Merge branch 'master' into topic/jsiwek/file-analysis

Conflicts: scripts/base/protocols/ftp/main.bro src/OpaqueVal.h testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
2025-10-16 13:38:19 +00:00 · 2013-05-06 10:21:16 -05:00 · 2013-05-06 10:21:16 -05:00 · ec50cad9db
commit ec50cad9db
parent 0141f51801 69c7363147
90 changed files with 3004 additions and 1415 deletions
--- a/scripts/policy/frameworks/metrics/conn-example.bro
+++ b/scripts/policy/frameworks/metrics/conn-example.bro
@ -1,25 +0,0 @@
-##! An example of using the metrics framework to collect connection metrics 
-##! aggregated into /24 CIDR ranges.
-
-@load base/frameworks/metrics
-@load base/utils/site
-
-redef enum Metrics::ID += { 
-	CONNS_ORIGINATED, 
-	CONNS_RESPONDED 
-};
-
-event bro_init()
-	{
-	Metrics::add_filter(CONNS_ORIGINATED, [$aggregation_mask=24, $break_interval=1mins]);
-	
-	# Site::local_nets must be defined in order for this to actually do anything.
-	Metrics::add_filter(CONNS_RESPONDED,  [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
-	}
-
-event connection_established(c: connection)
-	{
-	Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1);
-	Metrics::add_data(CONNS_RESPONDED,  [$host=c$id$resp_h], 1);
-	}
-	
--- a/scripts/policy/frameworks/metrics/http-example.bro
+++ b/scripts/policy/frameworks/metrics/http-example.bro
@ -1,37 +0,0 @@
-##! Provides an example of aggregating and limiting collection down to 
-##! only local networks.  Additionally, the status code for the response from
-##! the request is added into the metric.
-
-@load base/frameworks/metrics
-@load base/protocols/http
-@load base/utils/site
-
-redef enum Metrics::ID += {
-	## Measures HTTP requests indexed on both the request host and the response
-	## code from the server.
-	HTTP_REQUESTS_BY_STATUS_CODE,
-
-	## Currently unfinished and not working.
-	HTTP_REQUESTS_BY_HOST_HEADER,
-};
-
-event bro_init()
-	{
-	# TODO: these are waiting on a fix with table vals + records before they will work.
-	#Metrics::add_filter(HTTP_REQUESTS_BY_HOST_HEADER, 
-	#                    [$pred(index: Metrics::Index) = { return Site::is_local_addr(index$host); },
-	#                     $aggregation_mask=24,
-	#                     $break_interval=1min]);
-	
-	# Site::local_nets must be defined in order for this to actually do anything.
-	Metrics::add_filter(HTTP_REQUESTS_BY_STATUS_CODE, [$aggregation_table=Site::local_nets_table,
-	                                                   $break_interval=1min]);
-	}
-
-event HTTP::log_http(rec: HTTP::Info)
-	{
-	if ( rec?$host )
-		Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1);
-	if ( rec?$status_code )
-		Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1);
-	}
--- a/scripts/policy/frameworks/metrics/ssl-example.bro
+++ b/scripts/policy/frameworks/metrics/ssl-example.bro
@ -1,28 +0,0 @@
-##! Provides an example of using the metrics framework to collect the number
-##! of times a specific server name indicator value is seen in SSL session
-##! establishments.  Names ending in google.com are being filtered out as an
-##! example of the predicate based filtering in metrics filters.
-
-@load base/frameworks/metrics
-@load base/protocols/ssl
-
-redef enum Metrics::ID += {
-	SSL_SERVERNAME,
-};
-
-event bro_init()
-	{
-	Metrics::add_filter(SSL_SERVERNAME, 
-		[$name="no-google-ssl-servers",
-		 $pred(index: Metrics::Index) = { 
-		    return (/google\.com$/ !in index$str); 
-		 },
-		 $break_interval=10secs
-		]);
-	}
-
-event SSL::log_ssl(rec: SSL::Info)
-	{
-	if ( rec?$server_name )
-		Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1);
-	}
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@ -43,15 +43,6 @@ export {

 global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table();

-event Control::configuration_update()
-	{
-	internal_vulnerable_versions = table();
-
-	# Copy the const vulnerable versions into the global modifiable one.
-	for ( sw in vulnerable_versions )
-		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
-	}
-
 function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRange
 	{
 	# Create a max value with a dunce value only because the $max field
@ -115,11 +106,27 @@ event grab_vulnerable_versions(i: count)
 		}
 	}

-event bro_init()
+function update_vulnerable_sw()
 	{
+	internal_vulnerable_versions = table();
+
+	# Copy the const vulnerable versions into the global modifiable one.
+	for ( sw in vulnerable_versions )
+		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
+
 	event grab_vulnerable_versions(1);
 	}

+event bro_init() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
+event Control::configuration_update() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
 event log_software(rec: Info)
 	{
 	if ( rec$name !in internal_vulnerable_versions )