[Bro-Dev] Deprecating events

Robin Sommer robin at icir.org
Tue Nov 29 10:23:37 PST 2011


I'd like to deprecate the events below for 2.0, with the goal to
remove them for 2.1. Any objections?

Reason for deprecation is that these (1) are hardly used anywhere
anymore; and/or (2) use a model that doesn't fit well with how other
scripts are structured (like: do a lot of stuff inside the event
engine); and/or (3) have better ways to do it now (like the backdoor
events: signatures and DPD).

For the file-related events, I'm thinking that with the new logging
framework, we should remove all the "extra" functionality from
script-level files that we have added over time (rotation,
postprocessing, etc). The log framework provides all of that and is
the preferred way of doing it. Having two separate mechanisms for the
same functionality doesn't seem good. (To be clear, I want to keep
files themselves as a script-level data type, but without all the
bells and whistles.)

There are more events that fit (1)-(3), in particular the
pattern-matching login_* events. Undecided whether those should go
too, but I have documented them for now.

Robin

-------------------------

## Deprecated. Will be removed.
event stp_create_endp%(c: connection, e: int, is_orig: bool%);

## Deprecated. Will be removed.
event stp_resume_endp%(e: int%);

## Deprecated. Will be removed.
event stp_correlate_pair%(e1: int, e2: int%);

## Deprecated. Will be removed.
event stp_remove_pair%(e1: int, e2: int%);

## Deprecated. Will be removed.
event stp_remove_endp%(e: int%);

## Deprecated. Will be removed.
event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);

## Deprecated. Will be removed.
event interconn_remove_conn%(c: connection%);

## Deprecated. Will be removed.
event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);

## Deprecated. Will be removed.
event backdoor_remove_conn%(c: connection%);

## Deprecated. Will be removed.
event ssh_signature_found%(c: connection, is_orig: bool%);

## Deprecated. Will be removed.
event telnet_signature_found%(c: connection, is_orig: bool, len: count%);

## Deprecated. Will be removed.
event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);

## Deprecated. Will be removed.
event root_backdoor_signature_found%(c: connection%);

## Deprecated. Will be removed.
event ftp_signature_found%(c: connection%);

## Deprecated. Will be removed.
event napster_signature_found%(c: connection%);

## Deprecated. Will be removed.
event gnutella_signature_found%(c: connection%);

## Deprecated. Will be removed.
event kazaa_signature_found%(c: connection%);

## Deprecated. Will be removed.
event http_signature_found%(c: connection%);

## Deprecated. Will be removed.
event http_proxy_signature_found%(c: connection%);

## Deprecated. Will be removed.
event smtp_signature_found%(c: connection%);

## Deprecated. Will be removed.
event irc_signature_found%(c: connection%);

## Deprecated. Will be removed.
event gaobot_signature_found%(c: connection%);

## Deprecated. Will be removed.
##
## .. todo:: Unclear what this event is for; it's never raised. We should just
##    remove it.
event dns_full_request%(%) &group="dns";

## Deprecated. Will be removed.
event anonymization_mapping%(orig: addr, mapped: addr%);

## Deprecated. Will be removed.
event rotate_interval%(f: file%);

## Deprecated. Will be removed.
event rotate_size%(f: file%);

## Deprecated. Will be removed.
event print_hook%(f:file, s: string%);



-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
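
An added example, not part of the original message or of the Bro code base: a pre-upgrade check that reads event declarations in the format listed above, collects the names marked "Deprecated", and reports site-script handlers that still use them. The sample declarations, the sample script and the function names are constructed for illustration.

```python
import re

# Constructed excerpt in the declaration format used in the message above.
BIF_SAMPLE = '''
## Deprecated. Will be removed.
event ssh_signature_found%(c: connection, is_orig: bool%);
## Deprecated. Will be removed.
event rotate_interval%(f: file%);
## Constructed, still-supported event.
event new_connection%(c: connection%);
'''

# Constructed site script that still handles one deprecated event.
SCRIPT_SAMPLE = '''
# event rotate_interval(f: file) { }   <- commented out, must not match
event ssh_signature_found(c: connection, is_orig: bool) { }
event new_connection(c: connection) { }
'''

DECL = re.compile(r'^\s*event\s+(\w+)\s*%\(')     # declaration: event name%(...%);
HANDLER = re.compile(r'^\s*event\s+(\w+)\s*\(')   # script handler: event name(...)

def deprecated_events(bif_text):
    """Names of events whose preceding ## comment block starts with 'Deprecated'."""
    names, doc = set(), []
    for line in bif_text.splitlines():
        if line.lstrip().startswith('##'):
            doc.append(line.lstrip())
            continue
        m = DECL.match(line)
        if m and any(d.startswith('## Deprecated') for d in doc):
            names.add(m.group(1))
        if line.strip():          # any non-comment, non-blank line ends the doc block
            doc = []
    return names

def find_handlers(script_text, names):
    """(line number, event name) for each handler of a deprecated event."""
    hits = []
    for no, line in enumerate(script_text.splitlines(), 1):
        m = HANDLER.match(line.split('#', 1)[0])   # ignore commented-out code
        if m and m.group(1) in names:
            hits.append((no, m.group(1)))
    return hits

if __name__ == '__main__':
    for no, name in find_handlers(SCRIPT_SAMPLE, deprecated_events(BIF_SAMPLE)):
        print(f'line {no}: handler for deprecated event {name}')
```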

