sethhall

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://corelight.com/software-sensor.schema.json",
  "title": "Corelight Logs",
  "description": "Definition of all of the potential logs for this installation",
  "definitions": {
    "time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
    "port": {"type": "integer", "minimum": 0, "maximum": 65535},
    "count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
    "int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},

sethhall

##! Add Business Unit to all logs with an "id" field.

module BusinessUnit;

export {
        option BusinessUnit::networks: table[subnet] of string = set();
}

redef record conn_id += {
        ## The business unit seen as the connection originator.

sethhall

function next_interval(i: interval): interval
    {
    local now = current_time();
    local ii = double_to_count(interval_to_double(i));
    local sofar = double_to_count(time_to_double(now)) % ii;
    local togo = ii - sofar;
    local dur = double_to_interval(togo);
    return dur;
    }

sethhall

const stdout = open("/dev/stdout") &raw_output;

const WIDTH = 80;
const HEIGHT = 25;

const characters = vector(" ", ".", ":", "-", "#", "o", "*", ">");#, ")", #, "|", "&", "I", "H", "%", "*", "#");
function CalculateRow(y: double, factor: double, shiftRight: double)
	{
	local output: vector of string = vector();
	local XCenter = -0.45;

sethhall

redef record HTTP::Info += {
	potential_fname: string &optional;
};

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	# Get rid of uri arguments
	local path = split_string(c$http$uri, /\?/)[0];

sethhall

global watching_icmp: table[conn_id, count] of time &create_expire=3secs;

event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	{
	watching_icmp[c$id, seq] = network_time();
	}

event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	{
	if ( [c$id, seq] !in watching_icmp )

sethhall

##! This script is to avoid CVE-2015-1788 which is explained in
##! detail at http://jpb.io.  It is a denial of service against
##! OpenSSL which will cause Bro processes to lock up.
##! WARNING - This script should only be used temporarily until
##!           your OpenSSL library is upgraded.  This script can
##!           then be removed.


@if(  /2\.3/ in bro_version() )
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-100

sethhall

diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index d0b1ea2..c1e5e3d 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -505,10 +505,12 @@ void File::EndOfFile()
       if ( ! bof_buffer.full )
               {
               DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str());
-               bof_buffer.full = true;
+               bof_buffer.full                                                          = true;

sethhall

# Detect bad guys

sethhall

module GIF;

import BinPAC;


type Header = unit {
	%byteorder = BinPAC::ByteOrder::Little;

	signature : bytes &length=3; #This needs to either be a literal b"GIF" or have a &check attribute when that exists
	version   : bytes &length=3;