Portmapper.bro's interaction with NOTICEs, logging, and other policy scripts.
Or, put another way: how portmapper.bro interacts with other policy scripts
and log files.

The two kinds of portmapper events referred to below are:

  * pm_request ... a portmapper request that was answered successfully.
  * pm_attempt ... a portmapper call that failed (no answer, denied,
    unsuccessful, ...). One cannot distinguish between these error cases.

General
-------

  * Create the SensitivePortmapperAccess NOTICE according to the rules
    below.
  * Add 'addl' data to conn.log (i.e., conn.log carries a string describing
    which calls/replies were seen in this portmapper connection).
  * Add entries to RPC_server_map. conn.bro uses this to set the service
    field for portmapper connections.

Notice Generation
-----------------

Notice generation is controlled by a number of interacting checks and by
some global redef'able variables. A notice is generated as follows:

  * Never for pm_attempts. This is disabled in the pm_attempt() function and
    is not configurable. Note, however, that ``RPC_do_not_complain`` has
    entries for pm_attempt as well as for pm_request; the pm_attempt entries
    are ignored.
  * For pm_requests, the exact rules vary by request procedure (see below),
    + but **not** if the request procedure is in RPC_do_not_complain,
    + and **always** (overriding almost everything else) if the connection
      is hot.
  * Per-procedure rules. These are coded in the pm_request_X and
    pm_attempt_X event handlers. By default the notice is created; the
    exceptions are:
    + pm_null, pm_set, pm_unset: no exceptions, always create the notice
    + callit: only if orig_h:program is NOT in suppress_pm_log (more on
      that below)
    + dump: only if orig_h:resp_h is NOT in RPC_dump_okay
    + getport:
      - not if orig_h is in RPC_okay_nets
      - not if resp_h:prog is in any_RPC_okay
      - not if resp_h:orig_h:prog is in RPC_okay
  * Repeat NOTICE control. Two more tables ensure that a NOTICE is generated
    only once:
    + did_pm_log: makes sure that every orig_h:resp_h:procedure is logged
      only once.
    + suppress_pm_log: if program == "walld", suppress_pm_log ensures that
      each orig_h:program is NOTICE'd only once. Note that although this
      table has a field for the RPC program, it is only used for walld.
      Also, it is evaluated twice (in pm_activity and in
      pm_{request|attempt}_callit).
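The rules above interact, and the order in which they are applied decides
whether a given request is noticed. The following is an added model of
those rules, written here for illustration; it is not code from
portmapper.bro. The table names mirror the script's redef'able variables,
but the data shapes (plain sets of tuples), the should_notice() function
and the precedence it encodes are assumptions: pm_attempt is never
noticed, a hot connection skips the allowlist checks but is still subject
to the once-only tables, and the once-only tables are updated only when a
notice is actually raised. The sample events are constructed, not
captured traffic.

```python
"""Executable model of the SensitivePortmapperAccess notice rules.

Added illustration, not portmapper.bro code. Table names follow the
script's variables; their shapes and the precedence are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PmTables:
    """State standing in for portmapper.bro's global tables (assumed shapes)."""
    RPC_do_not_complain: set = field(default_factory=set)  # {procedure}
    RPC_okay_nets: set = field(default_factory=set)        # {orig_h}
    any_RPC_okay: set = field(default_factory=set)         # {(resp_h, prog)}
    RPC_okay: set = field(default_factory=set)             # {(resp_h, orig_h, prog)}
    RPC_dump_okay: set = field(default_factory=set)        # {(orig_h, resp_h)}
    did_pm_log: set = field(default_factory=set)           # {(orig_h, resp_h, proc)}
    suppress_pm_log: set = field(default_factory=set)      # {(orig_h, prog)}


def should_notice(t: PmTables, event: str, proc: str, orig_h: str, resp_h: str,
                  prog: Optional[str] = None, hot: bool = False) -> bool:
    """Return True if a SensitivePortmapperAccess NOTICE would be raised.

    Assumed precedence: pm_attempt never; hot skips the allowlists only;
    did_pm_log / suppress_pm_log always apply and are updated on a notice.
    """
    if event == "pm_attempt":          # disabled in pm_attempt(), not configurable
        return False
    if not hot:                        # hot connections override the allowlists
        if proc in t.RPC_do_not_complain:
            return False
        if proc == "callit" and (orig_h, prog) in t.suppress_pm_log:
            return False
        if proc == "dump" and (orig_h, resp_h) in t.RPC_dump_okay:
            return False
        if proc == "getport" and (
                orig_h in t.RPC_okay_nets
                or (resp_h, prog) in t.any_RPC_okay
                or (resp_h, orig_h, prog) in t.RPC_okay):
            return False
    # null, set and unset fall through: no allowlist applies to them.
    key = (orig_h, resp_h, proc)
    if key in t.did_pm_log:            # each orig_h:resp_h:procedure only once
        return False
    t.did_pm_log.add(key)
    if prog == "walld":                # walld: additionally once per orig_h:program
        t.suppress_pm_log.add((orig_h, prog))
    return True


def run_sample() -> List[bool]:
    """Run a constructed sequence of events (not captured traffic) through the rules."""
    t = PmTables(RPC_do_not_complain={"null"},
                 RPC_okay_nets={"10.0.0.5"},
                 any_RPC_okay={("10.0.0.1", "nfs")},
                 RPC_dump_okay={("10.0.0.5", "10.0.0.1")})
    events = [
        ("pm_attempt", "dump",    "192.0.2.9", "10.0.0.1", None,     False),  # attempts: never
        ("pm_request", "null",    "192.0.2.9", "10.0.0.1", None,     False),  # RPC_do_not_complain
        ("pm_request", "getport", "10.0.0.5",  "10.0.0.1", "mountd", False),  # orig in RPC_okay_nets
        ("pm_request", "getport", "192.0.2.9", "10.0.0.1", "nfs",    False),  # resp:prog in any_RPC_okay
        ("pm_request", "getport", "192.0.2.9", "10.0.0.1", "mountd", False),  # notice
        ("pm_request", "getport", "192.0.2.9", "10.0.0.1", "mountd", False),  # repeat: did_pm_log
        ("pm_request", "getport", "10.0.0.5",  "10.0.0.1", "mountd", True),   # hot overrides allowlist
        ("pm_request", "callit",  "192.0.2.9", "10.0.0.1", "walld",  False),  # notice, marks walld
        ("pm_request", "callit",  "192.0.2.9", "10.0.0.2", "walld",  False),  # other resp_h, still suppressed
        ("pm_request", "dump",    "10.0.0.5",  "10.0.0.1", None,     False),  # RPC_dump_okay
    ]
    return [should_notice(t, *e) for e in events]


if __name__ == "__main__":
    for i, noticed in enumerate(run_sample(), 1):
        print(f"event {i}: {'NOTICE' if noticed else 'silent'}")
```

The ninth event is the one worth noting: did_pm_log alone would not catch
it, because the responder differs, so the walld case needs the separate
orig_h:program table to be noticed only once.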