Option -z

Does anybody remember what Bro's option -z is for?

    -z|--analyze <analysis> | run the specified policy file analysis

Turns out the only supported "analysis" is "notice":

# bro -r x.pcap -z notice
Found NOTICE: PacketFilter::Dropped_Packets
Found NOTICE: PacketFilter::Install_Failure
Found NOTICE: Signatures::Signature_Summary
Found NOTICE: PacketFilter::Compile_Failure
Found NOTICE: Signatures::Multiple_Sig_Responders
Found NOTICE: Signatures::Sensitive_Signature
Found NOTICE: Signatures::Count_Signature
Found NOTICE: PacketFilter::Too_Long_To_Compile_Filter
Found NOTICE: Signatures::Multiple_Signatures

This looks very specific for hard-coded event-engine functionality. I
propose to remove unless somebody still sees a use for this?

Robin

Does anybody remember what Bro's option -z is for?

Well it's there in CHANGES, per the appended. But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also reasonable.

    Vern

0.9a8 Wed Feb 16 17:09:34 PST 2005

....

- Bro now has a general internal mechanism for traversing policy scripts
  (Umesh Shankar). Various script analyses can be specified using the
  new -z flag.

  Currently, the one supported form of analysis is "-z notice", which
  prints all of the different types of notices that the script you've
  loaded can generate. For example, "bro -z notice ftp" will generate:

    Found NOTICE: BackscatterSeen
    Found NOTICE: FTP_PrivPort
    Found NOTICE: FTP_BadPort
    Found NOTICE: PortScan
    Found NOTICE: FTP_ExcessiveFilename
    Found NOTICE: ScanSummary
    Found NOTICE: AddressDropped
    Found NOTICE: DroppedPackets
    Found NOTICE: SensitiveConnection
    Found NOTICE: FTP_UnexpectedConn
    Found NOTICE: SSH_Overflow
    Found NOTICE: FTP_Sensitive
    Found NOTICE: TerminatingConnection
    Found NOTICE: PasswordGuessing
    Found NOTICE: AddressDropIgnored
    Found NOTICE: AddressScan

Ah, I didn't realize this is what originally introduced the whole
traversal machinery. That infrastructure is used in a few places now,
and I'm not planning on touching that. Just removing this specific use
of finding NOTICEs, which it doesn't seem anybody has been using in a
long time.

Robin

It also has a minor issue that prevents it from being more useful: it outputs

AddressScan

instead of the fully namespaced

Scan::AddressScan

Just removing this specific use
of finding NOTICEs, which it doesn't seem anybody has been using in a
long time.

I wonder if they don't use it because it's not on their radar. It's
actually pretty handy, a way of telling when you think the set of NOTICEs
should be X, but it's actually X'. Can help with writing documentation
or finding dead code (of a form), or telling just what happens due to
the hierarchy of @load's that a script pulls in.

    Vern
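The two points raised above, that the analysis should report fully namespaced notice types (Scan::AddressScan rather than AddressScan) and that its real value is comparing the set of NOTICEs you expect a script to generate with the set it actually declares, can be approximated at the script-text level without touching the C++ traversal code. The following is an added example, not code from Bro or from this thread: it scans Bro policy script source for `module X;` statements and `redef enum Notice::Type += { ... };` blocks, qualifies each enum value with the module it was declared under, and reports the difference against an expected set. The two sample scripts are constructed for the example and are not the real scan.bro or ftp.bro.

```python
"""
Script-level approximation of ``bro -z notice``: list the Notice::Type values
a set of Bro policy scripts can generate, fully namespaced by the module in
which each ``redef enum Notice::Type += { ... };`` block appears, and compare
that set against what the author expects.
"""
import re
from typing import Dict, List, Set

# "module Foo;" sets the namespace for the declarations that follow it.
MODULE_RE = re.compile(r"^\s*module\s+([A-Za-z_][A-Za-z0-9_:]*)\s*;", re.MULTILINE)
# Body of a "redef enum Notice::Type += { ... };" block.
NOTICE_BLOCK_RE = re.compile(
    r"redef\s+enum\s+Notice::Type\s*\+=\s*\{(.*?)\}\s*;", re.DOTALL
)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def strip_comments(body: str) -> str:
    """Drop '#' and '##' comment text from an enum body, line by line."""
    return "\n".join(line.split("#", 1)[0] for line in body.splitlines())


def notice_types(script: str) -> List[str]:
    """Return the fully namespaced Notice::Type values declared in `script`,
    in source order. Values declared before any module statement (or under
    module GLOBAL) are reported unqualified, as Bro itself would name them."""
    events = []
    for m in MODULE_RE.finditer(script):
        events.append((m.start(), "module", m.group(1)))
    for m in NOTICE_BLOCK_RE.finditer(script):
        events.append((m.start(), "block", m.group(1)))

    found: List[str] = []
    module = "GLOBAL"
    # Replay module statements and notice blocks in the order they appear so
    # each block is qualified with the module active at that point.
    for _, kind, payload in sorted(events):
        if kind == "module":
            module = payload
            continue
        for raw in strip_comments(payload).split(","):
            name = raw.strip()
            if not name:
                continue
            if not IDENT_RE.match(name):
                raise ValueError(f"unexpected enum entry: {name!r}")
            found.append(name if module == "GLOBAL" else f"{module}::{name}")
    return found


def compare(expected: Set[str], scripts: Dict[str, str]) -> Dict[str, Set[str]]:
    """The 'X versus X-prime' check: which expected notices are never declared,
    and which declared notices were not expected (dead or forgotten ones)."""
    actual: Set[str] = set()
    for text in scripts.values():
        actual.update(notice_types(text))
    return {"missing": expected - actual, "unexpected": actual - expected}


# Constructed sample scripts (not the real Bro scan.bro / ftp.bro).
SCAN_SCRIPT = """\
##! Constructed sample script for the example.
@load base/frameworks/notice

module Scan;

export {
    redef enum Notice::Type += {
        ## Sent when an address scan is detected.
        Address_Scan,
        ## Sent when a port scan is detected.
        Port_Scan,
    };
}
"""

FTP_SCRIPT = """\
##! Constructed sample with one notice declared before any module statement.
redef enum Notice::Type += { Dropped_Packets };

module FTP;

export {
    redef enum Notice::Type += {
        Bruteforcing, # a password guessing attempt
    };
}
"""

if __name__ == "__main__":
    for path, text in {"scan.bro": SCAN_SCRIPT, "ftp.bro": FTP_SCRIPT}.items():
        for n in notice_types(text):
            print(f"{path}: Found NOTICE: {n}")
    report = compare({"Scan::Address_Scan", "Scan::Port_Scan", "Scan::Password_Guessing"},
                     {"scan.bro": SCAN_SCRIPT, "ftp.bro": FTP_SCRIPT})
    print("missing:", sorted(report["missing"]))
    print("unexpected:", sorted(report["unexpected"]))
```

Running it on real scripts means feeding the text of every file the `@load` chain pulls in, which is exactly the part the built-in traversal handles for free; this example only resolves what is in the text it is given.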

I see that in principle but hardcoding the functionality in C++-land
doesn't seem to be the ideal way to go about things like this. If one
could express such analyses easily with a few lines of script code,
that would be quite powerful for doing script inspection that's also
easy to customize.

Robin

If one
could express such analyses easily with a few lines of script code,
that would be quite powerful for doing script inspection that's also
easy to customize.

Well sure, but it's not clear one can get to that point without some
significant work under the hood anyway in terms of the features needed to
make the script-level expression a few lines of code.

    Vern