@grigorescu
Last active February 17, 2020 16:37
Bro script to analyze the Finger protocol.
##! Analyzes the Finger protocol (TCP port 79).
##! Each finger_request and each finger_reply event handled below is written
##! as its own row of the Finger log; request and reply rows are not merged.
module Finger;
export {
	redef enum Log::ID += { LOG };

	## The record type which contains the column fields of the Finger log.
	## username, hostname and reply are copied verbatim from the wire, so
	## consumers of the log should treat them as untrusted text.
	type Info: record {
		## network_time() at the moment the request or reply row is written.
		ts:       time    &log;
		## A unique identifier of the connection
		uid:      string  &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id:       conn_id &log;
		## Username from the finger request (set on request rows only).
		username: string  &log &optional;
		## Hostname from the finger request (set on request rows only).
		hostname: string  &log &optional;
		## One line of the server's reply (set on reply rows only).
		reply:    string  &log &optional;
		## True if verbose information is requested (/W switch).
		verbose:  bool    &log &optional;
	};

	## Event that can be handled to access the finger
	## record as it is sent on to the logging framework.
	global log_finger: event(rec: Info);
}
redef record connection += {
	## Per-connection Finger state, available to handlers that assign it.
	## NOTE(review): the log rows are built directly in the event handlers,
	## so this field does not influence what is logged.
	finger: Info &optional;
};
# DPD configuration
# Finger runs over TCP port 79: the capture filter, the analyzer port
# binding and the server-port hint below all refer to that one port.
redef capture_filters += {
	["finger"] = "tcp and port 79"
};

# Not marked &redef, so other scripts cannot extend this set via redef.
const finger_ports = { 79/tcp };
redef dpd_config += { [ANALYZER_FINGER] = [$ports=finger_ports] };
redef likely_server_ports += { 79/tcp };
event bro_init() &priority=5
	{
	# Register the Finger log stream: rows are Info records and log_finger
	# is raised for every record handed to the stream.
	Log::create_stream(LOG, [$columns=Info, $ev=log_finger]);
	}
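## Logs one row per finger request.
##
## c:        the connection the request was seen on.
## full:     true when the client asked for verbose output (/W).
## username: user being queried, copied verbatim from the wire.
## hostname: host part of the query, copied verbatim from the wire.
event finger_request(c: connection, full: bool, username: string, hostname: string)
	{
	# Build the row once so it can be both kept on the connection and logged.
	local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                    $username=username, $hostname=hostname, $verbose=full];

	# Store the request on the connection so later handlers (e.g. a reply
	# handler or a connection_state_remove handler in another script) can
	# reach it through c$finger; the field is otherwise never populated.
	c$finger = info;

	Log::write(LOG, info);
	}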
## Logs one row per finger_reply event.
##
## c:          the connection the reply was seen on.
## reply_line: the reply text as received, copied verbatim from the wire.
event finger_reply(c: connection, reply_line: string)
	{
	# Reply rows carry only the connection identifiers and the reply text;
	# the request columns (username, hostname, verbose) stay unset.
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];
	rec$reply = reply_line;
	Log::write(LOG, rec);
	}