- It's ok to always load the framework. If you don't
specify the CLUSTER_NODE environment variable it doesn't
ultimately do anything.
- The $CLUSTER_NODE variable causes the framework to try and
load a script named cluster-layout.bro which must be located
somewhere in your $BROPATH. The value of the $CLUSTER_NODE
variable is a count that indicates a node in the Cluster::nodes
variable that is set in the cluster-layout.bro script.
- The Cluster::nodes variable is a flat configuration because
it's assumed that it would be automatically generated by a
utility such as BroControl. This will facilitate the tiered or
"deep" clustering that is coming.
It had some conceptual problems because notices aren't
always logged and in some cases are fairly infrequently
logged which resulted in a lot of notice tags being
attached to connections where the notice didn't show
up in a log file. Also, the rule of thumb here is that
frameworks should never load protocols. It's just bad
practice and probably indicates incorrect design somewhere.
The link between the conn log and the notice log should
now be made with the connection's unique ID, which is logged
in both logs and is more reliable.
* remotes/origin/topic/policy-scripts-new:
Fixed another SSL analyzer memory leak.
Attempting to fix another SSL bug.
Fixing a ref counting bug in the SSL analyzer that I just introduced.
Fixing memory leaks in SSL analyzer.
Fixed a parsing bug in the SSL analyzer thanks to tracefile from Aashish Sharma.
Removing my fix from earlier. This is indicating the script-land generated events priority problem.
Updates to the DPD framework.
Fixed a bug in the auth-addl DNS script.
Conflicts:
src/bro.bif
* origin/topic/robin/reporting:
Syslog BiF now goes through the reporter as well.
Avoiding infinite loops when an error message handler triggers errors itself.
Renaming the Logger to Reporter.
Overhauling the internal reporting of messages to the user.
Updating a bunch of tests/baselines as well.
Conflicts:
aux/broccoli
policy.old/alarm.bro
policy/all.bro
policy/bro.init
policy/frameworks/notice/weird.bro
policy/notice.bro
src/SSL-binpac.cc
src/bro.bif
src/main.cc
- Removed the ProtocolViolation notice. I'd like to hear
if someone actually used that notice for something.
- Folded the dyn-disable functionality into the dpd/base script.
- Other small cleanup.
- Fixed problem where notices were logged even if they
didn't have the ACTION_FILE action applied.
- New PolicyItem element, $halt. It's used for halting
the policy processing if a predicate returns T.
This replaces the ACTION_STOP action.
- Initial hacky email extension mechanism.
- Removed the IDMEF line. When that is added back later
it will likely be done more modularly.
- When ACTION_EMAIL_ADMIN_ORIG or ACTION_EMAIL_ADMIN_RESP
is applied to a notice, the email addresses associated
with the address are collected from the new local_admins
table and the email is sent to all discovered email addresses.
- The site.bro script is now in the Site module.
- Some other small cleanup.
- New log file for auditing the notice policy to
see at a specific point in time what the fully
ordered (by priority) notice policy was.
- New notice action "ACTION_STOP" to stop processing
the notice policy. This is essentially how the old
IGNORE action can be done with the accumulative
notice actions. It just needs to be set as the
$result at an appropriately high priority.
- No longer using the "match" statement as it didn't
provide the flexibility to implement accumulative
notice actions. The functionality is now implemented
completely in script-land.
- Beginning removal of action-filters script.
Still need to come up with a way to implement
some of the functionality of that script.
- Small documentation updates.
- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- The action-filters don't work now because of a
meta-programming limitation so the notice policy
tuning is more manual by fully defining a PolicyItem.
- There are two default action cheats defined. ignore_types
and email_types are sets which will ignore or email
notices of those types.
- Defaults for all built-in asset tracking changed to LOCAL_HOSTS
- Added a tuning script for changing asset tracking
to ALL_HOSTS in all of the core scripts that do
asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to export section because
the log_known_hosts event can't be defined in the
export section without it.
- Moved the Malware Hash Registry detection out of
the core HTTP protocol scripts and added it to the
all.bro script.
- Split enum values into two separate enums.
- Renamed to fit the enum naming convention.
- New global variable named default_asset_tracking
that changes default behavior of any script that
tracks assets, usually by storing some amount
of information about the network in memory.
- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for
determining which software to track.
- Notices are generated in the cases of being unable
to compile or install a new filter.
- A PacketFilter::install() function is now exported
so that external scripts can update the packet
filter.
- The all.bro script loads tuning/defaults which is
commonly applied tuning.
- Other less common tuning can be placed in the tuning/
directory directly.
I re-added it because it's used by the detect-webapps
script to re-log software that may already be logged
if a more-root URL is found that still represents the
same software.
- New extension mechanism.
- Notices requiring realtime actions can be accommodated with
the notice_functions set, which are called synchronously
prior to logging or any further handling.
- Notice::notice event handlers will be called afterward
and follow normal (old) notice handling process. Logging
is done by handling this event.
- Lots of new docs.
- Renaming Action enums to reduce confusion with Type enums.
- Notice tags are attached to the Conn::Info record as a set[string].