Merge remote-tracking branch 'origin/topic/robin/pp-alarms'

* origin/topic/robin/pp-alarms: The silliest, tiniest little whitespace fixes. Update missing in last commit to this branch. Adding test for alarm mail. Tuning the pretty-printed alarms output.
2025-10-02 14:48:21 +00:00 · 2012-01-04 13:41:28 -05:00 · 2012-01-04 13:41:28 -05:00 · f8ec98625d
commit f8ec98625d
parent 167b645ed0 adfbed8e56
3 changed files with 92 additions and 53 deletions
--- a/scripts/base/frameworks/notice/actions/pp-alarms.bro
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro
@ -15,13 +15,17 @@ export {
 	## :bro:id:`Notice::mail_dest`.
 	const mail_dest_pretty_printed = "" &redef;
 	
-        ## If an address from one of these networks is reported, we mark
+	## If an address from one of these networks is reported, we mark
 	## the entry with an addition quote symbol (i.e., ">"). Many MUAs
 	## then highlight such lines differently.
 	global flag_nets: set[subnet] &redef;
 	
 	## Function that renders a single alarm. Can be overidden.
 	global pretty_print_alarm: function(out: file, n: Info) &redef;
+	
+	## Force generating mail file, even if reading from traces or no mail
+	## destination is defined. This is mainly for testing.
+	global force_email_summaries = F &redef;
 }

 # We maintain an old-style file recording the pretty-printed alarms.
@ -32,6 +36,9 @@ global pp_alarms_open: bool = F;
 # Returns True if pretty-printed alarm summaries are activated.
 function want_pp() : bool
 	{
+	if ( force_email_summaries )
+		return T;
+	
 	return (pretty_print_alarms && ! reading_traces()
 		&& (mail_dest != "" || mail_dest_pretty_printed != ""));
 	}
@ -44,34 +51,45 @@ function pp_open()
 	
 	pp_alarms_open = T;
 	pp_alarms = open(pp_alarms_name);
-
-	local dest = mail_dest_pretty_printed != "" ? mail_dest_pretty_printed
-		: mail_dest;
-
-	local headers = email_headers("Alarm summary", dest);
-	write_file(pp_alarms, headers + "\n");
 	}

 # Closes and mails out the current output file.
-function pp_send()
+function pp_send(rinfo: Log::RotationInfo)
 	{
 	if ( ! pp_alarms_open )
 		return;
 	
 	write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n");
 	close(pp_alarms);
-
-	system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s",
-		   pp_alarms_name, sendmail, pp_alarms_name));
-
 	pp_alarms_open = F;
+	
+	local from = strftime("%H:%M:%S", rinfo$open);
+	local to = strftime("%H:%M:%S", rinfo$close);
+	local subject = fmt("Alarm summary from %s-%s", from, to);
+	local dest = mail_dest_pretty_printed != "" ? mail_dest_pretty_printed
+		: mail_dest;
+	
+	if ( dest == "" )
+		# No mail destination configured, just leave the file alone. This is mainly for
+		# testing.
+		return;
+	
+	local headers = email_headers(subject, dest);
+	
+	local header_name = pp_alarms_name + ".tmp";
+	local header = open(header_name);
+	write_file(header, headers + "\n");
+	close(header);
+	
+	system(fmt("/bin/cat %s %s | %s -t -oi && /bin/rm -f %s %s",
+		   header_name, pp_alarms_name, sendmail, header_name, pp_alarms_name));
 	}

 # Postprocessor function that triggers the email.
 function pp_postprocessor(info: Log::RotationInfo): bool
 	{
 	if ( want_pp() )
-		pp_send();
+		pp_send(info);
 	
 	return T;
 	}
@ -93,7 +111,7 @@ event notice(n: Notice::Info) &priority=-5
 	if ( ! want_pp() )
 		return;
 	
-	if ( ACTION_LOG !in n$actions )
+	if ( ACTION_ALARM !in n$actions )
 		return;
 	
 	if ( ! pp_alarms_open )
@ -154,31 +172,25 @@ function pretty_print_alarm(out: file, n: Info)
 	
 	if ( n?$id )
 		{
-		orig_p = fmt(":%s", n$id$orig_p);
-		resp_p = fmt(":%s", n$id$resp_p);
+		h1 = n$id$orig_h;
+		h2 = n$id$resp_h;
+		who = fmt("%s:%s -> %s:%s", h1, n$id$orig_p, h2, n$id$resp_p);
 		}
-
-	if ( n?$src && n?$dst )
+	else if ( n?$src && n?$dst )
 		{
 		h1 = n$src;
 		h2 = n$dst;
-		who = fmt("%s%s -> %s%s", h1, orig_p, h2, resp_p);
-
-		if ( n?$uid )
-			who = fmt("%s (uid %s)", who, n$uid );
+		who = fmt("%s -> %s", h1, h2);
 		}
-
 	else if ( n?$src )
 		{
-		local p = "";
-
-		if ( n?$p )
-			p = fmt(":%s", n$p);
-		      
 		h1 = n$src;
-		who = fmt("%s%s", h1, p);
+		who = fmt("%s%s", h1, (n?$p ? fmt(":%s", n$p) : ""));
 		}
 	
+	if ( n?$uid )
+		who = fmt("%s (uid %s)", who, n$uid );
+	
 	local flag = (h1 in flag_nets || h2 in flag_nets);
 	
 	local line1 = fmt(">%s %D %s %s", (flag ? ">" : " "), network_time(), n$note, who);
@ -191,6 +203,12 @@ function pretty_print_alarm(out: file, n: Info)
 		return;
 		}
 	
+	if ( reading_traces() )
+		{
+		do_msg(out, n, line1, line2, line3, h1, "<skipped>", h2, "<skipped>");
+		return;
+		}
+	
 	when ( local h1name = lookup_addr(h1) )
 		{
 		if ( h2 == 0.0.0.0 ) 
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
@ -0,0 +1,4 @@
+>  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid arKYeMETxOg)
+   test
+   # 141.42.64.125 = <skipped>  125.190.109.199 = <skipped>
+
--- a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
+++ b/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
+# @TEST-EXEC: btest-diff alarm-mail.txt
+
+redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 1 ] };
+redef Notice::force_email_summaries = T;
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event connection_established(c: connection)
+	{
+	NOTICE([$note=Test_Notice, $conn=c, $msg="test", $identifier="static"]);
+	}
+
+
+