From e34d24df8f832c5d58ea907abe0cb626172ff172 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 21 Apr 2011 14:25:09 -0400
Subject: [PATCH] Moved the packet segment logging into it's own script.
---
 policy/dpd.bro | 71 +--------------------------
 policy/dpd/base.bro | 70 ++++++++++++++++++++++++++
 policy/dpd/packet-segment-logging.bro | 23 +++++++++
 3 files changed, 94 insertions(+), 70 deletions(-)
 create mode 100644 policy/dpd/base.bro
 create mode 100644 policy/dpd/packet-segment-logging.bro
diff --git a/policy/dpd.bro b/policy/dpd.bro
index 4f6559fa96..66f5f0e034 100644
--- a/policy/dpd.bro
+++ b/policy/dpd.bro
@@ -1,70 +1 @@
-##! Activates port-independent protocol detection.
-
-@load functions
-@load signatures
-
-module DPD;
-
-# Add the DPD signatures.
-redef signature_files += "dpd.sig";
-redef enum Log::ID += { DPD };
-
-export {
- type Info: record {
- ts: time &log;
- id: conn_id &log;
- proto: transport_proto &log;
- analyzer: string &log;
- failure_reason: string &log;
- packet_segment: string &log;
- };
-
- ## Size of the packet segment to display in the DPD log.
- const packet_segment_size: int = 255 &redef;
-}
-
-redef record connection += {
- dpd: Info &optional;
-};
-
-event bro_init()
- {
- Log::create_stream(DPD, [$columns=Info]);
-
- for ( a in dpd_config )
- {
- for ( p in dpd_config[a]$ports )
- {
- if ( p !in dpd_analyzer_ports )
- dpd_analyzer_ports[p] = set();
- add dpd_analyzer_ports[p][a];
- }
- }
- }
-
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
- {
- if ( fmt("-%s",analyzer_name(atype)) in c$service )
- delete c$service[fmt("-%s", analyzer_name(atype))];
-
- add c$service[analyzer_name(atype)];
- }
-
-event protocol_violation(c: connection, atype: count, aid: count,
- reason: string) &priority=10
- {
- if ( analyzer_name(atype) in c$service )
- delete c$service[analyzer_name(atype)];
- add c$service[fmt("-%s", analyzer_name(atype))];
-
- # Get the content of the currently analyzed packet and trim it down to a shorter size
- local packet_segment = sub_bytes(get_current_packet()$data, 0, packet_segment_size);
-
- Log::write(DPD, [$ts=network_time(),
- $id=c$id,
- $proto=get_conn_transport_proto(c$id),
- $analyzer=analyzer_name(atype),
- $failure_reason=reason,
- $packet_segment=fmt("%s", packet_segment)]);
- }
-
+@load dpd/base
\ No newline at end of file
diff --git a/policy/dpd/base.bro b/policy/dpd/base.bro
new file mode 100644
index 0000000000..a311041005
--- /dev/null
+++ b/policy/dpd/base.bro
@@ -0,0 +1,70 @@
+##! Activates port-independent protocol detection.
+
+@load functions
+@load signatures
+
+module DPD;
+
+# Add the DPD signatures.
+redef signature_files += "dpd.sig";
+
+redef enum Log::ID += { DPD };
+
+export {
+ type Info: record {
+ ts: time &log;
+ id: conn_id &log;
+ proto: transport_proto &log;
+ analyzer: string &log;
+ failure_reason: string &log;
+ };
+}
+
+redef record connection += {
+ dpd: Info &optional;
+};
+
+event bro_init()
+ {
+ Log::create_stream(DPD, [$columns=Info]);
+
+ for ( a in dpd_config )
+ {
+ for ( p in dpd_config[a]$ports )
+ {
+ if ( p !in dpd_analyzer_ports )
+ dpd_analyzer_ports[p] = set();
+ add dpd_analyzer_ports[p][a];
+ }
+ }
+ }
+
+event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
+ {
+ if ( fmt("-%s",analyzer_name(atype)) in c$service )
+ delete c$service[fmt("-%s", analyzer_name(atype))];
+
+ add c$service[analyzer_name(atype)];
+ }
+
+event protocol_violation(c: connection, atype: count, aid: count,
+ reason: string) &priority=5
+ {
+ if ( analyzer_name(atype) in c$service )
+ delete c$service[analyzer_name(atype)];
+ add c$service[fmt("-%s", analyzer_name(atype))];
+
+ local info: Info;
+ info$ts=network_time();
+ info$id=c$id;
+ info$proto=get_conn_transport_proto(c$id);
+ info$analyzer=analyzer_name(atype);
+ info$failure_reason=reason;
+ c$dpd = info;
+ }
+
+event protocol_violation(c: connection, atype: count, aid: count,
+ reason: string) &priority=-5
+ {
+ Log::write(DPD, c$dpd);
+ }
\ No newline at end of file
diff --git a/policy/dpd/packet-segment-logging.bro b/policy/dpd/packet-segment-logging.bro
new file mode 100644
index 0000000000..c3fc5c5e19
--- /dev/null
+++ b/policy/dpd/packet-segment-logging.bro
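Review bot: The priority=-5 `protocol_violation` handler at the end of base.bro writes `c$dpd` without checking that it is set, even though `dpd` is declared `&optional` on `connection`; any handler in another script that runs between priority 5 and -5 and unsets the field would make this write fail at runtime. A guard `if ( c?$dpd ) Log::write(DPD, c$dpd);` keeps the write safe. The split into a priority=5 populate handler and a priority=-5 write handler is the contract that extension scripts depend on, but nothing in the file states it; a comment above the priority=5 handler such as `# Populate c$dpd here. Scripts that add fields to Info should set them in a protocol_violation handler with priority between 5 and -5; the record is written at priority -5.` would document it.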
@@ -0,0 +1,23 @@
+##! This script enables logging of packet segment data. The amount of
+##! data from the packet logged is set by the packet_segment_size variable.
+##! A caveat to logging packet data is that in some cases, the packet may
+##! not be the packet that actually caused the protocol violation. For this
+##! reason, this script should not be loaded by default in shipped scripts.
+
+module DPD;
+
+export {
+ redef record Info += {
+ packet_segment: string &optional &log;
+ };
+
+ ## Size of the packet segment to display in the DPD log.
+ const packet_segment_size: int = 255 &redef;
+}
+
+
+event protocol_violation(c: connection, atype: count, aid: count,
+ reason: string) &priority=4
+ {
+ c$dpd$packet_segment=fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
+ }
\ No newline at end of file
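Review bot: packet-segment-logging.bro has no `@load dpd/base`, yet its `redef record Info +=` and the `c$dpd$packet_segment` assignment in the priority=4 handler both depend on base.bro having been loaded first; adding `@load dpd/base` after the header comment makes that dependency explicit instead of relying on load order. The priority=4 handler also assumes `c$dpd` was already populated by base.bro's priority=5 handler; if that ordering is the intended contract, a comment saying so (`# Runs after base.bro has set c$dpd at priority 5 and before it is written at priority -5.`) would help, otherwise guard the assignment with `if ( c?$dpd )`. Because the field stores raw payload bytes from `get_current_packet()$data`, the `##!` header's existing caveat should also note that the DPD log then carries application data (potentially credentials or other sensitive content) and needs the same retention and access controls as a packet capture.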