diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 60279f65c9..b87b01d9f7 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -95,7 +95,7 @@ the information associated with a file for which Bro's file analysis framework h generated a hash. The event handler is passed the file itself as ``f``, the type of digest algorithm used as ``kind`` and the hash generated as ``hash``. -On line 3, an ``if`` statement is used to check for the correct type of hash, in this case +On line 34, an ``if`` statement is used to check for the correct type of hash, in this case a SHA1 hash. It also checks for a mime type we've defined as being of interest as defined in the constant ``match_file_types``. The comparison is made against the expression ``f$mime_type``, which uses the ``$`` dereference operator to check the value ``mime_type`` inside the variable ``f``. Once both 
@@ -113,22 +113,22 @@ this event continues and upon receipt of the values returned by the malware was first detected and the detection rate by splitting on an text space and storing the values returned in a local table variable. In line 12, if the table returned by ``split1`` has two entries, indicating a successful split, we store the detection -date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 14 and 15 respectively +date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 18 and 14 respectively using the appropriate conversion functions. From this point on, Bro knows it has seen a file transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest of the script is dedicated to producing a notice. -On line 17, the detection time is processed into a string representation and stored in +On line 19, the detection time is processed into a string representation and stored in ``readable_first_detected``. The script then compares the detection rate against the ``notice_threshold`` that was defined earlier. If the detection rate is high enough, the script -creates a concise description of the notice on line 22, a possible URL to check the sample against +creates a concise description of the notice on line 20, a possible URL to check the sample against ``virustotal.com``'s database, and makes the call to :bro:id:`NOTICE` to hand the relevant information off to the Notice framework. -In approximately 25 lines of code, Bro provides an amazing +In approximately a few dozen lines of code, Bro provides an amazing utility that would be incredibly difficult to implement and deploy -with other products. In truth, claiming that Bro does this in 25 -lines is a misdirection; there is a truly massive number of things +with other products. 
In truth, claiming that Bro does this in such a small +number of lines is a misdirection; there is a truly massive number of things going on behind-the-scenes in Bro, but it is the inclusion of the scripting language that gives analysts access to those underlying layers in a succinct and well defined manner. @@ -657,7 +657,7 @@ using a 20 bit subnet mask. Because this is a script that doesn't use any kind of network analysis, we can handle the event :bro:id:`bro_init` which is always -generated by Bro's core upon startup. On lines six and seven, two +generated by Bro's core upon startup. On lines five and six, two locally scoped vectors are created to hold our lists of subnets and IP addresses respectively. Then, using a set of nested ``for`` loops, we iterate over every subnet and every IP address and use an ``if`` @@ -760,7 +760,7 @@ string against which it will be tested to be on the right. In the sample above, two local variables are declared to hold our sample sentence and regular expression. Our regular expression in this case will return true if the string contains either the word -``quick`` or the word ``fox``. The ``if`` statement on line six uses +``quick`` or the word ``fox``. The ``if`` statement on line eight uses embedded matching and the ``in`` operator to check for the existence of the pattern within the string. If the statement resolves to true, :bro:id:`split` is called to break the string into separate pieces. 
@@ -1001,7 +1001,7 @@ filename for the current call to ``Log::write``. The definition for this function has to take as its parameters a ``Log::ID`` called id, a string called ``path`` and the appropriate record type for the logs called ``rec``. You can see the definition of ``mod5`` used in this example on -line one conforms to that requirement. The function simply returns +line 38 conforms to that requirement. The function simply returns ``factor-mod5`` if the factorial is divisible evenly by 5, otherwise, it returns ``factor-non5``. In the additional ``bro_init`` event handler, we define a locally scoped ``Log::Filter`` and assign it a @@ -1153,7 +1153,7 @@ possible while staying concise. While much of the script relates to the actual detection, the parts specific to the Notice Framework are actually quite interesting in -themselves. On line 18 the script's ``export`` block adds the value +themselves. On line 13 the script's ``export`` block adds the value ``SSH::Interesting_Hostname_Login`` to the enumerable constant ``Notice::Type`` to indicate to the Bro core that a new type of notice is being defined. The script then calls ``NOTICE`` and defines the
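Review bot: in the @@ -95 hunk (and every other hunk in this patch) the fix is a hand-edited line number pointing into a literalinclude'd script, and these will drift again the next time the script changes; consider anchoring the prose to identifiers instead ("the ``if`` statement that checks ``kind == \"sha1\"``") or, if line references are kept, using the directive's ``:emphasize-lines:`` / ``:lines:`` options so the numbers shown to the reader and the numbers in the prose come from one place.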
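Review bot: in the @@ -113 hunk the replacement "on lines 18 and 14 respectively" puts the date store after the rate store while "respectively" pairs them in the order "date ... rate"; please re-check both numbers against the rendered script, and also the two references left untouched in the same paragraph ("In line 12", "on line 20" for the notice description, which now sits between the line-19 time conversion and the threshold comparison). On the wording change, "In approximately a few dozen lines" doubles the hedge; "In a few dozen lines of code" is enough, and the follow-on "in such a small number of lines" could likewise be shortened to "in so few lines".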
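Review bot: the @@ -657 and @@ -760 hunks spell out line numbers ("lines five and six", "line eight") while the @@ -95, @@ -113, @@ -1001 and @@ -1153 hunks use numerals ("line 34", "line 38", "line 13"); since this patch already touches every one of these references, it is a cheap opportunity to make the whole document consistent, and numerals are easier to match against the line numbers printed in the code listings.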