- It's ok to always load the framework. If you don't
specifiy the CLUSTER_NODE environment variable it doesn't
ultimately do anything.
- The $CLUSTER_NODE variable causes the framework to try and
load a script named cluster-layout.bro which must be located
somewhere in your $BROPATH. The value of the $CLUSTER_NODE
variable is a count that indicates a node in the Cluster::nodes
variable that is set in the cluster-layout.bro script.
- The Cluster::nodes variable is a flat configuration because
it's assumed that it would be automatically generated by a
utility such as BroControl. This will facilitate the tiered or
"deep" clustering that is coming.
It had some conceptual problems because notices aren't
always logged and in some cases are fairly infrequently
logged which resulted in a lot of notice tags being
attached to connections where the notice didn't show
up in a log file. Also, the rule of thumb here is that
frameworks should never load protocols. It's just bad
practice and probably indicates incorrect design somewhere.
The link between the conn log and the notice log should
now be made with the connections unique ID which is logged
in both logs and is more reliable.
* remotes/origin/topic/policy-scripts-new:
Fixed another SSL analyzer memory leak.
Attempting to fix another SSL bug.
Fixing a ref counting bug in the SSL analyzer that I just introduced.
Fixing memory leaks in SSL analyzer.
Fixed a parsing bug in the SSL analyzer thanks to tracefile from Aashish Sharma.
Removing my fix from earlier. This is indicating the script-land generated events priority problem.
Updates to the DPD framework.
Fixed a bug in the auth-addl DNS script.
Conflicts:
src/bro.bif
* origin/topic/robin/reporting:
Syslog BiF now goes through the reporter as well.
Avoiding infinite loops when an error message handlers triggers errors itself.
Renaming the Logger to Reporter.
Overhauling the internal reporting of messages to the user.
Updating a bunch of tests/baselines as well.
Conflicts:
aux/broccoli
policy.old/alarm.bro
policy/all.bro
policy/bro.init
policy/frameworks/notice/weird.bro
policy/notice.bro
src/SSL-binpac.cc
src/bro.bif
src/main.cc
- Removed the ProtocolViolation notice. I'd like to hear
if someone actually used that notice for something.
- Folded the dyn-disable functionality into the dpd/base script.
- Other small cleanup.
This is for testing only. There are also two test: one that checks
that test-all.bro loads correctly, and one that ensures that test-all
is actually loading all scripts found in policy/*.
- Fixed a pretty major eternal looping bug in the SSL analyzer and
a few other parsing problems.
- New core scripts and log for SSL connection analysis.
- New known-certs script for logging certificate assets.
- Fixed problem where notices were logged even if they
didn't have the ACTION_FILE action applied.
- New PolicyItem element, $halt. It's used for halting
the policy processing if a predicate returns T.
This replaces the ACTION_STOP action.
- Initial hacky email extension mechanism.
- Removed the IDMEF line. When that added back later
it will likely be done more modularly.
* origin/topic/seth/net-stats-bif:
Removing a stray print statement.
Changed netstats (packet loss) handling to script-land.
Nice idea to pass the old data into a regular scheduled event!
Conflicts:
src/event.bif
The Logger class is now in charge of reporting all errors, warnings,
informational messages, weirds, and syslogs. All other components
route their messages through the global bro_logger singleton.
The Logger class comes with these reporting methods:
void Message(const char* fmt, ...);
void Warning(const char* fmt, ...);
void Error(const char* fmt, ...);
void FatalError(const char* fmt, ...); // Terminate Bro.
void Weird(const char* name);
[ .. some more Weird() variants ... ]
void Syslog(const char* fmt, ...);
void InternalWarning(const char* fmt, ...);
void InternalError(const char* fmt, ...); // Terminates Bro.
See Logger.h for more information on these.
Generally, the reporting now works as follows:
- All non-fatal message are reported in one of two ways:
(1) At startup (i.e., before we start processing packets),
they are logged to stderr.
(2) During processing, they turn into events:
event log_message%(msg: string, location: string%);
event log_warning%(msg: string, location: string%);
event log_error%(msg: string, location: string%);
The script level can then handle them as desired.
If we don't have an event handler, we fall back to
reporting on stderr.
- All fatal errors are logged to stderr and Bro terminates
immediately.
- Syslog(msg) directly syslogs, but doesn't do anything else.
The three main types of messages can also be generated on the
scripting layer via new Log::* bifs:
Log::error(msg: string);
Log::warning(msg: string);
Log::message(msg: string);
These pass through the bro_logger as well and thus are handled in the
same way. Their output includes location information.
More changes:
- Removed the alarm statement and the alarm_hook event.
- Adapted lots of locations to use the bro_logger, including some
of the messages that were previously either just written to
stdout, or even funneled through the alarm mechanism.
- No distinction anymore between Error() and RunTime(). There's
now only one class of errors; the line was quite blurred already
anyway.
- util.h: all the error()/warn()/message()/run_time()/pinpoint()
functions are gone. Use the bro_logger instead now.
- Script errors are formatted a bit differently due to the
changes. What I've seen so far looks ok to me, but let me know
if there's something odd.
Notes:
- The default handlers for the new log_* events are just dummy
implementations for now since we need to integrate all this into
the new scripts anyway.
- I'm not too happy with the names of the Logger class and its
instance bro_logger. We now have a LogMgr as well, which makes
this all a bit confusing. But I didn't have a good idea for
better names so I stuck with them for now.
Perhaps we should merge Logger and LogMgr?
- When ACTION_EMAIL_ADMIN_ORIG or ACTION_EMAIL_ADMIN_RESP
is applied to a notice,
the email addresses associated with the address
are collected from the new local_admins table
and the email is sent to all discovered email addresses.
- The site.bro script is now in the Site module.
- Some other small cleanup.
- New log file for auditing the notice policy to
see at a specific point in time what the fully
ordered (by priority) notice policy was.
- New notice action "ACTION_STOP" to stop processing
the notice policy. This is essentially how the old
IGNORE action can be done with the accumulative
notices actions. It just needs to be set as the
$result at an at an appropriately high priority.
- No longer using the "match" statement as it didn't
provide the flexibility to implement accumulative
notice actions. The functionality is now implemented
completely in script-land.
- Beginning removal of action-filters script.
Still need to come up with a way to implement
some of the functionality of that script.
- Small documentation updates.
