Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/johanna/remove-deprecated-functions-events'

Browse source 
* origin/topic/johanna/remove-deprecated-functions-events:
  Remove deprecated functions/events
This commit is contained in:
Jon Siwek 2019-05-02 19:16:48 -07:00
commit 1a77c1b287
36 changed files with 94 additions and 1335 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-260 | 2019-05-02 19:16:48 -0700
* GH-243: Remove deprecated functions/events from 2.6 and earlier (Johanna Amann, Corelight)
2.6-258 | 2019-05-02 12:26:54 -0700
* GH-340: Improve IPv4/IPv6 regexes, extraction, and validity functions.

55
NEWS
View file

@ -190,10 +190,63 @@ Changed Functionality
Removed Functionality
---------------------
- A number of functions that were deprecated in version 2.6 or below and completely
removed from this release. Most of the functions were used for the old communication
code.
- ``find_ip_addresses``
- ``cat_string_array``
- ``cat_string_array_n``
- ``complete_handshake``
- ``connect``
- ``decode_base64_custom``
- ``disconnect``
- ``enable_communication``
- ``encode_base64_custom``
- ``get_event_peer``
- ``get_local_event_peer``
- ``join_string_array``
- ``listen``
- ``merge_pattern``
- ``request_remote_events``
- ``request_remote_logs``
- ``request_remote_sync``
- ``resume_state_updates``
- ``send_capture_filter``
- ``send_current_packet``
- ``send_id``
- ``send_ping``
- ``set_accept_state``
- ``set_compression_level``
- ``sort_string_array``
- ``split1``
- ``split_all``
- ``split``
- ``suspend_state_updates``
- ``terminate_communication``
- ``split``
- ``send_state``
- ``checkpoint_state``
- ``rescan_state``
- The following events were deprecated in version 2.6 or below and are completely
removed from this release:
- ``ssl_server_curve``
- ``dhcp_ack``
- ``dhcp_decline``
- ``dhcp_discover``
- ``dhcp_inform``
- ``dhcp_nak``
- ``dhcp_offer``
- ``dhcp_release``
- ``dhcp_request``
- ``finished_send_state``
Deprecated Functionality
------------------------
- The ``str_shell_escape` function is now deprecated, use ``safe_shell_quote``
- The ``str_shell_escape`` function is now deprecated, use ``safe_shell_quote``
instead. The later will automatically return a value that is enclosed
in double-quotes.

2
VERSION
View file

@ -1 +1 @@
2.6-258
2.6-260

2
doc

@ -1 +1 @@
Subproject commit f9e6c5c96ea24717d02018719247e345033b3f25
Subproject commit ed52b61d9300141cfa868759faed9c66142a80af

12
scripts/base/init-bare.zeek
View file

@ -775,26 +775,20 @@ type IPAddrAnonymizationClass: enum {
OTHER_ADDR,
};
## A locally unique ID identifying a communication peer. The ID is returned by
## :zeek:id:`connect`.
## A locally unique ID identifying a communication peer.
##
## .. zeek:see:: connect
type peer_id: count;
## A communication peer.
##
## .. zeek:see:: complete_handshake disconnect finished_send_state
## get_event_peer get_local_event_peer remote_capture_filter
## .. zeek:see:: remote_capture_filter
## remote_connection_closed remote_connection_error
## remote_connection_established remote_connection_handshake_done
## remote_event_registered remote_log_peer remote_pong
## request_remote_events request_remote_logs request_remote_sync
## send_capture_filter send_current_packet send_id send_ping send_state
## set_accept_state set_compression_level
##
## .. todo::The type's name is too narrow these days, should rename.
type event_peer: record {
id: peer_id; ##< Locally unique ID of peer (returned by :zeek:id:`connect`).
id: peer_id; ##< Locally unique ID of peer
host: addr; ##< The IP address of the peer.
## Either the port we connected to at the peer; or our port the peer
## connected to if the session is remotely initiated.

18
scripts/base/utils/addrs.zeek
View file

@ -80,24 +80,6 @@ function has_valid_octets(octets: string_vec): bool
return T;
}
## Extracts all IP (v4 or v6) address strings from a given string.
##
## input: a string that may contain an IP address anywhere within it.
##
## Returns: an array containing all valid IP address strings found in *input*.
function find_ip_addresses(input: string): string_array &deprecated
{
local parts = split_string_all(input, ip_addr_regex);
local output: string_array;
for ( i in parts )
{
if ( i % 2 == 1 && is_valid_ip(parts[i]) )
output[|output|] = parts[i];
}
return output;
}
## Extracts all IP (v4 or v6) address strings from a given string.
##
## input: a string that may contain an IP address anywhere within it.

272
scripts/policy/protocols/dhcp/deprecated_events.zeek
View file

@ -1,272 +0,0 @@
##! Bro 2.6 removed certain DHCP events, but scripts in the Bro
##! ecosystem are still relying on those events. As a transition, this
##! script will handle the new event, and generate the old events,
##! which are marked as deprecated. Note: This script should be
##! removed in the next Bro version after 2.6.
@load base/protocols/dhcp
## A DHCP message.
##
## .. note:: This type is included to support the deprecated events dhcp_ack,
## dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer,
## dhcp_release and dhcp_request and is thus similarly deprecated
## itself. Use :zeek:see:`dhcp_message` instead.
##
## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
## dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request
type dhcp_msg: record {
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count; ##< The type of DHCP message.
xid: count; ##< Transaction ID of a DHCP session.
h_addr: string; ##< Hardware address of the client.
ciaddr: addr; ##< Original IP address of the client.
yiaddr: addr; ##< IP address assigned to the client.
};
## A list of router addresses offered by a DHCP server.
##
## .. note:: This type is included to support the deprecated events dhcp_ack
## and dhcp_offer and is thus similarly deprecated
## itself. Use :zeek:see:`dhcp_message` instead.
##
## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer
type dhcp_router_list: table[count] of addr;
## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
## available servers).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The specific address requested by the client.
##
## host_name: The value of the host name option, if specified by the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPOFFER* (server to client in response
## to DHCPDISCOVER with offer of configuration parameters).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The least interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## host_name: Optional host name value. May differ from the host name requested
## from the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
## (a) requesting offered parameters from one server and implicitly declining offers
## from all others, (b) confirming correctness of previously allocated address after,
## e.g., system reboot, or (c) extending the lease on a particular network address.)
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The client address specified by the message.
##
## serv_addr: The server address specified by the message.
##
## host_name: The value of the host name option, if specified by the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
## network address is already in use).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## host_name: Optional host name value.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_ack dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
## parameters, including committed network address).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The least interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## host_name: Optional host name value. May differ from the host name requested
## from the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_nak dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
## notion of network address is incorrect (e.g., client has moved to new subnet) or
## client's lease has expired).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## host_name: Optional host name value.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_release dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
## network address and cancelling remaining lease).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## host_name: The value of the host name option, if specified by the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_inform
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
## local configuration parameters; client already has externally configured network
## address).
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## host_name: The value of the host name option, if specified by the client.
##
## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
## dhcp_decline dhcp_ack dhcp_nak dhcp_release
##
## .. note:: This event has been deprecated, and will be removed in the next version.
## Use dhcp_message instead.
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
global dhcp_inform: event(c: connection, msg: dhcp_msg, host_name: string) &deprecated;
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
local old_msg: dhcp_msg = [$op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
$h_addr=msg$chaddr, $ciaddr=msg$ciaddr, $yiaddr=msg$yiaddr];
local routers = dhcp_router_list();
if ( options?$routers )
for ( i in options$routers )
routers[|routers|] = options$routers[i];
# These fields are technically optional, but aren't listed as such in the event.
# We give it some defaults in order to suppress errors.
local ar = ( options?$addr_request ) ? options$addr_request : 0.0.0.0;
local hn = ( options?$host_name ) ? options$host_name : "";
local le = ( options?$lease ) ? options$lease : 0 secs;
local sm = ( options?$subnet_mask ) ? options$subnet_mask : 255.255.255.255;
local sa = ( options?$serv_addr ) ? options$serv_addr : 0.0.0.0;
switch ( DHCP::message_types[msg$m_type] ) {
case "DISCOVER":
event dhcp_discover(c, old_msg, ar, hn);
break;
case "OFFER":
event dhcp_offer(c, old_msg, sm, routers, le, sa, hn);
break;
case "REQUEST":
event dhcp_request(c, old_msg, ar, sa, hn);
break;
case "DECLINE":
event dhcp_decline(c, old_msg, hn);
break;
case "ACK":
event dhcp_ack(c, old_msg, sm, routers, le, sa, hn);
break;
case "NAK":
event dhcp_nak(c, old_msg, hn);
break;
case "RELEASE":
event dhcp_release(c, old_msg, hn);
break;
case "INFORM":
event dhcp_inform(c, old_msg, hn);
break;
default:
# This isn't a weird, it's just a DHCP message type the old scripts don't handle
break;
}
}

1
scripts/test-all-policy.zeek
View file

@ -63,7 +63,6 @@
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
@load protocols/conn/weirds.zeek
#@load protocols/dhcp/deprecated_events.zeek
@load protocols/dhcp/msg-orig.zeek
@load protocols/dhcp/software.zeek
@load protocols/dhcp/sub-opts.zeek

1
scripts/zeexygen/__load__.zeek
View file

@ -6,7 +6,6 @@
@load frameworks/control/controller.zeek
@load frameworks/files/extract-all-files.zeek
@load policy/misc/dump-events.zeek
@load policy/protocols/dhcp/deprecated_events.zeek
@load policy/protocols/smb/__load__.zeek
@load ./example.zeek

2
src/Net.h
View file

@ -83,8 +83,6 @@ extern iosource::PktDumper* pkt_dumper; // where to save packets
extern char* writefile;
extern int old_comm_usage_count;
// Script file we have already scanned (or are in the process of scanning).
// They are identified by inode number.
struct ScannedFile {

42
src/analyzer/protocol/ssl/events.bif
View file

@ -73,7 +73,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
## sent in TLSv1.3 or SSLv2.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_session_ticket_handshake x509_certificate ssl_server_curve
## ssl_session_ticket_handshake x509_certificate
## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms
@ -116,7 +116,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
## ssl_extension_server_name ssl_extension_signature_algorithm
## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
@ -136,7 +136,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
## ssl_extension_server_name ssl_extension_signature_algorithm
## ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
@ -157,7 +157,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve ssl_extension_key_share
## ssl_extension_server_name ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature
@ -176,32 +176,12 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve
## ssl_extension_server_name
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
## Generated if a named curve is chosen by the server for an SSL/TLS connection.
## The curve is sent by the server in the ServerKeyExchange message as defined
## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
##
## c: The connection.
##
## curve: The curve.
##
## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params
## event. This event will be removed in a future version of Bro.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature
event ssl_server_curve%(c: connection, curve: count%) &deprecated;
## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
## This event contains the named curve name and the server ECDH parameters contained
## in the ServerKeyExchange message as defined in :rfc:`4492`.
@ -213,7 +193,7 @@ event ssl_server_curve%(c: connection, curve: count%) &deprecated;
## point: The server's ECDH public key.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
## ssl_session_ticket_handshake ssl_server_signature
## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms
event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
@ -230,7 +210,7 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
## Ys: The server's DH public key.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
## ssl_session_ticket_handshake ssl_server_signature
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms
event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
@ -253,7 +233,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
## message is used for signing.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms
## ssl_session_ticket_handshake ssl_rsa_client_pms
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
@ -266,7 +246,7 @@ event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::Sig
## point: The client's ECDH public key.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
## ssl_session_ticket_handshake ssl_server_signature
## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms
event ssl_ecdh_client_params%(c: connection, point: string%);
@ -279,7 +259,7 @@ event ssl_ecdh_client_params%(c: connection, point: string%);
## Yc: The client's DH public key.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
## ssl_session_ticket_handshake ssl_server_signature
## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms
event ssl_dh_client_params%(c: connection, Yc: string%);
@ -292,7 +272,7 @@ event ssl_dh_client_params%(c: connection, Yc: string%);
## pms: The encrypted pre-master secret.
##
## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
## ssl_session_ticket_handshake ssl_server_signature
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
event ssl_rsa_client_pms%(c: connection, pms: string%);

8
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -320,10 +320,6 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE )
return true;
if ( ssl_server_curve )
BifEvent::generate_ssl_server_curve(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve});
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
@ -355,10 +351,6 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE )
return true;
if ( ssl_server_curve )
BifEvent::generate_ssl_server_curve(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve});
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));

483
src/bro.bif
View file

@ -1512,7 +1512,7 @@ function cat%(...%): string
## Returns: A concatenation of all arguments with *sep* between each one and
## empty strings replaced with *def*.
##
## .. zeek:see:: cat string_cat cat_string_array cat_string_array_n
## .. zeek:see:: cat string_cat
function cat_sep%(sep: string, def: string, ...%): string
%{
ODesc d;
@ -1579,7 +1579,7 @@ function cat_sep%(sep: string, def: string, ...%): string
## number of additional arguments for the given format specifier,
## :zeek:id:`fmt` generates a run-time error.
##
## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
## .. zeek:see:: cat cat_sep string_cat
function fmt%(...%): string
%{
if ( @ARGC@ == 0 )
@ -2852,29 +2852,6 @@ function encode_base64%(s: string, a: string &default=""%): string
}
%}
## Encodes a Base64-encoded string with a custom alphabet.
##
## s: The string to encode.
##
## a: The custom alphabet. The string must consist of 64 unique
## characters. The empty string indicates the default alphabet.
##
## Returns: The encoded version of *s*.
##
## .. zeek:see:: encode_base64
function encode_base64_custom%(s: string, a: string%): string &deprecated
%{
BroString* t = encode_base64(s->AsString(), a->AsString());
if ( t )
return new StringVal(t);
else
{
reporter->Error("error in encoding string %s", s->CheckString());
return val_mgr->GetEmptyString();
}
%}
## Decodes a Base64-encoded string.
##
## s: The Base64-encoded string.
@ -2930,28 +2907,6 @@ function decode_base64_conn%(cid: conn_id, s: string, a: string &default=""%): s
}
%}
## Decodes a Base64-encoded string with a custom alphabet.
##
## s: The Base64-encoded string.
##
## a: The custom alphabet. The string must consist of 64 unique characters.
## The empty string indicates the default alphabet.
##
## Returns: The decoded version of *s*.
##
## .. zeek:see:: decode_base64 decode_base64_conn
function decode_base64_custom%(s: string, a: string%): string &deprecated
%{
BroString* t = decode_base64(s->AsString(), a->AsString());
if ( t )
return new StringVal(t);
else
{
reporter->Error("error in decoding string %s", s->CheckString());
return val_mgr->GetEmptyString();
}
%}
%%{
typedef struct {
uint32 time_low;
@ -2995,29 +2950,6 @@ function uuid_to_string%(uuid: string%): string
return new StringVal(s);
%}
## Merges and compiles two regular expressions at initialization time.
##
## p1: The first pattern.
##
## p2: The second pattern.
##
## Returns: The compiled pattern of the concatenation of *p1* and *p2*.
##
## .. zeek:see:: convert_for_pattern string_to_pattern
##
## .. note::
##
## This function must be called at Zeek startup time, e.g., in the event
## :zeek:id:`zeek_init`.
function merge_pattern%(p1: pattern, p2: pattern%): pattern &deprecated
%{
RE_Matcher* re = new RE_Matcher();
re->AddPat(p1->PatternText());
re->AddPat(p2->PatternText());
re->Compile();
return new PatternVal(re);
%}
%%{
char* to_pat_str(int sn, const char* ss)
{
@ -3050,7 +2982,7 @@ char* to_pat_str(int sn, const char* ss)
## Returns: An escaped version of *s* that has the structure of a valid
## :zeek:type:`pattern`.
##
## .. zeek:see:: merge_pattern string_to_pattern
## .. zeek:see:: string_to_pattern
##
function convert_for_pattern%(s: string%): string
%{
@ -3070,7 +3002,7 @@ function convert_for_pattern%(s: string%): string
##
## Returns: *s* as :zeek:type:`pattern`.
##
## .. zeek:see:: convert_for_pattern merge_pattern
## .. zeek:see:: convert_for_pattern
##
## .. note::
##
@ -3374,7 +3306,7 @@ const char* conn_id_string(Val* c)
##
## Returns: True on success.
##
## .. zeek:see:: dump_packet get_current_packet send_current_packet
## .. zeek:see:: dump_packet get_current_packet
function dump_current_packet%(file_name: string%) : bool
%{
const Packet* pkt;
@ -3405,7 +3337,7 @@ function dump_current_packet%(file_name: string%) : bool
## Returns: The currently processed packet, which is a record
## containing the timestamp, ``snaplen``, and packet data.
##
## .. zeek:see:: dump_current_packet dump_packet send_current_packet
## .. zeek:see:: dump_current_packet dump_packet
function get_current_packet%(%) : pcap_packet
%{
const Packet* p;
@ -3461,7 +3393,7 @@ function get_current_packet_header%(%) : raw_pkt_hdr
##
## Returns: True on success
##
## .. zeek:see:: get_current_packet dump_current_packet send_current_packet
## .. zeek:see:: get_current_packet dump_current_packet
function dump_packet%(pkt: pcap_packet, file_name: string%) : bool
%{
if ( addl_pkt_dumper && addl_pkt_dumper->Path() != file_name->CheckString())
@ -4953,56 +4885,6 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool
return val_mgr->GetBool(sessions->GetPacketFilter()->RemoveDst(snet));
%}
# ===========================================================================
#
# Communication
#
# ===========================================================================
## Enables the communication system. By default, the communication is off until
## explicitly enabled, and all other calls to communication-related functions
## will be ignored until done so.
function enable_communication%(%): any &deprecated
%{
if ( bro_start_network_time != 0.0 )
{
builtin_error("communication must be enabled in zeek_init");
return 0;
}
if ( using_communication )
// Ignore duplicate calls.
return 0;
using_communication = 1;
remote_serializer->Enable();
return 0;
%}
## Flushes in-memory state tagged with the :zeek:attr:`&persistent` attribute
## to disk. The function writes the state to the file ``.state/state.bst`` in
## the directory where Bro was started.
##
## Returns: True on success.
##
## .. zeek:see:: rescan_state
function checkpoint_state%(%) : bool
%{
return val_mgr->GetBool(persistence_serializer->WriteState(true));
%}
## Reads persistent state and populates the in-memory data structures
## accordingly. Persistent state is read from the ``.state`` directory.
## This function is the dual to :zeek:id:`checkpoint_state`.
##
## Returns: True on success.
##
## .. zeek:see:: checkpoint_state
function rescan_state%(%) : bool
%{
return val_mgr->GetBool(persistence_serializer->ReadAll(false, true));
%}
## Writes the binary event stream generated by the core to a given file.
## Use the ``-x <filename>`` command line switch to replay saved events.
##
@ -5041,165 +4923,6 @@ function capture_state_updates%(filename: string%) : bool
(const char*) filename->CheckString()));
%}
## Establishes a connection to a remote Bro or Broccoli instance.
##
## ip: The IP address of the remote peer.
##
## zone_id: If *ip* is a non-global IPv6 address, a particular :rfc:`4007`
## ``zone_id`` can given here. An empty string, ``""``, means
## not to add any ``zone_id``.
##
## p: The port of the remote peer.
##
## our_class: If a non-empty string, then the remote (listening) peer checks it
## against its class name in its peer table and terminates the
## connection if they don't match.
##
## retry: If the connection fails, try to reconnect with the peer after this
## time interval.
##
## ssl: If true, use SSL to encrypt the session.
##
## Returns: A locally unique ID of the new peer.
##
## .. zeek:see:: disconnect
## listen
## request_remote_events
## request_remote_sync
## request_remote_logs
## request_remote_events
## set_accept_state
## set_compression_level
## send_state
## send_id
function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: interval, ssl: bool%) : count &deprecated
%{
return val_mgr->GetCount(uint32(remote_serializer->Connect(ip->AsAddr(),
zone_id->CheckString(), p->Port(), our_class->CheckString(),
retry, ssl)));
%}
## Terminate the connection with a peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## Returns: True on success.
##
## .. zeek:see:: connect listen
function disconnect%(p: event_peer%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->CloseConnection(id));
%}
## Subscribes to all events from a remote peer whose names match a given
## pattern.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## handlers: The pattern describing the events to request from peer *p*.
##
## Returns: True on success.
##
## .. zeek:see:: request_remote_sync
## request_remote_logs
## set_accept_state
function request_remote_events%(p: event_peer, handlers: pattern%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->RequestEvents(id, handlers));
%}
## Requests synchronization of IDs with a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## auth: If true, the local instance considers its current state authoritative
## and sends it to *p* right after the handshake.
##
## Returns: True on success.
##
## .. zeek:see:: request_remote_events
## request_remote_logs
## set_accept_state
function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->RequestSync(id, auth));
%}
## Requests logs from a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## Returns: True on success.
##
## .. zeek:see:: request_remote_events
## request_remote_sync
function request_remote_logs%(p: event_peer%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->RequestLogs(id));
%}
## Sets a boolean flag indicating whether Bro accepts state from a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## accept: True if Bro accepts state from peer *p*, or false otherwise.
##
## Returns: True on success.
##
## .. zeek:see:: request_remote_events
## request_remote_sync
## set_compression_level
function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->SetAcceptState(id, accept));
%}
## Sets the compression level of the session with a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## level: Allowed values are in the range *[0, 9]*, where 0 is the default and
## means no compression.
##
## Returns: True on success.
##
## .. zeek:see:: set_accept_state
function set_compression_level%(p: event_peer, level: count%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->SetCompressionLevel(id, level));
%}
## Listens on a given IP address and port for remote connections.
##
## ip: The IP address to bind to.
##
## p: The TCP port to listen on.
##
## ssl: If true, Bro uses SSL to encrypt the session.
##
## ipv6: If true, enable listening on IPv6 addresses.
##
## zone_id: If *ip* is a non-global IPv6 address, a particular :rfc:`4007`
## ``zone_id`` can given here. An empty string, ``""``, means
## not to add any ``zone_id``.
##
## retry_interval: If address *ip* is found to be already in use, this is
## the interval at which to automatically retry binding.
##
## Returns: True on success.
##
## .. zeek:see:: connect disconnect
function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool &deprecated
%{
return val_mgr->GetBool(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, zone_id->CheckString(), retry_interval));
%}
## Checks whether the last raised event came from a remote peer.
##
## Returns: True if the last raised event came from a remote peer.
@ -5208,179 +4931,11 @@ function is_remote_event%(%) : bool
return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
%}
## Sends all persistent state to a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## Returns: True on success.
##
## .. zeek:see:: send_id send_ping send_current_packet send_capture_filter
function send_state%(p: event_peer%) : bool
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(persistence_serializer->SendState(id, true));
%}
## Sends a global identifier to a remote peer, which then might install it
## locally.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## id: The identifier to send.
##
## Returns: True on success.
##
## .. zeek:see:: send_state send_ping send_current_packet send_capture_filter
function send_id%(p: event_peer, id: string%) : bool &deprecated
%{
RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount();
ID* i = global_scope()->Lookup(id->CheckString());
if ( ! i )
{
reporter->Error("send_id: no global id %s", id->CheckString());
return val_mgr->GetBool(0);
}
SerialInfo info(remote_serializer);
return val_mgr->GetBool(remote_serializer->SendID(&info, pid, *i));
%}
## Gracefully finishes communication by first making sure that all remaining
## data from parent and child has been sent out.
##
## Returns: True if the termination process has been started successfully.
function terminate_communication%(%) : bool &deprecated
%{
return val_mgr->GetBool(remote_serializer->Terminate());
%}
## Signals a remote peer that the local Bro instance finished the initial
## handshake.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## Returns: True on success.
function complete_handshake%(p: event_peer%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->CompleteHandshake(id));
%}
## Sends a ping event to a remote peer. In combination with an event handler
## for :zeek:id:`remote_pong`, this function can be used to measure latency
## between two peers.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## seq: A sequence number (also included by :zeek:id:`remote_pong`).
##
## Returns: True if sending the ping succeeds.
##
## .. zeek:see:: send_state send_id send_current_packet send_capture_filter
function send_ping%(p: event_peer, seq: count%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->SendPing(id, seq));
%}
## Sends the currently processed packet to a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## Returns: True if sending the packet succeeds.
##
## .. zeek:see:: send_id send_state send_ping send_capture_filter
## dump_packet dump_current_packet get_current_packet
function send_current_packet%(p: event_peer%) : bool &deprecated
%{
const Packet* pkt;
if ( ! current_pktsrc ||
! current_pktsrc->GetCurrentPacket(&pkt) )
return val_mgr->GetBool(0);
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
SerialInfo info(remote_serializer);
return val_mgr->GetBool(remote_serializer->SendPacket(&info, id, *pkt));
%}
## Returns the peer who generated the last event.
##
## Note, this function is deprecated. It works correctly only for local events and
## events received through the legacy communication system. It does *not* work for
## events received through Broker and will report an error in that case.
##
## Returns: The ID of the peer who generated the last event.
##
## .. zeek:see:: get_local_event_peer
function get_event_peer%(%) : event_peer &deprecated
%{
SourceID src = mgr.CurrentSource();
if ( src == SOURCE_LOCAL )
{
RecordVal* p = mgr.GetLocalPeerVal();
Ref(p);
return p;
}
if ( src == SOURCE_BROKER )
{
reporter->Error("get_event_peer() does not support Broker events");
RecordVal* p = mgr.GetLocalPeerVal();
Ref(p);
return p;
}
if ( ! remote_serializer )
reporter->InternalError("remote_serializer not initialized");
Val* v = remote_serializer->GetPeerVal(src);
if ( ! v )
{
reporter->Error("peer %d does not exist anymore", int(src));
RecordVal* p = mgr.GetLocalPeerVal();
Ref(p);
return p;
}
return v;
%}
## Returns the local peer ID.
##
## Returns: The peer ID of the local Bro instance.
##
## .. zeek:see:: get_event_peer
function get_local_event_peer%(%) : event_peer &deprecated
%{
RecordVal* p = mgr.GetLocalPeerVal();
Ref(p);
return p;
%}
## Sends a capture filter to a remote peer.
##
## p: The peer ID returned from :zeek:id:`connect`.
##
## s: The capture filter.
##
## Returns: True if sending the packet succeeds.
##
## .. zeek:see:: send_id send_state send_ping send_current_packet
function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated
%{
RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
return val_mgr->GetBool(remote_serializer->SendCaptureFilter(id, s->CheckString()));
%}
## Stops Bro's packet processing. This function is used to synchronize
## distributed trace processing with communication enabled
## (*pseudo-realtime* mode).
##
## .. zeek:see:: continue_processing suspend_state_updates resume_state_updates
## .. zeek:see:: continue_processing
function suspend_processing%(%) : any
%{
net_suspend_processing();
@ -5389,33 +4944,13 @@ function suspend_processing%(%) : any
## Resumes Bro's packet processing.
##
## .. zeek:see:: suspend_processing suspend_state_updates resume_state_updates
## .. zeek:see:: suspend_processing
function continue_processing%(%) : any
%{
net_continue_processing();
return 0;
%}
## Stops propagating :zeek:attr:`&synchronized` accesses.
##
## .. zeek:see:: suspend_processing continue_processing resume_state_updates
function suspend_state_updates%(%) : any &deprecated
%{
if ( remote_serializer )
remote_serializer->SuspendStateUpdates();
return 0;
%}
## Resumes propagating :zeek:attr:`&synchronized` accesses.
##
## .. zeek:see:: suspend_processing continue_processing suspend_state_updates
function resume_state_updates%(%) : any &deprecated
%{
if ( remote_serializer )
remote_serializer->ResumeStateUpdates();
return 0;
%}
# ===========================================================================
#
# Internal Functions

17
src/event.bif
View file

@ -676,19 +676,6 @@ event remote_connection_error%(p: event_peer, reason: string%);
## remote_state_inconsistency print_hook
event remote_capture_filter%(p: event_peer, filter: string%);
## Generated after a call to :zeek:id:`send_state` when all data has been
## successfully sent to the remote side. While this event is
## intended primarily for use by Bro's communication framework, it can also
## trigger additional code if helpful.
##
## p: A record describing the remote peer.
##
## .. zeek:see:: remote_capture_filter remote_connection_closed
## remote_connection_error remote_connection_established
## remote_connection_handshake_done remote_event_registered remote_log remote_pong
## remote_state_access_performed remote_state_inconsistency print_hook
event finished_send_state%(p: event_peer%);
## Generated if state synchronization detects an inconsistency. While this
## event is intended primarily for use by Bro's communication framework, it can
## also trigger additional code if helpful. This event is only raised if
@ -757,12 +744,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
## Generated when a remote peer has answered to our ping. This event is part of
## Bro's infrastructure for measuring communication latency. One can send a ping
## by calling :zeek:id:`send_ping` and when a corresponding reply is received,
## by calling ``send_ping`` and when a corresponding reply is received,
## this event will be raised.
##
## p: The peer sending us the pong.
##
## seq: The sequence number passed to the original :zeek:id:`send_ping` call.
## seq: The sequence number passed to the original ``send_ping`` call.
## The number is sent back by the peer in its response.
##
## d1: The time interval between sending the ping and receiving the pong. This

82
src/main.cc
View file

@ -116,7 +116,6 @@ char* command_line_policy = 0;
vector<string> params;
set<string> requested_plugins;
char* proc_status_file = 0;
int old_comm_usage_count = 0;
OpaqueType* md5_type = 0;
OpaqueType* sha1_type = 0;
@ -427,70 +426,6 @@ static void bro_new_handler()
out_of_memory("new");
}
static auto old_comm_ids = std::set<const char*, CompareString>{
"connect",
"disconnect",
"request_remote_events",
"request_remote_sync",
"request_remote_logs",
"set_accept_state",
"set_compression_level",
"listen",
"send_id",
"terminate_communication",
"complete_handshake",
"send_ping",
"send_current_packet",
"get_event_peer",
"send_capture_filter",
"suspend_state_updates",
"resume_state_updates",
};
static bool is_old_comm_usage(const ID* id)
{
auto name = id->Name();
if ( old_comm_ids.find(name) == old_comm_ids.end() )
return false;
return true;
}
class OldCommUsageTraversalCallback : public TraversalCallback {
public:
virtual TraversalCode PreExpr(const Expr* expr) override
{
switch ( expr->Tag() ) {
case EXPR_CALL:
{
const CallExpr* call = static_cast<const CallExpr*>(expr);
auto func = call->Func();
if ( func->Tag() == EXPR_NAME )
{
const NameExpr* ne = static_cast<const NameExpr*>(func);
auto id = ne->Id();
if ( is_old_comm_usage(id) )
++old_comm_usage_count;
}
}
break;
default:
break;
}
return TC_CONTINUE;
}
};
static void find_old_comm_usages()
{
OldCommUsageTraversalCallback cb;
traverse_all(&cb);
}
int main(int argc, char** argv)
{
std::set_new_handler(bro_new_handler);
@ -918,23 +853,6 @@ int main(int argc, char** argv)
yyparse();
is_parsing = false;
find_old_comm_usages();
if ( old_comm_usage_count )
{
auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok");
if ( ! old_comm_ack_id->ID_Val()->AsBool() )
reporter->FatalError("Detected old, deprecated communication "
"system usages that will not work unless "
"you explicitly take action to initizialize "
"and set up the old comm. system. "
"Set the 'old_comm_usage_is_ok' flag "
"to bypass this error if you've taken such "
"actions, but the suggested solution is to "
"port scripts to use the new Broker API.");
}
RecordVal::ResizeParseTimeRecords();
init_general_global_var();

1
src/scan.l
View file

@ -326,7 +326,6 @@ when return TOK_WHEN;
}
&synchronized {
++old_comm_usage_count;
deprecated_attr(yytext);
return TOK_ATTR_SYNCHRONIZED;
}

205
src/strings.bif
View file

@ -55,9 +55,9 @@ function levenshtein_distance%(s1: string, s2: string%): count
##
## Returns: The concatenation of all (string) arguments.
##
## .. zeek:see:: cat cat_sep cat_string_array cat_string_array_n
## .. zeek:see:: cat cat_sep
## fmt
## join_string_vec join_string_array
## join_string_vec
function string_cat%(...%): string
%{
int n = 0;
@ -112,85 +112,8 @@ int vs_to_string_array(vector<const BroString*>& vs, TableVal* tbl,
}
return 1;
}
BroString* cat_string_array_n(TableVal* tbl, int start, int end)
{
vector<const BroString*> vs;
string_array_to_vs(tbl, start, end, vs);
return concatenate(vs);
}
%%}
## Concatenates all elements in an array of strings.
##
## a: The :zeek:type:`string_array` (``table[count] of string``).
##
## Returns: The concatenation of all elements in *a*.
##
## .. zeek:see:: cat cat_sep string_cat cat_string_array_n
## fmt
## join_string_vec join_string_array
function cat_string_array%(a: string_array%): string &deprecated
%{
TableVal* tbl = a->AsTableVal();
return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length()));
%}
## Concatenates a specific range of elements in an array of strings.
##
## a: The :zeek:type:`string_array` (``table[count] of string``).
##
## start: The array index of the first element of the range.
##
## end: The array index of the last element of the range.
##
## Returns: The concatenation of the range *[start, end]* in *a*.
##
## .. zeek:see:: cat string_cat cat_string_array
## fmt
## join_string_vec join_string_array
function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated
%{
TableVal* tbl = a->AsTableVal();
return new StringVal(cat_string_array_n(tbl, start, end));
%}
## Joins all values in the given array of strings with a separator placed
## between each element.
##
## sep: The separator to place between each element.
##
## a: The :zeek:type:`string_array` (``table[count] of string``).
##
## Returns: The concatenation of all elements in *a*, with *sep* placed
## between each element.
##
## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
## fmt
## join_string_vec
function join_string_array%(sep: string, a: string_array%): string &deprecated
%{
vector<const BroString*> vs;
TableVal* tbl = a->AsTableVal();
int n = a->AsTable()->Length();
for ( int i = 1; i <= n; ++i )
{
Val* ind = val_mgr->GetCount(i);
Val* v = tbl->Lookup(ind);
if ( ! v )
return 0;
vs.push_back(v->AsString());
Unref(ind);
if ( i < n )
vs.push_back(sep->AsString());
}
return new StringVal(concatenate(vs));
%}
## Joins all values in the given vector of strings with a separator placed
## between each element.
##
@ -201,9 +124,8 @@ function join_string_array%(sep: string, a: string_array%): string &deprecated
## Returns: The concatenation of all elements in *vec*, with *sep* placed
## between each element.
##
## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
## .. zeek:see:: cat cat_sep string_cat
## fmt
## join_string_array
function join_string_vec%(vec: string_vec, sep: string%): string
%{
ODesc d;
@ -231,39 +153,6 @@ function join_string_vec%(vec: string_vec, sep: string%): string
return new StringVal(s);
%}
## Sorts an array of strings.
##
## a: The :zeek:type:`string_array` (``table[count] of string``).
##
## Returns: A sorted copy of *a*.
##
## .. zeek:see:: sort
function sort_string_array%(a: string_array%): string_array &deprecated
%{
TableVal* tbl = a->AsTableVal();
int n = a->AsTable()->Length();
vector<const BroString*> vs;
string_array_to_vs(tbl, 1, n, vs);
unsigned int i, j;
for ( i = 0; i < vs.size(); ++i )
{
const BroString* x = vs[i];
for ( j = i; j > 0; --j )
if ( Bstr_cmp(vs[j-1], x) <= 0 )
break;
else
vs[j] = vs[j-1];
vs[j] = x;
}
// sort(vs.begin(), vs.end(), Bstr_cmp);
TableVal* b = new TableVal(string_array);
vs_to_string_array(vs, b, 1, n);
return b;
%}
## Returns an edited version of a string that applies a special
## "backspace character" (usually ``\x08`` for backspace or ``\x7f`` for DEL).
## For example, ``edit("hello there", "e")`` returns ``"llo t"``.
@ -549,26 +438,6 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all)
}
%%}
## Splits a string into an array of strings according to a pattern.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## Returns: An array of strings where each element corresponds to a substring
## in *str* separated by *re*.
##
## .. zeek:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split
##
## .. note:: The returned table starts at index 1. Note that conceptually the
## return value is meant to be a vector and this might change in the
## future.
##
function split%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 0, 0);
%}
## Splits a string into an array of strings according to a pattern.
##
## str: The string to split.
@ -585,26 +454,6 @@ function split_string%(str: string, re: pattern%): string_vec
return do_split_string(str, re, 0, 0);
%}
## Splits a string *once* into a two-element array of strings according to a
## pattern. This function is the same as :zeek:id:`split`, but *str* is only
## split once (if possible) at the earliest position and an array of two strings
## is returned.
##
## str: The string to split.
##
## re: The pattern describing the separator to split *str* in two pieces.
##
## Returns: An array of strings with two elements in which the first represents
## the substring in *str* up to the first occurence of *re*, and the
## second everything after *re*. An array of one string is returned
## when *s* cannot be split.
##
## .. zeek:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split
function split1%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 0, 1);
%}
## Splits a string *once* into a two-element array of strings according to a
## pattern. This function is the same as :zeek:id:`split_string`, but *str* is
## only split once (if possible) at the earliest position and an array of two
@ -625,26 +474,6 @@ function split_string1%(str: string, re: pattern%): string_vec
return do_split_string(str, re, 0, 1);
%}
## Splits a string into an array of strings according to a pattern. This
## function is the same as :zeek:id:`split`, except that the separators are
## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns
## ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do not match the
## pattern and even-indexed ones do.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## Returns: An array of strings where each two successive elements correspond
## to a substring in *str* of the part not matching *re* (odd-indexed)
## and the part that matches *re* (even-indexed).
##
## .. zeek:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split
function split_all%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 1, 0);
%}
## Splits a string into an array of strings according to a pattern. This
## function is the same as :zeek:id:`split_string`, except that the separators
## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)``
@ -665,32 +494,6 @@ function split_string_all%(str: string, re: pattern%): string_vec
return do_split_string(str, re, 1, 0);
%}
## Splits a string a given number of times into an array of strings according
## to a pattern. This function is similar to :zeek:id:`split1` and
## :zeek:id:`split_all`, but with customizable behavior with respect to
## including separators in the result and the number of times to split.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## incl_sep: A flag indicating whether to include the separator matches in the
## result (as in :zeek:id:`split_all`).
##
## max_num_sep: The number of times to split *str*.
##
## Returns: An array of strings where, if *incl_sep* is true, each two
## successive elements correspond to a substring in *str* of the part
## not matching *re* (odd-indexed) and the part that matches *re*
## (even-indexed).
##
## .. zeek:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split
function split_n%(str: string, re: pattern,
incl_sep: bool, max_num_sep: count%): string_array &deprecated
%{
return do_split(str, re, incl_sep, max_num_sep);
%}
## Splits a string a given number of times into an array of strings according
## to a pattern. This function is similar to :zeek:id:`split_string1` and
## :zeek:id:`split_string_all`, but with customizable behavior with respect to
@ -1022,7 +825,7 @@ function str_smith_waterman%(s1: string, s2: string, params: sw_params%) : sw_su
##
## Returns: A vector of strings.
##
## .. zeek:see:: split split1 split_all split_n
## .. zeek:see:: split_string split_string1 split_string_all split_string_n
function str_split%(s: string, idx: index_vec%): string_vec
%{
vector<Val*>* idx_v = idx->AsVector();

3
testing/btest/Baseline/bifs.cat_string_array/out
View file

@ -1,3 +0,0 @@
isatest
thisisatest
isa

6
testing/btest/Baseline/bifs.decode_base64/out
View file

@ -6,9 +6,3 @@ bro
bro
bro
bro
bro
bro
bro
bro
bro
bro

3
testing/btest/Baseline/bifs.encode_base64/out
View file

@ -2,9 +2,6 @@ YnJv
YnJv
YnJv
}n-v
YnJv
YnJv
}n-v
cGFkZGluZw==
cGFkZGluZzE=
cGFkZGluZzEy

3
testing/btest/Baseline/bifs.join_string/out
View file

@ -1,6 +1,3 @@
this * is * a * test
thisisatest
mytest
this__is__another__test
thisisanothertest
Test

2
testing/btest/Baseline/bifs.merge_pattern/out
View file

@ -1,2 +0,0 @@
match
match

4
testing/btest/Baseline/bifs.sort_string_array/out
View file

@ -1,4 +0,0 @@
a
is
test
this

32
testing/btest/Baseline/bifs.split/out
View file

@ -1,32 +0,0 @@
t
s is a t
t
---------------------
t
s is a test
---------------------
t
hi
s is a t
es
t
---------------------
t
s is a test
---------------------
t
hi
s is a test
---------------------
[, thi, s i, s a tes, t]
---------------------
X-Mailer
Testing Test (http://www.example.com)
---------------------
A
=
B
=
C
=
D

2
testing/btest/Baseline/core.old_comm_usage/out
View file

@ -1,2 +0,0 @@
warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.zeek, line 6: deprecated (terminate_communication)
fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions, but the suggested solution is to port scripts to use the new Broker API.

20
testing/btest/Baseline/coverage.bare-mode-errors/errors
View file

@ -1,18 +1,2 @@
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform)
warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//zeexygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead"
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform)
warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead"
warning in /Users/johanna/bro/master/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/johanna/bro/master/testing/btest/../../scripts//zeexygen/__load__.zeek:9 "Use '@load base/protocols/smb' instead"
warning in /Users/johanna/bro/master/testing/btest/../../scripts//policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead"

14
testing/btest/bifs/cat_string_array.zeek
View file

@ -1,14 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
event zeek_init()
{
local a: string_array = {
[0] = "this", [1] = "is", [2] = "a", [3] = "test"
};
print cat_string_array(a);
print cat_string_array_n(a, 0, |a|-1);
print cat_string_array_n(a, 1, 2);
}

10
testing/btest/bifs/checkpoint_state.zeek
View file

@ -1,10 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: test -f .state/state.bst
event zeek_init()
{
local a = checkpoint_state();
if ( a != T )
exit(1);
}

6
testing/btest/bifs/decode_base64.zeek
View file

@ -9,14 +9,8 @@ print decode_base64("YnJv");
print decode_base64("YnJv", default_alphabet);
print decode_base64("YnJv", ""); # should use default alpabet
print decode_base64("}n-v", my_alphabet);
print decode_base64_custom("YnJv", default_alphabet);
print decode_base64_custom("YnJv", ""); # should use default alpabet
print decode_base64_custom("}n-v", my_alphabet);
print decode_base64("YnJv");
print decode_base64("YnJv", default_alphabet);
print decode_base64("YnJv", ""); # should use default alpabet
print decode_base64("}n-v", my_alphabet);
print decode_base64_custom("YnJv", default_alphabet);
print decode_base64_custom("YnJv", ""); # should use default alpabet
print decode_base64_custom("}n-v", my_alphabet);

4
testing/btest/bifs/encode_base64.zeek
View file

@ -10,10 +10,6 @@ print encode_base64("bro", default_alphabet);
print encode_base64("bro", ""); # should use default alpabet
print encode_base64("bro", my_alphabet);
print encode_base64_custom("bro", default_alphabet);
print encode_base64_custom("bro", ""); # should use default alpabet
print encode_base64_custom("bro", my_alphabet);
print encode_base64("padding");
print encode_base64("padding1");
print encode_base64("padding12");

8
testing/btest/bifs/join_string.zeek
View file

@ -4,8 +4,8 @@
event zeek_init()
{
local a: string_array = {
[1] = "this", [2] = "is", [3] = "a", [4] = "test"
local a: string_array = {
[1] = "this", [2] = "is", [3] = "a", [4] = "test"
};
local b: string_array = { [1] = "mytest" };
local c: string_vec = vector( "this", "is", "another", "test" );
@ -14,10 +14,6 @@ event zeek_init()
e[3] = "hi";
e[5] = "there";
print join_string_array(" * ", a);
print join_string_array("", a);
print join_string_array("x", b);
print join_string_vec(c, "__");
print join_string_vec(c, "");
print join_string_vec(d, "-");

17
testing/btest/bifs/merge_pattern.zeek
View file

@ -1,17 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
event zeek_init()
{
local a = /foo/;
local b = /b[a-z]+/;
local c = merge_pattern(a, b);
if ( "bar" == c )
print "match";
if ( "foo" == c )
print "match";
}

17
testing/btest/bifs/sort_string_array.zeek
View file

@ -1,17 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
event zeek_init()
{
local a: string_array = {
[1] = "this", [2] = "is", [3] = "a", [4] = "test"
};
local b = sort_string_array(a);
print b[1];
print b[2];
print b[3];
print b[4];
}

58
testing/btest/bifs/split.zeek
View file

@ -1,58 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
event zeek_init()
{
local a = "this is a test";
local pat = /hi|es/;
local idx = vector( 3, 6, 13);
local b = split(a, pat);
local c = split1(a, pat);
local d = split_all(a, pat);
local e1 = split_n(a, pat, F, 1);
local e2 = split_n(a, pat, T, 1);
print b[1];
print b[2];
print b[3];
print "---------------------";
print c[1];
print c[2];
print "---------------------";
print d[1];
print d[2];
print d[3];
print d[4];
print d[5];
print "---------------------";
print e1[1];
print e1[2];
print "---------------------";
print e2[1];
print e2[2];
print e2[3];
print "---------------------";
print str_split(a, idx);
print "---------------------";
a = "X-Mailer: Testing Test (http://www.example.com)";
pat = /:[[:blank:]]*/;
local f = split1(a, pat);
print f[1];
print f[2];
print "---------------------";
a = "A = B = C = D";
pat = /=/;
local g = split_all(a, pat);
print g[1];
print g[2];
print g[3];
print g[4];
print g[5];
print g[6];
print g[7];
}

7
testing/btest/core/old_comm_usage.zeek
View file

@ -1,7 +0,0 @@
# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
event zeek_init()
{
terminate_communication();
}

6
testing/btest/doc/zeexygen/comment_retrieval_bifs.zeek
View file

@ -17,11 +17,7 @@ global print_lines: function(lines: string, prefix: string &default="");
## And some more comments on the function implementation.
function print_lines(lines: string, prefix: string)
{
local v: vector of string;
local line_table = split(lines, /\n/);
for ( i in line_table )
v[i] = line_table[i];
local v = split_string(lines, /\n/);
for ( i in v )
print fmt("%s%s", prefix, v[i]);