diff --git a/CHANGES b/CHANGES
index ed7dfafd03..da9a6756ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6.1.0-dev.374 | 2023-09-07 15:58:22 +0200
+
+ * GH-3276: Propagate failure reason in `spicy::decline_input`/`zeek::reject_protocol`. (Benjamin Bannier, Corelight)
+
+ Closes #3276.
+
 6.1.0-dev.372 | 2023-09-07 14:26:27 +0200
 * ci: update-alternative to have python3 be python3.9 (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index 46841fa0d1..6b0f82fbf2 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.1.0-dev.372
+6.1.0-dev.374
diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc
index b7c99e6e06..3a8373959e 100644
--- a/src/spicy/manager.cc
+++ b/src/spicy/manager.cc
@@ -586,8 +586,8 @@ static void hook_decline_input(const std::string& reason) {
 if ( auto x = cookie->protocol ) {
 auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
- SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
- return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
+ SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason));
+ return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag);
 }
 }
diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc
index 8d9fe3127b..de942aaf40 100644
--- a/src/spicy/runtime-support.cc
+++ b/src/spicy/runtime-support.cc
@@ -450,8 +450,8 @@ void rt::reject_protocol(const std::string& reason) {
 if ( auto x = cookie->protocol ) {
 auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
- SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
- return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
+ SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason));
+ return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag);
 }
 else
 throw ValueUnavailable("no current connection available");
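Review bot: An empty `reason` now yields a violation with empty text, both in `hook_decline_input` in src/spicy/manager.cc and in `rt::reject_protocol` in src/spicy/runtime-support.cc, where the old code always reported "protocol rejected". Keeping the previous wording as a fallback avoids that: `return x->analyzer->AnalyzerViolation(reason.empty() ? "protocol rejected" : reason.c_str(), nullptr, 0, tag);`. Because the text is passed through `c_str()`, anything after an embedded NUL is dropped. Analyzer authors may also build the reason from parsed input, so consumers of `failure_reason` should treat it as untrusted free text. Both function bodies start outside their hunks, so any earlier handling of `reason` is not visible here.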
diff --git a/src/spicy/runtime-support.h b/src/spicy/runtime-support.h
index 5bd6178d13..0f25eb2dc1 100644
--- a/src/spicy/runtime-support.h
+++ b/src/spicy/runtime-support.h
@@ -275,7 +275,7 @@ void confirm_protocol();
 *
 * @param reason short description of what went wrong
 */
-void reject_protocol(const std::string& reason);
+void reject_protocol(const std::string& reason = "protocol rejected");
 /**
 * Opaque handle to a protocol analyzer.
diff --git a/testing/btest/Baseline/spicy.decline_input-2/analyzer.log b/testing/btest/Baseline/spicy.decline_input-2/analyzer.log
new file mode 100644
index 0000000000..a2b522dd32
--- /dev/null
+++ b/testing/btest/Baseline/spicy.decline_input-2/analyzer.log
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
diff --git a/testing/btest/Baseline/spicy.decline_input/analyzer.log b/testing/btest/Baseline/spicy.decline_input/analyzer.log
new file mode 100644
index 0000000000..a2b522dd32
--- /dev/null
+++ b/testing/btest/Baseline/spicy.decline_input/analyzer.log
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
+SPICY_FOO my reasons -
diff --git a/testing/btest/Baseline/spicy.ssh-banner/analyzer.log b/testing/btest/Baseline/spicy.ssh-banner/analyzer.log
index b60c24d0f9..08d61c5ea6 100644
--- a/testing/btest/Baseline/spicy.ssh-banner/analyzer.log
+++ b/testing/btest/Baseline/spicy.ssh-banner/analyzer.log
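Review bot: The doc comment above `reject_protocol` in src/spicy/runtime-support.h still says only `@param reason short description of what went wrong`, with no mention of the new default or that this string is now what the violation reports. I would extend it to `@param reason short description of what went wrong; reported as the analyzer violation's reason, defaults to "protocol rejected"`. The spicy.ssh-banner baselines in this commit change from "protocol rejected" to "kaputt", so scripts or log queries that match the old literal will stop matching, which seems worth a line in the release notes. The comment block starts outside the hunk.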
@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
 #types time string string string string string addr port addr port string string
-XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 protocol rejected -
+XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 kaputt -
 XXXXXXXXXX.XXXXXX violation protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 141.142.228.5 53595 54.243.55.129 80 failed to match regular expression (<...>/ssh.spicy:7:15) POST /post HTTP/1.1\x0d\x0aUser-Agent: curl/7.
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.ssh-banner/output b/testing/btest/Baseline/spicy.ssh-banner/output
index 680dd73714..109fca26c9 100644
--- a/testing/btest/Baseline/spicy.ssh-banner/output
+++ b/testing/btest/Baseline/spicy.ssh-banner/output
@@ -7,4 +7,4 @@ SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, res
 confirm, Analyzer::ANALYZER_SPICY_SSH
 === violation
 violation, Analyzer::ANALYZER_SPICY_SSH, failed to match regular expression (<...>/ssh.spicy:7:15)
-violation, Analyzer::ANALYZER_SPICY_SSH, protocol rejected
+violation, Analyzer::ANALYZER_SPICY_SSH, kaputt
diff --git a/testing/btest/spicy/decline_input.spicy b/testing/btest/spicy/decline_input.spicy
new file mode 100644
index 0000000000..5e4855ae52
--- /dev/null
+++ b/testing/btest/spicy/decline_input.spicy
@@ -0,0 +1,33 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt %INPUT
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto
+# @TEST-EXEC: cat analyzer.log | zeek-cut analyzer_name failure_reason failure_data > analyzer.log2 && mv analyzer.log2 analyzer.log
+# @TEST-EXEC: btest-diff analyzer.log
+#
+# @TEST-DOC: Validates that decline_input is propagated properly. This is a regression test for #3276.
+
+# @TEST-START-FILE foo.spicy
+module foo;
+
+public type X = unit {
+ : bytes &eod;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.evt
+protocol analyzer spicy::foo over UDP:
+ parse with foo::X,
+ ports { 12345/udp, 31337/udp };
+# @TEST-END-FILE
+
+module zeek_foo;
+import zeek;
+import foo;
+on foo::X::%done { zeek::reject_protocol("my reasons"); }
+
+# @TEST-START-NEXT
+module zeek_foo;
+import spicy;
+import foo;
+on foo::X::%done { spicy::decline_input("my reasons"); }
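Review bot: Both cases in this test pass an explicit reason, so the default that this commit adds to `rt::reject_protocol` in runtime-support.h is never exercised. If the Spicy-side declaration allows the argument to be omitted (not visible in this diff), a third `# @TEST-START-NEXT` case with `on foo::X::%done { zeek::reject_protocol(); }` would pin the fallback text "protocol rejected" in analyzer.log. A case with an empty string would likewise document what `failure_reason` looks like when an analyzer supplies no text.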