Merge remote-tracking branch 'origin/topic/bbannier/issue-3276'

* origin/topic/bbannier/issue-3276:
  Propagate failure reason in `spicy::decline_input`/`zeek::reject_protocol`.
Arne Welzel 2023-09-07 15:58:22 +02:00
commit 057bc673a8
10 changed files with 57 additions and 8 deletions


@ -1,3 +1,9 @@
6.1.0-dev.374 | 2023-09-07 15:58:22 +0200
* GH-3276: Propagate failure reason in `spicy::decline_input`/`zeek::reject_protocol`. (Benjamin Bannier, Corelight)
Closes #3276.
6.1.0-dev.372 | 2023-09-07 14:26:27 +0200
* ci: update-alternative to have python3 be python3.9 (Arne Welzel, Corelight)


@ -1 +1 @@
6.1.0-dev.372
6.1.0-dev.374


@ -586,8 +586,8 @@ static void hook_decline_input(const std::string& reason) {
if ( auto x = cookie->protocol ) {
auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason));
return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag);
}
}
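Review bot: An empty `reason` now yields an empty violation text, because the literal "protocol rejected" that this hunk drops survives only as a default argument at the declaration (visible for `reject_protocol` in the header hunk; the declaration of `decline_input` is not in this commit view), so a caller that forwards an empty string ends up with no failure reason at all; the same applies to the `rt::reject_protocol` hunk below. A small fallback keeps the previous behaviour for that case: `const char* why = reason.empty() ? "protocol rejected" : reason.c_str();` followed by `return x->analyzer->AnalyzerViolation(why, nullptr, 0, tag);`. The body of hook_decline_input starts before this hunk, so whether an earlier check already rejects empty reasons cannot be seen here.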


@ -450,8 +450,8 @@ void rt::reject_protocol(const std::string& reason) {
if ( auto x = cookie->protocol ) {
auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason));
return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag);
}
else
throw ValueUnavailable("no current connection available");


@ -275,7 +275,7 @@ void confirm_protocol();
*
* @param reason short description of what went wrong
*/
void reject_protocol(const std::string& reason);
void reject_protocol(const std::string& reason = "protocol rejected");
/**
* Opaque handle to a protocol analyzer.
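Review bot: The Doxygen comment above the changed declaration still says only "short description of what went wrong" and does not mention the new default or where the text ends up. The runtime hunks in this commit forward `reason` unchanged into `AnalyzerViolation`, and the updated analyzer.log baseline shows it landing in the `failure_reason` column, so a script author should know that whatever they build into the string, including bytes taken from the parsed input, is recorded in the log (subject to whatever escaping the log writer applies). Suggest extending the tag to `@param reason short description of what went wrong; reported verbatim as the failure reason of the resulting analyzer violation (and thus in analyzer.log). Defaults to "protocol rejected".`.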


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
SPICY_FOO my reasons -
SPICY_FOO my reasons -
SPICY_FOO my reasons -
SPICY_FOO my reasons -


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
SPICY_FOO my reasons -
SPICY_FOO my reasons -
SPICY_FOO my reasons -
SPICY_FOO my reasons -


@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
#types time string string string string string addr port addr port string string
XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 protocol rejected -
XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 kaputt -
XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 failed to match regular expression (<...>/ssh.spicy:7:15) POST /post HTTP/1.1\x0d\x0aUser-Agent: curl/7.
#close XXXX-XX-XX-XX-XX-XX


@ -7,4 +7,4 @@ SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, res
confirm, Analyzer::ANALYZER_SPICY_SSH
=== violation
violation, Analyzer::ANALYZER_SPICY_SSH, failed to match regular expression (<...>/ssh.spicy:7:15)
violation, Analyzer::ANALYZER_SPICY_SSH, protocol rejected
violation, Analyzer::ANALYZER_SPICY_SSH, kaputt


@ -0,0 +1,33 @@
# @TEST-REQUIRES: have-spicy
#
# @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt %INPUT
# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto
# @TEST-EXEC: cat analyzer.log | zeek-cut analyzer_name failure_reason failure_data > analyzer.log2 && mv analyzer.log2 analyzer.log
# @TEST-EXEC: btest-diff analyzer.log
#
# @TEST-DOC: Validates that decline_input is propagated properly. This is a regression test for #3276.
# @TEST-START-FILE foo.spicy
module foo;
public type X = unit {
: bytes &eod;
};
# @TEST-END-FILE
# @TEST-START-FILE foo.evt
protocol analyzer spicy::foo over UDP:
parse with foo::X,
ports { 12345/udp, 31337/udp };
# @TEST-END-FILE
module zeek_foo;
import zeek;
import foo;
on foo::X::%done { zeek::reject_protocol("my reasons"); }
# @TEST-START-NEXT
module zeek_foo;
import spicy;
import foo;
on foo::X::%done { spicy::decline_input("my reasons"); }
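Review bot: Both @TEST-START-NEXT variants pass an explicit argument, so the new default `"protocol rejected"` introduced in the header hunk for `zeek::reject_protocol` is not covered by this regression test. A third variant, `on foo::X::%done { zeek::reject_protocol(); }`, with a baseline line of `SPICY_FOO protocol rejected -`, would pin that path and catch a future change to the default text. Whether `spicy::decline_input` gained the same default is not visible in this commit view, so I would not add a matching variant for it without checking its declaration.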