From 2f2fad1f801b83409561b18fb3cea576d833bcef Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 26 Oct 2011 10:18:05 -0700 Subject: [PATCH 1/5] Adding a dummy log writer WRITER_NONE that just discards everything. This can be handy when oen doesn't want any output but still get access to filter functionality, including rotation; and also for general testing. --- src/CMakeLists.txt | 1 + src/LogMgr.cc | 2 ++ src/LogWriterNone.cc | 16 ++++++++++++++++ src/LogWriterNone.h | 30 ++++++++++++++++++++++++++++++ src/types.bif | 1 + 5 files changed, 50 insertions(+) create mode 100644 src/LogWriterNone.cc create mode 100644 src/LogWriterNone.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 9c785bddc8..b4779e1557 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -335,6 +335,7 @@ set(bro_SRCS LogMgr.cc LogWriter.cc LogWriterAscii.cc + LogWriterNone.cc Login.cc MIME.cc NCP.cc diff --git a/src/LogMgr.cc b/src/LogMgr.cc index 4fde5d3189..9e320f8810 100644 --- a/src/LogMgr.cc +++ b/src/LogMgr.cc @@ -9,6 +9,7 @@ #include "Net.h" #include "LogWriterAscii.h" +#include "LogWriterNone.h" // Structure describing a log writer type. struct LogWriterDefinition { @@ -20,6 +21,7 @@ struct LogWriterDefinition { // Static table defining all availabel log writers. LogWriterDefinition log_writers[] = { + { BifEnum::Log::WRITER_NONE, "None", 0, LogWriterNone::Instantiate }, { BifEnum::Log::WRITER_ASCII, "Ascii", 0, LogWriterAscii::Instantiate }, // End marker, don't touch. diff --git a/src/LogWriterNone.cc b/src/LogWriterNone.cc new file mode 100644 index 0000000000..592772afdb --- /dev/null +++ b/src/LogWriterNone.cc @@ -0,0 +1,16 @@ + +#include "LogWriterNone.h" + +bool LogWriterNone::DoRotate(string rotated_path, double open, + double close, bool terminating) + { + if ( ! FinishedRotation(string("/dev/null"), Path(), open, close, terminating)) + { + Error(Fmt("error rotating %s", Path().c_str())); + return false; + } + + return true; + } + + 
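Review bot: `LogWriterNone::DoRotate` ignores its `rotated_path` argument and reports the literal `/dev/null` to `FinishedRotation` as the rotated file, so whatever postprocessor is attached to the filter is handed a device node rather than a file this writer produced. A postprocessor that renames, compresses or removes the path it receives (I would expect the default one in LogMgr to do something of that kind; worth confirming) would then act on `/dev/null`. If the intent is that WRITER_NONE never yields a file, say so where the call is made, e.g. `// No file is ever written; /dev/null is reported so a postprocessor can open it, but it must not be moved or removed.`, or pass `rotated_path` through unchanged so the contract matches the other writers.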
diff --git a/src/LogWriterNone.h b/src/LogWriterNone.h new file mode 100644 index 0000000000..3811a19469 --- /dev/null +++ b/src/LogWriterNone.h @@ -0,0 +1,30 @@ +// See the file "COPYING" in the main distribution directory for copyright. +// +// Dummy log writer that just discards everything (but still pretends to rotate). + +#ifndef LOGWRITERNONE_H +#define LOGWRITERNONE_H + +#include "LogWriter.h" + +class LogWriterNone : public LogWriter { +public: + LogWriterNone() {} + ~LogWriterNone() {}; + + static LogWriter* Instantiate() { return new LogWriterNone; } + +protected: + virtual bool DoInit(string path, int num_fields, + const LogField* const * fields) { return true; } + + virtual bool DoWrite(int num_fields, const LogField* const * fields, + LogVal** vals) { return true; } + virtual bool DoSetBuf(bool enabled) { return true; } + virtual bool DoRotate(string rotated_path, double open, double close, + bool terminating); + virtual bool DoFlush() { return true; } + virtual void DoFinish() {} +}; + +#endif diff --git a/src/types.bif b/src/types.bif index 8bc5ab8510..da6bd6e031 100644 --- a/src/types.bif +++ b/src/types.bif @@ -159,6 +159,7 @@ module Log; enum Writer %{ WRITER_DEFAULT, + WRITER_NONE, WRITER_ASCII, %} From 73d5643302c232f32c3b3253a7d12be8a959ae33 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 26 Oct 2011 10:19:10 -0700 Subject: [PATCH 2/5] A new notice script that pretty-prints alarms in the summary email. It works already, but the actual pretty-printing is still missing. --- scripts/base/frameworks/notice/__load__.bro | 1 + .../frameworks/notice/actions/pp-alarms.bro | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 scripts/base/frameworks/notice/actions/pp-alarms.bro diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro index 08a99c5a5b..36c608ef43 100644 --- a/scripts/base/frameworks/notice/__load__.bro +++ b/scripts/base/frameworks/notice/__load__.bro 
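Review bot: `~LogWriterNone() {};` carries a stray semicolon after the empty body, and the destructor is not marked `virtual` here; that is only correct if `LogWriter` declares its destructor virtual, which this hunk does not show, so `virtual ~LogWriterNone() {}` would make the intent explicit either way. The inline no-op overrides name parameters they never read (`path`, `num_fields`, `fields`, `vals`, `enabled`), which trips `-Wunused-parameter` builds; leaving them unnamed avoids the noise. The file comment says the writer "still pretends to rotate" but not how; a line such as `// DoRotate never creates a file; it reports "/dev/null" as the rotated path to FinishedRotation.` tells users of WRITER_NONE what their rotation postprocessor will see.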
@@ -7,6 +7,7 @@ @load ./actions/email_admin @load ./actions/page @load ./actions/add-geodata +@load ./actions/pp-alarms # There shouldn't be any default overhead from loading these since they # *should* only do anything when notices have the ACTION_EMAIL action applied. diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro new file mode 100644 index 0000000000..074c375253 --- /dev/null +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro 
@@ -0,0 +1,96 @@ +#! Notice extension that mails out a pretty-printed version of alarm.log +#! in regular intervals, formatted for better human readability. If activated, +#! that replaces the default summary mail having the raw log output. + +module Notice; + +export { + ## Activate pretty-printed alarm summaries. + const pretty_print_alarms = T &redef; + + ## Function that renders a single alarm. Can be overidden. + global pretty_print_alarm: function(out: file, n: Info) &redef; +} + +# We maintain an old-style file recording the pretty-printed alarms. +const pp_alarms_name = "alarm-mail.txt"; +global pp_alarms: file; +global pp_alarms_open: bool = F; + +# Returns True if pretty-printed alarm summaries are activated. +function want_pp() : bool + { + # return (pretty_print_alarms && ! reading_traces() && mail_dest != ""); + print (pretty_print_alarms && mail_dest != ""); + return (pretty_print_alarms && mail_dest != ""); + } + +# Opens and intializes the output file. +function pp_open() + { + if ( pp_alarms_open ) + return; + + pp_alarms_open = T; + pp_alarms = open(pp_alarms_name); + + local headers = email_headers("Alarm Summary", mail_dest); + write_file(pp_alarms, headers + "\n"); + } + +# Closes and mails out the current output file. +function pp_send() + { + if ( ! pp_alarms_open ) + return; + + write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n"); + + system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", + pp_alarms_name, sendmail, pp_alarms_name)); + + pp_alarms_open = F; + } + +# Postprocessor function that triggers the email. +function pp_postprocessor(info: Log::RotationInfo): bool + { + if ( want_pp() ) + pp_send(); + } + +event bro_init() + { + if ( ! want_pp() ) + return; + + # This replaces the standard non-pretty-printing filter. 
+ Log::add_filter(Notice::ALARM_LOG, + [$name="alarm-mail", $writer=Log::WRITER_NONE, + $interv=Log::default_rotation_interval, + $postprocessor=pp_postprocessor]); + } + +event notice(n: Notice::Info) &priority=-5 + { + if ( ! want_pp() ) + return; + + if ( ACTION_ALARM !in n$actions ) + return; + + if ( ! pp_alarms_open ) + pp_open(); + + pretty_print_alarm(pp_alarms, n); + } + +# Default pretty-printer. +function pretty_print_alarm(out: file, n: Info) + { + print out, n; + } + + + + From 39ed48902817bc7db9fe2d42551842a9219817c5 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 26 Oct 2011 10:52:14 -0700 Subject: [PATCH 3/5] Small fixes, and new option to specify a different dest address. --- .../frameworks/notice/actions/pp-alarms.bro | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index 074c375253..c6863b0c1c 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -8,6 +8,10 @@ export { ## Activate pretty-printed alarm summaries. const pretty_print_alarms = T &redef; + ## Address to send the pretty-printed reports to. Default if not set is + ## :bro:id:`Notice::mail_dest`. + const mail_dest_pretty_printed = "" &redef; + ## Function that renders a single alarm. Can be overidden. global pretty_print_alarm: function(out: file, n: Info) &redef; } @@ -20,9 +24,8 @@ global pp_alarms_open: bool = F; # Returns True if pretty-printed alarm summaries are activated. function want_pp() : bool { - # return (pretty_print_alarms && ! reading_traces() && mail_dest != ""); - print (pretty_print_alarms && mail_dest != ""); - return (pretty_print_alarms && mail_dest != ""); + return (pretty_print_alarms && ! reading_traces() + && (mail_dest != "" || mail_dest_pretty_printed != "")); } # Opens and intializes the output file. 
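Review bot: `pp_send` builds a shell pipeline with `fmt` and hands it to `system()`, so its safety rests on `pp_alarms_name` and `sendmail` never containing shell metacharacters; both are script constants, but `sendmail` is presumably redef-able by the operator, and nothing at the call site records that notice text must never be interpolated into this command. A comment next to the call, e.g. `# Only operator-set constants go into this command line; notice content is written to the file, never interpolated here.`, pins that invariant for the next maintainer. The spool file is the fixed relative name `alarm-mail.txt` in Bro's working directory, truncated by `open()` and deleted by `/bin/rm`; if that directory is writable by other local accounts, a pre-planted symlink of that name redirects the summary, so a dedicated spool directory or a per-process name is worth considering. The comments also have two typos: `overidden` should read `overridden` and `intializes` should read `initializes`.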
@@ -33,8 +36,11 @@ function pp_open() pp_alarms_open = T; pp_alarms = open(pp_alarms_name); + + local dest = mail_dest_pretty_printed != "" ? mail_dest_pretty_printed + : mail_dest; - local headers = email_headers("Alarm Summary", mail_dest); + local headers = email_headers("Alarm summary", dest); write_file(pp_alarms, headers + "\n"); } @@ -45,6 +51,7 @@ function pp_send() return; write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n"); + close(pp_alarms); system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", pp_alarms_name, sendmail, pp_alarms_name)); @@ -57,6 +64,8 @@ function pp_postprocessor(info: Log::RotationInfo): bool { if ( want_pp() ) pp_send(); + + return T; } event bro_init() From eb6313adcb61759ca9887c20ff701437a9bc5abe Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 26 Oct 2011 13:42:42 -0700 Subject: [PATCH 4/5] Now actually pretty-printing the notices. Output is similar to Bro 1.x. --- scripts/base/frameworks/notice/__load__.bro | 4 +- .../frameworks/notice/actions/pp-alarms.bro | 95 +++++++++++++++++-- 2 files changed, 89 insertions(+), 10 deletions(-) diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro index 36c608ef43..4548e98dc2 100644 --- a/scripts/base/frameworks/notice/__load__.bro +++ b/scripts/base/frameworks/notice/__load__.bro @@ -7,7 +7,6 @@ @load ./actions/email_admin @load ./actions/page @load ./actions/add-geodata -@load ./actions/pp-alarms # There shouldn't be any default overhead from loading these since they # *should* only do anything when notices have the ACTION_EMAIL action applied. @@ -19,3 +18,6 @@ @if ( Cluster::is_enabled() ) @load ./cluster @endif + +# Load here so that it can check whether clustering is enabled. +@load ./actions/pp-alarms diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index c6863b0c1c..e60b41eb86 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro 
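Review bot: the result of `system()` in `pp_send` is discarded, so when the `/bin/cat … | sendmail` pipeline fails the summary is lost silently: the `&&` skips `/bin/rm`, but `pp_alarms_open = F` means the next `pp_open()` truncates `alarm-mail.txt` anyway. Capturing the return code and reporting a non-zero value, e.g. `local rc = system(fmt(...));` followed by `if ( rc != 0 ) print fmt("pp-alarms: mailing summary failed (rc=%d)", rc);`, makes the failure visible to the operator; the same call is re-enabled unchanged in the last patch of this series, so the point applies there too. `pp_send` begins outside this hunk.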
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -12,6 +12,12 @@ export { ## :bro:id:`Notice::mail_dest`. const mail_dest_pretty_printed = "" &redef; + ## If an address from one of these networks is involved in alarm, we mark + ## the entry with a quote symbol (i.e., ">"). Many mailers highlight such + ## lines in some way. + global flag_nets: set[subnet] &redef; + + ## Function that renders a single alarm. Can be overidden. global pretty_print_alarm: function(out: file, n: Info) &redef; } @@ -24,6 +30,7 @@ global pp_alarms_open: bool = F; # Returns True if pretty-printed alarm summaries are activated. function want_pp() : bool { + return T; return (pretty_print_alarms && ! reading_traces() && (mail_dest != "" || mail_dest_pretty_printed != "")); } @@ -53,8 +60,8 @@ function pp_send() write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n"); close(pp_alarms); - system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", - pp_alarms_name, sendmail, pp_alarms_name)); + #system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", + # pp_alarms_name, sendmail, pp_alarms_name)); pp_alarms_open = F; } @@ -84,8 +91,8 @@ event notice(n: Notice::Info) &priority=-5 { if ( ! want_pp() ) return; - - if ( ACTION_ALARM !in n$actions ) + + if ( ACTION_LOG !in n$actions ) return; if ( ! pp_alarms_open ) 
@@ -94,12 +101,82 @@ event notice(n: Notice::Info) &priority=-5 pretty_print_alarm(pp_alarms, n); } +function do_msg(out: file, n: Info, line1: string, line2: string, line3: string, host: addr, name: string) + { + if ( host != 0.0.0.0 ) + { + local country = ""; + if ( n?$remote_location && n$remote_location?$country_code ) + country = fmt(" (%s)", n$remote_location$country_code); + + name = fmt(" %s = %s%s", host, name, country); + } + + + line1 = cat(line1, name); + + print out, line1; + print out, line2; + if ( line3 != "" ) + print out, line3; + } + # Default pretty-printer. function pretty_print_alarm(out: file, n: Info) { - print out, n; + local pdescr = ""; + +@if ( Cluster::is_enabled() ) + pdescr = "local"; + + if ( n?$src_peer ) + pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host); + + pdescr = fmt("<%s> ", pdescr); +@endif + + local msg = fmt( "%s%s%s", pdescr, n$msg, n?$sub ? cat(" ", n$sub) : ""); + + local orig = 0.0.0.0; + local resp = 0.0.0.0; + local host = 0.0.0.0; + + if ( n?$src ) + orig = host = n$src; + + if ( n?$id ) + { + orig = n$id$orig_h; + resp = n$id$resp_h; + } + + if ( host == 0.0.0.0 ) + host = orig; + + local flag = (orig in flag_nets || resp in flag_nets); + + local location = ""; + + if ( host != 0.0.0.0 ) + location = Site::is_local_addr(host) ? "(L)" : "(R)"; + + local line1 = fmt(">%s %D %s %s", (flag ? ">" : " "), network_time(), n$note, location); + local line2 = fmt(" %s", msg); + local line3 = ""; # Could use later. + + if ( host == 0.0.0.0 ) + { + do_msg(out, n, line1, line2, line3, 0.0.0.0, ""); + return; + } + + when ( local name = lookup_addr(host) ) + { + do_msg(out, n, line1, line2, line3, host, name); + } + timeout 5secs + { + do_msg(out, n, line1, line2, line3, host, "(dns timeout)"); + } } - - - - + From 314e9c41f9dcdb2d7aa51139036c40a3b2e34f9f Mon Sep 17 00:00:00 2001 
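Review bot: in `pretty_print_alarm` the `when ( local name = lookup_addr(host) )` body and its `timeout 5secs` branch run asynchronously after the handler has returned, so `do_msg` can write to `out` after a rotation-triggered `pp_send()` has already closed the file and mailed the summary; that alarm then lands nowhere or in the next summary, and the order of entries in the mail follows DNS latency rather than arrival. A safer shape is to queue the rendered lines until the lookup resolves and have `pp_send` flush or wait for outstanding lookups before closing the file; at minimum `do_msg` should check `pp_alarms_open` before printing. Separately, `name` is a reverse-DNS answer for an address taken from traffic and `n$msg`/`n$sub` can carry payload bytes, and all of them go verbatim into the mail, so escaping them before `print` (e.g. with `escape_string`) keeps control characters out of the report. `do_msg` and `pretty_print_alarm` are complete within the hunk.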
From: Robin Sommer Date: Wed, 26 Oct 2011 14:39:07 -0700 Subject: [PATCH 5/5] Removing debugging code. --- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- scripts/base/frameworks/notice/actions/pp-alarms.bro | 5 ++--- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 4d4df8818c..30d59813ad 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 4d4df8818c184c5ef0ea20466f137e2a7f13de23 +Subproject commit 30d59813ada9294867b89b7f335ef52651be683d diff --git a/aux/broccoli b/aux/broccoli index d2c2828772..13c87ac2f4 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit d2c2828772a17b55f445d7a36bd6657205d113b3 +Subproject commit 13c87ac2f4561c77562bfaf8816caad0c2651291 diff --git a/aux/broctl b/aux/broctl index e4fef7ed45..a59d4ee1dd 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e4fef7ed45b185c6805b4a163b274d192d8206d5 +Subproject commit a59d4ee1ddc4dcde54cb3e3cedea870314a3b380 diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index e60b41eb86..e932fcb54f 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -30,7 +30,6 @@ global pp_alarms_open: bool = F; # Returns True if pretty-printed alarm summaries are activated. function want_pp() : bool { - return T; return (pretty_print_alarms && ! reading_traces() && (mail_dest != "" || mail_dest_pretty_printed != "")); } @@ -60,8 +59,8 @@ function pp_send() write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n"); close(pp_alarms); - #system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", - # pp_alarms_name, sendmail, pp_alarms_name)); + system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s", + pp_alarms_name, sendmail, pp_alarms_name)); pp_alarms_open = F; }