Merge remote-tracking branch 'origin/master' into topic/bernhard/software

Conflicts:
	scripts/base/frameworks/software/main.bro
	scripts/policy/protocols/ftp/software.bro

scripts/policy/protocols/conn/known-hosts.bro

@@ -8,8 +8,10 @@
 module Known;
 
 export {
+	## The known-hosts logging stream identifier.
 	redef enum Log::ID += { HOSTS_LOG };
-	
+
+	## The record type which contains the column fields of the known-hosts log.
 	type HostsInfo: record {
 		## The timestamp at which the host was detected.
 		ts:      time &log;
@@ -19,7 +21,7 @@ export {
 	};
 	
 	## The hosts whose existence should be logged and tracked.
-	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	## See :bro:type:`Host` for possible choices.
 	const host_tracking = LOCAL_HOSTS &redef;
 	
 	## The set of all known addresses to store for preventing duplicate 
@@ -28,7 +30,9 @@ export {
 	## Maintain the list of known hosts for 24 hours so that the existence
 	## of each individual address is logged each day.
 	global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
-	
+
+	## An event that can be handled to access the :bro:type:`Known::HostsInfo`
+	## record as it is sent on to the logging framework.
 	global log_known_hosts: event(rec: HostsInfo);
 }
 

scripts/policy/protocols/conn/known-services.bro

@@ -8,29 +8,41 @@
 module Known;
 
 export {
+	## The known-services logging stream identifier.
 	redef enum Log::ID += { SERVICES_LOG };
-	
+
+	## The record type which contains the column fields of the known-services
+	## log.
 	type ServicesInfo: record {
+		## The time at which the service was detected.
 		ts:             time            &log;
+		## The host address on which the service is running.
 		host:           addr            &log;
+		## The port number on which the service is running.
 		port_num:       port            &log;
+		## The transport-layer protocol which the service uses.
 		port_proto:     transport_proto &log;
+		## A set of protocols that match the service's connection payloads.
 		service:        set[string]     &log;
-		
-		done:           bool &default=F;
 	};
 	
 	## The hosts whose services should be tracked and logged.
+	## See :bro:type:`Host` for possible choices.
 	const service_tracking = LOCAL_HOSTS &redef;
-	
+
+	## Tracks the set of daily-detected services for preventing the logging
+	## of duplicates, but can also be inspected by other scripts for
+	## different purposes.
 	global known_services: set[addr, port] &create_expire=1day &synchronized;
-	
+
+	## Event that can be handled to access the :bro:type:`Known::ServicesInfo`
+	## record as it is sent on to the logging framework.
 	global log_known_services: event(rec: ServicesInfo);
 }
 
 redef record connection += {
-	## This field is to indicate whether or not the processing for detecting 
-	## and logging the service for this connection is complete.
+	# This field is to indicate whether or not the processing for detecting 
+	# and logging the service for this connection is complete.
 	known_services_done: bool &default=F;
 };
 

scripts/policy/protocols/ftp/detect.bro

@@ -7,7 +7,7 @@ module FTP;
 
 export {
 	redef enum Notice::Type += {
-		## This indicates that a successful response to a "SITE EXEC" 
+		## Indicates that a successful response to a "SITE EXEC" 
 		## command/arg pair was seen.
 		Site_Exec_Success,
 	};

scripts/policy/protocols/ftp/software.bro

@@ -12,8 +12,10 @@ module FTP;
 
 export {
 	redef enum Software::Type += {
-		FTP_CLIENT,
-		FTP_SERVER,
+		## Identifier for FTP clients in the software framework.
+		CLIENT,
+		## Not currently implemented.
+		SERVER,
 	};
 }
 
@@ -21,6 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
 	{
 	if ( command == "CLNT" )
 		{
-		Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=FTP_CLIENT]);
+		Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
 		}
 	}

scripts/policy/protocols/http/detect-MHR.bro

@@ -1,15 +1,18 @@
-##! This script takes MD5 sums of files transferred over HTTP and checks them with
-##! Team Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
+##! Detect file downloads over HTTP that have MD5 sums matching files in Team 
+##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
 ##! By default, not all file transfers will have MD5 sums calculated.  Read the
-##! documentation for the :doc:base/protocols/http/file-hash.bro script to see how to 
-##! configure which transfers will have hashes calculated.
+##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
+##! how to configure which transfers will have hashes calculated.
 
 @load base/frameworks/notice
 @load base/protocols/http
 
+module HTTP;
+
 export {
 	redef enum Notice::Type += { 
-		## If the MD5 sum of a file transferred over HTTP 
+		## The MD5 sum of a file transferred over HTTP matched in the
+		## malware hash registry.
 		Malware_Hash_Registry_Match
 	};
 }

scripts/policy/protocols/http/detect-intel.bro

@@ -1,4 +1,4 @@
-##! Intelligence based HTTP detections.
+##! Intelligence based HTTP detections.  Not yet working!
 
 @load base/protocols/http/main
 @load base/protocols/http/utils

scripts/policy/protocols/http/detect-sqli.bro

@@ -12,12 +12,14 @@ export {
 		SQL_Injection_Attacker,
 		## Indicates that a host was seen to have SQL injection attacks against
 		## it.  This is tracked by IP address as opposed to hostname.
-		SQL_Injection_Attack_Against,
+		SQL_Injection_Victim,
 	};
 	
 	redef enum Metrics::ID += {
-		SQL_ATTACKER,
-		SQL_ATTACKS_AGAINST,
+		## Metric to track SQL injection attackers.
+		SQLI_ATTACKER,
+		## Metrics to track SQL injection victims.
+		SQLI_VICTIM,
 	};
 
 	redef enum Tags += {
@@ -30,17 +32,17 @@ export {
 		COOKIE_SQLI,
 	};
 	
-	## This defines the threshold that determines if an SQL injection attack
+	## Defines the threshold that determines if an SQL injection attack
 	## is ongoing based on the number of requests that appear to be SQL 
 	## injection attacks.
 	const sqli_requests_threshold = 50 &redef;
 	
-	## Interval at which to watch for the :bro:id:`sqli_requests_threshold`
-	## variable to be crossed.  At the end of each interval the counter is 
-	## reset.
+	## Interval at which to watch for the
+	## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+	## At the end of each interval the counter is reset.
 	const sqli_requests_interval = 5min &redef;
 
-	## This regular expression is used to match URI based SQL injections
+	## Regular expression is used to match URI based SQL injections.
 	const match_sql_injection_uri = 
 		  /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
 		| /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
@@ -56,14 +58,14 @@ event bro_init() &priority=3
 	# determine when it looks like an actual attack and how to respond when
 	# thresholds are crossed.
 	
-	Metrics::add_filter(SQL_ATTACKER, [$log=F,
+	Metrics::add_filter(SQLI_ATTACKER, [$log=F,
 	                                   $notice_threshold=sqli_requests_threshold,
 	                                   $break_interval=sqli_requests_interval,
 	                                   $note=SQL_Injection_Attacker]);
-	Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F, 
-	                                          $notice_threshold=sqli_requests_threshold,
-	                                          $break_interval=sqli_requests_interval, 
-	                                          $note=SQL_Injection_Attack_Against]);
+	Metrics::add_filter(SQLI_VICTIM, [$log=F,
+	                                 $notice_threshold=sqli_requests_threshold,
+	                                 $break_interval=sqli_requests_interval,
+	                                 $note=SQL_Injection_Victim]);
 	}
 
 event http_request(c: connection, method: string, original_URI: string,
@@ -73,7 +75,7 @@ event http_request(c: connection, method: string, original_URI: string,
 		{
 		add c$http$tags[URI_SQLI];
 		
-		Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
-		Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
+		Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
+		Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
 		}
 	}

scripts/policy/protocols/http/detect-webapps.bro

@@ -1,3 +1,5 @@
+##! Detect and log web applications through the software framework.
+
 @load base/frameworks/signatures
 @load base/frameworks/software
 @load base/protocols/http
@@ -10,10 +12,12 @@ redef Signatures::ignored_ids += /^webapp-/;
 
 export {
 	redef enum Software::Type += {
+		## Identifier for web applications in the software framework.
 		WEB_APPLICATION,
 	};
 
 	redef record Software::Info += {
+		## Most root URL where the software was discovered.
 		url:   string &optional &log;
 	};
 }

scripts/policy/protocols/http/software-browser-plugins.bro

@@ -1,5 +1,5 @@
-##! This script take advantage of a few ways that installed plugin information
-##! leaks from web browsers.
+##! Detect browser plugins as they leak through requests to Omniture 
+##! advertising servers.
 
 @load base/protocols/http
 @load base/frameworks/software
@@ -13,6 +13,7 @@ export {
 	};
 	
 	redef enum Software::Type += {
+		## Identifier for browser plugins in the software framework.
 		BROWSER_PLUGIN
 	};
 }

scripts/policy/protocols/http/software.bro

@@ -6,8 +6,11 @@ module HTTP;
 
 export {
 	redef enum Software::Type += {
+		## Identifier for web servers in the software framework.
 		SERVER,
+		## Identifier for app servers in the software framework.
 		APPSERVER,
+		## Identifier for web browsers in the software framework.
 		BROWSER,
 	};
 

scripts/policy/protocols/http/var-extraction-cookies.bro

@@ -1,4 +1,4 @@
-##! This script extracts and logs variables from cookies sent by clients
+##! Extracts and logs variables names from cookies sent by clients.
 
 @load base/protocols/http/main
 @load base/protocols/http/utils
@@ -6,6 +6,7 @@
 module HTTP;
 
 redef record Info += {
+	## Variable names extracted from all cookies.
 	cookie_vars: vector of string &optional &log;
 };
 

scripts/policy/protocols/http/var-extraction-uri.bro

@@ -1,10 +1,12 @@
-##! This script extracts and logs variables from the requested URI
+##! Extracts and log variables from the requested URI in the default HTTP 
+##! logging stream.
 
 @load base/protocols/http
 
 module HTTP;
 
 redef record Info += {
+	## Variable names from the URI.
 	uri_vars:    vector of string &optional &log;
 };
 

scripts/policy/protocols/ssh/detect-bruteforcing.bro

@@ -1,3 +1,5 @@
+##! Detect hosts which are doing password guessing attacks and/or password
+##! bruteforcing over SSH.
 
 @load base/protocols/ssh
 @load base/frameworks/metrics
@@ -9,17 +11,17 @@ module SSH;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a host has been identified as crossing the 
-		## :bro:id:`password_guesses_limit` threshold with heuristically
+		## :bro:id:`SSH::password_guesses_limit` threshold with heuristically
 		## determined failed logins.
 		Password_Guessing,
 		## Indicates that a host previously identified as a "password guesser"
-		## has now had a heuristically successful login attempt.
+		## has now had a heuristically successful login attempt.  This is not
+		## currently implemented.
 		Login_By_Password_Guesser,
 	};
 	
 	redef enum Metrics::ID  += {
-		## This metric is to measure failed logins with the hope of detecting
-		## bruteforcing hosts.
+		## Metric is to measure failed logins.
 		FAILED_LOGIN,
 	};
 
@@ -37,7 +39,7 @@ export {
 	## client subnets and the yield value represents server subnets.
 	const ignore_guessers: table[subnet] of subnet &redef;
 
-	## Keeps track of hosts identified as guessing passwords.
+	## Tracks hosts identified as guessing passwords.
 	global password_guessers: set[addr] 
 		&read_expire=guessing_timeout+1hr &synchronized &redef;
 }

scripts/policy/protocols/ssh/geo-data.bro

@@ -1,5 +1,4 @@
-##! This implements all of the additional information and geodata detections 
-##! for SSH analysis.
+##! Geodata based detections for SSH analysis.
 
 @load base/frameworks/notice
 @load base/protocols/ssh
@@ -19,8 +18,8 @@ export {
 		remote_location: geo_location &log &optional;
 	};
 	
-	## The set of countries for which you'd like to throw notices upon 
-	## successful login
+	## The set of countries for which you'd like to generate notices upon 
+	## successful login.
 	const watched_countries: set[string] = {"RO"} &redef;
 }
 

scripts/policy/protocols/ssh/interesting-hostnames.bro

@@ -10,9 +10,9 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## Generated if a login originates or responds with a host and the 
+		## Generated if a login originates or responds with a host where the 
 		## reverse hostname lookup resolves to a name matched by the 
-		## :bro:id:`interesting_hostnames` regular expression.
+		## :bro:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};
 	
@@ -36,7 +36,9 @@ event SSH::heuristic_successful_login(c: connection)
 			if ( interesting_hostnames in hostname )
 				{
 				NOTICE([$note=Interesting_Hostname_Login,
-				        $msg=fmt("Interesting login from hostname: %s", hostname),
+				        $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+				                 Site::is_local_addr(host) ? "local" : "remote",
+				                 host == c$id$orig_h ? "client" : "server"),
 				        $sub=hostname, $conn=c]);
 				}
 			}

scripts/policy/protocols/ssh/software.bro

@@ -1,4 +1,4 @@
-##! This script extracts SSH client and server information from SSH 
+##! Extracts SSH client and server information from SSH 
 ##! connections and forwards it to the software framework.
 
 @load base/frameworks/software
@@ -7,7 +7,9 @@ module SSH;
 
 export {
 	redef enum Software::Type += {
+		## Identifier for SSH clients in the software framework.
 		SERVER,
+		## Identifier for SSH servers in the software framework.
 		CLIENT,
 	};
 }

scripts/policy/protocols/ssl/cert-hash.bro

@@ -1,4 +1,4 @@
-##! This script calculates MD5 sums for server DER formatted certificates.
+##! Calculate MD5 sums for server DER formatted certificates.
 
 @load base/protocols/ssl
 
@@ -6,15 +6,16 @@ module SSL;
 
 export {
 	redef record Info += {
+		## MD5 sum of the raw server certificate.
 		cert_hash: string &log &optional;
 	};
 }
 
-event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=4
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
 	{
 	# We aren't tracking client certificates yet and we are also only tracking
 	# the primary cert.  Watch that this came from an SSL analyzed session too.
-	if ( ! is_server || chain_idx != 0 || ! c?$ssl ) 
+	if ( is_orig || chain_idx != 0 || ! c?$ssl ) 
 		return;
 
 	c$ssl$cert_hash = md5_hash(der_cert);

scripts/policy/protocols/ssl/expiring-certs.bro

@@ -1,6 +1,6 @@
-##! This script can be used to generate notices when X.509 certificates over
-##! SSL/TLS are expired or going to expire based on the date and time values
-##! stored within the certificate.
+##! Generate notices when X.509 certificates over SSL/TLS are expired or 
+##! going to expire soon based on the date and time values stored within the
+##! certificate.
 
 @load base/protocols/ssl
 @load base/frameworks/notice
@@ -24,19 +24,21 @@ export {
 	
 	## The category of hosts you would like to be notified about which have 
 	## certificates that are going to be expiring soon.  By default, these 
-	## notices will be suppressed by the notice framework for 1 day.
+	## notices will be suppressed by the notice framework for 1 day after 
+	## a particular certificate has had a notice generated.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
 	const notify_certs_expiration = LOCAL_HOSTS &redef;
 	
 	## The time before a certificate is going to expire that you would like to
-	## start receiving :bro:enum:`Certificate_Expires_Soon` notices.
+	## start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
 	const notify_when_cert_expiring_in = 30days &redef;
 }
 
-event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 	{
 	# If this isn't the host cert or we aren't interested in the server, just return.
-	if ( chain_idx != 0 ||
+	if ( is_orig || 
+		 chain_idx != 0 ||
 		 ! c$ssl?$cert_hash || 
 		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;

scripts/policy/protocols/ssl/extract-certs-pem.bro

@@ -2,7 +2,7 @@
 ##! after being converted to PEM files.  The certificates will be stored in
 ##! a single file, one for local certificates and one for remote certificates.
 ##!
-##! A couple of things to think about with this script::
+##! ..note::
 ##!
 ##!     - It doesn't work well on a cluster because each worker will write its 
 ##!       own certificate files and no duplicate checking is done across
@@ -20,15 +20,15 @@
 module SSL;
 
 export {
-	## Setting to control if host certificates offered by the defined hosts 
+	## Control if host certificates offered by the defined hosts 
 	## will be written to the PEM certificates file.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
 	const extract_certs_pem = LOCAL_HOSTS &redef;
 }
 
-## This is an internally maintained variable to prevent relogging of
-## certificates that have already been seen.  It is indexed on an md5 sum of
-## the certificate.
+# This is an internally maintained variable to prevent relogging of
+# certificates that have already been seen.  It is indexed on an md5 sum of
+# the certificate.
 global extracted_certs: set[string] = set() &read_expire=1hr &redef;
 
 event ssl_established(c: connection) &priority=5

scripts/policy/protocols/ssl/known-certs.bro

@@ -1,5 +1,4 @@
-##! This script can be used to log information about certificates while 
-##! attempting to avoid duplicate logging.
+##! Log information about certificates while attempting to avoid duplicate logging.
 
 @load base/utils/directions-and-hosts
 @load base/protocols/ssl
@@ -36,6 +35,8 @@ export {
 	## in the set is for storing the DER formatted certificate's MD5 hash.
 	global certs: set[addr, string] &create_expire=1day &synchronized &redef;
 	
+	## Event that can be handled to access the loggable record as it is sent 
+	## on to the logging framework.
 	global log_known_certs: event(rec: CertsInfo);
 }
 
@@ -44,10 +45,10 @@ event bro_init() &priority=5
 	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
 	}
 
-event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 	{
 	# Make sure this is the server cert and we have a hash for it.
-	if ( chain_idx != 0 || ! c$ssl?$cert_hash ) 
+	if ( is_orig || chain_idx != 0 || ! c$ssl?$cert_hash ) 
 		return;
 	
 	local host = c$id$resp_h;

scripts/policy/protocols/ssl/validate-certs.bro

@@ -14,8 +14,7 @@ export {
 	};
 	
 	redef record Info += {
-		## This stores and logs the result of certificate validation for 
-		## this connection.
+		## Result of certificate validation for this connection.
 		validation_status: string &log &optional;
 	};