Label session adapters in the output of zeek -NN

Tim Wojtulewicz 2021-05-28 13:51:23 -07:00
parent 5433f2936e
commit 1f94b8f250
10 changed files with 18 additions and 24 deletions


@ -8,8 +8,9 @@
namespace zeek::analyzer { namespace zeek::analyzer {
Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype,
: plugin::Component(plugin::component::ANALYZER, name), bool arg_enabled, bool arg_partial, bool arg_adapter)
: plugin::Component(arg_adapter ? plugin::component::SESSION_ADAPTER : plugin::component::ANALYZER, name),
plugin::TaggedComponent<analyzer::Tag>(arg_subtype) plugin::TaggedComponent<analyzer::Tag>(arg_subtype)
{ {
factory = arg_factory; factory = arg_factory;


@ -53,12 +53,16 @@ public:
* manager, including from script-land. * manager, including from script-land.
* *
* @param partial If true, the analyzer can deal with payload from * @param partial If true, the analyzer can deal with payload from
* partial connections, i.e., when Bro enters the stream mid-way * partial connections, i.e., when Zeek enters the stream mid-way
* after not seeing the beginning. Note that handling of partial * after not seeing the beginning. Note that handling of partial
* connections has generally not seen much testing yet as virtually * connections has generally not seen much testing yet as virtually
* no existing analyzer supports it. * no existing analyzer supports it.
*
* @param adapter If true, this analyzer is a session adapter from
* the packet analyzer framework.
*/ */
Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0,
bool enabled = true, bool partial = false, bool adapter = false);
/** /**
* Destructor. * Destructor.
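Review bot: The new `@param adapter` text in this constructor comment does not say what the flag changes, or that adapter components are registered without a factory. From the constructor change in this commit, `adapter` selects `plugin::component::SESSION_ADAPTER` instead of `ANALYZER` as the component type, and the ICMP, TCP and UDP plugins now pass `nullptr` as `factory`. I would extend the line to something like `@param adapter If true, this analyzer is a session adapter from the packet analyzer framework; the component is reported as SESSION_ADAPTER and factory may be null.` and state on `@param factory` whether null is accepted for non-adapter components. The class declaration starts and ends outside this hunk.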


@ -14,11 +14,6 @@ public:
ICMPSessionAdapter(Connection* conn) : ICMPSessionAdapter(Connection* conn) :
IP::SessionAdapter("ICMP", conn) { } IP::SessionAdapter("ICMP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new ICMPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override; void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override; void UpdateConnVal(RecordVal* conn_val) override;
void UpdateEndpointVal(const ValPtr& endp, bool is_orig); void UpdateEndpointVal(const ValPtr& endp, bool is_orig);


@ -14,8 +14,7 @@ public:
{ {
AddComponent(new zeek::packet_analysis::Component("ICMP", AddComponent(new zeek::packet_analysis::Component("ICMP",
zeek::packet_analysis::ICMP::ICMPAnalyzer::Instantiate)); zeek::packet_analysis::ICMP::ICMPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ICMP", AddComponent(new zeek::analyzer::Component("ICMP", nullptr, 0, true, false, true));
zeek::packet_analysis::ICMP::ICMPSessionAdapter::Instantiate));
zeek::plugin::Configuration config; zeek::plugin::Configuration config;
config.name = "Zeek::ICMP"; config.name = "Zeek::ICMP";
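Review bot: The replacement call `new zeek::analyzer::Component("ICMP", nullptr, 0, true, false, true)` registers an enabled analyzer component whose factory is null, and the positional booleans give no hint at the call site of which flag is which. The constructor's doc comment in this commit describes components as reachable through the manager, including from script-land, so it is worth confirming that every path that instantiates an analyzer by tag or name checks the factory before calling it; that code is not visible on this page. I would name the arguments inline, e.g. `/*factory=*/nullptr, /*subtype=*/0, /*enabled=*/true, /*partial=*/false, /*adapter=*/true`. The TCP and UDP plugin sections make the same call and the same point applies there.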


@ -14,8 +14,7 @@ public:
{ {
AddComponent(new zeek::packet_analysis::Component("TCP", AddComponent(new zeek::packet_analysis::Component("TCP",
zeek::packet_analysis::TCP::TCPAnalyzer::Instantiate)); zeek::packet_analysis::TCP::TCPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("TCP", AddComponent(new zeek::analyzer::Component("TCP", nullptr, 0, true, false, true));
zeek::packet_analysis::TCP::TCPSessionAdapter::Instantiate));
zeek::plugin::Configuration config; zeek::plugin::Configuration config;
config.name = "Zeek::TCP_PKT"; config.name = "Zeek::TCP_PKT";


@ -69,9 +69,6 @@ public:
// From Analyzer.h // From Analyzer.h
void UpdateConnVal(RecordVal *conn_val) override; void UpdateConnVal(RecordVal *conn_val) override;
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new TCPSessionAdapter(conn); }
void AddExtraAnalyzers(Connection* conn) override; void AddExtraAnalyzers(Connection* conn) override;
protected: protected:


@ -14,8 +14,7 @@ public:
{ {
AddComponent(new zeek::packet_analysis::Component("UDP", AddComponent(new zeek::packet_analysis::Component("UDP",
zeek::packet_analysis::UDP::UDPAnalyzer::Instantiate)); zeek::packet_analysis::UDP::UDPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("UDP", AddComponent(new zeek::analyzer::Component("UDP", nullptr, 0, true, false, true));
zeek::packet_analysis::UDP::UDPSessionAdapter::Instantiate));
zeek::plugin::Configuration config; zeek::plugin::Configuration config;
config.name = "Zeek::UDP"; config.name = "Zeek::UDP";


@ -13,11 +13,6 @@ public:
UDPSessionAdapter(Connection* conn) : UDPSessionAdapter(Connection* conn) :
IP::SessionAdapter("UDP", conn) { } IP::SessionAdapter("UDP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new UDPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override; void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override; void UpdateConnVal(RecordVal* conn_val) override;


@ -66,6 +66,10 @@ void Component::Describe(ODesc* d) const
d->Add("Packet Dumper"); d->Add("Packet Dumper");
break; break;
case component::SESSION_ADAPTER:
d->Add("Session Adapter");
break;
default: default:
reporter->InternalWarning("unknown component type in plugin::Component::Describe"); reporter->InternalWarning("unknown component type in plugin::Component::Describe");
d->Add("<unknown component type>"); d->Add("<unknown component type>");


@ -23,7 +23,8 @@ enum Type {
FILE_ANALYZER, /// A file analyzer. FILE_ANALYZER, /// A file analyzer.
IOSOURCE, /// An I/O source, excluding packet sources. IOSOURCE, /// An I/O source, excluding packet sources.
PKTSRC, /// A packet source. PKTSRC, /// A packet source.
PKTDUMPER /// A packet dumper. PKTDUMPER, /// A packet dumper.
SESSION_ADAPTER, /// A session adapter analyzer.
}; };
} // namespace component } // namespace component