diff --git a/scripts/spicy/zeek_rt.hlt b/scripts/spicy/zeek_rt.hlt index 3f4dd28adc..801c49a9b1 100644 --- a/scripts/spicy/zeek_rt.hlt +++ b/scripts/spicy/zeek_rt.hlt @@ -18,7 +18,7 @@ type ZeekTypeTag = enum { } &cxxname="::zeek::spicy::rt::ZeekTypeTag"; declare public void register_spicy_module_begin(string name, string description) &cxxname="zeek::spicy::rt::register_spicy_module_begin"; -declare public void register_protocol_analyzer(string name, hilti::Protocol protocol, vector ports, string parser_orig, string parser_resp, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_protocol_analyzer" &have_prototype; +declare public void register_protocol_analyzer(string name, hilti::Protocol protocol, string parser_orig, string parser_resp, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_protocol_analyzer" &have_prototype; declare public void register_file_analyzer(string name, vector mime_types, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_file_analyzer" &have_prototype; declare public void register_packet_analyzer(string name, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_packet_analyzer" &have_prototype; declare public void register_type(string ns, string id, BroType t) &cxxname="zeek::spicy::rt::register_type" &have_prototype; diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc index 1a9420e22a..7919380111 100644 --- a/src/spicy/manager.cc +++ b/src/spicy/manager.cc @@ -61,7 +61,6 @@ void Manager::registerSpicyModuleEnd() { } void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, - const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, const std::string& parser_orig, const std::string& parser_resp, const std::string& replaces, const std::string& linker_scope) { SPICY_DEBUG(hilti::rt::fmt("Have Spicy protocol analyzer %s", name)); @@ -74,7 +73,6 @@ void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Proto info.name_zeek = hilti::rt::replace(name, "::", "_"); info.name_zeekygen = hilti::rt::fmt("", name); info.protocol = proto; - info.ports = ports; info.linker_scope = linker_scope; // We may have that analyzer already iff it was previously pre-registered @@ -701,25 +699,6 @@ void Manager::InitPostScript() { if ( ! tag ) reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str()); - for ( const auto& ports : p.ports ) { - const auto proto = ports.begin.protocol(); - - // Port ranges are closed intervals. - for ( auto port = ports.begin.port(); port <= ports.end.port(); ++port ) { - const auto port_ = hilti::rt::Port(port, proto); - SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_)); - analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port); - - // Don't double register in case of single-port ranges. - if ( ports.begin.port() == ports.end.port() ) - break; - - // Explicitly prevent overflow. - if ( port == std::numeric_limits::max() ) - break; - } - } - if ( p.parser_resp ) { for ( auto port : p.parser_resp->ports ) { if ( port.direction != ::spicy::rt::Direction::Both && diff --git a/src/spicy/manager.h b/src/spicy/manager.h index 118e03b6c3..195ae3adf1 100644 --- a/src/spicy/manager.h +++ b/src/spicy/manager.h @@ -85,7 +85,6 @@ public: * * @param name name of the analyzer as defined in its EVT file * @param proto analyzer's transport-layer protocol - * @param prts well-known ports for the analyzer; it'll be activated automatically for these * @param parser_orig name of the Spicy parser for the originator side; must match the name that * Spicy registers the unit's parser with * @param parser_resp name of the Spicy parser for the originator side; must match the name that @@ -95,10 +94,9 @@ public: * @param linker_scope scope of current HLTO file, which will restrict visibility of the * registration */ - void registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, - const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, - const std::string& parser_orig, const std::string& parser_resp, - const std::string& replaces, const std::string& linker_scope); + void registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, const std::string& parser_orig, + const std::string& parser_resp, const std::string& replaces, + const std::string& linker_scope); /** * Runtime method to register a file analyzer with its Zeek-side @@ -343,7 +341,6 @@ private: std::string name_parser_resp; std::string name_replaces; hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; - hilti::rt::Vector<::zeek::spicy::rt::PortRange> ports; std::string linker_scope; // Computed and available once the analyzer has been registered. @@ -357,7 +354,7 @@ private: bool operator==(const ProtocolAnalyzerInfo& other) const { return name_analyzer == other.name_analyzer && name_parser_orig == other.name_parser_orig && name_parser_resp == other.name_parser_resp && name_replaces == other.name_replaces && - protocol == other.protocol && ports == other.ports && linker_scope == other.linker_scope; + protocol == other.protocol && linker_scope == other.linker_scope; } bool operator!=(const ProtocolAnalyzerInfo& other) const { return ! (*this == other); } diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc index f5afd37461..8dbf0c39a7 100644 --- a/src/spicy/runtime-support.cc +++ b/src/spicy/runtime-support.cc @@ -26,12 +26,11 @@ void rt::register_spicy_module_begin(const std::string& name, const std::string& void rt::register_spicy_module_end() { spicy_mgr->registerSpicyModuleEnd(); } -void rt::register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto, - const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, - const std::string& parser_orig, const std::string& parser_resp, - const std::string& replaces, const std::string& linker_scope) { +void rt::register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto, const std::string& parser_orig, + const std::string& parser_resp, const std::string& replaces, + const std::string& linker_scope) { auto _ = hilti::rt::profiler::start("zeek/rt/register_protocol_analyzer"); - spicy_mgr->registerProtocolAnalyzer(name, proto, ports, parser_orig, parser_resp, replaces, linker_scope); + spicy_mgr->registerProtocolAnalyzer(name, proto, parser_orig, parser_resp, replaces, linker_scope); } void rt::register_file_analyzer(const std::string& name, const hilti::rt::Vector& mime_types, diff --git a/src/spicy/runtime-support.h b/src/spicy/runtime-support.h index 0397dc86cc..c0bf9f4631 100644 --- a/src/spicy/runtime-support.h +++ b/src/spicy/runtime-support.h @@ -106,10 +106,9 @@ void register_spicy_module_begin(const std::string& id, const std::string& descr * Registers a Spicy protocol analyzer with its EVT meta information with the * plugin's runtime. */ -void register_protocol_analyzer(const std::string& id, hilti::rt::Protocol proto, - const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, - const std::string& parser_orig, const std::string& parser_resp, - const std::string& replaces, const std::string& linker_scope); +void register_protocol_analyzer(const std::string& id, hilti::rt::Protocol proto, const std::string& parser_orig, + const std::string& parser_resp, const std::string& replaces, + const std::string& linker_scope); /** * Registers a Spicy file analyzer with its EVT meta information with the diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc index e9240ed245..9f992c6538 100644 --- a/src/spicy/spicyz/glue-compiler.cc +++ b/src/spicy/spicyz/glue-compiler.cc @@ -260,79 +260,6 @@ static std::string extract_expr(const std::string& chunk, size_t* i) { return expr; } -static hilti::rt::Port extract_port(const std::string& chunk, size_t* i) { - eat_spaces(chunk, i); - - std::string s; - size_t j = *i; - - while ( j < chunk.size() && isdigit(chunk[j]) ) - ++j; - - if ( *i == j ) - throw ParseError("cannot parse port specification"); - - hilti::rt::Protocol proto; - uint64_t port = std::numeric_limits::max(); - - s = chunk.substr(*i, j - *i); - hilti::util::atoi_n(s.begin(), s.end(), 10, &port); - - if ( port > 65535 ) - throw ParseError("port outside of valid range"); - - *i = j; - - if ( chunk[*i] != '/' ) - throw ParseError("cannot parse port specification"); - - (*i)++; - - if ( looking_at(chunk, *i, "tcp") ) { - proto = hilti::rt::Protocol::TCP; - eat_token(chunk, i, "tcp"); - } - - else if ( looking_at(chunk, *i, "udp") ) { - proto = hilti::rt::Protocol::UDP; - eat_token(chunk, i, "udp"); - } - - else if ( looking_at(chunk, *i, "icmp") ) { - proto = hilti::rt::Protocol::ICMP; - eat_token(chunk, i, "icmp"); - } - - else - throw ParseError("cannot parse port specification"); - - return {static_cast(port), proto}; -} - -static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk, size_t* i) { - auto start = extract_port(chunk, i); - auto end = std::optional(); - - if ( looking_at(chunk, *i, "-") ) { - eat_token(chunk, i, "-"); - end = extract_port(chunk, i); - } - - if ( end ) { - if ( start.protocol() != end->protocol() ) - throw ParseError("start and end of port range must have same protocol"); - - if ( start.port() > end->port() ) - throw ParseError("start of port range cannot be after its end"); - } - - if ( ! end ) - // EVT port ranges are a closed. - end = hilti::rt::Port(start.port(), start.protocol()); - - return {start, *end}; -} - void GlueCompiler::init(Driver* driver, int zeek_version) { _driver = driver; _zeek_version = zeek_version; @@ -704,27 +631,6 @@ glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& ch } } - else if ( looking_at(chunk, i, "ports") ) { - eat_token(chunk, &i, "ports"); - eat_token(chunk, &i, "{"); - - while ( true ) { - a.ports.push_back(extract_port_range(chunk, &i)); - - if ( looking_at(chunk, i, "}") ) { - eat_token(chunk, &i, "}"); - break; - } - - eat_token(chunk, &i, ","); - } - } - - else if ( looking_at(chunk, i, "port") ) { - eat_token(chunk, &i, "port"); - a.ports.push_back(extract_port_range(chunk, &i)); - } - else if ( looking_at(chunk, i, "replaces") ) { eat_token(chunk, &i, "replaces"); a.replaces = extract_id(chunk, &i); @@ -739,14 +645,6 @@ glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& ch eat_token(chunk, &i, ","); } - if ( ! a.ports.empty() ) - hilti::logger().warning( - hilti::rt:: - fmt("Remove in v7.1: Analyzer %s is using the deprecated 'port' or 'ports' keyword to register " - "well-known ports. Use Analyzer::register_for_ports() in the accompanying Zeek script instead.", - a.name), - a.location); - return a; } @@ -1034,13 +932,6 @@ bool GlueCompiler::compile() { preinit_body.addCall("zeek_rt::register_protocol_analyzer", {builder()->stringMutable(a.name.str()), builder()->id(protocol), - builder()->vector( - hilti::util::transform(a.ports, - [this](const auto& p) -> hilti::Expression* { - return builder()->call("zeek_rt::make_port_range", - {builder()->port(p.begin), - builder()->port(p.end)}); - })), builder()->stringMutable(a.unit_name_orig.str()), builder()->stringMutable(a.unit_name_resp.str()), builder()->stringMutable(a.replaces), builder()->scope()}); diff --git a/src/spicy/spicyz/glue-compiler.h b/src/spicy/spicyz/glue-compiler.h index 58e42909f3..22ffcdc332 100644 --- a/src/spicy/spicyz/glue-compiler.h +++ b/src/spicy/spicyz/glue-compiler.h @@ -45,7 +45,6 @@ struct ProtocolAnalyzer { hilti::Location location; /**< Location where the analyzer was defined. */ hilti::ID name; /**< Name of the analyzer. */ hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; /**< The transport layer the analyzer uses. */ - std::vector<::zeek::spicy::rt::PortRange> ports; /**< The ports associated with the analyzer. */ hilti::ID unit_name_orig; /**< The fully-qualified name of the unit type to parse the originator side. */ hilti::ID unit_name_resp; /**< The fully-qualified name of the unit type to parse the originator diff --git a/testing/btest/spicy/event-user-type b/testing/btest/spicy/event-user-type index 75f99b4042..14b0883d5f 100644 --- a/testing/btest/spicy/event-user-type +++ b/testing/btest/spicy/event-user-type @@ -25,8 +25,7 @@ type Y = unit { # @TEST-START-FILE foo.evt protocol analyzer spicy::foo over UDP: - parse with foo::X, - ports { 12345/udp, 31337/udp }; + parse with foo::X; import foo; @@ -36,6 +35,13 @@ on foo::X -> event foo::X($conn, $is_orig, self.y); # @TEST-END-FILE # @TEST-START-FILE foo.zeek +const foo_ports = { 12345/udp, 31337/udp}; + +event zeek_init() +{ + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_FOO, foo_ports); +} + event foo::X(c: connection, is_orig: bool, y: foo::Y) { print fmt("is_orig=%d y=%s", is_orig, y); diff --git a/testing/btest/spicy/port-deprecated.evt b/testing/btest/spicy/port-deprecated.evt deleted file mode 100644 index 220a9d1faf..0000000000 --- a/testing/btest/spicy/port-deprecated.evt +++ /dev/null @@ -1,21 +0,0 @@ -# @TEST-REQUIRES: have-spicy -# -# @TEST-EXEC: spicyz -d -o test.hlto ./udp-test.evt 2>out.stderr -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.stderr -# -# @TEST-DOC: Remove with v7.1: Specifying ports is deprecated. - -module Test; - -import zeek; - -public type Message = unit { - data: bytes &eod {} -}; - -# @TEST-START-FILE udp-test.evt -protocol analyzer spicy::TEST over UDP: - parse with Test::Message, - port 11337/udp-11340/udp, - ports {31337/udp-31340/udp}; -# @TEST-END-FILE diff --git a/testing/btest/spicy/port-fail.evt b/testing/btest/spicy/port-fail.evt deleted file mode 100644 index e51ca0fb79..0000000000 --- a/testing/btest/spicy/port-fail.evt +++ /dev/null @@ -1,24 +0,0 @@ -# @TEST-REQUIRES: have-spicy -# -# @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output -# -# @TEST-DOC: Remove with v7.1 - -protocol analyzer spicy::SSH over TCP: - port 123456/udp; - -@TEST-START-NEXT - -protocol analyzer spicy::SSH over TCP: - port -1/udp; - -@TEST-START-NEXT - -protocol analyzer spicy::SSH over TCP: - port 1/udp-2/tcp; - -@TEST-START-NEXT - -protocol analyzer spicy::SSH over TCP: - port 2/udp-1/udp; diff --git a/testing/btest/spicy/port-range-one-port.zeek b/testing/btest/spicy/port-range-one-port.zeek deleted file mode 100644 index 95c32f2b27..0000000000 --- a/testing/btest/spicy/port-range-one-port.zeek +++ /dev/null @@ -1,24 +0,0 @@ -# @TEST-REQUIRES: have-spicy -# -# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt -# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1 -# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered -# @TEST-EXEC: btest-diff out.filtered - -# @TEST-DOC: Remove with v7.1. Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278. - -# @TEST-START-FILE udp-test.spicy -module UDPTest; - -public type Message = unit { - data: bytes &eod { - assert False: "not reached"; - } -}; -# @TEST-END-FILE - -# @TEST-START-FILE udp-test.evt -protocol analyzer spicy::UDP_TEST over UDP: - parse with UDPTest::Message, - port 31336/udp; -# @TEST-END-FILE