Some styling tweaks

- used transient declarations where appropriate
- fixed brackets
- cleaned up some comments

scripts/base/protocols/rfb/main.bro

@@ -1,4 +1,4 @@
-module Rfb;
+module RFB;
 
 export {
 	redef enum Log::ID += { LOG };
@@ -11,17 +11,27 @@ export {
 		## The connection's 4-tuple of endpoint addresses/ports.
 		id:     conn_id &log;
 
+		## Major version of the client.
 		client_major_version: string &log &optional;
+		## Minor version of the client.
 		client_minor_version: string &log &optional;
+		## Major version of the server.
 		server_major_version: string &log &optional;
+		## Major version of the client.
 		server_minor_version: string &log &optional;
 
+		## Identifier of authentication method used.
 		authentication_method: string &log &optional;
+		## Whether or not authentication was succesful.
 		auth: bool &log &optional;
 
+		## Whether the client has an exclusive or a shared session.
 		share_flag: bool &log &optional;
+		## Name of the screen that is being shared.
 		desktop_name: string &log &optional;
+		## Width of the screen that is being shared.
 		width: count &log &optional;
+		## Height of the screen that is being shared.
 		height: count &log &optional;
 
 		done: bool  &default=F;
@@ -30,7 +40,8 @@ export {
 	global log_rfb: event(rec: Info);
 }
 
-function friendly_auth_name(auth: count): string {
+function friendly_auth_name(auth: count): string
+	{
 	switch (auth) {
 		case 0:
 			return "Invalid";
@@ -56,37 +67,40 @@ function friendly_auth_name(auth: count): string {
 			return "Apple Remote Desktop";
 	}
 	return "RealVNC";
-
 }
 
-
 redef record connection += {
 	rfb_state: Info &optional;
 };
 
 event bro_init() &priority=5
 	{
-	Log::create_stream(Rfb::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
 	}
 
-function write_log(c:connection) {
+function write_log(c:connection)
+	{
 	local state = c$rfb_state;
-	if ( state?$done && state$done == T) {
+	if ( state?$done && state$done == T )
+		{
 		return;
-	}
-	Log::write(Rfb::LOG, c$rfb_state);
-	c$rfb_state$done = T;
-}
+		}
 
-function set_session(c: connection) {
-	if ( ! c?$rfb_state ) {
+	Log::write(RFB::LOG, c$rfb_state);
+	c$rfb_state$done = T;
+	}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$rfb_state )
+		{
 		local info: Info;
 		info$ts  = network_time();
 		info$uid = c$uid;
 		info$id  = c$id;
 
 		c$rfb_state = info;
-	}
+		}
 	}
 
 event rfb_event(c: connection)
@@ -121,13 +135,9 @@ event rfb_server_parameters(c: connection, name: string, width: count, height: c
 	write_log(c);
 	}
 
-event rfb_auth_result(c: connection, result: count)
+event rfb_auth_result(c: connection, result: bool)
 	{
-	if ( result ==0 ) {
-		c$rfb_state$auth = T;
-	} else {
-		c$rfb_state$auth = F;
-	}
+	c$rfb_state$auth = !result;
 	}
 
 event rfb_share_flag(c: connection, flag: bool)
@@ -135,8 +145,10 @@ event rfb_share_flag(c: connection, flag: bool)
 	c$rfb_state$share_flag = flag;
 	}
 
-event connection_state_remove(c: connection) {
-	if ( c?$rfb_state ) {
-	write_log(c);
+event connection_state_remove(c: connection)
+	{
+	if ( c?$rfb_state )
+		{
+		write_log(c);
+		}
 	}
-}

src/analyzer/protocol/rfb/CMakeLists.txt

@@ -1,5 +1,3 @@
-# Generated by binpac_quickstart
-
 include(BroPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})

src/analyzer/protocol/rfb/Plugin.cc

@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #include "plugin/Plugin.h"
 
 #include "RFB.h"

src/analyzer/protocol/rfb/RFB.cc

@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #include "RFB.h"
 
 #include "analyzer/protocol/tcp/TCP_Reassembler.h"

src/analyzer/protocol/rfb/RFB.h

@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #ifndef ANALYZER_PROTOCOL_RFB_RFB_H
 #define ANALYZER_PROTOCOL_RFB_RFB_H
 

src/analyzer/protocol/rfb/events.bif

@@ -15,7 +15,7 @@ event rfb_authentication_type%(c: connection, authtype: count%);
 ## c: The connection record for the underlying transport-layer session/flow.
 ##
 ## result: whether or not authentication was succesful
-event rfb_auth_result%(c: connection, result: count%);
+event rfb_auth_result%(c: connection, result: bool%);
 
 ## Generated for RFB event share flag messages
 ##

src/analyzer/protocol/rfb/rfb-analyzer.pac

@@ -7,14 +7,16 @@ refine flow RFB_Flow += {
 
 	function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool
 		%{
-		if (client) {
+		if (client)
+			{
 			BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
 
 			connection()->bro_analyzer()->ProtocolConfirmation();
-
-		} else {
+			}
+			else
+			{
 			BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
-		}
+			}
 		return true;
 		%}
 
@@ -25,28 +27,28 @@ refine flow RFB_Flow += {
 		%}
 
 	function proc_security_types(msg: RFBSecurityTypes) : bool
-	%{
+		%{
 		BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
 		return true;
-	%}
+		%}
 
 	function proc_security_types37(msg: RFBAuthTypeSelected) : bool
-	%{
+		%{
 		BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
 		return true;
-	%}
+		%}
 
 	function proc_handle_server_params(msg:RFBServerInit) : bool
-	%{
+		%{
 		BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
 		return true;
-	%}
+		%}
 
 	function proc_handle_security_result(result : uint32) : bool
-	%{
+		%{
 		BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
 		return true;
-	%}
+		%}
 };
 
 refine connection RFB_Conn += {
@@ -70,113 +72,115 @@ refine connection RFB_Conn += {
 	%}
 
 	function get_state(client: bool) : int
-	%{
+		%{
 		return state;
-	%}
+		%}
 
 	function handle_banners(client: bool, msg: RFBProtocolVersion) : bool
-	%{
-		if ( client ) {
+		%{
+		if ( client )
+			{
 			// Set protocol version on client's version
 			int minor_version = bytestring_to_int(${msg.minor},10);
 
 			// Apple specifies minor version "889" but talks v37
-			if ( minor_version >= 7 ) {
+			if ( minor_version >= 7 )
 				state = AWAITING_SERVER_AUTH_TYPES37;
-			} else {
+			else
 				state = AWAITING_SERVER_AUTH_TYPES;
 			}
-		} else {
-			if ( !client ) {
+			else
 				state = AWAITING_CLIENT_BANNER;
-			}
-		}
+
 		return true;
-	%}
+		%}
 
 	function handle_ard_challenge() : bool
-	%{
+		%{
 		state = AWAITING_CLIENT_ARD_RESPONSE;
 		return true;
-	%}
+		%}
 
 	function handle_ard_response() : bool
-	%{
+		%{
 		state = AWAITING_SERVER_AUTH_RESULT;
 		return true;
-	%}
+		%}
 
 	function handle_auth_request() : bool
-	%{
+		%{
 		state = AWAITING_CLIENT_RESPONSE;
 		return true;
-	%}
+		%}
 
 	function handle_auth_response() : bool
-	%{
+		%{
 		state = AWAITING_SERVER_AUTH_RESULT;
 		return true;
-	%}
+		%}
 
 	function handle_security_result(msg: RFBSecurityResult) : bool
-	%{
-		if ( ${msg.result} == 0 ) //FIXME
-		{
+		%{
+		if ( ${msg.result} == 0 )
+			{
 			state = AWAITING_CLIENT_SHARE_FLAG;
-		}
+			}
 		return true;
-	%}
+		%}
 
 	function handle_client_init(msg: RFBClientInit) : bool
-	%{
+		%{
 		state = AWAITING_SERVER_PARAMS;
-
 		return true;
-	%}
+		%}
 
 	function handle_server_init(msg: RFBServerInit) : bool
-	%{
+		%{
 		state = RFB_MESSAGE;
 		return true;
-	%}
+		%}
 
 	function handle_security_types(msg: RFBSecurityTypes): bool
-	%{
-		if ( msg->sectype() == 0 ) { // No auth
+		%{
+		if ( msg->sectype() == 0 )
+			{ // No auth
 			state = AWAITING_CLIENT_SHARE_FLAG;
 			return true;
-		}
-		if ( msg->sectype() == 2 ) { //VNC
+			}
+
+		if ( msg->sectype() == 2 )
+			{ //VNC
 			state = AWAITING_SERVER_CHALLENGE;
-		}
-		return false;
-	%}
+			}
+		return true;
+		%}
 
 	function handle_security_types37(msg: RFBSecurityTypes37): bool
-	%{
-		if ( ${msg.count} == 0 ) { // No auth
+		%{
+		if ( ${msg.count} == 0 )
+			{ // No auth
 			state = AWAITING_CLIENT_SHARE_FLAG;
 			return true;
-		}
+			}
 		state = AWAITING_CLIENT_AUTH_TYPE_SELECTED37;
 		return true;
-	%}
+		%}
 
 	function handle_auth_type_selected(msg: RFBAuthTypeSelected): bool
-	%{
-		if ( ${msg.type} == 30 ) { // Apple Remote Desktop
-			state = AWAITING_SERVER_ARD_CHALLENGE;
-			return true;
-		}
+		%{
+		if ( ${msg.type} == 30 )
+			{ // Apple Remote Desktop
+				state = AWAITING_SERVER_ARD_CHALLENGE;
+				return true;
+			}
 
-		if ( ${msg.type} == 1 ) { // No Auth
+		if ( ${msg.type} == 1 )
 			state = AWAITING_SERVER_AUTH_RESULT;
-		} else {
-			// Assume VNC
+		else
 			state = AWAITING_SERVER_CHALLENGE;
-		}
+
 		return true;
-	%}
+		%}
 
 	%member{
 		uint8 state = AWAITING_SERVER_BANNER;

src/analyzer/protocol/rfb/rfb-protocol.pac

@@ -16,8 +16,8 @@ enum states {
 		};
 
 type RFBProtocolVersion (client: bool) = record {
-	header : "RFB ";
-	major :bytestring &length=3;
+	header: "RFB ";
+	major: bytestring &length=3;
 	dot: ".";
 	minor: bytestring &length=3;
 	pad: uint8;
@@ -108,8 +108,8 @@ type RFB_PDU_request = record {
 		AWAITING_CLIENT_SHARE_FLAG -> shareflag: RFBClientInit;
 		AWAITING_CLIENT_AUTH_TYPE_SELECTED37 -> authtype: RFBAuthTypeSelected;
 		AWAITING_CLIENT_ARD_RESPONSE -> ard_response: RFBSecurityARDResponse;
-		RFB_MESSAGE -> ignore: bytestring &restofdata;
-		default -> data: bytestring &restofdata;
+		RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+		default -> data: bytestring &restofdata &transient;
 	} &requires(state);
 	} &let {
 		state: uint8 = $context.connection.get_state(true);
@@ -124,8 +124,8 @@ type RFB_PDU_response = record {
 		AWAITING_SERVER_AUTH_RESULT -> authresult : RFBSecurityResult;
 		AWAITING_SERVER_ARD_CHALLENGE -> ard_challenge: RFBSecurityARDChallenge;
 		AWAITING_SERVER_PARAMS -> serverinit: RFBServerInit;
-		RFB_MESSAGE -> ignore: bytestring &restofdata;
-		default -> data: bytestring &restofdata;
+		RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+		default -> data: bytestring &restofdata &transient;
 	} &requires(rstate);
 	} &let {
 		rstate: uint8 = $context.connection.get_state(false);

src/analyzer/protocol/rfb/rfb.pac

@@ -1,5 +1,3 @@
-# Generated by binpac_quickstart
-
 # Analyzer for Parser for rfb (VNC)
 #  - rfb-protocol.pac: describes the rfb protocol messages
 #  - rfb-analyzer.pac: describes the rfb analyzer code
@@ -26,17 +24,7 @@ connection RFB_Conn(bro_analyzer: BroAnalyzer) {
 
 # Now we define the flow:
 flow RFB_Flow(is_orig: bool) {
-
-	# ## TODO: Determine if you want flowunit or datagram parsing:
-
-	# Using flowunit will cause the anlayzer to buffer incremental input.
-	# This is needed for &oneline and &length. If you don't need this, you'll
-	# get better performance with datagram.
-
-	# flowunit = RFB_PDU(is_orig) withcontext(connection, this);
-
 	datagram = RFB_PDU(is_orig) withcontext(connection, this);
-
 };
 
 %include rfb-analyzer.pac