diff --git a/scripts/base/files/pe/main.zeek b/scripts/base/files/pe/main.zeek index 22577079d3..0e1fa6569c 100644 --- a/scripts/base/files/pe/main.zeek +++ b/scripts/base/files/pe/main.zeek @@ -60,13 +60,13 @@ const pe_mime_types = { "application/x-dosexec" }; event zeek_init() &priority=5 { Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types); - Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]); + Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_pe, $path="pe", $policy=log_policy)); } hook set_file(f: fa_file) &priority=5 { if ( ! f?$pe ) - f$pe = [$ts=f$info$ts, $id=f$id]; + f$pe = PE::Info($ts=f$info$ts, $id=f$id); } event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 diff --git a/scripts/base/files/x509/log-ocsp.zeek b/scripts/base/files/x509/log-ocsp.zeek index 1e1ea32448..9d0eb2c069 100644 --- a/scripts/base/files/x509/log-ocsp.zeek +++ b/scripts/base/files/x509/log-ocsp.zeek @@ -40,7 +40,7 @@ export { event zeek_init() &priority=5 { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]); + Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy)); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); } diff --git a/scripts/base/files/x509/main.zeek b/scripts/base/files/x509/main.zeek index 3765ff03ae..56355e0675 100644 --- a/scripts/base/files/x509/main.zeek +++ b/scripts/base/files/x509/main.zeek @@ -117,7 +117,7 @@ redef record Files::Info += { event zeek_init() &priority=5 { - Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]); + Log::create_stream(X509::LOG, Log::Stream($columns=Info, $ev=log_x509, $path="x509", $policy=log_policy)); # We use MIME types internally to distinguish between user and CA certificates. # The first certificate in a connection always gets tagged as user-cert, all 
@@ -167,7 +167,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi { local der_cert = x509_get_certificate_string(cert_ref); local fp = hash_function(der_cert); - f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref]; + f$info$x509 = X509::Info($ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref); if ( f$info$mime_type == "application/x-x509-user-cert" ) f$info$x509$host_cert = T; if ( f$is_orig ) diff --git a/scripts/base/frameworks/analyzer/logging.zeek b/scripts/base/frameworks/analyzer/logging.zeek index 26a9575330..260bb5c4ec 100644 --- a/scripts/base/frameworks/analyzer/logging.zeek +++ b/scripts/base/frameworks/analyzer/logging.zeek @@ -46,7 +46,7 @@ export { event zeek_init() &priority=5 { - Log::create_stream(LOG, [$columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy]); + Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy)); } function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) diff --git a/scripts/base/frameworks/broker/log.zeek b/scripts/base/frameworks/broker/log.zeek index 6b133f1ffe..bb549344d6 100644 --- a/scripts/base/frameworks/broker/log.zeek +++ b/scripts/base/frameworks/broker/log.zeek @@ -47,17 +47,17 @@ export { event zeek_init() &priority=5 { - Log::create_stream(Broker::LOG, [$columns=Info, $path="broker", $policy=log_policy]); + Log::create_stream(Broker::LOG, Log::Stream($columns=Info, $path="broker", $policy=log_policy)); } function log_status(ev: string, endpoint: EndpointInfo, msg: string) { local r: Info; - r = [$ts = network_time(), - $ev = ev, - $ty = STATUS, - $message = msg]; + r = Broker::Info($ts = network_time(), + $ev = ev, + $ty = STATUS, + $message = msg); if ( endpoint?$network ) r$peer = endpoint$network; 
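Review bot: In log_status the rewritten initializer is still split into `local r: Info;` followed by `r = Broker::Info(...)`, while every other site in this commit folds declaration and construction into one statement; `local r = Info($ts = network_time(),` followed by the three remaining `$ev`/`$ty`/`$message` lines would match, and the next two Broker::LOG hunks (Broker::error and Broker::internal_log_event) use the unqualified `Info(...)` form in the same file, so the file now mixes `Broker::Info` and `Info` for the same record type. Whether the prefix is needed depends on the module declaration, which is outside the hunk; presumably this is `module Broker`, in which case either spelling resolves and the unqualified one is the one the other hunks chose. log_status continues past the end of the hunk.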
@@ -87,10 +87,10 @@ event Broker::error(code: ErrorCode, msg: string) ev = subst_string(ev, "_", "-"); ev = to_lower(ev); - Log::write(Broker::LOG, [$ts = network_time(), + Log::write(Broker::LOG, Info($ts = network_time(), $ev = ev, $ty = ERROR, - $message = msg]); + $message = msg)); Reporter::error(fmt("Broker error (%s): %s", code, msg)); } @@ -115,8 +115,8 @@ event Broker::internal_log_event(lvl: LogSeverityLevel, id: string, description: severity = Broker::DEBUG_EVENT; break; } - Log::write(Broker::LOG, [$ts = network_time(), + Log::write(Broker::LOG, Info($ts = network_time(), $ty = severity, $ev = id, - $message = description]); + $message = description)); } diff --git a/scripts/base/frameworks/cluster/broker-backpressure.zeek b/scripts/base/frameworks/cluster/broker-backpressure.zeek index e3fe4c9cdd..74abbcc6c6 100644 --- a/scripts/base/frameworks/cluster/broker-backpressure.zeek +++ b/scripts/base/frameworks/cluster/broker-backpressure.zeek @@ -5,13 +5,13 @@ module Cluster; -global broker_backpressure_disconnects_cf = Telemetry::register_counter_family([ +global broker_backpressure_disconnects_cf = Telemetry::register_counter_family(Telemetry::MetricOpts( $prefix="zeek", $name="broker-backpressure-disconnects", $unit="", $label_names=vector("peer"), $help_text="Number of Broker peerings dropped due to a neighbor falling behind in message I/O", -]); +)); event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) { diff --git a/scripts/base/frameworks/cluster/broker-telemetry.zeek b/scripts/base/frameworks/cluster/broker-telemetry.zeek index 913bf1ee08..1b29c11b71 100644 --- a/scripts/base/frameworks/cluster/broker-telemetry.zeek +++ b/scripts/base/frameworks/cluster/broker-telemetry.zeek 
@@ -7,13 +7,13 @@ module Cluster; ## This gauge tracks the current number of locally queued messages in each ## Broker peering's send buffer. The "peer" label identifies the remote side of ## the peering, containing a Zeek cluster node name. -global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([ +global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts( $prefix="zeek", $name="broker-peer-buffer-messages", $unit="", $label_names=vector("peer"), $help_text="Number of messages queued in Broker's send buffers", -]); +)); ## This gauge tracks recent maximum queue lengths for each Broker peering's send ## buffer. Most of the time the send buffers are nearly empty, so this gauge 
@@ -23,26 +23,26 @@ global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([ ## observed message. That is, Zeek keeps a timestamp of when the window started, ## and once it notices that the interval has passed, it moves the start of the ## window to current time. -global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family([ +global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts( $prefix="zeek", $name="broker-peer-buffer-recent-max-messages", $unit="", $label_names=vector("peer"), $help_text="Maximum number of messages recently queued in Broker's send buffers", -]); +)); ## This counter tracks for each Broker peering the number of times its send ## buffer has overflowed. For the "disconnect" policy this can at most be 1, ## since Broker stops the peering at this time. For the "drop_oldest" and ## "drop_newest" policies (see :zeek:see:`Broker:peer_overflow_policy`) the count ## instead reflects the number of messages lost. -global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family([ +global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family(Telemetry::MetricOpts( $prefix="zeek", $name="broker-peer-buffer-overflows", $unit="", $label_names=vector("peer"), $help_text="Number of overflows in Broker's send buffers", -]); +)); # A helper to track overflow counts over past peerings as well as the current diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek index e077eb34e7..3060ee08af 100644 --- a/scripts/base/frameworks/cluster/main.zeek +++ b/scripts/base/frameworks/cluster/main.zeek @@ -492,7 +492,7 @@ function nodeid_to_node(id: string): NamedNode return NamedNode($name=name, $node=n); } - return NamedNode($name="", $node=[$node_type=NONE, $ip=0.0.0.0]); + return NamedNode($name="", $node=Node($node_type=NONE, $ip=0.0.0.0)); } event Cluster::hello(name: string, id: string) &priority=10 
@@ -572,7 +572,7 @@ event zeek_init() &priority=5 terminate(); } - Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]); + Log::create_stream(Cluster::LOG, Log::Stream($columns=Info, $path="cluster", $policy=log_policy)); } function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo @@ -654,7 +654,7 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store function log(msg: string) { - Log::write(Cluster::LOG, [$ts = network_time(), $node = node, $message = msg]); + Log::write(Cluster::LOG, Info($ts = network_time(), $node = node, $message = msg)); } function init(): bool diff --git a/scripts/base/frameworks/cluster/supervisor.zeek b/scripts/base/frameworks/cluster/supervisor.zeek index cea4a6f96c..5d38f48458 100644 --- a/scripts/base/frameworks/cluster/supervisor.zeek +++ b/scripts/base/frameworks/cluster/supervisor.zeek @@ -42,7 +42,7 @@ function __init_cluster_nodes(): bool if ( endp$role in rolemap ) typ = rolemap[endp$role]; - cnode = [$node_type=typ, $ip=endp$host, $p=endp$p]; + cnode = Cluster::Node($node_type=typ, $ip=endp$host, $p=endp$p); if ( |manager_name| > 0 && cnode$node_type != Cluster::MANAGER ) cnode$manager = manager_name; if ( endp?$metrics_port ) diff --git a/scripts/base/frameworks/config/input.zeek b/scripts/base/frameworks/config/input.zeek index 9796d69f57..2e34f7dad2 100644 --- a/scripts/base/frameworks/config/input.zeek +++ b/scripts/base/frameworks/config/input.zeek @@ -40,14 +40,14 @@ event zeek_init() &priority=5 return; for ( fi in config_files ) - Input::add_table([$reader=Input::READER_CONFIG, + Input::add_table(Input::TableDescription($reader=Input::READER_CONFIG, $mode=Input::REREAD, $source=fi, $name=cat("config-", fi), $idx=ConfigItem, $val=ConfigItem, $want_record=F, - $destination=current_config]); + $destination=current_config)); } event InputConfig::new_value(name: string, source: string, id: string, value: any) 
@@ -67,11 +67,11 @@ function read_config(filename: string) local iname = cat("config-oneshot-", filename); - Input::add_event([$reader=Input::READER_CONFIG, + Input::add_event(Input::EventDescription($reader=Input::READER_CONFIG, $mode=Input::MANUAL, $source=filename, $name=iname, $fields=EventFields, - $ev=config_line]); + $ev=config_line)); Input::remove(iname); } diff --git a/scripts/base/frameworks/config/main.zeek b/scripts/base/frameworks/config/main.zeek index 8503ae95f0..263af121fb 100644 --- a/scripts/base/frameworks/config/main.zeek +++ b/scripts/base/frameworks/config/main.zeek @@ -153,7 +153,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an event zeek_init() &priority=10 { - Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config", $policy=log_policy]); + Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_config, $path="config", $policy=log_policy)); # Limit logging to the manager - everyone else just feeds off it. @if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) diff --git a/scripts/base/frameworks/files/main.zeek b/scripts/base/frameworks/files/main.zeek index 31da1a7b51..882301f9f4 100644 --- a/scripts/base/frameworks/files/main.zeek +++ b/scripts/base/frameworks/files/main.zeek @@ -341,7 +341,7 @@ global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: A event zeek_init() &priority=5 { - Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files", $policy=log_policy]); + Log::create_stream(Files::LOG, Log::Stream($columns=Info, $ev=log_files, $path="files", $policy=log_policy)); } function set_info(f: fa_file) diff --git a/scripts/base/frameworks/intel/input.zeek b/scripts/base/frameworks/intel/input.zeek index 84c85313b5..c73d08512a 100644 --- a/scripts/base/frameworks/intel/input.zeek +++ b/scripts/base/frameworks/intel/input.zeek 
@@ -68,13 +68,13 @@ event zeek_init() &priority=5 if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" ) source = cat(rstrip(path_prefix, "/"), "/", a_file); - Input::add_event([$source=source, - $reader=Input::READER_ASCII, - $mode=Input::REREAD, - $name=cat("intel-", a_file), - $fields=Intel::Item, - $ev=Intel::read_entry, - $error_ev=Intel::read_error]); + Input::add_event(Input::EventDescription($source=source, + $reader=Input::READER_ASCII, + $mode=Input::REREAD, + $name=cat("intel-", a_file), + $fields=Intel::Item, + $ev=Intel::read_entry, + $error_ev=Intel::read_error)); } } } diff --git a/scripts/base/frameworks/intel/main.zeek b/scripts/base/frameworks/intel/main.zeek index 8231e4be8e..01a0dbc1d4 100644 --- a/scripts/base/frameworks/intel/main.zeek +++ b/scripts/base/frameworks/intel/main.zeek @@ -280,7 +280,7 @@ global min_data_store: MinDataStore &redef; event zeek_init() &priority=5 { - Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel", $policy=log_policy]); + Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_intel, $path="intel", $policy=log_policy)); } # Function that abstracts expiration of different types. @@ -289,7 +289,7 @@ function expire_item(indicator: string, indicator_type: Type, metas: set[MetaDat if ( hook item_expired(indicator, indicator_type, metas) ) return item_expiration; else - remove([$indicator=indicator, $indicator_type=indicator_type, $meta=[$source=""]], T); + remove(Item($indicator=indicator, $indicator_type=indicator_type, $meta=MetaData($source="")), T); return 0 sec; } diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index b9f46f4aae..7d236f829e 100644 --- a/scripts/base/frameworks/logging/main.zeek +++ b/scripts/base/frameworks/logging/main.zeek 
@@ -425,7 +425,7 @@ export { }; ## Sentinel value for indicating that a filter was not found when looked up. - const no_filter: Filter = [$name=""]; + const no_filter = Filter($name=""); ## Creates a new logging stream with the default filter. ## @@ -997,7 +997,7 @@ function flush(id: ID): bool function add_default_filter(id: ID) : bool { - return add_filter(id, [$name="default"]); + return add_filter(id, Filter($name="default")); } function remove_default_filter(id: ID) : bool @@ -1008,7 +1008,7 @@ function remove_default_filter(id: ID) : bool event zeek_init() &priority=5 { if ( print_to_log != REDIRECT_NONE ) - Log::create_stream(PRINTLOG, [$columns=PrintLogInfo, $ev=log_print, $path=print_log_path]); + Log::create_stream(PRINTLOG, Log::Stream($columns=PrintLogInfo, $ev=log_print, $path=print_log_path)); } function empty_post_delay_cb(rec: any, id: ID): bool { diff --git a/scripts/base/frameworks/logging/writers/ascii.zeek b/scripts/base/frameworks/logging/writers/ascii.zeek index a65ae290cb..baa7bbdc7d 100644 --- a/scripts/base/frameworks/logging/writers/ascii.zeek +++ b/scripts/base/frameworks/logging/writers/ascii.zeek @@ -7,9 +7,9 @@ ##! names is printed out as meta information, with no "# fields" prepended; no ##! other meta data gets included in that mode. Example filter using this:: ##! -##! local f: Log::Filter = [$name = "my-filter", -##! $writer = Log::WRITER_ASCII, -##! $config = table(["tsv"] = "T")]; +##! local f = Log::Filter($name = "my-filter", +##! $writer = Log::WRITER_ASCII, +##! $config = table(["tsv"] = "T")); ##! module LogAscii; diff --git a/scripts/base/frameworks/netcontrol/drop.zeek b/scripts/base/frameworks/netcontrol/drop.zeek index 8680bd81d3..e113757ad1 100644 --- a/scripts/base/frameworks/netcontrol/drop.zeek +++ b/scripts/base/frameworks/netcontrol/drop.zeek 
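Review bot: Dropping the annotation on the exported constant, `const no_filter = Filter($name="");`, leaves its type to inference on a documented, `export`-ed value that other scripts compare filters against; the locals elsewhere in this commit are fine without it, but for a public constant keeping `const no_filter: Filter = Filter($name="");` costs nothing and keeps the declared type visible to readers and to the generated documentation, assuming the doc tooling prints declared rather than inferred types — worth confirming. This is a style point only; the constructed value is unchanged.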
@@ -59,13 +59,13 @@ export { event zeek_init() &priority=5 { - Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop]); + Log::create_stream(NetControl::DROP_LOG, Log::Stream($columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop)); } function drop_connection(c: conn_id, t: interval, location: string &default="") : string { - local e: Entity = [$ty=CONNECTION, $conn=c]; - local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location]; + local e = Entity($ty=CONNECTION, $conn=c); + local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location); if ( ! hook NetControl::drop_rule_policy(r) ) return ""; @@ -88,8 +88,8 @@ function drop_connection(c: conn_id, t: interval, location: string &default="") function drop_address(a: addr, t: interval, location: string &default="") : string { - local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)]; - local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location]; + local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a)); + local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location); if ( ! hook NetControl::drop_rule_policy(r) ) return ""; diff --git a/scripts/base/frameworks/netcontrol/main.zeek b/scripts/base/frameworks/netcontrol/main.zeek index ee18666002..05386e277b 100644 --- a/scripts/base/frameworks/netcontrol/main.zeek +++ b/scripts/base/frameworks/netcontrol/main.zeek @@ -383,7 +383,7 @@ global rule_entities: table[Entity, RuleType] of Rule; event zeek_init() &priority=5 { - Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy]); + Log::create_stream(NetControl::LOG, Log::Stream($columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy)); } function entity_to_info(info: Info, e: Entity) 
@@ -489,22 +489,22 @@ function rule_to_info(info: Info, r: Rule) function log_msg(msg: string, p: PluginState) { - Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]); + Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p))); } function log_error(msg: string, p: PluginState) { - Log::write(LOG, [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]); + Log::write(LOG, Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p))); } function log_msg_no_plugin(msg: string) { - Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg]); + Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg)); } function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: string &default="") { - local info: Info = [$ts=network_time()]; + local info = Info($ts=network_time()); info$category = RULE; info$cmd = cmd; info$state = state; @@ -519,14 +519,14 @@ function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: s function log_rule_error(r: Rule, msg: string, p: PluginState) { - local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]; + local info = Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)); rule_to_info(info, r); Log::write(LOG, info); } function log_rule_no_plugin(r: Rule, state: InfoState, msg: string) { - local info: Info = [$ts=network_time()]; + local info = Info($ts=network_time()); info$category = RULE; info$state = state; info$msg = msg; 
@@ -538,16 +538,16 @@ function log_rule_no_plugin(r: Rule, state: InfoState, msg: string) function whitelist_address(a: addr, t: interval, location: string &default="") : string { - local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)]; - local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location]; + local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a)); + local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location); return add_rule(r); } function whitelist_subnet(s: subnet, t: interval, location: string &default="") : string { - local e: Entity = [$ty=ADDRESS, $ip=s]; - local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location]; + local e = Entity($ty=ADDRESS, $ip=s); + local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location); return add_rule(r); } @@ -561,8 +561,8 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin $dst_h=addr_to_subnet(f$dst_h), $dst_p=f$dst_p ); - local e: Entity = [$ty=FLOW, $flow=flow]; - local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port]; + local e = Entity($ty=FLOW, $flow=flow); + local r = Rule($ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port); return add_rule(r); } 
@@ -570,19 +570,19 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string { local orules: vector of string = vector(); - local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))]; - local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location]; + local edrop = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))); + local rdrop = Rule($ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location); orules += add_rule(rdrop); - local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)]; + local todnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)); local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5); orules += add_rule(todnsr); - local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))]; + local fromdnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))); local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5); orules += add_rule(fromdnsr); - local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)]; + local wle = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)); local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5); orules += add_rule(wlr); 
diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.zeek b/scripts/base/frameworks/netcontrol/plugins/acld.zeek index 37c1a52b81..a366350743 100644 --- a/scripts/base/frameworks/netcontrol/plugins/acld.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/acld.zeek @@ -303,7 +303,7 @@ function create_acld(config: AcldConfig) : PluginState add netcontrol_acld_topics[config$acld_topic]; local host = cat(config$acld_host); - local p: PluginState = [$acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id]; + local p = PluginState($acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id); if ( [config$acld_port, host] in netcontrol_acld_peers ) Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, config$acld_port)); diff --git a/scripts/base/frameworks/netcontrol/plugins/debug.zeek b/scripts/base/frameworks/netcontrol/plugins/debug.zeek index 66cda5a056..27985b310f 100644 --- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek @@ -117,7 +117,7 @@ global debug_plugin = Plugin( function create_debug(do_something: bool, name: string) : PluginState { - local p: PluginState = [$plugin=debug_plugin]; + local p = PluginState($plugin=debug_plugin); # FIXME: Why's the default not working? p$config = table(); @@ -132,7 +132,7 @@ function create_debug(do_something: bool, name: string) : PluginState function create_debug_error(name: string) : PluginState { - local p: PluginState = copy([$plugin=debug_plugin]); + local p = copy(PluginState($plugin=debug_plugin)); p$config["name"] = name; p$config["all"] = "1"; p$plugin$add_rule = debug_add_rule_error; 
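Review bot: The `copy(PluginState($plugin=debug_plugin))` in create_debug_error is now more conspicuous next to the plain `PluginState($plugin=debug_plugin)` in create_debug a few lines above, and nothing explains the difference; the visible lines that follow, `p$plugin$add_rule = debug_add_rule_error;`, are the reason — without the copy that assignment would presumably rewrite the shared `debug_plugin` record rather than this instance's. A one-line comment above the `local p = copy(...)` line would save the next reader the puzzle: `# copy() so the add_rule override below does not alter the shared debug_plugin record.` The same applies to create_debug_exists in the following hunk.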
@@ -141,7 +141,7 @@ function create_debug_error(name: string) : PluginState function create_debug_exists(name: string) : PluginState { - local p: PluginState = copy([$plugin=debug_plugin]); + local p = copy(PluginState($plugin=debug_plugin)); p$config["name"] = name; p$config["all"] = "1"; p$plugin$add_rule = debug_add_rule_exists; diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek index ca6f1553c0..d910737999 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek @@ -447,7 +447,7 @@ global openflow_plugin = Plugin( function create_openflow(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState { - local p: PluginState = [$plugin=openflow_plugin, $of_controller=controller, $of_config=config]; + local p = PluginState($plugin=openflow_plugin, $of_controller=controller, $of_config=config); return p; } diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek index ec3cc24247..ef0656668f 100644 --- a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek @@ -106,7 +106,7 @@ global packetfilter_plugin = Plugin( function create_packetfilter() : PluginState { - local p: PluginState = [$plugin=packetfilter_plugin]; + local p = PluginState($plugin=packetfilter_plugin); return p; } diff --git a/scripts/base/frameworks/netcontrol/shunt.zeek b/scripts/base/frameworks/netcontrol/shunt.zeek index 5eb54cbb70..2e30276cda 100644 --- a/scripts/base/frameworks/netcontrol/shunt.zeek +++ b/scripts/base/frameworks/netcontrol/shunt.zeek 
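Review bot: In create_openflow the body line is converted to `PluginState(...)`, but the signature on the context line directly above still carries an anonymous record literal, `config: OfConfig &default=[]`; if the intent of the commit is to remove these untyped initializers everywhere, this one is left behind in the same hunk. `config: OfConfig &default=OfConfig()` would be the matching form, provided OfConfig has no required fields — which the existing `[]` default already implies.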
@@ -40,7 +40,7 @@ export { event zeek_init() &priority=5 { - Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt]); + Log::create_stream(NetControl::SHUNT, Log::Stream($columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt)); } function shunt_flow(f: flow_id, t: interval, location: string &default="") : string @@ -51,8 +51,8 @@ function shunt_flow(f: flow_id, t: interval, location: string &default="") : str $dst_h=addr_to_subnet(f$dst_h), $dst_p=f$dst_p ); - local e: Entity = [$ty=FLOW, $flow=flow]; - local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location]; + local e = Entity($ty=FLOW, $flow=flow); + local r = Rule($ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location); local id = add_rule(r); diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.zeek b/scripts/base/frameworks/notice/actions/pp-alarms.zeek index 954ee359a1..26a28a6d85 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.zeek +++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek @@ -102,9 +102,9 @@ event zeek_init() # This replaces the standard non-pretty-printing filter. Log::add_filter(Notice::ALARM_LOG, - [$name="alarm-mail", $writer=Log::WRITER_NONE, - $interv=Log::default_mail_alarms_interval, - $postprocessor=pp_postprocessor]); + Log::Filter($name="alarm-mail", $writer=Log::WRITER_NONE, + $interv=Log::default_mail_alarms_interval, + $postprocessor=pp_postprocessor)); } hook notice(n: Notice::Info) &priority=-5 diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek index 26b3c1b9d0..fdc745688b 100644 --- a/scripts/base/frameworks/notice/main.zeek +++ b/scripts/base/frameworks/notice/main.zeek 
@@ -381,16 +381,16 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool event zeek_init() &priority=5 { - Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice", $policy=log_policy]); + Log::create_stream(Notice::LOG, Log::Stream($columns=Info, $ev=log_notice, $path="notice", $policy=log_policy)); - Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm]); + Log::create_stream(Notice::ALARM_LOG, Log::Stream($columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm)); # If Zeek is configured for mailing notices, set up mailing for alarms. # Make sure that this alarm log is also output as text so that it can # be packaged up and emailed later. if ( ! reading_traces() && mail_dest != "" ) Log::add_filter(Notice::ALARM_LOG, - [$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII, - $interv=24hrs, $postprocessor=log_mailing_postprocessor]); + Log::Filter($name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII, + $interv=24hrs, $postprocessor=log_mailing_postprocessor)); } function email_headers(subject_desc: string, dest: string): string diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek index 54527a2232..987bed11d2 100644 --- a/scripts/base/frameworks/notice/weird.zeek +++ b/scripts/base/frameworks/notice/weird.zeek @@ -318,7 +318,7 @@ const notice_actions = { event zeek_init() &priority=5 { - Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird", $policy=log_policy]); + Log::create_stream(Weird::LOG, Log::Stream($columns=Info, $ev=log_weird, $path="weird", $policy=log_policy)); } function flow_id_string(src: addr, dst: addr): string diff --git a/scripts/base/frameworks/openflow/plugins/log.zeek b/scripts/base/frameworks/openflow/plugins/log.zeek index 1f25944980..28a40571de 100644 --- a/scripts/base/frameworks/openflow/plugins/log.zeek 
+++ b/scripts/base/frameworks/openflow/plugins/log.zeek @@ -50,12 +50,12 @@ export { event zeek_init() &priority=5 { - Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy]); + Log::create_stream(OpenFlow::LOG, Log::Stream($columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy)); } function log_flow_mod(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool { - Log::write(OpenFlow::LOG, [$ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod]); + Log::write(LOG, Info($ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod)); if ( state$log_success_event ) event OpenFlow::flow_mod_success(state$_name, match, flow_mod); diff --git a/scripts/base/frameworks/packet-filter/main.zeek b/scripts/base/frameworks/packet-filter/main.zeek index 7a3689f49d..6cf90a0302 100644 --- a/scripts/base/frameworks/packet-filter/main.zeek +++ b/scripts/base/frameworks/packet-filter/main.zeek @@ -175,7 +175,7 @@ event filter_change_tracking() event zeek_init() &priority=5 { - Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter", $policy=log_policy]); + Log::create_stream(PacketFilter::LOG, Log::Stream($columns=Info, $path="packet_filter", $policy=log_policy)); # Preverify the capture and restrict filters to give more granular failure messages. for ( id, cf in capture_filters ) @@ -303,9 +303,9 @@ function install(): bool local error_string : string; if ( state == Pcap::fatal ) { - NOTICE([$note=Compile_Failure, - $msg=fmt("Compiling packet filter failed"), - $sub=tmp_filter]); + NOTICE(Notice::Info($note=Compile_Failure, + $msg=fmt("Compiling packet filter failed"), + $sub=tmp_filter)); error_string = fmt("Bad pcap filter '%s': %s", tmp_filter, Pcap::get_filter_state_string(DefaultPcapFilter)); 
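Review bot: In log_flow_mod the rewrite also drops the module prefix on the stream id, `Log::write(LOG, Info(...))`, while the create_stream call three lines above in the same hunk keeps `OpenFlow::LOG`, and every other file in this commit leaves the `Module::LOG` spelling untouched when converting the record argument. Inside `module OpenFlow` both names presumably resolve to the same identifier, so this looks like an unintended extra change rather than a bug, but it reads as inconsistent; `Log::write(OpenFlow::LOG, Info($ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod));` keeps the commit to the record-constructor change it describes. The body of log_flow_mod continues beyond the hunk.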
@@ -326,8 +326,8 @@ function install(): bool
 }
 local diff = current_time()-ts;
 if ( diff > max_filter_compile_time )
- NOTICE([$note=Too_Long_To_Compile_Filter,
- $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]);
+ NOTICE(Notice::Info($note=Too_Long_To_Compile_Filter,
+ $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)));
 # Set it to the current filter if it passed precompiling
 current_filter = tmp_filter;
@@ -350,9 +350,9 @@ function install(): bool
 info$success = F;
 info$failure_reason = Pcap::get_filter_state_string(DefaultPcapFilter);
- NOTICE([$note=Install_Failure,
- $msg=fmt("Installing packet filter failed"),
- $sub=current_filter]);
+ NOTICE(Notice::Info($note=Install_Failure,
+ $msg=fmt("Installing packet filter failed"),
+ $sub=current_filter));
 }
 if ( reading_live_traffic() || reading_traces() )
diff --git a/scripts/base/frameworks/packet-filter/netstats.zeek b/scripts/base/frameworks/packet-filter/netstats.zeek
index 173f4371cd..a16a1044ae 100644
--- a/scripts/base/frameworks/packet-filter/netstats.zeek
+++ b/scripts/base/frameworks/packet-filter/netstats.zeek
@@ -24,10 +24,10 @@ event net_stats_update(last_stat: NetStats)
 {
 local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
 local new_link = ns$pkts_link - last_stat$pkts_link;
- NOTICE([$note=Dropped_Packets,
- $msg=fmt("%d packets dropped after filtering, %d received%s",
- new_dropped, new_recvd + new_dropped,
- new_link != 0 ? fmt(", %d on link", new_link) : "")]);
+ NOTICE(Notice::Info($note=Dropped_Packets,
+ $msg=fmt("%d packets dropped after filtering, %d received%s",
+ new_dropped, new_recvd + new_dropped,
+ new_link != 0 ? fmt(", %d on link", new_link) : "")));
 }
 schedule stats_collection_interval { net_stats_update(ns) };
diff --git a/scripts/base/frameworks/reporter/main.zeek b/scripts/base/frameworks/reporter/main.zeek
index 2edca76732..6104be038c 100644
--- a/scripts/base/frameworks/reporter/main.zeek
+++ b/scripts/base/frameworks/reporter/main.zeek
@@ -40,20 +40,20 @@ export {
 event zeek_init() &priority=5
 {
- Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter", $policy=log_policy]);
+ Log::create_stream(Reporter::LOG, Log::Stream($columns=Info, $path="reporter", $policy=log_policy));
 }
 event reporter_info(t: time, msg: string, location: string) &priority=-5
 {
- Log::write(Reporter::LOG, [$ts=t, $level=INFO, $message=msg, $location=location]);
+ Log::write(Reporter::LOG, Info($ts=t, $level=INFO, $message=msg, $location=location));
 }
 event reporter_warning(t: time, msg: string, location: string) &priority=-5
 {
- Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]);
+ Log::write(Reporter::LOG, Info($ts=t, $level=WARNING, $message=msg, $location=location));
 }
 event reporter_error(t: time, msg: string, location: string) &priority=-5
 {
- Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]);
+ Log::write(Reporter::LOG, Info($ts=t, $level=ERROR, $message=msg, $location=location));
 }
diff --git a/scripts/base/frameworks/signatures/main.zeek b/scripts/base/frameworks/signatures/main.zeek
index a51ece1bcf..58af75c577 100644
--- a/scripts/base/frameworks/signatures/main.zeek
+++ b/scripts/base/frameworks/signatures/main.zeek
@@ -145,14 +145,14 @@ global did_sig_log: set[string] &read_expire = 1 hr;
 event zeek_init() &priority=5
 {
- Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
+ Log::create_stream(Signatures::LOG, Log::Stream($columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy));
 }
 event sig_summary(orig: addr, id: string, msg: string)
 {
- NOTICE([$note=Signature_Summary, $src=orig,
- $msg=fmt("%s: %s", orig, msg),
- $n=count_per_orig[orig,id] ]);
+ NOTICE(Notice::Info($note=Signature_Summary, $src=orig,
+ $msg=fmt("%s: %s", orig, msg),
+ $n=count_per_orig[orig,id]));
 }
 event signature_match(state: signature_state, msg: string, data: string)
@@ -189,16 +189,16 @@ event signature_match(state: signature_state, msg: string, data: string)
 if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
 {
- local info: Info = [$ts=network_time(),
- $note=Sensitive_Signature,
- $uid=state$conn$uid,
- $src_addr=src_addr,
- $src_port=src_port,
- $dst_addr=dst_addr,
- $dst_port=dst_port,
- $event_msg=fmt("%s: %s", src_addr, msg),
- $sig_id=sig_id,
- $sub_msg=data];
+ local info = Info($ts=network_time(),
+ $note=Sensitive_Signature,
+ $uid=state$conn$uid,
+ $src_addr=src_addr,
+ $src_port=src_port,
+ $dst_addr=dst_addr,
+ $dst_port=dst_port,
+ $event_msg=fmt("%s: %s", src_addr, msg),
+ $sig_id=sig_id,
+ $sub_msg=data);
 Log::write(Signatures::LOG, info);
 }
@@ -211,12 +211,12 @@ event signature_match(state: signature_state, msg: string, data: string)
 local dst = state$conn$id$resp_h;
 if ( ++count_per_resp[dst,sig_id] in count_thresholds )
 {
- NOTICE([$note=Count_Signature, $conn=state$conn,
- $msg=msg,
- $n=count_per_resp[dst,sig_id],
- $sub=fmt("%d matches of signature %s on host %s",
- count_per_resp[dst,sig_id],
- sig_id, dst)]);
+ NOTICE(Notice::Info($note=Count_Signature, $conn=state$conn,
+ $msg=msg,
+ $n=count_per_resp[dst,sig_id],
+ $sub=fmt("%d matches of signature %s on host %s",
+ count_per_resp[dst,sig_id],
+ sig_id, dst)));
 }
 }
@@ -241,10 +241,10 @@ event signature_match(state: signature_state, msg: string, data: string)
 }
 if ( notice )
- NOTICE([$note=Sensitive_Signature,
- $conn=state$conn, $src=src_addr,
- $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
- $sub=data]);
+ NOTICE(Notice::Info($note=Sensitive_Signature,
+ $conn=state$conn, $src=src_addr,
+ $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
+ $sub=data));
 if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
 return;
@@ -273,12 +273,12 @@ event signature_match(state: signature_state, msg: string, data: string)
 orig, sig_id, hcount);
 Log::write(Signatures::LOG,
- [$ts=network_time(), $note=Multiple_Sig_Responders,
- $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
- $host_count=hcount, $sub_msg=horz_scan_msg]);
+ Info($ts=network_time(), $note=Multiple_Sig_Responders,
+ $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
+ $host_count=hcount, $sub_msg=horz_scan_msg));
- NOTICE([$note=Multiple_Sig_Responders, $src=orig,
- $msg=msg, $n=hcount, $sub=horz_scan_msg]);
+ NOTICE(Notice::Info($note=Multiple_Sig_Responders, $src=orig,
+ $msg=msg, $n=hcount, $sub=horz_scan_msg));
 last_hthresh[orig] = hcount;
 }
@@ -290,16 +290,16 @@ event signature_match(state: signature_state, msg: string, data: string)
 orig, vcount, resp);
 Log::write(Signatures::LOG,
- [$ts=network_time(),
- $note=Multiple_Signatures,
- $src_addr=orig,
- $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
- $event_msg=fmt("%s different signatures triggered", vcount),
- $sub_msg=vert_scan_msg]);
+ Info($ts=network_time(),
+ $note=Multiple_Signatures,
+ $src_addr=orig,
+ $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
+ $event_msg=fmt("%s different signatures triggered", vcount),
+ $sub_msg=vert_scan_msg));
- NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
- $msg=fmt("%s different signatures triggered", vcount),
- $n=vcount, $sub=vert_scan_msg]);
+ NOTICE(Notice::Info($note=Multiple_Signatures, $src=orig, $dst=resp,
+ $msg=fmt("%s different signatures triggered", vcount),
+ $n=vcount, $sub=vert_scan_msg));
 last_vthresh[orig] = vcount;
 }
diff --git a/scripts/base/frameworks/software/main.zeek b/scripts/base/frameworks/software/main.zeek
index 40d39ee21c..238810521f 100644
--- a/scripts/base/frameworks/software/main.zeek
+++ b/scripts/base/frameworks/software/main.zeek
@@ -126,7 +126,7 @@ export {
 event zeek_init() &priority=5
 {
- Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
+ Log::create_stream(Software::LOG, Log::Stream($columns=Info, $ev=log_software, $path="software", $policy=log_policy));
 }
 type Description: record {
@@ -163,7 +163,7 @@ function parse(unparsed_version: string): Description
 else
 v = Version($major=extract_count(vs));
- return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+ return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
 }
 }
 else
@@ -236,7 +236,7 @@ function parse(unparsed_version: string): Description
 }
 }
- return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
+ return Description($version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]);
 }
 global parse_cache: table[string] of Description &read_expire=65secs;
@@ -269,13 +269,13 @@ function parse_mozilla(unparsed_version: string): Description
 {
 software_name = "MSIE";
 if ( /Trident\/4\.0/ in unparsed_version )
- v = [$major=8,$minor=0];
+ v = Version($major=8,$minor=0);
 else if ( /Trident\/5\.0/ in unparsed_version )
- v = [$major=9,$minor=0];
+ v = Version($major=9,$minor=0);
 else if ( /Trident\/6\.0/ in unparsed_version )
- v = [$major=10,$minor=0];
+ v = Version($major=10,$minor=0);
 else if ( /Trident\/7\.0/ in unparsed_version )
- v = [$major=11,$minor=0];
+ v = Version($major=11,$minor=0);
 else
 {
 parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
@@ -373,7 +373,7 @@ function parse_mozilla(unparsed_version: string): Description
 v = parse(parts[1])$version;
 }
- return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+ return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
 }
diff --git a/scripts/base/frameworks/spicy/main.zeek b/scripts/base/frameworks/spicy/main.zeek
index 6c7684c47b..4a7bb5160b 100644
--- a/scripts/base/frameworks/spicy/main.zeek
+++ b/scripts/base/frameworks/spicy/main.zeek
@@ -8,8 +8,8 @@ export {
 event max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
 {
- NOTICE([
- $note=Spicy::Spicy_Max_File_Depth_Exceeded,
- $msg=fmt("Maximum file depth exceeded for file %s", f$id)
- ]);
+ NOTICE(Notice::Info(
+ $note=Spicy::Spicy_Max_File_Depth_Exceeded,
+ $msg=fmt("Maximum file depth exceeded for file %s", f$id)
+ ));
 }
diff --git a/scripts/base/frameworks/sumstats/main.zeek b/scripts/base/frameworks/sumstats/main.zeek
index 5c82fe9212..336d968797 100644
--- a/scripts/base/frameworks/sumstats/main.zeek
+++ b/scripts/base/frameworks/sumstats/main.zeek
@@ -312,7 +312,7 @@ event zeek_init() &priority=100000
 function init_resultval(r: Reducer): ResultVal
 {
- local rv: ResultVal = [$begin=network_time(), $end=network_time()];
+ local rv = ResultVal($begin=network_time(), $end=network_time());
 hook init_resultval_hook(r, rv);
 return rv;
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/last.zeek b/scripts/base/frameworks/sumstats/plugins/last.zeek
index a2c19f3f51..47072ad5da 100644
--- a/scripts/base/frameworks/sumstats/plugins/last.zeek
+++ b/scripts/base/frameworks/sumstats/plugins/last.zeek
@@ -54,7 +54,7 @@ hook register_observe_plugins()
 if ( r$num_last_elements > 0 )
 {
 if ( ! rv?$last_elements )
- rv$last_elements = Queue::init([$max_len=r$num_last_elements]);
+ rv$last_elements = Queue::init(Queue::Settings($max_len=r$num_last_elements));
 Queue::put(rv$last_elements, obs);
 }
 });
diff --git a/scripts/base/frameworks/telemetry/main.zeek b/scripts/base/frameworks/telemetry/main.zeek
index 2480cd4b88..3be4156228 100644
--- a/scripts/base/frameworks/telemetry/main.zeek
+++ b/scripts/base/frameworks/telemetry/main.zeek
@@ -296,12 +296,12 @@ function register_counter_family(opts: MetricOpts): CounterFamily
 }
 # Fallback Counter returned when there are issues with the labels.
-global error_counter_cf = register_counter_family([
+global error_counter_cf = register_counter_family(MetricOpts(
 $prefix="zeek",
 $name="telemetry_counter_usage_error",
 $unit="",
 $help_text="This counter is returned when label usage for counters is wrong. Check reporter.log if non-zero."
-]);
+));
 function counter_with(cf: CounterFamily, label_values: labels_vector): Counter
 {
@@ -355,12 +355,12 @@ function register_gauge_family(opts: MetricOpts): GaugeFamily
 }
 # Fallback Gauge returned when there are issues with the label usage.
-global error_gauge_cf = register_gauge_family([
+global error_gauge_cf = register_gauge_family(MetricOpts(
 $prefix="zeek",
 $name="telemetry_gauge_usage_error",
 $unit="",
 $help_text="This gauge is returned when label usage for gauges is wrong. Check reporter.log if non-zero."
-]);
+));
 function gauge_with(gf: GaugeFamily, label_values: labels_vector): Gauge
 {
@@ -424,13 +424,13 @@ function register_histogram_family(opts: MetricOpts): HistogramFamily
 }
 # Fallback Histogram when there are issues with the labels.
-global error_histogram_hf = register_histogram_family([
+global error_histogram_hf = register_histogram_family(MetricOpts(
 $prefix="zeek",
 $name="telemetry_histogram_usage_error",
 $unit="",
 $help_text="This histogram is returned when label usage for histograms is wrong. Check reporter.log if non-zero.",
 $bounds=vector(1.0)
-]);
+));
 function histogram_with(hf: HistogramFamily, label_values: labels_vector): Histogram
 {
@@ -474,14 +474,14 @@ event run_sync_hook()
 }
 # Expose the Zeek version as Prometheus style info metric
-global version_gauge_family = Telemetry::register_gauge_family([
+global version_gauge_family = Telemetry::register_gauge_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="version_info",
 $unit="",
 $help_text="The Zeek version",
 $label_names=vector("version_number", "major", "minor", "patch", "commit", "beta", "debug","version_string")
-]);
+));
 event zeek_init()
 {
diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 3c4e8adf3d..0c0a7c76d0 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -92,7 +92,7 @@ export {
 event zeek_init() &priority=5
 {
- Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
+ Log::create_stream(Tunnel::LOG, Log::Stream($columns=Info, $path="tunnel", $policy=log_policy));
 }
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index 0185129199..d3555982b9 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -178,7 +178,7 @@ redef record connection += {
 event zeek_init() &priority=5
 {
- Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn", $policy=log_policy]);
+ Log::create_stream(Conn::LOG, Log::Stream($columns=Info, $ev=log_conn, $path="conn", $policy=log_policy));
 }
 function conn_state(c: connection, trans: transport_proto): string
diff --git a/scripts/base/protocols/dce-rpc/main.zeek b/scripts/base/protocols/dce-rpc/main.zeek
index 6c385acc22..6d81d55c84 100644
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@@ -66,7 +66,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc", $policy=log_policy]);
+ Log::create_stream(DCE_RPC::LOG, Log::Stream($columns=Info, $path="dce_rpc", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
 }
diff --git a/scripts/base/protocols/dhcp/main.zeek b/scripts/base/protocols/dhcp/main.zeek
index 4f468ffe99..d1a287d200 100644
--- a/scripts/base/protocols/dhcp/main.zeek
+++ b/scripts/base/protocols/dhcp/main.zeek
@@ -130,7 +130,7 @@ redef likely_server_ports += { 67/udp };
 event zeek_init() &priority=5
 {
- Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy]);
+ Log::create_stream(DHCP::LOG, Log::Stream($columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
 }
diff --git a/scripts/base/protocols/dnp3/main.zeek b/scripts/base/protocols/dnp3/main.zeek
index d03f00edd2..a8b14a9b4a 100644
--- a/scripts/base/protocols/dnp3/main.zeek
+++ b/scripts/base/protocols/dnp3/main.zeek
@@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy]);
+ Log::create_stream(DNP3::LOG, Log::Stream($columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
 }
@@ -50,7 +50,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, application_
 {
 if ( ! c?$dnp3 )
 {
- c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+ c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 Conn::register_removal_hook(c, finalize_dnp3);
 }
@@ -62,7 +62,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
 {
 if ( ! c?$dnp3 )
 {
- c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+ c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 Conn::register_removal_hook(c, finalize_dnp3);
 }
diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek
index ac7e59793f..4ae48baaac 100644
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@@ -164,7 +164,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns", $policy=log_policy]);
+ Log::create_stream(DNS::LOG, Log::Stream($columns=Info, $ev=log_dns, $path="dns", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
 }
diff --git a/scripts/base/protocols/ftp/files.zeek b/scripts/base/protocols/ftp/files.zeek
index e811e72364..e0acc68420 100644
--- a/scripts/base/protocols/ftp/files.zeek
+++ b/scripts/base/protocols/ftp/files.zeek
@@ -43,8 +43,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
- [$get_file_handle = FTP::get_file_handle,
- $describe = FTP::describe_file]);
+ Files::ProtoRegistration($get_file_handle = FTP::get_file_handle,
+ $describe = FTP::describe_file));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
diff --git a/scripts/base/protocols/ftp/main.zeek b/scripts/base/protocols/ftp/main.zeek
index 82d149777c..6826210669 100644
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@@ -88,7 +88,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy]);
+ Log::create_stream(FTP::LOG, Log::Stream($columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 }
@@ -307,8 +307,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 if ( data$valid )
 {
- add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h,
- $resp_h=data$h, $resp_p=data$p]);
+ add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=F, $orig_h=id$resp_h,
+ $resp_h=data$h, $resp_p=data$p));
 }
 else
 {
@@ -403,8 +403,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 if ( code == 229 && data$h == [::] )
 data$h = c$id$resp_h;
- add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h,
- $resp_h=data$h, $resp_p=data$p]);
+ add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=T, $orig_h=c$id$orig_h,
+ $resp_h=data$h, $resp_p=data$p));
 }
 else
 {
diff --git a/scripts/base/protocols/ftp/utils-commands.zeek b/scripts/base/protocols/ftp/utils-commands.zeek
index 6d0c193d38..1141aaf629 100644
--- a/scripts/base/protocols/ftp/utils-commands.zeek
+++ b/scripts/base/protocols/ftp/utils-commands.zeek
@@ -80,7 +80,7 @@ export {
 function add_pending_cmd(pc: PendingCmds, seq: count, cmd: string, arg: string): CmdArg
 {
- local ca = [$cmd = cmd, $arg = arg, $seq=seq, $ts=network_time()];
+ local ca = CmdArg($cmd = cmd, $arg = arg, $seq=seq, $ts=network_time());
 pc[ca$seq] = ca;
 return ca;
diff --git a/scripts/base/protocols/http/files.zeek b/scripts/base/protocols/http/files.zeek
index 34adc58c08..05258e6a5d 100644
--- a/scripts/base/protocols/http/files.zeek
+++ b/scripts/base/protocols/http/files.zeek
@@ -51,6 +51,6 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_HTTP,
- [$get_file_handle = HTTP::get_file_handle,
- $describe = HTTP::describe_file]);
+ Files::ProtoRegistration($get_file_handle = HTTP::get_file_handle,
+ $describe = HTTP::describe_file));
 }
diff --git a/scripts/base/protocols/http/main.zeek b/scripts/base/protocols/http/main.zeek
index e334a83253..983bb37d9a 100644
--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@@ -156,7 +156,7 @@ redef likely_server_ports += { ports };
 # Initialize the HTTP logging stream and ports.
 event zeek_init() &priority=5
 {
- Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http", $policy=log_policy]);
+ Log::create_stream(HTTP::LOG, Log::Stream($columns=Info, $ev=log_http, $path="http", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
 }
@@ -299,7 +299,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 # "tunnel".
 local tid = copy(c$id);
 tid$orig_p = 0/tcp;
- Tunnel::register([$cid=tid, $tunnel_type=Tunnel::HTTP]);
+ Tunnel::register(Tunnel::EncapsulatingConn($cid=tid, $tunnel_type=Tunnel::HTTP));
 }
 }
diff --git a/scripts/base/protocols/irc/files.zeek b/scripts/base/protocols/irc/files.zeek
index 33128f57a6..8047c23aa8 100644
--- a/scripts/base/protocols/irc/files.zeek
+++ b/scripts/base/protocols/irc/files.zeek
@@ -26,7 +26,7 @@ function get_file_handle(c: connection, is_orig: bool): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
- [$get_file_handle = IRC::get_file_handle]);
+ Files::ProtoRegistration($get_file_handle = IRC::get_file_handle));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
diff --git a/scripts/base/protocols/irc/main.zeek b/scripts/base/protocols/irc/main.zeek
index de4d2296ea..2c7c92c098 100644
--- a/scripts/base/protocols/irc/main.zeek
+++ b/scripts/base/protocols/irc/main.zeek
@@ -45,7 +45,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc", $policy=log_policy]);
+ Log::create_stream(IRC::LOG, Log::Stream($columns=Info, $ev=irc_log, $path="irc", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 }
diff --git a/scripts/base/protocols/krb/files.zeek b/scripts/base/protocols/krb/files.zeek
index 51a2f6e3bf..c75f795da6 100644
--- a/scripts/base/protocols/krb/files.zeek
+++ b/scripts/base/protocols/krb/files.zeek
@@ -64,12 +64,12 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_KRB_TCP,
- [$get_file_handle = KRB::get_file_handle,
- $describe = KRB::describe_file]);
+ Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
+ $describe = KRB::describe_file));
 Files::register_protocol(Analyzer::ANALYZER_KRB,
- [$get_file_handle = KRB::get_file_handle,
- $describe = KRB::describe_file]);
+ Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
+ $describe = KRB::describe_file));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
diff --git a/scripts/base/protocols/krb/main.zeek b/scripts/base/protocols/krb/main.zeek
index 0b3066f89a..ef0da12657 100644
--- a/scripts/base/protocols/krb/main.zeek
+++ b/scripts/base/protocols/krb/main.zeek
@@ -83,7 +83,7 @@ event zeek_init() &priority=5
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
 Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
- Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy]);
+ Log::create_stream(KRB::LOG, Log::Stream($columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy));
 }
 function set_session(c: connection): bool
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index c0a2f90bb3..6ec74ac2fb 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -144,8 +144,8 @@ event zeek_init() &priority=5
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
 Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
- Log::create_stream(LDAP::LDAP_LOG, [$columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy]);
- Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
+ Log::create_stream(LDAP::LDAP_LOG, Log::Stream($columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy));
+ Log::create_stream(LDAP::LDAP_SEARCH_LOG, Log::Stream($columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search));
 }
 #############################################################################
@@ -163,17 +163,17 @@ function set_session(c: connection, message_id: int, opcode: LDAP::ProtocolOpcod
 c$ldap$searches = table();
 if ((opcode in OPCODES_SEARCH) && (message_id !in c$ldap$searches)) {
- c$ldap$searches[message_id] = [$ts=network_time(),
- $uid=c$uid,
- $id=c$id,
- $message_id=message_id,
- $result_count=0];
+ c$ldap$searches[message_id] = SearchInfo($ts=network_time(),
+ $uid=c$uid,
+ $id=c$id,
+ $message_id=message_id,
+ $result_count=0);
 } else if ((opcode !in OPCODES_SEARCH) && (message_id !in c$ldap$messages)) {
- c$ldap$messages[message_id] = [$ts=network_time(),
- $uid=c$uid,
- $id=c$id,
- $message_id=message_id];
+ c$ldap$messages[message_id] = MessageInfo($ts=network_time(),
+ $uid=c$uid,
+ $id=c$id,
+ $message_id=message_id);
 }
 }
diff --git a/scripts/base/protocols/modbus/main.zeek b/scripts/base/protocols/modbus/main.zeek
index 94299b2670..3fad7c190b 100644
--- a/scripts/base/protocols/modbus/main.zeek
+++ b/scripts/base/protocols/modbus/main.zeek
@@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy]);
+ Log::create_stream(Modbus::LOG, Log::Stream($columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 }
@@ -69,7 +69,7 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &prio
 {
 if ( ! c?$modbus )
 {
- c$modbus = [$ts=network_time(), $uid=c$uid, $id=c$id];
+ c$modbus = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 }
 c$modbus$ts = network_time();
diff --git a/scripts/base/protocols/mqtt/main.zeek b/scripts/base/protocols/mqtt/main.zeek
index 2b58a33c29..ad35e290b5 100644
--- a/scripts/base/protocols/mqtt/main.zeek
+++ b/scripts/base/protocols/mqtt/main.zeek
@@ -150,9 +150,9 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(MQTT::CONNECT_LOG, [$columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect]);
- Log::create_stream(MQTT::SUBSCRIBE_LOG, [$columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe]);
- Log::create_stream(MQTT::PUBLISH_LOG, [$columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish]);
+ Log::create_stream(MQTT::CONNECT_LOG, Log::Stream($columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect));
+ Log::create_stream(MQTT::SUBSCRIBE_LOG, Log::Stream($columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe));
+ Log::create_stream(MQTT::PUBLISH_LOG, Log::Stream($columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish));
 Analyzer::register_for_ports(Analyzer::ANALYZER_MQTT, ports);
 }
diff --git a/scripts/base/protocols/mysql/main.zeek b/scripts/base/protocols/mysql/main.zeek
index c968ed5326..99ea9d05f1 100644
--- a/scripts/base/protocols/mysql/main.zeek
+++ b/scripts/base/protocols/mysql/main.zeek
@@ -45,7 +45,7 @@ const ports = { 1434/tcp, 3306/tcp };
 event zeek_init() &priority=5
 {
- Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy]);
+ Log::create_stream(mysql::LOG, Log::Stream($columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
 }
diff --git a/scripts/base/protocols/ntlm/main.zeek b/scripts/base/protocols/ntlm/main.zeek
index a96c919b4c..20ad527d1b 100644
--- a/scripts/base/protocols/ntlm/main.zeek
+++ b/scripts/base/protocols/ntlm/main.zeek
@@ -49,7 +49,7 @@ redef record connection += {
 event zeek_init() &priority=5
 {
- Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm", $policy=log_policy]);
+ Log::create_stream(NTLM::LOG, Log::Stream($columns=Info, $path="ntlm", $policy=log_policy));
 }
 function set_session(c: connection)
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index d922ae39e3..53706af001 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -61,7 +61,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
- Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy]);
+ Log::create_stream(NTP::LOG, Log::Stream($columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy));
 }
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
diff --git a/scripts/base/protocols/postgresql/main.zeek b/scripts/base/protocols/postgresql/main.zeek
index d7cc1cc45f..bf262467d6 100644
--- a/scripts/base/protocols/postgresql/main.zeek
+++ b/scripts/base/protocols/postgresql/main.zeek
@@ -75,7 +75,7 @@ redef likely_server_ports += { ports };
 event zeek_init()
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
- Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
+ Log::create_stream(PostgreSQL::LOG, Log::Stream($columns=Info, $ev=log_postgresql, $path="postgresql"));
 }
 hook set_session(c: connection)
 {
diff --git a/scripts/base/protocols/quic/main.zeek b/scripts/base/protocols/quic/main.zeek
index a7d90f43a5..284107b26a 100644
--- a/scripts/base/protocols/quic/main.zeek
+++ b/scripts/base/protocols/quic/main.zeek
@@ -236,6 +236,6 @@ hook finalize_quic(c: connection)
 event zeek_init()
 {
- Log::create_stream(LOG, [$columns=Info, $ev=log_quic, $path="quic", $policy=log_policy]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_quic, $path="quic", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_QUIC, quic_ports);
 }
diff --git a/scripts/base/protocols/radius/main.zeek b/scripts/base/protocols/radius/main.zeek
index dc692cac2f..9bf1f4bd4a 100644
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@@ -65,7 +65,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius", $policy=log_policy]);
+ Log::create_stream(RADIUS::LOG, Log::Stream($columns=Info, $ev=log_radius, $path="radius", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
 }
diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek
index 6246ba3f7a..5e9ee9e4dd 100644
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
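Review bot: The PostgreSQL stream is the only `Log::create_stream` in this commit built without a policy hook: `Log::Stream($columns=Info, $ev=log_postgresql, $path="postgresql")`, whereas the QUIC and RADIUS streams on the same line and every other base stream pass `$policy=log_policy`. The stream policy hook is the per-stream mechanism operators use to veto or redact individual records before they reach a writer, so without it postgresql.log cannot be filtered the way the other protocol logs can, and the inconsistency is easy to miss in a mechanical refactor like this one. If the PostgreSQL export block declares a `log_policy: Log::PolicyHook` (not visible in this hunk) it should be passed, `Log::create_stream(PostgreSQL::LOG, Log::Stream($columns=Info, $ev=log_postgresql, $path="postgresql", $policy=log_policy));`; if it does not, adding the hook would bring the module in line with its siblings. Separately, this `event zeek_init()` carries no `&priority=5` while the sibling modules do, so stream creation here is not ordered before default-priority zeek_init handlers that might add filters to it.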
@@ -98,7 +98,7 @@ redef likely_server_ports += { rdp_ports, rdpeudp_ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy]);
+ Log::create_stream(RDP::LOG, Log::Stream($columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, rdp_ports);
 Analyzer::register_for_ports(Analyzer::ANALYZER_RDPEUDP, rdpeudp_ports);
 }
@@ -155,7 +155,7 @@ function set_session(c: connection)
 {
 if ( ! c?$rdp )
 {
- c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
+ c$rdp = Info($ts=network_time(),$id=c$id,$uid=c$uid);
 Conn::register_removal_hook(c, finalize_rdp);
 # The RDP session is scheduled to be logged from
 # the time it is first initiated.
diff --git a/scripts/base/protocols/redis/main.zeek b/scripts/base/protocols/redis/main.zeek
index 07b6a6a61d..58cc53d4f7 100644
--- a/scripts/base/protocols/redis/main.zeek
+++ b/scripts/base/protocols/redis/main.zeek
@@ -96,8 +96,8 @@ redef likely_server_ports += {ports};
 event zeek_init() &priority=5
 {
- Log::create_stream(Redis::LOG, [$columns=Info, $path="redis",
- $policy=log_policy]);
+ Log::create_stream(Redis::LOG, Log::Stream($columns=Info, $path="redis",
+ $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_REDIS, ports);
 }
diff --git a/scripts/base/protocols/rfb/main.zeek b/scripts/base/protocols/rfb/main.zeek
index ee40a2ae83..b93a65f5f4 100644
--- a/scripts/base/protocols/rfb/main.zeek
+++ b/scripts/base/protocols/rfb/main.zeek
@@ -85,7 +85,7 @@ redef record connection += {
 event zeek_init() &priority=5
 {
- Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy]);
+ Log::create_stream(RFB::LOG, Log::Stream($columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy));
 }
 function write_log(c:connection)
diff --git a/scripts/base/protocols/sip/main.zeek b/scripts/base/protocols/sip/main.zeek
index 61715d838c..59154af615 100644
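Review bot: In the rdp set_session hunk the new constructor call `c$rdp = Info($ts=network_time(),$id=c$id,$uid=c$uid);` keeps the old line's missing spaces after the commas and uses the bare `Info`, while the same file's `zeek_init` two hunks earlier spells the type `RDP::Info`. Since the whole point of this series is to make the record type explicit, write it consistently and readably: `c$rdp = RDP::Info($ts=network_time(), $id=c$id, $uid=c$uid);`. The enclosing set_session begins before this hunk and continues past it.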
--- a/scripts/base/protocols/sip/main.zeek
+++ b/scripts/base/protocols/sip/main.zeek
@@ -106,7 +106,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip", $policy=log_policy]);
+ Log::create_stream(SIP::LOG, Log::Stream($columns=Info, $ev=log_sip, $path="sip", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
 }
diff --git a/scripts/base/protocols/smb/const-dos-error.zeek b/scripts/base/protocols/smb/const-dos-error.zeek
index 880df222c9..b07ce09f3d 100644
--- a/scripts/base/protocols/smb/const-dos-error.zeek
+++ b/scripts/base/protocols/smb/const-dos-error.zeek
@@ -129,4 +129,4 @@ redef SMB::statuses += {
 [0x0bc00001] = [$id="printmonitorinuse", $desc="The specified print monitor is currently in use."],
 [0x0bc10001] = [$id="printerhasjobsqueued", $desc="The requested operation is not allowed when there are jobs queued to the printer."],
 [0xffff0002] = [$id="nosupport", $desc="Function not supported."],
-};
\ No newline at end of file
+};
diff --git a/scripts/base/protocols/smb/consts.zeek b/scripts/base/protocols/smb/consts.zeek
index 42ba43639e..36ca0473dd 100644
--- a/scripts/base/protocols/smb/consts.zeek
+++ b/scripts/base/protocols/smb/consts.zeek
@@ -7,8 +7,8 @@ export {
 };
 const statuses: table[count] of StatusCode = {
- [0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
- } &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
+ [0x00000000] = StatusCode($id="SUCCESS", $desc="The operation completed successfully."),
+ } &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return StatusCode($id=unknown, $desc=unknown); };
 ## Heuristic detection of named pipes when the pipe
 ## mapping isn't seen. This variable is defined in
diff --git a/scripts/base/protocols/smb/files.zeek b/scripts/base/protocols/smb/files.zeek
index 2f5bc07c59..9cd0a8ebf4 100644
--- a/scripts/base/protocols/smb/files.zeek
+++ b/scripts/base/protocols/smb/files.zeek
@@ -50,8 +50,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_SMB,
- [$get_file_handle = SMB::get_file_handle,
- $describe = SMB::describe_file]);
+ Files::ProtoRegistration($get_file_handle = SMB::get_file_handle,
+ $describe = SMB::describe_file ));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
diff --git a/scripts/base/protocols/smb/main.zeek b/scripts/base/protocols/smb/main.zeek
index 15228c50af..496cc01f0e 100644
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@@ -186,8 +186,8 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files]);
- Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping]);
+ Log::create_stream(SMB::FILES_LOG, Log::Stream($columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files));
+ Log::create_stream(SMB::MAPPING_LOG, Log::Stream($columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
 }
diff --git a/scripts/base/protocols/smtp/files.zeek b/scripts/base/protocols/smtp/files.zeek
index 3dd39a018d..e3f14c5765 100644
--- a/scripts/base/protocols/smtp/files.zeek
+++ b/scripts/base/protocols/smtp/files.zeek
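Review bot: The new `Files::ProtoRegistration(...)` call in smb/files.zeek ends with `$describe = SMB::describe_file ));`, leaving a stray space before the closing parentheses that the SMTP and SSL counterparts in this series (`$describe = SMTP::describe_file));`) do not have. Drop it so the three registrations read identically: `$describe = SMB::describe_file));`. The same slip appears once more in intel/seen/smtp.zeek, where the mailfrom call closes with `$where=SMTP::IN_MAIL_FROM ));`.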
@@ -41,8 +41,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_SMTP,
- [$get_file_handle = SMTP::get_file_handle,
- $describe = SMTP::describe_file]);
+ Files::ProtoRegistration($get_file_handle = SMTP::get_file_handle,
+ $describe = SMTP::describe_file));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
diff --git a/scripts/base/protocols/smtp/main.zeek b/scripts/base/protocols/smtp/main.zeek
index e5a9251d2c..43c9a18e09 100644
--- a/scripts/base/protocols/smtp/main.zeek
+++ b/scripts/base/protocols/smtp/main.zeek
@@ -120,7 +120,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy]);
+ Log::create_stream(SMTP::LOG, Log::Stream($columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 }
diff --git a/scripts/base/protocols/snmp/main.zeek b/scripts/base/protocols/snmp/main.zeek
index a9827891fb..cccc6e60c2 100644
--- a/scripts/base/protocols/snmp/main.zeek
+++ b/scripts/base/protocols/snmp/main.zeek
@@ -73,7 +73,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
- Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy]);
+ Log::create_stream(SNMP::LOG, Log::Stream($columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy));
 }
 function init_state(c: connection, h: SNMP::Header): Info
diff --git a/scripts/base/protocols/socks/main.zeek b/scripts/base/protocols/socks/main.zeek
index 4ce523afd6..b6f1dfd92a 100644
--- a/scripts/base/protocols/socks/main.zeek
+++ b/scripts/base/protocols/socks/main.zeek
@@ -55,7 +55,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks", $policy=log_policy]);
+ Log::create_stream(SOCKS::LOG, Log::Stream($columns=Info, $ev=log_socks, $path="socks", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 }
@@ -67,7 +67,7 @@ function set_session(c: connection, version: count)
 {
 if ( ! c?$socks )
 {
- c$socks = [$ts=network_time(), $id=c$id, $uid=c$uid, $version=version];
+ c$socks = Info($ts=network_time(), $id=c$id, $uid=c$uid, $version=version);
 Conn::register_removal_hook(c, finalize_socks);
 }
 }
@@ -85,7 +85,7 @@ event socks_request(c: connection, version: count, request_type: count,
 # proxied connection. We treat this as a singular "tunnel".
 local cid = copy(c$id);
 cid$orig_p = 0/tcp;
- Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS]);
+ Tunnel::register(Tunnel::EncapsulatingConn($cid=cid, $tunnel_type=Tunnel::SOCKS));
 }
 event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5
diff --git a/scripts/base/protocols/ssh/main.zeek b/scripts/base/protocols/ssh/main.zeek
index cb63c409ae..b11555d845 100644
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@@ -139,7 +139,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
 Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
- Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy]);
+ Log::create_stream(SSH::LOG, Log::Stream($columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy));
 }
 function set_session(c: connection)
diff --git a/scripts/base/protocols/ssl/files.zeek b/scripts/base/protocols/ssl/files.zeek
index 69bfadcc96..a0cf35f0f0 100644
--- a/scripts/base/protocols/ssl/files.zeek
+++ b/scripts/base/protocols/ssl/files.zeek
@@ -97,13 +97,12 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
 Files::register_protocol(Analyzer::ANALYZER_SSL,
- [$get_file_handle = SSL::get_file_handle,
- $describe = SSL::describe_file]);
+ Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
+ $describe = SSL::describe_file));
 Files::register_protocol(Analyzer::ANALYZER_DTLS,
- [$get_file_handle = SSL::get_file_handle,
- $describe = SSL::describe_file]);
-
+ Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
+ $describe = SSL::describe_file));
 local ssl_filter = Log::get_filter(SSL::LOG, "default");
 if ( ssl_filter$name != "" )
diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index 0d56f8ce4b..f985f3e93c 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -196,7 +196,7 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 # Priority needs to be higher than priority of zeek_init in ssl/files.zeek
 event zeek_init() &priority=6
 {
- Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
+ Log::create_stream(SSL::LOG, Log::Stream($columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
 Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 }
@@ -205,7 +205,7 @@ function set_session(c: connection)
 {
 if ( ! c?$ssl )
 {
- c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id];
+ c$ssl = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 Conn::register_removal_hook(c, finalize_ssl);
 }
 }
diff --git a/scripts/base/protocols/syslog/main.zeek b/scripts/base/protocols/syslog/main.zeek
index 7a789a9400..8fbc321edb 100644
--- a/scripts/base/protocols/syslog/main.zeek
+++ b/scripts/base/protocols/syslog/main.zeek
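Review bot: The ssl/files.zeek hunk does more than swap constructors: the lone removed `-` line deletes the blank that separated the DTLS `Files::register_protocol(...)` from `local ssl_filter = Log::get_filter(SSL::LOG, "default");`, which is why the hunk shrinks from 13 to 12 lines. That is an unrelated whitespace change inside an otherwise mechanical refactor, and it runs the two analyzer registrations straight into the log-filter setup that follows. Keep the blank line so the hunk stays a pure `[...]` to `Files::ProtoRegistration(...)` change. This zeek_init handler continues past the end of the hunk.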
@@ -38,7 +38,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 {
- Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog", $policy=log_policy]);
+ Log::create_stream(Syslog::LOG, Log::Stream($columns=Info, $path="syslog", $policy=log_policy));
 Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
 }
diff --git a/scripts/base/protocols/websocket/main.zeek b/scripts/base/protocols/websocket/main.zeek
index ab11a46a08..50435c10f9 100644
--- a/scripts/base/protocols/websocket/main.zeek
+++ b/scripts/base/protocols/websocket/main.zeek
@@ -228,5 +228,5 @@ event websocket_established(c: connection, aid: count) &priority=-5
 event zeek_init()
 {
- Log::create_stream(LOG, [$columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy));
 }
diff --git a/scripts/base/utils/active-http.zeek b/scripts/base/utils/active-http.zeek
index ed0210ccb6..f9c3c3ed27 100644
--- a/scripts/base/utils/active-http.zeek
+++ b/scripts/base/utils/active-http.zeek
@@ -98,7 +98,7 @@ function request(req: Request): ActiveHTTP::Response
 local cmd = request2curl(req, bodyfile, headersfile);
 local stdin_data = req?$client_data ? req$client_data : "";
- return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) )
+ return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run(Exec::Command($cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile))) )
 {
 # If there is no response line then nothing else will work either.
 if ( ! (result?$files && headersfile in result$files) )
diff --git a/scripts/base/utils/dir.zeek b/scripts/base/utils/dir.zeek
index 72823972d3..dce3af2c47 100644
--- a/scripts/base/utils/dir.zeek
+++ b/scripts/base/utils/dir.zeek
@@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string], callback: function(fname: string), poll_interval: interval) {
- when [dir, last_files, callback, poll_interval] ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
+ when [dir, last_files, callback, poll_interval] ( local result = Exec::run(Exec::Command($cmd=fmt("ls -1 %s/", safe_shell_quote(dir)))) )
 {
 if ( result$exit_code != 0 )
 {
diff --git a/scripts/base/utils/exec.zeek b/scripts/base/utils/exec.zeek
index 1fa7743325..8c05531e6f 100644
--- a/scripts/base/utils/exec.zeek
+++ b/scripts/base/utils/exec.zeek
@@ -142,12 +142,12 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s
 delete pending_commands[name];
 else
 for ( read_file in pending_files[name] )
- Input::add_event([$source=fmt("%s", read_file),
- $name=fmt("%s_%s", name, read_file),
- $reader=Input::READER_RAW,
- $want_record=F,
- $fields=FileLine,
- $ev=Exec::file_line]);
+ Input::add_event(Input::EventDescription($source=fmt("%s", read_file),
+ $name=fmt("%s_%s", name, read_file),
+ $reader=Input::READER_RAW,
+ $want_record=F,
+ $fields=FileLine,
+ $ev=Exec::file_line));
 }
 function run(cmd: Command): Result
@@ -169,14 +169,14 @@ function run(cmd: Command): Result
 ["stdin"] = cmd$stdin,
 ["read_stderr"] = "1",
 };
- Input::add_event([$name=cmd$uid,
- $source=fmt("%s |", cmd$cmd),
- $reader=Input::READER_RAW,
- $mode=Input::STREAM,
- $fields=Exec::OneLine,
- $ev=Exec::line,
- $want_record=F,
- $config=config_strings]);
+ Input::add_event(Input::EventDescription($name=cmd$uid,
+ $source=fmt("%s |", cmd$cmd),
+ $reader=Input::READER_RAW,
+ $mode=Input::STREAM,
+ $fields=Exec::OneLine,
+ $ev=Exec::line,
+ $want_record=F,
+ $config=config_strings));
 return when [cmd] ( cmd$uid !in pending_commands )
 {
diff --git a/scripts/base/utils/patterns.zeek b/scripts/base/utils/patterns.zeek
index 0fb7e0b72a..c3f8263c63 100644
--- a/scripts/base/utils/patterns.zeek
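Review bot: In the `run(cmd: Command)` hunk of exec.zeek the new `Input::EventDescription(...)` still passes `$source=fmt("%s |", cmd$cmd)`, and the trailing `|` is what tells `Input::READER_RAW` to execute the string as a command line rather than read a file, yet nothing near the call states that `Exec::Command$cmd` is interpreted by a shell and must therefore arrive already quoted. The callers touched in this same series show both sides of that contract: dir.zeek wraps its argument in `safe_shell_quote(dir)`, while active-http.zeek passes the output of `request2curl(...)` unseen. Now that the record type is spelled out explicitly, add a one-line comment above the `Input::add_event(` call, e.g. `# The trailing "|" makes READER_RAW run cmd$cmd through a shell; callers must quote untrusted parts (see safe_shell_quote).`. The body of run() begins before this hunk.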
+++ b/scripts/base/utils/patterns.zeek
@@ -61,7 +61,7 @@ function match_pattern(s: string, p: pattern): PatternMatchResult
 if ( |a| == 1 ) # no match
- return [$matched = F, $str = "", $off = 0];
+ return PatternMatchResult($matched = F, $str = "", $off = 0);
 else
- return [$matched = T, $str = a[1], $off = |a[0]| + 1];
+ return PatternMatchResult($matched = T, $str = a[1], $off = |a[0]| + 1);
 }
diff --git a/scripts/policy/frameworks/analyzer/debug-logging.zeek b/scripts/policy/frameworks/analyzer/debug-logging.zeek
index 81b680c740..bf1af410e4 100644
--- a/scripts/policy/frameworks/analyzer/debug-logging.zeek
+++ b/scripts/policy/frameworks/analyzer/debug-logging.zeek
@@ -69,8 +69,8 @@ export {
 event zeek_init() &priority=5
 {
- Log::create_stream(LOG, [$columns=Info, $path="analyzer_debug", $policy=log_policy,
- $event_groups=set("Analyzer::DebugLogging")]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer_debug", $policy=log_policy,
+ $event_groups=set("Analyzer::DebugLogging")));
 local enable_handler = function(id: string, new_value: bool): bool { if ( new_value )
diff --git a/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek b/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
index b1e1c35643..444b7573e0 100644
--- a/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
+++ b/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
@@ -33,7 +33,7 @@ redef record connection += {
 event zeek_init() &priority=5
 {
- Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
+ Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
 }
 # before the same event in dpd.zeek
diff --git a/scripts/policy/frameworks/analyzer/detect-protocols.zeek b/scripts/policy/frameworks/analyzer/detect-protocols.zeek
index 80aa259fd2..9c889dbe5c 100644
--- a/scripts/policy/frameworks/analyzer/detect-protocols.zeek
+++ b/scripts/policy/frameworks/analyzer/detect-protocols.zeek
@@ -93,7 +93,7 @@ function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
 str = |str| > 0 ? fmt("%s/%s", str, p) : p;
 }
- return [$a=Analyzer::name(a), $sub=str];
+ return protocol($a=Analyzer::name(a), $sub=str);
 }
 function fmt_protocol(p: protocol) : string
@@ -115,9 +115,9 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 local p = get_protocol(c, a);
 local s = fmt_protocol(p);
- NOTICE([$note=Protocol_Found,
+ NOTICE(Notice::Info($note=Protocol_Found,
 $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
- $sub=s, $conn=c]);
+ $sub=s, $conn=c));
 # We report multiple Server_Found's per host if we find a new
 # sub-protocol.
@@ -130,10 +130,10 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 if ( (! known || newsub) && a !in suppress_servers )
 {
- NOTICE([$note=Server_Found,
+ NOTICE(Notice::Info($note=Server_Found,
 $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")),
- $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
+ $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h));
 if ( ! known )
 servers[c$id$resp_h, c$id$resp_p, p$a] = set();
diff --git a/scripts/policy/frameworks/intel/seen/conn-established.zeek b/scripts/policy/frameworks/intel/seen/conn-established.zeek
index 20cec43e04..0c46ca412c 100644
--- a/scripts/policy/frameworks/intel/seen/conn-established.zeek
+++ b/scripts/policy/frameworks/intel/seen/conn-established.zeek
@@ -6,7 +6,7 @@ event connection_established(c: connection)
 if ( c$orig$state == TCP_ESTABLISHED && c$resp$state == TCP_ESTABLISHED )
 {
- Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
- Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
+ Intel::seen(Intel::Seen($host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG));
+ Intel::seen(Intel::Seen($host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP));
 }
 }
diff --git a/scripts/policy/frameworks/intel/seen/dns.zeek b/scripts/policy/frameworks/intel/seen/dns.zeek
index cfc5a6a6c3..cc2c8fe337 100644
--- a/scripts/policy/frameworks/intel/seen/dns.zeek
+++ b/scripts/policy/frameworks/intel/seen/dns.zeek
@@ -3,8 +3,8 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
 {
- Intel::seen([$indicator=query,
- $indicator_type=Intel::DOMAIN,
- $conn=c,
- $where=DNS::IN_REQUEST]);
+ Intel::seen(Intel::Seen($indicator=query,
+ $indicator_type=Intel::DOMAIN,
+ $conn=c,
+ $where=DNS::IN_REQUEST));
 }
diff --git a/scripts/policy/frameworks/intel/seen/file-names.zeek b/scripts/policy/frameworks/intel/seen/file-names.zeek
index 3280822cf8..c851291202 100644
--- a/scripts/policy/frameworks/intel/seen/file-names.zeek
+++ b/scripts/policy/frameworks/intel/seen/file-names.zeek
@@ -10,10 +10,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
 return;
 if ( f?$info && f$info?$filename )
- Intel::seen([$indicator=f$info$filename,
- $indicator_type=Intel::FILE_NAME,
- $f=f,
- $where=Files::IN_NAME]);
+ Intel::seen(Intel::Seen($indicator=f$info$filename,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=Files::IN_NAME));
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
@@ -23,8 +23,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 return;
 if ( f?$info && f$info?$filename )
- Intel::seen([$indicator=f$info$filename,
- $indicator_type=Intel::FILE_NAME,
- $f=f,
- $where=Files::IN_NAME]);
+ Intel::seen(Intel::Seen($indicator=f$info$filename,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=Files::IN_NAME));
 }
diff --git a/scripts/policy/frameworks/intel/seen/http-headers.zeek b/scripts/policy/frameworks/intel/seen/http-headers.zeek
index 8d7c379010..2ea013e4c2 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-headers.zeek
@@ -13,10 +13,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 # Remove the occasional port value that shows up here.
 local host = gsub(value, /:[[:digit:]]+$/, "");
 if ( is_valid_ip(host) )
- Intel::seen([$host=to_addr(host),
- $indicator_type=Intel::ADDR,
- $conn=c,
- $where=HTTP::IN_HOST_HEADER]);
+ Intel::seen(Intel::Seen($host=to_addr(host),
+ $indicator_type=Intel::ADDR,
+ $conn=c,
+ $where=HTTP::IN_HOST_HEADER));
 break;
 case "X-FORWARDED-FOR":
@@ -25,10 +25,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 local addrs = extract_ip_addresses(value);
 for ( i in addrs )
 {
- Intel::seen([$host=to_addr(addrs[i]),
- $indicator_type=Intel::ADDR,
- $conn=c,
- $where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
+ Intel::seen(Intel::Seen($host=to_addr(addrs[i]),
+ $indicator_type=Intel::ADDR,
+ $conn=c,
+ $where=HTTP::IN_X_FORWARDED_FOR_HEADER));
 }
 }
 break;
@@ -38,36 +38,36 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
 {
 if ( ! is_orig || name != "HOST" )
- return;
+ return;
 # Remove the occasional port value that shows up here.
 local host = gsub(value, /:[[:digit:]]+$/, "");
 if ( ! is_valid_ip(host) )
- Intel::seen([$indicator=host,
- $indicator_type=Intel::DOMAIN,
- $conn=c,
- $where=HTTP::IN_HOST_HEADER]);
+ Intel::seen(Intel::Seen($indicator=host,
+ $indicator_type=Intel::DOMAIN,
+ $conn=c,
+ $where=HTTP::IN_HOST_HEADER));
 }
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
 {
 if ( ! is_orig || name != "REFERER" )
- return;
+ return;
- Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
- $indicator_type=Intel::URL,
- $conn=c,
- $where=HTTP::IN_REFERRER_HEADER]);
+ Intel::seen(Intel::Seen($indicator=sub(value, /^.*:\/\//, ""),
+ $indicator_type=Intel::URL,
+ $conn=c,
+ $where=HTTP::IN_REFERRER_HEADER));
 }
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
 {
 if ( ! is_orig || name != "USER-AGENT" )
- return;
+ return;
- Intel::seen([$indicator=value,
- $indicator_type=Intel::SOFTWARE,
- $conn=c,
- $where=HTTP::IN_USER_AGENT_HEADER]);
+ Intel::seen(Intel::Seen($indicator=value,
+ $indicator_type=Intel::SOFTWARE,
+ $conn=c,
+ $where=HTTP::IN_USER_AGENT_HEADER));
 }
diff --git a/scripts/policy/frameworks/intel/seen/http-url.zeek b/scripts/policy/frameworks/intel/seen/http-url.zeek
index 9611cb1e8e..c18dd5f141 100644
--- a/scripts/policy/frameworks/intel/seen/http-url.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-url.zeek
@@ -5,8 +5,8 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
 {
 if ( is_orig && c?$http )
- Intel::seen([$indicator=HTTP::build_url(c$http),
- $indicator_type=Intel::URL,
- $conn=c,
- $where=HTTP::IN_URL]);
+ Intel::seen(Intel::Seen($indicator=HTTP::build_url(c$http),
+ $indicator_type=Intel::URL,
+ $conn=c,
+ $where=HTTP::IN_URL));
 }
diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.zeek b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
index 6009959d2e..0ceac24222 100644
--- a/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
@@ -14,10 +14,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
 {
 local split_fname = split_string(c$smb_state$current_file$name, /\\/);
 local fname = split_fname[|split_fname|-1];
- Intel::seen([$indicator=fname,
- $indicator_type=Intel::FILE_NAME,
- $f=f,
- $where=SMB::IN_FILE_NAME]);
+ Intel::seen(Intel::Seen($indicator=fname,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=SMB::IN_FILE_NAME));
 }
 }
 }
diff --git a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
index c0a21d5d8c..57b5efa944 100644
--- a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
+++ b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
@@ -13,10 +13,10 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
 local urls = find_all_urls_without_scheme(data);
 for ( url in urls )
 {
- Intel::seen([$indicator=url,
- $indicator_type=Intel::URL,
- $conn=c,
- $where=SMTP::IN_MESSAGE]);
+ Intel::seen(Intel::Seen($indicator=url,
+ $indicator_type=Intel::URL,
+ $conn=c,
+ $where=SMTP::IN_MESSAGE));
 }
 }
 }
@@ -24,5 +24,5 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
 event file_new(f: fa_file) &group="Intel::URL"
 {
 if ( f$source == "SMTP" )
- Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
+ Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($stream_event=intel_mime_data));
 }
diff --git a/scripts/policy/frameworks/intel/se
en/smtp.zeek b/scripts/policy/frameworks/intel/seen/smtp.zeek
index 940278cb9d..3ec7d9d519 100644
--- a/scripts/policy/frameworks/intel/seen/smtp.zeek
+++ b/scripts/policy/frameworks/intel/seen/smtp.zeek
@@ -12,16 +12,16 @@ event mime_end_entity(c: connection) &group="Intel::ADDR"
 local path = c$smtp$path;
 for ( i in path )
 {
- Intel::seen([$host=path[i],
- $conn=c,
- $where=SMTP::IN_RECEIVED_HEADER]);
+ Intel::seen(Intel::Seen($host=path[i],
+ $conn=c,
+ $where=SMTP::IN_RECEIVED_HEADER));
 }
 }
 if ( c$smtp?$x_originating_ip )
- Intel::seen([$host=c$smtp$x_originating_ip,
- $conn=c,
- $where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
+ Intel::seen(Intel::Seen($host=c$smtp$x_originating_ip,
+ $conn=c,
+ $where=SMTP::IN_X_ORIGINATING_IP_HEADER));
 }
 }
@@ -30,10 +30,10 @@ event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
 if ( c?$smtp )
 {
 if ( c$smtp?$user_agent )
- Intel::seen([$indicator=c$smtp$user_agent,
- $indicator_type=Intel::SOFTWARE,
- $conn=c,
- $where=SMTP::IN_HEADER]);
+ Intel::seen(Intel::Seen($indicator=c$smtp$user_agent,
+ $indicator_type=Intel::SOFTWARE,
+ $conn=c,
+ $where=SMTP::IN_HEADER));
 }
 }
@@ -43,20 +43,20 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 {
 if ( c$smtp?$mailfrom )
 {
- Intel::seen([$indicator=c$smtp$mailfrom,
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_MAIL_FROM]);
+ Intel::seen(Intel::Seen($indicator=c$smtp$mailfrom,
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_MAIL_FROM ));
 }
 if ( c$smtp?$rcptto )
 {
 for ( rcptto_addr in c$smtp$rcptto )
 {
- Intel::seen([$indicator=rcptto_addr,
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_RCPT_TO]);
+ Intel::seen(Intel::Seen($indicator=rcptto_addr,
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_RCPT_TO));
 }
 }
@@ -64,10 +64,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 {
 for ( from_addr in extract_email_addrs_set(c$smtp$from) )
 {
- Intel::seen([$indicator=from_addr,
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_FROM]);
+ Intel::seen(Intel::Seen($indicator=from_addr,
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_FROM));
 }
 }
@@ -75,10 +75,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 {
 for ( email_to_addr in c$smtp$to )
 {
- Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_TO]);
+ Intel::seen(Intel::Seen($indicator=extract_first_email_addr(email_to_addr),
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_TO));
 }
 }
@@ -86,19 +86,19 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 {
 for ( cc_addr in c$smtp$cc )
 {
- Intel::seen([$indicator=cc_addr,
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_CC]);
+ Intel::seen(Intel::Seen($indicator=cc_addr,
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_CC));
 }
 }
 if ( c$smtp?$reply_to )
 {
- Intel::seen([$indicator=c$smtp$reply_to,
- $indicator_type=Intel::EMAIL,
- $conn=c,
- $where=SMTP::IN_REPLY_TO]);
+ Intel::seen(Intel::Seen($indicator=c$smtp$reply_to,
+ $indicator_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_REPLY_TO));
 }
 }
 }
diff --git a/scripts/policy/frameworks/intel/seen/ssl.zeek b/scripts/policy/frameworks/intel/seen/ssl.zeek
index 8b00d0720f..764384c565 100644
--- a/scripts/policy/frameworks/intel/seen/ssl.zeek
+++ b/scripts/policy/frameworks/intel/seen/ssl.zeek
@@ -5,10 +5,10 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
 {
 if ( is_orig && c?$ssl && c$ssl?$server_name )
- Intel::seen([$indicator=c$ssl$server_name,
- $indicator_type=Intel::DOMAIN,
- $conn=c,
- $where=SSL::IN_SERVER_NAME]);
+ Intel::seen(Intel::Seen($indicator=c$ssl$server_name,
+ $indicator_type=Intel::DOMAIN,
+ $conn=c,
+ $where=SSL::IN_SERVER_NAME));
 }
 event ssl_established(c: connection) &group="Intel::DOMAIN"
@@ -18,9 +18,9 @@ event ssl_established(c: connection) &group="Intel::DOMAIN"
 return;
 if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
- Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
+ Intel::seen(Intel::Seen($indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
 $indicator_type=Intel::DOMAIN,
 $fuid=c$ssl$cert_chain[0]$fuid,
 $conn=c,
- $where=X509::IN_CERT]);
+ $where=X509::IN_CERT));
 }
diff --git a/scripts/policy/frameworks/intel/seen/x509.zeek b/scripts/policy/frameworks/intel/seen/x509.zeek
index 335a459a9b..6d367b54ce 100644
--- a/scripts/policy/frameworks/intel/seen/x509.zeek
+++ b/scripts/policy/frameworks/intel/seen/x509.zeek
@@ -5,8 +5,8 @@ module Intel;
 export {
- ## Enables the extraction of subject alternate names from the X509 SAN DNS field
- option enable_x509_ext_subject_alternative_name = T;
+ ## Enables the extraction of subject alternate names from the X509 SAN DNS field
+ option enable_x509_ext_subject_alternative_name = T;
 }
 event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
@@ -14,10 +14,10 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
 if ( enable_x509_ext_subject_alternative_name && ext?$dns )
 {
 for ( i in ext$dns )
- Intel::seen([$indicator=ext$dns[i],
+ Intel::seen(Intel::Seen($indicator=ext$dns[i],
 $indicator_type=Intel::DOMAIN,
 $f=f,
- $where=X509::IN_CERT]);
+ $where=X509::IN_CERT));
 }
 }
@@ -27,10 +27,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 {
 local email = sub(cert$subject, /^.*emailAddress=/, "");
 email = sub(email, /,.*$/, "");
- Intel::seen([$indicator=email,
- $indicator_type=Intel::EMAIL,
- $f=f,
- $where=X509::IN_CERT]);
+ Intel::seen(Intel::Seen($indicator=email,
+ $indicator_type=Intel::EMAIL,
+ $f=f,
+ $where=X509::IN_CERT));
 }
 }
@@ -38,10 +38,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 {
 if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
 {
- Intel::seen([$indicator=f$info$sha1,
- $indicator_type=Intel::CERT_HASH,
- $f=f,
- $where=X509::IN_CERT]);
+ Intel::seen(Intel::Seen($indicator=f$info$sha1,
+ $indicator_type=Intel::CERT_HASH,
+ $f=f,
+ $where=X509::IN_CERT));
 }
 }
@@ -50,8 +50,8 @@ event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH
 if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
 return;
- Intel::seen([$indicator=hash,
- $indicator_type=Intel::CERT_HASH,
- $f=f,
- $where=X509::IN_CERT]);
+ Intel::seen(Intel::Seen($indicator=hash,
+ $indicator_type=Intel::CERT_HASH,
+ $f=f,
+ $where=X509::IN_CERT));
 }
diff --git a/scripts/policy/frameworks/management/log.zeek b/scripts/policy/frameworks/management/log.zeek
index bc952f0971..de75c78a3e 100644
--- a/scripts/policy/frameworks/management/log.zeek
+++ b/scripts/policy/frameworks/management/log.zeek
@@ -88,8 +88,8 @@ function debug(message: string)
 return;
 local node = Supervisor::node();
- Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[DEBUG],
- $role=r2s[Management::role], $message=message]);
+ Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[DEBUG],
+ $role=r2s[Management::role], $message=message));
 }
 function info(message: string)
@@ -98,8 +98,8 @@ function info(message: string)
 return;
 local node = Supervisor::node();
- Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[INFO],
- $role=r2s[Management::role], $message=message]);
+ Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[INFO],
+ $role=r2s[Management::role], $message=message));
 }
 function warning(message: string)
@@ -108,8 +108,8 @@ function warning(message: string)
 return;
 local node = Supervisor::node();
- Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[WARNING],
- $role=r2s[Management::role], $message=message]);
+ Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[WARNING],
+ $role=r2s[Management::role], $message=message));
 }
 function error(message: string)
@@ -118,8 +118,8 @@ function error(message: string)
 return;
 local node = Supervisor::node();
- Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[ERROR],
- $role=r2s[Management::role], $message=message]);
+ Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[ERROR],
+ $role=r2s[Management::role], $message=message));
 }
 # Bump priority to ensure the log stream exists when other zeek_init handlers use it.
diff --git a/scripts/policy/frameworks/management/supervisor/main.zeek b/scripts/policy/frameworks/management/supervisor/main.zeek
index 8683a895f7..ca5b595dd9 100644
--- a/scripts/policy/frameworks/management/supervisor/main.zeek
+++ b/scripts/policy/frameworks/management/supervisor/main.zeek
@@ -29,8 +29,8 @@ global g_outputs: table[string] of NodeOutputStreams;
 function make_node_output_streams(node: string): NodeOutputStreams
 {
- local stdout = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
- local stderr = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
+ local stdout = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
+ local stderr = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
 local res = NodeOutputStreams($stdout=stdout, $stderr=stderr);
 local status = Supervisor::status(node);
diff --git a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
index adf67ed37c..c8a99d75a5 100644
--- a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
+++ b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
@@ -168,7 +168,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
 event zeek_init() &priority=5
 {
- Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
+ Log::create_stream(NetControl::CATCH_RELEASE, Log::Stream($columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release));
 }
 function get_watch_interval(current_interval: count): interval
diff --git a/scripts/policy/frameworks/packet-filter/shunt.zeek b/scripts/policy/frameworks/packet-filter/shunt.zeek
index 86c162da3f..269c349e95 100644
--- a/scripts/policy/frameworks/packet-filter/shunt.zeek
+++ b/scripts/policy/frameworks/packet-filter/shunt.zeek
@@ -78,9 +78,9 @@ function shunt_filters()
 event zeek_init() &priority=5
 {
- register_filter_plugin([
+ register_filter_plugin(FilterPlugin(
 $func()={ return shunt_filters(); }
- ]);
+ ));
 }
 function current_shunted_conns(): set[conn_id]
@@ -97,8 +97,8 @@ function reached_max_shunts(): bool
 {
 if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts )
 {
- NOTICE([$note=No_More_Conn_Shunts_Available,
- $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]);
+ NOTICE(Notice::Info($note=No_More_Conn_Shunts_Available,
+ $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)));
 return T;
 }
 else
@@ -145,10 +145,10 @@ function shunt_conn(id: conn_id): bool
 {
 if ( is_v6_addr(id$orig_h) )
 {
- NOTICE([$note=Cannot_BPF_Shunt_Conn,
- $msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
- $sub="ipv6_conn",
- $id=id, $identifier=cat(id)]);
+ NOTICE(Notice::Info($note=Cannot_BPF_Shunt_Conn,
+ $msg="IPv6 connections can't be shunted with BPF due to limitations in BP F",
+ $sub="ipv6_conn",
+ $id=id, $identifier=cat(id)));
 return F;
 }
diff --git a/scripts/policy/frameworks/software/version-changes.zeek b/scripts/policy/frameworks/software/version-changes.zeek
index 060778584b..c19aa9d3ba 100644
--- a/scripts/policy/frameworks/software/version-changes.zeek
+++ b/scripts/policy/frameworks/software/version-changes.zeek
@@ -30,8 +30,8 @@ event Software::version_change(old: Software::Info, new: Software::Info)
 local msg = fmt("%.6f %s '%s' version changed from %s to %s",
 network_time(), old$software_type, old$name,
 software_fmt_version(old$version),
- software_fmt_version(new$version));
+ software_fmt_version(new$version));
- NOTICE([$note=Software_Version_Change, $src=new$host,
- $msg=msg, $sub=software_fmt(new)]);
+ NOTICE(Notice::Info($note=Software_Version_Change, $src=new$host,
+ $msg=msg, $sub=software_fmt(new)));
 }
diff --git a/scripts/policy/frameworks/software/vulnerable.zeek b/scripts/policy/frameworks/software/vulnerable.zeek
index 40e48ffc40..290be00229 100644
--- a/scripts/policy/frameworks/software/vulnerable.zeek
+++ b/scripts/policy/frameworks/software/vulnerable.zeek
@@ -47,7 +47,7 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang
 # Create a max value with a dunce value only because the $max field
 # is not optional.
- local vvr: Software::VulnerableVersionRange = [$max=[$major=0]];
+ local vvr = Software::VulnerableVersionRange($max=Software::Version($major=0));
 if ( /max=/ !in vuln_sw )
 {
@@ -138,9 +138,9 @@ event log_software(rec: Info)
 (!version_range?$min || cmp_versions(rec$version, version_range$min) >= 0) )
 {
 # The software is inside a vulnerable version range.
- NOTICE([$note=Vulnerable_Version, $src=rec$host,
- $msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
- $sub=software_fmt(rec)]);
+ NOTICE(Notice::Info($note=Vulnerable_Version, $src=rec$host,
+ $msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
+ $sub=software_fmt(rec)));
 }
 }
 }
diff --git a/scripts/policy/frameworks/software/windows-version-detection.zeek b/scripts/policy/frameworks/software/windows-version-detection.zeek
index 4a327b2d7f..052fa74d4e 100644
--- a/scripts/policy/frameworks/software/windows-version-detection.zeek
+++ b/scripts/policy/frameworks/software/windows-version-detection.zeek
@@ -59,12 +59,12 @@ event HTTP::log_http(rec: HTTP::Info) &priority=5
 {
 if ( rec$user_agent !in crypto_api_mapping )
 {
- Software::found(rec$id, [$unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS]);
+ Software::found(rec$id, Software::Info($unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS));
 }
 else
 {
 local result = crypto_api_mapping[rec$user_agent];
- Software::found(rec$id, [$version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS]);
+ Software::found(rec$id, Software::Info($version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS));
 }
 }
 }
diff --git a/scripts/policy/frameworks/telemetry/log.zeek b/scripts/policy/frameworks/telemetry/log.zeek
index a360a7ed4f..ae633f297b 100644
--- a/scripts/policy/frameworks/telemetry/log.zeek
+++ b/scripts/policy/frameworks/telemetry/log.zeek
@@ -187,8 +187,8 @@ event Telemetry::log()
 event zeek_init() &priority=5
 {
- Log::create_stream(LOG, [$columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy]);
- Log::create_stream(LOG_HISTOGRAM, [$columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy));
+ Log::create_stream(LOG_HISTOGRAM, Log::Stream($columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram));
 schedule log_interval { Telemetry::log() };
 }
diff --git a/scripts/policy/misc/capture-loss.zeek b/scripts/policy/misc/capture-loss.zeek
index 3f53de3e2a..343565723a 100644
--- a/scripts/policy/misc/capture-loss.zeek
+++ b/scripts/policy/misc/capture-loss.zeek
@@ -75,19 +75,19 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 local acks = g$ack_events - last_acks;
 local gaps = g$gap_events - last_gaps;
 local pct_lost = (acks == 0) ? 0.0 : (100 * (1.0 * gaps) / (1.0 * acks));
- local info: Info = [$ts=now,
- $ts_delta=now-last_ts,
- $peer=peer_description,
- $acks=acks, $gaps=gaps,
- $percent_lost=pct_lost];
+ local info = Info($ts=now,
+ $ts_delta=now-last_ts,
+ $peer=peer_description,
+ $acks=acks, $gaps=gaps,
+ $percent_lost=pct_lost);
 if ( pct_lost >= too_much_loss*100 )
- NOTICE([$note=Too_Much_Loss,
- $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]);
+ NOTICE(Notice::Info($note=Too_Much_Loss,
+ $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)));
 if ( acks < minimum_acks )
- NOTICE([$note=Too_Little_Traffic,
- $msg=fmt("Only observed %d TCP ACKs and was expecting at least %d.", acks, minimum_acks)]);
+ NOTICE(Notice::Info($note=Too_Little_Traffic,
+ $msg=fmt("Only observed %d TCP ACKs and was expecting at least %d.", acks, minimum_acks)));
 Log::write(LOG, info);
 schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
@@ -95,7 +95,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 event zeek_init() &priority=5
 {
- Log::create_stream(LOG, [$columns=Info, $path="capture_loss", $policy=log_policy]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $path="capture_loss", $policy=log_policy));
 # We only schedule the event if we are capturing packets.
 if ( reading_live_traffic() || reading_traces() )
diff --git a/scripts/policy/misc/detect-traceroute/main.zeek b/scripts/policy/misc/detect-traceroute/main.zeek
index 7408020e7d..da582888f9 100644
--- a/scripts/policy/misc/detect-traceroute/main.zeek
+++ b/scripts/policy/misc/detect-traceroute/main.zeek
@@ -57,35 +57,35 @@ export {
 event zeek_init() &priority=5
 {
- Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute", $policy=log_policy]);
+ Log::create_stream(Traceroute::LOG, Log::Stream($columns=Info, $ev=log_traceroute, $path="traceroute", $policy=log_policy));
- local r1: SumStats::Reducer = [$stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE)];
- local r2: SumStats::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM)];
- SumStats::create([$name="traceroute-detection",
- $epoch=icmp_time_exceeded_interval,
- $reducers=set(r1, r2),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- # Give a threshold value of zero depending on if the host
- # sends a low ttl packet.
- if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
- return 0.0;
- else
- return result["traceroute.time_exceeded"]$unique+0;
- },
- $threshold=icmp_time_exceeded_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local parts = split_string_n(key$str, /-/, F, 2);
- local src = to_addr(parts[0]);
- local dst = to_addr(parts[1]);
- local proto = parts[2];
- Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
- NOTICE([$note=Traceroute::Detected,
- $msg=fmt("%s seems to be running traceroute using %s", src, proto),
- $src=src,
- $identifier=cat(src,proto)]);
- }]);
+ local r1 = SumStats::Reducer($stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE));
+ local r2 = SumStats::Reducer($stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM));
+ SumStats::create(SumStats::SumStat($name="traceroute-detection",
+ $epoch=icmp_time_exceeded_interval,
+ $reducers=set(r1, r2),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ # Give a threshold value of zero depending on if the host
+ # sends a low ttl packet.
+ if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
+ return 0.0;
+ else
+ return result["traceroute.time_exceeded"]$unique+0;
+ },
+ $threshold=icmp_time_exceeded_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local parts = split_string_n(key$str, /-/, F, 2);
+ local src = to_addr(parts[0]);
+ local dst = to_addr(parts[1]);
+ local proto = parts[2];
+ Log::write(LOG, Info($ts=network_time(), $src=src, $dst=dst, $proto=proto));
+ NOTICE(Notice::Info($note=Traceroute::Detected,
+ $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+ $src=src,
+ $identifier=cat(src,proto)));
+ }));
 }
 # Low TTL packets are detected with a signature.
@@ -93,11 +93,11 @@ event signature_match(state: signature_state, msg: string, data: string)
 {
 if ( state$sig_id == /traceroute-detector.*/ )
 {
- SumStats::observe("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h,"-",get_port_transport_proto(state$conn$id$resp_p))], [$num=1]);
+ SumStats::observe("traceroute.low_ttl_packet", SumStats::Key($str=cat(state$conn$id$orig_h,"-", state$conn$id$resp_h, "-", get_port_transport_proto(state$conn$id$resp_p))), SumStats::Observation($num=1));
 }
 }
 event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
 {
- SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h,"-",get_port_transport_proto(context$id$resp_p))], [$str=cat(c$id$orig_h)]);
+ SumStats::observe("traceroute.time_exceeded", SumStats::Key($str=cat(context$id$orig_h,"-", context$id$resp_h, "-", get_port_transport_proto(context$id$resp_p))), SumStats::Observation($str=cat(c$id$orig_h)));
 }
diff --git a/scripts/policy/misc/loaded-scripts.zeek b/scripts/policy/misc/loaded-scripts.zeek
index 57d46ee75f..9a2e652f44 100644
--- a/scripts/policy/misc/loaded-scripts.zeek
+++ b/scripts/policy/misc/loaded-scripts.zeek
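Review bot: The two rewritten `SumStats::observe` calls in `signature_match` and `icmp_time_exceeded` use inconsistent spacing inside `cat()`: the first separator is written `orig_h,"-"` with no space after the comma, while the remaining arguments are written `, "-", get_port_transport_proto(...)` with spaces. Since these lines are being rewritten anyway, make the argument separators uniform, e.g. `cat(state$conn$id$orig_h, "-", state$conn$id$resp_h, "-", get_port_transport_proto(state$conn$id$resp_p))`, and the same for the `context$id` variant. The `signature_match` signature itself sits just above the hunk as its header context.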
@@ -31,10 +31,10 @@ function get_indent(level: count): string
 event zeek_init() &priority=5
 {
- Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts", $policy=log_policy]);
+ Log::create_stream(LoadedScripts::LOG, Log::Stream($columns=Info, $path="loaded_scripts", $policy=log_policy));
 }
 event zeek_script_loaded(path: string, level: count)
 {
- Log::write(LoadedScripts::LOG, [$name=cat(get_indent(level), compress_path(path))]);
+ Log::write(LOG, Info($name=cat(get_indent(level), compress_path(path))));
 }
diff --git a/scripts/policy/misc/stats.zeek b/scripts/policy/misc/stats.zeek
index cae9a3b16a..4372e46e34 100644
--- a/scripts/policy/misc/stats.zeek
+++ b/scripts/policy/misc/stats.zeek
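Review bot: The rewritten `zeek_script_loaded` handler drops the module qualifier and writes `Log::write(LOG, Info(...))`, while the `zeek_init` handler directly above it still spells the same stream `LoadedScripts::LOG`. Both spellings resolve only if this file is inside `module LoadedScripts`, which the hunk does not show, and mixing them makes a reader check. Use one form in both handlers, e.g. `Log::write(LoadedScripts::LOG, LoadedScripts::Info($name=cat(get_indent(level), compress_path(path))));`, or drop the prefix in `zeek_init` as well.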
@@ -89,56 +89,56 @@ export {
 global log_stats: event(rec: Info);
 }
-global bytes_received_cf = Telemetry::register_counter_family([
+global bytes_received_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-received-bytes",
 $unit="",
 $help_text="Total number of bytes received",
-]);
+));
-global packets_received_cf = Telemetry::register_counter_family([
+global packets_received_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-received-packets",
 $unit="",
 $help_text="Total number of packets received",
-]);
+));
-global packets_dropped_cf = Telemetry::register_counter_family([
+global packets_dropped_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-dropped-packets",
 $unit="",
 $help_text="Total number of packets dropped",
-]);
+));
-global link_packets_cf = Telemetry::register_counter_family([
+global link_packets_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-link-packets",
 $unit="",
 $help_text="Total number of packets on the packet source link before filtering",
-]);
+));
-global packets_filtered_cf = Telemetry::register_counter_family([
+global packets_filtered_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-filtered-packets",
 $unit="",
 $help_text="Total number of packets filtered",
-]);
+));
-global packet_lag_gf = Telemetry::register_gauge_family([
+global packet_lag_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-packet-lag",
 $unit="seconds",
 $help_text="Difference of network time and wallclock time in seconds.",
-]);
+));
 # Gauge as motivated by:
 # https://www.robustperception.io/are-increasing-timestamps-counters-or-gauges/
-global network_time_cf = Telemetry::register_gauge_family([
+global network_time_cf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
 $prefix="zeek",
 $name="net-timestamp",
 $unit="seconds",
$help_text="The current network time.",
-]);
+));
 global no_labels: vector of string;
@@ -164,7 +164,7 @@ hook Telemetry::sync()
 event zeek_init() &priority=5
 {
- Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats", $policy=log_policy]);
+ Log::create_stream(Stats::LOG, Log::Stream($columns=Info, $ev=log_stats, $path="stats", $policy=log_policy));
 }
 event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats, last_ts: TimerStats, last_fs: FileAnalysisStats, last_ds: DNSStats)
@@ -179,36 +179,35 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 local fs = get_file_analysis_stats();
 local ds = get_dns_stats();
- local info: Info = [$ts=nettime,
- $peer=peer_description,
- $mem=ps$mem/1048576,
- $pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
- $bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd,
+ local info = Info($ts=nettime,
+ $peer=peer_description,
+ $mem=ps$mem/1048576,
+ $pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
+ $bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd,
- $active_tcp_conns=cs$num_tcp_conns,
- $tcp_conns=cs$cumulative_tcp_conns - last_cs$cumulative_tcp_conns,
- $active_udp_conns=cs$num_udp_conns,
- $udp_conns=cs$cumulative_udp_conns - last_cs$cumulative_udp_conns,
- $active_icmp_conns=cs$num_icmp_conns,
- $icmp_conns=cs$cumulative_icmp_conns - last_cs$cumulative_icmp_conns,
+ $active_tcp_conns=cs$num_tcp_conns,
+ $tcp_conns=cs$cumulative_tcp_conns - last_cs$cumulative_tcp_conns,
+ $active_udp_conns=cs$num_udp_conns,
+ $udp_conns=cs$cumulative_udp_conns - last_cs$cumulative_udp_conns,
+ $active_icmp_conns=cs$num_icmp_conns,
+ $icmp_conns=cs$cumulative_icmp_conns - last_cs$cumulative_icmp_conns,
- $reassem_tcp_size=rs$tcp_size,
- $reassem_file_size=rs$file_size,
- $reassem_frag_size=rs$frag_size,
- $reassem_unknown_size=rs$unknown_size,
+ $reassem_tcp_size=rs$tcp_size,
+ $reassem_file_size=rs$file_size,
+ $reassem_frag_size=rs$frag_size,
+ $reassem_unknown_size=rs$unknown_size,
- $events_proc=es$dispatched - last_es$dispatched,
- $events_queued=es$queued - last_es$queued,
+ $events_proc=es$dispatched - last_es$dispatched,
+ $events_queued=es$queued - last_es$queued,
- $timers=ts$cumulative - last_ts$cumulative,
- $active_timers=ts$current,
+ $timers=ts$cumulative - last_ts$cumulative,
+ $active_timers=ts$current,
- $files=fs$cumulative - last_fs$cumulative,
- $active_files=fs$current,
+ $files=fs$cumulative - last_fs$cumulative,
+ $active_files=fs$current,
- $dns_requests=ds$requests - 
last_ds$requests,
- $active_dns_requests=ds$pending
- ];
+ $dns_requests=ds$requests - last_ds$requests,
+ $active_dns_requests=ds$pending);
 # Someone's going to have to explain what this is and add a field to the Info record.
 # info$util = 100.0*((ps$user_time + ps$system_time) - (last_ps$user_time + last_ps$system_time))/(now-then);
diff --git a/scripts/policy/misc/unknown-protocols.zeek b/scripts/policy/misc/unknown-protocols.zeek
index 4d5323f91c..a05a9a7a9f 100644
--- a/scripts/policy/misc/unknown-protocols.zeek
+++ b/scripts/policy/misc/unknown-protocols.zeek
@@ -54,5 +54,5 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
 event zeek_init() &priority=5
 {
- Log::create_stream(LOG, [$columns=Info, $path="unknown_protocols", $policy=log_policy]);
+ Log::create_stream(LOG, Log::Stream($columns=Info, $path="unknown_protocols", $policy=log_policy));
 }
diff --git a/scripts/policy/misc/weird-stats.zeek b/scripts/policy/misc/weird-stats.zeek
index 0dfc638938..28d0aebe39 100644
--- a/scripts/policy/misc/weird-stats.zeek
+++ b/scripts/policy/misc/weird-stats.zeek
@@ -56,14 +56,14 @@ function weird_epoch_finished(ts: time)
 event zeek_init() &priority=5
 {
 Log::create_stream(WeirdStats::LOG,
- [$columns = Info, $ev = log_weird_stats,
- $path="weird_stats", $policy=log_policy]);
+ Log::Stream($columns = Info, $ev = log_weird_stats,
+ $path="weird_stats", $policy=log_policy));
 local r1 = SumStats::Reducer($stream = "weirds.encountered", $apply = set(SumStats::SUM));
- SumStats::create([$name = "weirds.statistics",
- $epoch = weird_stat_interval, $reducers = set(r1),
- $epoch_result = weird_epoch_results,
- $epoch_finished = weird_epoch_finished]);
+ SumStats::create(SumStats::SumStat($name = "weirds.statistics",
+ $epoch = weird_stat_interval, $reducers = set(r1),
+ $epoch_result = weird_epoch_results,
+ $epoch_finished = weird_epoch_finished));
 }
 module SumStats;
diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek
index 14b09d9196..7c7ce881d2 100644
--- a/scripts/policy/protocols/conn/known-hosts.zeek
+++ b/scripts/policy/protocols/conn/known-hosts.zeek
@@ -150,7 +150,7 @@ event Known::host_found(info: HostsInfo)
 event zeek_init() &priority=5
 {
- Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts]);
+ Log::create_stream(Known::HOSTS_LOG, Log::Stream($columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts));
 }
 event connection_established(c: connection) &priority=5
@@ -165,5 +165,5 @@ event connection_established(c: connection) &priority=5
 for ( host in set(id$orig_h, id$resp_h) )
 if ( addr_matches_host(host, host_tracking) )
- event Known::host_found([$ts = network_time(), $host = host]);
+ event Known::host_found(Known::HostsInfo($ts = network_time(), $host = host));
 }
diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek
index e8d6e8b5b3..3cb898fb02 100644
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@@ -238,9 +238,8 @@ event known_service_add(info: ServicesInfo)
 }
 }
- @if ( ! Cluster::is_enabled() ||
- Cluster::local_node_type() == Cluster::PROXY )
- Log::write(Known::SERVICES_LOG, info_to_log);
+ @if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::PROXY )
+ Log::write(Known::SERVICES_LOG, info_to_log);
 @endif
 }
@@ -376,8 +375,8 @@ event connection_state_remove(c: connection) &priority=-5
 event zeek_init() &priority=5
 {
- Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
- $ev=log_known_services,
- $path="known_services",
- $policy=log_policy_services]);
+ Log::create_stream(Known::SERVICES_LOG, Log::Stream($columns=ServicesInfo,
+ $ev=log_known_services,
+ $path="known_services",
+ $policy=log_policy_services));
 }
diff --git a/scripts/policy/protocols/conn/weirds.zeek b/scripts/policy/protocols/conn/weirds.zeek
index ea3d9a19bc..5640ad1083 100644
--- a/scripts/policy/protocols/conn/weirds.zeek
+++ b/scripts/policy/protocols/conn/weirds.zeek
@@ -19,16 +19,16 @@ export {
 event rexmit_inconsistency(c: connection, t1: string, t2: string, tcp_flags: string)
 {
- NOTICE([$note=Retransmission_Inconsistency,
- $conn=c,
- $msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
- id_string(c$id), t1, t2, tcp_flags),
- $identifier=fmt("%s", c$id)]);
+ NOTICE(Notice::Info($note=Retransmission_Inconsistency,
+ $conn=c,
+ $msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
+ id_string(c$id), t1, t2, tcp_flags),
+ $identifier=fmt("%s", c$id)));
 }
 event content_gap(c: connection, is_orig: bool, seq: count, length: count)
 {
- NOTICE([$note=Content_Gap, $conn=c,
- $msg=fmt("%s content gap (%s %d/%d)",
- id_string(c$id), is_orig ? ">" : "<", seq, length)]);
+ NOTICE(Notice::Info($note=Content_Gap, $conn=c,
+ $msg=fmt("%s content gap (%s %d/%d)",
+ id_string(c$id), is_orig ? ">" : "<", seq, length)));
 }
diff --git a/scripts/policy/protocols/dhcp/software.zeek b/scripts/policy/protocols/dhcp/software.zeek
index cd4a68eb68..87b2317eba 100644
--- a/scripts/policy/protocols/dhcp/software.zeek
+++ b/scripts/policy/protocols/dhcp/software.zeek
@@ -30,9 +30,9 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 else
 {
 log_info$server_software = options$vendor_class;
- Software::found(id, [$unparsed_version=options$vendor_class,
- $host=id$resp_h,
- $software_type=DHCP::SERVER]);
+ Software::found(id, Software::Info($unparsed_version=options$vendor_class,
+ $host=id$resp_h,
+ $software_type=DHCP::SERVER));
 }
 }
 }
@@ -42,24 +42,24 @@ event DHCP::log_dhcp(rec: DHCP::Info)
 if ( rec?$assigned_addr && rec?$server_addr && (rec?$client_software || rec?$server_software) )
 {
- local id: conn_id = [$orig_h=rec$assigned_addr,
- $orig_p=rec$client_port,
- $resp_h=rec$server_addr,
- $resp_p=rec$server_port,
- $proto=17]; # DHCP is typically UDP
+ local id = conn_id($orig_h=rec$assigned_addr,
+ $orig_p=rec$client_port,
+ $resp_h=rec$server_addr,
+ $resp_p=rec$server_port,
+ $proto=17); # DHCP is typically UDP
 if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
 {
- Software::found(id, [$unparsed_version=rec$client_software,
- $host=rec$assigned_addr, $host_p=id$orig_p,
- $software_type=DHCP::CLIENT]);
+ Software::found(id, Software::Info($unparsed_version=rec$client_software,
+ $host=rec$assigned_addr, $host_p=id$orig_p,
+ $software_type=DHCP::CLIENT));
 }
 if ( rec?$server_software )
 {
- Software::found(id, [$unparsed_version=rec$server_software,
- $host=rec$server_addr, $host_p=id$resp_p,
- $software_type=DHCP::SERVER]);
+ Software::found(id, Software::Info($unparsed_version=rec$server_software,
+ $host=rec$server_addr, $host_p=id$resp_p,
+ $software_type=DHCP::SERVER));
 }
 }
 }
diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek
index 78ec8829ab..550823fee6 100644
--- a/scripts/policy/protocols/dns/detect-external-names.zeek
+++ b/scripts/policy/protocols/dns/detect-external-names.zeek
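Review bot: The rewritten `conn_id(...)` constructor in `DHCP::log_dhcp` keeps the bare literal `$proto=17`, and the trailing comment only says why the transport is UDP, not that 17 is UDP's IP protocol number, so a reader has to know the IANA table to check the value. Since the line is being rewritten anyway, make the comment carry that fact, e.g. `$proto=17); # 17 = IP protocol number for UDP; DHCP is typically UDP`. The enclosing `if` condition that guards this block begins on the first context line of the hunk, but the event handler itself starts above it.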
@@ -33,10 +33,10 @@ function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a:
 if ( Site::is_local_addr(a) && # referring to a local host
 ! Site::is_local_name(ans$query) ) # name isn't in a local zone.
 {
- NOTICE([$note=External_Name,
- $msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
- $conn=c,
- $identifier=cat(a,ans$query)]);
+ NOTICE(Notice::Info($note=External_Name,
+ $msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
+ $conn=c,
+ $identifier=cat(a,ans$query)));
 }
 }
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.zeek b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
index 4ac7b61efc..1c7760a82c 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek
@@ -27,26 +27,26 @@ export {
 event zeek_init()
 {
- local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
- SumStats::create([$name="ftp-detect-bruteforcing",
- $epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["ftp.failed_auth"]$num+0.0;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
+ local r1 = SumStats::Reducer($stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2));
+ SumStats::create(SumStats::SumStat($name="ftp-detect-bruteforcing",
+ $epoch=bruteforce_measurement_interval,
+ $reducers=set(r1),
+ $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+ {
+ return result["ftp.failed_auth"]$num+0.0;
+ },
+ $threshold=bruteforce_threshold,
+ $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+ {
+ local r = result["ftp.failed_auth"];
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local plural = r$unique>1 ? "s" : "";
+ local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
+ NOTICE(Notice::Info($note=FTP::Bruteforcing,
+ $src=key$host,
+ $msg=message,
+ $identifier=cat(key$host)));
+ }));
 }
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@@ -55,6 +55,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 if ( cmd == "USER" || cmd == "PASS" )
 {
 if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
+ SumStats::observe("ftp.failed_auth", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=cat(c$id$resp_h)));
 }
 }
diff --git a/scripts/policy/protocols/ftp/detect.zeek b/scripts/policy/protocols/ftp/detect.zeek
index 1b3128065a..7751426f4e 100644
--- a/scripts/policy/protocols/ftp/detect.zeek
+++ b/scripts/policy/protocols/ftp/detect.zeek
@@ -22,8 +22,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 c$ftp$cmdarg$cmd == "SITE" &&
 /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
 {
- NOTICE([$note=Site_Exec_Success, $conn=c,
- $msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
- $identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")]);
+ NOTICE(Notice::Info($note=Site_Exec_Success, $conn=c,
+ $msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
+ $identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")));
 }
 }
diff --git a/scripts/policy/protocols/ftp/software.zeek b/scripts/policy/protocols/ftp/software.zeek
index 0ae963d552..e0c5b195fb 100644
--- a/scripts/policy/protocols/ftp/software.zeek
+++ b/scripts/policy/protocols/ftp/software.zeek
@@ -23,6 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
 {
 if ( command == "CLNT" )
 {
- Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
+ Software::found(c$id, Software::Info($unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT));
 }
 }
diff --git a/scripts/policy/protocols/http/detect-sql-injection.zeek b/scripts/policy/protocols/http/detect-sql-injection.zeek
index 0c2e64311f..b4ccf5e1f0 100644
--- a/scripts/policy/protocols/http/detect-sql-injection.zeek
+++ b/scripts/policy/protocols/http/detect-sql-injection.zeek
@@ -72,7 +72,7 @@ event zeek_init() &priority=3 $num_samples=1 ); - SumStats::create([ + SumStats::create(SumStats::SumStat( $name="detect-sqli-attackers", $epoch=sqli_requests_interval, $reducers=set(r1), @@ -86,16 +86,16 @@ event zeek_init() &priority=3 local r = result["http.sqli.attacker"]; local dst = to_addr(r$samples[0]$str); local uid = r$samples[0]$uid; - NOTICE([$note=SQL_Injection_Attacker, - $msg="An SQL injection attacker was discovered!", - $uid=uid, - $src=key$host, - $dst=dst, - $identifier=cat(key$host)]); + NOTICE(Notice::Info($note=SQL_Injection_Attacker, + $msg="An SQL injection attacker was discovered!", + $uid=uid, + $src=key$host, + $dst=dst, + $identifier=cat(key$host))); } - ]); + )); - SumStats::create([ + SumStats::create(SumStats::SumStat( $name="detect-sqli-victims", $epoch=sqli_requests_interval, $reducers=set(r2), @@ -109,14 +109,14 @@ event zeek_init() &priority=3 local r = result["http.sqli.victim"]; local src = to_addr(r$samples[0]$str); local uid = r$samples[0]$uid; - NOTICE([$note=SQL_Injection_Victim, - $msg="An SQL injection victim was discovered!", - $uid=uid, - $src=src, - $dst=key$host, - $identifier=cat(key$host)]); + NOTICE(Notice::Info($note=SQL_Injection_Victim, + $msg="An SQL injection victim was discovered!", + $uid=uid, + $src=src, + $dst=key$host, + $identifier=cat(key$host))); } - ]); + )); } event http_request(c: connection, method: string, original_URI: string, diff --git a/scripts/policy/protocols/http/detect-sqli.zeek b/scripts/policy/protocols/http/detect-sqli.zeek index 10798aefa2..ea6b818713 100644 --- a/scripts/policy/protocols/http/detect-sqli.zeek +++ b/scripts/policy/protocols/http/detect-sqli.zeek 
@@ -87,43 +87,43 @@ event zeek_init() &priority=3 # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when # thresholds are crossed. - local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples]; - SumStats::create([$name="detect-sqli-attackers", - $epoch=sqli_requests_interval, - $reducers=set(r1), - $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { - return result["http.sqli.attacker"]$sum; - }, - $threshold=sqli_requests_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - local r = result["http.sqli.attacker"]; - NOTICE([$note=SQL_Injection_Attacker, - $msg="An SQL injection attacker was discovered!", - $email_body_sections=vector(format_sqli_samples(r$samples)), - $src=key$host, - $identifier=cat(key$host)]); - }]); + local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples); + SumStats::create(SumStats::SumStat($name="detect-sqli-attackers", + $epoch=sqli_requests_interval, + $reducers=set(r1), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + return result["http.sqli.attacker"]$sum; + }, + $threshold=sqli_requests_threshold, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local r = result["http.sqli.attacker"]; + NOTICE(Notice::Info($note=SQL_Injection_Attacker, + $msg="An SQL injection attacker was discovered!", + $email_body_sections=vector(format_sqli_samples(r$samples)), + $src=key$host, + $identifier=cat(key$host))); + })); - local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples]; - SumStats::create([$name="detect-sqli-victims", - $epoch=sqli_requests_interval, - $reducers=set(r2), - $threshold_val(key: SumStats::Key, result: 
SumStats::Result) = - { - return result["http.sqli.victim"]$sum; - }, - $threshold=sqli_requests_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - local r = result["http.sqli.victim"]; - NOTICE([$note=SQL_Injection_Victim, - $msg="An SQL injection victim was discovered!", - $email_body_sections=vector(format_sqli_samples(r$samples)), - $src=key$host, - $identifier=cat(key$host)]); - }]); + local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples); + SumStats::create(SumStats::SumStat($name="detect-sqli-victims", + $epoch=sqli_requests_interval, + $reducers=set(r2), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + return result["http.sqli.victim"]$sum; + }, + $threshold=sqli_requests_threshold, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local r = result["http.sqli.victim"]; + NOTICE(Notice::Info($note=SQL_Injection_Victim, + $msg="An SQL injection victim was discovered!", + $email_body_sections=vector(format_sqli_samples(r$samples)), + $src=key$host, + $identifier=cat(key$host))); + })); } event http_request(c: connection, method: string, original_URI: string, @@ -136,7 +136,7 @@ event http_request(c: connection, method: string, original_URI: string, { add c$http$tags[URI_SQLI]; - SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]); - SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]); + SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI)); + SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI)); } } diff --git a/scripts/policy/protocols/http/detect-webapps.zeek b/scripts/policy/protocols/http/detect-webapps.zeek index 8b405eae9f..a2b58149b9 100644 --- a/scripts/policy/protocols/http/detect-webapps.zeek 
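Review bot: `SumStats::Observation($str=original_URI)` in the @@ -136 hunk records the raw, client-supplied request URI as the sample string, and the `$threshold_crossed` callbacks in the @@ -87 hunk above forward those samples into `$email_body_sections` via `format_sqli_samples(r$samples)`. Nothing visible here bounds the length or strips control characters from the URI, so if `format_sqli_samples` (defined outside these hunks) does not do so, an oversized or crafted URI is reproduced verbatim in the notice e-mail. Either document that contract where `format_sqli_samples` is defined or put `# samples hold client-supplied URIs; format_sqli_samples is expected to sanitize them.` above the `$email_body_sections=` line in both callbacks. The `http_request` handler in the @@ -136 hunk starts before that hunk.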
+++ b/scripts/policy/protocols/http/detect-webapps.zeek @@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori local c = state$conn; local si: Software::Info; - si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION]; + si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION); si$url = build_url_http(c$http); Software::found(c$id, si); } diff --git a/scripts/policy/protocols/http/software-browser-plugins.zeek b/scripts/policy/protocols/http/software-browser-plugins.zeek index 201e32e02f..363ea0c3f4 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.zeek +++ b/scripts/policy/protocols/http/software-browser-plugins.zeek @@ -61,7 +61,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$flash_version = cat("AdobeAIR-", c$http$flash_version); } - Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]); + Software::found(c$id, Software::Info($unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN)); } } @@ -81,7 +81,7 @@ event log_http(rec: Info) local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) - Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]); + Software::found(rec$id, Software::Info($unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN)); } } } diff --git a/scripts/policy/protocols/http/software.zeek b/scripts/policy/protocols/http/software.zeek index 40cf90bbd3..39b5f95e00 100644 --- a/scripts/policy/protocols/http/software.zeek +++ b/scripts/policy/protocols/http/software.zeek 
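Review bot: In the detect-webapps hunk, `local si: Software::Info;` followed by `si = Software::Info(...)` now spells the type twice; with the explicit constructor the declaration can be collapsed to `local si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION);`, matching how this commit rewrites `local r1` in the SumStats scripts. The enclosing `signature_match` handler starts before this hunk, so the declaration line itself is visible only as context.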
@@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { if ( name == "USER-AGENT" && ignored_user_agents !in value ) - Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]); + Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER)); } else { if ( name == "SERVER" ) - Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]); + Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER)); else if ( name == "X-POWERED-BY" ) - Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]); + Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER)); else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" ) { value = cat("SharePoint/", value); - Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]); + Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER)); } } } diff --git a/scripts/policy/protocols/modbus/known-masters-slaves.zeek b/scripts/policy/protocols/modbus/known-masters-slaves.zeek index fdb80a8c5d..fe309e79ae 100644 --- a/scripts/policy/protocols/modbus/known-masters-slaves.zeek +++ b/scripts/policy/protocols/modbus/known-masters-slaves.zeek 
@@ -37,7 +37,7 @@ export { event zeek_init() &priority=5 { - Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus]); + Log::create_stream(Known::MODBUS_LOG, Log::Stream($columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus)); } event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) @@ -48,13 +48,13 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) if ( [master, MODBUS_MASTER] !in modbus_nodes ) { add modbus_nodes[master, MODBUS_MASTER]; - Log::write(MODBUS_LOG, [$ts=network_time(), $host=master, $device_type=MODBUS_MASTER]); + Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=master, $device_type=MODBUS_MASTER)); } if ( [slave, MODBUS_SLAVE] !in modbus_nodes ) { add modbus_nodes[slave, MODBUS_SLAVE]; - Log::write(MODBUS_LOG, [$ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE]); + Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE)); } } diff --git a/scripts/policy/protocols/modbus/track-memmap.zeek b/scripts/policy/protocols/modbus/track-memmap.zeek index b92e90b891..c6a032cc02 100644 --- a/scripts/policy/protocols/modbus/track-memmap.zeek +++ b/scripts/policy/protocols/modbus/track-memmap.zeek @@ -56,7 +56,7 @@ redef record Modbus::Info += { event zeek_init() &priority=5 { - Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change]); + Log::create_stream(Modbus::REGISTER_CHANGE_LOG, Log::Stream($columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change)); } event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count) 
@@ -92,7 +92,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade } else { - local tmp_reg: RegisterValue = [$last_set=network_time(), $value=registers[i]]; + local tmp_reg = RegisterValue($last_set=network_time(), $value=registers[i]); slave_regs[c$modbus$track_address] = tmp_reg; } @@ -102,7 +102,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade event Modbus::changed_register(c: connection, register: count, old_val: count, new_val: count, delta: interval) { - local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, - $register=register, $old_val=old_val, $new_val=new_val, $delta=delta]; + local rec = MemmapInfo($ts=network_time(), $uid=c$uid, $id=c$id, + $register=register, $old_val=old_val, $new_val=new_val, $delta=delta); Log::write(REGISTER_CHANGE_LOG, rec); } diff --git a/scripts/policy/protocols/mysql/software.zeek b/scripts/policy/protocols/mysql/software.zeek index b1cfc3a149..6e684d87c9 100644 --- a/scripts/policy/protocols/mysql/software.zeek +++ b/scripts/policy/protocols/mysql/software.zeek @@ -16,5 +16,5 @@ event mysql_server_version(c: connection, ver: string) if ( ver == "" ) return; - Software::found(c$id, [$unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER]); + Software::found(c$id, Software::Info($unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER)); } diff --git a/scripts/policy/protocols/smb/log-cmds.zeek b/scripts/policy/protocols/smb/log-cmds.zeek index 0d5e4acde3..dd61c57ed0 100644 --- a/scripts/policy/protocols/smb/log-cmds.zeek +++ b/scripts/policy/protocols/smb/log-cmds.zeek 
@@ -29,7 +29,7 @@ const deferred_logging_cmds: set[string] = { event zeek_init() &priority=5 { - Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy]); + Log::create_stream(SMB::CMD_LOG, Log::Stream($columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy)); } event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 diff --git a/scripts/policy/protocols/smtp/blocklists.zeek b/scripts/policy/protocols/smtp/blocklists.zeek index 16292c4390..58e4569f76 100644 --- a/scripts/policy/protocols/smtp/blocklists.zeek +++ b/scripts/policy/protocols/smtp/blocklists.zeek @@ -56,8 +56,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, message = fmt("%s is on an SMTP block list", c$id$orig_h); } - NOTICE([$note=note, $conn=c, $msg=message, $sub=msg, - $identifier=cat(c$id$orig_h)]); + NOTICE(Notice::Info($note=note, $conn=c, $msg=message, $sub=msg, + $identifier=cat(c$id$orig_h))); } } } diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek index 94edd62f27..041ba2b536 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek @@ -29,10 +29,10 @@ event log_smtp(rec: Info) loc$country_code in suspicious_origination_countries) || ip in suspicious_origination_networks ) { - NOTICE([$note=Suspicious_Origination, - $msg=fmt("An email originated from %s (%s).", - loc?$country_code ? loc$country_code : "", ip), - $id=rec$id]); + NOTICE(Notice::Info($note=Suspicious_Origination, + $msg=fmt("An email originated from %s (%s).", + loc?$country_code ? loc$country_code : "", ip), + $id=rec$id)); } } if ( rec?$path ) 
@@ -44,9 +44,9 @@ event log_smtp(rec: Info) loc$country_code in suspicious_origination_countries) || ip in suspicious_origination_networks ) { - NOTICE([$note=Suspicious_Origination, - $msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip), - $id=rec$id]); + NOTICE(Notice::Info($note=Suspicious_Origination, + $msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip), + $id=rec$id)); } } } diff --git a/scripts/policy/protocols/smtp/software.zeek b/scripts/policy/protocols/smtp/software.zeek index 06b4ca6c27..52896d06c5 100644 --- a/scripts/policy/protocols/smtp/software.zeek +++ b/scripts/policy/protocols/smtp/software.zeek @@ -75,7 +75,7 @@ event log_smtp(rec: Info) if ( addr_matches_host(rec$id$orig_h, detect_clients_in_messages_from) ) { - Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]); + Software::found(rec$id, Software::Info($unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type)); } } } diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek index 4368258b98..361302a4eb 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.zeek +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek 
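Review bot: The rewritten `$msg=fmt("Based up Received headers, email originated from %s (%s).", ...)` line carries over a typo in the user-facing notice text; since the line is being touched anyway, `"Based on Received headers, email originated from %s (%s)."` reads correctly. Changing notice text may require refreshing any test baseline that records this message, so it could equally go into a follow-up commit. The `log_smtp` handler begins before this hunk.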
@@ -41,41 +41,42 @@ export { event zeek_init() { - local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5]; - SumStats::create([$name="detect-ssh-bruteforcing", - $epoch=guessing_timeout, - $reducers=set(r1), - $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { - return result["ssh.login.failure"]$sum; - }, - $threshold=password_guesses_limit, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - local r = result["ssh.login.failure"]; - local sub_msg = fmt("Sampled servers: "); - local samples = r$samples; - for ( i in samples ) - { - if ( samples[i]?$str ) - sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str); - } - # Generate the notice. - NOTICE([$note=Password_Guessing, - $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), - $sub=sub_msg, - $src=key$host, - $identifier=cat(key$host)]); - }]); + local r1 = SumStats::Reducer($stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5); + SumStats::create(SumStats::SumStat( + $name="detect-ssh-bruteforcing", + $epoch=guessing_timeout, + $reducers=set(r1), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + return result["ssh.login.failure"]$sum; + }, + $threshold=password_guesses_limit, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local r = result["ssh.login.failure"]; + local sub_msg = fmt("Sampled servers: "); + local samples = r$samples; + for ( i in samples ) + { + if ( samples[i]?$str ) + sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str); + } + # Generate the notice. 
+ NOTICE(Notice::Info($note=Password_Guessing, + $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), + $sub=sub_msg, + $src=key$host, + $identifier=cat(key$host))); + })); } event ssh_auth_successful(c: connection, auth_method_none: bool) { local id = c$id; - Intel::seen([$host=id$orig_h, - $conn=c, - $where=SSH::SUCCESSFUL_LOGIN]); + Intel::seen(Intel::Seen($host=id$orig_h, + $conn=c, + $where=SSH::SUCCESSFUL_LOGIN)); } event ssh_auth_failed(c: connection) @@ -86,5 +87,5 @@ event ssh_auth_failed(c: connection) # be ignored. if ( ! (id$orig_h in ignore_guessers && id$resp_h in ignore_guessers[id$orig_h]) ) - SumStats::observe("ssh.login.failure", [$host=id$orig_h], [$str=cat(id$resp_h)]); + SumStats::observe("ssh.login.failure", SumStats::Key($host=id$orig_h), SumStats::Observation($str=cat(id$resp_h))); } diff --git a/scripts/policy/protocols/ssh/geo-data.zeek b/scripts/policy/protocols/ssh/geo-data.zeek index 5c98f62229..0a3bab4c4e 100644 --- a/scripts/policy/protocols/ssh/geo-data.zeek +++ b/scripts/policy/protocols/ssh/geo-data.zeek @@ -40,11 +40,11 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries ) { - NOTICE([$note=Watched_Country_Login, - $conn=c, - $msg=fmt("SSH login %s watched country: %s", - (c$ssh$direction == OUTBOUND) ? "to" : "from", - c$ssh$remote_location$country_code)]); + NOTICE(Notice::Info($note=Watched_Country_Login, + $conn=c, + $msg=fmt("SSH login %s watched country: %s", + (c$ssh$direction == OUTBOUND) ? "to" : "from", + c$ssh$remote_location$country_code))); } } diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.zeek b/scripts/policy/protocols/ssh/interesting-hostnames.zeek index 2270b049e5..ac0c5a8601 100644 --- a/scripts/policy/protocols/ssh/interesting-hostnames.zeek +++ b/scripts/policy/protocols/ssh/interesting-hostnames.zeek 
@@ -33,11 +33,11 @@ function check_ssh_hostname(id: conn_id, uid: string, host: addr) { if ( interesting_hostnames in hostname ) { - NOTICE([$note=Interesting_Hostname_Login, - $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", - Site::is_local_addr(host) ? "local" : "remote", - host == id$orig_h ? "client" : "server"), - $sub=hostname, $id=id, $uid=uid]); + NOTICE(Notice::Info($note=Interesting_Hostname_Login, + $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", + Site::is_local_addr(host) ? "local" : "remote", + host == id$orig_h ? "client" : "server"), + $sub=hostname, $id=id, $uid=uid)); } } } diff --git a/scripts/policy/protocols/ssh/software.zeek b/scripts/policy/protocols/ssh/software.zeek index 4c44636914..f8674e94d2 100644 --- a/scripts/policy/protocols/ssh/software.zeek +++ b/scripts/policy/protocols/ssh/software.zeek @@ -18,12 +18,12 @@ event ssh_client_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, ""); - Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]); + Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT)); } event ssh_server_version(c: connection, version: string) &priority=4 { # Get rid of the protocol information when passing to the software framework. local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, ""); - Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]); + Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER)); } diff --git a/scripts/policy/protocols/ssl/decryption.zeek b/scripts/policy/protocols/ssl/decryption.zeek index e6e7404b60..7e80c5b22d 100644 
--- a/scripts/policy/protocols/ssl/decryption.zeek +++ b/scripts/policy/protocols/ssl/decryption.zeek @@ -74,7 +74,7 @@ event zeek_init() if ( keylog_file != "" ) { - Input::add_table([$name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F]); + Input::add_table(Input::TableDescription($name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F)); Input::remove(tls_decrypt_stream_name); } } diff --git a/scripts/policy/protocols/ssl/expiring-certs.zeek b/scripts/policy/protocols/ssl/expiring-certs.zeek index a217c03db4..6aee211bfc 100644 --- a/scripts/policy/protocols/ssl/expiring-certs.zeek +++ b/scripts/policy/protocols/ssl/expiring-certs.zeek 
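Review bot: The rewritten `Input::add_table(Input::TableDescription(... $source=keylog_file ...))` line ingests TLS key material with no comment on how sensitive that file is; a short `# keylog_file holds TLS session secrets; keep it readable only by the Zeek process.` above it would help whoever deploys this script. The `Input::remove(tls_decrypt_stream_name)` that immediately follows presumably relies on the initial read completing before removal takes effect; if so, `# One-shot load: the stream is removed right after it is added.` would make that intent explicit rather than looking like a mistake. The enclosing `zeek_init` begins before this hunk.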
@@ -47,23 +47,23 @@ event ssl_established(c: connection) &priority=3 local hash = c$ssl$cert_chain[0]$sha1; if ( cert$not_valid_before > network_time() ) - NOTICE([$note=Certificate_Not_Valid_Yet, - $conn=c, $suppress_for=1day, - $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before), - $identifier=cat(c$id$resp_h, c$id$resp_p, hash), - $fuid=fuid]); + NOTICE(Notice::Info($note=Certificate_Not_Valid_Yet, + $conn=c, $suppress_for=1day, + $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before), + $identifier=cat(c$id$resp_h, c$id$resp_p, hash), + $fuid=fuid)); else if ( cert$not_valid_after < network_time() ) - NOTICE([$note=Certificate_Expired, - $conn=c, $suppress_for=1day, - $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after), - $identifier=cat(c$id$resp_h, c$id$resp_p, hash), - $fuid=fuid]); + NOTICE(Notice::Info($note=Certificate_Expired, + $conn=c, $suppress_for=1day, + $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after), + $identifier=cat(c$id$resp_h, c$id$resp_p, hash), + $fuid=fuid)); else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() ) - NOTICE([$note=Certificate_Expires_Soon, - $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after), - $conn=c, $suppress_for=1day, - $identifier=cat(c$id$resp_h, c$id$resp_p, hash), - $fuid=fuid]); + NOTICE(Notice::Info($note=Certificate_Expires_Soon, + $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after), + $conn=c, $suppress_for=1day, + $identifier=cat(c$id$resp_h, c$id$resp_p, hash), + $fuid=fuid)); } diff --git a/scripts/policy/protocols/ssl/heartbleed.zeek b/scripts/policy/protocols/ssl/heartbleed.zeek index 64278478d8..a9dae6ad75 100644 --- a/scripts/policy/protocols/ssl/heartbleed.zeek +++ b/scripts/policy/protocols/ssl/heartbleed.zeek 
@@ -91,30 +91,30 @@ event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_typ if ( payload_length > checklength ) { c$ssl$heartbleed_detected = T; - NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack, - $msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length), - $conn=c, - $identifier=cat(c$uid, length, payload_length) - ]); + NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack, + $msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length), + $conn=c, + $identifier=cat(c$uid, length, payload_length) + )); } else if ( is_client ) { - NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack, - $msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length), - $conn=c, - $n=length, - $identifier=cat(c$uid, length) - ]); + NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack, + $msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length), + $conn=c, + $n=length, + $identifier=cat(c$uid, length) + )); } } if ( heartbeat_type == 2 && c$ssl$heartbleed_detected ) { - NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success, - $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length), - $conn=c, - $identifier=c$uid - ]); + NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack_Success, + $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length), + $conn=c, + $identifier=c$uid + )); } } 
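Review bot: Two of the rewritten `$msg` strings in this hunk read `"An TLS heartbleed attack ..."`; since the lines are being rewritten anyway, `"A TLS heartbleed attack was detected! Record length %d. Payload length %d"` and `"A TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d"` fix the article. The first notice's `$identifier=cat(c$uid, length, payload_length)` varies with both lengths, so repeated probes with different sizes on one connection each raise a fresh notice rather than being suppressed together; if that per-probe behaviour is intended, `# one notice per distinct (length, payload_length) on this connection` next to the identifier would make it deliberate. Changing message text may require refreshing any test baseline that captures it; the `ssl_heartbeat` handler starts before this hunk.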
@@ -128,43 +128,43 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count) local duration = network_time() - c$start_time; if ( c$ssl$enc_appdata_packages == 0 ) - NOTICE([$note=SSL_Heartbeat_Attack, - $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client), - $conn=c, - $n=length, - $identifier=fmt("%s%s", c$uid, "early") - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Attack, + $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client), + $conn=c, + $n=length, + $identifier=fmt("%s%s", c$uid, "early") + )); else if ( duration < 1min ) - NOTICE([$note=SSL_Heartbeat_Attack, - $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration), - $conn=c, - $n=length, - $identifier=fmt("%s%s", c$uid, "early") - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Attack, + $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration), + $conn=c, + $n=length, + $identifier=fmt("%s%s", c$uid, "early") + )); if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 ) - NOTICE([$note=SSL_Heartbeat_Many_Requests, - $msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), - $conn=c, - $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), - $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests, + $msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. 
Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), + $conn=c, + $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), + $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats + )); if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 ) - NOTICE([$note=SSL_Heartbeat_Many_Requests, - $msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), - $conn=c, - $n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats), - $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests, + $msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), + $conn=c, + $n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats), + $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats + )); if ( is_client && length < 19 ) - NOTICE([$note=SSL_Heartbeat_Odd_Length, - $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration), - $conn=c, - $n=length, - $identifier=fmt("%s-weak-%d", c$uid, length) - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length, + $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration), + $conn=c, + $n=length, + $identifier=fmt("%s-weak-%d", c$uid, length) + )); # Examine request lengths based on used cipher... local min_length_choice: vector of min_length; 
@@ -179,12 +179,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count) { if ( length < min_length_choice[i]$min_length ) { - NOTICE([$note=SSL_Heartbeat_Odd_Length, - $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher), - $conn=c, - $n=length, - $identifier=fmt("%s-weak-%d", c$uid, length) - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length, + $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher), + $conn=c, + $n=length, + $identifier=fmt("%s-weak-%d", c$uid, length) + )); } break; @@ -207,12 +207,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count) { if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length ) { - NOTICE([$note=SSL_Heartbeat_Attack_Success, - $msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f", - c$ssl$last_originator_heartbeat_request_size, length, duration), - $conn=c, - $identifier=c$uid # only throw once per connection - ]); + NOTICE(Notice::Info($note=SSL_Heartbeat_Attack_Success, + $msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f", + c$ssl$last_originator_heartbeat_request_size, length, duration), + $conn=c, + $identifier=c$uid # only throw once per connection + )); } else if ( ! c$ssl?$last_originator_heartbeat_request_size ) 
diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek index d5008da394..167b91ccf9 100644 --- a/scripts/policy/protocols/ssl/known-certs.zeek +++ b/scripts/policy/protocols/ssl/known-certs.zeek @@ -197,5 +197,5 @@ event ssl_established(c: connection) &priority=3 event zeek_init() &priority=5 { - Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs]); + Log::create_stream(Known::CERTS_LOG, Log::Stream($columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs)); } diff --git a/scripts/policy/protocols/ssl/validate-certs.zeek b/scripts/policy/protocols/ssl/validate-certs.zeek index 4d7e9fd459..fd155de482 100644 --- a/scripts/policy/protocols/ssl/validate-certs.zeek +++ b/scripts/policy/protocols/ssl/validate-certs.zeek @@ -177,9 +177,9 @@ hook ssl_finishing(c: connection) &priority=20 if ( result$result_string != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); - NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, - $fuid=c$ssl$cert_chain[0]$fuid, - $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]); + NOTICE(Notice::Info($note=Invalid_Server_Cert, $msg=message, + $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, + $fuid=c$ssl$cert_chain[0]$fuid, + $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code))); } } diff --git a/scripts/policy/protocols/ssl/validate-ocsp.zeek b/scripts/policy/protocols/ssl/validate-ocsp.zeek index 880f4d832a..7b14896b2f 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.zeek +++ b/scripts/policy/protocols/ssl/validate-ocsp.zeek 
@@ -68,8 +68,8 @@ event ssl_established(c: connection) &priority=3
 if( result$result_string != "good" )
 {
 local message = fmt("OCSP response validation failed with (%s)", result$result_string);
- NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
- $sub=c$ssl$subject, $conn=c,
- $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
+ NOTICE(Notice::Info($note=Invalid_Ocsp_Response, $msg=message,
+ $sub=c$ssl$subject, $conn=c,
+ $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)));
 }
 }
diff --git a/scripts/policy/protocols/ssl/weak-keys.zeek b/scripts/policy/protocols/ssl/weak-keys.zeek
index 28e6797753..767683ed2b 100644
--- a/scripts/policy/protocols/ssl/weak-keys.zeek
+++ b/scripts/policy/protocols/ssl/weak-keys.zeek
@@ -68,13 +68,13 @@ event ssl_established(c: connection) &priority=3
 local key_length = cert$key_length;
 if ( key_length < notify_minimal_key_length )
- NOTICE([$note=Weak_Key,
- $msg=fmt("Host uses weak certificate with %d bit key", key_length),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
- $sub=fmt("Subject: %s", cert$subject),
- $file_desc=fmt("Fingerprint: %s", hash)
- ]);
+ NOTICE(Notice::Info($note=Weak_Key,
+ $msg=fmt("Host uses weak certificate with %d bit key", key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
+ $sub=fmt("Subject: %s", cert$subject),
+ $file_desc=fmt("Fingerprint: %s", hash)
+ ));
 }
 # Check for old SSL versions and weak connection keys
@@ -87,19 +87,19 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 {
 local minimum_string = version_strings[tls_minimum_version];
 local host_string = version_strings[version];
- NOTICE([$note=Old_Version,
- $msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p)
- ]);
+ NOTICE(Notice::Info($note=Old_Version,
+ $msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$resp_h, c$id$resp_p)
+ ));
 }
 if ( unsafe_ciphers_regex in c$ssl$cipher )
- NOTICE([$note=Weak_Cipher,
- $msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
- ]);
+ NOTICE(Notice::Info($note=Weak_Cipher,
+ $msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
+ ));
 }
 event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
@@ -110,11 +110,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 local key_length = |p| * 8; # length of the used prime number in bits
 if ( key_length < notify_minimal_key_length )
- NOTICE([$note=Weak_Key,
- $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
- ]);
+ NOTICE(Notice::Info($note=Weak_Key,
+ $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
+ ));
 if ( notify_dh_length_shorter_cert_length && c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
@@ -124,11 +124,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 {
 if ( c$ssl$cert_chain[0]$x509$certificate?$key_length && c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
- NOTICE([$note=Weak_Key,
- $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
- key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p)
- ]);
+ NOTICE(Notice::Info($note=Weak_Key,
+ $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+ key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$resp_h, c$id$resp_p)
+ ));
 }
 }
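Review bot: The Weak_Key notice text carried onto the new side of this hunk, `"DH key length of %d bits is smaller certificate key length of %d bits"`, is missing the word "than", so the message an analyst sees in notice.log reads ungrammatically and is easy to misparse. Since the commit already rewrites this `$msg` line, it is the natural place to fix it: `$msg=fmt("DH key length of %d bits is smaller than certificate key length of %d bits",`. The enclosing ssl_dh_server_params handler begins outside the hunk (its opening is in the previous hunk at line 110 of the file).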