* origin/topic/gilbert/ascii-header:
Updated tests; removed net type from type conversion code.
Updated header format (see #558)
Header modification to LogWriterAscii to make it easier for scripts to understand bro log files.
Notes:
- I've refactored the code a bit, also adapting the style a bit.
Also edited the header format slightly.
- I'm skipping the testing/btest/profiles directory, which seems
unrelated.
- I'm also skipping the baseline updates as they weren't
up-to-date anymore. Will update them in a subsequent commit.
- Log path's are generated in the scripting land
now. The default Log stream ID to path string
mapping works like this:
- Notice::LOG -> "notice"
- Notice::POLICY_LOG -> "notice_policy"
- TestModule::LOG -> "test_module"
- Logging streams updated across all of the shipped
scripts to be more user friendly. Instead of
the logging stream ID HTTP::HTTP, we now have
HTTP::LOG, etc.
- The priorities on some bro_init handlers have
been adjusted to make the process of applying
filters or disabling streams easier for users.
- If the misc/pf-ring-load-balancing script is loaded, the correct
environment variables will be set to enable automatic flow based
load balancing used pf_ring if Bro is built against the pf_ring
libpcap wrapper. Loading the script on non-Linux OSs or when Bro
isn't linked against the correct libpcap has no known side effects
since the script just sets environment variables.
- Added a BiF named setenv for setting environment variables.
- Missing GeoIP databases now generate warnings/errors that go through
the reporter framework instead of hitting GeoIP's internal use of
stderr
- lookup_location now just queries for country code if the city database
was not loaded, which gets rid of invalid database type errors.
- lookup_location now leaves missing fields uninitialized in the
returned geo_location record value. Updated existing scripts to
check for initialized fields in geo_location records before use.
- Fixed support for GeoIP's IPv6 API and databases
This can be used from a Bro script to cause Bro to exit with non-zero
status and a message to stderr. Uses of the exit() BIF in scripts
for terminating Bro because of an error were replaced with this one,
which addresses #564.
* origin/topic/gregor/script-polishing:
Tune when c$conn is set.
Set c$conn (for logging) in new_connection() event.
(Semiautomatically) convert the comments in bare-init.bro into autodoc ones.
Add ConnSize_Analyzer's fields to conn.log
SSH base scripts: make sure ConnSizeAnalyzer variables are available before using them.
Make reference to the other script a link
- Since each host in a cluster has it's own view of the metrics
the only time the manager would get a chance for a global view
is the break_interval. This update improves that time. If a
worker crosses 10% of the full threshold, it will send it's
value to the manager which can then ask the rest of the cluster
for a global view. The manager then adds all of the values for
each workers metric indexes together and will do the notice
if it crosses the threshold so that it isn't dependent on
waiting for the break interval to hit. This functionality
works completely independently of the break_interval too. Logging
will happen as normal.
- Small update for SSH bruteforcer detection to match additions in
the metrics framework API.
- The hope is that this update is mostly invisible from anyone's
perspective. The only affect it should have on users is to better
the detection of metric values crossing thresholds on cluster
deployments.
After discussion with Seth we now set c$conn in
connection_state_remove() with priority 5, and log it with priority -5.
If users want to extend c$conn before connection_state_remove, they can
just create c$conn and add custom fields.
Addresses: #554
- fixing some Metrics::add_data() call signatures
- slight refactors to cluster framework @if and adding a NONE NodeType for
so local_node_type() will return that instead of just emitting an error
when cluster mode isn't enabled
- `make restdoc` target now uses bro's bare-mode
- bro scripts generated from bifs now really only live in the build/src/base/
directory and changed the DocSourcesList.cmake to dynamically figure out
what bifs exist by looking in src/ instead of build/src/
- add some missing @load dependencies
- Metrics now work on cluster deployments with no caveats. It should be
completely transparent. Intermediate updates to speed some detection
will come later.
* origin/topic/jsiwek/autodoc-fixes:
Update doc sources and touch up a few script comments.
Fixes for script auto-documentation.
Conflicts:
scripts/base/frameworks/logging/main.bro
c$conn was originally set in connection_established(), which is only
used by TCP connections, and in connection_state_remove(). Using
new_connection() allows us to have c$conn available for any connection
and for any script that wants to extend logging to conn.log.
- New ACTION_ADD_GEODATA to add geodata to notices in an extension
field named remote_location.
- Loading extend-email/hostnames by default now that it only
does anything when the ACTION_EMAIL action is applied (finally).
The main script now uses the Reporter::error BIF instead of scheduling
a reporter_error event to report an invalid node name. The later only
works if the reporter framework is loaded, but the BIF will do the right
thing and use stderr if there's no event handler.
I also @if'd out most of the setup-connections script when the node is
invalid because that's what the cluster/__load__.bro would normally do.
