;
diff --git a/policy/protocols/dns/detect.bro b/policy/protocols/dns/detect.bro
index 8c0ab65ed9..a1d4575f3b 100644
--- a/policy/protocols/dns/detect.bro
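Review bot: The doc comment on `Count_Signature` that this hunk moves into the `export` block still reads `## of times the signature has be trigger is defined by the`, and since `export` is what the documentation generator picks up, the slip now lands in published docs. Suggest `## of times the signature has been triggered is defined by the`. The trailing context line `## All of them write ...` is the start of a comment that continues past the hunk.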
+++ b/policy/protocols/dns/detect.bro
@@ -13,12 +13,14 @@ module DNS;
-redef enum Notice::Type += {
- ## Raised when a non-local name is found to be pointing at a local host.
- ## This only works appropriately when all of your authoritative DNS
- ## servers are located in your :bro:id:`local_nets`.
- DNS_ExternalName,
- };
+export {
+ redef enum Notice::Type += {
+ ## Raised when a non-local name is found to be pointing at a local host.
+ ## This only works appropriately when all of your authoritative DNS
+ ## servers are located in your :bro:id:`local_nets`.
+ DNS_ExternalName,
+ };
+}
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
 {
diff --git a/policy/protocols/ftp/base.bro b/policy/protocols/ftp/base.bro
index 292c881f3e..ba8faabe54 100644
--- a/policy/protocols/ftp/base.bro
+++ b/policy/protocols/ftp/base.bro
@@ -15,9 +15,9 @@ module FTP;
-redef enum Log::ID += { FTP };
-
 export {
+ redef enum Log::ID += { FTP };
+
 ## This setting changes if passwords used in FTP sessions are captured or not.
 const default_capture_password = F &redef;
diff --git a/policy/protocols/ftp/detect.bro b/policy/protocols/ftp/detect.bro
index 0c7741bd6a..9391f53adc 100644
--- a/policy/protocols/ftp/detect.bro
+++ b/policy/protocols/ftp/detect.bro
@@ -3,11 +3,13 @@ module FTP;
-redef enum Notice::Type += {
- ## This indicates that a successful response to a "SITE EXEC"
- ## command/arg pair was seen.
- FTP_Site_Exec_Success,
-};
+export {
+ redef enum Notice::Type += {
+ ## This indicates that a successful response to a "SITE EXEC"
+ ## command/arg pair was seen.
+ Site_Exec_Success,
+ };
+}
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=3
 {
@@ -18,7 +20,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 c$ftp$cmdarg$cmd == "SITE" &&
 /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
 {
- NOTICE([$note=FTP_Site_Exec_Success, $conn=c,
+ NOTICE([$note=Site_Exec_Success, $conn=c,
 $msg=fmt("%s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg)]);
 }
 }
\ No newline at end of file
diff --git a/policy/protocols/ftp/software.bro b/policy/protocols/ftp/software.bro
index dd88be07f7..3ae2067d26 100644
--- a/policy/protocols/ftp/software.bro
+++ b/policy/protocols/ftp/software.bro
@@ -11,10 +11,12 @@ module FTP;
-redef enum Software::Type += {
- FTP_CLIENT,
- FTP_SERVER,
-};
+export {
+ redef enum Software::Type += {
+ FTP_CLIENT,
+ FTP_SERVER,
+ };
+}
 event ftp_request(c: connection, command: string, arg: string) &priority=4
 {
diff --git a/policy/protocols/http/base.bro b/policy/protocols/http/base.bro
index f5e19bd389..5decc49ffc 100644
--- a/policy/protocols/http/base.bro
+++ b/policy/protocols/http/base.bro
@@ -2,9 +2,9 @@ module HTTP;
-redef enum Log::ID += { HTTP };
-
 export {
+ redef enum Log::ID += { HTTP };
+
 ## Indicate a type of attack or compromise in the record to be logged.
 type Tags: enum {
 EMPTY
diff --git a/policy/protocols/http/detect-sqli.bro b/policy/protocols/http/detect-sqli.bro
index 8945405ea8..c04419a16f 100644
--- a/policy/protocols/http/detect-sqli.bro
+++ b/policy/protocols/http/detect-sqli.bro
@@ -1,25 +1,25 @@
 ##! SQL injection detection in HTTP.
 @load http/base
-@load notice
+@load metrics
 module HTTP;
-redef enum Notice::Type += {
- SQL_Injection_Attack,
-};
-
-redef enum Tags += {
- ## Indicator of a URI based SQL injection attack.
- URI_SQLI,
- ## Indicator of client body based SQL injection attack. This is
- ## typically the body content of a POST request. Not implemented yet!
- POST_SQLI,
- ## Indicator of a cookie based SQL injection attack. Not implemented yet!
- COOKIE_SQLI,
-};
-
 export {
+ redef enum Notice::Type += {
+ SQL_Injection_Attack,
+ };
+
+ redef enum Tags += {
+ ## Indicator of a URI based SQL injection attack.
+ URI_SQLI,
+ ## Indicator of client body based SQL injection attack. This is
+ ## typically the body content of a POST request. Not implemented yet!
+ POST_SQLI,
+ ## Indicator of a cookie based SQL injection attack. Not implemented yet!
+ COOKIE_SQLI,
+ };
+
 ## This regular expression is used to match URI based SQL injections
 const match_sql_injection_uri = /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/
diff --git a/policy/protocols/http/detect-webapps.bro b/policy/protocols/http/detect-webapps.bro
index 2ca3f30e58..faca849721 100644
--- a/policy/protocols/http/detect-webapps.bro
+++ b/policy/protocols/http/detect-webapps.bro
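Review bot: The hunk replaces `-@load notice` with `+@load metrics` while the file still extends `Notice::Type` a few lines further down, so the notice framework is now available only if `http/base` (or something it loads) happens to pull it in, and nothing in this diff shows that it does. Keeping `@load notice` next to the new `@load metrics` costs nothing and makes the dependency explicit. Nothing in the visible part of the file uses the metrics framework either, so a one-line comment saying what it is loaded for would help the next reader.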
@@ -10,13 +10,15 @@ redef signature_files += "http/detect-webapps.sig";
 # Ignore the signatures used to match webapps
 redef Signatures::ignored_ids += /^webapp-/;
-redef enum Software::Type += {
- WEB_APPLICATION,
-};
+export {
+ redef enum Software::Type += {
+ WEB_APPLICATION,
+ };
-redef record Software::Info += {
- url: string &optional &log;
-};
+ redef record Software::Info += {
+ url: string &optional &log;
+ };
+}
 event signature_match(state: signature_state, msg: string, data: string) &priority=5
 {
diff --git a/policy/protocols/http/file-extract.bro b/policy/protocols/http/file-extract.bro
index 46dafece44..178ce0bb5f 100644
--- a/policy/protocols/http/file-extract.bro
+++ b/policy/protocols/http/file-extract.bro
@@ -19,22 +19,22 @@ export {
 ## The on-disk prefix for files to be extracted from HTTP entity bodies.
 const extraction_prefix = "http-item" &redef;
-}
-redef record Info += {
- ## This field can be set per-connection to determine if the entity body
- ## will be extracted. It must be set to T on or before the first
- ## entity_body_data event.
- extract_file: bool &default=F;
+ redef record Info += {
+ ## This field can be set per-connection to determine if the entity body
+ ## will be extracted. It must be set to T on or before the first
+ ## entity_body_data event.
+ extract_file: bool &default=F;
- ## This is the holder for the file handle as the file is being written
- ## to disk.
- extraction_file: file &log &optional;
-};
+ ## This is the holder for the file handle as the file is being written
+ ## to disk.
+ extraction_file: file &log &optional;
+ };
-redef record State += {
- entity_bodies: count &optional;
-};
+ redef record State += {
+ entity_bodies: count &optional;
+ };
+}
 ## Mark files to be extracted if they were identified as a mime type matched
 ## by the extract_file_types variable and they aren't being extracted yet.
diff --git a/policy/protocols/http/file-hash.bro b/policy/protocols/http/file-hash.bro
index e4f52291a2..6fed48b3b2 100644
--- a/policy/protocols/http/file-hash.bro
+++ b/policy/protocols/http/file-hash.bro
@@ -5,16 +5,13 @@ module HTTP;
-redef enum Notice::Type += {
- ## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.
- ## http://www.team-cymru.org/Services/MHR/
- HTTP_MHR_Malware,
-
- ## Notice type when locally defined MD5 sums are encountered.
- HTTP_MD5,
-};
-
 export {
+ redef enum Notice::Type += {
+ ## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.
+ ## http://www.team-cymru.org/Services/MHR/
+ HTTP_MHR_Malware,
+ };
+
 redef record Info += {
 ## The MD5 sum for a file transferred over HTTP will be stored here.
 md5: string &log &optional;
@@ -29,15 +26,9 @@ export {
 calculating_md5: bool &default=F;
 };
- # Generate MD5 sums for these filetypes.
+ ## Generate MD5 sums for these filetypes.
 const generate_md5 = /application\/x-dosexec/ # Windows and DOS executables
 | /application\/x-executable/ &redef; # *NIX executable binary
-
- # MD5 sums that are "interesting" for your local network.
- # The index is the MD5 sum and the yield value is used as the $msg value
- # for notices so that you can filter in your local notice policy.
- # TODO: this will change to use the intelligence framework.
- const interesting_md5: table[string] of string &redef;
 }
@@ -75,15 +66,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
 local url = build_url(c$http);
 c$http$calculating_md5 = F;
 c$http$md5 = md5_hash_finish(c$id);
-
- if ( c$http$md5 in interesting_md5 )
- {
- NOTICE([$note=HTTP_MD5, $conn=c, $method=c$http$method,
- $URL=url,
- $msg=interesting_md5[c$http$md5],
- $sub=c$http$md5]);
- }
-
+
 local hash_domain = fmt("%s.malware.hash.cymru.com", c$http$md5);
 when ( local addrs = lookup_hostname(hash_domain) )
 {
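Review bot: With the local `interesting_md5` check removed, the remaining body of `http_message_done` unconditionally resolves `<md5>.malware.hash.cymru.com` for every file matched by `generate_md5`, so the hash of every executable seen on the wire now leaves the monitored network as a DNS query to a third party with no way to opt out. A redef-able switch would let sites that cannot share that data keep the hashing and skip the lookup: add `const lookup_malware_hash_registry = T &redef;` to the export block and wrap the `hash_domain` / `when` block in `if ( lookup_malware_hash_registry )`. The deleted comment promised that local-hash matching would move to the intelligence framework, but no replacement is part of this diff, so that capability is simply gone for now. The `when` block and the enclosing event handler continue past the end of the hunk.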
diff --git a/policy/protocols/http/file-ident.bro b/policy/protocols/http/file-ident.bro
index 00dcf3a87f..0a6b8d3f52 100644
--- a/policy/protocols/http/file-ident.bro
+++ b/policy/protocols/http/file-ident.bro
@@ -9,19 +9,18 @@ module HTTP;
-redef enum Notice::Type += {
- # This notice is thrown when the file extension doesn't
- # seem to match the file contents.
- HTTP_IncorrectFileType,
-};
-
-redef record Info += {
- ## This will record the mime_type identified.
- mime_type: string &log &optional;
-};
-
-
 export {
+ redef enum Notice::Type += {
+ # This notice is thrown when the file extension doesn't
+ # seem to match the file contents.
+ IncorrectFileType,
+ };
+
+ redef record Info += {
+ ## This will record the mime_type identified.
+ mime_type: string &log &optional;
+ };
+
 redef enum Tags += {
 IDENTIFIED_FILE
 };
@@ -65,7 +64,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 {
 local url = build_url(c$http);
 local message = fmt("%s %s %s", msg, c$http$method, url);
-NOTICE([$note=HTTP_IncorrectFileType,
+NOTICE([$note=IncorrectFileType,
 $msg=message,
 $conn=c,
 $method=c$http$method,
diff --git a/policy/protocols/http/headers.bro b/policy/protocols/http/headers.bro
index bd3a5cfe4b..57d8af606c 100644
--- a/policy/protocols/http/headers.bro
+++ b/policy/protocols/http/headers.bro
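Review bot: The two comment lines above `IncorrectFileType` use `#` rather than `##`, so now that the enum lives inside `export` the notice type will show up in generated docs with no description while its neighbour `mime_type` gets one; change them to `## This notice is thrown when the file extension doesn't` / `## seem to match the file contents.`. Dropping the `HTTP_` prefix matches what this commit does for FTP and SSH, but `HTTP_MHR_Malware` in file-hash.bro keeps its prefix, so the naming within the HTTP module is left inconsistent.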
@@ -4,13 +4,15 @@ module HTTP;
-redef record Info += {
- ## The vector of HTTP headers. No header values are included here, just
- ## the header names.
- ## TODO: with an empty vector as &default, the vector isn't coerced to the
- ## correct type.
- headers: vector of string &log &optional;
-};
+export {
+ redef record Info += {
+ ## The vector of HTTP headers. No header values are included here, just
+ ## the header names.
+ ## TODO: with an empty vector as &default, the vector isn't coerced to the
+ ## correct type.
+ headers: vector of string &log &optional;
+ };
+}
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=4
 {
diff --git a/policy/protocols/http/software.bro b/policy/protocols/http/software.bro
index c8fa851312..28688536a4 100644
--- a/policy/protocols/http/software.bro
+++ b/policy/protocols/http/software.bro
@@ -5,21 +5,20 @@ module HTTP;
-redef enum Software::Type += {
- WEB_SERVER,
- WEB_BROWSER,
- WEB_BROWSER_PLUGIN
-};
-
-
 export {
+ redef enum Software::Type += {
+ WEB_SERVER,
+ WEB_BROWSER,
+ WEB_BROWSER_PLUGIN
+ };
+
 ## The pattern of HTTP User-Agents which you would like to ignore.
 const ignored_user_agents = /NO_DEFAULT/ &redef;
 ## These are patterns to identify browser plugins (including toolbars)
 ## based on the User-Agent header.
- const plugin_user_agents = /BingBar [0-9\.]*/ # Bing toolbar
- | /GoogleToolbar [0-9\.]*;/ &redef; # Google toolbar
+ const plugin_user_agents = /BingBar [0-9\.]*/ ##< Bing toolbar
+ | /GoogleToolbar [0-9\.]*;/ &redef; ##< Google toolbar
 }
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
@@ -46,8 +45,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 else
 {
 if ( name == "SERVER" )
- {
 Software::found(c$id, Software::parse(value, c$id$resp_h, WEB_SERVER));
- }
 }
 }
\ No newline at end of file
diff --git a/policy/protocols/irc/base.bro b/policy/protocols/irc/base.bro
index 260bd7a6e3..5dffa34ffc 100644
--- a/policy/protocols/irc/base.bro
+++ b/policy/protocols/irc/base.bro
@@ -6,9 +6,9 @@ module IRC;
-redef enum Log::ID += { IRC };
-
 export {
+ redef enum Log::ID += { IRC };
+
 type Tag: enum {
 EMPTY
 };
diff --git a/policy/protocols/mime/base.bro b/policy/protocols/mime/base.bro
index 37941348cc..f41d1e18d2 100644
--- a/policy/protocols/mime/base.bro
+++ b/policy/protocols/mime/base.bro
@@ -5,9 +5,9 @@ module MIME;
-redef enum Log::ID += { MIME };
-
 export {
+ redef enum Log::ID += { MIME };
+
 # Let's assume for now that nothing transferring files using
 # MIME attachments is multiplexing for simplicity's sake.
 # We can make the assumption that one connection == one file (at a time)
diff --git a/policy/protocols/smtp/base.bro b/policy/protocols/smtp/base.bro
index ccc7d02f8b..7a6129934e 100644
--- a/policy/protocols/smtp/base.bro
+++ b/policy/protocols/smtp/base.bro
@@ -7,18 +7,18 @@ module SMTP;
-redef enum Notice::Type += {
- ## Indicates that the server sent a reply mentioning an SMTP block list.
- SMTP_BL_Error_Message,
- ## Indicates the client's address is seen in the block list error message.
- SMTP_BL_Blocked_Host,
- ## When mail seems to originate from a suspicious location.
- SMTP_Suspicious_Origination,
-};
-
-redef enum Log::ID += { SMTP };
-
 export {
+ redef enum Log::ID += { SMTP };
+
+ redef enum Notice::Type += {
+ ## Indicates that the server sent a reply mentioning an SMTP block list.
+ SMTP_BL_Error_Message,
+ ## Indicates the client's address is seen in the block list error message.
+ SMTP_BL_Blocked_Host,
+ ## When mail seems to originate from a suspicious location.
+ SMTP_Suspicious_Origination,
+ };
+
 type Info: record {
 ts: time &log;
 uid: string &log;
diff --git a/policy/protocols/smtp/software.bro b/policy/protocols/smtp/software.bro
index 63c1d82ae4..b8751a39cb 100644
--- a/policy/protocols/smtp/software.bro
+++ b/policy/protocols/smtp/software.bro
@@ -6,10 +6,12 @@ module SMTP;
-redef enum Software::Type += {
- MAIL_CLIENT,
- MAIL_SERVER,
-};
+export {
+ redef enum Software::Type += {
+ MAIL_CLIENT,
+ MAIL_SERVER,
+ };
+}
 event log_smtp(rec: Info)
 {
diff --git a/policy/protocols/smtp/webmail-ident.bro b/policy/protocols/smtp/webmail-ident.bro
index b8b0db98ec..d5d563dfb2 100644
--- a/policy/protocols/smtp/webmail-ident.bro
+++ b/policy/protocols/smtp/webmail-ident.bro
@@ -12,13 +12,13 @@ module SMTP;
-redef record Info += {
- ## Boolean indicator of if the message was sent through a webmail
- ## interface.
- is_webmail: bool &log &default=F;
-};
-
 export {
+ redef record Info += {
+ ## Boolean indicator of if the message was sent through a webmail
+ ## interface.
+ is_webmail: bool &log &default=F;
+ };
+
 ## A regular expression to match USER-AGENT-like headers to find if a
 ## message was sent with a webmail interface.
 const webmail_user_agents =
diff --git a/policy/protocols/ssh/base.bro b/policy/protocols/ssh/base.bro
index 04f3921409..4f3827bd76 100644
--- a/policy/protocols/ssh/base.bro
+++ b/policy/protocols/ssh/base.bro
@@ -3,17 +3,17 @@ module SSH;
-redef enum Notice::Type += {
- SSH_Login,
- SSH_PasswordGuessing,
- SSH_LoginByPasswordGuesser,
- SSH_Login_From_Interesting_Hostname,
- SSH_Bytecount_Inconsistency,
-};
-
-redef enum Log::ID += { SSH };
-
 export {
+ redef enum Log::ID += { SSH };
+
+ redef enum Notice::Type += {
+ Login,
+ PasswordGuessing,
+ LoginByPasswordGuesser,
+ Login_From_Interesting_Hostname,
+ Bytecount_Inconsistency,
+ };
+
 type Info: record {
 ts: time &log;
 uid: string &log;
@@ -142,7 +142,7 @@ function check_ssh_connection(c: connection, done: bool)
 if ( default_check_threshold(password_rejections[c$id$orig_h]) )
 {
 add password_guessers[c$id$orig_h];
- NOTICE([$note=SSH_PasswordGuessing,
+ NOTICE([$note=PasswordGuessing,
 $conn=c,
 $msg=fmt("SSH password guessing by %s", c$id$orig_h),
 $sub=fmt("%d failed logins", password_rejections[c$id$orig_h]$n),
@@ -162,7 +162,7 @@ function check_ssh_connection(c: connection, done: bool)
 c$id$orig_h !in password_guessers )
 {
 add password_guessers[c$id$orig_h];
- NOTICE([$note=SSH_LoginByPasswordGuesser,
+ NOTICE([$note=LoginByPasswordGuesser,
 $conn=c,
 $n=password_rejections[c$id$orig_h]$n,
 $msg=fmt("Successful SSH login by password guesser %s", c$id$orig_h),
@@ -174,7 +174,7 @@ function check_ssh_connection(c: connection, done: bool)
 location$latitude, location$longitude, id_string(c$id), c$resp$size);
 # TODO: rewrite the message once a location variable can be put in notices
- NOTICE([$note=SSH_Login,
+ NOTICE([$note=Login,
 $conn=c,
 $msg=message,
 $sub=location$country_code]);
@@ -184,7 +184,7 @@ function check_ssh_connection(c: connection, done: bool)
 {
 if ( interesting_hostnames in hostname )
 {
- NOTICE([$note=SSH_Login_From_Interesting_Hostname,
+ NOTICE([$note=Login_From_Interesting_Hostname,
 $conn=c,
 $msg=fmt("Strange login from %s", hostname),
 $sub=hostname]);
@@ -193,7 +193,7 @@ function check_ssh_connection(c: connection, done: bool)
 }
 else if ( c$resp$size >= 200000000 )
 {
- NOTICE([$note=SSH_Bytecount_Inconsistency,
+ NOTICE([$note=Bytecount_Inconsistency,
 $conn=c,
 $msg="During byte counting in SSH analysis, an overly large value was seen.",
 $sub=fmt("%d",c$resp$size)]);
diff --git a/policy/protocols/ssh/software.bro b/policy/protocols/ssh/software.bro
index 4dd795ea2c..8294684332 100644
--- a/policy/protocols/ssh/software.bro
+++ b/policy/protocols/ssh/software.bro
@@ -3,10 +3,12 @@ module SSH;
-redef enum Software::Type += {
- SSH_SERVER,
- SSH_CLIENT,
-};
+export {
+ redef enum Software::Type += {
+ SSH_SERVER,
+ SSH_CLIENT,
+ };
+}
 event ssh_client_version(c: connection, version: string) &priority=4
 {