From dc0904a7f3e9f48cc45e9eba1e641e51e30d9690 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 15 Aug 2018 10:17:14 -0500 Subject: [PATCH] Convert some redef-able constants to runtime options --- .../base/frameworks/netcontrol/catch-and-release.bro | 2 +- scripts/base/frameworks/notice/main.bro | 6 +++--- scripts/base/protocols/dhcp/main.bro | 2 +- scripts/base/protocols/ftp/main.bro | 6 +++--- scripts/base/protocols/http/main.bro | 4 ++-- scripts/base/protocols/krb/main.bro | 4 ++-- scripts/base/protocols/sip/main.bro | 4 ++-- .../policy/frameworks/dpd/packet-segment-logging.bro | 2 +- scripts/policy/frameworks/files/detect-MHR.bro | 2 +- scripts/policy/frameworks/software/version-changes.bro | 2 +- scripts/policy/misc/capture-loss.bro | 2 +- scripts/policy/misc/dump-events.bro | 2 +- scripts/policy/misc/stats.bro | 2 +- scripts/policy/protocols/http/header-names.bro | 4 ++-- scripts/policy/protocols/smb/main.bro | 10 +++++----- .../policy/protocols/smtp/detect-suspicious-orig.bro | 4 ++-- scripts/policy/protocols/smtp/entities-excerpt.bro | 2 +- scripts/policy/protocols/ssh/geo-data.bro | 2 +- scripts/policy/protocols/ssl/expiring-certs.bro | 4 ++-- scripts/policy/protocols/ssl/weak-keys.bro | 8 ++++---- 20 files changed, 37 insertions(+), 37 deletions(-) diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro index 57f135de10..0b87d0bf85 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -142,7 +142,7 @@ export { ## If true, catch and release warns if packets of an IP address are still seen after it ## should have been blocked. - const catch_release_warn_blocked_ip_encountered = F &redef; + option catch_release_warn_blocked_ip_encountered = F; ## Time intervals for which subsequent drops of the same IP take ## effect. diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index 3d4e354394..21e3d2079c 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -201,14 +201,14 @@ export { ## Address that emails will be from. ## ## Note that this is overridden by the BroControl MailFrom option. - const mail_from = "Big Brother " &redef; + option mail_from = "Big Brother "; ## Reply-to address used in outbound email. - const reply_to = "" &redef; + option reply_to = ""; ## Text string prefixed to the subject of all emails sent out. ## ## Note that this is overridden by the BroControl MailSubjectPrefix ## option. - const mail_subject_prefix = "[Bro]" &redef; + option mail_subject_prefix = "[Bro]"; ## The maximum amount of time a plugin can delay email from being sent. const max_email_delay = 15secs &redef; diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index ae102e6085..3d3bf42118 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro @@ -77,7 +77,7 @@ export { ## The maximum amount of time that a transation ID will be watched ## for to try and tie messages together into a single DHCP ## transaction narrative. - const DHCP::max_txid_watch_time = 30secs &redef; + option DHCP::max_txid_watch_time = 30secs; ## This event is used internally to distribute data around clusters ## since DHCP doesn't follow the normal "connection" model used by diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 8a24a9d92f..b3eaf79370 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -17,13 +17,13 @@ export { redef enum Log::ID += { LOG }; ## List of commands that should have their command/response pairs logged. - const logged_commands = { + option logged_commands = { "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT", "EPSV" - } &redef; + }; ## User IDs that can be considered "anonymous". - const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; + option guest_ids = { "anonymous", "ftp", "ftpuser", "guest" }; ## This record is to hold a parsed FTP reply code. For example, for the ## 201 status code, the digits would be parsed as: x->2, y->0, z->1. diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 51a89a33b9..5b8b608971 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -109,7 +109,7 @@ export { ## A list of HTTP methods. Other methods will generate a weird. Note ## that the HTTP analyzer will only accept methods consisting solely ## of letters ``[A-Za-z]``. - const http_methods: set[string] = { + option http_methods: set[string] = { "GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", # HTTP methods for distributed authoring: @@ -117,7 +117,7 @@ export { "COPY", "MOVE", "LOCK", "UNLOCK", "POLL", "REPORT", "SUBSCRIBE", "BMOVE", "SEARCH" - } &redef; + }; ## Event that can be handled to access the HTTP record as it is sent on ## to the logging framework. diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index 02abced683..e45ce92cd5 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro @@ -48,7 +48,7 @@ export { }; ## The server response error texts which are *not* logged. - const ignored_errors: set[string] = { + option ignored_errors: set[string] = { # This will significantly increase the noisiness of the log. # However, one attack is to iterate over principals, looking # for ones that don't require preauth, and then performn @@ -58,7 +58,7 @@ export { # This is a more specific version of NEEDED_PREAUTH that's used # by Windows AD Kerberos. "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ", - } &redef; + }; ## Event that can be handled to access the KRB record as it is sent on ## to the logging framework. diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro index f4dba22876..c2a78e32af 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.bro @@ -80,9 +80,9 @@ export { ## A list of SIP methods. Other methods will generate a weird. Note ## that the SIP analyzer will only accept methods consisting solely ## of letters ``[A-Za-z]``. - const sip_methods: set[string] = { + option sip_methods: set[string] = { "REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY", "SUBSCRIBE" - } &redef; + }; ## Event that can be handled to access the SIP record as it is sent on ## to the logging framework. diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro index c1d6699352..35a52c3870 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro @@ -16,7 +16,7 @@ export { }; ## Size of the packet segment to display in the DPD log. - const packet_segment_size: int = 255 &redef; + option packet_segment_size: int = 255; } diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro index 6917212356..760c5b3693 100644 --- a/scripts/policy/frameworks/files/detect-MHR.bro +++ b/scripts/policy/frameworks/files/detect-MHR.bro @@ -32,7 +32,7 @@ export { ## A/V engines. Team Cymru returns a percentage to indicate how ## many A/V engines flagged the sample as malicious. This threshold ## allows you to require a minimum detection rate. - const notice_threshold = 10 &redef; + option notice_threshold = 10; } function do_mhr_lookup(hash: string, fi: Notice::FileInfo) diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro index 5494f14bca..215a64d6b7 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.bro @@ -19,7 +19,7 @@ export { ## Some software is more interesting when the version changes and this ## is a set of all software that should raise a notice when a different ## version is seen on a host. - const interesting_version_changes: set[string] = { } &redef; + option interesting_version_changes: set[string] = {}; } event Software::version_change(old: Software::Info, new: Software::Info) diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.bro index 648e3d6717..8bd0a61a05 100644 --- a/scripts/policy/misc/capture-loss.bro +++ b/scripts/policy/misc/capture-loss.bro @@ -44,7 +44,7 @@ export { ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. - const too_much_loss: double = 0.1 &redef; + option too_much_loss: double = 0.1; } event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: count) diff --git a/scripts/policy/misc/dump-events.bro b/scripts/policy/misc/dump-events.bro index a0c36753cb..78772b265b 100644 --- a/scripts/policy/misc/dump-events.bro +++ b/scripts/policy/misc/dump-events.bro @@ -7,7 +7,7 @@ module DumpEvents; export { ## If true, include event arguments in output. - const include_args = T &redef; + option include_args = T; ## Only include events matching the given pattern into output. By default, the ## pattern matches all events. diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro index c307ece849..0bbf5c8aac 100644 --- a/scripts/policy/misc/stats.bro +++ b/scripts/policy/misc/stats.bro @@ -8,7 +8,7 @@ export { redef enum Log::ID += { LOG }; ## How often stats are reported. - const report_interval = 5min &redef; + option report_interval = 5min; type Info: record { ## Timestamp for the measurement. diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.bro index 1b256226dd..9f4e83638c 100644 --- a/scripts/policy/protocols/http/header-names.bro +++ b/scripts/policy/protocols/http/header-names.bro @@ -18,10 +18,10 @@ export { }; ## A boolean value to determine if client header names are to be logged. - const log_client_header_names = T &redef; + option log_client_header_names = T; ## A boolean value to determine if server header names are to be logged. - const log_server_header_names = F &redef; + option log_server_header_names = F; } event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3 diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index 51aab775c0..5b87882882 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -32,19 +32,19 @@ export { }; ## The file actions which are logged. - const logged_file_actions: set[Action] = { + option logged_file_actions: set[Action] = { FILE_OPEN, FILE_RENAME, FILE_DELETE, PRINT_OPEN, PRINT_CLOSE, - } &redef; + }; ## The server response statuses which are *not* logged. - const ignored_command_statuses: set[string] = { + option ignored_command_statuses: set[string] = { "MORE_PROCESSING_REQUIRED", - } &redef; + }; ## This record is for the smb_files.log type FileInfo: record { @@ -159,7 +159,7 @@ export { ## Optionally write out the SMB commands log. This is ## primarily useful for debugging so is disabled by default. - const write_cmd_log = F &redef; + option write_cmd_log = F; ## Everything below here is used internally in the SMB scripts. diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro index 6fe37e02a8..a39ec185a6 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.bro @@ -11,8 +11,8 @@ export { ## Places where it's suspicious for mail to originate from represented ## as all-capital, two character country codes (e.g., US). It requires ## libGeoIP support built in. - const suspicious_origination_countries: set[string] = {} &redef; - const suspicious_origination_networks: set[subnet] = {} &redef; + option suspicious_origination_countries: set[string] = {}; + option suspicious_origination_networks: set[subnet] = {}; } diff --git a/scripts/policy/protocols/smtp/entities-excerpt.bro b/scripts/policy/protocols/smtp/entities-excerpt.bro index 0e596ebdd1..a3c35507ca 100644 --- a/scripts/policy/protocols/smtp/entities-excerpt.bro +++ b/scripts/policy/protocols/smtp/entities-excerpt.bro @@ -14,7 +14,7 @@ export { ## This is the default value for how much of the entity body should be ## included for all MIME entities. The lesser of this value and ## :bro:see:`default_file_bof_buffer_size` will be used. - const default_entity_excerpt_len = 0 &redef; + option default_entity_excerpt_len = 0; } event file_new(f: fa_file) &priority=5 diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro index 7235f24199..c8f73b6ac7 100644 --- a/scripts/policy/protocols/ssh/geo-data.bro +++ b/scripts/policy/protocols/ssh/geo-data.bro @@ -21,7 +21,7 @@ export { ## The set of countries for which you'd like to generate notices upon ## successful login. - const watched_countries: set[string] = {"RO"} &redef; + option watched_countries: set[string] = {"RO"}; } function get_location(c: connection): geo_location diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro index 04ebeb3c5a..1e806942d7 100644 --- a/scripts/policy/protocols/ssl/expiring-certs.bro +++ b/scripts/policy/protocols/ssl/expiring-certs.bro @@ -27,11 +27,11 @@ export { ## notices will be suppressed by the notice framework for 1 day after ## a particular certificate has had a notice generated. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS - const notify_certs_expiration = LOCAL_HOSTS &redef; + option notify_certs_expiration = LOCAL_HOSTS; ## The time before a certificate is going to expire that you would like ## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices. - const notify_when_cert_expiring_in = 30days &redef; + option notify_when_cert_expiring_in = 30days; } event ssl_established(c: connection) &priority=3 diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro index a8859b2e59..afebb035a3 100644 --- a/scripts/policy/protocols/ssl/weak-keys.bro +++ b/scripts/policy/protocols/ssl/weak-keys.bro @@ -21,24 +21,24 @@ export { ## keys/ciphers/protocol_versions. By default, these notices will be suppressed ## by the notice framework for 1 day after a particular host has had a notice ## generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS - const notify_weak_keys = LOCAL_HOSTS &redef; + option notify_weak_keys = LOCAL_HOSTS; ## The minimal key length in bits that is considered to be safe. Any shorter ## (non-EC) key lengths will trigger a notice. - const notify_minimal_key_length = 2048 &redef; + option notify_minimal_key_length = 2048; ## Warn if the DH key length is smaller than the certificate key length. This is ## potentially unsafe because it gives a wrong impression of safety due to the ## certificate key length. However, it is very common and cannot be avoided in some ## settings (e.g. with old jave clients). - const notify_dh_length_shorter_cert_length = T &redef; + option notify_dh_length_shorter_cert_length = T; ## Warn if a server negotiates a SSL session with a protocol version smaller than ## the specified version. By default, the minimal version is TLSv10 because SSLv2 ## and v3 have serious security issued. ## See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00 ## To disable, set to SSLv20 - const tls_minimum_version = TLSv10 &redef; + option tls_minimum_version = TLSv10; ## Warn if a server negotiates an unsafe cipher suite. By default, we only warn when ## encountering old export cipher suites, or RC4 (see RFC7465).