mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
This commit is contained in:
Seth Hall
commit
f8be65ca56
111 changed files with 1596 additions and 810 deletions
|
|
@ -11,6 +11,24 @@ export {
|
|||
## The default reader mode used. Defaults to `MANUAL`.
|
||||
const default_mode = MANUAL &redef;
|
||||
|
||||
## Separator between fields.
|
||||
## Please note that the separator has to be exactly one character long.
|
||||
## Can be overwritten by individual writers.
|
||||
const separator = "\t" &redef;
|
||||
|
||||
## Separator between set elements.
|
||||
## Please note that the separator has to be exactly one character long.
|
||||
## Can be overwritten by individual writers.
|
||||
const set_separator = "," &redef;
|
||||
|
||||
## String to use for empty fields.
|
||||
## Can be overwritten by individual writers.
|
||||
const empty_field = "(empty)" &redef;
|
||||
|
||||
## String to use for an unset &optional field.
|
||||
## Can be overwritten by individual writers.
|
||||
const unset_field = "-" &redef;
|
||||
|
||||
## Flag that controls if the input framework accepts records
|
||||
## that contain types that are not supported (at the moment
|
||||
## file and function). If true, the input framework will
|
||||
|
|
@ -115,7 +133,7 @@ export {
|
|||
global add_event: function(description: Input::EventDescription) : bool;
|
||||
|
||||
## Remove a input stream. Returns true on success and false if the named stream was
|
||||
## not found.
|
||||
## not found.
|
||||
##
|
||||
## id: string value identifying the stream to be removed
|
||||
global remove: function(id: string) : bool;
|
||||
|
|
|
|||
|
|
@ -7,15 +7,15 @@ module InputAscii;
|
|||
export {
|
||||
## Separator between fields.
|
||||
## Please note that the separator has to be exactly one character long
|
||||
const separator = "\t" &redef;
|
||||
const separator = Input::separator &redef;
|
||||
|
||||
## Separator between set elements.
|
||||
## Please note that the separator has to be exactly one character long
|
||||
const set_separator = "," &redef;
|
||||
const set_separator = Input::set_separator &redef;
|
||||
|
||||
## String to use for empty fields.
|
||||
const empty_field = "(empty)" &redef;
|
||||
const empty_field = Input::empty_field &redef;
|
||||
|
||||
## String to use for an unset &optional field.
|
||||
const unset_field = "-" &redef;
|
||||
const unset_field = Input::unset_field &redef;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,6 +17,23 @@ export {
|
|||
## anything else.
|
||||
const default_writer = WRITER_ASCII &redef;
|
||||
|
||||
## Default separator between fields for logwriters.
|
||||
## Can be overwritten by individual writers.
|
||||
const separator = "\t" &redef;
|
||||
|
||||
## Separator between set elements.
|
||||
## Can be overwritten by individual writers.
|
||||
const set_separator = "," &redef;
|
||||
|
||||
## String to use for empty fields. This should be different from
|
||||
## *unset_field* to make the output non-ambigious.
|
||||
## Can be overwritten by individual writers.
|
||||
const empty_field = "(empty)" &redef;
|
||||
|
||||
## String to use for an unset &optional field.
|
||||
## Can be overwritten by individual writers.
|
||||
const unset_field = "-" &redef;
|
||||
|
||||
## Type defining the content of a logging stream.
|
||||
type Stream: record {
|
||||
## A record type defining the log's columns.
|
||||
|
|
|
|||
|
|
@ -28,17 +28,17 @@ export {
|
|||
const meta_prefix = "#" &redef;
|
||||
|
||||
## Separator between fields.
|
||||
const separator = "\t" &redef;
|
||||
const separator = Log::separator &redef;
|
||||
|
||||
## Separator between set elements.
|
||||
const set_separator = "," &redef;
|
||||
const set_separator = Log::set_separator &redef;
|
||||
|
||||
## String to use for empty fields. This should be different from
|
||||
## *unset_field* to make the output non-ambigious.
|
||||
const empty_field = "(empty)" &redef;
|
||||
const empty_field = Log::empty_field &redef;
|
||||
|
||||
## String to use for an unset &optional field.
|
||||
const unset_field = "-" &redef;
|
||||
const unset_field = Log::unset_field &redef;
|
||||
}
|
||||
|
||||
# Default function to postprocess a rotated ASCII log file. It moves the rotated
|
||||
|
|
|
|||
|
|
@ -1,10 +1,15 @@
|
|||
##! This framework is intended to create an output and filtering path for
|
||||
##! internal messages/warnings/errors. It should typically be loaded to
|
||||
##! avoid Bro spewing internal messages to standard error and instead log
|
||||
##! them to a file in a standard way. Note that this framework deals with
|
||||
##! the handling of internally-generated reporter messages, for the
|
||||
##! interface into actually creating reporter messages from the scripting
|
||||
##! layer, use the built-in functions in :doc:`/scripts/base/reporter.bif`.
|
||||
##! log such messages to a file in a standard way. For the options to
|
||||
##! toggle whether messages are additionally written to STDERR, see
|
||||
##! :bro:see:`Reporter::info_to_stderr`,
|
||||
##! :bro:see:`Reporter::warnings_to_stderr`, and
|
||||
##! :bro:see:`Reporter::errors_to_stderr`.
|
||||
##!
|
||||
##! Note that this framework deals with the handling of internally generated
|
||||
##! reporter messages, for the interface in to actually creating interface
|
||||
##! into actually creating reporter messages from the scripting layer, use
|
||||
##! the built-in functions in :doc:`/scripts/base/reporter.bif`.
|
||||
|
||||
module Reporter;
|
||||
|
||||
|
|
@ -36,26 +41,11 @@ export {
|
|||
## Not all reporter messages will have locations in them though.
|
||||
location: string &log &optional;
|
||||
};
|
||||
|
||||
## Tunable for sending reporter warning messages to STDERR. The option to
|
||||
## turn it off is presented here in case Bro is being run by some
|
||||
## external harness and shouldn't output anything to the console.
|
||||
const warnings_to_stderr = T &redef;
|
||||
|
||||
## Tunable for sending reporter error messages to STDERR. The option to
|
||||
## turn it off is presented here in case Bro is being run by some
|
||||
## external harness and shouldn't output anything to the console.
|
||||
const errors_to_stderr = T &redef;
|
||||
}
|
||||
|
||||
global stderr: file;
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Reporter::LOG, [$columns=Info]);
|
||||
|
||||
if ( errors_to_stderr || warnings_to_stderr )
|
||||
stderr = open("/dev/stderr");
|
||||
}
|
||||
|
||||
event reporter_info(t: time, msg: string, location: string) &priority=-5
|
||||
|
|
@ -65,26 +55,10 @@ event reporter_info(t: time, msg: string, location: string) &priority=-5
|
|||
|
||||
event reporter_warning(t: time, msg: string, location: string) &priority=-5
|
||||
{
|
||||
if ( warnings_to_stderr )
|
||||
{
|
||||
if ( t > double_to_time(0.0) )
|
||||
print stderr, fmt("WARNING: %.6f %s (%s)", t, msg, location);
|
||||
else
|
||||
print stderr, fmt("WARNING: %s (%s)", msg, location);
|
||||
}
|
||||
|
||||
Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]);
|
||||
}
|
||||
|
||||
event reporter_error(t: time, msg: string, location: string) &priority=-5
|
||||
{
|
||||
if ( errors_to_stderr )
|
||||
{
|
||||
if ( t > double_to_time(0.0) )
|
||||
print stderr, fmt("ERROR: %.6f %s (%s)", t, msg, location);
|
||||
else
|
||||
print stderr, fmt("ERROR: %s (%s)", msg, location);
|
||||
}
|
||||
|
||||
Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -148,7 +148,7 @@ function has_signature_matched(id: string, orig: addr, resp: addr): bool
|
|||
event sig_summary(orig: addr, id: string, msg: string)
|
||||
{
|
||||
NOTICE([$note=Signature_Summary, $src=orig,
|
||||
$filename=id, $msg=fmt("%s: %s", orig, msg),
|
||||
$msg=fmt("%s: %s", orig, msg),
|
||||
$n=count_per_orig[orig,id] ]);
|
||||
}
|
||||
|
||||
|
|
@ -209,7 +209,6 @@ event signature_match(state: signature_state, msg: string, data: string)
|
|||
{
|
||||
NOTICE([$note=Count_Signature, $conn=state$conn,
|
||||
$msg=msg,
|
||||
$filename=sig_id,
|
||||
$n=count_per_resp[dst,sig_id],
|
||||
$sub=fmt("%d matches of signature %s on host %s",
|
||||
count_per_resp[dst,sig_id],
|
||||
|
|
@ -240,7 +239,7 @@ event signature_match(state: signature_state, msg: string, data: string)
|
|||
if ( notice )
|
||||
NOTICE([$note=Sensitive_Signature,
|
||||
$conn=state$conn, $src=src_addr,
|
||||
$dst=dst_addr, $filename=sig_id, $msg=fmt("%s: %s", src_addr, msg),
|
||||
$dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
|
||||
$sub=data]);
|
||||
|
||||
if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
|
||||
|
|
@ -274,7 +273,7 @@ event signature_match(state: signature_state, msg: string, data: string)
|
|||
$src_addr=orig, $sig_id=sig_id, $event_msg=msg,
|
||||
$host_count=hcount, $sub_msg=horz_scan_msg]);
|
||||
|
||||
NOTICE([$note=Multiple_Sig_Responders, $src=orig, $filename=sig_id,
|
||||
NOTICE([$note=Multiple_Sig_Responders, $src=orig,
|
||||
$msg=msg, $n=hcount, $sub=horz_scan_msg]);
|
||||
|
||||
last_hthresh[orig] = hcount;
|
||||
|
|
@ -295,7 +294,6 @@ event signature_match(state: signature_state, msg: string, data: string)
|
|||
$sub_msg=vert_scan_msg]);
|
||||
|
||||
NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
|
||||
$filename=sig_id,
|
||||
$msg=fmt("%s different signatures triggered", vcount),
|
||||
$n=vcount, $sub=vert_scan_msg]);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue