Reshuffling notice declarations to make them exported.

- Notices were not available outside of their namespaces.

policy/frameworks/dpd/dyn-disable.bro

@@ -6,11 +6,11 @@
 
 module DPD;
 
-redef enum Notice::Type += {
-	ProtocolViolation
-};
-
 export {
+	redef enum Notice::Type += {
+		ProtocolViolation
+	};
+
 	## Ignore violations which go this many bytes into the connection.
 	const max_data_volume = 10 * 1024 &redef;
 }

policy/frameworks/notice/base.bro

@@ -9,11 +9,11 @@
 
 module Notice;
 
-# This couldn't be named NOTICE because that id is already used by the
-# global function NOTICE().
-redef enum Log::ID += { NOTICE_LOG };
-
 export {
+	# This couldn't be named NOTICE because that id is already used by the
+	# global function NOTICE().
+	redef enum Log::ID += { NOTICE_LOG };
+
 	## Scripts creating new notices need to redef this enum to add their own 
 	## specific notice types which would then get used when they call the
 	## :bro:id:`NOTICE` function.  The convention is to give a general category

policy/frameworks/notice/defaults.bro

@@ -2,8 +2,10 @@
 ##! tune out high volume and less useful data from the logs.
 
 @load weird
+@load dpd
 
 # Remove these notices from logging since they can be too noisy.
 redef Notice::action_filters += {
 	[[Weird::ContentGap, Weird::AckAboveHole]] = Notice::ignore_action,
+	[[DPD::ProtocolViolation]] = Notice::ignore_action,
 };

policy/frameworks/signatures/base.bro

@@ -4,29 +4,29 @@
 
 module Signatures;
 
-redef enum Notice::Type += {
-	## Generic for alarm-worthy
-	Sensitive_Signature,
-	## Host has triggered many signatures on the same host.  The number of 
-	## signatures is defined by the :bro:id:`vert_scan_thresholds` variable.
-	Multiple_Signatures,
-	## Host has triggered the same signature on multiple hosts as defined by the
-	## :bro:id:`horiz_scan_thresholds` variable.
-	Multiple_Sig_Responders,
-	## The same signature has triggered multiple times for a host.  The number 
-	## of times the signature has be trigger is defined by the 
-	## :bro:id:`count_thresholds` variable.  To generate this notice, the
-	## :bro:enum:`SIG_COUNT_PER_RESP` action must be set for the signature.
-	Count_Signature,
-	## Summarize the number of times a host triggered a signature.  The 
-	## interval between summaries is defined by the :bro:id:`summary_interval` 
-	## variable.
-	Signature_Summary,
-};
-
-redef enum Log::ID += { SIGNATURES };
-
 export {
+	redef enum Notice::Type += {
+		## Generic for alarm-worthy
+		Sensitive_Signature,
+		## Host has triggered many signatures on the same host.  The number of 
+		## signatures is defined by the :bro:id:`vert_scan_thresholds` variable.
+		Multiple_Signatures,
+		## Host has triggered the same signature on multiple hosts as defined by the
+		## :bro:id:`horiz_scan_thresholds` variable.
+		Multiple_Sig_Responders,
+		## The same signature has triggered multiple times for a host.  The number 
+		## of times the signature has be trigger is defined by the 
+		## :bro:id:`count_thresholds` variable.  To generate this notice, the
+		## :bro:enum:`SIG_COUNT_PER_RESP` action must be set for the signature.
+		Count_Signature,
+		## Summarize the number of times a host triggered a signature.  The 
+		## interval between summaries is defined by the :bro:id:`summary_interval` 
+		## variable.
+		Signature_Summary,
+	};
+
+	redef enum Log::ID += { SIGNATURES };
+
 	## These are the default actions you can apply to signature matches.
 	## All of them write the signature record to the logging stream unless
 	## declared otherwise.

policy/frameworks/software/base.bro

@@ -11,17 +11,17 @@
 
 module Software;
 
-redef enum Notice::Type += { 
-	## For certain softwares, a version changing may matter.  In that case, 
-	## this notice will be generated.  Software that matters if the version
-	## changes can be configured with the 
-	## :bro:id:`Software::interesting_version_changes` variable.
-	Software_Version_Change,
-};
-
-redef enum Log::ID += { SOFTWARE };
-
 export {
+	redef enum Notice::Type += { 
+		## For certain softwares, a version changing may matter.  In that case, 
+		## this notice will be generated.  Software that matters if the version
+		## changes can be configured with the 
+		## :bro:id:`Software::interesting_version_changes` variable.
+		Software_Version_Change,
+	};
+
+	redef enum Log::ID += { SOFTWARE };
+
 	type Type: enum {
 		UNKNOWN,
 		OPERATING_SYSTEM,

policy/protocols/conn/base.bro

@@ -2,9 +2,9 @@
 
 module Conn;
 
-redef enum Log::ID += { CONN };
-
 export {
+	redef enum Log::ID += { CONN };
+
 	type Info: record {
 		## This is the time of the first packet.
 		ts:           time            &log;

policy/protocols/dns/base.bro

@@ -3,9 +3,9 @@
 
 module DNS;
 
-redef enum Log::ID += { DNS };
-
 export {
+	redef enum Log::ID += { DNS };
+	
 	type Info: record {
 		ts:            time            &log;
 		uid:           string          &log;

policy/protocols/dns/detect.bro

@@ -13,12 +13,14 @@
 
 module DNS;
 
-redef enum Notice::Type += { 
-	## Raised when a non-local name is found to be pointing at a local host.
-	## This only works appropriately when all of your authoritative DNS
-	## servers are located in your :bro:id:`local_nets`.
-	DNS_ExternalName, 
-	};
+export {
+	redef enum Notice::Type += { 
+		## Raised when a non-local name is found to be pointing at a local host.
+		## This only works appropriately when all of your authoritative DNS
+		## servers are located in your :bro:id:`local_nets`.
+		DNS_ExternalName, 
+		};
+}
 
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3
 	{

policy/protocols/ftp/base.bro

@@ -15,9 +15,9 @@
 
 module FTP;
 
-redef enum Log::ID += { FTP };
-
 export {
+	redef enum Log::ID += { FTP };
+
 	## This setting changes if passwords used in FTP sessions are captured or not.
 	const default_capture_password = F &redef;
 

policy/protocols/ftp/detect.bro

@@ -3,11 +3,13 @@
 
 module FTP;
 
-redef enum Notice::Type += {
-	## This indicates that a successful response to a "SITE EXEC" 
-	## command/arg pair was seen.
-	FTP_Site_Exec_Success,
-};
+export {
+	redef enum Notice::Type += {
+		## This indicates that a successful response to a "SITE EXEC" 
+		## command/arg pair was seen.
+		Site_Exec_Success,
+	};
+}
 
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=3
 	{
@@ -18,7 +20,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 	     c$ftp$cmdarg$cmd == "SITE" && 
 	     /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
 		{
-		NOTICE([$note=FTP_Site_Exec_Success, $conn=c,
+		NOTICE([$note=Site_Exec_Success, $conn=c,
 		        $msg=fmt("%s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg)]);
 		}
 	}

policy/protocols/ftp/software.bro

@@ -11,10 +11,12 @@
 
 module FTP;
 
-redef enum Software::Type += {
-	FTP_CLIENT,
-	FTP_SERVER,
-};
+export {
+	redef enum Software::Type += {
+		FTP_CLIENT,
+		FTP_SERVER,
+	};
+}
 
 event ftp_request(c: connection, command: string, arg: string) &priority=4
 	{

policy/protocols/http/base.bro

@@ -2,9 +2,9 @@
 
 module HTTP;
 
-redef enum Log::ID += { HTTP };
-
 export {
+	redef enum Log::ID += { HTTP };
+
 	## Indicate a type of attack or compromise in the record to be logged.
 	type Tags: enum {
 		EMPTY

policy/protocols/http/detect-sqli.bro

@@ -1,25 +1,25 @@
 ##! SQL injection detection in HTTP.
 
 @load http/base
-@load notice
+@load metrics
 
 module HTTP;
 
-redef enum Notice::Type += {
-	SQL_Injection_Attack,
-};
-
-redef enum Tags += {
-	## Indicator of a URI based SQL injection attack.
-	URI_SQLI,
-	## Indicator of client body based SQL injection attack.  This is 
-	## typically the body content of a POST request. Not implemented yet!
-	POST_SQLI,
-	## Indicator of a cookie based SQL injection attack. Not implemented yet!
-	COOKIE_SQLI,
-};
-
 export {
+	redef enum Notice::Type += {
+		SQL_Injection_Attack,
+	};
+
+	redef enum Tags += {
+		## Indicator of a URI based SQL injection attack.
+		URI_SQLI,
+		## Indicator of client body based SQL injection attack.  This is 
+		## typically the body content of a POST request. Not implemented yet!
+		POST_SQLI,
+		## Indicator of a cookie based SQL injection attack. Not implemented yet!
+		COOKIE_SQLI,
+	};
+
 	## This regular expression is used to match URI based SQL injections
 	const match_sql_injection_uri = 
 		/[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/

policy/protocols/http/detect-webapps.bro

@@ -10,13 +10,15 @@ redef signature_files += "http/detect-webapps.sig";
 # Ignore the signatures used to match webapps
 redef Signatures::ignored_ids += /^webapp-/;
 
-redef enum Software::Type += {
-	WEB_APPLICATION,
-};
+export {
+	redef enum Software::Type += {
+		WEB_APPLICATION,
+	};
 
-redef record Software::Info += {
-	url:   string &optional &log;
-};
+	redef record Software::Info += {
+		url:   string &optional &log;
+	};
+}
 
 event signature_match(state: signature_state, msg: string, data: string) &priority=5
 	{

policy/protocols/http/file-extract.bro

@@ -19,23 +19,23 @@ export {
 
 	## The on-disk prefix for files to be extracted from HTTP entity bodies.
 	const extraction_prefix = "http-item" &redef;
+
+	redef record Info += {
+		## This field can be set per-connection to determine if the entity body
+		## will be extracted.  It must be set to T on or before the first 
+		## entity_body_data event.
+		extract_file:        bool &default=F;
+	
+		## This is the holder for the file handle as the file is being written
+		## to disk.
+		extraction_file:      file &log &optional;
+	};
+
+	redef record State += {
+		entity_bodies:       count &optional;
+	};
 }
 
-redef record Info += {
-	## This field can be set per-connection to determine if the entity body
-	## will be extracted.  It must be set to T on or before the first 
-	## entity_body_data event.
-	extract_file:        bool &default=F;
-	
-	## This is the holder for the file handle as the file is being written
-	## to disk.
-	extraction_file:      file &log &optional;
-};
-
-redef record State += {
-	entity_bodies:       count &optional;
-};
-
 ## Mark files to be extracted if they were identified as a mime type matched 
 ## by the extract_file_types variable and they aren't being extracted yet.
 event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=6

policy/protocols/http/file-hash.bro

@@ -5,16 +5,13 @@
 
 module HTTP;
 
-redef enum Notice::Type += {
-	## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.  
-	## http://www.team-cymru.org/Services/MHR/
-	HTTP_MHR_Malware,
-
-	## Notice type when locally defined MD5 sums are encountered.
-	HTTP_MD5,
-};
-
 export {
+	redef enum Notice::Type += {
+		## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.  
+		## http://www.team-cymru.org/Services/MHR/
+		HTTP_MHR_Malware,
+	};
+
 	redef record Info += {
 		## The MD5 sum for a file transferred over HTTP will be stored here.
 		md5:             string   &log &optional;
@@ -29,15 +26,9 @@ export {
 		calculating_md5: bool &default=F;
 	};
 	
-	# Generate MD5 sums for these filetypes.
+	## Generate MD5 sums for these filetypes.
 	const generate_md5 = /application\/x-dosexec/    # Windows and DOS executables
 	                   | /application\/x-executable/ &redef; # *NIX executable binary
-	
-	# MD5 sums that are "interesting" for your local network.
-	# The index is the MD5 sum and the yield value is used as the $msg value
-	# for notices so that you can filter in your local notice policy.
-	# TODO: this will change to use the intelligence framework.
-	const interesting_md5: table[string] of string &redef;
 }
 
 
@@ -76,14 +67,6 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
 		c$http$calculating_md5 = F;
 		c$http$md5 = md5_hash_finish(c$id);
 				
-		if ( c$http$md5 in interesting_md5 )
-			{
-			NOTICE([$note=HTTP_MD5, $conn=c, $method=c$http$method, 
-			        $URL=url,
-			        $msg=interesting_md5[c$http$md5],
-			        $sub=c$http$md5]);
-			}
-		
 		local hash_domain = fmt("%s.malware.hash.cymru.com", c$http$md5);
 		when ( local addrs = lookup_hostname(hash_domain) )
 			{

policy/protocols/http/file-ident.bro

@@ -9,19 +9,18 @@
 
 module HTTP;
 
-redef enum Notice::Type += {
-	# This notice is thrown when the file extension doesn't 
-	# seem to match the file contents.
-	HTTP_IncorrectFileType,
-};
-
-redef record Info += {
-	## This will record the mime_type identified.
-	mime_type:    string   &log &optional;
-};
-
-
 export {
+	redef enum Notice::Type += {
+		# This notice is thrown when the file extension doesn't 
+		# seem to match the file contents.
+		IncorrectFileType,
+	};
+
+	redef record Info += {
+		## This will record the mime_type identified.
+		mime_type:    string   &log &optional;
+	};
+
 	redef enum Tags += {
 		IDENTIFIED_FILE
 	};
@@ -65,7 +64,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 		{
 		local url = build_url(c$http);
 		local message = fmt("%s %s %s", msg, c$http$method, url);
-		NOTICE([$note=HTTP_IncorrectFileType,
+		NOTICE([$note=IncorrectFileType,
 		        $msg=message,
 		        $conn=c,
 		        $method=c$http$method,

policy/protocols/http/headers.bro

@@ -4,13 +4,15 @@
 
 module HTTP;
 
-redef record Info += {
-	## The vector of HTTP headers.  No header values are included here, just
-	## the header names.
-	## TODO: with an empty vector as &default, the vector isn't coerced to the
-	## correct type.
-	headers:  vector of string &log &optional;
-};
+export {
+	redef record Info += {
+		## The vector of HTTP headers.  No header values are included here, just
+		## the header names.
+		## TODO: with an empty vector as &default, the vector isn't coerced to the
+		## correct type.
+		headers:  vector of string &log &optional;
+	};
+}
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=4
 	{

policy/protocols/http/software.bro

@@ -5,21 +5,20 @@
 
 module HTTP;
 
-redef enum Software::Type += {
-	WEB_SERVER,
-	WEB_BROWSER,
-	WEB_BROWSER_PLUGIN
-};
-
-
 export {
+	redef enum Software::Type += {
+		WEB_SERVER,
+		WEB_BROWSER,
+		WEB_BROWSER_PLUGIN
+	};
+
 	## The pattern of HTTP User-Agents which you would like to ignore.
 	const ignored_user_agents = /NO_DEFAULT/ &redef;
 	
 	## These are patterns to identify browser plugins (including toolbars)
 	## based on the User-Agent header.
-	const plugin_user_agents = /BingBar [0-9\.]*/         # Bing toolbar
-	                          | /GoogleToolbar [0-9\.]*;/ &redef; # Google toolbar
+	const plugin_user_agents = /BingBar [0-9\.]*/                 ##< Bing toolbar
+	                          | /GoogleToolbar [0-9\.]*;/ &redef; ##< Google toolbar
 }
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
@@ -46,8 +45,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	else
 		{
 		if ( name == "SERVER" )
-			{
 			Software::found(c$id, Software::parse(value, c$id$resp_h, WEB_SERVER));
-			}
 		}
 	}

policy/protocols/irc/base.bro

@@ -6,9 +6,9 @@
 
 module IRC;
 
-redef enum Log::ID += { IRC };
-
 export {
+	redef enum Log::ID += { IRC };
+
 	type Tag: enum { 
 		EMPTY 
 	};

policy/protocols/mime/base.bro

@@ -5,9 +5,9 @@
 
 module MIME;
 
-redef enum Log::ID += { MIME };
-
 export {
+	redef enum Log::ID += { MIME };
+
 	# Let's assume for now that nothing transferring files using 
 	# MIME attachments is multiplexing for simplicity's sake.
 	#   We can make the assumption that one connection == one file (at a time)

policy/protocols/smtp/base.bro

@@ -7,18 +7,18 @@
 
 module SMTP;
 
-redef enum Notice::Type += { 
-	## Indicates that the server sent a reply mentioning an SMTP block list.
-	SMTP_BL_Error_Message, 
-	## Indicates the client's address is seen in the block list error message.
-	SMTP_BL_Blocked_Host, 
-	## When mail seems to originate from a suspicious location.
-	SMTP_Suspicious_Origination,
-};
-
-redef enum Log::ID += { SMTP };
-
 export {
+	redef enum Log::ID += { SMTP };
+
+	redef enum Notice::Type += { 
+		## Indicates that the server sent a reply mentioning an SMTP block list.
+		SMTP_BL_Error_Message, 
+		## Indicates the client's address is seen in the block list error message.
+		SMTP_BL_Blocked_Host, 
+		## When mail seems to originate from a suspicious location.
+		SMTP_Suspicious_Origination,
+	};
+
 	type Info: record {
 		ts:                time            &log;
 		uid:               string          &log;

policy/protocols/smtp/software.bro

@@ -6,10 +6,12 @@
 
 module SMTP;
 
-redef enum Software::Type += {
-	MAIL_CLIENT,
-	MAIL_SERVER,
-};
+export {
+	redef enum Software::Type += {
+		MAIL_CLIENT,
+		MAIL_SERVER,
+	};
+}
 
 event log_smtp(rec: Info)
 	{

policy/protocols/smtp/webmail-ident.bro

@@ -12,13 +12,13 @@
 
 module SMTP;
 
-redef record Info += {
-	## Boolean indicator of if the message was sent through a webmail 
-	## interface.
-	is_webmail: bool &log &default=F;
-};
-
 export {
+	redef record Info += {
+		## Boolean indicator of if the message was sent through a webmail 
+		## interface.
+		is_webmail: bool &log &default=F;
+	};
+
 	## A regular expression to match USER-AGENT-like headers to find if a 
 	## message was sent with a webmail interface.
 	const webmail_user_agents = 

policy/protocols/ssh/base.bro

@@ -3,17 +3,17 @@
 
 module SSH;
 
-redef enum Notice::Type += {
-	SSH_Login,
-	SSH_PasswordGuessing,
-	SSH_LoginByPasswordGuesser,
-	SSH_Login_From_Interesting_Hostname,
-	SSH_Bytecount_Inconsistency,
-};
-
-redef enum Log::ID += { SSH };
-
 export {
+	redef enum Log::ID += { SSH };
+
+	redef enum Notice::Type += {
+		Login,
+		PasswordGuessing,
+		LoginByPasswordGuesser,
+		Login_From_Interesting_Hostname,
+		Bytecount_Inconsistency,
+	};
+
 	type Info: record {
 		ts:              time         &log;
 		uid:             string       &log;
@@ -142,7 +142,7 @@ function check_ssh_connection(c: connection, done: bool)
 		if ( default_check_threshold(password_rejections[c$id$orig_h]) )
 			{
 			add password_guessers[c$id$orig_h];
-			NOTICE([$note=SSH_PasswordGuessing,
+			NOTICE([$note=PasswordGuessing,
 			        $conn=c,
 			        $msg=fmt("SSH password guessing by %s", c$id$orig_h),
 			        $sub=fmt("%d failed logins", password_rejections[c$id$orig_h]$n),
@@ -162,7 +162,7 @@ function check_ssh_connection(c: connection, done: bool)
 		     c$id$orig_h !in password_guessers )
 			{
 			add password_guessers[c$id$orig_h];
-			NOTICE([$note=SSH_LoginByPasswordGuesser,
+			NOTICE([$note=LoginByPasswordGuesser,
 			        $conn=c,
 			        $n=password_rejections[c$id$orig_h]$n,
 			        $msg=fmt("Successful SSH login by password guesser %s", c$id$orig_h),
@@ -174,7 +174,7 @@ function check_ssh_connection(c: connection, done: bool)
 		              location$latitude, location$longitude,
 		              id_string(c$id), c$resp$size);
 		# TODO: rewrite the message once a location variable can be put in notices
-		NOTICE([$note=SSH_Login,
+		NOTICE([$note=Login,
 		        $conn=c,
 		        $msg=message,
 		        $sub=location$country_code]);
@@ -184,7 +184,7 @@ function check_ssh_connection(c: connection, done: bool)
 			{
 			if ( interesting_hostnames in hostname )
 				{
-				NOTICE([$note=SSH_Login_From_Interesting_Hostname,
+				NOTICE([$note=Login_From_Interesting_Hostname,
 				        $conn=c,
 				        $msg=fmt("Strange login from %s", hostname),
 				        $sub=hostname]);
@@ -193,7 +193,7 @@ function check_ssh_connection(c: connection, done: bool)
 		}
 	else if ( c$resp$size >= 200000000 ) 
 		{
-		NOTICE([$note=SSH_Bytecount_Inconsistency,
+		NOTICE([$note=Bytecount_Inconsistency,
 		        $conn=c,
 		        $msg="During byte counting in SSH analysis, an overly large value was seen.",
 		        $sub=fmt("%d",c$resp$size)]);

policy/protocols/ssh/software.bro

@@ -3,10 +3,12 @@
 
 module SSH;
 
-redef enum Software::Type += {
-	SSH_SERVER,
-	SSH_CLIENT,
-};
+export {
+	redef enum Software::Type += {
+		SSH_SERVER,
+		SSH_CLIENT,
+	};
+}
 
 event ssh_client_version(c: connection, version: string) &priority=4
 	{