Merge remote-tracking branch 'origin/master' into topic/johanna/hash-unification

This commit is contained in:
Johanna Amann 2020-05-06 16:11:07 -07:00
commit 04ed125941
257 changed files with 4534 additions and 4025 deletions

146
CHANGES

@ -1,4 +1,150 @@
3.2.0-dev.473 | 2020-05-06 10:40:09 -0700
* Revert addition of final modifier to JSON formatter (Tim Wojtulewicz, Corelight)
3.2.0-dev.471 | 2020-05-06 10:00:58 -0700
* Fix global buffer over-read in POP3 analyzer (Justin Azoff, Corelight)
* Fix SSL scripting error leading to access of unitialized field (Jon Siwek, Corelight)
Reported by Justin Azoff
* Remove outdated comment on set_to_regex. (Johanna Amann, Corelight)
We can add patterns at runtime since 2.6.
3.2.0-dev.467 | 2020-05-04 18:00:35 -0700
* GH-952: Correct spelling of DCE/RPC operation string NetrLogonSameLogonWithFlags
(Jon Siwek, Corelight)
3.2.0-dev.466 | 2020-05-04 17:50:14 -0700
* Add network_time_init() event. (Jan Grashoefer)
This event is generated upon first initialization of network_time.
3.2.0-dev.461 | 2020-05-04 17:08:46 -0700
* Avoid scheduling multiple inactivity timers (Justin Azoff and Jon Siwek, Corelight)
Also updated language.expire_subnet btest which is unduly sensitive to
timer-related changes
3.2.0-dev.459 | 2020-05-01 17:46:20 -0700
* Extend CI config to cover building with libmaxminddb support (Jon Siwek, Corelight)
* Ensure time continues moving forward if a pcap source is suspended (Tim Wojtulewicz, Corelight)
3.2.0-dev.455 | 2020-05-01 09:44:30 -0700
* GH-938: fix IO loop iterations sometimes skipping offline pcap sources (Jon Siwek, Corelight)
3.2.0-dev.451 | 2020-04-29 16:28:34 -0700
* Organized and added to the shipped file identification signatures. (Seth Hall, Corelight)
- Added ISO 9660 disk image
- Created new files for categorizing signatures better.
- executable.sig - Executable (and bytecode) files.
- java.sig - Java related files (class/jar, etc).
- programming.sig - Mostly scripting language identification
3.2.0-dev.447 | 2020-04-29 15:55:03 -0700
* GH-713: Fixed misc/stats.zeek skipping a log entry on termination (Brittany Donowho)
3.2.0-dev.445 | 2020-04-29 15:25:03 -0700
* Add warning message for unknown Broker statuses (Jon Siwek, Corelight)
There's now a couple placeholder/unimplemented status values in Broker
related to upcoming routing features that we don't want to handle
explicitly for compatibility reasons, but also don't want the compiler
warning about unhandled values in the switch.
3.2.0-dev.443 | 2020-04-28 17:10:38 -0700
* GH-941: Fix build when configured to use libmaxminddb (Jon Siwek, Corelight)
3.2.0-dev.441 | 2020-04-27 13:34:22 -0700
* Fix a few more IntrusivePtr deprecation warnings (Tim Wojtulewicz, Corelight)
* Fix cloning of TypeType values (Vern Paxson, Corelight)
3.2.0-dev.437 | 2020-04-27 19:30:24 +0000
* GH-854: provide access to original HTTP/MIME header names
The "http_header" event now has an "original_name" parameter that allows
access to the original header name (the "name" parameter reamins the
same as before: it's the uppercased header name).
The "mime_header_rec" record type now also includes an "original_name"
field to similarly provide access to original header name in the
following events: "http_all_headers", "mime_one_header", and
"mime_all_headers". (Jon Siwek, Corelight)
* Remove error message from empty bloomfilter lookups
If a bloomfilter doesn't have a type, that just means no
bloomfilter_add() has been called yet, so seems undesirable to emit an
error for a lookup against something that's known to be empty. (Jon Siwek, Corelight)
* unused variables found via use-def analysis (plus an indentation micro-nit) (Vern Paxson, Corelight)
3.2.0-dev.431 | 2020-04-27 12:09:30 -0700
* Update various BIFs to return IntrusivePtr (Jon Siwek, Corelight)
3.2.0-dev.428 | 2020-04-24 16:19:45 -0700
* Deprecate returning Val* from BIFs (Jon Siwek, Corelight)
* Deprecate binpac::string_to_val (Jon Siwek, Corelight)
* Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval (Jon Siwek, Corelight)
* Update deprecated BifEvent::generate_* usages (Jon Siwek, Corelight)
* Deprecate Connection::Event and Analyzer::Event methods
And update usages to the "EnqueueEvent" methods. (Jon Siwek, Corelight)
* Deprecate BuildConnVal() methods and update usages to ConnVal()
The later being a new method that returns IntrusivePtr (Jon Siwek, Corelight)
* Update all BIFs to return IntrusivePtr instead of Val* (Jon Siwek, Corelight)
* Update deprecated ValManager::GetPort usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetEmptyString usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetCount usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetInt usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetBool usages (Jon Siwek, Corelight)
* Update deprecated ValManager GetTrue/GetFalse usages (Jon Siwek, Corelight)
* Deprecate all ValManager "Get" methods
Alternate methods that return IntrusivePtr are available in similarly
named methods that omit the "Get" prefix. (Jon Siwek, Corelight)
* Change BIFs to return a wrapper object
That allows returning either Val* or IntrusivePtr<T>. The former could
eventually be deprecated, but it's used extensively at the moment. (Jon Siwek, Corelight)
3.2.0-dev.412 | 2020-04-22 10:43:39 -0700
* Fix buffer over-read in Ident analyzer (Max Kellermann)
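Review bot: Three entries in this block carry spelling errors that will ship in CHANGES: "unitialized" in the 3.2.0-dev.471 SSL entry, "reamins" in the GH-854 entry under 3.2.0-dev.437, and "The later being" (should be "latter") in the BuildConnVal entry under 3.2.0-dev.428. The two over-read fixes (POP3 under dev.471, Ident under dev.412) also give no issue number or test name, so a reader of this file cannot tell which input triggered them; add the GH reference or the btest name if one exists.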

31
NEWS

@ -37,6 +37,10 @@ New Functionality
and ``udp_content_delivery_ports_orig`` options is determined. The current value
keeps behavior as it was in previous versions of Zeek.
- Add a file signature to identify ISO9660 disk images (application/x-iso9660-image)
- Add file signature to identify Python bytecode (application/x-python-bytecode)
Changed Functionality
---------------------
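Review bot: The two new bullets name only ISO9660 and Python bytecode, and they are worded inconsistently ("Add a file signature" against "Add file signature"). The signature files in this same commit also show application/x-bzip2, application/x-java-pack200, application/x-java-keystore and application/x-java-jce-keystore; if those are new rather than moved, list them here too so users who key on MIME type see the full set.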
@ -76,6 +80,12 @@ Changed Functionality
raise this event (injecting connections via broccoli) was removed a while ago;
the event handler served no purpose anymore.
- Reorganize the file signatures to break them out into more groups. This may
break scripts that had been explicitly loading any signature files that moved.
- The DCE/RPC operation string of "NetrLogonSamLogonWithFlags" has been
corrected from "NetrLogonSameLogonWithFlags".
Removed Functionality
---------------------
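Review bot: The reorganization bullet warns that scripts loading moved signature files may break but does not say which files moved or what the new ones are called. CHANGES in this commit names executable.sig, java.sig and programming.sig; repeat those names here, along with any file that was renamed, so a user can grep their own @load-sigs lines against the list.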
@ -96,7 +106,7 @@ Deprecated Functionality
- The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
are now deprecated, use ``EventMgr::Enqueue()`` instead.
- The ``Connection::ConnectionEvent()`` and
- The ``Connection::ConnectionEvent()``, ``Connection::Event()``, and
``Connection::ConnectionEventFast()`` methods are now deprecated, use
``Connection::EnqueueEvent()`` instead.
@ -104,10 +114,25 @@ Deprecated Functionality
arguments are now deprecated, use the overload that takes a ``zeek::Args``
instead.
- The ``analyzer::Analyzer::ConnectionEvent()`` and
``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
- The ``analyzer::Analyzer::ConnectionEvent()``, ``analyzer::Analyzer::Event``,
and ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
``analyzer::Analyzer::EnqueueConnEvent()`` instead.
- All ``val_mgr`` methods starting with "Get" are deprecated, use the new
``val_mgr`` methods that return ``IntrusivePtr``.
- ``Connection::BuildConnVal()`` is deprecated, use ``Connection::ConnVal()``.
- ``Analyzer::BuildConnVal()`` is deprecated, use ``Analyzer::ConnVal()``.
- ``BifEvent::generate_`` functions are deprecated, use ``BifEvent::enqueue_``.
- ``binpac::bytestring_to_val()`` is deprecated, use ``binpac::to_stringval()``.
- ``binpac::string_to_val()`` is deprecated, use ``StringVal`` constructor.
- Returning ``Val*`` from BIFs is deprecated, return ``IntrusivePtr`` instead.
Zeek 3.1.0
==========
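Review bot: The rewritten analyzer bullet keeps the misspelling "ConectionEventFast" (the line just above it in the same bullet spells "ConnectionEvent" correctly), and the newly added ``analyzer::Analyzer::Event`` is missing the "()" that every other method in this list carries. Fix both while the bullet is being touched, otherwise a search of NEWS for the real method name will miss this deprecation.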


@ -1 +1 @@
3.2.0-dev.412
3.2.0-dev.473

@ -1 +1 @@
Subproject commit 66b4b30305237f48535276a00a52ca304659400b
Subproject commit e17abfe8cd478fe90500a44c2081f4f97aade897

@ -1 +1 @@
Subproject commit 60681f1a7dca89f71c4f4ca4f7424bf0484f4ee0
Subproject commit e1de4da6b3aee300d0a034ef90d59b7adc3efe34

@ -1 +1 @@
Subproject commit 6ea6728218085732ebea5044fdce5b0bf5b052c5
Subproject commit 8b2c9a9e1e67d145af442fa2175dcb18b643a317

@ -1 +1 @@
Subproject commit 87896050d7ac189f0e063bb90c3fa37a6c977f83
Subproject commit 0528e8bc8e6e0108ec2f752896b2aa8b5dd949dd

@ -1 +1 @@
Subproject commit a98acb8f80390bbb89f33df483eac8f6b4b6e05d
Subproject commit be04ea0e7b2b265d65b1fac5b644ce646603bdf2

@ -1 +1 @@
Subproject commit 7e65a34905ec9684c442da5f737fe75beb94aae6
Subproject commit 1f6290b2b05af07034354ea7621a99f708081fae


@ -15,6 +15,7 @@ RUN apt-get update && apt-get -y install \
python3-pip\
swig \
zlib1g-dev \
libmaxminddb-dev \
libkrb5-dev \
bsdmainutils \
sqlite3 \

2
cmake

@ -1 +1 @@
Subproject commit 861e37c50410b37d08687a691d5868bfff9694dd
Subproject commit d85153d8e0e62fbd6f1125c498b2741f4bc987dc

2
doc

@ -1 +1 @@
Subproject commit 7b59ef1ab823a77dff78991b6a8808be5ba9072d
Subproject commit 850c5bea8787c315cddc9079a29a17d89db055ec


@ -28,7 +28,6 @@ function connect_peer(node_type: NodeType, node_name: string)
function connect_peers_with_type(node_type: NodeType)
{
local rval: vector of NamedNode = vector();
local nn = nodes_with_type(node_type);
for ( i in nn )


@ -1,9 +1,12 @@
@load-sigs ./archive
@load-sigs ./audio
@load-sigs ./executable
@load-sigs ./font
@load-sigs ./general
@load-sigs ./image
@load-sigs ./msoffice
@load-sigs ./java
@load-sigs ./office
@load-sigs ./programming
@load-sigs ./video
@load-sigs ./libmagic
@load-sigs ./libmagic
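Review bot: The list shows both ./msoffice and ./office. If msoffice was renamed to office, that is exactly the kind of move the NEWS entry warns about and it should be named there; if both are meant to load, the order (msoffice, java, office) breaks the alphabetical ordering the rest of the list follows. Either way, say in a comment at the top of this file that load order does not matter, or keep it sorted.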


@ -49,11 +49,17 @@ signature file-xar {
}
# RPM
signature file-magic-auto352 {
signature file-rpm {
file-mime "application/x-rpm", 70
file-magic /^(drpm|\xed\xab\xee\xdb)/
}
# Debian Binary Package
signature file-deb {
file-mime "application/x-debian-package", 171
file-magic /\x21\x3carch\x3e\x0adebian/
}
# StuffIt
signature file-stuffit {
file-mime "application/x-stuffit", 70
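Review bot: file-deb takes over the pattern and the strength of 171 from the auto-generated file-magic-auto54 that this commit removes from the libmagic signatures, so it has no leading ^ and is weighted far above file-rpm (70) directly before it. Now that it is a hand-maintained signature, write it in the same style as its neighbours (anchored, with readable literals instead of \x21\x3c...\x3e\x0a) and either bring the strength in line or add a comment saying why 171 is kept.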
@ -179,3 +185,9 @@ signature file-ace-archive {
file-mime "application/x-ace", 100
file-magic /^.{7}\*\*ACE\*\*/
}
# Bzip2 archive file.
signature file-bzip2 {
file-mime "application/x-bzip2", 60
file-magic /^BZh/
}
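Review bot: file-bzip2 matches on /^BZh/, only three bytes, so any content that happens to begin with "BZh" is labelled application/x-bzip2. A bzip2 stream follows "BZh" with a block-size digit from '1' to '9'; matching /^BZh[1-9]/ costs nothing and cuts the false-positive space. A btest with a small sample file would also be good to have for a new signature.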


@ -0,0 +1,106 @@
# Portable Executable
signature file-pe {
file-mime "application/x-dosexec", 51
file-magic /MZ/
}
signature file-elf-object {
file-mime "application/x-object", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
}
signature file-elf {
file-mime "application/x-executable", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
}
signature file-elf-sharedlib {
file-mime "application/x-sharedlib", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
}
signature file-elf-coredump {
file-mime "application/x-coredump", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
}
# Mac OS X Mach-O executable
signature file-mach-o {
file-magic /^[\xce\xcf]\xfa\xed\xfe/
file-mime "application/x-mach-o-executable", 100
}
# Mac OS X Universal Mach-O executable
signature file-mach-o-universal {
file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/
file-mime "application/x-mach-o-executable", 100
}
# Emacs/XEmacs byte-compiled Lisp
signature file-elc {
file-mime "application/x-elc", 10
file-magic /\x3bELC[\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff]/
}
# Python 1 bytecode
signature file-pyc-1 {
file-magic /^(\xfc\xc4|\x99\x4e)\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 2 bytecode
signature file-pyc-2 {
file-magic /^(\x87\xc6|[\x2a\x2d]\xed|[\x3b\x45\x59\x63\x6d\x77\x81\x8b\x8c\x95\x9f\xa9\xb3\xc7\xd1\xdb\xe5\xef\xf9]\xf2|\x03\xf3)\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.0 bytecode
signature file-pyc-3-0 {
file-magic /^([\xb8\xc2\xcc\xd6\xe0\xea\xf4\xf5\xff]\x0b|[\x09\x13\x1d\x1f\x27\x3b]\x0c)\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.1 bytecode
signature file-pyc-3-1 {
file-magic /^[\x45\x4f]\x0c\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.2 bytecode
signature file-pyc-3-2 {
file-magic /^[\x58\x62\x6c]\x0c\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.3 bytecode
signature file-pyc-3-3 {
file-magic /^[\x76\x80\x94\x9e]\x0c\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.4 bytecode
signature file-pyc-3-4 {
file-magic /^[\xb2\xcc\xc6\xd0\xda\xe4\xee]\x0c\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.5 bytecode
signature file-pyc-3-5 {
file-magic /^(\xf8\x0c|[\x02\x0c\x16\x17]\x0d)\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.6 bytecode
signature file-pyc-3-6 {
file-magic /^[\x20\x21\x2a-\x2d\x2f-\x33]\x0d\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
# Python 3.7 bytecode
signature file-pyc-3-7 {
file-magic /^[\x3e-\x42]\x0d\x0d\x0a/
file-mime "application/x-python-bytecode", 80
}
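Review bot: file-pe matches on the two bytes /MZ/ with no ^, and the four file-elf* patterns are also written without an anchor, while file-mach-o and every file-pyc-* signature in this same new file start with ^. Make the file consistent, or add a comment explaining why these are left as they are, since a two-byte magic at strength 51 is the weakest evidence in the file. Two smaller points: the file-elc class spells out every byte individually where [\x00-\x1f\x80-\xff] says the same thing (file-pyc-3-6 already uses ranges), and the Python signatures stop at 3.7, so a comment that each new release needs its magic number added here would help the next maintainer.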


@ -131,16 +131,6 @@ signature file-afpinfo {
file-magic /^AFP/
}
signature file-jar {
file-mime "application/java-archive", 100
file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/
}
signature file-java-applet {
file-mime "application/x-java-applet", 71
file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
}
# OCSP requests over HTTP.
signature file-ocsp-request {
file-magic /^.{11,19}\x06\x05\x2b\x0e\x03\x02\x1a/
@ -165,18 +155,6 @@ signature file-tnef {
file-mime "application/vnd.ms-tnef", 100
}
# Mac OS X Mach-O executable
signature file-mach-o {
file-magic /^[\xce\xcf]\xfa\xed\xfe/
file-mime "application/x-mach-o-executable", 100
}
# Mac OS X Universal Mach-O executable
signature file-mach-o-universal {
file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/
file-mime "application/x-mach-o-executable", 100
}
signature file-pkcs7 {
file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/
file-mime "application/pkcs7-signature", 100
@ -188,12 +166,6 @@ signature file-pem {
file-mime "application/x-pem"
}
# Java Web Start file.
signature file-jnlp {
file-magic /^\<jnlp\x20/
file-mime "application/x-java-jnlp-file", 100
}
signature file-pcap {
file-magic /^(\xa1\xb2\xc3\xd4|\xd4\xc3\xb2\xa1)/
file-mime "application/vnd.tcpdump.pcap", 70
@ -204,82 +176,6 @@ signature file-pcap-ng {
file-mime "application/vnd.tcpdump.pcap", 100
}
signature file-shellscript {
file-mime "text/x-shellscript", 250
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(ba|tc|c|z|fa|ae|k)?sh/
}
signature file-perl {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?perl/
file-mime "text/x-perl", 60
}
signature file-ruby {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?ruby/
file-mime "text/x-ruby", 60
}
signature file-python {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?python/
file-mime "text/x-python", 60
}
signature file-awk {
file-mime "text/x-awk", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
}
signature file-tcl {
file-mime "text/x-tcl", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
}
signature file-lua {
file-mime "text/x-lua", 49
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
}
signature file-javascript {
file-mime "application/javascript", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
}
signature file-javascript2 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
}
signature file-javascript3 {
file-mime "application/javascript", 60
# This seems to be a somewhat common idiom in javascript.
file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
}
signature file-javascript4 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
}
signature file-javascript5 {
file-mime "application/javascript", 60
file-magic /^\(function\(\)[[:blank:]\n]*\{/
}
signature file-javascript6 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*<script>[\x0d\x0a[:blank:]]*(var|function) /
}
signature file-php {
file-mime "text/x-php", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
}
signature file-php2 {
file-magic /^.*<\?php/
file-mime "text/x-php", 40
}
# Stereolithography ASCII format
signature file-stl-ascii {
file-magic /^solid\x20/
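Review bot: In file-javascript4 the pattern ends in write(ln)?[:blank:]?\( with [:blank:] outside a bracket expression, so it does not read as the POSIX blank class that the neighbouring signatures write as [[:blank:]]. This hunk only removes the block, and CHANGES says the scripting-language signatures go to programming.sig; fix the pattern in the destination file rather than carrying it over verbatim. The numbered names file-javascript2 through file-javascript6 could also get descriptive names during the move, as file-magic-auto352 did when it became file-rpm.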
@ -390,26 +286,6 @@ signature file-msqm {
file-magic /^MSQM/
}
signature file-elf-object {
file-mime "application/x-object", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
}
signature file-elf {
file-mime "application/x-executable", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
}
signature file-elf-sharedlib {
file-mime "application/x-sharedlib", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
}
signature file-elf-coredump {
file-mime "application/x-coredump", 50
file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
}
signature file-vim-tmp {
file-mime "application/x-vim-tmp", 100
file-magic /^b0VIM/
@ -420,3 +296,10 @@ signature file-windows-minidump {
file-mime "application/x-windows-minidump", 50
file-magic /^MDMP/
}
# ISO 9660 disk image
signature file-iso9660 {
file-mime "application/x-iso9660-image", 99
file-magic /CD001/
}
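Review bot: file-iso9660 matches the bare five bytes /CD001/ with no anchor or offset, at a strength of 99. In an ISO 9660 image that identifier sits in the volume descriptor at byte offset 32769, not at the start of the file, so please confirm that the data handed to file-magic matching reaches that far, and that other content which merely contains "CD001" early on is not labelled a disk image. A btest with a minimal sample image and one negative sample would settle both questions.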


@ -0,0 +1,31 @@
signature file-jar {
file-mime "application/java-archive", 100
file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/
}
signature file-java-applet {
file-mime "application/x-java-applet", 71
file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
}
# JAR compressed with pack200
signature file-jar-pack200 {
file-mime "application/x-java-pack200", 1
file-magic /^\xca\xfe\xd0\x0d./
}
# Java Web Start file.
signature file-jnlp {
file-magic /^\<jnlp\x20/
file-mime "application/x-java-jnlp-file", 100
}
signature file-java-keystore {
file-mime "application/x-java-keystore", 70
file-magic /^\xfe\xed\xfe\xed/
}
signature file-java-jce-keystore {
file-mime "application/x-java-jce-keystore", 70
file-magic /^\xce\xce\xce\xce/
}
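Review bot: file-jar-pack200 is given strength 1 while the two keystore signatures below it, which also rest on four fixed bytes, get 70, and nothing in the file says why; add a comment or pick a strength in line with the neighbours. In file-java-applet the version class [\x2d-\x34] ends at 0x34, which is class-file major version 52 (Java 8), so class files from newer compilers will not match; widen the range or note the limit in a comment while the signature is being moved.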


@ -155,12 +155,6 @@ signature file-magic-auto53 {
file-magic /(MAS\x5fUTrack\x5fV00)(\x2f0)/
}
# >0 string,=!<arch>\ndebian (len=14), [""], swap_endian=0
signature file-magic-auto54 {
file-mime "application/x-debian-package", 171
file-magic /(\x21\x3carch\x3e\x0adebian)/
}
# >0 string,=II\032\000\000\000HEAPCCDR (len=14), ["Canon CIFF raw image data"], swap_endian=0
signature file-magic-auto55 {
file-mime "image/x-canon-crw", 170
@ -609,12 +603,6 @@ signature file-magic-auto203 {
# file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xff])(.{1037})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/
#}
# >0 string,=;ELC (len=4), [""], swap_endian=0
# >>4 byte&,<0x20, ["Emacs/XEmacs v%d byte-compiled Lisp data"], swap_endian=0
signature file-magic-auto223 {
file-mime "application/x-elc", 10
file-magic /(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>4 byte&,=0x14, [""], swap_endian=0
@ -640,174 +628,6 @@ signature file-magic-auto226 {
# file-magic /(.{4})(.{7})(.{2})(.*)(.{2})(.*)(.{2})(.{8})([\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{32})(FAT16)(.{4})/
#}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=text (len=4), [""], swap_endian=0
# >>>>>77 byte&,!0x2d, ["Text"], swap_endian=0
signature file-magic-auto228 {
file-mime "application/vnd.oasis.opendocument.text", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=text (len=4), [""], swap_endian=0
# >>>>>77 string,=-template (len=9), ["Text Template"], swap_endian=0
signature file-magic-auto229 {
file-mime "application/vnd.oasis.opendocument.text-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=text (len=4), [""], swap_endian=0
# >>>>>77 string,=-web (len=4), ["HTML Document Template"], swap_endian=0
signature file-magic-auto230 {
file-mime "application/vnd.oasis.opendocument.text-web", 70
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=text (len=4), [""], swap_endian=0
# >>>>>77 string,=-master (len=7), ["Master Document"], swap_endian=0
signature file-magic-auto231 {
file-mime "application/vnd.oasis.opendocument.text-master", 100
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=graphics (len=8), [""], swap_endian=0
# >>>>>81 byte&,!0x2d, ["Drawing"], swap_endian=0
signature file-magic-auto232 {
file-mime "application/vnd.oasis.opendocument.graphics", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=graphics (len=8), [""], swap_endian=0
# >>>>>81 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto233 {
file-mime "application/vnd.oasis.opendocument.graphics-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=presentation (len=12), [""], swap_endian=0
# >>>>>85 byte&,!0x2d, ["Presentation"], swap_endian=0
signature file-magic-auto234 {
file-mime "application/vnd.oasis.opendocument.presentation", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=presentation (len=12), [""], swap_endian=0
# >>>>>85 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto235 {
file-mime "application/vnd.oasis.opendocument.presentation-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=spreadsheet (len=11), [""], swap_endian=0
# >>>>>84 byte&,!0x2d, ["Spreadsheet"], swap_endian=0
signature file-magic-auto236 {
file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=spreadsheet (len=11), [""], swap_endian=0
# >>>>>84 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto237 {
file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=chart (len=5), [""], swap_endian=0
# >>>>>78 byte&,!0x2d, ["Chart"], swap_endian=0
signature file-magic-auto238 {
file-mime "application/vnd.oasis.opendocument.chart", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=chart (len=5), [""], swap_endian=0
# >>>>>78 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto239 {
file-mime "application/vnd.oasis.opendocument.chart-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=formula (len=7), [""], swap_endian=0
# >>>>>80 byte&,!0x2d, ["Formula"], swap_endian=0
signature file-magic-auto240 {
file-mime "application/vnd.oasis.opendocument.formula", 1110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=formula (len=7), [""], swap_endian=0
# >>>>>80 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto241 {
file-mime "application/vnd.oasis.opendocument.formula-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=database (len=8), ["Database"], swap_endian=0
signature file-magic-auto242 {
file-mime "application/vnd.oasis.opendocument.database", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=image (len=5), [""], swap_endian=0
# >>>>>78 byte&,!0x2d, ["Image"], swap_endian=0
signature file-magic-auto243 {
file-mime "application/vnd.oasis.opendocument.image", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
# >>>>73 string,=image (len=5), [""], swap_endian=0
# >>>>>78 string,=-template (len=9), ["Template"], swap_endian=0
signature file-magic-auto244 {
file-mime "application/vnd.oasis.opendocument.image-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
}
# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
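Review bot: file-magic-auto240 in this hunk carries strength 1110 for application/vnd.oasis.opendocument.formula, while the other non-template OpenDocument entries shown here use 110 and the renamed file-opendocument-formula entry elsewhere in this commit uses 110. That looks like a typo being corrected during the move. Say so in the commit message, since it is a behaviour change folded into what otherwise reads as a pure relocation.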
@ -917,18 +737,6 @@ signature file-magic-auto293 {
file-magic /(\x0e\x03\x13\x01)/
}
# >0 belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0
signature file-magic-auto302 {
file-mime "application/x-java-keystore", 70
file-magic /(\xfe\xed\xfe\xed)/
}
# >0 belong&,=-825307442 (0xcececece), ["Java JCE KeyStore"], swap_endian=0
signature file-magic-auto303 {
file-mime "application/x-java-jce-keystore", 70
file-magic /(\xce\xce\xce\xce)/
}
## >1080 string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0
#signature file-magic-auto304 {
# file-mime "audio/x-mod", 70
@ -1264,21 +1072,6 @@ signature file-magic-auto385 {
file-magic /(OggS)/
}
# >0 belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
# >>4 byte&,x, ["%d"], swap_endian=0
signature file-magic-auto387 {
file-mime "application/x-java-pack200", 1
file-magic /(\xca\xfe\xd0\x0d)(.{1})/
}
# >0 belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
# >>4 byte&,x, ["%d"], swap_endian=0
signature file-magic-auto388 {
file-mime "application/x-java-pack200", 1
file-magic /(\xca\xfe\xd0\x0d)(.{1})/
}
## >0 search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
#signature file-magic-auto390 {
# file-mime "text/x-tex", 62
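Review bot: file-magic-auto387 and file-magic-auto388 are identical (same MIME type application/x-java-pack200, same strength 1, same pattern), so only one copy needs to survive wherever these rules are re-homed. Carrying both forward would just duplicate the match work for no gain.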
@ -1332,12 +1125,6 @@ signature file-magic-auto405 {
file-magic /(\x04\x25\x21)/
}
# >0 string,=BZh (len=3), ["bzip2 compressed data"], swap_endian=0
signature file-magic-auto406 {
file-mime "application/x-bzip2", 60
file-magic /(BZh)/
}
## >0 search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
#signature file-magic-auto412 {
# file-mime "text/x-tex", 59
@ -1380,12 +1167,6 @@ signature file-magic-auto406 {
# file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
#}
# >0 string/b,=MZ (len=2), [""], swap_endian=0
signature file-magic-auto433 {
file-mime "application/x-dosexec", 51
file-magic /(MZ)/
}
# >20 string,=45 (len=2), [""], swap_endian=0
# >>0 regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0
signature file-magic-auto460 {
@ -1620,39 +1401,6 @@ signature file-magic-auto532 {
# file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\x
ee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])(.*)([\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{26})([\x00])(.*)(.{4})(.*)(.{4})(.*)(.{4})(.{12})([\x00\x01\x02\x03\x04\x05\x06\x07])(.*)(.{2})(.{22})([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\
xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
#}
# >0 string/t,=@ (len=1), [""], swap_endian=0
# >>1 string/Wc,= echo off (len=9), ["DOS batch file text"], swap_endian=0
signature file-magic-auto573 {
file-mime "text/x-msdos-batch", 120
file-magic /(\x40)( {1,}[eE][cC][hH][oO] {1,}[oO][fF][fF])/
}
# >0 string/t,=@ (len=1), [""], swap_endian=0
# >>1 string/Wc,=echo off (len=8), ["DOS batch file text"], swap_endian=0
signature file-magic-auto574 {
file-mime "text/x-msdos-batch", 110
file-magic /(\x40)([eE][cC][hH][oO] {1,}[oO][fF][fF])/
}
# >0 string/t,=@ (len=1), [""], swap_endian=0
# >>1 string/Wc,=rem (len=3), ["DOS batch file text"], swap_endian=0
signature file-magic-auto575 {
file-mime "text/x-msdos-batch", 60
file-magic /(\x40)([rR][eE][mM])/
}
# >0 string/t,=@ (len=1), [""], swap_endian=0
# >>1 string/Wc,=set (len=4), ["DOS batch file text"], swap_endian=0
signature file-magic-auto576 {
file-mime "text/x-msdos-batch", 70
file-magic /(\x40)([sS][eE][tT] {1,})/
}
# >0 regex,=^dnl (len=5), ["M4 macro processor script text"], swap_endian=0
signature file-magic-auto578 {
file-mime "text/x-m4", 40
file-magic /(^dnl )/
}
## >0 search/4096,=(defparam (len=10), ["Lisp/Scheme program text"], swap_endian=0
#signature file-magic-auto583 {


@ -1,34 +0,0 @@
# This signature is non-specific and terrible but after
# searching for a long time there doesn't seem to be a
# better option.
signature file-msword {
file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
file-mime "application/msword", 50
}
signature file-ooxml {
file-magic /^PK\x03\x04\x14\x00\x06\x00/
file-mime "application/vnd.openxmlformats-officedocument", 50
}
signature file-docx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
}
signature file-xlsx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/
file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
}
signature file-pptx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
}
signature file-msaccess {
file-mime "application/x-msaccess", 180
file-magic /.{4}Standard (Jet|ACE) DB\x00/
}


@ -0,0 +1,118 @@
# This signature is non-specific and terrible but after
# searching for a long time there doesn't seem to be a
# better option.
signature file-msword {
file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
file-mime "application/msword", 50
}
signature file-ooxml {
file-magic /^PK\x03\x04\x14\x00\x06\x00/
file-mime "application/vnd.openxmlformats-officedocument", 50
}
signature file-docx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
}
signature file-xlsx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/
file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
}
signature file-pptx {
file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
}
signature file-msaccess {
file-mime "application/x-msaccess", 180
file-magic /.{4}Standard (Jet|ACE) DB\x00/
}
signature file-opendocument-text {
file-mime "application/vnd.oasis.opendocument.text", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-text-template {
file-mime "application/vnd.oasis.opendocument.text-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
}
signature file-opendocument-text-web {
file-mime "application/vnd.oasis.opendocument.text-web", 70
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
}
signature file-opendocument-text-master {
file-mime "application/vnd.oasis.opendocument.text-master", 100
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
}
signature file-opendocument-graphics {
file-mime "application/vnd.oasis.opendocument.graphics", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-graphics-template {
file-mime "application/vnd.oasis.opendocument.graphics-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/
}
signature file-opendocument-presentation {
file-mime "application/vnd.oasis.opendocument.presentation", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-presentation-template {
file-mime "application/vnd.oasis.opendocument.presentation-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
}
signature file-opendocument-spreadsheet {
file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-spreadsheet-template {
file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/
}
signature file-opendocument-chart {
file-mime "application/vnd.oasis.opendocument.chart", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-chart-template {
file-mime "application/vnd.oasis.opendocument.chart-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/
}
signature file-opendocument-formula {
file-mime "application/vnd.oasis.opendocument.formula", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-opendocument-formula-template {
file-mime "application/vnd.oasis.opendocument.formula-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
}
signature file-opendocument-database {
file-mime "application/vnd.oasis.opendocument.database", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
}
signature file-opendocument-image {
file-mime "application/vnd.oasis.opendocument.image", 110
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
}
signature file-image-template {
file-mime "application/vnd.oasis.opendocument.image-template", 120
file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
}
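Review bot: the last signature is named file-image-template while every other entry in this block follows the file-opendocument-<type>[-template] pattern; rename it to file-opendocument-image-template so the ID is unambiguous when it shows up in signature matches. Separately, the long byte class that follows the type name in the non-template signatures lists every value except 0x2d, and a short comment saying so ("any byte other than '-'") would make these rules much easier to audit.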


@ -0,0 +1,96 @@
signature file-shellscript {
file-mime "text/x-shellscript", 250
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(ba|tc|c|z|fa|ae|k)?sh/
}
signature file-perl {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?perl/
file-mime "text/x-perl", 60
}
signature file-ruby {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?ruby/
file-mime "text/x-ruby", 60
}
signature file-python {
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?python/
file-mime "text/x-python", 60
}
signature file-awk {
file-mime "text/x-awk", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
}
signature file-tcl {
file-mime "text/x-tcl", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
}
signature file-lua {
file-mime "text/x-lua", 49
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
}
signature file-javascript {
file-mime "application/javascript", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
}
signature file-javascript2 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
}
signature file-javascript3 {
file-mime "application/javascript", 60
# This seems to be a somewhat common idiom in javascript.
file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
}
signature file-javascript4 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
}
signature file-javascript5 {
file-mime "application/javascript", 60
file-magic /^\(function\(\)[[:blank:]\n]*\{/
}
signature file-javascript6 {
file-mime "application/javascript", 60
file-magic /^[\x0d\x0a[:blank:]]*<script>[\x0d\x0a[:blank:]]*(var|function) /
}
signature file-php {
file-mime "text/x-php", 60
file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
}
signature file-php2 {
file-magic /^.*<\?php/
file-mime "text/x-php", 40
}
signature file-batch1 {
file-mime "text/x-msdos-batch", 110
file-magic /\x40 *[eE][cC][hH][oO] {1,}[oO][fF][fF]/
}
signature file-batch2 {
file-mime "text/x-msdos-batch", 60
file-magic /\x40[rR][eE][mM]/
}
signature file-batch3 {
file-mime "text/x-msdos-batch", 70
file-magic /\x40[sS][eE][tT] {1,}/
}
# M4 macro processor script text
signature file-m4 {
file-mime "text/x-m4", 40
file-magic /^dnl /
}
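Review bot: in file-javascript4, [:blank:]? sits outside a bracket expression, so it is read as a set of the literal characters ':', 'b', 'l', 'a', 'n', 'k' rather than as the POSIX blank class. It should be [[:blank:]]? as in the neighbouring file-javascript2, file-javascript3 and file-javascript6 rules. As written, the rule would also accept input such as document.writek( and would not skip a tab before the parenthesis.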


@ -731,7 +731,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule
{
local sn_entry = matches[m];
local rule_ids = rules_by_subnets[sn_entry];
for ( rule_id in rules_by_subnets[sn_entry] )
for ( rule_id in rule_ids )
{
if ( rule_id in rules )
ret += rules[rule_id];


@ -195,7 +195,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
return openflow_match_pred(p, e, v);
}
local proto = OpenFlow::IP_TCP;
# local proto = OpenFlow::IP_TCP;
if ( e$ty == FLOW )
{
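Review bot: the local proto = OpenFlow::IP_TCP; declaration is commented out rather than deleted. If the variable is unused, drop the line so the function does not accumulate dead code; if it was disabled for another reason, the comment should say why.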


@ -2076,7 +2076,8 @@ global login_timeouts: set[string] &redef;
##
## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
type mime_header_rec: record {
name: string; ##< The header name.
original_name: string; ##< The header name (unaltered).
name: string; ##< The header name (converted to all upper-case).
value: string; ##< The header value.
};
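Review bot: original_name is added to mime_header_rec as a mandatory field (no &optional or &default), so any script that constructs a mime_header_rec itself will fail to load until it sets the new field. Either mark it &optional or call the change out in NEWS, along with the now-documented fact that name is upper-cased.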


@ -267,7 +267,7 @@ export {
["12345678-1234-abcd-ef00-01234567cffb",0x2a] = "NetrServerTrustPasswordsGet",
["12345678-1234-abcd-ef00-01234567cffb",0x2b] = "DsrGetForestTrustInformation",
["12345678-1234-abcd-ef00-01234567cffb",0x2c] = "NetrGetForestTrustInformation",
["12345678-1234-abcd-ef00-01234567cffb",0x2d] = "NetrLogonSameLogonWithFlags",
["12345678-1234-abcd-ef00-01234567cffb",0x2d] = "NetrLogonSamLogonWithFlags",
["12345678-1234-abcd-ef00-01234567cffb",0x2e] = "NetrServerGetTrustInfo",
["12345678-1234-abcd-ef00-01234567cffb",0x2f] = "unused",
["12345678-1234-abcd-ef00-01234567cffb",0x30] = "DsrUpdateReadOnlyServerDnsRecords",
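Review bot: the string for opnum 0x2d is user-visible output of this table, so any saved search or detection keyed on the old NetrLogonSameLogonWithFlags spelling will silently stop matching once NetrLogonSamLogonWithFlags is emitted instead. Mention the rename in NEWS so downstream detection content can be updated in step.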

View file

@ -336,5 +336,6 @@ function describe(rec: Info): string
(|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""),
(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
}
return "";
return "";
}

View file

@ -315,12 +315,12 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
event ssl_established(c: connection) &priority=7
{
set_session(c);
c$ssl$established = T;
}
event ssl_established(c: connection) &priority=20
{
set_session(c);
hook ssl_finishing(c);
}
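Review bot: after this change only one of the two ssl_established handlers calls set_session(c), so the other depends on handler priority for c$ssl to exist. Add a short comment on the handler that no longer calls set_session(c), stating that the &priority=20 handler runs first and initialises the session; otherwise a later priority change can reintroduce the uninitialized-field access.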

View file

@ -70,11 +70,10 @@ const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
## Returns: T if every element is between 0 and 255, inclusive, else F.
function has_valid_octets(octets: string_vec): bool
{
local num = 0;
for ( i in octets )
{
num = to_count(octets[i]);
if ( num < 0 || 255 < num )
local num = to_count(octets[i]);
if ( 255 < num )
return F;
}
return T;
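Review bot: dropping the `num < 0` test is correct for a `count`, but the remaining `255 < num` check still trusts to_count(octets[i]) to have parsed a number. to_count() yields 0 for a string it cannot parse, so a non-numeric element passes as a valid octet. Either state in the doc comment that callers must pass only digit strings (for example pieces already matched by ipv4_addr_regex), or reject elements that are not all digits inside the loop.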

View file

@ -4,7 +4,7 @@ module GLOBAL;
## Given a pattern as a string with two tildes (~~) contained in it, it will
## return a pattern with string set's elements OR'd together where the
## double-tilde was given (this function only works at or before init time).
## double-tilde was given.
##
## ss: a set of strings to OR together.
##

View file

@ -99,11 +99,6 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
local fs = get_file_analysis_stats();
local ds = get_dns_stats();
if ( zeek_is_terminating() )
# No more stats will be written or scheduled when Zeek is
# shutting down.
return;
local info: Info = [$ts=nettime,
$peer=peer_description,
$mem=ps$mem/1048576,
@ -146,6 +141,12 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
}
Log::write(Stats::LOG, info);
if ( zeek_is_terminating() )
# No more stats will be written or scheduled when Zeek is
# shutting down.
return;
schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
}
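Review bot: the relocated `zeek_is_terminating()` block keeps its old comment, which says no more stats will be written when Zeek is shutting down, but the check now sits after `Log::write(Stats::LOG, info)`, so one final record is written and only the `schedule` is skipped. Reword the comment to say exactly that, so nobody moves the check back above the write.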

View file

@ -768,9 +768,9 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
if ( tag == TYPE_ENUM )
*pval = t->AsEnumType()->GetVal(*kp);
else if ( tag == TYPE_BOOL )
*pval = {AdoptRef{}, val_mgr->GetBool(*kp)};
*pval = val_mgr->Bool(*kp);
else if ( tag == TYPE_INT )
*pval = {AdoptRef{}, val_mgr->GetInt(*kp)};
*pval = val_mgr->Int(*kp);
else
{
reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
@ -787,11 +787,11 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
switch ( tag ) {
case TYPE_COUNT:
case TYPE_COUNTER:
*pval = {AdoptRef{}, val_mgr->GetCount(*kp)};
*pval = val_mgr->Count(*kp);
break;
case TYPE_PORT:
*pval = {AdoptRef{}, val_mgr->GetPort(*kp)};
*pval = val_mgr->Port(*kp);
break;
default:

View file

@ -90,7 +90,6 @@ Connection::Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnI
vlan = pkt->vlan;
inner_vlan = pkt->inner_vlan;
conn_val = nullptr;
login_conn = nullptr;
is_active = 1;
@ -131,10 +130,7 @@ Connection::~Connection()
CancelTimers();
if ( conn_val )
{
conn_val->SetOrigin(nullptr);
Unref(conn_val);
}
delete root_analyzer;
delete encapsulation;
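Review bot: the destructor loses `conn_val->SetOrigin(nullptr)` along with the manual `Unref(conn_val)`. The Unref is covered by the IntrusivePtr member, but the origin reset is not: if ConnVal() still calls `conn_val->SetOrigin(this)`, a record that outlives the Connection through a queued event keeps a pointer to a destroyed object. Either keep the reset in the destructor or confirm that the SetOrigin call is removed in the same change.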
@ -148,7 +144,10 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
{
if ( *encapsulation != *arg_encap )
{
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
delete encapsulation;
encapsulation = new EncapsulationStack(*arg_encap);
}
@ -156,15 +155,23 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
else if ( encapsulation )
{
EncapsulationStack empty;
Event(tunnel_changed, nullptr, empty.GetVectorVal());
if ( tunnel_changed )
{
EncapsulationStack empty;
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, empty.GetVectorVal()});
}
delete encapsulation;
encapsulation = nullptr;
}
else if ( arg_encap )
{
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
encapsulation = new EncapsulationStack(*arg_encap);
}
}
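Review bot: the guarded `EnqueueEvent(tunnel_changed, nullptr, ConnVal(), IntrusivePtr{AdoptRef{}, ...})` call is now written out in all three branches of CheckEncapsulation, and each copy adopts the raw pointer from GetVectorVal() on the assumption that it hands back a new reference. Pull the call into one small helper that takes the EncapsulationStack and record the ownership assumption there, so a later change to GetVectorVal() cannot unbalance the reference count in three places at once.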
@ -203,7 +210,7 @@ void Connection::NextPacket(double t, bool is_orig,
is_successful = true;
if ( ! was_successful && is_successful && connection_successful )
EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(connection_successful, nullptr, ConnVal());
}
else
last_time = t;
@ -260,9 +267,9 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
return;
EnqueueEvent(e, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(threshold)
);
}
@ -276,21 +283,15 @@ void Connection::DeleteTimer(double /* t */)
void Connection::InactivityTimer(double t)
{
// If the inactivity_timeout is zero, there has been an active
// timeout once, but it's disabled now. We do nothing then.
if ( inactivity_timeout )
if ( last_time + inactivity_timeout <= t )
{
if ( last_time + inactivity_timeout <= t )
{
Event(connection_timeout, nullptr);
sessions->Remove(this);
++killed_by_inactivity;
}
else
ADD_TIMER(&Connection::InactivityTimer,
last_time + inactivity_timeout, 0,
TIMER_CONN_INACTIVITY);
Event(connection_timeout, nullptr);
sessions->Remove(this);
++killed_by_inactivity;
}
else
ADD_TIMER(&Connection::InactivityTimer,
last_time + inactivity_timeout, 0, TIMER_CONN_INACTIVITY);
}
void Connection::RemoveConnectionTimer(double t)
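Review bot: InactivityTimer no longer checks `inactivity_timeout` for zero, so if the timer ever fires with a zero timeout, `last_time + inactivity_timeout <= t` holds and the connection is removed as inactive. That is safe only because SetInactivityTimeout now cancels the pending timer before a zero timeout takes effect. Put that dependency in a comment in place of the one deleted here, or keep a cheap `if ( ! inactivity_timeout ) return;` guard.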
@ -301,8 +302,17 @@ void Connection::RemoveConnectionTimer(double t)
void Connection::SetInactivityTimeout(double timeout)
{
// We add a new inactivity timer even if there already is one. When
// it fires, we always use the current value to check for inactivity.
if ( timeout == inactivity_timeout )
return;
// First cancel and remove any existing inactivity timer.
for ( const auto& timer : timers )
if ( timer->Type() == TIMER_CONN_INACTIVITY )
{
timer_mgr->Cancel(timer);
break;
}
if ( timeout )
ADD_TIMER(&Connection::InactivityTimer,
last_time + timeout, 0, TIMER_CONN_INACTIVITY);
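Review bot: the cancel loop in SetInactivityTimeout stops at the first TIMER_CONN_INACTIVITY entry, so it relies on there never being more than one such timer per connection, and on the `break` directly after `timer_mgr->Cancel(timer)` in case cancelling alters `timers` while the range-for is iterating it. Both assumptions deserve a comment next to the loop, since the old comment describing the previous multi-timer behaviour is removed.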
@ -323,30 +333,35 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t)
{
EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(connection_status_update, nullptr, ConnVal());
ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE);
}
RecordVal* Connection::BuildConnVal()
{
return ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Connection::ConnVal()
{
if ( ! conn_val )
{
conn_val = new RecordVal(connection_type);
conn_val = make_intrusive<RecordVal>(connection_type);
TransportProto prot_type = ConnTransport();
auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(orig_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(orig_port), prot_type));
id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type));
id_val->Assign(2, make_intrusive<AddrVal>(resp_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(resp_port), prot_type));
id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = make_intrusive<RecordVal>(endpoint);
orig_endp->Assign(0, val_mgr->GetCount(0));
orig_endp->Assign(1, val_mgr->GetCount(0));
orig_endp->Assign(4, val_mgr->GetCount(orig_flow_label));
orig_endp->Assign(0, val_mgr->Count(0));
orig_endp->Assign(1, val_mgr->Count(0));
orig_endp->Assign(4, val_mgr->Count(orig_flow_label));
const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{};
@ -355,9 +370,9 @@ RecordVal* Connection::BuildConnVal()
orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len)));
auto resp_endp = make_intrusive<RecordVal>(endpoint);
resp_endp->Assign(0, val_mgr->GetCount(0));
resp_endp->Assign(1, val_mgr->GetCount(0));
resp_endp->Assign(4, val_mgr->GetCount(resp_flow_label));
resp_endp->Assign(0, val_mgr->Count(0));
resp_endp->Assign(1, val_mgr->Count(0));
resp_endp->Assign(4, val_mgr->Count(resp_flow_label));
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len)));
@ -367,7 +382,7 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(2, std::move(resp_endp));
// 3 and 4 are set below.
conn_val->Assign(5, make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set})); // service
conn_val->Assign(6, val_mgr->GetEmptyString()); // history
conn_val->Assign(6, val_mgr->EmptyString()); // history
if ( ! uid )
uid.Set(bits_per_uid);
@ -378,25 +393,23 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(8, encapsulation->GetVectorVal());
if ( vlan != 0 )
conn_val->Assign(9, val_mgr->GetInt(vlan));
conn_val->Assign(9, val_mgr->Int(vlan));
if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->GetInt(inner_vlan));
conn_val->Assign(10, val_mgr->Int(inner_vlan));
}
if ( root_analyzer )
root_analyzer->UpdateConnVal(conn_val);
root_analyzer->UpdateConnVal(conn_val.get());
conn_val->Assign(3, make_intrusive<Val>(start_time, TYPE_TIME)); // ###
conn_val->Assign(4, make_intrusive<Val>(last_time - start_time, TYPE_INTERVAL));
conn_val->Assign(6, make_intrusive<StringVal>(history.c_str()));
conn_val->Assign(11, val_mgr->GetBool(is_successful));
conn_val->Assign(11, val_mgr->Bool(is_successful));
conn_val->SetOrigin(this);
Ref(conn_val);
return conn_val;
}
@ -417,12 +430,12 @@ analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
void Connection::AppendAddl(const char* str)
{
Unref(BuildConnVal());
const auto& cv = ConnVal();
const char* old = conn_val->Lookup(6)->AsString()->CheckString();
const char* old = cv->Lookup(6)->AsString()->CheckString();
const char* format = *old ? "%s %s" : "%s%s";
conn_val->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
cv->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
}
// Returns true if the character at s separates a version number.
@ -446,7 +459,7 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
void Connection::RemovalEvent()
{
auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()};
auto cv = ConnVal();
if ( connection_state_remove )
EnqueueEvent(connection_state_remove, nullptr, cv);
@ -461,9 +474,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
return;
if ( name )
EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), ConnVal());
else
EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(f, analyzer, ConnVal());
}
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -477,12 +490,12 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
if ( v2 )
EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, v1},
IntrusivePtr{AdoptRef{}, v2});
else
EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, v1});
}
@ -590,7 +603,6 @@ void Connection::FlipRoles()
resp_flow_label = orig_flow_label;
orig_flow_label = tmp_flow;
Unref(conn_val);
conn_val = nullptr;
if ( root_analyzer )
@ -690,17 +702,17 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
if ( conn_val )
{
RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal();
endp->Assign(4, val_mgr->GetCount(flow_label));
endp->Assign(4, val_mgr->Count(flow_label));
}
if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{
EnqueueEvent(connection_flow_label_changed, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)}
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(my_flow_label),
val_mgr->Count(flow_label)
);
}

View file

@ -163,7 +163,14 @@ public:
// Activate connection_status_update timer.
void EnableStatusUpdateTimer();
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal();
/**
* Returns the associated "connection" record.
*/
const IntrusivePtr<RecordVal>& ConnVal();
void AppendAddl(const char* str);
LoginConn* AsLoginConn() { return login_conn; }
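Review bot: ConnVal() returns a const reference to the `conn_val` member, and its doc comment does not say how long that reference stays valid. FlipRoles() resets `conn_val` to nullptr, so a caller that binds `const auto& cv = ConnVal()` (as AppendAddl does) and holds it across such a call ends up looking at a null pointer. Extend the doc comment to say that callers who keep the value must copy the IntrusivePtr.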
@ -186,6 +193,7 @@ public:
// 'v1' and 'v2' reference counts get decremented. The event's first
// argument is the connection value, second argument is 'v1', and if 'v2'
// is given that will be it's third argument.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = nullptr);
// If a handler exists for 'f', an event will be generated. In any case,
@ -316,8 +324,6 @@ public:
protected:
Connection() { }
// Add the given timer to expire at time t. If do_expire
// is true, then the timer is also evaluated when Bro terminates,
// otherwise not.
@ -349,7 +355,7 @@ protected:
u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available
double start_time, last_time;
double inactivity_timeout;
RecordVal* conn_val;
IntrusivePtr<RecordVal> conn_val;
LoginConn* login_conn; // either nil, or this
const EncapsulationStack* encapsulation; // tunnels
int suppress_event; // suppress certain events to once per conn.

View file

@ -737,7 +737,7 @@ IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
r->Assign(0, make_intrusive<Val>(dm->CreationTime(), TYPE_TIME));
r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->GetBool(dm->Valid()));
r->Assign(3, val_mgr->Bool(dm->Valid()));
auto h = dm->Host();
r->Assign(4, h ? h.release() : new StringVal("<none>"));

View file

@ -683,11 +683,11 @@ IntrusivePtr<Val> BinaryExpr::Fold(Val* v1, Val* v2) const
else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return make_intrusive<Val>(d3, ret_type->Tag());
else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
return {AdoptRef{}, val_mgr->GetCount(u3)};
return val_mgr->Count(u3);
else if ( ret_type->Tag() == TYPE_BOOL )
return {AdoptRef{}, val_mgr->GetBool(i3)};
return val_mgr->Bool(i3);
else
return {AdoptRef{}, val_mgr->GetInt(i3)};
return val_mgr->Int(i3);
}
IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
@ -721,7 +721,7 @@ IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::StringFold", expr_name(tag));
}
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
@ -797,7 +797,7 @@ IntrusivePtr<Val> BinaryExpr::SetFold(Val* v1, Val* v2) const
return nullptr;
}
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
@ -831,7 +831,7 @@ IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::AddrFold", expr_name(tag));
}
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
@ -844,7 +844,7 @@ IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
if ( tag == EXPR_NE )
result = ! result;
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
void BinaryExpr::SwapOps()
@ -959,9 +959,9 @@ IntrusivePtr<Val> IncrExpr::DoSingleEval(Frame* f, Val* v) const
ret_type = Type()->YieldType();
if ( ret_type->Tag() == TYPE_INT )
return {AdoptRef{}, val_mgr->GetInt(k)};
return val_mgr->Int(k);
else
return {AdoptRef{}, val_mgr->GetCount(k)};
return val_mgr->Count(k);
}
@ -1019,7 +1019,7 @@ ComplementExpr::ComplementExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> ComplementExpr::Fold(Val* v) const
{
return {AdoptRef{}, val_mgr->GetCount(~ v->InternalUnsigned())};
return val_mgr->Count(~ v->InternalUnsigned());
}
NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
@ -1038,7 +1038,7 @@ NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> NotExpr::Fold(Val* v) const
{
return {AdoptRef{}, val_mgr->GetBool(! v->InternalInt())};
return val_mgr->Bool(! v->InternalInt());
}
PosExpr::PosExpr(IntrusivePtr<Expr> arg_op)
@ -1076,7 +1076,7 @@ IntrusivePtr<Val> PosExpr::Fold(Val* v) const
if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
return {NewRef{}, v};
else
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
return val_mgr->Int(v->CoerceToInt());
}
NegExpr::NegExpr(IntrusivePtr<Expr> arg_op)
@ -1114,7 +1114,7 @@ IntrusivePtr<Val> NegExpr::Fold(Val* v) const
else if ( v->Type()->Tag() == TYPE_INTERVAL )
return make_intrusive<IntervalVal>(- v->InternalDouble(), 1.0);
else
return {AdoptRef{}, val_mgr->GetInt(- v->CoerceToInt())};
return val_mgr->Int(- v->CoerceToInt());
}
SizeExpr::SizeExpr(IntrusivePtr<Expr> arg_op)
@ -1621,7 +1621,7 @@ IntrusivePtr<Val> BoolExpr::Eval(Frame* f) const
(! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero());
result->Assign(i, val_mgr->GetBool(local_result));
result->Assign(i, val_mgr->Bool(local_result));
}
else
result->Assign(i, nullptr);
@ -1776,9 +1776,9 @@ IntrusivePtr<Val> EqExpr::Fold(Val* v1, Val* v2) const
RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString();
if ( tag == EXPR_EQ )
return {AdoptRef{}, val_mgr->GetBool(re->MatchExactly(s))};
return val_mgr->Bool(re->MatchExactly(s));
else
return {AdoptRef{}, val_mgr->GetBool(! re->MatchExactly(s))};
return val_mgr->Bool(! re->MatchExactly(s));
}
else
@ -2973,7 +2973,7 @@ HasFieldExpr::~HasFieldExpr()
IntrusivePtr<Val> HasFieldExpr::Fold(Val* v) const
{
auto rv = v->AsRecordVal();
return {AdoptRef{}, val_mgr->GetBool(rv->Lookup(field))};
return val_mgr->Bool(rv->Lookup(field));
}
void HasFieldExpr::ExprDescribe(ODesc* d) const
@ -3486,10 +3486,10 @@ IntrusivePtr<Val> ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) cons
return make_intrusive<Val>(v->CoerceToDouble(), TYPE_DOUBLE);
case TYPE_INTERNAL_INT:
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
return val_mgr->Int(v->CoerceToInt());
case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
return val_mgr->Count(v->CoerceToUnsigned());
default:
RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold");
@ -4025,7 +4025,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
{
RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString();
return {AdoptRef{}, val_mgr->GetBool(re->MatchAnywhere(s) != 0)};
return val_mgr->Bool(re->MatchAnywhere(s) != 0);
}
if ( v2->Type()->Tag() == TYPE_STRING )
@ -4036,12 +4036,12 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
// Could do better here e.g. Boyer-Moore if done repeatedly.
auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
if ( v1->Type()->Tag() == TYPE_ADDR &&
v2->Type()->Tag() == TYPE_SUBNET )
return {AdoptRef{}, val_mgr->GetBool(v2->AsSubNetVal()->Contains(v1->AsAddr()))};
return val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr()));
bool res;
@ -4050,7 +4050,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
else
res = (bool)v2->AsTableVal()->Lookup(v1, false);
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
CallExpr::CallExpr(IntrusivePtr<Expr> arg_func,
@ -4907,7 +4907,7 @@ IntrusivePtr<Val> IsExpr::Fold(Val* v) const
if ( IsError() )
return nullptr;
return {AdoptRef{}, val_mgr->GetBool(can_cast_value_to_type(v, t.get()))};
return val_mgr->Bool(can_cast_value_to_type(v, t.get()));
}
void IsExpr::ExprDescribe(ODesc* d) const

View file

@ -321,7 +321,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
{
// Can only happen for events and hooks.
assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr;
return Flavor() == FUNC_FLAVOR_HOOK ? val_mgr->True() : nullptr;
}
auto f = make_intrusive<Frame>(frame_size, this, &args);
@ -407,7 +407,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( flow == FLOW_BREAK )
{
// Short-circuit execution of remaining hook handler bodies.
result = {AdoptRef{}, val_mgr->GetFalse()};
result = val_mgr->False();
break;
}
}
@ -418,7 +418,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( Flavor() == FUNC_FLAVOR_HOOK )
{
if ( ! result )
result = {AdoptRef{}, val_mgr->GetTrue()};
result = val_mgr->True();
}
// Warn if the function returns something, but we returned from
@ -633,7 +633,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
call_stack.emplace_back(CallInfo{call_expr, this, args});
IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)};
auto result = std::move(func(parent, &args).rval);
call_stack.pop_back();
if ( result && g_trace_state.DoTrace() )
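Review bot: in `auto result = std::move(func(parent, &args).rval);` the std::move is redundant, because `.rval` of the temporary BifReturnVal is already an xvalue, and `auto` hides that the result is an IntrusivePtr<Val>. Spelling out the type and dropping the move reads more clearly and avoids redundant-move warnings.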
@ -890,3 +890,10 @@ function_ingredients::~function_ingredients()
delete inits;
}
BifReturnVal::BifReturnVal(std::nullptr_t) noexcept
{ }
BifReturnVal::BifReturnVal(Val* v) noexcept
: rval(AdoptRef{}, v)
{ }

View file

@ -188,7 +188,32 @@ private:
bool weak_closure_ref = false;
};
using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args);
/**
* A simple wrapper class to use for the return value of BIFs so that
* they may return either a Val* or IntrusivePtr<Val> (the former could
* potentially be deprecated).
*/
class BifReturnVal {
public:
template <typename T>
BifReturnVal(IntrusivePtr<T> v) noexcept
: rval(AdoptRef{}, v.release())
{ }
BifReturnVal(std::nullptr_t) noexcept;
[[deprecated("Remove in v4.1. Return an IntrusivePtr instead.")]]
BifReturnVal(Val* v) noexcept;
private:
friend class BuiltinFunc;
IntrusivePtr<Val> rval;
};
using built_in_func = BifReturnVal (*)(Frame* frame, const zeek::Args* args);
class BuiltinFunc final : public Func {
public:
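Review bot: the class comment on BifReturnVal says the raw Val* form "could potentially be deprecated", but the `BifReturnVal(Val* v)` constructor directly below already carries `[[deprecated("Remove in v4.1. Return an IntrusivePtr instead.")]]`. Update the comment to say the Val* form is deprecated, and state that this constructor adopts the caller's reference (its definition uses `rval(AdoptRef{}, v)`), since that ownership rule is what BIF authors need to know.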

View file

@ -29,8 +29,9 @@ class BroString;
#include "ZeekArgs.h"
class Val;
class Frame;
class BifReturnVal;
namespace BifFunc {
extern Val* bro_md5_hmac(Frame* frame, const zeek::Args*);
extern BifReturnVal bro_md5_hmac(Frame* frame, const zeek::Args*);
}
typedef uint64_t hash_t;
@ -195,7 +196,7 @@ private:
inline static bool seeds_initialized = false;
friend void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16]);
friend Val* BifFunc::bro_md5_hmac(Frame* frame, const zeek::Args*);
friend BifReturnVal BifFunc::bro_md5_hmac(Frame* frame, const zeek::Args*);
};
typedef enum {

158
src/IP.cc
View file

@ -50,13 +50,13 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option"));
rv->Assign(0, val_mgr->GetCount(opt->ip6o_type));
rv->Assign(0, val_mgr->Count(opt->ip6o_type));
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, val_mgr->GetCount(0));
rv->Assign(2, val_mgr->GetEmptyString());
rv->Assign(1, val_mgr->Count(0));
rv->Assign(2, val_mgr->EmptyString());
data += sizeof(uint8_t);
len -= sizeof(uint8_t);
}
@ -64,7 +64,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{
// PadN or other option
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->GetCount(opt->ip6o_len));
rv->Assign(1, val_mgr->Count(opt->ip6o_len));
rv->Assign(2, make_intrusive<StringVal>(
new BroString(data + off, opt->ip6o_len, true)));
data += opt->ip6o_len + off;
@ -86,11 +86,11 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->GetCount((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->GetCount(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->GetCount(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->GetCount(ip6->ip6_nxt));
rv->Assign(4, val_mgr->GetCount(ip6->ip6_hlim));
rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->Count(ip6->ip6_nxt));
rv->Assign(4, val_mgr->Count(ip6->ip6_hlim));
rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain )
@ -104,8 +104,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->GetCount(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->GetCount(hbh->ip6h_len));
rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->Count(hbh->ip6h_len));
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -116,8 +116,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->GetCount(dst->ip6d_nxt));
rv->Assign(1, val_mgr->GetCount(dst->ip6d_len));
rv->Assign(0, val_mgr->Count(dst->ip6d_nxt));
rv->Assign(1, val_mgr->Count(dst->ip6d_len));
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
@ -127,10 +127,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->GetCount(rt->ip6r_nxt));
rv->Assign(1, val_mgr->GetCount(rt->ip6r_len));
rv->Assign(2, val_mgr->GetCount(rt->ip6r_type));
rv->Assign(3, val_mgr->GetCount(rt->ip6r_segleft));
rv->Assign(0, val_mgr->Count(rt->ip6r_nxt));
rv->Assign(1, val_mgr->Count(rt->ip6r_len));
rv->Assign(2, val_mgr->Count(rt->ip6r_type));
rv->Assign(3, val_mgr->Count(rt->ip6r_segleft));
uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
}
@ -140,28 +140,28 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->GetCount(frag->ip6f_nxt));
rv->Assign(1, val_mgr->GetCount(frag->ip6f_reserved));
rv->Assign(2, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->GetBool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->GetCount(ntohl(frag->ip6f_ident)));
rv->Assign(0, val_mgr->Count(frag->ip6f_nxt));
rv->Assign(1, val_mgr->Count(frag->ip6f_reserved));
rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident)));
}
break;
case IPPROTO_AH:
{
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, val_mgr->GetCount(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->GetCount(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->GetCount(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->GetCount(ntohl(((uint32_t*)data)[1])));
rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1])));
if ( Length() >= 12 )
{
// Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->GetCount(ntohl(((uint32_t*)data)[2])));
rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2])));
uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
}
@ -172,8 +172,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->GetCount(ntohl(esp[0])));
rv->Assign(1, val_mgr->GetCount(ntohl(esp[1])));
rv->Assign(0, val_mgr->Count(ntohl(esp[0])));
rv->Assign(1, val_mgr->Count(ntohl(esp[1])));
}
break;
@ -182,14 +182,14 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_mob_type, "ip6_mobility_hdr"));
const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->GetCount(mob->ip6mob_payload));
rv->Assign(1, val_mgr->GetCount(mob->ip6mob_len));
rv->Assign(2, val_mgr->GetCount(mob->ip6mob_type));
rv->Assign(3, val_mgr->GetCount(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->GetCount(ntohs(mob->ip6mob_chksum)));
rv->Assign(0, val_mgr->Count(mob->ip6mob_payload));
rv->Assign(1, val_mgr->Count(mob->ip6mob_len));
rv->Assign(2, val_mgr->Count(mob->ip6mob_type));
rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum)));
RecordVal* msg = new RecordVal(hdrType(ip6_mob_msg_type, "ip6_mobility_msg"));
msg->Assign(0, val_mgr->GetCount(mob->ip6mob_type));
msg->Assign(0, val_mgr->Count(mob->ip6mob_type));
uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off;
@ -198,7 +198,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 0:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_brr"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, m);
@ -208,8 +208,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 1:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hoti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, m);
@ -219,8 +219,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 2:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_coti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, m);
@ -230,9 +230,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 3:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, m);
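Review bot: the ntohll() arguments in case 3 dereference a uint64_t* formed from msg_data + sizeof(uint16_t), so the 64-bit loads happen at a 2-byte offset into packet data. That is a misaligned access through a cast pointer. Copying the bytes into a local uint64_t with memcpy before calling ntohll() avoids relying on the platform tolerating it.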
@ -242,9 +242,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 4:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_cot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, m);
@ -254,12 +254,12 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 5:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_bu"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, m);
@ -269,10 +269,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 6:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_back"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->GetBool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, m);
@ -282,7 +282,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 7:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_be"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr);
@ -335,12 +335,12 @@ RecordVal* IP_Hdr::BuildIPHdrVal() const
if ( ip4 )
{
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, val_mgr->GetCount(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->GetCount(ip4->ip_tos));
rval->Assign(2, val_mgr->GetCount(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->GetCount(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->GetCount(ip4->ip_ttl));
rval->Assign(5, val_mgr->GetCount(ip4->ip_p));
rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->Count(ip4->ip_tos));
rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->Count(ip4->ip_ttl));
rval->Assign(5, val_mgr->Count(ip4->ip_p));
rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
}
@ -394,15 +394,15 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, val_mgr->GetPort(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->GetPort(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->GetCount(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->GetCount(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->GetCount(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->GetCount(data_len));
tcp_hdr->Assign(6, val_mgr->GetCount(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->GetCount(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->GetCount(ntohs(tp->th_win)));
tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->Count(data_len));
tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win)));
pkt_hdr->Assign(sindex + 2, tcp_hdr);
break;
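Review bot: data_len is a signed int computed as PayloadLen() - tcp_hdr_len and is then passed to val_mgr->Count(), which takes a uint64_t. A TCP header whose th_off claims more bytes than the payload holds makes data_len negative, and the script layer would then see a very large count in field 5. Clamp to zero or report the condition before the Assign(5, ...) call.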
@ -413,9 +413,9 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->GetCount(ntohs(up->uh_ulen)));
udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen)));
pkt_hdr->Assign(sindex + 3, udp_hdr);
break;
@ -426,7 +426,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp_type));
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr);
break;
@ -437,7 +437,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp6_type));
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr);
break;
@ -696,7 +696,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->GetCount(type));
ext_hdr->Assign(0, val_mgr->Count(type));
switch (type) {
case IPPROTO_HOPOPTS:

View file

@ -223,8 +223,13 @@ void expire_timers(iosource::PktSrc* src_ps)
void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps)
{
if ( ! bro_start_network_time )
{
bro_start_network_time = t;
if ( network_time_init )
mgr.Enqueue(network_time_init, zeek::Args{});
}
// network_time never goes back.
net_update_time(timer_mgr->Time() < t ? t : timer_mgr->Time());

View file

@ -171,8 +171,7 @@ bool HashVal::Init()
IntrusivePtr<StringVal> HashVal::Get()
{
if ( ! valid )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
auto result = DoGet();
valid = false;
@ -203,7 +202,7 @@ bool HashVal::DoFeed(const void*, size_t)
IntrusivePtr<StringVal> HashVal::DoGet()
{
assert(! "missing implementation of DoGet()");
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
return val_mgr->EmptyString();
}
HashVal::HashVal(OpaqueType* t) : OpaqueVal(t)
@ -275,7 +274,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> MD5Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[MD5_DIGEST_LENGTH];
hash_final(ctx, digest);
@ -395,8 +394,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA1Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[SHA_DIGEST_LENGTH];
hash_final(ctx, digest);
@ -519,8 +517,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA256Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[SHA256_DIGEST_LENGTH];
hash_final(ctx, digest);

View file

@ -355,7 +355,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl)
return;
}
WeirdHelper(conn_weird, {conn->BuildConnVal(), new StringVal(addl)},
WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)},
"%s", name);
}
@ -492,7 +492,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));
if ( conn )
vl.emplace_back(AdoptRef{}, conn->BuildConnVal());
vl.emplace_back(conn->ConnVal());
if ( addl )
for ( auto v : *addl )

View file

@ -24,7 +24,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
mgr.Enqueue(signature_match,
IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
make_intrusive<StringVal>(msg),
data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}
data ? make_intrusive<StringVal>(len, (const char*)data) : val_mgr->EmptyString()
);
}

View file

@ -174,7 +174,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
if ( data )
args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
else
args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
args.emplace_back(val_mgr->EmptyString());
bool result = false;

View file

@ -81,9 +81,9 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
{
RecordVal* val = new RecordVal(signature_state);
val->Assign(0, make_intrusive<StringVal>(rule->ID()));
val->Assign(1, state->GetAnalyzer()->BuildConnVal());
val->Assign(2, val_mgr->GetBool(state->is_orig));
val->Assign(3, val_mgr->GetCount(state->payload_size));
val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->Bool(state->is_orig));
val->Assign(3, val_mgr->Count(state->payload_size));
return val;
}

View file

@ -691,12 +691,14 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, nullptr, pkt_hdr_val);
conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->ConnVal(),
IntrusivePtr{AdoptRef{}, pkt_hdr_val});
}
if ( new_packet )
conn->Event(new_packet, nullptr,
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
conn->EnqueueEvent(new_packet, nullptr, conn->ConnVal(), pkt_hdr_val ?
IntrusivePtr{NewRef{}, pkt_hdr_val} :
IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content, pkt);
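Review bot: pkt_hdr_val is adopted into a temporary IntrusivePtr for the ipv6_ext_headers event and then used again as a raw pointer in IntrusivePtr{NewRef{}, pkt_hdr_val} for new_packet. The second use is only valid while the queued first event still holds its reference. Keeping pkt_hdr_val as an IntrusivePtr local and passing copies to both EnqueueEvent() calls would make the lifetime explicit and remove the AdoptRef/NewRef branching.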

View file

@ -95,13 +95,13 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
auto align_val = make_intrusive<RecordVal>(sw_align_type);
align_val->Assign(0, make_intrusive<StringVal>(new BroString(*align.string)));
align_val->Assign(1, val_mgr->GetCount(align.index));
align_val->Assign(1, val_mgr->Count(align.index));
aligns->Assign(j + 1, std::move(align_val));
}
st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->GetBool(bst->IsNewAlignment()));
st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment()));
result->Assign(i + 1, std::move(st_val));
}
}

View file

@ -314,7 +314,7 @@ void ProfileLogger::Log()
Ref(file);
mgr.Dispatch(new Event(profiling_update, {
make_intrusive<Val>(file),
{AdoptRef{}, val_mgr->GetBool(expensive)},
val_mgr->Bool(expensive),
}));
}
}
@ -374,7 +374,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
mgr.Enqueue(load_sample,
IntrusivePtr{NewRef{}, load_samples},
make_intrusive<IntervalVal>(dtime, Seconds),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)}
val_mgr->Int(dmem)
);
}

View file

@ -1232,8 +1232,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
// Set the loop variable to the current index, and make
// another pass over the loop body.
f->SetElement((*loop_vars)[0],
val_mgr->GetCount(i));
f->SetElement((*loop_vars)[0], val_mgr->Count(i).release());
flow = FLOW_NEXT;
ret = body->Exec(f, flow);

View file

@ -93,7 +93,7 @@ void TimerMgr::Process()
// pseudo-realtime), advance the timer here to the current time since otherwise it won't
// move forward and the timers won't fire correctly.
iosource::PktSrc* pkt_src = iosource_mgr->GetPktSrc();
if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live )
if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live || net_is_processing_suspended() )
net_update_time(current_time());
// Just advance the timer manager based on the current network time. This won't actually

View file

@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(src_port), proto));
id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(dst_port), proto));
id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
rv->Assign(0, std::move(id_val));
rv->Assign(1, BifType::Enum::Tunnel::Type->GetVal(type));

View file

@ -840,7 +840,7 @@ IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
string s = container_type_name(ft);
nr->Assign(0, make_intrusive<StringVal>(s));
nr->Assign(1, val_mgr->GetBool(logged));
nr->Assign(1, val_mgr->Bool(logged));
nr->Assign(2, fv);
nr->Assign(3, FieldDefault(i));
Val* field_name = new StringVal(FieldName(i));
@ -1615,7 +1615,12 @@ bool same_type(const BroType* t1, const BroType* t2, bool is_init, bool match_re
}
case TYPE_TYPE:
return same_type(t1, t2, is_init, match_record_field_names);
{
auto tt1 = t1->AsTypeType();
auto tt2 = t2->AsTypeType();
return same_type(tt1->Type(), tt1->Type(),
is_init, match_record_field_names);
}
case TYPE_UNION:
reporter->Error("union type in same_type()");
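Review bot: in the new TYPE_TYPE case the recursive call compares tt1->Type() with tt1->Type(), so tt2 is never used and the type is compared against itself. The second argument should be tt2->Type().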

View file

@ -506,7 +506,8 @@ public:
explicit TypeType(IntrusivePtr<BroType> t) : BroType(TYPE_TYPE), type(std::move(t)) {}
TypeType* ShallowClone() override { return new TypeType(type); }
BroType* Type() { return type.get(); }
BroType* Type() { return type.get(); }
const BroType* Type() const { return type.get(); }
protected:
IntrusivePtr<BroType> type;

View file

@ -136,6 +136,10 @@ IntrusivePtr<Val> Val::DoClone(CloneState* state)
return {NewRef{}, this};
}
if ( type->Tag() == TYPE_TYPE )
// These are immutable, essentially.
return {NewRef{}, this};
// Fall-through.
default:
@ -250,19 +254,19 @@ IntrusivePtr<Val> Val::SizeVal() const
// Return abs value. However abs() only works on ints and llabs
// doesn't work on Mac OS X 10.5. So we do it by hand
if ( val.int_val < 0 )
return {AdoptRef{}, val_mgr->GetCount(-val.int_val)};
return val_mgr->Count(-val.int_val);
else
return {AdoptRef{}, val_mgr->GetCount(val.int_val)};
return val_mgr->Count(val.int_val);
case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(val.uint_val)};
return val_mgr->Count(val.uint_val);
case TYPE_INTERNAL_DOUBLE:
return make_intrusive<Val>(fabs(val.double_val), TYPE_DOUBLE);
case TYPE_INTERNAL_OTHER:
if ( type->Tag() == TYPE_FUNC )
return {AdoptRef{}, val_mgr->GetCount(val.func_val->FType()->ArgTypes()->Types()->length())};
return val_mgr->Count(val.func_val->FType()->ArgTypes()->Types()->length());
if ( type->Tag() == TYPE_FILE )
return make_intrusive<Val>(val.file_val->Size(), TYPE_DOUBLE);
@ -272,7 +276,7 @@ IntrusivePtr<Val> Val::SizeVal() const
break;
}
return {AdoptRef{}, val_mgr->GetCount(0)};
return val_mgr->Count(0);
}
unsigned int Val::MemoryAllocation() const
@ -583,9 +587,8 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
{
auto blank = make_intrusive<StringVal>("");
auto fn_val = make_intrusive<StringVal>(field_name);
auto key_val = fn_val->Substitute(re, blank.get(), false)->AsStringVal();
auto key_val = fn_val->Substitute(re, blank.get(), false);
key_str = key_val->ToStdString();
Unref(key_val);
}
else
key_str = field_name;
@ -732,7 +735,7 @@ void IntervalVal::ValDescribe(ODesc* d) const
IntrusivePtr<Val> PortVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetInt(val.uint_val)};
return val_mgr->Int(val.uint_val);
}
uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type)
@ -851,9 +854,9 @@ unsigned int AddrVal::MemoryAllocation() const
IntrusivePtr<Val> AddrVal::SizeVal() const
{
if ( val.addr_val->GetFamily() == IPv4 )
return {AdoptRef{}, val_mgr->GetCount(32)};
return val_mgr->Count(32);
else
return {AdoptRef{}, val_mgr->GetCount(128)};
return val_mgr->Count(128);
}
IntrusivePtr<Val> AddrVal::DoClone(CloneState* state)
@ -979,7 +982,7 @@ StringVal::StringVal(const string& s) : StringVal(s.length(), s.data())
IntrusivePtr<Val> StringVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(val.string_val->Len())};
return val_mgr->Count(val.string_val->Len());
}
int StringVal::Len()
@ -1024,7 +1027,7 @@ unsigned int StringVal::MemoryAllocation() const
return padded_sizeof(*this) + val.string_val->MemoryAllocation();
}
Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
IntrusivePtr<StringVal> StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
{
const u_char* s = Bytes();
int offset = 0;
@ -1105,7 +1108,7 @@ Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
// the NUL.
r[0] = '\0';
return new StringVal(new BroString(true, result, r - result));
return make_intrusive<StringVal>(new BroString(true, result, r - result));
}
IntrusivePtr<Val> StringVal::DoClone(CloneState* state)
@ -1193,7 +1196,7 @@ ListVal::~ListVal()
IntrusivePtr<Val> ListVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(vals.length())};
return val_mgr->Count(vals.length());
}
RE_Matcher* ListVal::BuildRE() const
@ -1564,7 +1567,7 @@ bool TableVal::Assign(Val* index, HashKey* k, Val* new_val)
IntrusivePtr<Val> TableVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(Size())};
return val_mgr->Count(Size());
}
bool TableVal::AddTo(Val* val, bool is_first_init) const
@ -2683,7 +2686,7 @@ RecordVal::~RecordVal()
IntrusivePtr<Val> RecordVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(Type()->AsRecordType()->NumFields())};
return val_mgr->Count(Type()->AsRecordType()->NumFields());
}
void RecordVal::Assign(int field, IntrusivePtr<Val> new_val)
@ -2931,7 +2934,7 @@ unsigned int RecordVal::MemoryAllocation() const
IntrusivePtr<Val> EnumVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetInt(val.int_val)};
return val_mgr->Int(val.int_val);
}
void EnumVal::ValDescribe(ODesc* d) const
@ -2968,7 +2971,7 @@ VectorVal::~VectorVal()
IntrusivePtr<Val> VectorVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(uint32_t(val.vector_val->size()))};
return val_mgr->Count(uint32_t(val.vector_val->size()));
}
bool VectorVal::Assign(unsigned int index, IntrusivePtr<Val> element)
@ -3205,7 +3208,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr;
}
else if ( t_tag == TYPE_INT )
promoted_v = {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
promoted_v = val_mgr->Int(v->CoerceToInt());
else // enum
{
reporter->InternalError("bad internal type in check_and_promote()");
@ -3221,7 +3224,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr;
}
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
promoted_v = val_mgr->Count(v->CoerceToUnsigned());
else // port
{
reporter->InternalError("bad internal type in check_and_promote()");
@ -3398,13 +3401,26 @@ bool can_cast_value_to_type(const BroType* s, BroType* t)
return false;
}
IntrusivePtr<Val> Val::MakeBool(bool b)
{
return IntrusivePtr{AdoptRef{}, new Val(bro_int_t(b), TYPE_BOOL)};
}
IntrusivePtr<Val> Val::MakeInt(bro_int_t i)
{
return IntrusivePtr{AdoptRef{}, new Val(i, TYPE_INT)};
}
IntrusivePtr<Val> Val::MakeCount(bro_uint_t u)
{
return IntrusivePtr{AdoptRef{}, new Val(u, TYPE_COUNT)};
}
ValManager::ValManager()
{
empty_string = new StringVal("");
empty_string = make_intrusive<StringVal>("");
b_false = Val::MakeBool(false);
b_true = Val::MakeBool(true);
counts = new Val*[PREALLOCATED_COUNTS];
ints = new Val*[PREALLOCATED_INTS];
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
counts[i] = Val::MakeCount(i);
@ -3418,37 +3434,16 @@ ValManager::ValManager()
auto port_type = (TransportProto)i;
for ( auto j = 0u; j < arr.size(); ++j )
arr[j] = new PortVal(PortVal::Mask(j, port_type));
arr[j] = IntrusivePtr{AdoptRef{}, new PortVal(PortVal::Mask(j, port_type))};
}
}
ValManager::~ValManager()
{
Unref(empty_string);
Unref(b_true);
Unref(b_false);
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
Unref(counts[i]);
for ( auto i = 0u; i < PREALLOCATED_INTS; ++i )
Unref(ints[i]);
delete [] counts;
delete [] ints;
for ( auto& arr : ports )
for ( auto& pv : arr )
Unref(pv);
}
StringVal* ValManager::GetEmptyString() const
{
::Ref(empty_string);
return empty_string;
return empty_string->Ref()->AsStringVal();
}
PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num, TransportProto port_type) const
{
if ( port_num >= 65536 )
{
@ -3456,22 +3451,30 @@ PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
port_num = 0;
}
auto rval = ports[port_type][port_num];
::Ref(rval);
return rval;
return ports[port_type][port_num];
}
PortVal* ValManager::GetPort(uint32_t port_num) const
PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
{
return Port(port_num, port_type)->Ref()->AsPortVal();
}
const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num) const
{
auto mask = port_num & PORT_SPACE_MASK;
port_num &= ~PORT_SPACE_MASK;
if ( mask == TCP_PORT_MASK )
return GetPort(port_num, TRANSPORT_TCP);
return Port(port_num, TRANSPORT_TCP);
else if ( mask == UDP_PORT_MASK )
return GetPort(port_num, TRANSPORT_UDP);
return Port(port_num, TRANSPORT_UDP);
else if ( mask == ICMP_PORT_MASK )
return GetPort(port_num, TRANSPORT_ICMP);
return Port(port_num, TRANSPORT_ICMP);
else
return GetPort(port_num, TRANSPORT_UNKNOWN);
return Port(port_num, TRANSPORT_UNKNOWN);
}
PortVal* ValManager::GetPort(uint32_t port_num) const
{
return Port(port_num)->Ref()->AsPortVal();
}

View file

@ -335,20 +335,9 @@ protected:
virtual void ValDescribe(ODesc* d) const;
virtual void ValDescribeReST(ODesc* d) const;
static Val* MakeBool(bool b)
{
return new Val(bro_int_t(b), TYPE_BOOL);
}
static Val* MakeInt(bro_int_t i)
{
return new Val(i, TYPE_INT);
}
static Val* MakeCount(bro_uint_t u)
{
return new Val(u, TYPE_COUNT);
}
static IntrusivePtr<Val> MakeBool(bool b);
static IntrusivePtr<Val> MakeInt(bro_int_t i);
static IntrusivePtr<Val> MakeCount(bro_uint_t u);
template<typename V>
Val(V &&v, TypeTag t) noexcept
@ -406,44 +395,79 @@ public:
ValManager();
~ValManager();
[[deprecated("Remove in v4.1. Use val_mgr->True() instead.")]]
inline Val* GetTrue() const
{ return b_true->Ref(); }
inline const IntrusivePtr<Val>& True() const
{ return b_true; }
[[deprecated("Remove in v4.1. Use val_mgr->False() instead.")]]
inline Val* GetFalse() const
{ return b_false->Ref(); }
inline const IntrusivePtr<Val>& False() const
{ return b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Bool() instead.")]]
inline Val* GetBool(bool b) const
{ return b ? b_true->Ref() : b_false->Ref(); }
inline const IntrusivePtr<Val>& Bool(bool b) const
{ return b ? b_true : b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Int() instead.")]]
inline Val* GetInt(int64_t i) const
{
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
Val::MakeInt(i).release() : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
}
inline IntrusivePtr<Val> Int(int64_t i) const
{
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST];
}
[[deprecated("Remove in v4.1. Use val_mgr->Count() instead.")]]
inline Val* GetCount(uint64_t i) const
{
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i]->Ref();
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref();
}
inline IntrusivePtr<Val> Count(uint64_t i) const
{
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i];
}
[[deprecated("Remove in v4.1. Use val_mgr->EmptyString() instead.")]]
StringVal* GetEmptyString() const;
inline const IntrusivePtr<StringVal>& EmptyString() const
{ return empty_string; }
// Port number given in host order.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num, TransportProto port_type) const;
// Port number given in host order.
const IntrusivePtr<PortVal>& Port(uint32_t port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num) const;
// Host-order port number already masked with port space protocol mask.
const IntrusivePtr<PortVal>& Port(uint32_t port_num) const;
private:
std::array<std::array<PortVal*, 65536>, NUM_PORT_SPACES> ports;
StringVal* empty_string;
Val* b_true;
Val* b_false;
Val** counts;
Val** ints;
std::array<std::array<IntrusivePtr<PortVal>, 65536>, NUM_PORT_SPACES> ports;
std::array<IntrusivePtr<Val>, PREALLOCATED_COUNTS> counts;
std::array<IntrusivePtr<Val>, PREALLOCATED_INTS> ints;
IntrusivePtr<StringVal> empty_string;
IntrusivePtr<Val> b_true;
IntrusivePtr<Val> b_false;
};
extern ValManager* val_mgr;
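Review bot: the new accessors differ in return type with no comment saying why. True(), False(), Bool(), EmptyString() and Port() return a const reference to the stored IntrusivePtr, while Int() and Count() return an IntrusivePtr by value because they may allocate through Val::MakeInt() or Val::MakeCount() for values outside the preallocated range. A short comment on each group stating this would help callers who bind the result to a reference or call .get() on it.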
@ -569,7 +593,7 @@ public:
unsigned int MemoryAllocation() const override;
Val* Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
IntrusivePtr<StringVal> Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
protected:
void ValDescribe(ODesc* d) const override;

View file

@ -690,9 +690,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
mgr.Enqueue(protocol_confirmation,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}
val_mgr->Count(id)
);
}
@ -717,9 +717,9 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
EnumVal* tval = tag.AsEnumVal();
mgr.Enqueue(protocol_violation,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)},
val_mgr->Count(id),
IntrusivePtr{AdoptRef{}, r}
);
}
@ -788,7 +788,12 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val)
RecordVal* Analyzer::BuildConnVal()
{
return conn->BuildConnVal();
return conn->ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Analyzer::ConnVal()
{
return conn->ConnVal();
}
void Analyzer::Event(EventHandlerPtr f, const char* name)
@ -798,7 +803,11 @@ void Analyzer::Event(EventHandlerPtr f, const char* name)
void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)
{
conn->Event(f, this, v1, v2);
IntrusivePtr val1{AdoptRef{}, v1};
IntrusivePtr val2{AdoptRef{}, v2};
if ( f )
conn->EnqueueEvent(f, this, conn->ConnVal(), std::move(val1), std::move(val2));
}
void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
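Review bot: val2 is passed to EnqueueEvent() unconditionally in Analyzer::Event(), but the declaration defaults v2 to nullptr, so a call with only v1 now forwards a null IntrusivePtr as an extra event argument. Include val2 in the EnqueueEvent() call only when v2 is non-null.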
@ -930,7 +939,7 @@ void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
if ( packet_contents && len > 0 )
{
BroString* cbs = new BroString(data, len, true);
Val* contents = new StringVal(cbs);
Event(packet_contents, contents);
auto contents = make_intrusive<StringVal>(cbs);
EnqueueConnEvent(packet_contents, ConnVal(), std::move(contents));
}
}

View file

@ -549,8 +549,15 @@ public:
* Convenience function that forwards directly to
* Connection::BuildConnVal().
*/
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal();
/**
* Convenience function that forwards directly to
* Connection::ConnVal().
*/
const IntrusivePtr<RecordVal>& ConnVal();
/**
* Convenience function that forwards directly to the corresponding
* Connection::Event().
@ -561,6 +568,7 @@ public:
* Convenience function that forwards directly to the corresponding
* Connection::Event().
*/
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead (note it doesn't automatically ad the connection argument).")]]
void Event(EventHandlerPtr f, Val* v1, Val* v2 = nullptr);
/**
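Review bot: typo in the deprecation message on Event(): "automatically ad the connection argument" should read "add". The doc comment above it also still says the function forwards directly to Connection::Event(), which no longer matches the EnqueueEvent() replacement the message recommends.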

View file

@ -440,15 +440,13 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( tcp_contents && ! reass )
{
auto dport = val_mgr->GetPort(ntohs(conn->RespPort()), TRANSPORT_TCP);
const auto& dport = val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP);
if ( ! reass )
reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport);
reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport.get());
if ( ! reass )
reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport);
Unref(dport);
reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport.get());
}
if ( reass )
@ -626,9 +624,10 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
parent->AddChildAnalyzer(analyzer, init);
EnumVal* tag = it->AsEnumVal();
Ref(tag);
conn->Event(scheduled_analyzer_applied, nullptr, tag);
if ( scheduled_analyzer_applied )
conn->EnqueueEvent(scheduled_analyzer_applied, nullptr,
conn->ConnVal(),
IntrusivePtr{NewRef{}, it->AsEnumVal()});
DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
analyzer_mgr->GetComponentName(*it).c_str());

View file

@ -11,41 +11,41 @@ module Analyzer;
function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__disable_all_analyzers%(%) : any
%{
analyzer_mgr->DisableAllAnalyzers();
return 0;
return nullptr;
%}
function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
%{
bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval%) : bool
%{
analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
return val_mgr->GetTrue();
return val_mgr->True();
%}
function __name%(atype: Analyzer::Tag%) : string
%{
return new StringVal(analyzer_mgr->GetComponentName(atype));
return make_intrusive<StringVal>(analyzer_mgr->GetComponentName(atype));
%}
function __tag%(name: string%) : Analyzer::Tag
%{
analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString());
return t.AsEnumVal()->Ref();
return IntrusivePtr{NewRef{}, t.AsEnumVal()};
%}

View file

@ -113,15 +113,15 @@ Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t)
switch ( t ) {
case TYPE_BOOL:
return val_mgr->GetBool(v);
return val_mgr->Bool(v)->Ref();
case TYPE_INT:
return val_mgr->GetInt(v);
return val_mgr->Int(v).release();
case TYPE_COUNT:
case TYPE_COUNTER:
return val_mgr->GetCount(v);
return val_mgr->Count(v).release();
default:
reporter->Error("bad asn1_integer_to_val tag: %s", type_name(t));
return val_mgr->GetCount(v);
return val_mgr->Count(v).release();
}
}
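
Review bot: in asn1_integer_to_val the TYPE_BOOL case hands ownership back with val_mgr->Bool(v)->Ref(), while the TYPE_INT, TYPE_COUNT and default cases use .release(). The function still returns a raw Val* that the caller has to Unref, so please add a comment on that ownership contract, or change the return type to IntrusivePtr<Val> so the four paths cannot drift apart.
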
@ -152,7 +152,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
// Underflow.
return val_mgr->GetEmptyString();
return val_mgr->EmptyString()->Ref()->AsStringVal();
for ( size_t i = 0; i < subidentifiers.size(); ++i )
{

View file

@ -120,8 +120,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg)
);
}

View file

@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg)
);
}
@ -348,7 +348,7 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
if ( bt_tracker_request )
EnqueueConnEvent(bt_tracker_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, req_val_uri},
IntrusivePtr{AdoptRef{}, req_val_headers}
);
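
Review bot: in EmitRequest, req_val_uri and req_val_headers are still passed as IntrusivePtr{AdoptRef{}, ...}, so the event takes over the analyzer's reference to each member, and nothing in this hunk shows the members being cleared afterwards the way ParseResponse does with res_val_headers = nullptr. If they are not reset, a later Unref or reuse touches an object the analyzer no longer owns. Holding the members as IntrusivePtr and passing std::move(...) would remove that risk.
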
@ -402,8 +402,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{
if ( bt_tracker_response_not_ok )
EnqueueConnEvent(bt_tracker_response_not_ok,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
ConnVal(),
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers}
);
res_val_headers = nullptr;
@ -480,7 +480,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* peer = new RecordVal(bittorrent_peer);
peer->Assign(0, make_intrusive<AddrVal>(ad));
peer->Assign(1, val_mgr->GetPort(pt, TRANSPORT_TCP));
peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(peer, nullptr);
Unref(peer);
@ -503,7 +503,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
StringVal* name_ = new StringVal(name_len, name);
benc_value->Assign(type, val_mgr->GetInt(value));
benc_value->Assign(type, val_mgr->Int(value));
res_val_benc->Assign(name_, benc_value);
Unref(name_);
@ -789,8 +789,8 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
ConnVal(),
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers},
IntrusivePtr{AdoptRef{}, res_val_peers},
IntrusivePtr{AdoptRef{}, res_val_benc}

View file

@ -61,13 +61,13 @@ flow BitTorrent_Flow(is_orig: bool) {
handshake_ok = true;
if ( ::bittorrent_peer_handshake )
{
BifEvent::generate_bittorrent_peer_handshake(
BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(reserved),
bytestring_to_val(info_hash),
bytestring_to_val(peer_id));
to_stringval(reserved),
to_stringval(info_hash),
to_stringval(peer_id));
}
connection()->bro_analyzer()->ProtocolConfirmation();
@ -79,7 +79,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_keep_alive )
{
BifEvent::generate_bittorrent_peer_keep_alive(
BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -92,7 +92,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_choke )
{
BifEvent::generate_bittorrent_peer_choke(
BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -105,7 +105,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unchoke )
{
BifEvent::generate_bittorrent_peer_unchoke(
BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -118,7 +118,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_interested )
{
BifEvent::generate_bittorrent_peer_interested(
BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -131,7 +131,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_not_interested )
{
BifEvent::generate_bittorrent_peer_not_interested(
BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -144,7 +144,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_have )
{
BifEvent::generate_bittorrent_peer_have(
BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -158,11 +158,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_bitfield )
{
BifEvent::generate_bittorrent_peer_bitfield(
BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(bitfield));
to_stringval(bitfield));
}
return true;
@ -173,7 +173,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_request )
{
BifEvent::generate_bittorrent_peer_request(
BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -188,7 +188,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_piece )
{
BifEvent::generate_bittorrent_peer_piece(
BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -203,7 +203,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_cancel )
{
BifEvent::generate_bittorrent_peer_cancel(
BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -217,11 +217,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_port )
{
BifEvent::generate_bittorrent_peer_port(
BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
val_mgr->GetPort(listen_port, TRANSPORT_TCP));
val_mgr->Port(listen_port, TRANSPORT_TCP));
}
return true;
@ -231,12 +231,12 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unknown )
{
BifEvent::generate_bittorrent_peer_unknown(
BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
id,
bytestring_to_val(data));
to_stringval(data));
}
return true;

View file

@ -51,9 +51,9 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
ConnVal(),
val_mgr->Count(threshold),
val_mgr->Bool(is_orig)
);
}
@ -93,9 +93,9 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{
EnqueueConnEvent(conn_duration_threshold_crossed,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
val_mgr->Bool(is_orig)
);
duration_thresh = 0;
}
@ -183,10 +183,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->GetCount(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->GetCount(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->GetCount(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->GetCount(resp_bytes));
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val);
}

View file

@ -35,11 +35,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return val_mgr->GetTrue();
return val_mgr->True();
%}
## Sets a threshold for connection packets, overwtiting any potential old thresholds.
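
Review bot: the doc comment on the trailing context line for set_current_conn_packets_threshold reads "overwtiting"; it should be "overwriting", matching the wording used for the duration threshold comment further down. Worth fixing while the file is being touched.
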
@ -59,11 +59,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return val_mgr->GetTrue();
return val_mgr->True();
%}
## Sets the current duration threshold for connection, overwriting any potential old
@ -81,11 +81,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return val_mgr->GetTrue();
return val_mgr->True();
%}
# Gets the current byte threshold size for a connection.
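
Review bot: the comment above get_current_conn_bytes_threshold starts with a single #, while the neighbouring BIFs in this file use ## for their descriptions. If this is meant to be the function's documentation comment, it needs the ## prefix to be treated the same way as the others.
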
@ -103,9 +103,9 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetCount(0);
return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%}
## Gets the current packet threshold size for a connection.
@ -122,9 +122,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetCount(0);
return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%}
## Gets the current duration threshold size for a connection.
@ -139,7 +139,7 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0.0, TYPE_INTERVAL);
return make_intrusive<Val>(0.0, TYPE_INTERVAL);
return new Val(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
return make_intrusive<Val>(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
%}

View file

@ -37,12 +37,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_message )
{
BifEvent::generate_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}).release());
BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}));
}
return true;
%}
@ -51,13 +51,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind )
{
BifEvent::generate_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -67,13 +67,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context )
{
BifEvent::generate_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -83,22 +83,19 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind_ack )
{
StringVal *sec_addr;
IntrusivePtr<StringVal> sec_addr;
// Remove the null from the end of the string if it's there.
if ( ${bind.sec_addr}.length() > 0 &&
*(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 )
{
sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
else
{
sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
sec_addr);
BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
std::move(sec_addr));
}
return true;
%}
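
Review bot: the unchanged null check in the dce_rpc_bind_ack handler dereferences ${bind.sec_addr}.begin() + ${bind.sec_addr}.length(), which is one past the last byte of sec_addr, not the last byte itself. The comment says the intent is to strip a trailing null, so the index should be length() - 1. As written, the test reads outside the field and the length()-1 branch is chosen based on a byte that does not belong to the string. Since both branches are being rewritten here, this is a good place to correct it.
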
@ -107,9 +104,9 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context_resp )
{
BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
}
return true;
%}
@ -118,12 +115,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_request )
{
BifEvent::generate_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
}
set_cont_id_opnum_map(${req.context_id},
@ -135,12 +132,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_response )
{
BifEvent::generate_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
}
return true;

View file

@ -1,8 +1,8 @@
refine flow DHCP_Flow += {
%member{
RecordVal* options;
VectorVal* all_options;
IntrusivePtr<RecordVal> options;
IntrusivePtr<VectorVal> all_options;
%}
%init{
@ -11,10 +11,7 @@ refine flow DHCP_Flow += {
%}
%cleanup{
Unref(options);
options = nullptr;
Unref(all_options);
all_options = nullptr;
%}
@ -22,9 +19,9 @@ refine flow DHCP_Flow += {
%{
if ( ! options )
{
options = new RecordVal(BifType::Record::DHCP::Options);
all_options = new VectorVal(index_vec);
options->Assign(0, all_options->Ref());
options = make_intrusive<RecordVal>(BifType::Record::DHCP::Options);
all_options = make_intrusive<VectorVal>(index_vec);
options->Assign(0, all_options);
}
return true;
@ -35,8 +32,7 @@ refine flow DHCP_Flow += {
init_options();
if ( code != 255 )
all_options->Assign(all_options->Size(),
val_mgr->GetCount(code));
all_options->Assign(all_options->Size(), val_mgr->Count(code));
return true;
%}
@ -57,12 +53,12 @@ refine flow DHCP_Flow += {
std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->GetCount(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->GetCount(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->GetCount(${msg.xid}));
auto dhcp_msg_val = make_intrusive<RecordVal>(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid}));
dhcp_msg_val->Assign(3, make_intrusive<Val>(secs, TYPE_INTERVAL));
dhcp_msg_val->Assign(4, val_mgr->GetCount(${msg.flags}));
dhcp_msg_val->Assign(4, val_mgr->Count(${msg.flags}));
dhcp_msg_val->Assign(5, make_intrusive<AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, make_intrusive<AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, make_intrusive<AddrVal>(htonl(${msg.siaddr})));
@ -95,14 +91,13 @@ refine flow DHCP_Flow += {
init_options();
BifEvent::generate_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
dhcp_msg_val,
options);
BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
std::move(dhcp_msg_val),
std::move(options));
options = nullptr;
Unref(all_options);
all_options = nullptr;
}

View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset}));
${context.flow}->options->Assign(25, val_mgr->Int(${v.time_offset}));
return true;
%}
};
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(6, val_mgr->GetBool(${v.forwarding} == 0 ? false : true));
${context.flow}->options->Assign(6, val_mgr->Bool(${v.forwarding} == 0 ? false : true));
return true;
%}
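
Review bot: ${v.forwarding} == 0 ? false : true in process_forwarding_option is a roundabout way to build a boolean. Since the line is being edited anyway, val_mgr->Bool(${v.forwarding} != 0) says the same thing more directly; the same applies to process_auto_config_option.
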
@ -469,7 +469,7 @@ refine flow DHCP_Flow += {
for ( int i = 0; i < num_parms; ++i )
{
uint8 param = (*plist)[i];
params->Assign(i, val_mgr->GetCount(param));
params->Assign(i, val_mgr->Count(param));
}
${context.flow}->options->Assign(13, params);
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(15, val_mgr->GetCount(${v.max_msg_size}));
${context.flow}->options->Assign(15, val_mgr->Count(${v.max_msg_size}));
return true;
%}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool
%{
RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID);
client_id->Assign(0, val_mgr->GetCount(${v.client_id.hwtype}));
client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype}));
client_id->Assign(1, make_intrusive<StringVal>(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length())));
${context.flow}->options->Assign(19, client_id);
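
Review bot: process_client_id_option still allocates with RecordVal* client_id = new RecordVal(...) and hands the raw pointer to options->Assign(19, client_id), while dhcp_msg_val and options in this same commit moved to make_intrusive<RecordVal>. Assign already accepts an IntrusivePtr (see options->Assign(0, all_options)), so using make_intrusive here and passing std::move(client_id) would make the ownership transfer explicit and avoid a leak if a return is ever added between the allocation and the Assign.
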
@ -686,9 +686,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool
%{
RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, val_mgr->GetCount(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->GetCount(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->GetCount(${v.client_fqdn.rcode2}));
client_fqdn->Assign(0, val_mgr->Count(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->Count(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->Count(${v.client_fqdn.rcode2}));
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, make_intrusive<StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -751,8 +751,8 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{
auto r = new RecordVal(BifType::Record::DHCP::SubOpt);
r->Assign(0, val_mgr->GetCount((*ptrsubopt)->code()));
r->Assign(1, bytestring_to_val((*ptrsubopt)->value()));
r->Assign(0, val_mgr->Count((*ptrsubopt)->code()));
r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, r);
++i;
@ -781,7 +781,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(23, val_mgr->GetBool(${v.auto_config} == 0 ? false : true));
${context.flow}->options->Assign(23, val_mgr->Bool(${v.auto_config} == 0 ? false : true));
return true;
%}

View file

@ -29,7 +29,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_header_block )
{
BifEvent::generate_dnp3_header_block(
BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr);
@ -42,11 +42,11 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_request_header )
{
BifEvent::generate_dnp3_application_request_header(
BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
application_control,
application_control,
fc
);
}
@ -57,7 +57,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_response_header )
{
BifEvent::generate_dnp3_application_response_header(
BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -73,7 +73,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_header )
{
BifEvent::generate_dnp3_object_header(
BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high);
@ -86,7 +86,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_prefix )
{
BifEvent::generate_dnp3_object_prefix(
BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), prefix_value);
@ -99,7 +99,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_response_data_object )
{
BifEvent::generate_dnp3_response_data_object(
BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_value);
@ -113,10 +113,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_attribute_common )
{
BifEvent::generate_dnp3_attribute_common(
BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) );
is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
}
return true;
@ -127,7 +127,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_crob )
{
BifEvent::generate_dnp3_crob(
BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -141,7 +141,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_pcb )
{
BifEvent::generate_dnp3_pcb(
BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -155,7 +155,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32wFlag )
{
BifEvent::generate_dnp3_counter_32wFlag(
BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -169,7 +169,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16wFlag )
{
BifEvent::generate_dnp3_counter_16wFlag(
BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -183,7 +183,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32woFlag )
{
BifEvent::generate_dnp3_counter_32woFlag(
BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -197,7 +197,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16woFlag )
{
BifEvent::generate_dnp3_counter_16woFlag(
BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -211,7 +211,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlag )
{
BifEvent::generate_dnp3_frozen_counter_32wFlag(
BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -225,7 +225,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlag )
{
BifEvent::generate_dnp3_frozen_counter_16wFlag(
BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -239,7 +239,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -253,7 +253,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -267,7 +267,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32woFlag )
{
BifEvent::generate_dnp3_frozen_counter_32woFlag(
BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -281,7 +281,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16woFlag )
{
BifEvent::generate_dnp3_frozen_counter_16woFlag(
BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -295,7 +295,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32wFlag )
{
BifEvent::generate_dnp3_analog_input_32wFlag(
BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -309,7 +309,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16wFlag )
{
BifEvent::generate_dnp3_analog_input_16wFlag(
BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -323,7 +323,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32woFlag )
{
BifEvent::generate_dnp3_analog_input_32woFlag(
BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -337,7 +337,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16woFlag )
{
BifEvent::generate_dnp3_analog_input_16woFlag(
BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -351,7 +351,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -365,7 +365,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -379,7 +379,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -393,7 +393,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -407,7 +407,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -421,7 +421,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -435,7 +435,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -449,7 +449,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -463,7 +463,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -477,7 +477,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -491,7 +491,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -505,7 +505,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -519,7 +519,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -533,7 +533,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -547,7 +547,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -561,7 +561,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -575,7 +575,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -589,7 +589,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
@ -603,7 +603,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -617,7 +617,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -631,7 +631,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -645,7 +645,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -659,7 +659,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -673,7 +673,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -687,7 +687,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -701,7 +701,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
@ -715,10 +715,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_file_transport )
{
BifEvent::generate_dnp3_file_transport(
BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), file_handle, block_num, bytestring_to_val(file_data));
is_orig(), file_handle, block_num, to_stringval(file_data));
}
return true;
@ -729,10 +729,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_debug_byte )
{
BifEvent::generate_dnp3_debug_byte (
BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), bytestring_to_val(debug));
is_orig(), to_stringval(debug));
}
return true;

View file

@ -49,10 +49,10 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message )
analyzer->EnqueueConnEvent(dns_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
analyzer->ConnVal(),
val_mgr->Bool(is_query),
IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
val_mgr->Count(len)
);
// There is a great deal of non-DNS traffic that runs on port 53.
@ -134,7 +134,7 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{
if ( dns_end )
analyzer->EnqueueConnEvent(dns_end,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
);
}
@ -337,7 +337,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_unknown_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
);
@ -550,7 +550,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event )
analyzer->EnqueueConnEvent(reply_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true))
@ -596,14 +596,14 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true)));
r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->GetCount(serial));
r->Assign(2, val_mgr->Count(serial));
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->EnqueueConnEvent(dns_SOA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(r)
@ -633,11 +633,11 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_MX_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
val_mgr->Count(preference)
);
return true;
@ -674,13 +674,13 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_SRV_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
val_mgr->Count(priority),
val_mgr->Count(weight),
val_mgr->Count(port)
);
return true;
@ -695,7 +695,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_EDNS_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
);
@ -772,7 +772,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
tsig.rr_error = rr_error;
analyzer->EnqueueConnEvent(dns_TSIG_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
);
@ -873,7 +873,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signature = sign;
analyzer->EnqueueConnEvent(dns_RRSIG,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
@ -968,7 +968,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.public_key = key;
analyzer->EnqueueConnEvent(dns_DNSKEY,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
@ -1020,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
if ( dns_NSEC )
analyzer->EnqueueConnEvent(dns_NSEC,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
@ -1106,7 +1106,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.bitmaps = char_strings;
analyzer->EnqueueConnEvent(dns_NSEC3,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
@ -1166,7 +1166,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_val = ds_digest;
analyzer->EnqueueConnEvent(dns_DS,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
@ -1189,7 +1189,7 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_A_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(htonl(addr))
@ -1225,7 +1225,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
if ( event && ! msg->skip_event )
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(addr)
@ -1299,7 +1299,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
if ( dns_TXT_reply )
analyzer->EnqueueConnEvent(dns_TXT_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
@ -1327,7 +1327,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
if ( dns_SPF_reply )
analyzer->EnqueueConnEvent(dns_SPF_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
@ -1368,10 +1368,10 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
if ( dns_CAA_reply )
analyzer->EnqueueConnEvent(dns_CAA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
val_mgr->Count(flags),
make_intrusive<StringVal>(tag),
make_intrusive<StringVal>(value)
);
@ -1396,11 +1396,11 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
assert(event);
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
make_intrusive<StringVal>(question_name),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
val_mgr->Count(qtype),
val_mgr->Count(qclass)
);
}
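Review bot: `assert(event);` is the only guard on the handler visible in this hunk before `EnqueueConnEvent(event, ...)`, and it disappears in builds compiled with NDEBUG. If a caller can ever pass a null handler, add an explicit `if ( ! event ) return;` so release builds behave the same as debug builds. Otherwise, say in a comment why the handler cannot be null here.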
@ -1446,19 +1446,19 @@ Val* DNS_MsgInfo::BuildHdrVal()
{
RecordVal* r = new RecordVal(dns_msg);
r->Assign(0, val_mgr->GetCount(id));
r->Assign(1, val_mgr->GetCount(opcode));
r->Assign(2, val_mgr->GetCount(rcode));
r->Assign(3, val_mgr->GetBool(QR));
r->Assign(4, val_mgr->GetBool(AA));
r->Assign(5, val_mgr->GetBool(TC));
r->Assign(6, val_mgr->GetBool(RD));
r->Assign(7, val_mgr->GetBool(RA));
r->Assign(8, val_mgr->GetCount(Z));
r->Assign(9, val_mgr->GetCount(qdcount));
r->Assign(10, val_mgr->GetCount(ancount));
r->Assign(11, val_mgr->GetCount(nscount));
r->Assign(12, val_mgr->GetCount(arcount));
r->Assign(0, val_mgr->Count(id));
r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, val_mgr->Count(Z));
r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, val_mgr->Count(arcount));
return r;
}
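Review bot: BuildHdrVal still allocates with `new RecordVal(dns_msg)` and returns a raw `Val*`, which is why every DNS call site above keeps wrapping it as `IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}`. Converting it to `make_intrusive<RecordVal>(dns_msg)` with an intrusive-pointer return type, as this commit does for parse_port and BuildGTPv1Hdr, would remove the manual adoption at each caller and the chance of one being forgotten.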
@ -1468,10 +1468,10 @@ Val* DNS_MsgInfo::BuildAnswerVal()
RecordVal* r = new RecordVal(dns_answer);
Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
r->Assign(2, val_mgr->GetCount(atype));
r->Assign(3, val_mgr->GetCount(aclass));
r->Assign(2, val_mgr->Count(atype));
r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
return r;
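Review bot: `Ref(query_name);` followed by `r->Assign(1, query_name);` in BuildAnswerVal balances the reference count by hand, and the same pair is left in place in BuildEDNS_Val, BuildTSIG_Val, BuildRRSIG_Val, BuildDNSKEY_Val, BuildNSEC3_Val and BuildDS_Val below. Since the rest of this change moves ownership into intrusive pointers, consider holding query_name as one and passing a counted copy to Assign, so an early return or a dropped `Ref` cannot unbalance the count.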
@ -1484,14 +1484,14 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
RecordVal* r = new RecordVal(dns_edns_additional);
Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->GetCount(atype));
r->Assign(2, val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->GetCount(aclass));
r->Assign(3, val_mgr->Count(aclass));
// Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------]
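Review bot: the comment `// sender's UDP payload size, per RFC 2671 4.3` above the aclass assignment cites RFC 2671, which RFC 6891 obsoletes. Since this line is being touched anyway, update the citation so readers land on the current EDNS(0) specification.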
@ -1504,11 +1504,11 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->GetCount(return_error));
r->Assign(5, val_mgr->GetCount(version));
r->Assign(6, val_mgr->GetCount(z));
r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, val_mgr->Count(version));
r->Assign(6, val_mgr->Count(z));
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->GetCount(is_query));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
@ -1519,16 +1519,16 @@ Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
double rtime = tsig->time_s + tsig->time_ms / 1000.0;
Ref(query_name);
// r->Assign(0, val_mgr->GetCount(int(answer_type)));
// r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, make_intrusive<Val>(rtime, TYPE_TIME));
r->Assign(5, make_intrusive<Val>(double(tsig->fudge), TYPE_TIME));
r->Assign(6, val_mgr->GetCount(tsig->orig_id));
r->Assign(7, val_mgr->GetCount(tsig->rr_error));
r->Assign(8, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
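Review bot: the commented-out `// r->Assign(0, val_mgr->Count(int(answer_type)));` at the top of BuildTSIG_Val was renamed along with the live code but is still dead, and it contradicts the live `r->Assign(0, query_name);` directly below it. Delete the comment rather than keeping it in sync.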
@ -1539,17 +1539,17 @@ Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(rrsig->type_covered));
r->Assign(3, val_mgr->GetCount(rrsig->algorithm));
r->Assign(4, val_mgr->GetCount(rrsig->labels));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, make_intrusive<Val>(double(rrsig->sig_exp), TYPE_TIME));
r->Assign(7, make_intrusive<Val>(double(rrsig->sig_incep), TYPE_TIME));
r->Assign(8, val_mgr->GetCount(rrsig->key_tag));
r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, val_mgr->GetCount(is_query));
r->Assign(11, val_mgr->Count(is_query));
return r;
}
@ -1560,12 +1560,12 @@ Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(dnskey->dflags));
r->Assign(3, val_mgr->GetCount(dnskey->dprotocol));
r->Assign(4, val_mgr->GetCount(dnskey->dalgorithm));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(is_query));
return r;
}
@ -1576,16 +1576,16 @@ Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(nsec3->nsec_flags));
r->Assign(3, val_mgr->GetCount(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->GetCount(nsec3->nsec_iter));
r->Assign(5, val_mgr->GetCount(nsec3->nsec_salt_len));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->GetCount(nsec3->nsec_hlen));
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(9, nsec3->bitmaps);
r->Assign(10, val_mgr->GetCount(is_query));
r->Assign(10, val_mgr->Count(is_query));
return r;
}
@ -1596,12 +1596,12 @@ Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(ds->key_tag));
r->Assign(3, val_mgr->GetCount(ds->algorithm));
r->Assign(4, val_mgr->GetCount(ds->digest_type));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(is_query));
return r;
}

View file

@ -80,7 +80,7 @@ void File_Analyzer::Identify()
if ( file_transferred )
EnqueueConnEvent(file_transferred,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(buffer_len, buffer),
make_intrusive<StringVal>("<unknown>"),
make_intrusive<StringVal>(match)

View file

@ -68,8 +68,8 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request )
EnqueueConnEvent(finger_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
ConnVal(),
val_mgr->Bool(long_cnt),
make_intrusive<StringVal>(at - line, line),
make_intrusive<StringVal>(end_of_line - host, host)
);
@ -86,7 +86,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
return;
EnqueueConnEvent(finger_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(end_of_line - line, line)
);
}

View file

@ -97,7 +97,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, cmd_str},
make_intrusive<StringVal>(end_of_line - line, line),
};
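Review bot: `cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();` still creates the value with a raw `new` and relies on `IntrusivePtr{AdoptRef{}, cmd_str}` in the initializer list to take ownership, while the first element of the same list was converted to `ConnVal()`. Building cmd_str through `make_intrusive<StringVal>(cmd_len, cmd)` and moving it into `vl` would close the window in which nothing owns the object.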
@ -176,10 +176,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
}
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
ConnVal(),
val_mgr->Count(reply_code),
make_intrusive<StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
val_mgr->Bool(cont_resp)
};
f = ftp_reply;

View file

@ -4,9 +4,9 @@ type ftp_port: record;
%%{
#include "Reporter.h"
static Val* parse_port(const char* line)
static IntrusivePtr<Val> parse_port(const char* line)
{
RecordVal* r = new RecordVal(BifType::Record::ftp_port);
auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int bytes[6];
if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
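Review bot: parse_port now returns `IntrusivePtr<Val>` although it always builds a `RecordVal` via `make_intrusive<RecordVal>(BifType::Record::ftp_port)`. Returning `IntrusivePtr<RecordVal>`, as BuildGTPv1Hdr does in this same commit, keeps the concrete type for callers and still converts where a `Val` is expected. The same applies to parse_eftp.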
@ -34,22 +34,22 @@ static Val* parse_port(const char* line)
}
r->Assign(0, make_intrusive<AddrVal>(htonl(addr)));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good));
}
else
{
r->Assign(0, make_intrusive<AddrVal>(uint32_t(0)));
r->Assign(1, val_mgr->GetPort(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetFalse());
r->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->False());
}
return r;
}
static Val* parse_eftp(const char* line)
static IntrusivePtr<Val> parse_eftp(const char* line)
{
RecordVal* r = new RecordVal(BifType::Record::ftp_port);
auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int net_proto = 0; // currently not used
IPAddr addr; // unspecified IPv6 address (all 128 bits zero)
@ -110,8 +110,8 @@ static Val* parse_eftp(const char* line)
}
r->Assign(0, make_intrusive<AddrVal>(addr));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good));
return r;
}
@ -206,7 +206,7 @@ function fmt_ftp_port%(a: addr, p: port%): string
{
uint32_t a = ntohl(addr[0]);
uint32_t pn = p->Port();
return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
return make_intrusive<StringVal>(fmt("%d,%d,%d,%d,%d,%d",
a >> 24, (a >> 16) & 0xff,
(a >> 8) & 0xff, a & 0xff,
pn >> 8, pn & 0xff));
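Review bot: the format string `"%d,%d,%d,%d,%d,%d"` is fed `uint32_t` expressions (`a >> 24`, `pn >> 8`, `pn & 0xff` and so on), so the conversion specifier does not match the argument type. The values are small enough that the output is unaffected, but `%u` (or explicit casts to int) would make the call correct by construction and keep format warnings quiet.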
@ -215,6 +215,6 @@ function fmt_ftp_port%(a: addr, p: port%): string
{
builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
@ARG@[0]);
return val_mgr->GetEmptyString();
return val_mgr->EmptyString();
}
%}

View file

@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
if ( Established() && gnutella_establish )
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_establish, ConnVal());
else if ( ! Established () && gnutella_not_establish )
EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_not_establish, ConnVal());
}
if ( gnutella_partial_binary_msg )
@ -72,10 +72,10 @@ void Gnutella_Analyzer::Done()
{
if ( ! p->msg_sent && p->msg_pos )
EnqueueConnEvent(gnutella_partial_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(p->msg),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
val_mgr->Bool((i == 0)),
val_mgr->Count(p->msg_pos)
);
else if ( ! p->msg_sent && p->payload_left )
@ -118,7 +118,7 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
return false;
if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_http_notify, ConnVal());
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -177,8 +177,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(ms->headers.data())
);
@ -189,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
sent_establish = 1;
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_establish, ConnVal());
}
}
}
@ -215,16 +215,16 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(p->msg_type),
val_mgr->Count(p->msg_ttl),
val_mgr->Count(p->msg_hops),
val_mgr->Count(p->msg_len),
make_intrusive<StringVal>(p->payload),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
val_mgr->Count(p->payload_len),
val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
val_mgr->Bool((p->payload_left == 0))
);
}
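Review bot: the two trailing arguments, `val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))` and `val_mgr->Bool((p->payload_left == 0))`, carry redundant double parentheses and are hard to read inline now that the wrapper is gone. Pulling them into named locals before the call would document what each flag means in the gnutella_binary_msg event.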

View file

@ -61,9 +61,9 @@ refine connection GSSAPI_Conn += {
%{
if ( gssapi_neg_result )
{
BifEvent::generate_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
}
return true;

View file

@ -4,90 +4,90 @@
%}
%code{
RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
IntrusivePtr<RecordVal> BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
auto rv = make_intrusive<RecordVal>(BifType::Record::gtpv1_hdr);
rv->Assign(0, val_mgr->GetCount(pdu->version()));
rv->Assign(1, val_mgr->GetBool(pdu->pt_flag()));
rv->Assign(2, val_mgr->GetBool(pdu->rsv()));
rv->Assign(3, val_mgr->GetBool(pdu->e_flag()));
rv->Assign(4, val_mgr->GetBool(pdu->s_flag()));
rv->Assign(5, val_mgr->GetBool(pdu->pn_flag()));
rv->Assign(6, val_mgr->GetCount(pdu->msg_type()));
rv->Assign(7, val_mgr->GetCount(pdu->length()));
rv->Assign(8, val_mgr->GetCount(pdu->teid()));
rv->Assign(0, val_mgr->Count(pdu->version()));
rv->Assign(1, val_mgr->Bool(pdu->pt_flag()));
rv->Assign(2, val_mgr->Bool(pdu->rsv()));
rv->Assign(3, val_mgr->Bool(pdu->e_flag()));
rv->Assign(4, val_mgr->Bool(pdu->s_flag()));
rv->Assign(5, val_mgr->Bool(pdu->pn_flag()));
rv->Assign(6, val_mgr->Count(pdu->msg_type()));
rv->Assign(7, val_mgr->Count(pdu->length()));
rv->Assign(8, val_mgr->Count(pdu->teid()));
if ( pdu->has_opt() )
{
rv->Assign(9, val_mgr->GetCount(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->GetCount(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->GetCount(pdu->opt_hdr()->next_type()));
rv->Assign(9, val_mgr->Count(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->Count(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->Count(pdu->opt_hdr()->next_type()));
}
return rv;
}
Val* BuildIMSI(const InformationElement* ie)
static IntrusivePtr<Val> BuildIMSI(const InformationElement* ie)
{
return val_mgr->GetCount(ie->imsi()->value());
return val_mgr->Count(ie->imsi()->value());
}
Val* BuildRAI(const InformationElement* ie)
static IntrusivePtr<Val> BuildRAI(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->GetCount(ie->rai()->mcc()));
ev->Assign(1, val_mgr->GetCount(ie->rai()->mnc()));
ev->Assign(2, val_mgr->GetCount(ie->rai()->lac()));
ev->Assign(3, val_mgr->GetCount(ie->rai()->rac()));
auto ev = make_intrusive<RecordVal>(BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->Count(ie->rai()->mcc()));
ev->Assign(1, val_mgr->Count(ie->rai()->mnc()));
ev->Assign(2, val_mgr->Count(ie->rai()->lac()));
ev->Assign(3, val_mgr->Count(ie->rai()->rac()));
return ev;
}
Val* BuildRecovery(const InformationElement* ie)
static IntrusivePtr<Val> BuildRecovery(const InformationElement* ie)
{
return val_mgr->GetCount(ie->recovery()->restart_counter());
return val_mgr->Count(ie->recovery()->restart_counter());
}
Val* BuildSelectionMode(const InformationElement* ie)
static IntrusivePtr<Val> BuildSelectionMode(const InformationElement* ie)
{
return val_mgr->GetCount(ie->selection_mode()->mode());
return val_mgr->Count(ie->selection_mode()->mode());
}
Val* BuildTEID1(const InformationElement* ie)
static IntrusivePtr<Val> BuildTEID1(const InformationElement* ie)
{
return val_mgr->GetCount(ie->teid1()->value());
return val_mgr->Count(ie->teid1()->value());
}
Val* BuildTEID_ControlPlane(const InformationElement* ie)
static IntrusivePtr<Val> BuildTEID_ControlPlane(const InformationElement* ie)
{
return val_mgr->GetCount(ie->teidcp()->value());
return val_mgr->Count(ie->teidcp()->value());
}
Val* BuildNSAPI(const InformationElement* ie)
static IntrusivePtr<Val> BuildNSAPI(const InformationElement* ie)
{
return val_mgr->GetCount(ie->nsapi()->nsapi());
return val_mgr->Count(ie->nsapi()->nsapi());
}
Val* BuildChargingCharacteristics(const InformationElement* ie)
static IntrusivePtr<Val> BuildChargingCharacteristics(const InformationElement* ie)
{
return val_mgr->GetCount(ie->charging_characteristics()->value());
return val_mgr->Count(ie->charging_characteristics()->value());
}
Val* BuildTraceReference(const InformationElement* ie)
static IntrusivePtr<Val> BuildTraceReference(const InformationElement* ie)
{
return val_mgr->GetCount(ie->trace_reference()->value());
return val_mgr->Count(ie->trace_reference()->value());
}
Val* BuildTraceType(const InformationElement* ie)
static IntrusivePtr<Val> BuildTraceType(const InformationElement* ie)
{
return val_mgr->GetCount(ie->trace_type()->value());
return val_mgr->Count(ie->trace_type()->value());
}
Val* BuildEndUserAddr(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
ev->Assign(0, val_mgr->GetCount(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->GetCount(ie->end_user_addr()->pdp_type_num()));
ev->Assign(0, val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
int len = ie->end_user_addr()->pdp_addr().length();
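Review bot: BuildEndUserAddr at the end of this hunk is left as `Val* BuildEndUserAddr(...)` with `RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);`, while every other builder in the hunk was converted to an intrusive-pointer return. Convert it too, or note why it is deferred, so callers do not have to remember which builders hand back an owned raw pointer. Separately, BuildGTPv1Hdr is the only converted builder that did not gain `static`; if that is intentional because it is used outside this file, a short comment would help.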
@ -161,7 +161,7 @@ Val* BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length();
ev->Assign(0, val_mgr->GetCount(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(0, val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(1, make_intrusive<StringVal>(new BroString(d, len, false)));
return ev;
@ -195,25 +195,25 @@ Val* BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length();
ev->Assign(0, val_mgr->GetCount(ie->private_ext()->id()));
ev->Assign(0, val_mgr->Count(ie->private_ext()->id()));
ev->Assign(1, make_intrusive<StringVal>(new BroString((const u_char*) d, len, false)));
return ev;
}
Val* BuildCause(const InformationElement* ie)
static IntrusivePtr<Val> BuildCause(const InformationElement* ie)
{
return val_mgr->GetCount(ie->cause()->value());
return val_mgr->Count(ie->cause()->value());
}
Val* BuildReorderReq(const InformationElement* ie)
static IntrusivePtr<Val> BuildReorderReq(const InformationElement* ie)
{
return val_mgr->GetBool(ie->reorder_req()->req());
return val_mgr->Bool(ie->reorder_req()->req());
}
Val* BuildChargingID(const InformationElement* ie)
static IntrusivePtr<Val> BuildChargingID(const InformationElement* ie)
{
return val_mgr->GetCount(ie->charging_id()->value());;
return val_mgr->Count(ie->charging_id()->value());;
}
Val* BuildChargingGatewayAddr(const InformationElement* ie)
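Review bot: The conversion in this hunk is partial: BuildCause, BuildReorderReq and BuildChargingID now return `IntrusivePtr<Val>`, but BuildChargingGatewayAddr at the end of the hunk is still declared `Val*`, as are BuildQoS_Profile and BuildPrivateExt in the hunk headers above. Callers therefore have to track which builders hand back an owned raw pointer and which hand back a smart pointer. Convert the remaining builders in the same change, or add a comment at the call site saying which is which. The stray `;;` in BuildChargingID was carried over to the new line and can be dropped while the line is being touched.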
@ -228,16 +228,16 @@ Val* BuildChargingGatewayAddr(const InformationElement* ie)
return 0;
}
Val* BuildTeardownInd(const InformationElement* ie)
static IntrusivePtr<Val> BuildTeardownInd(const InformationElement* ie)
{
return val_mgr->GetBool(ie->teardown_ind()->ind());
return val_mgr->Bool(ie->teardown_ind()->ind());
}
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
@ -328,8 +328,8 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -337,7 +337,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
@ -397,8 +397,8 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -406,7 +406,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
@ -475,8 +475,8 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -484,7 +484,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
@ -535,8 +535,8 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -544,7 +544,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
@ -569,8 +569,8 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -578,7 +578,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
@ -600,8 +600,8 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
%}
@ -679,7 +679,7 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_message )
BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
switch ( ${pdu.msg_type} ) {
case 16:
@ -759,8 +759,8 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_g_pdu_packet )
BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
inner->BuildPktHdrVal());
BifEvent::enqueue_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
{AdoptRef{}, inner->BuildPktHdrVal()});
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
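Review bot: In the last argument, `{AdoptRef{}, inner->BuildPktHdrVal()}` takes ownership of whatever BuildPktHdrVal() returns, and nothing in this hunk shows that the call returns a reference the caller owns. If it returns a borrowed pointer, the value is released too early. Name the type at the call site, or better, have BuildPktHdrVal() return an IntrusivePtr so the `std::move` pattern used for `rv` in the other enqueue_ calls applies here too.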

View file

@ -618,11 +618,11 @@ Val* HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
RecordVal* stat = new RecordVal(http_message_stat);
int field = 0;
stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME));
stat->Assign(field++, val_mgr->GetBool(interrupted));
stat->Assign(field++, val_mgr->Bool(interrupted));
stat->Assign(field++, make_intrusive<StringVal>(msg));
stat->Assign(field++, val_mgr->GetCount(body_length));
stat->Assign(field++, val_mgr->GetCount(content_gap_length));
stat->Assign(field++, val_mgr->GetCount(header_length));
stat->Assign(field++, val_mgr->Count(body_length));
stat->Assign(field++, val_mgr->Count(content_gap_length));
stat->Assign(field++, val_mgr->Count(header_length));
return stat;
}
@ -650,8 +650,8 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
if ( http_message_done )
GetAnalyzer()->EnqueueConnEvent(http_message_done,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
);
@ -681,8 +681,8 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity )
analyzer->EnqueueConnEvent(http_begin_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
analyzer->ConnVal(),
val_mgr->Bool(is_orig)
);
}
@ -696,8 +696,8 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity )
analyzer->EnqueueConnEvent(http_end_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
analyzer->ConnVal(),
val_mgr->Bool(is_orig)
);
current_entity = (HTTP_Entity*) entity->Parent();
@ -735,8 +735,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{
if ( http_all_headers )
analyzer->EnqueueConnEvent(http_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
@ -746,8 +746,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
StringVal* subty = current_entity->ContentSubType();
analyzer->EnqueueConnEvent(http_content_type,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{NewRef{}, ty},
IntrusivePtr{NewRef{}, subty}
);
@ -1172,13 +1172,13 @@ void HTTP_Analyzer::GenStats()
if ( http_stats )
{
auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->GetCount(num_requests));
r->Assign(1, val_mgr->GetCount(num_replies));
r->Assign(0, val_mgr->Count(num_requests));
r->Assign(1, val_mgr->Count(num_replies));
r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time);
EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
EnqueueConnEvent(http_stats, ConnVal(), std::move(r));
}
}
@ -1378,7 +1378,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
if ( http_event )
// DEBUG_MSG("%.6f http_event\n", network_time);
EnqueueConnEvent(http_event,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(category),
IntrusivePtr{AdoptRef{}, detail}
);
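Review bot: `IntrusivePtr{AdoptRef{}, detail}` still adopts the raw `StringVal* detail` parameter, so HTTP_Event consumes the caller's reference implicitly, and the hunk does not show what happens to `detail` when `http_event` has no handler. With the first argument now coming from ConnVal() as a smart pointer, consider taking `IntrusivePtr<StringVal> detail` in the signature so ownership is explicit on both paths.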
@ -1417,7 +1417,7 @@ void HTTP_Analyzer::HTTP_Request()
if ( http_request )
// DEBUG_MSG("%.6f http_request\n", network_time);
EnqueueConnEvent(http_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, request_method},
IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
@ -1429,9 +1429,9 @@ void HTTP_Analyzer::HTTP_Reply()
{
if ( http_reply )
EnqueueConnEvent(http_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
val_mgr->Count(reply_code),
reply_reason_phrase ?
IntrusivePtr{NewRef{}, reply_reason_phrase} :
make_intrusive<StringVal>("<empty>")
@ -1506,7 +1506,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg)
if ( http_connection_upgrade )
EnqueueConnEvent(http_connection_upgrade,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(upgrade_protocol)
);
}
@ -1670,8 +1670,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
DEBUG_MSG("%.6f http_header\n", network_time);
EnqueueConnEvent(http_header,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
);
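Review bot: The fourth argument adopts the return value of `mime::new_string_val(h->get_name())->ToUpper()`, not the object new_string_val() allocated, so the reference count is only right if ToUpper() returns the same StringVal it was called on. Build the upper-cased value into a local first and pass that. Also add a short comment that the argument order is original_name, then name: both are strings, so a swap would compile without complaint.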
@ -1682,9 +1683,9 @@ void HTTP_Analyzer::HTTP_EntityData(bool is_orig, BroString* entity_data)
{
if ( http_entity_data )
EnqueueConnEvent(http_entity_data,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(entity_data->Len()),
make_intrusive<StringVal>(entity_data)
);
else

View file

@ -54,7 +54,9 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
##
## is_orig: True if the header was sent by the originator of the TCP connection.
##
## name: The name of the header.
## original_name: The name of the header (unaltered).
##
## name: The name of the header (converted to all uppercase).
##
## value: The value of the header.
##
@ -64,6 +66,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
##
## .. note:: This event is also raised for headers found in nested body
## entities.
event http_header%(c: connection, is_orig: bool, original_name: string, name: string, value: string%);
event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated for HTTP headers, passing on all headers of an HTTP message at
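Review bot: Two `http_header` declarations now sit under one doc comment, one with `original_name` and one without, and the comment does not say how they relate or which one new handlers should use. Add a sentence for that, and state in the `original_name` entry that it is the header name exactly as sent by the peer, so script authors keep comparing against `name` for case-insensitive matching.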

View file

@ -31,7 +31,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
else
reporter->Error("no analyzer associated with connection record");
return 0;
return nullptr;
%}
## Unescapes all characters in a URI (decode every ``%xx`` group).
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len();
return new StringVal(analyzer::http::unescape_URI(line, line_end, 0));
return make_intrusive<StringVal>(analyzer::http::unescape_URI(line, line_end, 0));
%}
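Review bot: The third argument to `analyzer::http::unescape_URI(line, line_end, 0)` is still a bare `0`, while the previous hunk in this file replaces `return 0;` with `return nullptr;`. If that parameter is a pointer, pass `nullptr` here as well so the two hunks follow one convention.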

View file

@ -203,7 +203,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{
if ( icmp_sent )
EnqueueConnEvent(icmp_sent,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
);
@ -212,7 +212,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
BroString* payload = new BroString(data, std::min(len, caplen), false);
EnqueueConnEvent(icmp_sent_payload,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
make_intrusive<StringVal>(payload)
);
@ -228,11 +228,11 @@ RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, val_mgr->GetCount(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->GetCount(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->GetCount(len));
icmp_conn_val->Assign(5, val_mgr->GetCount(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->GetBool(icmpv6));
icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->Count(len));
icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
}
Ref(icmp_conn_val);
@ -355,18 +355,18 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
iprec->Assign(5, val_mgr->GetBool(bad_checksum));
iprec->Assign(6, val_mgr->GetBool(MF));
iprec->Assign(7, val_mgr->GetBool(DF));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
@ -414,19 +414,19 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->GetFalse());
iprec->Assign(6, val_mgr->GetBool(MF));
iprec->Assign(7, val_mgr->GetBool(DF));
iprec->Assign(5, val_mgr->False());
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
@ -474,14 +474,14 @@ void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
int size = is_orig ? request_len : reply_len;
if ( size < 0 )
{
endp->Assign(0, val_mgr->GetCount(0));
endp->Assign(1, val_mgr->GetCount(int(ICMP_INACTIVE)));
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
}
else
{
endp->Assign(0, val_mgr->GetCount(size));
endp->Assign(1, val_mgr->GetCount(int(ICMP_ACTIVE)));
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
}
}
@ -515,10 +515,10 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, false);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
val_mgr->Count(iid),
val_mgr->Count(iseq),
make_intrusive<StringVal>(payload)
);
}
@ -543,15 +543,15 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
@ -576,11 +576,11 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
@ -603,7 +603,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
@ -630,7 +630,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr),
@ -648,7 +648,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
);
@ -673,9 +673,9 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f )
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
);
}
@ -711,9 +711,9 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f )
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
);
}
@ -752,8 +752,8 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
}
RecordVal* rv = new RecordVal(icmp6_nd_option_type);
rv->Assign(0, val_mgr->GetCount(type));
rv->Assign(1, val_mgr->GetCount(length));
rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2;
@ -792,9 +792,9 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->GetCount(prefix_len));
info->Assign(1, val_mgr->GetBool(L_flag));
info->Assign(2, val_mgr->GetBool(A_flag));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
@ -825,7 +825,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, val_mgr->GetCount(ntohl(*((const uint32_t*)(data + 2)))));
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else
set_payload_field = true;
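Review bot: The changed MTU line still reads the option through `*((const uint32_t*)(data + 2))`, which dereferences a packet-buffer offset as a uint32_t with no alignment guarantee. The `caplen >= 6` check covers the length, but the cast is undefined behaviour on unaligned input and can fault on strict-alignment platforms; copy the four bytes into a local uint32_t with memcpy before calling ntohl(). The same pattern appears for valid_life and prefer_life in the previous hunk.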

View file

@ -85,9 +85,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
}
EnqueueConnEvent(ident_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP)
);
did_deliver = true;
@ -146,9 +146,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{
if ( ident_error )
EnqueueConnEvent(ident_error,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line)
);
}
@ -179,9 +179,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line);
EnqueueConnEvent(ident_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line),
make_intrusive<StringVal>(sys_type_s)
);

View file

@ -45,7 +45,7 @@ refine connection IMAP_Conn += {
bro_analyzer()->StartTLS();
if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@ -59,14 +59,15 @@ refine connection IMAP_Conn += {
if ( ! imap_capabilities )
return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
auto capv = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ )
{
const bytestring& capability = (*capabilities)[i]->cap();
capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data()));
}
BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
return true;
%}

View file

@ -235,11 +235,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_network_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers)
);
}
break;
@ -282,8 +282,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_names_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(type.c_str()),
make_intrusive<StringVal>(channel.c_str()),
std::move(set)
@ -316,11 +316,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_server_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers)
);
}
break;
@ -338,9 +338,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
channels = atoi(parts[i - 1].c_str());
EnqueueConnEvent(irc_channel_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(channels)
);
}
break;
@ -370,8 +370,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_global_users,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(eop - prefix, prefix),
make_intrusive<StringVal>(++msg)
);
@ -396,8 +396,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
@ -435,8 +435,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_whois_operator_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str())
);
}
@ -473,8 +473,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_whois_channel_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set)
);
@ -504,8 +504,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
++t;
EnqueueConnEvent(irc_channel_topic,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(t)
);
@ -538,8 +538,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[7] = parts[7].substr(1);
EnqueueConnEvent(irc_who_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
@ -547,7 +547,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
make_intrusive<StringVal>(parts[4].c_str()),
make_intrusive<StringVal>(parts[5].c_str()),
make_intrusive<StringVal>(parts[6].c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
val_mgr->Int(atoi(parts[7].c_str())),
make_intrusive<StringVal>(parts[8].c_str())
);
}
@ -560,8 +560,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436:
if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
ConnVal(),
val_mgr->Bool(orig)
);
break;
@ -570,9 +570,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator
if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Bool(code == 381)
);
break;
@ -585,10 +585,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
default:
if ( irc_reply )
EnqueueConnEvent(irc_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
val_mgr->Count(code),
make_intrusive<StringVal>(params.c_str())
);
break;
@ -656,17 +656,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<AddrVal>(htonl(raw_ip)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0)}
val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
);
}
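Review bot: `val_mgr->Count(atoi(parts[4].c_str()))` and the `parts[5]` variant feed atoi() output from message text straight into an unsigned count, so a negative or out-of-range field in the DCC message turns into a very large value in the irc_dcc_message event. Parse with strtoul or similar, check for errors and range, and fall back to 0 on failure, as the `parts.size() >= 6` branch already does for a missing field.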
@ -674,8 +672,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -699,8 +697,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
EnqueueConnEvent(irc_notice_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -723,8 +721,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
EnqueueConnEvent(irc_squery_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -737,20 +735,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' ');
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
if ( parts.size() > 0 )
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 1 )
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 2 )
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
string realname;
for ( unsigned int i = 3; i < parts.size(); i++ )
@ -772,8 +770,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
@ -794,8 +792,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
@ -812,7 +810,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
}
else
vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
vl.emplace_back(val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl));
}
@ -863,8 +861,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -923,8 +921,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -962,8 +960,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_part_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set),
make_intrusive<StringVal>(message.c_str())
@ -985,8 +983,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_quit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nickname.c_str()),
make_intrusive<StringVal>(message.c_str())
);
@ -999,8 +997,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(1);
EnqueueConnEvent(irc_nick_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(nick.c_str())
);
@ -1024,12 +1022,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[0] = parts[0].substr(1);
EnqueueConnEvent(irc_who_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
parts.size() > 0 ?
make_intrusive<StringVal>(parts[0].c_str()) :
IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
val_mgr->EmptyString(),
val_mgr->Bool(oper)
);
}
@ -1054,8 +1052,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
users = parts[0];
EnqueueConnEvent(irc_whois_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(users.c_str())
);
@ -1067,8 +1065,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
params = params.substr(1);
EnqueueConnEvent(irc_error_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
@ -1083,8 +1081,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1);
EnqueueConnEvent(irc_invite_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
@ -1098,8 +1096,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
@ -1111,8 +1109,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" )
{
EnqueueConnEvent(irc_password_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(params.c_str())
);
}
@ -1133,8 +1131,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_squit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -1147,8 +1145,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_request )
{
EnqueueConnEvent(irc_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
@ -1161,8 +1159,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_message )
{
EnqueueConnEvent(irc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
@ -1196,7 +1194,7 @@ void IRC_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( irc_starttls )
EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(irc_starttls, ConnVal());
}
vector<string> IRC_Analyzer::SplitWords(const string& input, char split)

@ -87,7 +87,9 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
}
StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype)
IntrusivePtr<StringVal> KRB_Analyzer::GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{
#ifdef USE_KRB5
if ( !krb_available )
@ -145,7 +147,7 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const
return nullptr;
}
StringVal* ret = new StringVal(cp);
auto ret = make_intrusive<StringVal>(cp);
krb5_free_unparsed_name(krb_context, cp);
krb5_free_ticket(krb_context, tkt);

@ -25,7 +25,9 @@ public:
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype);
IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype);
protected:

@ -21,7 +21,10 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return val_mgr->GetEmptyString(); }
IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{ return val_mgr->EmptyString(); }
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
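Review bot: this inline GetAuthenticationInfo returns `val_mgr->EmptyString()`, while the KRB_Analyzer implementation changed earlier in this diff returns `nullptr` on its failure path. A caller that tests the result, as the krb_ap_request handler does with `if ( authenticationinfo )`, will always take the branch for this version and assign an empty string to the ticket's field 5 instead of leaving it unset. Returning `nullptr` here would make the two versions behave the same; if the empty string is intended, a short comment saying so would help.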

@ -10,19 +10,19 @@ RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts)
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options);
rv->Assign(0, val_mgr->GetBool(opts->forwardable()));
rv->Assign(1, val_mgr->GetBool(opts->forwarded()));
rv->Assign(2, val_mgr->GetBool(opts->proxiable()));
rv->Assign(3, val_mgr->GetBool(opts->proxy()));
rv->Assign(4, val_mgr->GetBool(opts->allow_postdate()));
rv->Assign(5, val_mgr->GetBool(opts->postdated()));
rv->Assign(6, val_mgr->GetBool(opts->renewable()));
rv->Assign(7, val_mgr->GetBool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->GetBool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->GetBool(opts->renewable_ok()));
rv->Assign(10, val_mgr->GetBool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->GetBool(opts->renew()));
rv->Assign(12, val_mgr->GetBool(opts->validate()));
rv->Assign(0, val_mgr->Bool(opts->forwardable()));
rv->Assign(1, val_mgr->Bool(opts->forwarded()));
rv->Assign(2, val_mgr->Bool(opts->proxiable()));
rv->Assign(3, val_mgr->Bool(opts->proxy()));
rv->Assign(4, val_mgr->Bool(opts->allow_postdate()));
rv->Assign(5, val_mgr->Bool(opts->postdated()));
rv->Assign(6, val_mgr->Bool(opts->renewable()));
rv->Assign(7, val_mgr->Bool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->Bool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->Bool(opts->renewable_ok()));
rv->Assign(10, val_mgr->Bool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->Bool(opts->renew()));
rv->Assign(12, val_mgr->Bool(opts->validate()));
return rv;
}
@ -49,7 +49,7 @@ RecordVal* proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_an
rv->Assign(4, GetStringFromPrincipalName(element->data()->principal()));
break;
case 2:
rv->Assign(5, bytestring_to_val(element->data()->realm()->encoding()->content()));
rv->Assign(5, to_stringval(element->data()->realm()->encoding()->content()));
break;
case 3:
rv->Assign(6, GetStringFromPrincipalName(element->data()->sname()));
@ -139,19 +139,19 @@ bool proc_error_arguments(RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args
break;
// ctime/stime handled above
case 7:
rv->Assign(5, bytestring_to_val((*args)[i]->args()->crealm()->encoding()->content()));
rv->Assign(5, to_stringval((*args)[i]->args()->crealm()->encoding()->content()));
break;
case 8:
rv->Assign(6, GetStringFromPrincipalName((*args)[i]->args()->cname()));
break;
case 9:
rv->Assign(7, bytestring_to_val((*args)[i]->args()->realm()->encoding()->content()));
rv->Assign(7, to_stringval((*args)[i]->args()->realm()->encoding()->content()));
break;
case 10:
rv->Assign(8, GetStringFromPrincipalName((*args)[i]->args()->sname()));
break;
case 11:
rv->Assign(9, bytestring_to_val((*args)[i]->args()->e_text()->encoding()->content()));
rv->Assign(9, to_stringval((*args)[i]->args()->e_text()->encoding()->content()));
break;
case 12:
if ( error_code == KDC_ERR_PREAUTH_REQUIRED )
@ -180,7 +180,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
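Review bot: `{AdoptRef{}, rv}` adopts a raw `RecordVal*` from `proc_krb_kdc_req_arguments` at the call site, while the other handlers touched in this change build their records with `make_intrusive` and hand them over with `std::move`. Having `proc_krb_kdc_req_arguments` return `IntrusivePtr<RecordVal>` would remove the manual adoption here and in the krb_tgs_request handler, and would prevent a leak if an early return is ever added between the call and the enqueue.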
@ -190,7 +190,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
@ -201,9 +201,9 @@ refine connection KRB_Conn += {
%{
bro_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> RecordVal*
auto make_arg = [this, msg]() -> IntrusivePtr<RecordVal>
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::KDC_Response);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -211,7 +211,7 @@ refine connection KRB_Conn += {
if ( ${msg.padata.has_padata} )
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false));
rv->Assign(3, bytestring_to_val(${msg.client_realm.encoding.content}));
rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
rv->Assign(5, proc_ticket(${msg.ticket}));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response )
return false;
BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response )
return false;
BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -244,11 +244,11 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_error )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv, ${msg.args1}, 0);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT));
proc_error_arguments(rv, ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv);
proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
}
return true;
%}
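Review bot: both `proc_error_arguments(rv.get(), ...)` calls in the krb_error handler discard the `bool` that the function is declared to return. If that value signals a parse failure, the event is still enqueued with a partially filled record; either check it before calling `enqueue_krb_error` or, if it carries no meaning for this caller, say so in a comment.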
@ -258,16 +258,18 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_request )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->GetBool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->GetBool(${msg.ap_options.mutual_required}));
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
RecordVal* rvticket = proc_ticket(${msg.ticket});
StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo);
BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
rvticket, rv);
BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
std::move(rvticket), std::move(rv));
}
return true;
%}
@ -277,7 +279,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_response )
{
BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
}
return true;
%}
@ -287,7 +289,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_safe )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::SAFE_Msg);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -320,7 +322,7 @@ refine connection KRB_Conn += {
switch ( ${msg.safe_body.args[i].seq_meta.index} )
{
case 0:
rv->Assign(3, bytestring_to_val(${msg.safe_body.args[i].args.user_data.encoding.content}));
rv->Assign(3, to_stringval(${msg.safe_body.args[i].args.user_data.encoding.content}));
break;
case 3:
rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, TYPE_COUNT));
@ -335,7 +337,7 @@ refine connection KRB_Conn += {
break;
}
}
BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv);
BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
}
return true;
%}
@ -345,7 +347,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_priv )
{
BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
}
return true;
%}
@ -355,8 +357,8 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_cred )
{
BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
}
return true;

@ -2,21 +2,20 @@
%include ../asn1/asn1.pac
%header{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs);
IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs);
%}
%code{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
{
StringVal* atime_bytestring = bytestring_to_val(atime->time());
Val* result = GetTimeFromAsn1(atime_bytestring, usecs);
Unref(atime_bytestring);
auto atime_bytestring = to_stringval(atime->time());
auto result = GetTimeFromAsn1(atime_bytestring.get(), usecs);
return result;
}
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs)
{
time_t lResult = 0;
@ -27,7 +26,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
char * pString = (char *) atime->Bytes();
if ( lTimeLength != 15 && lTimeLength != 17 )
return 0;
return nullptr;
if (lTimeLength == 17 )
pString = pString + 2;
@ -52,7 +51,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
if ( !lResult )
lResult = 0;
return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME);
return make_intrusive<Val>(double(lResult + double(usecs/100000.0)), TYPE_TIME);
}
%}
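Review bot: in the final return, `double(usecs/100000.0)` divides by 1e5. If `usecs` is in microseconds, as the parameter name suggests, the divisor should be `1000000.0`, otherwise the fractional part of every timestamp is ten times too large. The preceding `if ( !lResult ) lResult = 0;` is also a no-op and could be dropped while this function is being touched. Separately, callers now receive a null `IntrusivePtr` for lengths other than 15 and 17, so each `Assign` that takes this result directly should be confirmed to accept a null value.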

@ -37,24 +37,24 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
case PA_PW_SALT:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), type_val);
break;
}
case PA_ENCTYPE_INFO:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info()->salt()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), type_val);
break;
}
case PA_ENCTYPE_INFO2:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info2()->salt()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), type_val);
break;
}
@ -111,8 +111,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->unknown()->content()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), type_val);
}
break;

@ -1,28 +1,28 @@
# Fundamental KRB types
%header{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname);
IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname);
VectorVal* proc_cipher_list(const Array* list);
VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list);
RecordVal* proc_ticket(const KRB_Ticket* ticket);
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket);
%}
%code{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname)
IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname)
{
if ( pname->data()->size() == 1 )
return bytestring_to_val(pname->data()[0][0]->encoding()->content());
return to_stringval(pname->data()[0][0]->encoding()->content());
if ( pname->data()->size() == 2 )
return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
return make_intrusive<StringVal>(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name
return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
return make_intrusive<StringVal>(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
return new StringVal("unknown");
return make_intrusive<StringVal>("unknown");
}
VectorVal* proc_cipher_list(const Array* list)
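Review bot: the two- and three-component branches of GetStringFromPrincipalName pass `content().begin()` cast to `char *` into `fmt("%s/%s", ...)`, which treats parsed packet bytes as NUL-terminated C strings. Unless the bytestring type guarantees a terminator, `%s` can read past the end of the field, and an embedded NUL in a name component silently truncates the principal that reaches the logs. Building the string from each component's begin and length (or using a length-bounded `%.*s`) would avoid both. The comment on the `size() == 3` branch could also state plainly that four or more components fall through to "unknown".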
@ -78,7 +78,7 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
}
case 20:
{
rv->Assign(1, bytestring_to_val(addr_bytes));
rv->Assign(1, to_stringval(addr_bytes));
return rv;
}
default:
@ -87,14 +87,15 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value);
unk->Assign(0, asn1_integer_to_val(addr->addr_type(), TYPE_COUNT));
unk->Assign(1, bytestring_to_val(addr_bytes));
unk->Assign(1, to_stringval(addr_bytes));
rv->Assign(2, unk);
return rv;
}
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
{
VectorVal* tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType());
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list)
{
auto tickets = make_intrusive<VectorVal>(internal_type("KRB::Ticket_Vector")->AsVectorType());
for ( uint i = 0; i < list->tickets()->size(); ++i )
{
KRB_Ticket* element = (*list->tickets())[i];
@ -102,20 +103,20 @@ VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
}
return tickets;
}
}
RecordVal* proc_ticket(const KRB_Ticket* ticket)
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Ticket);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket)
{
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Ticket);
rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
rv->Assign(1, to_stringval(ticket->realm()->data()->content()));
rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
rv->Assign(4, to_stringval(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
return rv;
}
}
%}
type KRB_Principal_Name = record {

@ -290,7 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
else if ( IsSkipAuthentication(line) )
{
if ( authentication_skipped )
EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(authentication_skipped, ConnVal());
state = LOGIN_STATE_SKIP;
SetSkip(true);
@ -332,19 +332,19 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
else if ( login_display && streq(name, "DISPLAY") )
EnqueueConnEvent(login_display,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
else if ( login_prompt && streq(name, "TTYPROMPT") )
EnqueueConnEvent(login_prompt,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
}
@ -420,10 +420,10 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
PopUserTextVal() : new StringVal("<none>");
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, username},
client_name ? IntrusivePtr{NewRef{}, client_name}
: IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
: val_mgr->EmptyString(),
IntrusivePtr{AdoptRef{}, password},
make_intrusive<StringVal>(line)
);
@ -443,7 +443,7 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(line)
);
}
@ -455,7 +455,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused )
EnqueueConnEvent(login_confused,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(line)
);
@ -479,7 +479,7 @@ void Login_Analyzer::ConfusionText(const char* line)
{
if ( login_confused_text )
EnqueueConnEvent(login_confused_text,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(line)
);
}
@ -593,7 +593,7 @@ Val* Login_Analyzer::PopUserTextVal()
if ( s )
return new StringVal(new BroString(true, byte_vec(s), strlen(s)));
else
return val_mgr->GetEmptyString();
return val_mgr->EmptyString()->Ref();
}
bool Login_Analyzer::MatchesTypeahead(const char* line) const
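Review bot: `return val_mgr->EmptyString()->Ref();` keeps PopUserTextVal on an owning raw `Val*`, with the reference taken by hand on one branch and a fresh `new StringVal` on the other. The caller in LoginEvent then has to remember to wrap the result with `AdoptRef{}`. Returning `IntrusivePtr<StringVal>` from PopUserTextVal would let this branch be `return val_mgr->EmptyString();` and make the ownership explicit in the signature, in line with the rest of this change.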

@ -460,7 +460,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{
if ( login_terminal )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(new BroString(terminal, len, false))
);
}

@ -172,7 +172,7 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
vl.reserve(4 + orig);
const char* line = (const char*) data;
line = skip_whitespace(line);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(ConnVal());
if ( client_name )
vl.emplace_back(NewRef{}, client_name);
@ -190,9 +190,9 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input
vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
vl.emplace_back(val_mgr->True());
else
vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
vl.emplace_back(val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl));
}

@ -245,7 +245,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{
if ( login_terminal )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(s)
);
}

@ -28,13 +28,13 @@ function get_login_state%(cid: conn_id%): count
%{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
return val_mgr->GetFalse();
return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return val_mgr->GetFalse();
return val_mgr->False();
return val_mgr->GetCount(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
return val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
%}
## Sets the login state of a connection with a login analyzer.
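Review bot: get_login_state is declared as returning `count`, but both failure paths (`! c` and `! la`) return `val_mgr->False()`, a bool value, and only the success path returns `val_mgr->Count(...)`. The rename preserves that mismatch. A script caller cannot reliably tell "no such connection" from a real state value, so consider returning a count on the error paths as well and documenting which value means "not found".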
@ -52,12 +52,12 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
%{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
return val_mgr->GetFalse();
return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
return val_mgr->GetTrue();
return val_mgr->True();
%}

@ -1292,8 +1292,9 @@ void MIME_Entity::DebugPrintHeaders()
RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
{
RecordVal* header_record = new RecordVal(mime_header_rec);
header_record->Assign(0, new_string_val(h->get_name())->ToUpper());
header_record->Assign(1, new_string_val(h->get_value()));
header_record->Assign(0, new_string_val(h->get_name()));
header_record->Assign(1, new_string_val(h->get_name())->ToUpper());
header_record->Assign(2, new_string_val(h->get_value()));
return header_record;
}
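Review bot: BuildHeaderVal now assigns three fields (name at index 0, upper-cased name at 1, value at 2) where it previously assigned two, which moves the value from index 1 to index 2. That is only correct if the `mime_header_rec` record type has the matching three-field layout, so please confirm the script-side definition changes together with this hunk and document the new field for users of the MIME header events. `new_string_val(h->get_name())` is also built twice; a comment on why both the original and upper-cased forms are kept would help the next reader.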
@ -1303,14 +1304,12 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
for ( unsigned int i = 0; i < hlist.size(); ++i )
{
Val* index = val_mgr->GetCount(i+1); // index starting from 1
auto index = val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i];
RecordVal* header_record = BuildHeaderVal(h);
t->Assign(index, header_record);
Unref(index);
t->Assign(index.get(), header_record);
}
return t;
@ -1366,8 +1365,8 @@ void MIME_Mail::Done()
md5_hash = nullptr;
analyzer->EnqueueConnEvent(mime_content_hash,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
analyzer->ConnVal(),
val_mgr->Count(content_hash_length),
make_intrusive<StringVal>(new BroString(true, digest, 16))
);
}
@ -1393,7 +1392,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear();
if ( mime_begin_entity )
analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_begin_entity, analyzer->ConnVal());
buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0);
@ -1406,8 +1405,8 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
BroString* s = concatenate(entity_content);
analyzer->EnqueueConnEvent(mime_entity_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
analyzer->ConnVal(),
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
@ -1418,7 +1417,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
}
if ( mime_end_entity )
analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear();
@ -1428,7 +1427,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{
if ( mime_one_header )
analyzer->EnqueueConnEvent(mime_one_header,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
);
}
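Review bot: SubmitHeader still adopts a raw pointer by hand with IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)} while the connection argument has moved to analyzer->ConnVal(). Having BuildHeaderVal return IntrusivePtr<RecordVal> (and BuildHeaderTable return an IntrusivePtr as well, for SubmitAllHeaders) would remove the manual adoption and leave a single ownership style in these calls.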
@ -1437,7 +1436,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{
if ( mime_all_headers )
analyzer->EnqueueConnEvent(mime_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
}
@ -1473,8 +1472,8 @@ void MIME_Mail::SubmitData(int len, const char* buf)
int data_len = (buf + len) - data;
analyzer->EnqueueConnEvent(mime_segment_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
analyzer->ConnVal(),
val_mgr->Count(data_len),
make_intrusive<StringVal>(data_len, data)
);
}
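Review bot: in MIME_Mail::SubmitData, data_len is a signed int computed as (buf + len) - data and is then passed both to val_mgr->Count(data_len) and to the StringVal constructor, and nothing in the visible context guarantees it is non-negative. A negative value would convert to a very large count and an invalid copy length. Return early when data_len is negative before enqueueing mime_segment_data, or state in a comment the invariant that rules it out.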
@ -1520,8 +1519,8 @@ void MIME_Mail::SubmitAllData()
delete_strings(all_content);
analyzer->EnqueueConnEvent(mime_all_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
analyzer->ConnVal(),
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
}
@ -1548,7 +1547,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event )
analyzer->EnqueueConnEvent(mime_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
make_intrusive<StringVal>(category),
make_intrusive<StringVal>(detail)
);

View file

@ -8,39 +8,39 @@
#
%header{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity);
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header);
VectorVal* create_vector_of_count();
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity);
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header);
IntrusivePtr<VectorVal> create_vector_of_count();
%}
%code{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity)
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity)
{
VectorVal* modbus_coils = new VectorVal(BifType::Vector::ModbusCoils);
auto modbus_coils = make_intrusive<VectorVal>(BifType::Vector::ModbusCoils);
for ( uint i = 0; i < quantity; i++ )
{
char currentCoil = (coils[i/8] >> (i % 8)) % 2;
modbus_coils->Assign(i, val_mgr->GetBool(currentCoil));
modbus_coils->Assign(i, val_mgr->Bool(currentCoil));
}
return modbus_coils;
}
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header)
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header)
{
RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->GetCount(header->tid()));
modbus_header->Assign(1, val_mgr->GetCount(header->pid()));
modbus_header->Assign(2, val_mgr->GetCount(header->uid()));
modbus_header->Assign(3, val_mgr->GetCount(header->fc()));
auto modbus_header = make_intrusive<RecordVal>(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->Count(header->tid()));
modbus_header->Assign(1, val_mgr->Count(header->pid()));
modbus_header->Assign(2, val_mgr->Count(header->uid()));
modbus_header->Assign(3, val_mgr->Count(header->fc()));
return modbus_header;
}
VectorVal* create_vector_of_count()
IntrusivePtr<VectorVal> create_vector_of_count()
{
VectorType* vt = new VectorType(base_type(TYPE_COUNT));
VectorVal* vv = new VectorVal(vt);
Unref(vt);
auto vt = make_intrusive<VectorType>(base_type(TYPE_COUNT));
auto vv = make_intrusive<VectorVal>(vt.get());
return vv;
}
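Review bot: bytestring_to_coils indexes coils[i/8] for every i below quantity but never compares quantity with coils.length() * 8. The read-response call sites pass ${message.bits}.length()*8, but modbus_write_multiple_coils_request passes ${message.quantity}, a field of the message itself, so unless the grammar already enforces the relation (not visible here) a quantity larger than the coil bytes present would index past the end of the bytestring. Clamp quantity inside the function, or reject the message, so the bound does not depend on each caller getting it right.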
@ -88,10 +88,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_message )
{
BifEvent::generate_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
is_orig());
BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
is_orig());
}
return true;
@ -117,10 +117,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_exception )
{
BifEvent::generate_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.code});
BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.code});
}
return true;
@ -131,11 +131,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_request )
{
BifEvent::generate_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
${message.quantity});
BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
${message.quantity});
}
return true;
@ -146,10 +146,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_response )
{
BifEvent::generate_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
%}
@ -159,10 +159,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_request )
{
BifEvent::generate_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -173,10 +173,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_response )
{
BifEvent::generate_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
@ -188,10 +188,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_holding_registers_request )
{
BifEvent::generate_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -209,18 +209,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_holding_registers_response )
{
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -232,10 +232,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_input_registers_request )
{
BifEvent::generate_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -253,17 +253,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_input_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -287,11 +288,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -314,11 +315,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -330,10 +331,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_request )
{
BifEvent::generate_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -344,10 +345,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_response )
{
BifEvent::generate_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -359,11 +360,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_request )
{
BifEvent::generate_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
}
return true;
@ -374,10 +375,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_response )
{
BifEvent::generate_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -396,17 +397,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_write_multiple_registers_request )
{
VectorVal * t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, t);
BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, std::move(t));
}
return true;
@ -417,10 +419,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_registers_response )
{
BifEvent::generate_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -432,22 +434,22 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_file_record_request )
{
//TODO: this need to be a vector of some Reference Request record type
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* k = val_mgr->GetCount((${message.references[i].file_num}));
// auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k);
//
// Val* l = val_mgr->GetCount((${message.references[i].record_num}));
// auto l = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, l);
// }
BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
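Review bot: the commented-out block in the modbus_read_file_record_request handler is being edited (Val* to auto) although it is dead code, and as written it would store r, k and l with t->Assign(i, ...) at the same index, each overwriting the one before. The event is enqueued with only HeaderToVal(header), so the references never reach the script layer. Either delete the block and track the TODO in an issue, or fix the indexing before continuing to keep it in step with API renames.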
@ -458,17 +460,17 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_file_record_response )
{
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// {
// //TODO: work the reference type in here somewhere
// Val* r = val_mgr->GetCount(${message.references[i].record_data}));
// auto r = val_mgr->Count(${message.references[i].record_data}));
// t->Assign(i, r);
// }
BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -479,28 +481,28 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_request )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* k = val_mgr->GetCount((${message.references[i].file_num}));
// auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k);
//
// Val* n = val_mgr->GetCount((${message.references[i].record_num}));
// auto n = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, n);
//
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
// {
// k = val_mgr->GetCount((${message.references[i].register_value[j]}));
// k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
// }
BifEvent::generate_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -512,27 +514,27 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_response )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* f = val_mgr->GetCount((${message.references[i].file_num}));
// auto f = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, f);
//
// Val* rn = val_mgr->GetCount((${message.references[i].record_num}));
// auto rn = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, rn);
//
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
// {
// Val* k = val_mgr->GetCount((${message.references[i].register_value[j]}));
// auto k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
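Review bot: the commented-out loop in the modbus_write_file_record_response handler refers to ${messages.references} where the sibling handlers use ${message.references}, and the outer for loop's opening brace has no matching close, so the block would not compile if it were ever uncommented. Since the commit touches these lines anyway, fix both or remove the block rather than carrying the renames through broken dead code.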
@ -543,11 +545,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_request )
{
BifEvent::generate_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -558,11 +560,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_response )
{
BifEvent::generate_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -580,20 +582,21 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_request )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.write_register_values[i]});
auto r = val_mgr->Count(${message.write_register_values[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
std::move(t));
}
return true;
@ -611,17 +614,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -632,10 +636,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_fifo_queue_request )
{
BifEvent::generate_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address});
BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address});
}
return true;
@ -654,17 +658,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_fifo_queue_response )
{
VectorVal* t = create_vector_of_count();
auto t = create_vector_of_count();
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.register_data[i]});
auto r = val_mgr->Count(${message.register_data[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
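Review bot: the modbus_read_fifo_queue_response handler builds its vector with create_vector_of_count(), which allocates a fresh VectorType on every call, while the other register handlers in this file use make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters). If the event's declared parameter type is the same register vector, use the shared type here as well; if it is intentionally different, a short comment saying why would help.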

View file

@ -15,12 +15,12 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_connack )
{
auto m = new RecordVal(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->GetCount(${msg.return_code}));
m->Assign(1, val_mgr->GetBool(${msg.session_present}));
BifEvent::generate_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
m);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->Count(${msg.return_code}));
m->Assign(1, val_mgr->Bool(${msg.session_present}));
BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(m));
}
return true;

Some files were not shown because too many files have changed in this diff