Does anybody remember what Bro's option -z is for?
-z|--analyze <analysis> | run the specified policy file analysis
Turns out the only supported "analysis" is "notice":
# bro -r x.pcap -z notice
Found NOTICE: PacketFilter::Dropped_Packets
Found NOTICE: PacketFilter::Install_Failure
Found NOTICE: Signatures::Signature_Summary
Found NOTICE: PacketFilter::Compile_Failure
Found NOTICE: Signatures::Multiple_Sig_Responders
Found NOTICE: Signatures::Sensitive_Signature
Found NOTICE: Signatures::Count_Signature
Found NOTICE: PacketFilter::Too_Long_To_Compile_Filter
Found NOTICE: Signatures::Multiple_Signatures
This looks very specific for hard-coded event-engine functionality. I
propose to remove unless somebody still sees a use for this?
> Does anybody remember what Bro's option -z is for?
Well it's there in CHANGES, per the appended. But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also reasonable.
Vern
0.9a8 Wed Feb 16 17:09:34 PST 2005
....
- Bro now has a general internal mechanism for traversing policy scripts
(Umesh Shankar). Various script analyses can be specified using the
new -z flag.
Currently, the one supported form of analysis is "-z notice", which
prints all of the different types of notices that the script you've
loaded can generate. For example, "bro -z notice ftp" will generate:
Found NOTICE: BackscatterSeen
Found NOTICE: FTP_PrivPort
Found NOTICE: FTP_BadPort
Found NOTICE: PortScan
Found NOTICE: FTP_ExcessiveFilename
Found NOTICE: ScanSummary
Found NOTICE: AddressDropped
Found NOTICE: DroppedPackets
Found NOTICE: SensitiveConnection
Found NOTICE: FTP_UnexpectedConn
Found NOTICE: SSH_Overflow
Found NOTICE: FTP_Sensitive
Found NOTICE: TerminatingConnection
Found NOTICE: PasswordGuessing
Found NOTICE: AddressDropIgnored
Found NOTICE: AddressScan
Ah, I didn't realize this is what originally introduced the whole
traversal machinery. That infrastructure is used in a few places now,
and I'm not planning on touching that. Just removing this specific use
of finding NOTICEs, which it doesn't seem anybody has been using in a
long time.
> Just removing this specific use
> of finding NOTICEs, which it doesn't seem anybody has been using in a
> long time.
I wonder if they don't use it because it's not on their radar. It's
actually pretty handy, a way of telling when you think the set of NOTICEs
should be X, but it's actually X'. Can help with writing documentation
or finding dead code (of a form), or telling just what happens due to
the hierarchy of @load's that a script pulls in.
I see that in principle but hardcoding the functionality in C++-land
doesn't seem to be the ideal way to go about things like this. If one
could express such analyses easily with a few lines of script code,
that would be quite powerful for doing script inspection that's also
easy to customize.
> If one
> could express such analyses easily with a few lines of script code,
> that would be quite powerful for doing script inspection that's also
> easy to customize.
Well sure, but it's not clear one can get to that point without some
significant work under the hood anyway in terms of the features needed to
make the script-level expression a few lines of code.
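The kind of script inspection the last few messages argue about (Vern's "the set of NOTICEs should be X but is actually X'" and Robin's wish for an easily customised analysis) can be prototyped outside the event engine. What follows is an added example, not code from this thread or from the Bro/Zeek project: a small Python walker that follows @load directives through a set of constructed sample scripts and reports every value they add to Notice::Type, qualified by the enclosing module the way -z notice prints them. The script names and contents are made up for the example, and @load resolution is a plain name lookup rather than Bro's search-path and suffix logic; both are assumptions.

```python
"""Added example: a static "-z notice"-style pass over Bro/Zeek-style scripts.

Follows @load directives from a root script and collects every value that the
loaded scripts add to Notice::Type via `redef enum Notice::Type += { ... };`,
qualified with the enclosing `module` the way Bro prints them. The scripts
below are constructed for this example; @load resolution is a plain name
lookup, not Bro's search-path logic (an assumption that keeps this offline).
"""
import re
from typing import Dict, Iterator, List, Set

# Constructed sample scripts (not real policy files), keyed by @load name.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "local": """
        @load packet-filter
        @load signatures
        @load signatures        # duplicate load: must not double-count or loop
    """,
    "packet-filter": """
        module PacketFilter;
        export {
            redef enum Notice::Type += {
                Dropped_Packets,    # trailing comment inside the block
                Compile_Failure,
            };
        }
    """,
    "signatures": """
        @load packet-filter     # shared dependency, already visited via local
        module Signatures;
        # redef enum Notice::Type += { Commented_Out };
        redef enum Notice::Type += { Sensitive_Signature, Multiple_Signatures };
        module GLOBAL;
        redef enum Notice::Type += { Other::Explicitly_Qualified, Bare_Notice };
    """,
}

LOAD_RE = re.compile(r"^\s*@load\s+(\S+)", re.M)
MODULE_RE = re.compile(r"^\s*module\s+([A-Za-z_][\w:]*)\s*;", re.M)
REDEF_RE = re.compile(r"redef\s+enum\s+Notice::Type\s*\+=\s*\{(.*?)\}\s*;", re.S)


def strip_comments(text: str) -> str:
    """Drop `#` comments. Simplification: does not honour '#' inside strings."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _enum_entries(body: str) -> Iterator[str]:
    """Yield identifiers from the inside of `{ ... }`, ignoring `= value`."""
    for raw in body.split(","):
        name = raw.split("=", 1)[0].strip()
        if name:
            yield name


def notices_in_script(text: str) -> Set[str]:
    """Notice names one script adds, qualified by the `module` in effect."""
    text = strip_comments(text)
    # Interleave `module X;` statements and redef blocks in source order so
    # that each enum value picks up the module that is current at that point.
    events = [(m.start(), "module", m.group(1)) for m in MODULE_RE.finditer(text)]
    events += [(m.start(), "redef", m.group(1)) for m in REDEF_RE.finditer(text)]
    module = "GLOBAL"
    found: Set[str] = set()
    for _, kind, payload in sorted(events):
        if kind == "module":
            module = payload
            continue
        for name in _enum_entries(payload):
            if "::" in name or module == "GLOBAL":
                found.add(name)              # already qualified, or global scope
            else:
                found.add(f"{module}::{name}")
    return found


def collect_notices(root: str, scripts: Dict[str, str]) -> List[str]:
    """All Notice::Type values reachable from `root` through its @load tree."""
    seen: Set[str] = set()
    found: Set[str] = set()

    def visit(name: str) -> None:
        if name in seen:                     # duplicate or circular @load
            return
        seen.add(name)
        if name not in scripts:
            # Fail loudly, as Bro itself does for an unresolvable @load.
            raise ValueError(f"@load {name}: no such script")
        text = strip_comments(scripts[name])
        for m in LOAD_RE.finditer(text):
            visit(m.group(1))
        found.update(notices_in_script(scripts[name]))

    visit(root)
    return sorted(found)


if __name__ == "__main__":
    for notice in collect_notices("local", SAMPLE_SCRIPTS):
        print(f"Found NOTICE: {notice}")
```

Running it against the sample tree prints one "Found NOTICE:" line per reachable value, and the two things the thread cares about fall out of the same walk: a name you expected but do not see means the script defining it is not on the @load path (or its redef is commented out), and a name you did not expect shows which transitively loaded script pulls it in. Because the matching is a few regexes over script text rather than C++ in the event engine, swapping Notice::Type for another redef'd enum, or reporting which script each value came from, is a one-line change.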