Provide infrastructure to migrate legacy analyzers to Spicy.

As initial examples, this branch ports the Syslog and Finger analyzers over. We leave the old analyzers in place for now and activate them iff we compile without any Spicy. Needs `zeek-spicy-infra` branches in `spicy/`, `spicy-plugin/`, `CMake/`, and `zeek/zeek-testing-private`. Note that the analyzer events remain associated with the Spicy plugin for now: that's where they will show up with `-NN`, and also inside the Zeekygen documentation. We switch CMake over to linking the runtime library into the plugin, vs. at the top-level through object libraries.
2025-10-02 06:38:20 +00:00 · 2022-11-08 09:54:08 +01:00 · 2022-11-08 09:54:08 +01:00 · 04a1ead978
commit 04a1ead978
parent 283bea346b
48 changed files with 359 additions and 124 deletions
--- a/scripts/base/protocols/finger/load.zeek
+++ b/scripts/base/protocols/finger/load.zeek
@ -0,0 +1,2 @@
+@load ./spicy-events
+@load ./main
--- a/scripts/base/protocols/finger/main.zeek
+++ b/scripts/base/protocols/finger/main.zeek
@ -0,0 +1,14 @@
+##! Implements base functionality for Finger analysis. We currently do not generate
+##! a log file, but just configure the analyzer.
+
+module Finger;
+
+export {
+	const ports = { 79/tcp };
+	redef likely_server_ports += { ports };
+}
+
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, ports);
+	}
--- a/scripts/base/protocols/finger/spicy-events.zeek
+++ b/scripts/base/protocols/finger/spicy-events.zeek
@ -0,0 +1,33 @@
+##! Events generated by the Finger analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for Finger requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. zeek:see:: finger_reply
+global finger_request: event(c: connection, full: bool, username: string, hostname: string);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. zeek:see:: finger_request
+global finger_reply: event(c: connection, reply_line: string);
+
+@endif
--- a/scripts/base/protocols/syslog/load.zeek
+++ b/scripts/base/protocols/syslog/load.zeek
@ -1,2 +1,3 @@
+@load ./spicy-events
@load ./consts
-@load ./main
+@load ./main
--- a/scripts/base/protocols/syslog/spicy-events.zeek
+++ b/scripts/base/protocols/syslog/spicy-events.zeek
@ -0,0 +1,21 @@
+##! Events generated by the Syslog analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Zeek currently parses only UDP syslog traffic.
+global syslog_message: event(c: connection, facility: count, severity: count, msg: string);
+
+@endif