From eb6313adcb61759ca9887c20ff701437a9bc5abe Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 26 Oct 2011 13:42:42 -0700
Subject: [PATCH] Now actually pretty-printing the notices. Output is similar to Bro 1.x.

---
 scripts/base/frameworks/notice/__load__.bro | 4 +-
 .../frameworks/notice/actions/pp-alarms.bro | 95 +++++++++++++++++--
 2 files changed, 89 insertions(+), 10 deletions(-)

diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro
index 36c608ef43..4548e98dc2 100644
--- a/scripts/base/frameworks/notice/__load__.bro
+++ b/scripts/base/frameworks/notice/__load__.bro
@@ -7,7 +7,6 @@
 @load ./actions/email_admin
 @load ./actions/page
 @load ./actions/add-geodata
-@load ./actions/pp-alarms
 
 # There shouldn't be any default overhead from loading these since they
 # *should* only do anything when notices have the ACTION_EMAIL action applied.
@@ -19,3 +18,6 @@
 @if ( Cluster::is_enabled() )
 @load ./cluster
 @endif
+
+# Load here so that it can check whether clustering is enabled.
+@load ./actions/pp-alarms
diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro
index c6863b0c1c..e60b41eb86 100644
--- a/scripts/base/frameworks/notice/actions/pp-alarms.bro
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro
@@ -12,6 +12,12 @@ export {
 ## :bro:id:`Notice::mail_dest`.
 const mail_dest_pretty_printed = "" &redef;
 
+ ## If an address from one of these networks is involved in alarm, we mark
+ ## the entry with a quote symbol (i.e., ">"). Many mailers highlight such
+ ## lines in some way.
+ global flag_nets: set[subnet] &redef;
+
+ ## Function that renders a single alarm. Can be overidden.
 global pretty_print_alarm: function(out: file, n: Info) &redef;
 }
 
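Review bot: The new doc comment on `pretty_print_alarm` in the pp-alarms.bro export hunk misspells "overridden"; it should read `## Function that renders a single alarm. Can be overridden.`. The `flag_nets` comment would also read better as "involved in an alarm", and it would help site operators if it stated the default: with no initializer the set appears to start empty, so nothing is flagged until a site redefs it — something like `## Empty by default; redef to add the networks to flag.` (the empty default is inferred from the missing initializer, worth confirming).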
@@ -24,6 +30,7 @@ global pp_alarms_open: bool = F;
 # Returns True if pretty-printed alarm summaries are activated.
 function want_pp() : bool
 {
+ return T;
 return (pretty_print_alarms && ! reading_traces()
 && (mail_dest != "" || mail_dest_pretty_printed != ""));
 }
@@ -53,8 +60,8 @@ function pp_send()
 write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n");
 close(pp_alarms);
 
- system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s",
- pp_alarms_name, sendmail, pp_alarms_name));
+ #system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s",
+ # pp_alarms_name, sendmail, pp_alarms_name));
 
 pp_alarms_open = F;
 }
@@ -84,8 +91,8 @@ event notice(n: Notice::Info) &priority=-5
 {
 if ( ! want_pp() )
 return;
-
- if ( ACTION_ALARM !in n$actions )
+
+ if ( ACTION_LOG !in n$actions )
 return;
 
 if ( ! pp_alarms_open )
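Review bot: `return T;` at the top of want_pp() makes the original condition unreachable, so pretty-printing now runs even when `pretty_print_alarms` is off, while reading traces, and with no mail destination configured; this looks like a debugging leftover and should be dropped before merge. The same concern applies to pp_send() in the next hunk, where the `system(...)` call is commented out: the summary file named by pp_alarms_name is now neither mailed nor removed (the `/bin/rm` was part of the disabled command), so every pp_send leaves a file behind on disk. If mail delivery is meant to stay off for now, gate it on a redef'able boolean rather than commented-out code, and keep the removal of the temporary file either way. The switch from ACTION_ALARM to ACTION_LOG in the third hunk broadens which notices get summarized; that may be intended, but the commit message does not mention it.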
@@ -94,12 +101,82 @@ event notice(n: Notice::Info) &priority=-5
 pretty_print_alarm(pp_alarms, n);
 }
 
+function do_msg(out: file, n: Info, line1: string, line2: string, line3: string, host: addr, name: string)
+ {
+ if ( host != 0.0.0.0 )
+ {
+ local country = "";
+ if ( n?$remote_location && n$remote_location?$country_code )
+ country = fmt(" (%s)", n$remote_location$country_code);
+
+ name = fmt(" %s = %s%s", host, name, country);
+ }
+
+
+ line1 = cat(line1, name);
+
+ print out, line1;
+ print out, line2;
+ if ( line3 != "" )
+ print out, line3;
+ }
+
 # Default pretty-printer.
 function pretty_print_alarm(out: file, n: Info)
 {
- print out, n;
+ local pdescr = "";
+
+@if ( Cluster::is_enabled() )
+ pdescr = "local";
+
+ if ( n?$src_peer )
+ pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host);
+
+ pdescr = fmt("<%s> ", pdescr);
+@endif
+
+ local msg = fmt( "%s%s%s", pdescr, n$msg, n?$sub ? cat(" ", n$sub) : "");
+
+ local orig = 0.0.0.0;
+ local resp = 0.0.0.0;
+ local host = 0.0.0.0;
+
+ if ( n?$src )
+ orig = host = n$src;
+
+ if ( n?$id )
+ {
+ orig = n$id$orig_h;
+ resp = n$id$resp_h;
+ }
+
+ if ( host == 0.0.0.0 )
+ host = orig;
+
+ local flag = (orig in flag_nets || resp in flag_nets);
+
+ local location = "";
+
+ if ( host != 0.0.0.0 )
+ location = Site::is_local_addr(host) ? "(L)" : "(R)";
+
+ local line1 = fmt(">%s %D %s %s", (flag ? ">" : " "), network_time(), n$note, location);
+ local line2 = fmt(" %s", msg);
+ local line3 = ""; # Could use later.
+
+ if ( host == 0.0.0.0 )
+ {
+ do_msg(out, n, line1, line2, line3, 0.0.0.0, "");
+ return;
+ }
+
+ when ( local name = lookup_addr(host) )
+ {
+ do_msg(out, n, line1, line2, line3, host, name);
+ }
+ timeout 5secs
+ {
+ do_msg(out, n, line1, line2, line3, host, "(dns timeout)");
+ }
 }
-
-
-
-
+
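Review bot: do_msg() prints `name` straight into the report, and in pretty_print_alarm() that value comes from `lookup_addr(host)`, i.e. a reverse-DNS answer that whoever controls the PTR zone for the remote address can set; `n$msg` and `n$sub` are likewise built from observed traffic. A newline or control characters in any of them would add forged lines to the summary, so escape them before printing, e.g. `name = fmt(" %s = %s%s", host, escape_string(name), country);` in do_msg and the same treatment for `msg`. The `when` bodies run asynchronously after pretty_print_alarm() returns, so alarms reach the file in DNS-resolution order rather than notice order, and if pp_send() (outside this hunk) closes `out` before the lookup completes or the 5-second timeout fires, the late do_msg() writes go to a closed file — worth confirming against whatever triggers pp_send. The `line3` parameter is always `""` and is only explained by `# Could use later.`; dropping it until it is needed would simplify both functions.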