Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove deprecated port/ports fields for spicy analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2024-08-06 10:49:31 -07:00
parent 4e9d843cec
commit 15d404dd19
11 changed files with 20 additions and 219 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/spicy/zeek_rt.hlt
View file

@ -18,7 +18,7 @@ type ZeekTypeTag = enum {
} &cxxname="::zeek::spicy::rt::ZeekTypeTag"; } &cxxname="::zeek::spicy::rt::ZeekTypeTag";
declare public void register_spicy_module_begin(string name, string description) &cxxname="zeek::spicy::rt::register_spicy_module_begin"; declare public void register_spicy_module_begin(string name, string description) &cxxname="zeek::spicy::rt::register_spicy_module_begin";
declare public void register_protocol_analyzer(string name, hilti::Protocol protocol, vector<PortRange> ports, string parser_orig, string parser_resp, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_protocol_analyzer" &have_prototype; declare public void register_protocol_analyzer(string name, hilti::Protocol protocol, string parser_orig, string parser_resp, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_protocol_analyzer" &have_prototype;
declare public void register_file_analyzer(string name, vector<string> mime_types, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_file_analyzer" &have_prototype; declare public void register_file_analyzer(string name, vector<string> mime_types, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_file_analyzer" &have_prototype;
declare public void register_packet_analyzer(string name, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_packet_analyzer" &have_prototype; declare public void register_packet_analyzer(string name, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_packet_analyzer" &have_prototype;
declare public void register_type(string ns, string id, BroType t) &cxxname="zeek::spicy::rt::register_type" &have_prototype; declare public void register_type(string ns, string id, BroType t) &cxxname="zeek::spicy::rt::register_type" &have_prototype;

21
src/spicy/manager.cc
View file

@ -61,7 +61,6 @@ void Manager::registerSpicyModuleEnd() {
} }
void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto,
const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports,
const std::string& parser_orig, const std::string& parser_resp, const std::string& parser_orig, const std::string& parser_resp,
const std::string& replaces, const std::string& linker_scope) { const std::string& replaces, const std::string& linker_scope) {
SPICY_DEBUG(hilti::rt::fmt("Have Spicy protocol analyzer %s", name)); SPICY_DEBUG(hilti::rt::fmt("Have Spicy protocol analyzer %s", name));
@ -74,7 +73,6 @@ void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Proto
info.name_zeek = hilti::rt::replace(name, "::", "_"); info.name_zeek = hilti::rt::replace(name, "::", "_");
info.name_zeekygen = hilti::rt::fmt("<Spicy-%s>", name); info.name_zeekygen = hilti::rt::fmt("<Spicy-%s>", name);
info.protocol = proto; info.protocol = proto;
info.ports = ports;
info.linker_scope = linker_scope; info.linker_scope = linker_scope;
// We may have that analyzer already iff it was previously pre-registered // We may have that analyzer already iff it was previously pre-registered
@ -701,25 +699,6 @@ void Manager::InitPostScript() {
if ( ! tag ) if ( ! tag )
reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str()); reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str());
for ( const auto& ports : p.ports ) {
const auto proto = ports.begin.protocol();
// Port ranges are closed intervals.
for ( auto port = ports.begin.port(); port <= ports.end.port(); ++port ) {
const auto port_ = hilti::rt::Port(port, proto);
SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_));
analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);
// Don't double register in case of single-port ranges.
if ( ports.begin.port() == ports.end.port() )
break;
// Explicitly prevent overflow.
if ( port == std::numeric_limits<decltype(port)>::max() )
break;
}
}
if ( p.parser_resp ) { if ( p.parser_resp ) {
for ( auto port : p.parser_resp->ports ) { for ( auto port : p.parser_resp->ports ) {
if ( port.direction != ::spicy::rt::Direction::Both && if ( port.direction != ::spicy::rt::Direction::Both &&

11
src/spicy/manager.h
View file

@ -85,7 +85,6 @@ public:
* *
* @param name name of the analyzer as defined in its EVT file * @param name name of the analyzer as defined in its EVT file
* @param proto analyzer's transport-layer protocol * @param proto analyzer's transport-layer protocol
* @param prts well-known ports for the analyzer; it'll be activated automatically for these
* @param parser_orig name of the Spicy parser for the originator side; must match the name that * @param parser_orig name of the Spicy parser for the originator side; must match the name that
* Spicy registers the unit's parser with * Spicy registers the unit's parser with
* @param parser_resp name of the Spicy parser for the originator side; must match the name that * @param parser_resp name of the Spicy parser for the originator side; must match the name that
@ -95,10 +94,9 @@ public:
* @param linker_scope scope of current HLTO file, which will restrict visibility of the * @param linker_scope scope of current HLTO file, which will restrict visibility of the
* registration * registration
*/ */
void registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, void registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto, const std::string& parser_orig,
const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, const std::string& parser_resp, const std::string& replaces,
const std::string& parser_orig, const std::string& parser_resp, const std::string& linker_scope);
const std::string& replaces, const std::string& linker_scope);
/** /**
* Runtime method to register a file analyzer with its Zeek-side * Runtime method to register a file analyzer with its Zeek-side
@ -343,7 +341,6 @@ private:
std::string name_parser_resp; std::string name_parser_resp;
std::string name_replaces; std::string name_replaces;
hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef;
hilti::rt::Vector<::zeek::spicy::rt::PortRange> ports;
std::string linker_scope; std::string linker_scope;
// Computed and available once the analyzer has been registered. // Computed and available once the analyzer has been registered.
@ -357,7 +354,7 @@ private:
bool operator==(const ProtocolAnalyzerInfo& other) const { bool operator==(const ProtocolAnalyzerInfo& other) const {
return name_analyzer == other.name_analyzer && name_parser_orig == other.name_parser_orig && return name_analyzer == other.name_analyzer && name_parser_orig == other.name_parser_orig &&
name_parser_resp == other.name_parser_resp && name_replaces == other.name_replaces && name_parser_resp == other.name_parser_resp && name_replaces == other.name_replaces &&
protocol == other.protocol && ports == other.ports && linker_scope == other.linker_scope; protocol == other.protocol && linker_scope == other.linker_scope;
} }
bool operator!=(const ProtocolAnalyzerInfo& other) const { return ! (*this == other); } bool operator!=(const ProtocolAnalyzerInfo& other) const { return ! (*this == other); }

9
src/spicy/runtime-support.cc
View file

@ -26,12 +26,11 @@ void rt::register_spicy_module_begin(const std::string& name, const std::string&
void rt::register_spicy_module_end() { spicy_mgr->registerSpicyModuleEnd(); } void rt::register_spicy_module_end() { spicy_mgr->registerSpicyModuleEnd(); }
void rt::register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto, void rt::register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto, const std::string& parser_orig,
const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, const std::string& parser_resp, const std::string& replaces,
const std::string& parser_orig, const std::string& parser_resp, const std::string& linker_scope) {
const std::string& replaces, const std::string& linker_scope) {
auto _ = hilti::rt::profiler::start("zeek/rt/register_protocol_analyzer"); auto _ = hilti::rt::profiler::start("zeek/rt/register_protocol_analyzer");
spicy_mgr->registerProtocolAnalyzer(name, proto, ports, parser_orig, parser_resp, replaces, linker_scope); spicy_mgr->registerProtocolAnalyzer(name, proto, parser_orig, parser_resp, replaces, linker_scope);
} }
void rt::register_file_analyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types, void rt::register_file_analyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types,

7
src/spicy/runtime-support.h
View file

@ -106,10 +106,9 @@ void register_spicy_module_begin(const std::string& id, const std::string& descr
* Registers a Spicy protocol analyzer with its EVT meta information with the * Registers a Spicy protocol analyzer with its EVT meta information with the
* plugin's runtime. * plugin's runtime.
*/ */
void register_protocol_analyzer(const std::string& id, hilti::rt::Protocol proto, void register_protocol_analyzer(const std::string& id, hilti::rt::Protocol proto, const std::string& parser_orig,
const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports, const std::string& parser_resp, const std::string& replaces,
const std::string& parser_orig, const std::string& parser_resp, const std::string& linker_scope);
const std::string& replaces, const std::string& linker_scope);
/** /**
* Registers a Spicy file analyzer with its EVT meta information with the * Registers a Spicy file analyzer with its EVT meta information with the

109
src/spicy/spicyz/glue-compiler.cc
View file

@ -260,79 +260,6 @@ static std::string extract_expr(const std::string& chunk, size_t* i) {
return expr; return expr;
} }
static hilti::rt::Port extract_port(const std::string& chunk, size_t* i) {
eat_spaces(chunk, i);
std::string s;
size_t j = *i;
while ( j < chunk.size() && isdigit(chunk[j]) )
++j;
if ( *i == j )
throw ParseError("cannot parse port specification");
hilti::rt::Protocol proto;
uint64_t port = std::numeric_limits<uint64_t>::max();
s = chunk.substr(*i, j - *i);
hilti::util::atoi_n(s.begin(), s.end(), 10, &port);
if ( port > 65535 )
throw ParseError("port outside of valid range");
*i = j;
if ( chunk[*i] != '/' )
throw ParseError("cannot parse port specification");
(*i)++;
if ( looking_at(chunk, *i, "tcp") ) {
proto = hilti::rt::Protocol::TCP;
eat_token(chunk, i, "tcp");
}
else if ( looking_at(chunk, *i, "udp") ) {
proto = hilti::rt::Protocol::UDP;
eat_token(chunk, i, "udp");
}
else if ( looking_at(chunk, *i, "icmp") ) {
proto = hilti::rt::Protocol::ICMP;
eat_token(chunk, i, "icmp");
}
else
throw ParseError("cannot parse port specification");
return {static_cast<uint16_t>(port), proto};
}
static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk, size_t* i) {
auto start = extract_port(chunk, i);
auto end = std::optional<hilti::rt::Port>();
if ( looking_at(chunk, *i, "-") ) {
eat_token(chunk, i, "-");
end = extract_port(chunk, i);
}
if ( end ) {
if ( start.protocol() != end->protocol() )
throw ParseError("start and end of port range must have same protocol");
if ( start.port() > end->port() )
throw ParseError("start of port range cannot be after its end");
}
if ( ! end )
// EVT port ranges are a closed.
end = hilti::rt::Port(start.port(), start.protocol());
return {start, *end};
}
void GlueCompiler::init(Driver* driver, int zeek_version) { void GlueCompiler::init(Driver* driver, int zeek_version) {
_driver = driver; _driver = driver;
_zeek_version = zeek_version; _zeek_version = zeek_version;
@ -704,27 +631,6 @@ glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& ch
} }
} }
else if ( looking_at(chunk, i, "ports") ) {
eat_token(chunk, &i, "ports");
eat_token(chunk, &i, "{");
while ( true ) {
a.ports.push_back(extract_port_range(chunk, &i));
if ( looking_at(chunk, i, "}") ) {
eat_token(chunk, &i, "}");
break;
}
eat_token(chunk, &i, ",");
}
}
else if ( looking_at(chunk, i, "port") ) {
eat_token(chunk, &i, "port");
a.ports.push_back(extract_port_range(chunk, &i));
}
else if ( looking_at(chunk, i, "replaces") ) { else if ( looking_at(chunk, i, "replaces") ) {
eat_token(chunk, &i, "replaces"); eat_token(chunk, &i, "replaces");
a.replaces = extract_id(chunk, &i); a.replaces = extract_id(chunk, &i);
@ -739,14 +645,6 @@ glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& ch
eat_token(chunk, &i, ","); eat_token(chunk, &i, ",");
} }
if ( ! a.ports.empty() )
hilti::logger().warning(
hilti::rt::
fmt("Remove in v7.1: Analyzer %s is using the deprecated 'port' or 'ports' keyword to register "
"well-known ports. Use Analyzer::register_for_ports() in the accompanying Zeek script instead.",
a.name),
a.location);
return a; return a;
} }
@ -1034,13 +932,6 @@ bool GlueCompiler::compile() {
preinit_body.addCall("zeek_rt::register_protocol_analyzer", preinit_body.addCall("zeek_rt::register_protocol_analyzer",
{builder()->stringMutable(a.name.str()), builder()->id(protocol), {builder()->stringMutable(a.name.str()), builder()->id(protocol),
builder()->vector(
hilti::util::transform(a.ports,
[this](const auto& p) -> hilti::Expression* {
return builder()->call("zeek_rt::make_port_range",
{builder()->port(p.begin),
builder()->port(p.end)});
})),
builder()->stringMutable(a.unit_name_orig.str()), builder()->stringMutable(a.unit_name_orig.str()),
builder()->stringMutable(a.unit_name_resp.str()), builder()->stringMutable(a.replaces), builder()->stringMutable(a.unit_name_resp.str()), builder()->stringMutable(a.replaces),
builder()->scope()}); builder()->scope()});

1
src/spicy/spicyz/glue-compiler.h
View file

@ -45,7 +45,6 @@ struct ProtocolAnalyzer {
hilti::Location location; /**< Location where the analyzer was defined. */ hilti::Location location; /**< Location where the analyzer was defined. */
hilti::ID name; /**< Name of the analyzer. */ hilti::ID name; /**< Name of the analyzer. */
hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; /**< The transport layer the analyzer uses. */ hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; /**< The transport layer the analyzer uses. */
std::vector<::zeek::spicy::rt::PortRange> ports; /**< The ports associated with the analyzer. */
hilti::ID unit_name_orig; /**< The fully-qualified name of the unit type to parse the originator hilti::ID unit_name_orig; /**< The fully-qualified name of the unit type to parse the originator
side. */ side. */
hilti::ID unit_name_resp; /**< The fully-qualified name of the unit type to parse the originator hilti::ID unit_name_resp; /**< The fully-qualified name of the unit type to parse the originator

10
testing/btest/spicy/event-user-type
View file

@ -25,8 +25,7 @@ type Y = unit {
# @TEST-START-FILE foo.evt # @TEST-START-FILE foo.evt
protocol analyzer spicy::foo over UDP: protocol analyzer spicy::foo over UDP:
parse with foo::X, parse with foo::X;
ports { 12345/udp, 31337/udp };
import foo; import foo;
@ -36,6 +35,13 @@ on foo::X -> event foo::X($conn, $is_orig, self.y);
# @TEST-END-FILE # @TEST-END-FILE
# @TEST-START-FILE foo.zeek # @TEST-START-FILE foo.zeek
const foo_ports = { 12345/udp, 31337/udp};
event zeek_init()
{
Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_FOO, foo_ports);
}
event foo::X(c: connection, is_orig: bool, y: foo::Y) event foo::X(c: connection, is_orig: bool, y: foo::Y)
{ {
print fmt("is_orig=%d y=%s", is_orig, y); print fmt("is_orig=%d y=%s", is_orig, y);

21
testing/btest/spicy/port-deprecated.evt
View file

@ -1,21 +0,0 @@
# @TEST-REQUIRES: have-spicy
#
# @TEST-EXEC: spicyz -d -o test.hlto ./udp-test.evt 2>out.stderr
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.stderr
#
# @TEST-DOC: Remove with v7.1: Specifying ports is deprecated.
module Test;
import zeek;
public type Message = unit {
data: bytes &eod {}
};
# @TEST-START-FILE udp-test.evt
protocol analyzer spicy::TEST over UDP:
parse with Test::Message,
port 11337/udp-11340/udp,
ports {31337/udp-31340/udp};
# @TEST-END-FILE

24
testing/btest/spicy/port-fail.evt
View file

@ -1,24 +0,0 @@
# @TEST-REQUIRES: have-spicy
#
# @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
#
# @TEST-DOC: Remove with v7.1
protocol analyzer spicy::SSH over TCP:
port 123456/udp;
@TEST-START-NEXT
protocol analyzer spicy::SSH over TCP:
port -1/udp;
@TEST-START-NEXT
protocol analyzer spicy::SSH over TCP:
port 1/udp-2/tcp;
@TEST-START-NEXT
protocol analyzer spicy::SSH over TCP:
port 2/udp-1/udp;

24
testing/btest/spicy/port-range-one-port.zeek
View file

@ -1,24 +0,0 @@
# @TEST-REQUIRES: have-spicy
#
# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
# @TEST-EXEC: btest-diff out.filtered
# @TEST-DOC: Remove with v7.1. Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
# @TEST-START-FILE udp-test.spicy
module UDPTest;
public type Message = unit {
data: bytes &eod {
assert False: "not reached";
}
};
# @TEST-END-FILE
# @TEST-START-FILE udp-test.evt
protocol analyzer spicy::UDP_TEST over UDP:
parse with UDPTest::Message,
port 31336/udp;
# @TEST-END-FILE