mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 01:28:20 +00:00
Merge remote-tracking branch 'origin/topic/jsiwek/reorg-followup'
This commit is contained in:
Seth Hall
commit
fc5f22cb5d
234 changed files with 295 additions and 104 deletions
|
|
@ -1,7 +1,7 @@
|
|||
# Load the core cluster support.
|
||||
@load ./main
|
||||
|
||||
@if ( Cluster::node != "" )
|
||||
@if ( Cluster::is_enabled() )
|
||||
|
||||
# Give the node being started up it's peer name.
|
||||
redef peer_description = Cluster::node;
|
||||
|
|
@ -26,17 +26,17 @@ redef peer_description = Cluster::node;
|
|||
## Set the port that this node is supposed to listen on.
|
||||
redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;
|
||||
|
||||
@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER )
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
@load ./nodes/manager
|
||||
@endif
|
||||
|
||||
@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::PROXY )
|
||||
@if ( Cluster::local_node_type() == Cluster::PROXY )
|
||||
@load ./nodes/proxy
|
||||
@endif
|
||||
|
||||
@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::WORKER )
|
||||
@if ( Cluster::local_node_type() == Cluster::WORKER )
|
||||
@load ./nodes/worker
|
||||
@endif
|
||||
|
||||
@endif
|
||||
@endif
|
||||
@endif
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load base/frameworks/control
|
||||
|
||||
module Cluster;
|
||||
|
||||
|
|
@ -9,6 +10,7 @@ export {
|
|||
} &log;
|
||||
|
||||
type NodeType: enum {
|
||||
NONE,
|
||||
CONTROL,
|
||||
MANAGER,
|
||||
PROXY,
|
||||
|
|
@ -53,8 +55,8 @@ export {
|
|||
|
||||
## This function can be called at any time to determine what type of
|
||||
## cluster node the current Bro instance is going to be acting as.
|
||||
## :bro:id:`is_enabled` should be called first to find out if this is
|
||||
## actually going to be a cluster node.
|
||||
## If :bro:id:`Cluster::is_enabled` returns false, then
|
||||
## :bro:enum:`Cluster::NONE` is returned.
|
||||
global local_node_type: function(): NodeType;
|
||||
|
||||
## This gives the value for the number of workers currently connected to,
|
||||
|
|
@ -80,15 +82,15 @@ function is_enabled(): bool
|
|||
|
||||
function local_node_type(): NodeType
|
||||
{
|
||||
return nodes[node]$node_type;
|
||||
return is_enabled() ? nodes[node]$node_type : NONE;
|
||||
}
|
||||
|
||||
|
||||
event remote_connection_handshake_done(p: event_peer)
|
||||
{
|
||||
if ( nodes[p$descr]$node_type == WORKER )
|
||||
++worker_count;
|
||||
}
|
||||
|
||||
event remote_connection_closed(p: event_peer)
|
||||
{
|
||||
if ( nodes[p$descr]$node_type == WORKER )
|
||||
|
|
@ -100,10 +102,9 @@ event bro_init() &priority=5
|
|||
# If a node is given, but it's an unknown name we need to fail.
|
||||
if ( node != "" && node !in nodes )
|
||||
{
|
||||
local msg = "You didn't supply a valid node in the Cluster::nodes configuration.";
|
||||
event reporter_error(current_time(), msg, "");
|
||||
Reporter::error(fmt("'%s' is not a valid node in the Cluster::nodes configuration", node));
|
||||
terminate();
|
||||
}
|
||||
|
||||
Log::create_stream(CLUSTER, [$columns=Info]);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,8 @@
|
|||
##! This is where the cluster manager sets it's specific settings for other
|
||||
##! frameworks and in the core.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
@prefixes += cluster-manager
|
||||
|
||||
# Load the script for local site configuration for the manager node.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load base/frameworks/notice
|
||||
|
||||
@prefixes += cluster-worker
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
@load ./main
|
||||
@load base/frameworks/communication/main
|
||||
@load base/frameworks/communication
|
||||
|
||||
@if ( Cluster::node in Cluster::nodes )
|
||||
|
||||
module Cluster;
|
||||
|
||||
|
|
@ -79,3 +81,5 @@ event bro_init() &priority=9
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
@endif
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
##! Connect to remote Bro or Broccoli instances to share state and/or transfer
|
||||
##! events.
|
||||
|
||||
@load base/frameworks/packet-filter
|
||||
|
||||
module Communication;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -20,6 +20,8 @@
|
|||
# canary
|
||||
# friend
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module Intel;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -159,7 +159,7 @@ export {
|
|||
# We keep a script-level copy of all filters so that we can manipulate them.
|
||||
global filters: table[ID, string] of Filter;
|
||||
|
||||
@load logging.bif.bro # Needs Filter and Stream defined.
|
||||
@load base/logging.bif # Needs Filter and Stream defined.
|
||||
|
||||
module Log;
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@
|
|||
##! to be an internal implementation detail.
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load ./main
|
||||
|
||||
module Metrics;
|
||||
|
||||
|
|
@ -258,4 +259,4 @@ event Metrics::cluster_filter_response(uid: string, id: ID, filter_name: string,
|
|||
}
|
||||
}
|
||||
|
||||
@endif
|
||||
@endif
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load ./main
|
||||
|
||||
module Metrics;
|
||||
|
||||
|
|
@ -17,4 +18,4 @@ function data_added(filter: Filter, index: Index, val: count)
|
|||
{
|
||||
if ( check_notice(filter, index, val) )
|
||||
do_notice(filter, index, val);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,6 +4,10 @@
|
|||
##! probably a safe assumption to make in most cases. If both addresses
|
||||
##! are remote, it will use the $src address.
|
||||
|
||||
@load ../main
|
||||
@load base/frameworks/notice
|
||||
@load base/utils/site
|
||||
|
||||
module Notice;
|
||||
|
||||
export {
|
||||
|
|
@ -44,4 +48,4 @@ event notice(n: Notice::Info) &priority=10
|
|||
else if ( n?$dst && ! Site::is_local_addr(n$dst) )
|
||||
n$remote_location = lookup_location(n$dst);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
##! This script extends the built in notice code to implement the IP address
|
||||
##! dropping functionality.
|
||||
|
||||
@load ../main
|
||||
|
||||
module Notice;
|
||||
|
||||
export {
|
||||
|
|
@ -31,4 +33,4 @@ event bro_init()
|
|||
};
|
||||
|
||||
add Notice::sync_functions[drop_func];
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
@load ../main
|
||||
@load base/utils/site
|
||||
|
||||
module Notice;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load ../main
|
||||
|
||||
module Notice;
|
||||
|
||||
|
|
@ -16,4 +17,4 @@ event notice(n: Notice::Info) &priority=-5
|
|||
{
|
||||
if ( ACTION_PAGE in n$actions )
|
||||
email_notice_to(n, mail_page_dest, F);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load ../main
|
||||
|
||||
module Notice;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
@load base/utils/conn-ids
|
||||
@load base/utils/site
|
||||
@load ./main
|
||||
|
||||
module Weird;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -4,6 +4,8 @@
|
|||
##! open filter and all filters defined in Bro scripts with the
|
||||
##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module PacketFilter;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
##! This script reports on packet loss from the various packet sources.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module PacketFilter;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
##! Script level signature support.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module Signatures;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -4,6 +4,9 @@
|
|||
##! that they analyze. The entry point for providing new software detections
|
||||
##! to this framework is through the :bro:id:`Software::found` function.
|
||||
|
||||
@load base/utils/directions-and-hosts
|
||||
@load base/utils/numbers
|
||||
|
||||
module Software;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
@load const.bif.bro
|
||||
@load types.bif.bro
|
||||
@load base/const.bif
|
||||
@load base/types.bif
|
||||
|
||||
# Type declarations
|
||||
type string_array: table[count] of string;
|
||||
|
|
@ -301,9 +301,9 @@ type entropy_test_result: record {
|
|||
};
|
||||
|
||||
# Prototypes of Bro built-in functions.
|
||||
@load strings.bif.bro
|
||||
@load bro.bif.bro
|
||||
@load reporter.bif.bro
|
||||
@load base/strings.bif
|
||||
@load base/bro.bif
|
||||
@load base/reporter.bif
|
||||
|
||||
global log_file_name: function(tag: string): string &redef;
|
||||
global open_log_file: function(tag: string): file &redef;
|
||||
|
|
@ -1290,7 +1290,7 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
|
|||
## The header table type used by the bittorrenttracker analyzer.
|
||||
type bt_tracker_headers: table[string] of string;
|
||||
|
||||
@load event.bif.bro
|
||||
@load base/event.bif
|
||||
|
||||
# The filter the user has set via the -f command line options, or
|
||||
# empty if none.
|
||||
|
|
|
|||
|
|
@ -8,6 +8,8 @@
|
|||
##! This script does not work well in a cluster context unless it has a
|
||||
##! remotely mounted disk to write the content files to.
|
||||
|
||||
@load base/utils/files
|
||||
|
||||
module Conn;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load base/utils/site
|
||||
|
||||
module Conn;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load ./consts
|
||||
|
||||
module DNS;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
##! File extraction for FTP.
|
||||
|
||||
@load ./main
|
||||
@load base/utils/files
|
||||
|
||||
module FTP;
|
||||
|
||||
export {
|
||||
|
|
@ -62,4 +65,4 @@ event log_ftp(rec: Info) &priority=-10
|
|||
{
|
||||
delete rec$extraction_file;
|
||||
delete rec$extract_file;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,10 @@
|
|||
##!
|
||||
##! * Handle encrypted sessions correctly (get an example?)
|
||||
|
||||
@load ./utils-commands
|
||||
@load base/utils/paths
|
||||
@load base/utils/numbers
|
||||
|
||||
module FTP;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,10 @@
|
|||
##! Extracts the items from HTTP traffic, one per file. At this time only
|
||||
##! the message body from the server can be extracted with this script.
|
||||
|
||||
@load ./main
|
||||
@load ./file-ident
|
||||
@load base/utils/files
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
##! Calculate hashes for HTTP body transfers.
|
||||
|
||||
@load ./file-ident
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,11 @@
|
|||
##! This script is involved in the identification of file types in HTTP
|
||||
##! response bodies.
|
||||
|
||||
@load base/frameworks/signatures
|
||||
@load base/frameworks/notice
|
||||
@load ./main
|
||||
@load ./utils
|
||||
|
||||
# Add the magic number signatures to the core signature set.
|
||||
redef signature_files += "base/protocols/http/file-ident.sig";
|
||||
# Ignore the signatures used to match files
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
@load base/utils/numbers
|
||||
@load base/utils/files
|
||||
|
||||
module HTTP;
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,10 @@
|
|||
##!
|
||||
##! This script doesn't work yet and isn't loaded by default.
|
||||
|
||||
@load base/frameworks/notice
|
||||
@load ./main
|
||||
@load ./utils
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
##! Utilities specific for HTTP processing.
|
||||
|
||||
@load ./main
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -8,6 +8,9 @@
|
|||
##! Example line from IRC server indicating that the DCC SEND is about to start:
|
||||
##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
|
||||
|
||||
@load ./main
|
||||
@load base/utils/files
|
||||
|
||||
module IRC;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
@load protocols/mime/base
|
||||
@load protocols/mime/file-ident
|
||||
@load protocols/mime/file-extract
|
||||
@load protocols/mime/file-hash
|
||||
@load ./main
|
||||
@load ./file-ident
|
||||
@load ./file-extract
|
||||
@load ./file-hash
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
@load ./file-ident
|
||||
@load base/frameworks/notice
|
||||
|
||||
module MIME;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
@load ./base
|
||||
@load ./main
|
||||
|
||||
module MIME;
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,8 @@
|
|||
# programs for which we don't have an analyzer.
|
||||
#
|
||||
|
||||
@load base/utils/conn-ids
|
||||
|
||||
module RPC;
|
||||
|
||||
export {
|
||||
|
|
@ -1,3 +1,6 @@
|
|||
@load base/frameworks/notice
|
||||
@load base/utils/addrs
|
||||
@load base/utils/directions-and-hosts
|
||||
|
||||
module SMTP;
|
||||
|
||||
|
|
|
|||
|
|
@ -5,6 +5,12 @@
|
|||
##! Requires that :bro:id:`use_conn_size_analyzer` is set to T! The heuristic
|
||||
##! is not attempted if the connection size analyzer isn't enabled.
|
||||
|
||||
@load base/frameworks/notice
|
||||
@load base/utils/site
|
||||
@load base/utils/thresholds
|
||||
@load base/utils/conn-ids
|
||||
@load base/utils/directions-and-hosts
|
||||
|
||||
module SSH;
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
@load ./consts
|
||||
@load base/frameworks/notice
|
||||
|
||||
module SSL;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Don't edit! This file is automatically generated.
|
||||
# Generated at: Wed Jun 29 07:52:38 -0400 2011
|
||||
|
||||
@load base/protocols/ssl
|
||||
module SSL;
|
||||
redef root_certs += {
|
||||
["GTE CyberTrust Global Root"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7\x79\xB4\x1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F",
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
@load ./site
|
||||
|
||||
type Direction: enum {
|
||||
## The connection originator is not within the locally-monitored network,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue