From cb53a930a2ec2a342c3f35738323cb7df42b59b8 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Tue, 20 Sep 2016 02:04:15 +0200
Subject: [PATCH 1/2] Separated file and default info added to matches.

---
 scripts/base/frameworks/intel/files.bro | 17 +----------------
 scripts/base/frameworks/intel/main.bro | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.bro
index b786a6fefb..454f63352c 100644
--- a/scripts/base/frameworks/intel/files.bro
+++ b/scripts/base/frameworks/intel/files.bro
@@ -45,7 +45,7 @@ export {
 }
 # Add file information to matches if available.
-hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
+hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=6
 {
 if ( s?$f )
 {
@@ -66,19 +66,4 @@ hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
 if ( s?$fuid )
 info$fuid = s$fuid;
-
- if ( s?$conn )
- {
- s$uid = s$conn$uid;
- info$id = s$conn$id;
- }
-
- if ( s?$uid )
- info$uid = s$uid;
-
- for ( item in items )
- {
- add info$sources[item$meta$source];
- add info$matched[item$indicator_type];
- }
 }
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 401b48e2d5..1456182fd9 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -369,6 +369,25 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 Log::write(Intel::LOG, info);
 }
+hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
+ {
+ # Add default information to matches.
+ if ( s?$conn )
+ {
+ s$uid = s$conn$uid;
+ info$id = s$conn$id;
+ }
+
+ if ( s?$uid )
+ info$uid = s$uid;
+
+ for ( item in items )
+ {
+ add info$sources[item$meta$source];
+ add info$matched[item$indicator_type];
+ }
+ }
+
 function insert(item: Item)
 {
 # Create and fill out the metadata item.

From 8c024ca094fa6434accc0d21d272bdb744acc917 Mon Sep 17 00:00:00 2001
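Review bot: The priority bump from 5 to 6 on `hook extend_match` is the only change in this hunk, and nothing in files.bro records why this hook must now run ahead of the default one. Presumably the default extend_match added to main.bro at priority 5 relies on fields this hook fills in (it reads s$conn), so the ordering is load-bearing and will be broken by the next person who "normalizes" the priorities. A comment above the declaration such as `# Runs before the default extend_match in main.bro (priority 5), which expects s$conn to be set here when available.` would pin that down. The hook body continues past the end of the hunk.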
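Review bot: The new `extend_match` hook in main.bro assigns `s$uid = s$conn$uid` into the Seen record it receives, so any uid the caller placed in s is overwritten whenever s$conn is present; this is moved code rather than new behavior, but the hook carries no header comment stating that side effect, unlike its files.bro counterpart which documents itself above the declaration. Move `# Add default information to matches.` above the `hook` line and make it say what is written, e.g. `# Add default information (uid, id, sources, matched) to matches; overwrites s$uid from s$conn when a connection is present.` Keeping the two extend_match hooks documented the same way also makes the priority relationship between them easier to see.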
From: Jan Grashoefer
Date: Wed, 21 Sep 2016 00:37:38 +0200
Subject: [PATCH 2/2] Handle removing non-existent intel items.

The intel framework raises a reporter info on removing non-existent intel items. An according test case has been added. Fixes #1679.

---
 scripts/base/frameworks/intel/main.bro | 24 ++++++++++++++
 .../output | 11 +++++++
 .../frameworks/intel/remove-non-existing.bro | 31 +++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
 create mode 100644 testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro

diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 1456182fd9..a9128d62f2 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -455,6 +455,22 @@ function insert(item: Item)
 event Intel::new_item(item);
 }
+# Function to check whether an item is present.
+function item_exists(item: Item): bool
+ {
+ local ds = have_full_data ? data_store : min_data_store;
+
+ switch ( item$indicator_type )
+ {
+ case ADDR:
+ return to_addr(item$indicator) in ds$host_data;
+ case SUBNET:
+ return to_subnet(item$indicator) in ds$subnet_data;
+ default:
+ return [item$indicator, item$indicator_type] in ds$string_data;
+ }
+ }
+
 # Function to remove metadata of an item. The function returns T
 # if there is no metadata left for the given indicator.
 function remove_meta_data(item: Item): bool
@@ -484,6 +500,14 @@ function remove_meta_data(item: Item): bool
 function remove(item: Item, purge_indicator: bool)
 {
+ # Check whether the indicator is present
+ if ( ! item_exists(item) )
+ {
+ Reporter::info(fmt("Tried to remove non-existing item '%s' (%s).",
+ item$indicator, item$indicator_type));
+ return;
+ }
+
 # Delegate removal if we are on a worker
 if ( !have_full_data )
 {
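Review bot: `item_exists` only tests whether the indicator is present in the selected store; it never looks at item$meta, so the header comment `# Function to check whether an item is present.` promises more than the switch delivers. `# Returns T if the item's indicator is present in the local data store; metadata (item$meta) is not considered.` matches the code. The lookup also goes to min_data_store whenever have_full_data is F, so on such a node the answer reflects only what the minimal store holds at that moment; since remove() acts on this result before delegating, that is worth stating in the same comment.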
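Review bot: The new existence check sits before the `!have_full_data` delegation, so on a node without the full store it is decided against min_data_store, and a removal for an indicator that the minimal store does not (yet) contain is dropped locally with an info message and never reaches the node that owns the full store. If the minimal store can lag behind the full one, removals are silently lost there; either move the check below the delegation so the authoritative store answers, or document the assumption with `# Note: on nodes without full data this consults min_data_store only.` The message also reports a non-existing "item" although only the indicator was checked; the baseline under testing/btest/Baseline pins that exact text, so rewording it means regenerating the baseline too. remove's body continues outside the hunk.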
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
new file mode 100644
index 0000000000..7b4e5003c4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path reporter
+#open 2016-09-20-22-35-58
+#fields ts level message location
+#types time enum string string
+0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507
+0.000000 Reporter::INFO received termination signal (empty)
+#close 2016-09-20-22-35-59
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
new file mode 100644
index 0000000000..204300342f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
@@ -0,0 +1,31 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/reporter.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+ {
+ # not existing meta data:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source23"]]);
+ # existing:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ # not existing item:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ terminate();
+ }
+
+event bro_init() &priority=-10
+ {
+ schedule 1sec { do_it() };
+ }
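Review bot: The baseline committed with this test pins the reporter location `/home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507`, an absolute path from the author's checkout plus line numbers that shift with any edit to main.bro, yet `# @TEST-EXEC: btest-diff output` applies no canonifier to strip it. Unless the suite's default diff canonifier already normalizes reporter locations, the test fails on every other machine and after every unrelated change to main.bro; either pass the output through the project's path-removing canonifier or compare only the message column. The `schedule 1sec` combined with `btest-bg-wait -k 5` also makes the run timing-based, which is tolerable here because a single message is expected but deserves a one-line comment saying the delay exists to let the intel file load first.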