@load notice
@load site

module ServiceProfile;

export {
	# Notice raised the first time a local host is observed accepting a
	# connection on a (host, port) pair not already in `services`.
	redef enum Notice += { NewService };

	# When T, only ports below 1024 are tracked.
	const privileged_only = F &redef;

	# Ports that are never tracked; by default the NetBIOS/SMB ports.
	const ignore_ports = { 139/tcp, 445/tcp } &redef;

	# When T, new services are recorded but no NOTICE is raised.
	const learning = F &redef;
}

# Every (local host, port) pair seen accepting a connection. &persistent
# carries the set across restarts, so a service learnt in one run is not
# reported again in the next.
global services: set[addr, port] &persistent;

event connection_established(c: connection)
	{
	local resp = c$id$resp_h;
	local resp_port = c$id$resp_p;

	# Only local responders matter. is_local_addr() comes from the site
	# policy; if no local networks are configured there, nothing is tracked.
	if ( ! is_local_addr(resp) )
		return;

	# Skip ports we were told to ignore, and unprivileged ports when only
	# privileged ones are of interest.
	if ( resp_port in ignore_ports ||
	     (privileged_only && resp_port >= 1024/tcp) )
		return;

	# Already known - nothing to do.
	if ( [resp, resp_port] in services )
		return;

	add services[resp, resp_port];

	# Reported once per (host, port) for the lifetime of the persistent set.
	# NOTE(review): confirm what triggers connection_established in the
	# deployed Bro version (full handshake vs. the responder's SYN-ACK);
	# that decides whether a half-open scan hitting an open port counts.
	if ( ! learning )
		NOTICE([$note=NewService, $conn=c, $p=resp_port,
		        $msg=fmt("%s accepted connection on port %s", resp, resp_port)]);
	}

event bro_done()
	{
	print "Summary of services running on local hosts:";
	for ( [h, sp] in services )
		print fmt("%20s %s", h, sp);
	}