diff --git a/src/Sessions.cc b/src/Sessions.cc index 1b375b0e09..79014f2808 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -22,8 +22,6 @@ #include "analyzer/protocol/stepping-stone/SteppingStone.h" #include "analyzer/protocol/stepping-stone/events.bif.h" -#include "analyzer/protocol/arp/ARP.h" -#include "analyzer/protocol/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" @@ -33,6 +31,8 @@ #include "iosource/IOSource.h" #include "iosource/PktDumper.h" +#include "pcap.h" + // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server // port or one of these. @@ -96,11 +96,6 @@ NetSessions::NetSessions() else pkt_profiler = nullptr; - if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new analyzer::arp::ARP_Analyzer(); - else - arp_analyzer = nullptr; - memset(&stats, 0, sizeof(SessionStats)); } @@ -108,7 +103,6 @@ NetSessions::~NetSessions() { delete packet_filter; delete pkt_profiler; - Unref(arp_analyzer); delete discarder; delete stp_manager; @@ -178,8 +172,8 @@ void NetSessions::NextPacket(double t, const Packet* pkt) else if ( pkt->l3_proto == L3_ARP ) { - if ( arp_analyzer ) - arp_analyzer->NextPacket(t, pkt); + // Do nothing here as ARP has moved into a packet analyzer + //TODO: Revisit the use of packet's l3_proto } else diff --git a/src/Sessions.h b/src/Sessions.h index fe483ca0b8..8539fe4b0b 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -234,8 +234,6 @@ protected: using IPTunnelMap = std::map; IPTunnelMap ip_tunnels; - analyzer::arp::ARP_Analyzer* arp_analyzer; - analyzer::stepping_stone::SteppingStoneManager* stp_manager; detail::Discarder* discarder; detail::PacketFilter* packet_filter; diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index a6f091fa45..f63d021ccd 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -1,5 +1,4 @@ -add_subdirectory(arp) add_subdirectory(ayiya) add_subdirectory(bittorrent) add_subdirectory(conn-size) diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc deleted file mode 100644 index 3da870ead4..0000000000 --- a/src/analyzer/protocol/arp/ARP.cc +++ /dev/null @@ -1,244 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "ARP.h" -#include "Event.h" -#include "Reporter.h" -#include "Desc.h" - -#include "events.bif.h" - -namespace zeek::analyzer::arp { - -ARP_Analyzer::ARP_Analyzer() - { - } - -ARP_Analyzer::~ARP_Analyzer() - { - } - -// Argh! FreeBSD and Linux have almost completely different net/if_arp.h . -// ... and on Solaris we are missing half of the ARPOP codes, so define -// them here as necessary: - -#ifndef ARPOP_REQUEST -#define ARPOP_REQUEST 1 // ARP request. -#endif -#ifndef ARPOP_REPLY -#define ARPOP_REPLY 2 // ARP reply. -#endif -#ifndef ARPOP_PREQUEST -#define ARPOP_RREQUEST 3 // RARP request. -#endif -#ifndef ARPOP_RREPLY -#define ARPOP_RREPLY 4 // RARP reply. -#endif -#ifndef ARPOP_InREQUEST -#define ARPOP_InREQUEST 8 // InARP request. -#endif -#ifndef ARPOP_InREPLY -#define ARPOP_InREPLY 9 // InARP reply. -#endif -#ifndef ARPOP_NAK -#define ARPOP_NAK 10 // (ATM)ARP NAK. -#endif - -#ifndef ar_sha -#define ar_sha(ap) ((caddr_t((ap)+1)) + 0) -#endif - -#ifndef ar_spa -#define ar_spa(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln) -#endif - -#ifndef ar_tha -#define ar_tha(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln) -#endif - -#ifndef ar_tpa -#define ar_tpa(ap) ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln) -#endif - -#ifndef ARPOP_REVREQUEST -#define ARPOP_REVREQUEST ARPOP_RREQUEST -#endif - -#ifndef ARPOP_REVREPLY -#define ARPOP_REVREPLY ARPOP_RREPLY -#endif - -#ifndef ARPOP_INVREQUEST -#define ARPOP_INVREQUEST ARPOP_InREQUEST -#endif - -#ifndef ARPOP_INVREPLY -#define ARPOP_INVREPLY ARPOP_InREPLY -#endif - - -void ARP_Analyzer::NextPacket(double t, const Packet* pkt) - { - const u_char *data = pkt->data; - // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). - const struct arp_pkthdr* ah = - (const struct arp_pkthdr*) (data + pkt->hdr_size); - - // Check the size. - int min_length = (ar_tpa(ah) - (char*) (data + pkt->hdr_size)) + ah->ar_pln; - int real_length = pkt->cap_len - pkt->hdr_size; - if ( min_length > real_length ) - { - Corrupted("truncated_ARP"); - return; - } - - char errbuf[1024]; - - // Check the address description fields. - switch ( ntohs(ah->ar_hrd) ) { - case ARPHRD_ETHER: - if ( ah->ar_hln != 6 ) - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (hrd=%i, hln=%i)", - ntohs(ah->ar_hrd), ah->ar_hln); - BadARP(ah, errbuf); - return; - } - break; - - default: - { // don't know how to proceed - snprintf(errbuf, sizeof(errbuf), - "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); - BadARP(ah, errbuf); - return; - } - } - - // ### Note, we don't support IPv6 addresses yet. - switch ( ntohs(ah->ar_pro) ) { - case ETHERTYPE_IP: - if ( ah->ar_pln != 4 ) - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (pro=%i, pln=%i)", - ntohs(ah->ar_pro), ah->ar_pln); - BadARP(ah, errbuf); - return; - } - break; - - default: - { // don't know how to proceed - snprintf(errbuf, sizeof(errbuf), - "unknown-arp-proto-address (pro=%i)", - ntohs(ah->ar_pro)); - BadARP(ah, errbuf); - return; - } - } - - - // Check MAC src address = ARP sender MAC address. - if ( memcmp(pkt->l2_src, ar_sha(ah), ah->ar_hln) ) - { - BadARP(ah, "weird-arp-sha"); - return; - } - - // Check the code is supported. - switch ( ntohs(ah->ar_op) ) { - case ARPOP_REQUEST: - RREvent(arp_request, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); - break; - - case ARPOP_REPLY: - RREvent(arp_reply, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); - break; - - case ARPOP_REVREQUEST: - case ARPOP_REVREPLY: - case ARPOP_INVREQUEST: - case ARPOP_INVREPLY: - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); - BadARP(ah, errbuf); - break; - } - - default: - { // invalid opcode - snprintf(errbuf, sizeof(errbuf), - "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); - BadARP(ah, errbuf); - return; - } - } - } - -void ARP_Analyzer::Describe(ODesc* d) const - { - d->Add(""); - d->NL(); - } - -void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg) - { - if ( ! bad_arp ) - return; - - event_mgr.Enqueue(bad_arp, - ToAddrVal(ar_spa(hdr)), - ToEthAddrStr((const u_char*) ar_sha(hdr)), - ToAddrVal(ar_tpa(hdr)), - ToEthAddrStr((const u_char*) ar_tha(hdr)), - make_intrusive(msg)); - } - -void ARP_Analyzer::Corrupted(const char* msg) - { - reporter->Weird(msg); - } - -void ARP_Analyzer::RREvent(EventHandlerPtr e, - const u_char* src, const u_char *dst, - const char* spa, const char* sha, - const char* tpa, const char* tha) - { - if ( ! e ) - return; - - event_mgr.Enqueue(e, - ToEthAddrStr(src), - ToEthAddrStr(dst), - ToAddrVal(spa), - ToEthAddrStr((const u_char*) sha), - ToAddrVal(tpa), - ToEthAddrStr((const u_char*) tha)); - } - -AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) - { return ToAddrVal(addr).release(); } - -AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr) - { - // ### For now, we only handle IPv4 addresses. - return make_intrusive(*(const uint32_t*) addr); - } - -StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr) - { return ToEthAddrStr(addr).release(); } - -StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) - { - char buf[1024]; - snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); - return make_intrusive(buf); - } - -} // namespace zeek::analyzer::arp diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h deleted file mode 100644 index 8d2f1b5fed..0000000000 --- a/src/analyzer/protocol/arp/ARP.h +++ /dev/null @@ -1,66 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include "zeek-config.h" -#include -#include -#include -#include -#include -#ifdef HAVE_NET_ETHERNET_H -#include -#elif defined(HAVE_SYS_ETHERNET_H) -#include -#elif defined(HAVE_NETINET_IF_ETHER_H) -#include -#elif defined(HAVE_NET_ETHERTYPES_H) -#include -#endif - -#ifndef arp_pkthdr -#define arp_pkthdr arphdr -#endif - -#include "NetVar.h" - -ZEEK_FORWARD_DECLARE_NAMESPACED(Packet, zeek); - -extern "C" { -#include -} - -namespace zeek::analyzer::arp { - -class ARP_Analyzer : public Obj { -public: - ARP_Analyzer(); - ~ARP_Analyzer() override; - - void NextPacket(double t, const Packet* pkt); - - void Describe(ODesc* d) const override; - void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst, - const char* spa, const char* sha, - const char* tpa, const char* tha); - -protected: - - [[deprecated("Remove in v4.1. Use ToAddrVal().")]] - AddrVal* ConstructAddrVal(const void* addr); - [[deprecated("Remove in v4.1. Use ToEthAddrStr().")]] - StringVal* EthAddrToStr(const u_char* addr); - - AddrValPtr ToAddrVal(const void* addr); - StringValPtr ToEthAddrStr(const u_char* addr); - void BadARP(const struct arp_pkthdr* hdr, const char* string); - void Corrupted(const char* string); -}; - -} // namespace zeek::analyzer::arp - -namespace analyzer::arp { - -using ARP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::arp::ARP_Analyzer.")]] = zeek::analyzer::arp::ARP_Analyzer; - -} // namespace analyzer::arp diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt deleted file mode 100644 index 0b911b1979..0000000000 --- a/src/analyzer/protocol/arp/CMakeLists.txt +++ /dev/null @@ -1,15 +0,0 @@ - -# This is not an actual analyzer, but used by the core. We still -# maintain it here along with the other analyzers because conceptually -# it's also parsing a protocol just like them. The current structure -# is merely a left-over from when this code was written. - -include(ZeekPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) - -zeek_plugin_begin(Zeek ARP) -zeek_plugin_cc(ARP.cc Plugin.cc) -zeek_plugin_bif(events.bif) -zeek_plugin_end() - diff --git a/src/analyzer/protocol/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc deleted file mode 100644 index 1ff5f08c63..0000000000 --- a/src/analyzer/protocol/arp/Plugin.cc +++ /dev/null @@ -1,18 +0,0 @@ -// See the file in the main distribution directory for copyright. - -#include "plugin/Plugin.h" - -namespace zeek::plugin::detail::Zeek_ARP { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() override - { - zeek::plugin::Configuration config; - config.name = "Zeek::ARP"; - config.description = "ARP Parsing"; - return config; - } -} plugin; - -} // namespace zeek::plugin::detail::Zeek_ARP diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index 681dad1f82..6ece492dce 100644 --- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -1,3 +1,4 @@ + include(ZeekSubdir) include_directories(BEFORE diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 27d71d807d..ae9844be58 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -1,6 +1,20 @@ // See the file "COPYING" in the main distribution directory for copyright. #include "ARP.h" +#include "Event.h" + +#include "events.bif.h" + +#include "zeek-config.h" +#ifdef HAVE_NET_ETHERNET_H +#include +#elif defined(HAVE_SYS_ETHERNET_H) +#include +#elif defined(HAVE_NETINET_IF_ETHER_H) +#include +#elif defined(HAVE_NET_ETHERTYPES_H) +#include +#endif using namespace zeek::packet_analysis::ARP; @@ -9,11 +23,202 @@ ARPAnalyzer::ARPAnalyzer() { } +// Argh! FreeBSD and Linux have almost completely different net/if_arp.h . +// ... and on Solaris we are missing half of the ARPOP codes, so define +// them here as necessary: + +#ifndef ARPOP_REQUEST +#define ARPOP_REQUEST 1 // ARP request. +#endif +#ifndef ARPOP_REPLY +#define ARPOP_REPLY 2 // ARP reply. +#endif +#ifndef ARPOP_PREQUEST +#define ARPOP_RREQUEST 3 // RARP request. +#endif +#ifndef ARPOP_RREPLY +#define ARPOP_RREPLY 4 // RARP reply. +#endif +#ifndef ARPOP_InREQUEST +#define ARPOP_InREQUEST 8 // InARP request. +#endif +#ifndef ARPOP_InREPLY +#define ARPOP_InREPLY 9 // InARP reply. +#endif +#ifndef ARPOP_NAK +#define ARPOP_NAK 10 // (ATM)ARP NAK. +#endif + +#ifndef ar_sha +#define ar_sha(ap) ((caddr_t((ap)+1)) + 0) +#endif + +#ifndef ar_spa +#define ar_spa(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln) +#endif + +#ifndef ar_tha +#define ar_tha(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln) +#endif + +#ifndef ar_tpa +#define ar_tpa(ap) ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln) +#endif + +#ifndef ARPOP_REVREQUEST +#define ARPOP_REVREQUEST ARPOP_RREQUEST +#endif + +#ifndef ARPOP_REVREPLY +#define ARPOP_REVREPLY ARPOP_RREPLY +#endif + +#ifndef ARPOP_INVREQUEST +#define ARPOP_INVREQUEST ARPOP_InREQUEST +#endif + +#ifndef ARPOP_INVREPLY +#define ARPOP_INVREPLY ARPOP_InREPLY +#endif + zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; + // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). + auto ah = (const struct arp_pkthdr*) data; + + // Check the size. + auto min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; + auto pkt_hdr_len = data - packet->data; + auto real_length = packet->cap_len - pkt_hdr_len; + if ( min_length > real_length ) + { + packet->Weird("truncated_ARP"); + return AnalyzerResult::Failed; + } + + // Check the address description fields. + switch ( ntohs(ah->ar_hrd) ) { + case ARPHRD_ETHER: + if ( ah->ar_hln != 6 ) + { + // don't know how to handle the opcode + BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", + ntohs(ah->ar_hrd), ah->ar_hln); + return AnalyzerResult::Failed; + } + break; + + default: + { + // don't know how to proceed + BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); + return AnalyzerResult::Failed; + } + } + + // Note: We don't support IPv6 addresses. + switch ( ntohs(ah->ar_pro) ) { + case ETHERTYPE_IP: + if ( ah->ar_pln != 4 ) + { + // don't know how to handle the opcode + BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)", + ntohs(ah->ar_pro), ah->ar_pln); + return AnalyzerResult::Failed; + } + break; + + default: + { + // don't know how to proceed + BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro)); + return AnalyzerResult::Failed; + } + } + + + // Check MAC src address = ARP sender MAC address. + if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 ) + { + BadARPEvent(ah, "weird-arp-sha"); + return AnalyzerResult::Failed; + } + + // Check the code is supported. + switch ( ntohs(ah->ar_op) ) { + case ARPOP_REQUEST: + RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst, + ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); + break; + + case ARPOP_REPLY: + RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst, + ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); + break; + + case ARPOP_REVREQUEST: + case ARPOP_REVREPLY: + case ARPOP_INVREQUEST: + case ARPOP_INVREPLY: + { + // don't know how to handle the opcode + BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); + return AnalyzerResult::Failed; + } + + default: + { + // invalid opcode + BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); + return AnalyzerResult::Failed; + } + } + + // Leave packet analyzer land return AnalyzerResult::Terminate; } + +zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr) + { + //Note: We only handle IPv4 addresses. + return zeek::make_intrusive(*(const uint32_t*) addr); + } + +zeek::StringValPtr ARPAnalyzer::ToEthAddrStr(const u_char* addr) + { + char buf[1024]; + snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", + addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); + return zeek::make_intrusive(buf); + } + +void ARPAnalyzer::BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...) + { + if ( ! bad_arp ) + return; + + char msg[1024]; + va_list args; + va_start(args, fmt); + vsnprintf(msg, sizeof(msg), fmt, args); + va_end(args); + + event_mgr.Enqueue(bad_arp, + ToAddrVal(ar_spa(hdr)), ToEthAddrStr((const u_char*) ar_sha(hdr)), + ToAddrVal(ar_tpa(hdr)), ToEthAddrStr((const u_char*) ar_tha(hdr)), + zeek::make_intrusive(msg)); + } + +void ARPAnalyzer::RequestReplyEvent(EventHandlerPtr e, const u_char *src, const u_char *dst, + const char *spa, const char *sha, const char *tpa, const char *tha) + { + if ( ! e ) + return; + + event_mgr.Enqueue(e, ToEthAddrStr(src), ToEthAddrStr(dst), + ToAddrVal(spa), ToEthAddrStr((const u_char*) sha), + ToAddrVal(tpa), ToEthAddrStr((const u_char*) tha)); + } diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index a6a7a445c1..b6f590dc9a 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -5,6 +5,12 @@ #include #include +#include + +#ifndef arp_pkthdr +#define arp_pkthdr arphdr +#endif + namespace zeek::packet_analysis::ARP { class ARPAnalyzer : public Analyzer { @@ -18,6 +24,15 @@ public: { return std::make_shared(); } + +private: + zeek::AddrValPtr ToAddrVal(const void* addr); + zeek::StringValPtr ToEthAddrStr(const u_char* addr); + + void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...) + __attribute__((format(printf, 3, 4))); + void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst, + const char* spa, const char* sha, const char* tpa, const char* tha); }; } diff --git a/src/packet_analysis/protocol/arp/CMakeLists.txt b/src/packet_analysis/protocol/arp/CMakeLists.txt index f2a482e4e1..ad3c7f732f 100644 --- a/src/packet_analysis/protocol/arp/CMakeLists.txt +++ b/src/packet_analysis/protocol/arp/CMakeLists.txt @@ -1,8 +1,9 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(PacketAnalyzer ARP) +zeek_plugin_begin(Zeek ARP) zeek_plugin_cc(ARP.cc Plugin.cc) +zeek_plugin_bif(events.bif) zeek_plugin_end() diff --git a/src/analyzer/protocol/arp/events.bif b/src/packet_analysis/protocol/arp/events.bif similarity index 100% rename from src/analyzer/protocol/arp/events.bif rename to src/packet_analysis/protocol/arp/events.bif diff --git a/src/packet_analysis/protocol/ipv6/CMakeLists.txt b/src/packet_analysis/protocol/ipv6/CMakeLists.txt index 566652cc73..f2614beedf 100644 --- a/src/packet_analysis/protocol/ipv6/CMakeLists.txt +++ b/src/packet_analysis/protocol/ipv6/CMakeLists.txt @@ -1,7 +1,7 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer IPv6) zeek_plugin_cc(IPv6.cc Plugin.cc) diff --git a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt index 8476d2524a..8e00b95609 100644 --- a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt +++ b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt @@ -1,7 +1,7 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer LinuxSLL) zeek_plugin_cc(LinuxSLL.cc Plugin.cc) diff --git a/src/packet_analysis/protocol/null/CMakeLists.txt b/src/packet_analysis/protocol/null/CMakeLists.txt index 7a3c062af7..960c1dd031 100644 --- a/src/packet_analysis/protocol/null/CMakeLists.txt +++ b/src/packet_analysis/protocol/null/CMakeLists.txt @@ -1,6 +1,6 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer Null) zeek_plugin_cc(Null.cc Plugin.cc) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 06e46c20d5..fc541cc1b1 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-08-26-12-08-09 +#open 2020-08-28-14-19-59 #fields name #types string scripts/base/init-bare.zeek @@ -91,7 +91,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/cardinality-counter.bif.zeek build/scripts/base/bif/top-k.bif.zeek build/scripts/base/bif/plugins/__load__.zeek - build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek @@ -190,6 +189,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek @@ -212,4 +212,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-08-26-12-08-09 +#close 2020-08-28-14-19-59 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 53c9751365..cb80b86ab0 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-16-59-24 +#open 2020-09-22-17-05-35 #fields name #types string scripts/base/init-bare.zeek @@ -91,7 +91,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/cardinality-counter.bif.zeek build/scripts/base/bif/top-k.bif.zeek build/scripts/base/bif/plugins/__load__.zeek - build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek @@ -190,6 +189,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek @@ -408,4 +408,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-16-59-24 +#close 2020-09-22-17-05-36