[Bro-Dev] [JIRA] (BIT-1063) Patch for documentation
Anthony Verez created BIT-1063: -- Summary: Patch for documentation Key: BIT-1063 URL: https://bro-tracker.atlassian.net/browse/BIT-1063 Project: Bro Issue Tracker Issue Type: Patch Components: Website Affects Versions: git/master Reporter: Anthony Verez I fixed examples, a link and a typing error in the docs for the git/master version. Great docs btw ;-) Patch: diff --git a/doc/notice.rst b/doc/notice.rst index 76d5bcd..b4b375c 100644 --- a/doc/notice.rst +++ b/doc/notice.rst @@ -98,9 +98,9 @@ type :bro:see:`SSH::Password_Guessing` if the server is 10.0.0.1: .. note:: -Keep in mind that the semantics of the SSH::Password_Guessing notice are -such that it is only raised when Bro heuristically detects a failed -login. +Keep in mind that the semantics of the :bro:see:`SSH::Password_Guessing` +notice are such that it is only raised when Bro heuristically detects +a failed login. Hooks can also have priorities applied to order their execution like events with a default priority of 0. Greater values are executed first. Setting @@ -339,7 +339,7 @@ included below. hook Notice::policy(n: Notice::Info) { if ( n?$conn n$conn?$http n$conn$http?$host ) -n$email_body_sections[|email_body_sections|] = fmt(HTTP host header: %s, n$conn$http$host); +n$email_body_sections[|n$email_body_sections|] = fmt(HTTP host header: %s, n$conn$http$host); } @@ -348,7 +348,7 @@ Cluster Considerations As a user/developer of Bro, the main cluster concern with the notice framework is understanding what runs where. When a notice is generated on a worker, the -worker checks to see if the notice shoudl be suppressed based on information +worker checks to see if the notice should be suppressed based on information locally maintained in the worker process. If it's not being suppressed, the worker forwards the notice directly to the manager and does no more local processing. The manager then runs the :bro:see:`Notice::policy` hook and 
diff --git a/doc/quickstart.rst b/doc/quickstart.rst index 9f64e36..b5ac4ee 100644 --- a/doc/quickstart.rst +++ b/doc/quickstart.rst @@ -270,14 +270,11 @@ that only takes the email action for SSH logins to a defined set of servers: 192.168.1.102, } redef; -redef Notice::policy += { -[$action = Notice::ACTION_EMAIL, - $pred(n: Notice::Info) = -{ -return n$note == SSH::Login n$id$resp_h in watched_servers; -} -] -}; +hook Notice::policy(n: Notice::Info) +{ +if ( n$note == SSH::SUCCESSFUL_LOGIN n$id$resp_h in watched_servers ) + add n$actions[Notice::ACTION_EMAIL]; +} You'll just have to trust the syntax for now, but what we've done is first declare our own variable to hold a set of watched addresses, -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
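Review bot: In the @@ -339 hunk of doc/notice.rst, the context line `if ( n?$conn n$conn?$http n$conn$http?$host )` shows no operators between its three existence tests, and the `fmt(HTTP host header: %s, ...)` argument on the changed line is unquoted, so the example would still not load even with the index corrected. If that is what the .rst file contains rather than mail mangling, join the tests with `&&` and quote the format string in this same patch. The index change itself is right: the append idiom needs the length of the vector being assigned into, `|n$email_body_sections|`, and the bare `email_body_sections` is not a name in the hook's scope.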
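Review bot: In the doc/quickstart.rst hunk, the new condition compares `n$note` against `SSH::SUCCESSFUL_LOGIN` where the removed predicate used `SSH::Login`, a change of notice name that the issue description does not mention; please confirm that this is a declared notice type in git/master, since otherwise the hook will not add `Notice::ACTION_EMAIL` for logins to the watched servers. As shown, the condition also has nothing between the note comparison and the `n$id$resp_h in watched_servers` test, so check that the `&&` is present in the file. The hook reads `n$id$resp_h` without the `?$` existence check that the notice.rst example applies to `n$conn`; if `id` can be unset on a notice, add `n?$id` to the condition.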
[Bro-Dev] [JIRA] (BIT-1063) Patch for documentation
[ https://bro-tracker.atlassian.net/browse/BIT-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13701#comment-13701 ] Robin Sommer commented on BIT-1063: --- Please attach the patch as a separate file.
[Bro-Dev] [JIRA] (BIT-1063) Patch for documentation
[ https://bro-tracker.atlassian.net/browse/BIT-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13702#comment-13702 ] Anthony Verez edited comment on BIT-1063 at 8/21/13 7:02 PM: - Sure, here is the patch. was (Author: netantho): Patch Patch for documentation --- Key: BIT-1063 URL: https://bro-tracker.atlassian.net/browse/BIT-1063 Project: Bro Issue Tracker Issue Type: Patch Components: Website Affects Versions: git/master Reporter: Anthony Verez Attachments: 0001-Docs-fix.patch