Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Move IP Addr/Prefix/Header classes into namespaces

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-07-16 16:26:22 -07:00
parent 35c61697d9
commit 25c0fc7ab2
100 changed files with 495 additions and 460 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/CompHash.cc
View file

@ -817,7 +817,7 @@ const char* CompositeHash::RecoverOneVal(
const uint32_t* const kp = AlignType<uint32_t>(kp0); const uint32_t* const kp = AlignType<uint32_t>(kp0);
kp1 = reinterpret_cast<const char*>(kp+4); kp1 = reinterpret_cast<const char*>(kp+4);
IPAddr addr(IPv6, kp, IPAddr::Network); zeek::IPAddr addr(IPv6, kp, zeek::IPAddr::Network);
switch ( tag ) { switch ( tag ) {
case zeek::TYPE_ADDR: case zeek::TYPE_ADDR:

14
src/Conn.cc
View file

@ -57,7 +57,7 @@ void ConnectionTimer::Dispatch(double t, bool is_expire)
uint64_t Connection::total_connections = 0; uint64_t Connection::total_connections = 0;
uint64_t Connection::current_connections = 0; uint64_t Connection::current_connections = 0;
Connection::Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnID* id, Connection::Connection(NetSessions* s, const zeek::detail::ConnIDKey& k, double t, const ConnID* id,
uint32_t flow, const Packet* pkt, uint32_t flow, const Packet* pkt,
const EncapsulationStack* arg_encap) const EncapsulationStack* arg_encap)
{ {
@ -183,11 +183,11 @@ void Connection::Done()
} }
void Connection::NextPacket(double t, bool is_orig, void Connection::NextPacket(double t, bool is_orig,
const IP_Hdr* ip, int len, int caplen, const zeek::IP_Hdr* ip, int len, int caplen,
const u_char*& data, const u_char*& data,
int& record_packet, int& record_content, int& record_packet, int& record_content,
// arguments for reproducing packets // arguments for reproducing packets
const Packet *pkt) const Packet *pkt)
{ {
current_timestamp = t; current_timestamp = t;
current_pkt = pkt; current_pkt = pkt;
@ -577,7 +577,7 @@ void Connection::CancelTimers()
void Connection::FlipRoles() void Connection::FlipRoles()
{ {
IPAddr tmp_addr = resp_addr; zeek::IPAddr tmp_addr = resp_addr;
resp_addr = orig_addr; resp_addr = orig_addr;
orig_addr = tmp_addr; orig_addr = tmp_addr;

32
src/Conn.h
View file

@ -50,22 +50,22 @@ typedef enum {
typedef void (Connection::*timer_func)(double t); typedef void (Connection::*timer_func)(double t);
struct ConnID { struct ConnID {
IPAddr src_addr; zeek::IPAddr src_addr;
IPAddr dst_addr; zeek::IPAddr dst_addr;
uint32_t src_port; uint32_t src_port;
uint32_t dst_port; uint32_t dst_port;
bool is_one_way; // if true, don't canonicalize order bool is_one_way; // if true, don't canonicalize order
}; };
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, static inline int addr_port_canon_lt(const zeek::IPAddr& addr1, uint32_t p1,
const IPAddr& addr2, uint32_t p2) const zeek::IPAddr& addr2, uint32_t p2)
{ {
return addr1 < addr2 || (addr1 == addr2 && p1 < p2); return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
} }
class Connection final : public zeek::Obj { class Connection final : public zeek::Obj {
public: public:
Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnID* id, Connection(NetSessions* s, const zeek::detail::ConnIDKey& k, double t, const ConnID* id,
uint32_t flow, const Packet* pkt, const EncapsulationStack* arg_encap); uint32_t flow, const Packet* pkt, const EncapsulationStack* arg_encap);
~Connection() override; ~Connection() override;
@ -92,16 +92,16 @@ public:
// be recorded, otherwise just up through the transport header. // be recorded, otherwise just up through the transport header.
// Both are assumed set to true when called. // Both are assumed set to true when called.
void NextPacket(double t, bool is_orig, void NextPacket(double t, bool is_orig,
const IP_Hdr* ip, int len, int caplen, const zeek::IP_Hdr* ip, int len, int caplen,
const u_char*& data, const u_char*& data,
int& record_packet, int& record_content, int& record_packet, int& record_content,
// arguments for reproducing packets // arguments for reproducing packets
const Packet *pkt); const Packet *pkt);
// Keys are only considered valid for a connection when a // Keys are only considered valid for a connection when a
// connection is in the session map. If it is removed, the key // connection is in the session map. If it is removed, the key
// should be marked invalid. // should be marked invalid.
const ConnIDKey& Key() const { return key; } const zeek::detail::ConnIDKey& Key() const { return key; }
void ClearKey() { key_valid = false; } void ClearKey() { key_valid = false; }
bool IsKeyValid() const { return key_valid; } bool IsKeyValid() const { return key_valid; }
@ -110,8 +110,8 @@ public:
double LastTime() const { return last_time; } double LastTime() const { return last_time; }
void SetLastTime(double t) { last_time = t; } void SetLastTime(double t) { last_time = t; }
const IPAddr& OrigAddr() const { return orig_addr; } const zeek::IPAddr& OrigAddr() const { return orig_addr; }
const IPAddr& RespAddr() const { return resp_addr; } const zeek::IPAddr& RespAddr() const { return resp_addr; }
uint32_t OrigPort() const { return orig_port; } uint32_t OrigPort() const { return orig_port; }
uint32_t RespPort() const { return resp_port; } uint32_t RespPort() const { return resp_port; }
@ -344,13 +344,13 @@ protected:
void RemoveConnectionTimer(double t); void RemoveConnectionTimer(double t);
NetSessions* sessions; NetSessions* sessions;
ConnIDKey key; zeek::detail::ConnIDKey key;
bool key_valid; bool key_valid;
timer_list timers; timer_list timers;
IPAddr orig_addr; zeek::IPAddr orig_addr;
IPAddr resp_addr; zeek::IPAddr resp_addr;
uint32_t orig_port, resp_port; // in network order uint32_t orig_port, resp_port; // in network order
TransportProto proto; TransportProto proto;
uint32_t orig_flow_label, resp_flow_label; // most recent IPv6 flow labels uint32_t orig_flow_label, resp_flow_label; // most recent IPv6 flow labels

52
src/DNS_Mgr.cc
View file

@ -60,7 +60,7 @@ public:
request_pending() request_pending()
{ } { }
DNS_Mgr_Request(const IPAddr& a) DNS_Mgr_Request(const zeek::IPAddr& a)
: host(), fam(), qtype(), addr(a), request_pending() : host(), fam(), qtype(), addr(a), request_pending()
{ } { }
@ -68,7 +68,7 @@ public:
// Returns nil if this was an address request. // Returns nil if this was an address request.
const char* ReqHost() const { return host; } const char* ReqHost() const { return host; }
const IPAddr& ReqAddr() const { return addr; } const zeek::IPAddr& ReqAddr() const { return addr; }
bool ReqIsTxt() const { return qtype == 16; } bool ReqIsTxt() const { return qtype == 16; }
int MakeRequest(nb_dns_info* nb_dns); int MakeRequest(nb_dns_info* nb_dns);
@ -80,7 +80,7 @@ protected:
char* host; // if non-nil, this is a host request char* host; // if non-nil, this is a host request
int fam; // address family query type for host requests int fam; // address family query type for host requests
int qtype; // Query type int qtype; // Query type
IPAddr addr; zeek::IPAddr addr;
int request_pending; int request_pending;
}; };
@ -106,7 +106,7 @@ int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
class DNS_Mapping { class DNS_Mapping {
public: public:
DNS_Mapping(const char* host, struct hostent* h, uint32_t ttl); DNS_Mapping(const char* host, struct hostent* h, uint32_t ttl);
DNS_Mapping(const IPAddr& addr, struct hostent* h, uint32_t ttl); DNS_Mapping(const zeek::IPAddr& addr, struct hostent* h, uint32_t ttl);
DNS_Mapping(FILE* f); DNS_Mapping(FILE* f);
bool NoMapping() const { return no_mapping; } bool NoMapping() const { return no_mapping; }
@ -116,7 +116,7 @@ public:
// Returns nil if this was an address request. // Returns nil if this was an address request.
const char* ReqHost() const { return req_host; } const char* ReqHost() const { return req_host; }
IPAddr ReqAddr() const { return req_addr; } zeek::IPAddr ReqAddr() const { return req_addr; }
string ReqStr() const string ReqStr() const
{ {
return req_host ? req_host : req_addr.AsString(); return req_host ? req_host : req_addr.AsString();
@ -150,7 +150,7 @@ protected:
void Clear(); void Clear();
char* req_host; char* req_host;
IPAddr req_addr; zeek::IPAddr req_addr;
uint32_t req_ttl; uint32_t req_ttl;
int num_names; int num_names;
@ -158,7 +158,7 @@ protected:
zeek::StringValPtr host_val; zeek::StringValPtr host_val;
int num_addrs; int num_addrs;
IPAddr* addrs; zeek::IPAddr* addrs;
zeek::ListValPtr addrs_val; zeek::ListValPtr addrs_val;
double creation_time; double creation_time;
@ -192,7 +192,7 @@ DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h, uint32_t ttl)
names[0] = copy_string(host); names[0] = copy_string(host);
} }
DNS_Mapping::DNS_Mapping(const IPAddr& addr, struct hostent* h, uint32_t ttl) DNS_Mapping::DNS_Mapping(const zeek::IPAddr& addr, struct hostent* h, uint32_t ttl)
{ {
Init(h); Init(h);
req_addr = addr; req_addr = addr;
@ -231,7 +231,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
if ( is_req_host ) if ( is_req_host )
req_host = copy_string(req_buf); req_host = copy_string(req_buf);
else else
req_addr = IPAddr(req_buf); req_addr = zeek::IPAddr(req_buf);
num_names = 1; num_names = 1;
names = new char*[num_names]; names = new char*[num_names];
@ -239,7 +239,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
if ( num_addrs > 0 ) if ( num_addrs > 0 )
{ {
addrs = new IPAddr[num_addrs]; addrs = new zeek::IPAddr[num_addrs];
for ( int i = 0; i < num_addrs; ++i ) for ( int i = 0; i < num_addrs; ++i )
{ {
@ -253,7 +253,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
if ( newline ) if ( newline )
*newline = '\0'; *newline = '\0';
addrs[i] = IPAddr(buf); addrs[i] = zeek::IPAddr(buf);
} }
} }
else else
@ -336,14 +336,14 @@ void DNS_Mapping::Init(struct hostent* h)
if ( num_addrs > 0 ) if ( num_addrs > 0 )
{ {
addrs = new IPAddr[num_addrs]; addrs = new zeek::IPAddr[num_addrs];
for ( int i = 0; i < num_addrs; ++i ) for ( int i = 0; i < num_addrs; ++i )
if ( h->h_addrtype == AF_INET ) if ( h->h_addrtype == AF_INET )
addrs[i] = IPAddr(IPv4, (uint32_t*)h->h_addr_list[i], addrs[i] = zeek::IPAddr(IPv4, (uint32_t*)h->h_addr_list[i],
IPAddr::Network); zeek::IPAddr::Network);
else if ( h->h_addrtype == AF_INET6 ) else if ( h->h_addrtype == AF_INET6 )
addrs[i] = IPAddr(IPv6, (uint32_t*)h->h_addr_list[i], addrs[i] = zeek::IPAddr(IPv6, (uint32_t*)h->h_addr_list[i],
IPAddr::Network); zeek::IPAddr::Network);
} }
else else
addrs = nullptr; addrs = nullptr;
@ -410,10 +410,10 @@ void DNS_Mgr::InitSource()
// configured to the user's desired address at the time when we need to to // configured to the user's desired address at the time when we need to to
// the lookup. // the lookup.
auto dns_resolver = zeekenv("ZEEK_DNS_RESOLVER"); auto dns_resolver = zeekenv("ZEEK_DNS_RESOLVER");
auto dns_resolver_addr = dns_resolver ? IPAddr(dns_resolver) : IPAddr(); auto dns_resolver_addr = dns_resolver ? zeek::IPAddr(dns_resolver) : zeek::IPAddr();
char err[NB_DNS_ERRSIZE]; char err[NB_DNS_ERRSIZE];
if ( dns_resolver_addr == IPAddr() ) if ( dns_resolver_addr == zeek::IPAddr() )
nb_dns = nb_dns_init(err); nb_dns = nb_dns_init(err);
else else
{ {
@ -477,7 +477,7 @@ static const char* fake_text_lookup_result(const char* name)
return tmp; return tmp;
} }
static const char* fake_addr_lookup_result(const IPAddr& addr) static const char* fake_addr_lookup_result(const zeek::IPAddr& addr)
{ {
static char tmp[128]; static char tmp[128];
snprintf(tmp, sizeof(tmp), "fake_addr_lookup_result_%s", snprintf(tmp, sizeof(tmp), "fake_addr_lookup_result_%s",
@ -542,7 +542,7 @@ zeek::TableValPtr DNS_Mgr::LookupHost(const char* name)
} }
} }
zeek::ValPtr DNS_Mgr::LookupAddr(const IPAddr& addr) zeek::ValPtr DNS_Mgr::LookupAddr(const zeek::IPAddr& addr)
{ {
InitSource(); InitSource();
@ -876,12 +876,12 @@ zeek::ListValPtr DNS_Mgr::AddrListDelta(zeek::ListVal* al1, zeek::ListVal* al2)
for ( int i = 0; i < al1->Length(); ++i ) for ( int i = 0; i < al1->Length(); ++i )
{ {
const IPAddr& al1_i = al1->Idx(i)->AsAddr(); const zeek::IPAddr& al1_i = al1->Idx(i)->AsAddr();
int j; int j;
for ( j = 0; j < al2->Length(); ++j ) for ( j = 0; j < al2->Length(); ++j )
{ {
const IPAddr& al2_j = al2->Idx(j)->AsAddr(); const zeek::IPAddr& al2_j = al2->Idx(j)->AsAddr();
if ( al1_i == al2_j ) if ( al1_i == al2_j )
break; break;
} }
@ -898,7 +898,7 @@ void DNS_Mgr::DumpAddrList(FILE* f, zeek::ListVal* al)
{ {
for ( int i = 0; i < al->Length(); ++i ) for ( int i = 0; i < al->Length(); ++i )
{ {
const IPAddr& al_i = al->Idx(i)->AsAddr(); const zeek::IPAddr& al_i = al->Idx(i)->AsAddr();
fprintf(f, "%s%s", i > 0 ? "," : "", al_i.AsString().c_str()); fprintf(f, "%s%s", i > 0 ? "," : "", al_i.AsString().c_str());
} }
} }
@ -959,7 +959,7 @@ void DNS_Mgr::Save(FILE* f, const HostMap& m)
} }
} }
const char* DNS_Mgr::LookupAddrInCache(const IPAddr& addr) const char* DNS_Mgr::LookupAddrInCache(const zeek::IPAddr& addr)
{ {
AddrMap::iterator it = addr_mappings.find(addr); AddrMap::iterator it = addr_mappings.find(addr);
@ -1043,7 +1043,7 @@ static void resolve_lookup_cb(DNS_Mgr::LookupCallback* callback,
delete callback; delete callback;
} }
void DNS_Mgr::AsyncLookupAddr(const IPAddr& host, LookupCallback* callback) void DNS_Mgr::AsyncLookupAddr(const zeek::IPAddr& host, LookupCallback* callback)
{ {
InitSource(); InitSource();
@ -1209,7 +1209,7 @@ void DNS_Mgr::IssueAsyncRequests()
} }
} }
void DNS_Mgr::CheckAsyncAddrRequest(const IPAddr& addr, bool timeout) void DNS_Mgr::CheckAsyncAddrRequest(const zeek::IPAddr& addr, bool timeout)
{ {
// Note that this code is a mirror of that for CheckAsyncHostRequest. // Note that this code is a mirror of that for CheckAsyncHostRequest.

14
src/DNS_Mgr.h
View file

@ -57,7 +57,7 @@ public:
// a set of addr. // a set of addr.
zeek::TableValPtr LookupHost(const char* host); zeek::TableValPtr LookupHost(const char* host);
zeek::ValPtr LookupAddr(const IPAddr& addr); zeek::ValPtr LookupAddr(const zeek::IPAddr& addr);
// Define the directory where to store the data. // Define the directory where to store the data.
void SetDir(const char* arg_dir) { dir = copy_string(arg_dir); } void SetDir(const char* arg_dir) { dir = copy_string(arg_dir); }
@ -66,7 +66,7 @@ public:
void Resolve(); void Resolve();
bool Save(); bool Save();
const char* LookupAddrInCache(const IPAddr& addr); const char* LookupAddrInCache(const zeek::IPAddr& addr);
zeek::TableValPtr LookupNameInCache(const std::string& name); zeek::TableValPtr LookupNameInCache(const std::string& name);
const char* LookupTextInCache(const std::string& name); const char* LookupTextInCache(const std::string& name);
@ -81,7 +81,7 @@ public:
virtual void Timeout() = 0; virtual void Timeout() = 0;
}; };
void AsyncLookupAddr(const IPAddr& host, LookupCallback* callback); void AsyncLookupAddr(const zeek::IPAddr& host, LookupCallback* callback);
void AsyncLookupName(const std::string& name, LookupCallback* callback); void AsyncLookupName(const std::string& name, LookupCallback* callback);
void AsyncLookupNameText(const std::string& name, LookupCallback* callback); void AsyncLookupNameText(const std::string& name, LookupCallback* callback);
@ -116,7 +116,7 @@ protected:
void DumpAddrList(FILE* f, zeek::ListVal* al); void DumpAddrList(FILE* f, zeek::ListVal* al);
typedef std::map<std::string, std::pair<DNS_Mapping*, DNS_Mapping*> > HostMap; typedef std::map<std::string, std::pair<DNS_Mapping*, DNS_Mapping*> > HostMap;
typedef std::map<IPAddr, DNS_Mapping*> AddrMap; typedef std::map<zeek::IPAddr, DNS_Mapping*> AddrMap;
typedef std::map<std::string, DNS_Mapping*> TextMap; typedef std::map<std::string, DNS_Mapping*> TextMap;
void LoadCache(FILE* f); void LoadCache(FILE* f);
void Save(FILE* f, const AddrMap& m); void Save(FILE* f, const AddrMap& m);
@ -132,7 +132,7 @@ protected:
// Finish the request if we have a result. If not, time it out if // Finish the request if we have a result. If not, time it out if
// requested. // requested.
void CheckAsyncAddrRequest(const IPAddr& addr, bool timeout); void CheckAsyncAddrRequest(const zeek::IPAddr& addr, bool timeout);
void CheckAsyncHostRequest(const char* host, bool timeout); void CheckAsyncHostRequest(const char* host, bool timeout);
void CheckAsyncTextRequest(const char* host, bool timeout); void CheckAsyncTextRequest(const char* host, bool timeout);
@ -162,7 +162,7 @@ protected:
struct AsyncRequest { struct AsyncRequest {
double time; double time;
IPAddr host; zeek::IPAddr host;
std::string name; std::string name;
CallbackList callbacks; CallbackList callbacks;
bool is_txt; bool is_txt;
@ -210,7 +210,7 @@ protected:
}; };
typedef std::map<IPAddr, AsyncRequest*> AsyncRequestAddrMap; typedef std::map<zeek::IPAddr, AsyncRequest*> AsyncRequestAddrMap;
AsyncRequestAddrMap asyncs_addrs; AsyncRequestAddrMap asyncs_addrs;
typedef std::map<std::string, AsyncRequest*> AsyncRequestNameMap; typedef std::map<std::string, AsyncRequest*> AsyncRequestNameMap;

4
src/Desc.cc
View file

@ -178,12 +178,12 @@ void ODesc::Add(double d, bool no_exp)
} }
} }
void ODesc::Add(const IPAddr& addr) void ODesc::Add(const zeek::IPAddr& addr)
{ {
Add(addr.AsString()); Add(addr.AsString());
} }
void ODesc::Add(const IPPrefix& prefix) void ODesc::Add(const zeek::IPPrefix& prefix)
{ {
Add(prefix.AsString()); Add(prefix.AsString());
} }

9
src/Desc.h
View file

@ -23,8 +23,9 @@ typedef enum {
} desc_style; } desc_style;
class BroFile; class BroFile;
class IPAddr;
class IPPrefix; ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
namespace zeek { class Type; } namespace zeek { class Type; }
using BroType [[deprecated("Remove in v4.1. Use zeek::Type instead.")]] = zeek::Type; using BroType [[deprecated("Remove in v4.1. Use zeek::Type instead.")]] = zeek::Type;
@ -87,8 +88,8 @@ public:
void Add(int64_t i); void Add(int64_t i);
void Add(uint64_t u); void Add(uint64_t u);
void Add(double d, bool no_exp=false); void Add(double d, bool no_exp=false);
void Add(const IPAddr& addr); void Add(const zeek::IPAddr& addr);
void Add(const IPPrefix& prefix); void Add(const zeek::IPPrefix& prefix);
// Add s as a counted string. // Add s as a counted string.
void AddCS(const char* s); void AddCS(const char* s);

2
src/Discard.cc
View file

@ -33,7 +33,7 @@ bool Discarder::IsActive()
return check_ip || check_tcp || check_udp || check_icmp; return check_ip || check_tcp || check_udp || check_icmp;
} }
bool Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen) bool Discarder::NextPacket(const zeek::IP_Hdr* ip, int len, int caplen)
{ {
bool discard_packet = false; bool discard_packet = false;

5
src/Discard.h
View file

@ -6,8 +6,7 @@
#include "IntrusivePtr.h" #include "IntrusivePtr.h"
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
@ -22,7 +21,7 @@ public:
bool IsActive(); bool IsActive();
bool NextPacket(const IP_Hdr* ip, int len, int caplen); bool NextPacket(const zeek::IP_Hdr* ip, int len, int caplen);
protected: protected:
zeek::Val* BuildData(const u_char* data, int hdrlen, int len, int caplen); zeek::Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);

14
src/Frag.cc
View file

@ -27,7 +27,7 @@ void FragTimer::Dispatch(double t, bool /* is_expire */)
} }
FragReassembler::FragReassembler(NetSessions* arg_s, FragReassembler::FragReassembler(NetSessions* arg_s,
const IP_Hdr* ip, const u_char* pkt, const zeek::IP_Hdr* ip, const u_char* pkt,
const FragReassemblerKey& k, double t) const FragReassemblerKey& k, double t)
: Reassembler(0, REASSEM_FRAG) : Reassembler(0, REASSEM_FRAG)
{ {
@ -71,7 +71,7 @@ FragReassembler::~FragReassembler()
delete reassembled_pkt; delete reassembled_pkt;
} }
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) void FragReassembler::AddFragment(double t, const zeek::IP_Hdr* ip, const u_char* pkt)
{ {
const struct ip* ip4 = ip->IP4_Hdr(); const struct ip* ip4 = ip->IP4_Hdr();
@ -161,13 +161,13 @@ void FragReassembler::Weird(const char* name) const
if ( version == 4 ) if ( version == 4 )
{ {
IP_Hdr hdr((const ip*)proto_hdr, false); zeek::IP_Hdr hdr((const ip*)proto_hdr, false);
s->Weird(name, &hdr); s->Weird(name, &hdr);
} }
else if ( version == 6 ) else if ( version == 6 )
{ {
IP_Hdr hdr((const ip6_hdr*)proto_hdr, false, proto_hdr_len); zeek::IP_Hdr hdr((const ip6_hdr*)proto_hdr, false, proto_hdr_len);
s->Weird(name, &hdr); s->Weird(name, &hdr);
} }
@ -293,7 +293,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */)
{ {
struct ip* reassem4 = (struct ip*) pkt_start; struct ip* reassem4 = (struct ip*) pkt_start;
reassem4->ip_len = htons(frag_size + proto_hdr_len); reassem4->ip_len = htons(frag_size + proto_hdr_len);
reassembled_pkt = new IP_Hdr(reassem4, true); reassembled_pkt = new zeek::IP_Hdr(reassem4, true);
DeleteTimer(); DeleteTimer();
} }
@ -301,8 +301,8 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */)
{ {
struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start; struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start;
reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40); reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40);
const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto, n); const zeek::IPv6_Hdr_Chain* chain = new zeek::IPv6_Hdr_Chain(reassem6, next_proto, n);
reassembled_pkt = new IP_Hdr(reassem6, true, n, chain); reassembled_pkt = new zeek::IP_Hdr(reassem6, true, n, chain);
DeleteTimer(); DeleteTimer();
} }

14
src/Frag.h
View file

@ -13,28 +13,28 @@
class HashKey; class HashKey;
class NetSessions; class NetSessions;
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
class FragReassembler; class FragReassembler;
class FragTimer; class FragTimer;
typedef void (FragReassembler::*frag_timer_func)(double t); typedef void (FragReassembler::*frag_timer_func)(double t);
using FragReassemblerKey = std::tuple<IPAddr, IPAddr, bro_uint_t>; using FragReassemblerKey = std::tuple<zeek::IPAddr, zeek::IPAddr, bro_uint_t>;
class FragReassembler : public Reassembler { class FragReassembler : public Reassembler {
public: public:
FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt, FragReassembler(NetSessions* s, const zeek::IP_Hdr* ip, const u_char* pkt,
const FragReassemblerKey& k, double t); const FragReassemblerKey& k, double t);
~FragReassembler() override; ~FragReassembler() override;
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt); void AddFragment(double t, const zeek::IP_Hdr* ip, const u_char* pkt);
void Expire(double t); void Expire(double t);
void DeleteTimer(); void DeleteTimer();
void ClearTimer() { expire_timer = nullptr; } void ClearTimer() { expire_timer = nullptr; }
const IP_Hdr* ReassembledPkt() { return reassembled_pkt; } const zeek::IP_Hdr* ReassembledPkt() { return reassembled_pkt; }
const FragReassemblerKey& Key() const { return key; } const FragReassemblerKey& Key() const { return key; }
protected: protected:
@ -43,7 +43,7 @@ protected:
void Weird(const char* name) const; void Weird(const char* name) const;
u_char* proto_hdr; u_char* proto_hdr;
IP_Hdr* reassembled_pkt; zeek::IP_Hdr* reassembled_pkt;
NetSessions* s; NetSessions* s;
uint64_t frag_size; // size of fully reassembled fragment uint64_t frag_size; // size of fully reassembled fragment
FragReassemblerKey key; FragReassemblerKey key;

4
src/IP.cc
View file

@ -49,6 +49,8 @@ static zeek::VectorValPtr BuildOptionsVal(const u_char* data, int len)
return vv; return vv;
} }
namespace zeek {
zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const zeek::RecordValPtr IPv6_Hdr::ToVal(zeek::VectorValPtr chain) const
{ {
zeek::RecordValPtr rv; zeek::RecordValPtr rv;
@ -782,3 +784,5 @@ IPv6_Hdr_Chain* IPv6_Hdr_Chain::Copy(const ip6_hdr* new_hdr) const
return rval; return rval;
} }
} // namespace zeek

34
src/IP.h
View file

@ -16,15 +16,15 @@
#include "IntrusivePtr.h" #include "IntrusivePtr.h"
class IPAddr; ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek);
class FragReassembler;
namespace zeek { namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>; using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
using VectorValPtr = zeek::IntrusivePtr<VectorVal>; using VectorValPtr = zeek::IntrusivePtr<VectorVal>;
}
#ifdef ENABLE_MOBILE_IPV6 #ifdef ENABLE_MOBILE_IPV6
@ -222,14 +222,14 @@ public:
* option as defined by Mobile IPv6 (RFC 6275), then return it, else * option as defined by Mobile IPv6 (RFC 6275), then return it, else
* return the source address in the main IPv6 header. * return the source address in the main IPv6 header.
*/ */
IPAddr SrcAddr() const; zeek::IPAddr SrcAddr() const;
/** /**
* If the chain contains a Routing header with non-zero segments left, * If the chain contains a Routing header with non-zero segments left,
* then return the last address of the first such header, else return * then return the last address of the first such header, else return
* the destination address of the main IPv6 header. * the destination address of the main IPv6 header.
*/ */
IPAddr DstAddr() const; zeek::IPAddr DstAddr() const;
/** /**
* Returns a vector of ip6_ext_hdr RecordVals that includes script-layer * Returns a vector of ip6_ext_hdr RecordVals that includes script-layer
@ -243,7 +243,7 @@ public:
protected: protected:
// for access to protected ctor that changes next header values that // for access to protected ctor that changes next header values that
// point to a fragment // point to a fragment
friend class FragReassembler; friend class ::FragReassembler;
IPv6_Hdr_Chain() = default; IPv6_Hdr_Chain() = default;
@ -287,14 +287,14 @@ protected:
/** /**
* Home Address of the packet's source as defined by Mobile IPv6 (RFC 6275). * Home Address of the packet's source as defined by Mobile IPv6 (RFC 6275).
*/ */
IPAddr* homeAddr = nullptr; zeek::IPAddr* homeAddr = nullptr;
#endif #endif
/** /**
* The final destination address in chain's first Routing header that has * The final destination address in chain's first Routing header that has
* non-zero segments left. * non-zero segments left.
*/ */
IPAddr* finalDst = nullptr; zeek::IPAddr* finalDst = nullptr;
}; };
/** /**
@ -366,19 +366,19 @@ public:
/** /**
* Returns the source address held in the IP header. * Returns the source address held in the IP header.
*/ */
IPAddr IPHeaderSrcAddr() const; zeek::IPAddr IPHeaderSrcAddr() const;
/** /**
* Returns the destination address held in the IP header. * Returns the destination address held in the IP header.
*/ */
IPAddr IPHeaderDstAddr() const; zeek::IPAddr IPHeaderDstAddr() const;
/** /**
* For IPv4 or IPv6 headers that don't contain a Home Address option * For IPv4 or IPv6 headers that don't contain a Home Address option
* (Mobile IPv6, RFC 6275), return source address held in the IP header. * (Mobile IPv6, RFC 6275), return source address held in the IP header.
* For IPv6 headers that contain a Home Address option, return that address. * For IPv6 headers that contain a Home Address option, return that address.
*/ */
IPAddr SrcAddr() const; zeek::IPAddr SrcAddr() const;
/** /**
* For IPv4 or IPv6 headers that don't contain a Routing header with * For IPv4 or IPv6 headers that don't contain a Routing header with
@ -386,7 +386,7 @@ public:
* For IPv6 headers with a Routing header that has non-zero segments left, * For IPv6 headers with a Routing header that has non-zero segments left,
* return the last address in the first such Routing header. * return the last address in the first such Routing header.
*/ */
IPAddr DstAddr() const; zeek::IPAddr DstAddr() const;
/** /**
* Returns a pointer to the payload of the IP packet, usually an * Returns a pointer to the payload of the IP packet, usually an
@ -561,3 +561,13 @@ private:
const IPv6_Hdr_Chain* ip6_hdrs = nullptr; const IPv6_Hdr_Chain* ip6_hdrs = nullptr;
bool del; bool del;
}; };
} // namespace zeek
#ifdef ENABLE_MOBILE_IPV6
using ip6_mobility [[deprecated("Remove in v4.1. Use zeek::ip6_mobility.")]] = zeek::ip6_mobility;
#endif
using IPv6_Hdr [[deprecated("Remove in v4.1. Use zeek::IPv6_Hdr.")]] = zeek::IPv6_Hdr;
using IPv6_Hdr_Chain [[deprecated("Remove in v4.1. Use zeek::IPv6_Hdr_Chain.")]] = zeek::IPv6_Hdr_Chain;
using IP_Hdr [[deprecated("Remove in v4.1. Use zeek::IP_Hdr.")]] = zeek::IP_Hdr;

16
src/IPAddr.cc
View file

@ -12,15 +12,15 @@
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0, constexpr uint8_t zeek::IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0xff, 0xff }; 0, 0, 0xff, 0xff };
const IPAddr IPAddr::v4_unspecified = IPAddr(in4_addr{}); const zeek::IPAddr zeek::IPAddr::v4_unspecified = zeek::IPAddr(in4_addr{});
const IPAddr IPAddr::v6_unspecified = IPAddr(); const zeek::IPAddr zeek::IPAddr::v6_unspecified = zeek::IPAddr();
ConnIDKey BuildConnIDKey(const ConnID& id) zeek::detail::ConnIDKey zeek::detail::BuildConnIDKey(const ConnID& id)
{ {
ConnIDKey key; ConnIDKey key;
@ -47,6 +47,8 @@ ConnIDKey BuildConnIDKey(const ConnID& id)
return key; return key;
} }
namespace zeek {
IPAddr::IPAddr(const zeek::String& s) IPAddr::IPAddr(const zeek::String& s)
{ {
Init(s.CheckString()); Init(s.CheckString());
@ -345,3 +347,5 @@ bool IPPrefix::ConvertString(const char* text, IPPrefix* result)
*result = IPPrefix(ip, len); *result = IPPrefix(ip, len);
return true; return true;
} }
} // namespace zeek

25
src/IPAddr.h
View file

@ -19,6 +19,9 @@ namespace analyzer { class ExpectedConn; }
typedef in_addr in4_addr; typedef in_addr in4_addr;
namespace zeek {
namespace detail {
struct ConnIDKey { struct ConnIDKey {
in6_addr ip1; in6_addr ip1;
in6_addr ip2; in6_addr ip2;
@ -43,6 +46,13 @@ struct ConnIDKey {
} }
}; };
/**
* Returns a map key for a given ConnID.
*/
ConnIDKey BuildConnIDKey(const ConnID& id);
} // namespace detail
/** /**
* Class storing both IPv4 and IPv6 addresses. * Class storing both IPv4 and IPv6 addresses.
*/ */
@ -382,7 +392,7 @@ public:
*/ */
void ConvertToThreadingValue(threading::Value::addr_t* v) const; void ConvertToThreadingValue(threading::Value::addr_t* v) const;
friend ConnIDKey BuildConnIDKey(const ConnID& id); friend detail::ConnIDKey detail::BuildConnIDKey(const ConnID& id);
unsigned int MemoryAllocation() const { return padded_sizeof(*this); } unsigned int MemoryAllocation() const { return padded_sizeof(*this); }
@ -514,11 +524,6 @@ inline void IPAddr::ConvertToThreadingValue(threading::Value::addr_t* v) const
} }
} }
/**
* Returns a map key for a given ConnID.
*/
ConnIDKey BuildConnIDKey(const ConnID& id);
/** /**
* Class storing both IPv4 and IPv6 prefixes * Class storing both IPv4 and IPv6 prefixes
* (i.e., \c 192.168.1.1/16 and \c FD00::/8. * (i.e., \c 192.168.1.1/16 and \c FD00::/8.
@ -721,3 +726,11 @@ private:
IPAddr prefix; // We store it as an address with the non-prefix bits masked out via Mask(). IPAddr prefix; // We store it as an address with the non-prefix bits masked out via Mask().
uint8_t length = 0; // The bit length of the prefix relative to full IPv6 addr. uint8_t length = 0; // The bit length of the prefix relative to full IPv6 addr.
}; };
} // namespace zeek
using ConnIDKey [[deprecated("Remove in v4.1. Use zeek::detail::ConnIDKey.")]] = zeek::detail::ConnIDKey;
using IPAddr [[deprecated("Remove in v4.1. Use zeek::IPAddr.")]] = zeek::IPAddr;
using IPPrefix [[deprecated("Remove in v4.1. Use zeek::IPPrefix.")]] = zeek::IPPrefix;
constexpr auto BuildConnIDKey [[deprecated("Remove in v4.1. Use zeek::detail::BuildConnIDKey.")]] = zeek::detail::BuildConnIDKey;

14
src/PacketFilter.cc
View file

@ -14,7 +14,7 @@ PacketFilter::PacketFilter(bool arg_default)
dst_filter.SetDeleteFunction(PacketFilter::DeleteFilter); dst_filter.SetDeleteFunction(PacketFilter::DeleteFilter);
} }
void PacketFilter::AddSrc(const IPAddr& src, uint32_t tcp_flags, double probability) void PacketFilter::AddSrc(const zeek::IPAddr& src, uint32_t tcp_flags, double probability)
{ {
Filter* f = new Filter; Filter* f = new Filter;
f->tcp_flags = tcp_flags; f->tcp_flags = tcp_flags;
@ -32,7 +32,7 @@ void PacketFilter::AddSrc(zeek::Val* src, uint32_t tcp_flags, double probability
delete prev; delete prev;
} }
void PacketFilter::AddDst(const IPAddr& dst, uint32_t tcp_flags, double probability) void PacketFilter::AddDst(const zeek::IPAddr& dst, uint32_t tcp_flags, double probability)
{ {
Filter* f = new Filter; Filter* f = new Filter;
f->tcp_flags = tcp_flags; f->tcp_flags = tcp_flags;
@ -50,7 +50,7 @@ void PacketFilter::AddDst(zeek::Val* dst, uint32_t tcp_flags, double probability
delete prev; delete prev;
} }
bool PacketFilter::RemoveSrc(const IPAddr& src) bool PacketFilter::RemoveSrc(const zeek::IPAddr& src)
{ {
auto f = static_cast<Filter*>(src_filter.Remove(src, 128)); auto f = static_cast<Filter*>(src_filter.Remove(src, 128));
delete f; delete f;
@ -64,7 +64,7 @@ bool PacketFilter::RemoveSrc(zeek::Val* src)
return f != nullptr; return f != nullptr;
} }
bool PacketFilter::RemoveDst(const IPAddr& dst) bool PacketFilter::RemoveDst(const zeek::IPAddr& dst)
{ {
auto f = static_cast<Filter*>(dst_filter.Remove(dst, 128)); auto f = static_cast<Filter*>(dst_filter.Remove(dst, 128));
delete f; delete f;
@ -78,7 +78,7 @@ bool PacketFilter::RemoveDst(zeek::Val* dst)
return f != nullptr; return f != nullptr;
} }
bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen) bool PacketFilter::Match(const zeek::IP_Hdr* ip, int len, int caplen)
{ {
Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(), 128); Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(), 128);
if ( f ) if ( f )
@ -91,8 +91,8 @@ bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen)
return default_match; return default_match;
} }
bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip, bool PacketFilter::MatchFilter(const Filter& f, const zeek::IP_Hdr& ip,
int len, int caplen) int len, int caplen)
{ {
if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags ) if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
{ {

14
src/PacketFilter.h
View file

@ -5,7 +5,7 @@
#include "IPAddr.h" #include "IPAddr.h"
#include "PrefixTable.h" #include "PrefixTable.h"
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
class PacketFilter { class PacketFilter {
@ -16,20 +16,20 @@ public:
// Drops all packets from a particular source (which may be given // Drops all packets from a particular source (which may be given
// as an AddrVal or a SubnetVal) which hasn't any of TCP flags set // as an AddrVal or a SubnetVal) which hasn't any of TCP flags set
// (TH_*) with the given probability (from 0..MAX_PROB). // (TH_*) with the given probability (from 0..MAX_PROB).
void AddSrc(const IPAddr& src, uint32_t tcp_flags, double probability); void AddSrc(const zeek::IPAddr& src, uint32_t tcp_flags, double probability);
void AddSrc(zeek::Val* src, uint32_t tcp_flags, double probability); void AddSrc(zeek::Val* src, uint32_t tcp_flags, double probability);
void AddDst(const IPAddr& src, uint32_t tcp_flags, double probability); void AddDst(const zeek::IPAddr& src, uint32_t tcp_flags, double probability);
void AddDst(zeek::Val* src, uint32_t tcp_flags, double probability); void AddDst(zeek::Val* src, uint32_t tcp_flags, double probability);
// Removes the filter entry for the given src/dst // Removes the filter entry for the given src/dst
// Returns false if filter doesn not exist. // Returns false if filter doesn not exist.
bool RemoveSrc(const IPAddr& src); bool RemoveSrc(const zeek::IPAddr& src);
bool RemoveSrc(zeek::Val* dst); bool RemoveSrc(zeek::Val* dst);
bool RemoveDst(const IPAddr& dst); bool RemoveDst(const zeek::IPAddr& dst);
bool RemoveDst(zeek::Val* dst); bool RemoveDst(zeek::Val* dst);
// Returns true if packet matches a drop filter // Returns true if packet matches a drop filter
bool Match(const IP_Hdr* ip, int len, int caplen); bool Match(const zeek::IP_Hdr* ip, int len, int caplen);
private: private:
struct Filter { struct Filter {
@ -39,7 +39,7 @@ private:
static void DeleteFilter(void* data); static void DeleteFilter(void* data);
bool MatchFilter(const Filter& f, const IP_Hdr& ip, int len, int caplen); bool MatchFilter(const Filter& f, const zeek::IP_Hdr& ip, int len, int caplen);
bool default_match; bool default_match;
PrefixTable src_filter; PrefixTable src_filter;

18
src/PrefixTable.cc
View file

@ -2,7 +2,7 @@
#include "Reporter.h" #include "Reporter.h"
#include "Val.h" #include "Val.h"
prefix_t* PrefixTable::MakePrefix(const IPAddr& addr, int width) prefix_t* PrefixTable::MakePrefix(const zeek::IPAddr& addr, int width)
{ {
prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t)); prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
@ -14,12 +14,12 @@ prefix_t* PrefixTable::MakePrefix(const IPAddr& addr, int width)
return prefix; return prefix;
} }
IPPrefix PrefixTable::PrefixToIPPrefix(prefix_t* prefix) zeek::IPPrefix PrefixTable::PrefixToIPPrefix(prefix_t* prefix)
{ {
return IPPrefix(IPAddr(IPv6, reinterpret_cast<const uint32_t*>(&prefix->add.sin6), IPAddr::Network), prefix->bitlen, true); return zeek::IPPrefix(zeek::IPAddr(IPv6, reinterpret_cast<const uint32_t*>(&prefix->add.sin6), zeek::IPAddr::Network), prefix->bitlen, true);
} }
void* PrefixTable::Insert(const IPAddr& addr, int width, void* data) void* PrefixTable::Insert(const zeek::IPAddr& addr, int width, void* data)
{ {
prefix_t* prefix = MakePrefix(addr, width); prefix_t* prefix = MakePrefix(addr, width);
patricia_node_t* node = patricia_lookup(tree, prefix); patricia_node_t* node = patricia_lookup(tree, prefix);
@ -63,9 +63,9 @@ void* PrefixTable::Insert(const zeek::Val* value, void* data)
} }
} }
std::list<std::tuple<IPPrefix,void*>> PrefixTable::FindAll(const IPAddr& addr, int width) const std::list<std::tuple<zeek::IPPrefix,void*>> PrefixTable::FindAll(const zeek::IPAddr& addr, int width) const
{ {
std::list<std::tuple<IPPrefix,void*>> out; std::list<std::tuple<zeek::IPPrefix,void*>> out;
prefix_t* prefix = MakePrefix(addr, width); prefix_t* prefix = MakePrefix(addr, width);
int elems = 0; int elems = 0;
@ -81,12 +81,12 @@ std::list<std::tuple<IPPrefix,void*>> PrefixTable::FindAll(const IPAddr& addr, i
return out; return out;
} }
std::list<std::tuple<IPPrefix,void*>> PrefixTable::FindAll(const zeek::SubNetVal* value) const std::list<std::tuple<zeek::IPPrefix,void*>> PrefixTable::FindAll(const zeek::SubNetVal* value) const
{ {
return FindAll(value->AsSubNet().Prefix(), value->AsSubNet().LengthIPv6()); return FindAll(value->AsSubNet().Prefix(), value->AsSubNet().LengthIPv6());
} }
void* PrefixTable::Lookup(const IPAddr& addr, int width, bool exact) const void* PrefixTable::Lookup(const zeek::IPAddr& addr, int width, bool exact) const
{ {
prefix_t* prefix = MakePrefix(addr, width); prefix_t* prefix = MakePrefix(addr, width);
patricia_node_t* node = patricia_node_t* node =
@ -124,7 +124,7 @@ void* PrefixTable::Lookup(const zeek::Val* value, bool exact) const
} }
} }
void* PrefixTable::Remove(const IPAddr& addr, int width) void* PrefixTable::Remove(const zeek::IPAddr& addr, int width)
{ {
prefix_t* prefix = MakePrefix(addr, width); prefix_t* prefix = MakePrefix(addr, width);
patricia_node_t* node = patricia_search_exact(tree, prefix); patricia_node_t* node = patricia_search_exact(tree, prefix);

14
src/PrefixTable.h
View file

@ -27,7 +27,7 @@ public:
// Addr in network byte order. If data is zero, acts like a set. // Addr in network byte order. If data is zero, acts like a set.
// Returns ptr to old data if already existing. // Returns ptr to old data if already existing.
// For existing items without data, returns non-nil if found. // For existing items without data, returns non-nil if found.
void* Insert(const IPAddr& addr, int width, void* data = nullptr); void* Insert(const zeek::IPAddr& addr, int width, void* data = nullptr);
// Value may be addr or subnet. // Value may be addr or subnet.
void* Insert(const zeek::Val* value, void* data = nullptr); void* Insert(const zeek::Val* value, void* data = nullptr);
@ -35,15 +35,15 @@ public:
// Returns nil if not found, pointer to data otherwise. // Returns nil if not found, pointer to data otherwise.
// For items without data, returns non-nil if found. // For items without data, returns non-nil if found.
// If exact is false, performs exact rather than longest-prefix match. // If exact is false, performs exact rather than longest-prefix match.
void* Lookup(const IPAddr& addr, int width, bool exact = false) const; void* Lookup(const zeek::IPAddr& addr, int width, bool exact = false) const;
void* Lookup(const zeek::Val* value, bool exact = false) const; void* Lookup(const zeek::Val* value, bool exact = false) const;
// Returns list of all found matches or empty list otherwise. // Returns list of all found matches or empty list otherwise.
std::list<std::tuple<IPPrefix,void*>> FindAll(const IPAddr& addr, int width) const; std::list<std::tuple<zeek::IPPrefix, void*>> FindAll(const zeek::IPAddr& addr, int width) const;
std::list<std::tuple<IPPrefix,void*>> FindAll(const zeek::SubNetVal* value) const; std::list<std::tuple<zeek::IPPrefix, void*>> FindAll(const zeek::SubNetVal* value) const;
// Returns pointer to data or nil if not found. // Returns pointer to data or nil if not found.
void* Remove(const IPAddr& addr, int width); void* Remove(const zeek::IPAddr& addr, int width);
void* Remove(const zeek::Val* value); void* Remove(const zeek::Val* value);
void Clear() { Clear_Patricia(tree, delete_function); } void Clear() { Clear_Patricia(tree, delete_function); }
@ -55,8 +55,8 @@ public:
void* GetNext(iterator* i); void* GetNext(iterator* i);
private: private:
static prefix_t* MakePrefix(const IPAddr& addr, int width); static prefix_t* MakePrefix(const zeek::IPAddr& addr, int width);
static IPPrefix PrefixToIPPrefix(prefix_t* p); static zeek::IPPrefix PrefixToIPPrefix(prefix_t* p);
patricia_tree_t* tree; patricia_tree_t* tree;
data_fn_t delete_function; data_fn_t delete_function;

8
src/Reporter.cc
View file

@ -260,7 +260,7 @@ public:
class FlowWeirdTimer final : public Timer { class FlowWeirdTimer final : public Timer {
public: public:
using IPPair = std::pair<IPAddr, IPAddr>; using IPPair = std::pair<zeek::IPAddr, zeek::IPAddr>;
FlowWeirdTimer(double t, IPPair p, double timeout) FlowWeirdTimer(double t, IPPair p, double timeout)
: Timer(t + timeout, TIMER_FLOW_WEIRD_EXPIRE), endpoints(std::move(p)) : Timer(t + timeout, TIMER_FLOW_WEIRD_EXPIRE), endpoints(std::move(p))
@ -292,7 +292,7 @@ void Reporter::ResetNetWeird(const std::string& name)
net_weird_state.erase(name); net_weird_state.erase(name);
} }
void Reporter::ResetFlowWeird(const IPAddr& orig, const IPAddr& resp) void Reporter::ResetFlowWeird(const zeek::IPAddr& orig, const zeek::IPAddr& resp)
{ {
flow_weird_state.erase(std::make_pair(orig, resp)); flow_weird_state.erase(std::make_pair(orig, resp));
} }
@ -322,7 +322,7 @@ bool Reporter::PermitNetWeird(const char* name)
} }
bool Reporter::PermitFlowWeird(const char* name, bool Reporter::PermitFlowWeird(const char* name,
const IPAddr& orig, const IPAddr& resp) const zeek::IPAddr& orig, const zeek::IPAddr& resp)
{ {
auto endpoints = std::make_pair(orig, resp); auto endpoints = std::make_pair(orig, resp);
auto& map = flow_weird_state[endpoints]; auto& map = flow_weird_state[endpoints];
@ -432,7 +432,7 @@ void Reporter::Weird(zeek::RecordValPtr conn_id, zeek::StringValPtr uid,
"%s", name); "%s", name);
} }
void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl) void Reporter::Weird(const zeek::IPAddr& orig, const zeek::IPAddr& resp, const char* name, const char* addl)
{ {
UpdateWeirdStats(name); UpdateWeirdStats(name);

13
src/Reporter.h
View file

@ -30,6 +30,7 @@ using StringValPtr = zeek::IntrusivePtr<StringVal>;
} }
ZEEK_FORWARD_DECLARE_NAMESPACED(Location, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(Location, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
// One cannot raise this exception directly, go through the // One cannot raise this exception directly, go through the
// Reporter's methods instead. // Reporter's methods instead.
@ -46,16 +47,14 @@ protected:
InterpreterException() {} InterpreterException() {}
}; };
class IPAddr;
ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(Expr, zeek::detail);
#define FMT_ATTR __attribute__((format(printf, 2, 3))) // sic! 1st is "this" I guess. #define FMT_ATTR __attribute__((format(printf, 2, 3))) // sic! 1st is "this" I guess.
class Reporter { class Reporter {
public: public:
using IPPair = std::pair<IPAddr, IPAddr>; using IPPair = std::pair<zeek::IPAddr, zeek::IPAddr>;
using ConnTuple = std::tuple<IPAddr, IPAddr, uint32_t, uint32_t, TransportProto>; using ConnTuple = std::tuple<zeek::IPAddr, zeek::IPAddr, uint32_t, uint32_t, TransportProto>;
using WeirdCountMap = std::unordered_map<std::string, uint64_t>; using WeirdCountMap = std::unordered_map<std::string, uint64_t>;
using WeirdFlowMap = std::map<IPPair, WeirdCountMap>; using WeirdFlowMap = std::map<IPPair, WeirdCountMap>;
using WeirdConnTupleMap = std::map<ConnTuple, WeirdCountMap>; using WeirdConnTupleMap = std::map<ConnTuple, WeirdCountMap>;
@ -104,7 +103,7 @@ public:
void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird().
void Weird(zeek::RecordValPtr conn_id, zeek::StringValPtr uid, void Weird(zeek::RecordValPtr conn_id, zeek::StringValPtr uid,
const char* name, const char* addl = ""); // Raises expired_conn_weird(). const char* name, const char* addl = ""); // Raises expired_conn_weird().
void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl = ""); // Raises flow_weird(). void Weird(const zeek::IPAddr& orig, const zeek::IPAddr& resp, const char* name, const char* addl = ""); // Raises flow_weird().
// Syslog a message. This methods does nothing if we're running // Syslog a message. This methods does nothing if we're running
// offline from a trace. // offline from a trace.
@ -155,7 +154,7 @@ public:
/** /**
* Reset/cleanup state tracking for a "flow" weird. * Reset/cleanup state tracking for a "flow" weird.
*/ */
void ResetFlowWeird(const IPAddr& orig, const IPAddr& resp); void ResetFlowWeird(const zeek::IPAddr& orig, const zeek::IPAddr& resp);
/** /**
* Reset/cleanup state tracking for a "expired conn" weird. * Reset/cleanup state tracking for a "expired conn" weird.
@ -274,7 +273,7 @@ private:
inline bool WeirdOnSamplingWhiteList(const char* name) inline bool WeirdOnSamplingWhiteList(const char* name)
{ return weird_sampling_whitelist.find(name) != weird_sampling_whitelist.end(); } { return weird_sampling_whitelist.find(name) != weird_sampling_whitelist.end(); }
bool PermitNetWeird(const char* name); bool PermitNetWeird(const char* name);
bool PermitFlowWeird(const char* name, const IPAddr& o, const IPAddr& r); bool PermitFlowWeird(const char* name, const zeek::IPAddr& o, const zeek::IPAddr& r);
bool PermitExpiredConnWeird(const char* name, const zeek::RecordVal& conn_id); bool PermitExpiredConnWeird(const char* name, const zeek::RecordVal& conn_id);
bool EmitToStderr(bool flag) bool EmitToStderr(bool flag)

40
src/RuleMatcher.cc
View file

@ -61,7 +61,7 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, uint32_t arg_offset, uint32_t arg_size,
level = 0; level = 0;
} }
RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v) RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<zeek::IPPrefix> arg_v)
{ {
prot = arg_prot; prot = arg_prot;
offset = 0; offset = 0;
@ -503,12 +503,12 @@ static inline bool match_or(const maskedvalue_list& mvals, uint32_t v, FuncT com
// Evaluate a prefix list (matches if at least one value matches). // Evaluate a prefix list (matches if at least one value matches).
template <typename FuncT> template <typename FuncT>
static inline bool match_or(const vector<IPPrefix>& prefixes, const IPAddr& a, static inline bool match_or(const vector<zeek::IPPrefix>& prefixes, const zeek::IPAddr& a,
FuncT comp) FuncT comp)
{ {
for ( size_t i = 0; i < prefixes.size(); ++i ) for ( size_t i = 0; i < prefixes.size(); ++i )
{ {
IPAddr masked(a); zeek::IPAddr masked(a);
masked.Mask(prefixes[i].LengthIPv6()); masked.Mask(prefixes[i].LengthIPv6());
if ( comp(masked, prefixes[i].Prefix()) ) if ( comp(masked, prefixes[i].Prefix()) )
return true; return true;
@ -532,12 +532,12 @@ static inline bool match_not_and(const maskedvalue_list& mvals, uint32_t v,
// Evaluate a prefix list (doesn't match if any value matches). // Evaluate a prefix list (doesn't match if any value matches).
template <typename FuncT> template <typename FuncT>
static inline bool match_not_and(const vector<IPPrefix>& prefixes, static inline bool match_not_and(const vector<zeek::IPPrefix>& prefixes,
const IPAddr& a, FuncT comp) const zeek::IPAddr& a, FuncT comp)
{ {
for ( size_t i = 0; i < prefixes.size(); ++i ) for ( size_t i = 0; i < prefixes.size(); ++i )
{ {
IPAddr masked(a); zeek::IPAddr masked(a);
masked.Mask(prefixes[i].LengthIPv6()); masked.Mask(prefixes[i].LengthIPv6());
if ( comp(masked, prefixes[i].Prefix()) ) if ( comp(masked, prefixes[i].Prefix()) )
return false; return false;
@ -580,32 +580,32 @@ static inline bool compare(const maskedvalue_list& mvals, uint32_t v,
return false; return false;
} }
static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a, static inline bool compare(const vector<zeek::IPPrefix>& prefixes, const zeek::IPAddr& a,
RuleHdrTest::Comp comp) RuleHdrTest::Comp comp)
{ {
switch ( comp ) { switch ( comp ) {
case RuleHdrTest::EQ: case RuleHdrTest::EQ:
return match_or(prefixes, a, std::equal_to<IPAddr>()); return match_or(prefixes, a, std::equal_to<zeek::IPAddr>());
break; break;
case RuleHdrTest::NE: case RuleHdrTest::NE:
return match_not_and(prefixes, a, std::equal_to<IPAddr>()); return match_not_and(prefixes, a, std::equal_to<zeek::IPAddr>());
break; break;
case RuleHdrTest::LT: case RuleHdrTest::LT:
return match_or(prefixes, a, std::less<IPAddr>()); return match_or(prefixes, a, std::less<zeek::IPAddr>());
break; break;
case RuleHdrTest::GT: case RuleHdrTest::GT:
return match_or(prefixes, a, std::greater<IPAddr>()); return match_or(prefixes, a, std::greater<zeek::IPAddr>());
break; break;
case RuleHdrTest::LE: case RuleHdrTest::LE:
return match_or(prefixes, a, std::less_equal<IPAddr>()); return match_or(prefixes, a, std::less_equal<zeek::IPAddr>());
break; break;
case RuleHdrTest::GE: case RuleHdrTest::GE:
return match_or(prefixes, a, std::greater_equal<IPAddr>()); return match_or(prefixes, a, std::greater_equal<zeek::IPAddr>());
break; break;
default: default:
@ -737,9 +737,9 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
} }
RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer, RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
const IP_Hdr* ip, int caplen, const zeek::IP_Hdr* ip, int caplen,
RuleEndpointState* opposite, RuleEndpointState* opposite,
bool from_orig, analyzer::pia::PIA* pia) bool from_orig, analyzer::pia::PIA* pia)
{ {
RuleEndpointState* state = RuleEndpointState* state =
new RuleEndpointState(analyzer, from_orig, opposite, pia); new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -1289,7 +1289,7 @@ static zeek::Val* get_bro_val(const char* label)
// if the prefix_vector param isn't null, appending to that is preferred // if the prefix_vector param isn't null, appending to that is preferred
// over appending to the masked val list. // over appending to the masked val list.
static bool val_to_maskedval(zeek::Val* v, maskedvalue_list* append_to, static bool val_to_maskedval(zeek::Val* v, maskedvalue_list* append_to,
vector<IPPrefix>* prefix_vector) vector<zeek::IPPrefix>* prefix_vector)
{ {
MaskedValue* mval = new MaskedValue; MaskedValue* mval = new MaskedValue;
@ -1356,7 +1356,7 @@ static bool val_to_maskedval(zeek::Val* v, maskedvalue_list* append_to,
} }
void id_to_maskedvallist(const char* id, maskedvalue_list* append_to, void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
vector<IPPrefix>* prefix_vector) vector<zeek::IPPrefix>* prefix_vector)
{ {
zeek::Val* v = get_bro_val(id); zeek::Val* v = get_bro_val(id);
if ( ! v ) if ( ! v )
@ -1417,8 +1417,8 @@ uint32_t id_to_uint(const char* id)
return 0; return 0;
} }
void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip, void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia) int caplen, bool from_orig, analyzer::pia::PIA* pia)
{ {
if ( ! rule_matcher ) if ( ! rule_matcher )
return; return;

19
src/RuleMatcher.h
View file

@ -29,13 +29,13 @@ extern const char* current_rule_file;
class BroFile; class BroFile;
class IntSet; class IntSet;
class IP_Hdr;
class IPPrefix;
class RE_Match_State; class RE_Match_State;
class Specific_RE_Matcher; class Specific_RE_Matcher;
class RuleMatcher; class RuleMatcher;
extern RuleMatcher* rule_matcher; extern RuleMatcher* rule_matcher;
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer); ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
@ -63,7 +63,7 @@ using bstr_list = zeek::PList<zeek::String>;
// Get values from Bro's script-level variables. // Get values from Bro's script-level variables.
extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to, extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
std::vector<IPPrefix>* prefix_vector = nullptr); std::vector<zeek::IPPrefix>* prefix_vector = nullptr);
extern char* id_to_str(const char* id); extern char* id_to_str(const char* id);
extern uint32_t id_to_uint(const char* id); extern uint32_t id_to_uint(const char* id);
@ -75,7 +75,7 @@ public:
RuleHdrTest(Prot arg_prot, uint32_t arg_offset, uint32_t arg_size, RuleHdrTest(Prot arg_prot, uint32_t arg_offset, uint32_t arg_size,
Comp arg_comp, maskedvalue_list* arg_vals); Comp arg_comp, maskedvalue_list* arg_vals);
RuleHdrTest(Prot arg_prot, Comp arg_comp, std::vector<IPPrefix> arg_v); RuleHdrTest(Prot arg_prot, Comp arg_comp, std::vector<zeek::IPPrefix> arg_v);
~RuleHdrTest(); ~RuleHdrTest();
void PrintDebug(); void PrintDebug();
@ -92,7 +92,7 @@ private:
Prot prot; Prot prot;
Comp comp; Comp comp;
maskedvalue_list* vals; maskedvalue_list* vals;
std::vector<IPPrefix> prefix_vals; // for use with IPSrc/IPDst comparisons std::vector<zeek::IPPrefix> prefix_vals; // for use with IPSrc/IPDst comparisons
uint32_t offset; uint32_t offset;
uint32_t size; uint32_t size;
@ -263,8 +263,9 @@ public:
// the given packet (which should be the first packet encountered for // the given packet (which should be the first packet encountered for
// this endpoint). If the matching is triggered by an PIA, a pointer to // this endpoint). If the matching is triggered by an PIA, a pointer to
// it needs to be given. // it needs to be given.
RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip, RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia); int caplen, RuleEndpointState* opposite, bool is_orig,
analyzer::pia::PIA* pia);
// Finish matching for this stream. // Finish matching for this stream.
void FinishEndpoint(RuleEndpointState* state); void FinishEndpoint(RuleEndpointState* state);
@ -372,8 +373,8 @@ public:
{ delete orig_match_state; delete resp_match_state; } { delete orig_match_state; delete resp_match_state; }
// ip may be nil. // ip may be nil.
void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const IP_Hdr* ip, void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
int caplen, bool from_orig, analyzer::pia::PIA* pia = nullptr); int caplen, bool from_orig, analyzer::pia::PIA* pia = nullptr);
// bol/eol should be set to false for type Rule::PAYLOAD; they're // bol/eol should be set to false for type Rule::PAYLOAD; they're
// deduced automatically. // deduced automatically.

16
src/SerializationFormat.cc
View file

@ -234,7 +234,7 @@ bool BinarySerializationFormat::Read(std::string* v, const char* tag)
return true; return true;
} }
bool BinarySerializationFormat::Read(IPAddr* addr, const char* tag) bool BinarySerializationFormat::Read(zeek::IPAddr* addr, const char* tag)
{ {
int n = 0; int n = 0;
if ( ! Read(&n, "addr-len") ) if ( ! Read(&n, "addr-len") )
@ -254,22 +254,22 @@ bool BinarySerializationFormat::Read(IPAddr* addr, const char* tag)
} }
if ( n == 1 ) if ( n == 1 )
*addr = IPAddr(IPv4, raw, IPAddr::Network); *addr = zeek::IPAddr(IPv4, raw, zeek::IPAddr::Network);
else else
*addr = IPAddr(IPv6, raw, IPAddr::Network); *addr = zeek::IPAddr(IPv6, raw, zeek::IPAddr::Network);
return true; return true;
} }
bool BinarySerializationFormat::Read(IPPrefix* prefix, const char* tag) bool BinarySerializationFormat::Read(zeek::IPPrefix* prefix, const char* tag)
{ {
IPAddr addr; zeek::IPAddr addr;
int len; int len;
if ( ! (Read(&addr, "prefix") && Read(&len, "width")) ) if ( ! (Read(&addr, "prefix") && Read(&len, "width")) )
return false; return false;
*prefix = IPPrefix(addr, len); *prefix = zeek::IPPrefix(addr, len);
return true; return true;
} }
@ -368,7 +368,7 @@ bool BinarySerializationFormat::Write(const std::string& s, const char* tag)
return Write(s.data(), s.size(), tag); return Write(s.data(), s.size(), tag);
} }
bool BinarySerializationFormat::Write(const IPAddr& addr, const char* tag) bool BinarySerializationFormat::Write(const zeek::IPAddr& addr, const char* tag)
{ {
const uint32_t* raw; const uint32_t* raw;
int n = addr.GetBytes(&raw); int n = addr.GetBytes(&raw);
@ -387,7 +387,7 @@ bool BinarySerializationFormat::Write(const IPAddr& addr, const char* tag)
return true; return true;
} }
bool BinarySerializationFormat::Write(const IPPrefix& prefix, const char* tag) bool BinarySerializationFormat::Write(const zeek::IPPrefix& prefix, const char* tag)
{ {
return Write(prefix.Prefix(), "prefix") && Write(prefix.Length(), "width"); return Write(prefix.Prefix(), "prefix") && Write(prefix.Length(), "width");
} }

23
src/SerializationFormat.h
View file

@ -2,12 +2,13 @@
#pragma once #pragma once
#include <string> #include "zeek-config.h"
#include <string>
#include <stdint.h> #include <stdint.h>
class IPAddr; ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
class IPPrefix; ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
// Abstract base class. // Abstract base class.
class SerializationFormat { class SerializationFormat {
@ -28,8 +29,8 @@ public:
virtual bool Read(bool* v, const char* tag) = 0; virtual bool Read(bool* v, const char* tag) = 0;
virtual bool Read(double* d, const char* tag) = 0; virtual bool Read(double* d, const char* tag) = 0;
virtual bool Read(std::string* s, const char* tag) = 0; virtual bool Read(std::string* s, const char* tag) = 0;
virtual bool Read(IPAddr* addr, const char* tag) = 0; virtual bool Read(zeek::IPAddr* addr, const char* tag) = 0;
virtual bool Read(IPPrefix* prefix, const char* tag) = 0; virtual bool Read(zeek::IPPrefix* prefix, const char* tag) = 0;
virtual bool Read(struct in_addr* addr, const char* tag) = 0; virtual bool Read(struct in_addr* addr, const char* tag) = 0;
virtual bool Read(struct in6_addr* addr, const char* tag) = 0; virtual bool Read(struct in6_addr* addr, const char* tag) = 0;
@ -62,8 +63,8 @@ public:
virtual bool Write(const char* s, const char* tag) = 0; virtual bool Write(const char* s, const char* tag) = 0;
virtual bool Write(const char* buf, int len, const char* tag) = 0; virtual bool Write(const char* buf, int len, const char* tag) = 0;
virtual bool Write(const std::string& s, const char* tag) = 0; virtual bool Write(const std::string& s, const char* tag) = 0;
virtual bool Write(const IPAddr& addr, const char* tag) = 0; virtual bool Write(const zeek::IPAddr& addr, const char* tag) = 0;
virtual bool Write(const IPPrefix& prefix, const char* tag) = 0; virtual bool Write(const zeek::IPPrefix& prefix, const char* tag) = 0;
virtual bool Write(const struct in_addr& addr, const char* tag) = 0; virtual bool Write(const struct in_addr& addr, const char* tag) = 0;
virtual bool Write(const struct in6_addr& addr, const char* tag) = 0; virtual bool Write(const struct in6_addr& addr, const char* tag) = 0;
@ -107,8 +108,8 @@ public:
bool Read(double* d, const char* tag) override; bool Read(double* d, const char* tag) override;
bool Read(char** str, int* len, const char* tag) override; bool Read(char** str, int* len, const char* tag) override;
bool Read(std::string* s, const char* tag) override; bool Read(std::string* s, const char* tag) override;
bool Read(IPAddr* addr, const char* tag) override; bool Read(zeek::IPAddr* addr, const char* tag) override;
bool Read(IPPrefix* prefix, const char* tag) override; bool Read(zeek::IPPrefix* prefix, const char* tag) override;
bool Read(struct in_addr* addr, const char* tag) override; bool Read(struct in_addr* addr, const char* tag) override;
bool Read(struct in6_addr* addr, const char* tag) override; bool Read(struct in6_addr* addr, const char* tag) override;
bool Write(int v, const char* tag) override; bool Write(int v, const char* tag) override;
@ -122,8 +123,8 @@ public:
bool Write(const char* s, const char* tag) override; bool Write(const char* s, const char* tag) override;
bool Write(const char* buf, int len, const char* tag) override; bool Write(const char* buf, int len, const char* tag) override;
bool Write(const std::string& s, const char* tag) override; bool Write(const std::string& s, const char* tag) override;
bool Write(const IPAddr& addr, const char* tag) override; bool Write(const zeek::IPAddr& addr, const char* tag) override;
bool Write(const IPPrefix& prefix, const char* tag) override; bool Write(const zeek::IPPrefix& prefix, const char* tag) override;
bool Write(const struct in_addr& addr, const char* tag) override; bool Write(const struct in_addr& addr, const char* tag) override;
bool Write(const struct in6_addr& addr, const char* tag) override; bool Write(const struct in6_addr& addr, const char* tag) override;
bool WriteOpenTag(const char* tag) override; bool WriteOpenTag(const char* tag) override;

44
src/Sessions.cc
View file

@ -153,7 +153,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
} }
const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size); const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size);
IP_Hdr ip_hdr(ip, false); zeek::IP_Hdr ip_hdr(ip, false);
DoNextPacket(t, pkt, &ip_hdr, nullptr); DoNextPacket(t, pkt, &ip_hdr, nullptr);
} }
@ -165,7 +165,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
return; return;
} }
IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt->data + pkt->hdr_size), false, caplen); zeek::IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt->data + pkt->hdr_size), false, caplen);
DoNextPacket(t, pkt, &ip_hdr, nullptr); DoNextPacket(t, pkt, &ip_hdr, nullptr);
} }
@ -211,8 +211,8 @@ static unsigned int gre_header_len(uint16_t flags)
return len; return len;
} }
void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr, void NetSessions::DoNextPacket(double t, const Packet* pkt, const zeek::IP_Hdr* ip_hdr,
const EncapsulationStack* encapsulation) const EncapsulationStack* encapsulation)
{ {
uint32_t caplen = pkt->cap_len - pkt->hdr_size; uint32_t caplen = pkt->cap_len - pkt->hdr_size;
const struct ip* ip4 = ip_hdr->IP4_Hdr(); const struct ip* ip4 = ip_hdr->IP4_Hdr();
@ -298,7 +298,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
else else
{ {
f = NextFragment(t, ip_hdr, pkt->data + pkt->hdr_size); f = NextFragment(t, ip_hdr, pkt->data + pkt->hdr_size);
const IP_Hdr* ih = f->ReassembledPkt(); const zeek::IP_Hdr* ih = f->ReassembledPkt();
if ( ! ih ) if ( ! ih )
// It didn't reassemble into anything yet. // It didn't reassemble into anything yet.
return; return;
@ -591,7 +591,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
return; return;
} }
IP_Hdr* inner = nullptr; zeek::IP_Hdr* inner = nullptr;
if ( gre_version != 0 ) if ( gre_version != 0 )
{ {
@ -659,7 +659,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
return; return;
} }
ConnIDKey key = BuildConnIDKey(id); zeek::detail::ConnIDKey key = zeek::detail::BuildConnIDKey(id);
Connection* conn = nullptr; Connection* conn = nullptr;
// FIXME: The following is getting pretty complex. Need to split up // FIXME: The following is getting pretty complex. Need to split up
@ -739,8 +739,8 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
} }
void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
const IP_Hdr* inner, const EncapsulationStack* prev, const zeek::IP_Hdr* inner, const EncapsulationStack* prev,
const EncapsulatingConn& ec) const EncapsulatingConn& ec)
{ {
uint32_t caplen, len; uint32_t caplen, len;
caplen = len = inner->TotalLen(); caplen = len = inner->TotalLen();
@ -813,7 +813,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
} }
int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
IP_Hdr*& inner) zeek::IP_Hdr*& inner)
{ {
if ( proto == IPPROTO_IPV6 ) if ( proto == IPPROTO_IPV6 )
{ {
@ -821,7 +821,7 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
return -1; return -1;
const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt; const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt;
inner = new IP_Hdr(ip6, false, caplen); inner = new zeek::IP_Hdr(ip6, false, caplen);
if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 ) if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 )
return -2; return -2;
} }
@ -832,7 +832,7 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
return -1; return -1;
const struct ip* ip4 = (const struct ip*) pkt; const struct ip* ip4 = (const struct ip*) pkt;
inner = new IP_Hdr(ip4, false); inner = new zeek::IP_Hdr(ip4, false);
if ( ip4->ip_v != 4 ) if ( ip4->ip_v != 4 )
return -2; return -2;
} }
@ -895,8 +895,8 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32_t len, uint32_t caplen,
return false; return false;
} }
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip, FragReassembler* NetSessions::NextFragment(double t, const zeek::IP_Hdr* ip,
const u_char* pkt) const u_char* pkt)
{ {
uint32_t frag_id = ip->ID(); uint32_t frag_id = ip->ID();
@ -955,8 +955,8 @@ Connection* NetSessions::FindConnection(zeek::Val* v)
// types, too. // types, too.
} }
const IPAddr& orig_addr = (*vl)[orig_h]->AsAddr(); const zeek::IPAddr& orig_addr = (*vl)[orig_h]->AsAddr();
const IPAddr& resp_addr = (*vl)[resp_h]->AsAddr(); const zeek::IPAddr& resp_addr = (*vl)[resp_h]->AsAddr();
zeek::PortVal* orig_portv = (*vl)[orig_p]->AsPortVal(); zeek::PortVal* orig_portv = (*vl)[orig_p]->AsPortVal();
zeek::PortVal* resp_portv = (*vl)[resp_p]->AsPortVal(); zeek::PortVal* resp_portv = (*vl)[resp_p]->AsPortVal();
@ -971,7 +971,7 @@ Connection* NetSessions::FindConnection(zeek::Val* v)
id.is_one_way = false; // ### incorrect for ICMP connections id.is_one_way = false; // ### incorrect for ICMP connections
ConnIDKey key = BuildConnIDKey(id); zeek::detail::ConnIDKey key = zeek::detail::BuildConnIDKey(id);
ConnectionMap* d; ConnectionMap* d;
if ( orig_portv->IsTCP() ) if ( orig_portv->IsTCP() )
@ -1000,7 +1000,7 @@ void NetSessions::Remove(Connection* c)
{ {
if ( c->IsKeyValid() ) if ( c->IsKeyValid() )
{ {
const ConnIDKey& key = c->Key(); const zeek::detail::ConnIDKey& key = c->Key();
c->CancelTimers(); c->CancelTimers();
if ( c->ConnTransport() == TRANSPORT_TCP ) if ( c->ConnTransport() == TRANSPORT_TCP )
@ -1159,7 +1159,7 @@ void NetSessions::GetStats(SessionStats& s) const
s.max_fragments = stats.max_fragments; s.max_fragments = stats.max_fragments;
} }
Connection* NetSessions::NewConn(const ConnIDKey& k, double t, const ConnID* id, Connection* NetSessions::NewConn(const zeek::detail::ConnIDKey& k, double t, const ConnID* id,
const u_char* data, int proto, uint32_t flow_label, const u_char* data, int proto, uint32_t flow_label,
const Packet* pkt, const EncapsulationStack* encapsulation) const Packet* pkt, const EncapsulationStack* encapsulation)
{ {
@ -1219,7 +1219,7 @@ Connection* NetSessions::NewConn(const ConnIDKey& k, double t, const ConnID* id,
return conn; return conn;
} }
Connection* NetSessions::LookupConn(const ConnectionMap& conns, const ConnIDKey& key) Connection* NetSessions::LookupConn(const ConnectionMap& conns, const zeek::detail::ConnIDKey& key)
{ {
auto it = conns.find(key); auto it = conns.find(key);
if ( it != conns.end() ) if ( it != conns.end() )
@ -1330,7 +1330,7 @@ void NetSessions::Weird(const char* name, const Packet* pkt,
reporter->Weird(name, addl); reporter->Weird(name, addl);
} }
void NetSessions::Weird(const char* name, const IP_Hdr* ip, void NetSessions::Weird(const char* name, const zeek::IP_Hdr* ip,
const EncapsulationStack* encap, const char* addl) const EncapsulationStack* encap, const char* addl)
{ {
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE ) if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
@ -1396,7 +1396,7 @@ unsigned int NetSessions::MemoryAllocation()
; ;
} }
void NetSessions::InsertConnection(ConnectionMap* m, const ConnIDKey& key, Connection* conn) void NetSessions::InsertConnection(ConnectionMap* m, const zeek::detail::ConnIDKey& key, Connection* conn)
{ {
(*m)[key] = conn; (*m)[key] = conn;

30
src/Sessions.h
View file

@ -55,8 +55,8 @@ public:
// Returns a reassembled packet, or nil if there are still // Returns a reassembled packet, or nil if there are still
// some missing fragments. // some missing fragments.
FragReassembler* NextFragment(double t, const IP_Hdr* ip, FragReassembler* NextFragment(double t, const zeek::IP_Hdr* ip,
const u_char* pkt); const u_char* pkt);
// Looks up the connection referred to by the given Val, // Looks up the connection referred to by the given Val,
// which should be a conn_id record. Returns nil if there's // which should be a conn_id record. Returns nil if there's
@ -78,9 +78,9 @@ public:
void GetStats(SessionStats& s) const; void GetStats(SessionStats& s) const;
void Weird(const char* name, const Packet* pkt, void Weird(const char* name, const Packet* pkt,
const EncapsulationStack* encap = nullptr, const char* addl = ""); const EncapsulationStack* encap = nullptr, const char* addl = "");
void Weird(const char* name, const IP_Hdr* ip, void Weird(const char* name, const zeek::IP_Hdr* ip,
const EncapsulationStack* encap = nullptr, const char* addl = ""); const EncapsulationStack* encap = nullptr, const char* addl = "");
PacketFilter* GetPacketFilter() PacketFilter* GetPacketFilter()
{ {
@ -96,8 +96,8 @@ public:
return tcp_conns.size() + udp_conns.size() + icmp_conns.size(); return tcp_conns.size() + udp_conns.size() + icmp_conns.size();
} }
void DoNextPacket(double t, const Packet *pkt, const IP_Hdr* ip_hdr, void DoNextPacket(double t, const Packet *pkt, const zeek::IP_Hdr* ip_hdr,
const EncapsulationStack* encapsulation); const EncapsulationStack* encapsulation);
/** /**
* Wrapper that recurses on DoNextPacket for encapsulated IP packets. * Wrapper that recurses on DoNextPacket for encapsulated IP packets.
@ -114,8 +114,8 @@ public:
* @param ec The most-recently found depth of encapsulation. * @param ec The most-recently found depth of encapsulation.
*/ */
void DoNextInnerPacket(double t, const Packet *pkt, void DoNextInnerPacket(double t, const Packet *pkt,
const IP_Hdr* inner, const EncapsulationStack* prev, const zeek::IP_Hdr* inner, const EncapsulationStack* prev,
const EncapsulatingConn& ec); const EncapsulatingConn& ec);
/** /**
* Recurses on DoNextPacket for encapsulated Ethernet/IP packets. * Recurses on DoNextPacket for encapsulated Ethernet/IP packets.
@ -161,7 +161,7 @@ public:
* for other return values. * for other return values.
*/ */
int ParseIPPacket(int caplen, const u_char* const pkt, int proto, int ParseIPPacket(int caplen, const u_char* const pkt, int proto,
IP_Hdr*& inner); zeek::IP_Hdr*& inner);
unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsage();
unsigned int ConnectionMemoryUsageConnVals(); unsigned int ConnectionMemoryUsageConnVals();
@ -172,14 +172,14 @@ protected:
friend class ConnCompressor; friend class ConnCompressor;
friend class IPTunnelTimer; friend class IPTunnelTimer;
using ConnectionMap = std::map<ConnIDKey, Connection*>; using ConnectionMap = std::map<zeek::detail::ConnIDKey, Connection*>;
using FragmentMap = std::map<FragReassemblerKey, FragReassembler*>; using FragmentMap = std::map<FragReassemblerKey, FragReassembler*>;
Connection* NewConn(const ConnIDKey& k, double t, const ConnID* id, Connection* NewConn(const zeek::detail::ConnIDKey& k, double t, const ConnID* id,
const u_char* data, int proto, uint32_t flow_label, const u_char* data, int proto, uint32_t flow_label,
const Packet* pkt, const EncapsulationStack* encapsulation); const Packet* pkt, const EncapsulationStack* encapsulation);
Connection* LookupConn(const ConnectionMap& conns, const ConnIDKey& key); Connection* LookupConn(const ConnectionMap& conns, const zeek::detail::ConnIDKey& key);
// Returns true if the port corresonds to an application // Returns true if the port corresonds to an application
// for which there's a Bro analyzer (even if it might not // for which there's a Bro analyzer (even if it might not
@ -215,7 +215,7 @@ protected:
// the new one. Connection count stats get updated either way (so most // the new one. Connection count stats get updated either way (so most
// cases should likely check that the key is not already in the map to // cases should likely check that the key is not already in the map to
// avoid unnecessary incrementing of connecting counts). // avoid unnecessary incrementing of connecting counts).
void InsertConnection(ConnectionMap* m, const ConnIDKey& key, Connection* conn); void InsertConnection(ConnectionMap* m, const zeek::detail::ConnIDKey& key, Connection* conn);
ConnectionMap tcp_conns; ConnectionMap tcp_conns;
ConnectionMap udp_conns; ConnectionMap udp_conns;
@ -224,7 +224,7 @@ protected:
SessionStats stats; SessionStats stats;
using IPPair = std::pair<IPAddr, IPAddr>; using IPPair = std::pair<zeek::IPAddr, zeek::IPAddr>;
using TunnelActivity = std::pair<EncapsulatingConn, double>; using TunnelActivity = std::pair<EncapsulatingConn, double>;
using IPTunnelMap = std::map<IPPair, TunnelActivity>; using IPTunnelMap = std::map<IPPair, TunnelActivity>;
IPTunnelMap ip_tunnels; IPTunnelMap ip_tunnels;

6
src/TunnelEncapsulation.h
View file

@ -40,7 +40,7 @@ public:
* @param d The tunnel destination address, likely taken from an IP header. * @param d The tunnel destination address, likely taken from an IP header.
* @param t The type of IP tunnel. * @param t The type of IP tunnel.
*/ */
EncapsulatingConn(const IPAddr& s, const IPAddr& d, EncapsulatingConn(const zeek::IPAddr& s, const zeek::IPAddr& d,
BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP) BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
: src_addr(s), dst_addr(d), src_port(0), dst_port(0), : src_addr(s), dst_addr(d), src_port(0), dst_port(0),
proto(TRANSPORT_UNKNOWN), type(t), proto(TRANSPORT_UNKNOWN), type(t),
@ -119,8 +119,8 @@ public:
} }
protected: protected:
IPAddr src_addr; zeek::IPAddr src_addr;
IPAddr dst_addr; zeek::IPAddr dst_addr;
uint16_t src_port; uint16_t src_port;
uint16_t dst_port; uint16_t dst_port;
TransportProto proto; TransportProto proto;

4
src/Val.h
View file

@ -35,14 +35,14 @@ using BroString [[deprecated("Remove in v4.1. Use zeek::String instead.")]] = ze
ZEEK_FORWARD_DECLARE_NAMESPACED(IterCookie, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(IterCookie, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
namespace zeek::detail { class ScriptFunc; } namespace zeek::detail { class ScriptFunc; }
using BroFunc [[deprecated("Remove in v4.1. Use zeek::detail::ScriptFunc instead.")]] = zeek::detail::ScriptFunc; using BroFunc [[deprecated("Remove in v4.1. Use zeek::detail::ScriptFunc instead.")]] = zeek::detail::ScriptFunc;
class BroFile; class BroFile;
class PrefixTable; class PrefixTable;
class IPAddr;
class IPPrefix;
class StateAccess; class StateAccess;
class RE_Matcher; class RE_Matcher;

8
src/analyzer/Analyzer.cc
View file

@ -214,7 +214,7 @@ void Analyzer::Done()
} }
void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64_t seq, void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64_t seq,
const IP_Hdr* ip, int caplen) const zeek::IP_Hdr* ip, int caplen)
{ {
if ( skip ) if ( skip )
return; return;
@ -297,7 +297,7 @@ void Analyzer::NextEndOfData(bool is_orig)
} }
void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig, void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
if ( output_handler ) if ( output_handler )
output_handler->DeliverPacket(len, data, is_orig, seq, output_handler->DeliverPacket(len, data, is_orig, seq,
@ -644,7 +644,7 @@ SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
} }
void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]", DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]",
fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen, fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen,
@ -858,7 +858,7 @@ SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const
} }
void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig, void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
// We do not call parent's method, as we're replacing the functionality. // We do not call parent's method, as we're replacing the functionality.

12
src/analyzer/Analyzer.h
View file

@ -21,7 +21,7 @@ using BroFilePtr = zeek::IntrusivePtr<BroFile>;
class Rule; class Rule;
class Connection; class Connection;
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
namespace zeek { namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>; using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
@ -59,7 +59,7 @@ public:
*/ */
virtual void DeliverPacket(int len, const u_char* data, virtual void DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, bool orig, uint64_t seq,
const IP_Hdr* ip, int caplen) const zeek::IP_Hdr* ip, int caplen)
{ } { }
/** /**
@ -157,7 +157,7 @@ public:
* @param caplen The packet's capture length, if available. * @param caplen The packet's capture length, if available.
*/ */
void NextPacket(int len, const u_char* data, bool is_orig, void NextPacket(int len, const u_char* data, bool is_orig,
uint64_t seq = -1, const IP_Hdr* ip = nullptr, int caplen = 0); uint64_t seq = -1, const zeek::IP_Hdr* ip = nullptr, int caplen = 0);
/** /**
* Passes stream input to the analyzer for processing. The analyzer * Passes stream input to the analyzer for processing. The analyzer
@ -210,7 +210,7 @@ public:
*/ */
virtual void ForwardPacket(int len, const u_char* data, virtual void ForwardPacket(int len, const u_char* data,
bool orig, uint64_t seq, bool orig, uint64_t seq,
const IP_Hdr* ip, int caplen); const zeek::IP_Hdr* ip, int caplen);
/** /**
* Forwards stream input on to all child analyzers. If the analyzer * Forwards stream input on to all child analyzers. If the analyzer
@ -241,7 +241,7 @@ public:
* Parameters are the same. * Parameters are the same.
*/ */
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen); uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
/** /**
* Hook for accessing stream input for parsing. This is called by * Hook for accessing stream input for parsing. This is called by
@ -839,7 +839,7 @@ public:
* Parameters same as for Analyzer::ForwardPacket. * Parameters same as for Analyzer::ForwardPacket.
*/ */
void ForwardPacket(int len, const u_char* data, bool orig, void ForwardPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
/** /**
* Passes stream input to the next sibling SupportAnalyzer if any, or * Passes stream input to the next sibling SupportAnalyzer if any, or

2
src/analyzer/protocol/ayiya/AYIYA.cc
View file

@ -21,7 +21,7 @@ void AYIYA_Analyzer::Done()
Event(udp_session_done); Event(udp_session_done);
} }
void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/ayiya/AYIYA.h
View file

@ -11,7 +11,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen); uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new AYIYA_Analyzer(conn); } { return new AYIYA_Analyzer(conn); }

2
src/analyzer/protocol/ayiya/ayiya-analyzer.pac
View file

@ -56,7 +56,7 @@ flow AYIYA_Flow
return false; return false;
} }
IP_Hdr* inner = 0; zeek::IP_Hdr* inner = 0;
int result = sessions->ParseIPPacket(${pdu.packet}.length(), int result = sessions->ParseIPPacket(${pdu.packet}.length(),
${pdu.packet}.data(), ${pdu.next_header}, inner); ${pdu.packet}.data(), ${pdu.next_header}, inner);

2
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -102,7 +102,7 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
} }
} }
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);

2
src/analyzer/protocol/conn-size/ConnSize.h
View file

@ -31,7 +31,7 @@ public:
protected: protected:
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void CheckThresholds(bool is_orig); void CheckThresholds(bool is_orig);
void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig); void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig);

2
src/analyzer/protocol/dhcp/DHCP.cc
View file

@ -22,7 +22,7 @@ void DHCP_Analyzer::Done()
} }
void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/dhcp/DHCP.h
View file

@ -13,7 +13,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DHCP_Analyzer(conn); } { return new DHCP_Analyzer(conn); }

2
src/analyzer/protocol/dnp3/DNP3.cc
View file

@ -440,7 +440,7 @@ DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer()
{ {
} }
void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -81,7 +81,7 @@ public:
~DNP3_UDP_Analyzer() override; ~DNP3_UDP_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNP3_UDP_Analyzer(conn); } { return new DNP3_UDP_Analyzer(conn); }

2
src/analyzer/protocol/dns/DNS.cc
View file

@ -1832,7 +1832,7 @@ void DNS_Analyzer::Done()
} }
void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->ParseMessage(data, len, orig ? 1 : 0); interp->ParseMessage(data, len, orig ? 1 : 0);

2
src/analyzer/protocol/dns/DNS.h
View file

@ -385,7 +385,7 @@ public:
~DNS_Analyzer() override; ~DNS_Analyzer() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void Init() override; void Init() override;
void Done() override; void Done() override;

4
src/analyzer/protocol/ftp/functions.bif
View file

@ -52,7 +52,7 @@ static zeek::ValPtr parse_eftp(const char* line)
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ftp_port); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ftp_port);
int net_proto = 0; // currently not used int net_proto = 0; // currently not used
IPAddr addr; // unspecified IPv6 address (all 128 bits zero) zeek::IPAddr addr; // unspecified IPv6 address (all 128 bits zero)
int port = 0; int port = 0;
int good = 0; int good = 0;
@ -87,7 +87,7 @@ static zeek::ValPtr parse_eftp(const char* line)
} }
std::string s(line, nptr-line); // extract IP address std::string s(line, nptr-line); // extract IP address
IPAddr tmp(s); zeek::IPAddr tmp(s);
// on error, "tmp" will have all 128 bits zero // on error, "tmp" will have all 128 bits zero
if ( tmp == addr ) if ( tmp == addr )
good = 0; good = 0;

2
src/analyzer/protocol/gtpv1/GTPv1.cc
View file

@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done()
Event(udp_session_done); Event(udp_session_done);
} }
void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
try try

2
src/analyzer/protocol/gtpv1/GTPv1.h
View file

@ -11,7 +11,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen); uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new GTPv1_Analyzer(conn); } { return new GTPv1_Analyzer(conn); }

14
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -98,11 +98,11 @@ zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
switch ( ie->end_user_addr()->pdp_type_num() ) { switch ( ie->end_user_addr()->pdp_type_num() ) {
case 0x21: case 0x21:
ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>( ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
IPAddr(IPv4, (const uint32*) d, IPAddr::Network))); zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
break; break;
case 0x57: case 0x57:
ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>( ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
IPAddr(IPv6, (const uint32*) d, IPAddr::Network))); zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
break; break;
default: default:
ev->Assign(3, zeek::make_intrusive<zeek::StringVal>( ev->Assign(3, zeek::make_intrusive<zeek::StringVal>(
@ -137,10 +137,10 @@ zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
if ( len == 4 ) if ( len == 4 )
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>( ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
IPAddr(IPv4, (const uint32*) d, IPAddr::Network))); zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
else if ( len == 16 ) else if ( len == 16 )
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>( ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
IPAddr(IPv6, (const uint32*) d, IPAddr::Network))); zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
else else
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false))); ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false)));
@ -221,9 +221,9 @@ zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
const uint8* d = ie->charging_gateway_addr()->value().data(); const uint8* d = ie->charging_gateway_addr()->value().data();
int len = ie->charging_gateway_addr()->value().length(); int len = ie->charging_gateway_addr()->value().length();
if ( len == 4 ) if ( len == 4 )
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network));
else if ( len == 16 ) else if ( len == 16 )
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, (const uint32*) d, IPAddr::Network)); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network));
else else
return nullptr; return nullptr;
} }
@ -729,7 +729,7 @@ flow GTPv1_Flow(is_orig: bool)
return false; return false;
} }
IP_Hdr* inner = 0; zeek::IP_Hdr* inner = nullptr;
int result = sessions->ParseIPPacket(${pdu.packet}.length(), int result = sessions->ParseIPPacket(${pdu.packet}.length(),
${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4, ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
inner); inner);

60
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -35,7 +35,7 @@ void ICMP_Analyzer::Done()
} }
void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
assert(ip); assert(ip);
@ -119,7 +119,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
} }
void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr ) const u_char*& data, const zeek::IP_Hdr* ip_hdr )
{ {
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -140,7 +140,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
} }
void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr ) const u_char*& data, const zeek::IP_Hdr* ip_hdr )
{ {
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
@ -199,7 +199,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
int icmpv6, const u_char* data, int icmpv6, const u_char* data,
const IP_Hdr* ip_hdr) const zeek::IP_Hdr* ip_hdr)
{ {
if ( icmp_sent ) if ( icmp_sent )
EnqueueConnEvent(icmp_sent, EnqueueConnEvent(icmp_sent,
@ -222,7 +222,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
} }
zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const IP_Hdr* ip_hdr) int icmpv6, const zeek::IP_Hdr* ip_hdr)
{ {
if ( ! icmp_conn_val ) if ( ! icmp_conn_val )
{ {
@ -242,7 +242,7 @@ zeek::RecordValPtr ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len
} }
zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len, zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr) bool icmpv6, const zeek::IP_Hdr* ip_hdr)
{ {
static auto icmp_info = zeek::id::find_type<zeek::RecordType>("icmp_info"); static auto icmp_info = zeek::id::find_type<zeek::RecordType>("icmp_info");
auto rval = zeek::make_intrusive<zeek::RecordVal>(icmp_info); auto rval = zeek::make_intrusive<zeek::RecordVal>(icmp_info);
@ -254,7 +254,7 @@ zeek::RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
return rval; return rval;
} }
TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port) TransportProto ICMP_Analyzer::GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
{ {
const u_char* transport_hdr; const u_char* transport_hdr;
uint32_t ip_hdr_len = ip_hdr->HdrLen(); uint32_t ip_hdr_len = ip_hdr->HdrLen();
@ -321,15 +321,15 @@ TransportProto ICMP_Analyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t*
zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) zeek::RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
{ {
const IP_Hdr ip_hdr_data((const struct ip*) data, false); const zeek::IP_Hdr ip_hdr_data((const struct ip*) data, false);
const IP_Hdr* ip_hdr = &ip_hdr_data; const zeek::IP_Hdr* ip_hdr = &ip_hdr_data;
uint32_t ip_hdr_len = ip_hdr->HdrLen(); uint32_t ip_hdr_len = ip_hdr->HdrLen();
uint32_t ip_len, frag_offset; uint32_t ip_len, frag_offset;
TransportProto proto = TRANSPORT_UNKNOWN; TransportProto proto = TRANSPORT_UNKNOWN;
int DF, MF, bad_hdr_len, bad_checksum; int DF, MF, bad_hdr_len, bad_checksum;
IPAddr src_addr, dst_addr; zeek::IPAddr src_addr, dst_addr;
uint32_t src_port, dst_port; uint32_t src_port, dst_port;
if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) ) if ( len < (int)sizeof(struct ip) || ip_hdr_len > uint32_t(len) )
@ -391,8 +391,8 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
int DF = 0, MF = 0, bad_hdr_len = 0; int DF = 0, MF = 0, bad_hdr_len = 0;
TransportProto proto = TRANSPORT_UNKNOWN; TransportProto proto = TRANSPORT_UNKNOWN;
IPAddr src_addr; zeek::IPAddr src_addr;
IPAddr dst_addr; zeek::IPAddr dst_addr;
uint32_t ip_len, frag_offset = 0; uint32_t ip_len, frag_offset = 0;
uint32_t src_port, dst_port; uint32_t src_port, dst_port;
@ -404,8 +404,8 @@ zeek::RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& da
} }
else else
{ {
const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len); const zeek::IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
const IP_Hdr* ip_hdr = &ip_hdr_data; const zeek::IP_Hdr* ip_hdr = &ip_hdr_data;
ip_len = ip_hdr->TotalLen(); ip_len = ip_hdr->TotalLen();
src_addr = ip_hdr->SrcAddr(); src_addr = ip_hdr->SrcAddr();
@ -512,7 +512,7 @@ unsigned int ICMP_Analyzer::MemoryAllocation() const
void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
// For handling all Echo related ICMP messages // For handling all Echo related ICMP messages
EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
@ -544,7 +544,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_router_advertisement; EventHandlerPtr f = icmp_router_advertisement;
@ -581,17 +581,17 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_neighbor_advertisement; EventHandlerPtr f = icmp_neighbor_advertisement;
if ( ! f ) if ( ! f )
return; return;
IPAddr tgtaddr; zeek::IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
@ -609,17 +609,17 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_neighbor_solicitation; EventHandlerPtr f = icmp_neighbor_solicitation;
if ( ! f ) if ( ! f )
return; return;
IPAddr tgtaddr; zeek::IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
@ -634,20 +634,20 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_redirect; EventHandlerPtr f = icmp_redirect;
if ( ! f ) if ( ! f )
return; return;
IPAddr tgtaddr, dstaddr; zeek::IPAddr tgtaddr, dstaddr;
if ( caplen >= (int)sizeof(in6_addr) ) if ( caplen >= (int)sizeof(in6_addr) )
tgtaddr = IPAddr(*((const in6_addr*)data)); tgtaddr = zeek::IPAddr(*((const in6_addr*)data));
if ( caplen >= 2 * (int)sizeof(in6_addr) ) if ( caplen >= 2 * (int)sizeof(in6_addr) )
dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); dstaddr = zeek::IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
@ -663,7 +663,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = icmp_router_solicitation; EventHandlerPtr f = icmp_router_solicitation;
@ -680,7 +680,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
@ -707,7 +707,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
{ {
EventHandlerPtr f = nullptr; EventHandlerPtr f = nullptr;
@ -816,7 +816,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
info->Assign(2, zeek::val_mgr->Bool(A_flag)); info->Assign(2, zeek::val_mgr->Bool(A_flag));
info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds)); info->Assign(3, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds)); info->Assign(4, zeek::make_intrusive<zeek::IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(IPAddr(prefix))); info->Assign(5, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(prefix)));
rv->Assign(3, std::move(info)); rv->Assign(3, std::move(info));
} }

30
src/analyzer/protocol/icmp/ICMP.h
View file

@ -32,52 +32,52 @@ public:
protected: protected:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
bool IsReuse(double t, const u_char* pkt) override; bool IsReuse(double t, const u_char* pkt) override;
unsigned int MemoryAllocation() const override; unsigned int MemoryAllocation() const override;
void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
const u_char* data, const IP_Hdr* ip_hdr); const u_char* data, const zeek::IP_Hdr* ip_hdr);
void Echo(double t, const struct icmp* icmpp, int len, void Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void Redirect(double t, const struct icmp* icmpp, int len, void Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void RouterAdvert(double t, const struct icmp* icmpp, int len, void RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void NeighborAdvert(double t, const struct icmp* icmpp, int len, void NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void NeighborSolicit(double t, const struct icmp* icmpp, int len, void NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void RouterSolicit(double t, const struct icmp* icmpp, int len, void RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr);
void Describe(ODesc* d) const; void Describe(ODesc* d) const;
zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len, zeek::RecordValPtr BuildICMPVal(const struct icmp* icmpp, int len,
int icmpv6, const IP_Hdr* ip_hdr); int icmpv6, const zeek::IP_Hdr* ip_hdr);
zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len, zeek::RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr); bool icmpv6, const zeek::IP_Hdr* ip_hdr);
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr ); const u_char*& data, const zeek::IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP4Context(int len, const u_char*& data); zeek::RecordValPtr ExtractICMP4Context(int len, const u_char*& data);
void Context4(double t, const struct icmp* icmpp, int len, int caplen, void Context4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr); const u_char*& data, const zeek::IP_Hdr* ip_hdr);
TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, TransportProto GetContextProtocol(const zeek::IP_Hdr* ip_hdr, uint32_t* src_port,
uint32_t* dst_port); uint32_t* dst_port);
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr ); const u_char*& data, const zeek::IP_Hdr* ip_hdr );
zeek::RecordValPtr ExtractICMP6Context(int len, const u_char*& data); zeek::RecordValPtr ExtractICMP6Context(int len, const u_char*& data);
void Context6(double t, const struct icmp* icmpp, int len, int caplen, void Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr); const u_char*& data, const zeek::IP_Hdr* ip_hdr);
// RFC 4861 Neighbor Discover message options // RFC 4861 Neighbor Discover message options
zeek::VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data); zeek::VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data);

2
src/analyzer/protocol/krb/KRB.cc
View file

@ -73,7 +73,7 @@ void KRB_Analyzer::Done()
} }
void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/krb/KRB.h
View file

@ -20,7 +20,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen); uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }

4
src/analyzer/protocol/krb/krb-types.pac
View file

@ -61,7 +61,7 @@ zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address
} }
auto bytes = reinterpret_cast<const uint32_t*>(addr_bytes.data()); auto bytes = reinterpret_cast<const uint32_t*>(addr_bytes.data());
rv->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv4, bytes, IPAddr::Network))); rv->Assign(0, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, bytes, zeek::IPAddr::Network)));
return rv; return rv;
} }
case 24: case 24:
@ -73,7 +73,7 @@ zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address
} }
auto bytes = reinterpret_cast<const uint32_t*>(addr_bytes.data()); auto bytes = reinterpret_cast<const uint32_t*>(addr_bytes.data());
rv->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, bytes, IPAddr::Network))); rv->Assign(0, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, bytes, zeek::IPAddr::Network)));
return rv; return rv;
} }
case 20: case 20:

2
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -511,7 +511,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
} }
void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -146,7 +146,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NetbiosSSN_Analyzer(conn); } { return new NetbiosSSN_Analyzer(conn); }

2
src/analyzer/protocol/ntp/NTP.cc
View file

@ -24,7 +24,7 @@ NTP_Analyzer::~NTP_Analyzer()
} }
void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/ntp/NTP.h
View file

@ -17,7 +17,7 @@ public:
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new NTP_Analyzer(conn); } { return new NTP_Analyzer(conn); }

2
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -54,7 +54,7 @@
default: default:
{ {
const uint8* d = ${nsm.reference_id}.data(); const uint8* d = ${nsm.reference_id}.data();
rv->Assign(7, zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv4, (const uint32*) d, IPAddr::Network))); rv->Assign(7, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
} }
break; break;
} }

14
src/analyzer/protocol/pia/PIA.cc
View file

@ -36,7 +36,7 @@ void PIA::ClearBuffer(Buffer* buffer)
} }
void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
bool is_orig, const IP_Hdr* ip) bool is_orig, const zeek::IP_Hdr* ip)
{ {
u_char* tmp = nullptr; u_char* tmp = nullptr;
@ -66,7 +66,7 @@ void PIA::AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data,
} }
void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig, void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig,
const IP_Hdr* ip) const zeek::IP_Hdr* ip)
{ {
AddToBuffer(buffer, -1, len, data, is_orig, ip); AddToBuffer(buffer, -1, len, data, is_orig, ip);
} }
@ -85,7 +85,7 @@ void PIA::PIA_Done()
} }
void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,
const IP_Hdr* ip, int caplen, bool clear_state) const zeek::IP_Hdr* ip, int caplen, bool clear_state)
{ {
if ( pkt_buffer.state == SKIPPING ) if ( pkt_buffer.state == SKIPPING )
return; return;
@ -130,7 +130,7 @@ void PIA::Match(Rule::PatternType type, const u_char* data, int len,
} }
void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bool clear_state, const IP_Hdr* ip) bool clear_state, const zeek::IP_Hdr* ip)
{ {
if ( ! rule_matcher ) if ( ! rule_matcher )
return; return;
@ -203,12 +203,12 @@ void PIA_TCP::Init()
} }
} }
void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
{ {
static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)]; static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)];
static struct ip* ip4 = nullptr; static struct ip* ip4 = nullptr;
static struct tcphdr* tcp4 = nullptr; static struct tcphdr* tcp4 = nullptr;
static IP_Hdr* ip4_hdr = nullptr; static zeek::IP_Hdr* ip4_hdr = nullptr;
DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F"));
@ -226,7 +226,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip)
ip4->ip_p = IPPROTO_TCP; ip4->ip_p = IPPROTO_TCP;
// Cast to const so that it doesn't delete it. // Cast to const so that it doesn't delete it.
ip4_hdr = new IP_Hdr(ip4, false); ip4_hdr = new zeek::IP_Hdr(ip4, false);
} }
if ( is_orig ) if ( is_orig )

16
src/analyzer/protocol/pia/PIA.h
View file

@ -42,14 +42,14 @@ public:
protected: protected:
void PIA_Done(); void PIA_Done();
void PIA_DeliverPacket(int len, const u_char* data, bool is_orig, void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen, bool clear_state); uint64_t seq, const zeek::IP_Hdr* ip, int caplen, bool clear_state);
enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state; enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
// Buffers one chunk of data. Used both for packet payload (incl. // Buffers one chunk of data. Used both for packet payload (incl.
// sequence numbers for TCP) and chunks of a reassembled stream. // sequence numbers for TCP) and chunks of a reassembled stream.
struct DataBlock { struct DataBlock {
IP_Hdr* ip; zeek::IP_Hdr* ip;
const u_char* data; const u_char* data;
bool is_orig; bool is_orig;
int len; int len;
@ -67,15 +67,15 @@ protected:
}; };
void AddToBuffer(Buffer* buffer, uint64_t seq, int len, void AddToBuffer(Buffer* buffer, uint64_t seq, int len,
const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr); const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr);
void AddToBuffer(Buffer* buffer, int len, void AddToBuffer(Buffer* buffer, int len,
const u_char* data, bool is_orig, const IP_Hdr* ip = nullptr); const u_char* data, bool is_orig, const zeek::IP_Hdr* ip = nullptr);
void ClearBuffer(Buffer* buffer); void ClearBuffer(Buffer* buffer);
DataBlock* CurrentPacket() { return &current_packet; } DataBlock* CurrentPacket() { return &current_packet; }
void DoMatch(const u_char* data, int len, bool is_orig, bool bol, void DoMatch(const u_char* data, int len, bool is_orig, bool bol,
bool eol, bool clear_state, const IP_Hdr* ip = nullptr); bool eol, bool clear_state, const zeek::IP_Hdr* ip = nullptr);
void SetConn(Connection* c) { conn = c; } void SetConn(Connection* c) { conn = c; }
@ -106,7 +106,7 @@ protected:
} }
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
@ -136,7 +136,7 @@ public:
// matcher in the case that we already get reassembled input, // matcher in the case that we already get reassembled input,
// and making it part of the general analyzer interface seems // and making it part of the general analyzer interface seems
// to be unnecessary overhead.) // to be unnecessary overhead.)
void FirstPacket(bool is_orig, const IP_Hdr* ip); void FirstPacket(bool is_orig, const zeek::IP_Hdr* ip);
void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer); void ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer);
@ -151,7 +151,7 @@ protected:
} }
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);

2
src/analyzer/protocol/radius/RADIUS.cc
View file

@ -25,7 +25,7 @@ void RADIUS_Analyzer::Done()
} }
void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/radius/RADIUS.h
View file

@ -19,7 +19,7 @@ public:
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new RADIUS_Analyzer(conn); } { return new RADIUS_Analyzer(conn); }

2
src/analyzer/protocol/rdp/RDPEUDP.cc
View file

@ -22,7 +22,7 @@ void RDP_Analyzer::Done()
} }
void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/rdp/RDPEUDP.h
View file

@ -13,7 +13,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) static zeek::analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); } { return new RDP_Analyzer(conn); }

2
src/analyzer/protocol/rpc/RPC.cc
View file

@ -736,7 +736,7 @@ RPC_Analyzer::~RPC_Analyzer()
} }
void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
len = std::min(len, caplen); len = std::min(len, caplen);

2
src/analyzer/protocol/rpc/RPC.h
View file

@ -240,7 +240,7 @@ public:
protected: protected:
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void ExpireTimer(double t); void ExpireTimer(double t);

2
src/analyzer/protocol/sip/SIP.cc
View file

@ -21,7 +21,7 @@ void SIP_Analyzer::Done()
} }
void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
bool real_orig = true; bool real_orig = true;
if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' ) if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )

2
src/analyzer/protocol/sip/SIP.h
View file

@ -16,7 +16,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SIP_Analyzer(conn); } { return new SIP_Analyzer(conn); }

2
src/analyzer/protocol/snmp/SNMP.cc
View file

@ -26,7 +26,7 @@ void SNMP_Analyzer::Done()
} }
void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/snmp/SNMP.h
View file

@ -15,7 +15,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig, virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen); uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
static zeek::analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) static zeek::analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new SNMP_Analyzer(conn); } { return new SNMP_Analyzer(conn); }

2
src/analyzer/protocol/snmp/snmp-analyzer.pac
View file

@ -35,7 +35,7 @@ zeek::AddrValPtr network_address_to_val(const ASN1Encoding* na)
// but standards don't seem to currently make any provisions for IPv6, // but standards don't seem to currently make any provisions for IPv6,
// so ignore anything that can't be IPv4. // so ignore anything that can't be IPv4.
if ( bs.length() != 4 ) if ( bs.length() != 4 )
return zeek::make_intrusive<zeek::AddrVal>(IPAddr()); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr());
const u_char* data = reinterpret_cast<const u_char*>(bs.data()); const u_char* data = reinterpret_cast<const u_char*>(bs.data());
uint32 network_order = extract_uint32(data); uint32 network_order = extract_uint32(data);

4
src/analyzer/protocol/socks/socks-analyzer.pac
View file

@ -98,7 +98,7 @@ refine connection SOCKS_Conn += {
break; break;
case 4: case 4:
sa->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, (const uint32_t*) ${request.remote_name.ipv6}, IPAddr::Network))); sa->Assign(0, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32_t*) ${request.remote_name.ipv6}, zeek::IPAddr::Network)));
break; break;
default: default:
@ -138,7 +138,7 @@ refine connection SOCKS_Conn += {
break; break;
case 4: case 4:
sa->Assign(0, zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, (const uint32_t*) ${reply.bound.ipv6}, IPAddr::Network))); sa->Assign(0, zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32_t*) ${reply.bound.ipv6}, zeek::IPAddr::Network)));
break; break;
default: default:

2
src/analyzer/protocol/ssl/DTLS.cc
View file

@ -32,7 +32,7 @@ void DTLS_Analyzer::Done()
handshake_interp->FlowEOF(false); handshake_interp->FlowEOF(false);
} }
void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

2
src/analyzer/protocol/ssl/DTLS.h
View file

@ -18,7 +18,7 @@ public:
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void EndOfData(bool is_orig) override; void EndOfData(bool is_orig) override;
void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig); void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig);

4
src/analyzer/protocol/stepping-stone/SteppingStone.cc
View file

@ -61,7 +61,7 @@ void SteppingStoneEndpoint::Done()
} }
bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen, bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen,
const u_char* data, const IP_Hdr* /* ip */, const u_char* data, const zeek::IP_Hdr* /* ip */,
const struct tcphdr* tp) const struct tcphdr* tp)
{ {
if ( caplen < len ) if ( caplen < len )
@ -172,7 +172,7 @@ void SteppingStone_Analyzer::Init()
void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq, bool is_orig, uint64_t seq,
const IP_Hdr* ip, int caplen) const zeek::IP_Hdr* ip, int caplen)
{ {
tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
ip, caplen); ip, caplen);

4
src/analyzer/protocol/stepping-stone/SteppingStone.h
View file

@ -19,7 +19,7 @@ public:
void Done(); void Done();
bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp); const zeek::IP_Hdr* ip, const struct tcphdr* tp);
protected: protected:
void Event(EventHandlerPtr f, int id1, int id2 = -1); void Event(EventHandlerPtr f, int id1, int id2 = -1);
@ -55,7 +55,7 @@ protected:
// We support both packet and stream input and can be put in place even // We support both packet and stream input and can be put in place even
// if the TCP analyzer is not yet reassebmling. // if the TCP analyzer is not yet reassebmling.
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void DeliverStream(int len, const u_char* data, bool is_orig) override; void DeliverStream(int len, const u_char* data, bool is_orig) override;
int orig_stream_pos; int orig_stream_pos;

2
src/analyzer/protocol/syslog/Syslog.cc
View file

@ -28,7 +28,7 @@ void Syslog_Analyzer::Done()
Event(udp_session_done); Event(udp_session_done);
} }
void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->NewData(orig, data, data + len); interp->NewData(orig, data, data + len);

2
src/analyzer/protocol/syslog/Syslog.h
View file

@ -15,7 +15,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Syslog_Analyzer(conn); } { return new Syslog_Analyzer(conn); }

14
src/analyzer/protocol/tcp/TCP.cc
View file

@ -42,7 +42,7 @@ namespace { // local namespace
static const int ORIG = 1; static const int ORIG = 1;
static const int RESP = 2; static const int RESP = 2;
static zeek::RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip, static zeek::RecordVal* build_syn_packet_val(bool is_orig, const zeek::IP_Hdr* ip,
const struct tcphdr* tcp) const struct tcphdr* tcp)
{ {
int winscale = -1; int winscale = -1;
@ -800,7 +800,7 @@ void TCP_Analyzer::GeneratePacketEvent(
} }
bool TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen, bool TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
const IP_Hdr* ip, const struct tcphdr* tp, const zeek::IP_Hdr* ip, const struct tcphdr* tp,
TCP_Endpoint* endpoint, uint64_t rel_data_seq, TCP_Endpoint* endpoint, uint64_t rel_data_seq,
bool is_orig, TCP_Flags flags) bool is_orig, TCP_Flags flags)
{ {
@ -818,7 +818,7 @@ void TCP_Analyzer::CheckRecording(bool need_contents, TCP_Flags flags)
Conn()->SetRecordCurrentPacket(record_current_packet); Conn()->SetRecordCurrentPacket(record_current_packet);
} }
void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const IP_Hdr* ip) void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
{ {
if ( is_orig && ! (first_packet_seen & ORIG) ) if ( is_orig && ! (first_packet_seen & ORIG) )
{ {
@ -1045,7 +1045,7 @@ static int32_t update_last_seq(TCP_Endpoint* endpoint, uint32_t last_seq,
} }
void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -1902,7 +1902,7 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason,
void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, uint64_t seq, bool is_orig, uint64_t seq,
const IP_Hdr* ip, int caplen) const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]", DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]",
@ -1984,7 +1984,7 @@ int endian_flip(int n)
bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caplen, bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caplen,
const u_char* /* data */, const u_char* /* data */,
const IP_Hdr* ip, const struct tcphdr* /* tp */) const zeek::IP_Hdr* ip, const struct tcphdr* /* tp */)
{ {
if ( ++num_pkts == 1 ) if ( ++num_pkts == 1 )
{ // First packet. { // First packet.
@ -2124,7 +2124,7 @@ void TCPStats_Analyzer::Done()
); );
} }
void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);

17
src/analyzer/protocol/tcp/TCP.h
View file

@ -79,7 +79,8 @@ protected:
// Analyzer interface. // Analyzer interface.
void Init() override; void Init() override;
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) override; void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
const zeek::IP_Hdr* ip, int caplen) override;
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override; void Undelivered(uint64_t seq, int len, bool orig) override;
void FlipRoles() override; void FlipRoles() override;
@ -134,12 +135,12 @@ protected:
bool is_orig, TCP_Flags flags); bool is_orig, TCP_Flags flags);
bool DeliverData(double t, const u_char* data, int len, int caplen, bool DeliverData(double t, const u_char* data, int len, int caplen,
const IP_Hdr* ip, const struct tcphdr* tp, const zeek::IP_Hdr* ip, const struct tcphdr* tp,
TCP_Endpoint* endpoint, uint64_t rel_data_seq, TCP_Endpoint* endpoint, uint64_t rel_data_seq,
bool is_orig, TCP_Flags flags); bool is_orig, TCP_Flags flags);
void CheckRecording(bool need_contents, TCP_Flags flags); void CheckRecording(bool need_contents, TCP_Flags flags);
void CheckPIA_FirstPacket(bool is_orig, const IP_Hdr* ip); void CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip);
friend class ConnectionTimer; friend class ConnectionTimer;
void AttemptTimer(double t); void AttemptTimer(double t);
@ -227,7 +228,7 @@ public:
virtual void PacketWithRST(); virtual void PacketWithRST();
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
void Init() override; void Init() override;
// This suppresses violations if the TCP connection wasn't // This suppresses violations if the TCP connection wasn't
@ -265,7 +266,7 @@ public:
explicit TCPStats_Endpoint(TCP_Endpoint* endp); explicit TCPStats_Endpoint(TCP_Endpoint* endp);
bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp); const zeek::IP_Hdr* ip, const struct tcphdr* tp);
zeek::RecordVal* BuildStats(); zeek::RecordVal* BuildStats();
@ -295,7 +296,7 @@ public:
protected: protected:
void DeliverPacket(int len, const u_char* data, bool is_orig, void DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
TCPStats_Endpoint* orig_stats; TCPStats_Endpoint* orig_stats;
TCPStats_Endpoint* resp_stats; TCPStats_Endpoint* resp_stats;

4
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -200,8 +200,8 @@ uint64_t TCP_Endpoint::Size() const
} }
bool TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen, bool TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
const u_char* data, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp) const zeek::IP_Hdr* ip, const struct tcphdr* tp)
{ {
bool status = false; bool status = false;

9
src/analyzer/protocol/tcp/TCP_Endpoint.h
View file

@ -6,7 +6,8 @@
#include "File.h" #include "File.h"
class Connection; class Connection;
class IP_Hdr;
ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
namespace analyzer { namespace tcp { namespace analyzer { namespace tcp {
@ -183,7 +184,7 @@ public:
// Returns true if the data was used (and hence should be recorded // Returns true if the data was used (and hence should be recorded
// in the save file), false otherwise. // in the save file), false otherwise.
bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp); const zeek::IP_Hdr* ip, const struct tcphdr* tp);
void AckReceived(uint64_t seq); void AckReceived(uint64_t seq);
@ -215,8 +216,8 @@ public:
uint32_t checksum_base; uint32_t checksum_base;
double start_time, last_time; double start_time, last_time;
IPAddr src_addr; // the other endpoint zeek::IPAddr src_addr; // the other endpoint
IPAddr dst_addr; // this endpoint zeek::IPAddr dst_addr; // this endpoint
uint32_t window; // current advertised window (*scaled*, not pre-scaling) uint32_t window; // current advertised window (*scaled*, not pre-scaling)
int window_scale; // from the TCP option int window_scale; // from the TCP option
uint32_t window_ack_seq; // at which ack_seq number did we record 'window' uint32_t window_ack_seq; // at which ack_seq number did we record 'window'

6
src/analyzer/protocol/teredo/Teredo.cc
View file

@ -96,7 +96,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
return false; return false;
} }
zeek::RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const zeek::RecordValPtr TeredoEncapsulation::BuildVal(const zeek::IP_Hdr* inner) const
{ {
static auto teredo_hdr_type = zeek::id::find_type<zeek::RecordType>("teredo_hdr"); static auto teredo_hdr_type = zeek::id::find_type<zeek::RecordType>("teredo_hdr");
static auto teredo_auth_type = zeek::id::find_type<zeek::RecordType>("teredo_auth"); static auto teredo_auth_type = zeek::id::find_type<zeek::RecordType>("teredo_auth");
@ -135,7 +135,7 @@ zeek::RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
} }
void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -160,7 +160,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
return; return;
} }
IP_Hdr* inner = nullptr; zeek::IP_Hdr* inner = nullptr;
int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner); int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
if ( rslt > 0 ) if ( rslt > 0 )

4
src/analyzer/protocol/teredo/Teredo.h
View file

@ -18,7 +18,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new Teredo_Analyzer(conn); } { return new Teredo_Analyzer(conn); }
@ -74,7 +74,7 @@ public:
const u_char* Authentication() const const u_char* Authentication() const
{ return auth; } { return auth; }
zeek::RecordValPtr BuildVal(const IP_Hdr* inner) const; zeek::RecordValPtr BuildVal(const zeek::IP_Hdr* inner) const;
protected: protected:
bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au); bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);

4
src/analyzer/protocol/udp/UDP.cc
View file

@ -42,7 +42,7 @@ void UDP_Analyzer::Done()
} }
void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
assert(ip); assert(ip);
@ -258,7 +258,7 @@ void UDP_Analyzer::ChecksumEvent(bool is_orig, uint32_t threshold)
is_orig, threshold); is_orig, threshold);
} }
bool UDP_Analyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) bool UDP_Analyzer::ValidateChecksum(const zeek::IP_Hdr* ip, const udphdr* up, int len)
{ {
uint32_t sum; uint32_t sum;

4
src/analyzer/protocol/udp/UDP.h
View file

@ -26,14 +26,14 @@ public:
protected: protected:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
bool IsReuse(double t, const u_char* pkt) override; bool IsReuse(double t, const u_char* pkt) override;
unsigned int MemoryAllocation() const override; unsigned int MemoryAllocation() const override;
void ChecksumEvent(bool is_orig, uint32_t threshold); void ChecksumEvent(bool is_orig, uint32_t threshold);
// Returns true if the checksum is valid, false if not // Returns true if the checksum is valid, false if not
static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, static bool ValidateChecksum(const zeek::IP_Hdr* ip, const struct udphdr* up,
int len); int len);
bro_int_t request_len, reply_len; bro_int_t request_len, reply_len;

4
src/analyzer/protocol/vxlan/VXLAN.cc
View file

@ -25,7 +25,7 @@ void VXLAN_Analyzer::Done()
} }
void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@ -76,7 +76,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
len -= pkt.hdr_size; len -= pkt.hdr_size;
caplen -= pkt.hdr_size; caplen -= pkt.hdr_size;
IP_Hdr* inner = nullptr; zeek::IP_Hdr* inner = nullptr;
int res = 0; int res = 0;
switch ( pkt.l3_proto ) { switch ( pkt.l3_proto ) {

2
src/analyzer/protocol/vxlan/VXLAN.h
View file

@ -15,7 +15,7 @@ public:
void Done() override; void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64_t seq, const IP_Hdr* ip, int caplen) override; uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{ return new VXLAN_Analyzer(conn); } { return new VXLAN_Analyzer(conn); }

4
src/broker/Data.cc
View file

@ -136,7 +136,7 @@ struct val_converter {
if ( type->Tag() == zeek::TYPE_ADDR ) if ( type->Tag() == zeek::TYPE_ADDR )
{ {
auto bits = reinterpret_cast<const in6_addr*>(&a.bytes()); auto bits = reinterpret_cast<const in6_addr*>(&a.bytes());
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(*bits)); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(*bits));
} }
return nullptr; return nullptr;
@ -147,7 +147,7 @@ struct val_converter {
if ( type->Tag() == zeek::TYPE_SUBNET ) if ( type->Tag() == zeek::TYPE_SUBNET )
{ {
auto bits = reinterpret_cast<const in6_addr*>(&a.network().bytes()); auto bits = reinterpret_cast<const in6_addr*>(&a.network().bytes());
return zeek::make_intrusive<zeek::SubNetVal>(IPPrefix(IPAddr(*bits), a.length())); return zeek::make_intrusive<zeek::SubNetVal>(zeek::IPPrefix(zeek::IPAddr(*bits), a.length()));
} }
return nullptr; return nullptr;

4
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -12,12 +12,12 @@ zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<u
{ {
if ( a->size() == 1 ) if ( a->size() == 1 )
{ {
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv4, &(a->at(0)), IPAddr::Host)); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, &(a->at(0)), zeek::IPAddr::Host));
} }
else if ( a->size() == 4 ) else if ( a->size() == 4 )
{ {
uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) }; uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) };
return zeek::make_intrusive<zeek::AddrVal>(IPAddr(IPv6, tmp, IPAddr::Host)); return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, tmp, zeek::IPAddr::Host));
} }
else else
{ {

1
src/file_analysis/analyzer/x509/X509Common.h
View file

@ -14,6 +14,7 @@ class EventHandlerPtr;
class Reporter; class Reporter;
ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
namespace zeek { namespace zeek {
template <class T> class IntrusivePtr; template <class T> class IntrusivePtr;
using StringValPtr = zeek::IntrusivePtr<StringVal>; using StringValPtr = zeek::IntrusivePtr<StringVal>;

12
src/input/Manager.cc
View file

@ -2227,14 +2227,14 @@ zeek::Val* Manager::ValueToVal(const Stream* i, const Value* val, zeek::Type* re
case zeek::TYPE_ADDR: case zeek::TYPE_ADDR:
{ {
IPAddr* addr = nullptr; zeek::IPAddr* addr = nullptr;
switch ( val->val.addr_val.family ) { switch ( val->val.addr_val.family ) {
case IPv4: case IPv4:
addr = new IPAddr(val->val.addr_val.in.in4); addr = new zeek::IPAddr(val->val.addr_val.in.in4);
break; break;
case IPv6: case IPv6:
addr = new IPAddr(val->val.addr_val.in.in6); addr = new zeek::IPAddr(val->val.addr_val.in.in6);
break; break;
default: default:
@ -2248,14 +2248,14 @@ zeek::Val* Manager::ValueToVal(const Stream* i, const Value* val, zeek::Type* re
case zeek::TYPE_SUBNET: case zeek::TYPE_SUBNET:
{ {
IPAddr* addr = nullptr; zeek::IPAddr* addr = nullptr;
switch ( val->val.subnet_val.prefix.family ) { switch ( val->val.subnet_val.prefix.family ) {
case IPv4: case IPv4:
addr = new IPAddr(val->val.subnet_val.prefix.in.in4); addr = new zeek::IPAddr(val->val.subnet_val.prefix.in.in4);
break; break;
case IPv6: case IPv6:
addr = new IPAddr(val->val.subnet_val.prefix.in.in6); addr = new zeek::IPAddr(val->val.subnet_val.prefix.in.in6);
break; break;
default: default:

10
src/iosource/Packet.cc
View file

@ -66,9 +66,9 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,
ProcessLayer2(); ProcessLayer2();
} }
const IP_Hdr Packet::IP() const const zeek::IP_Hdr Packet::IP() const
{ {
return IP_Hdr((struct ip *) (data + hdr_size), false); return zeek::IP_Hdr((struct ip *) (data + hdr_size), false);
} }
void Packet::Weird(const char* name) void Packet::Weird(const char* name)
@ -654,13 +654,13 @@ zeek::RecordValPtr Packet::ToRawPktHdrVal() const
if ( l3_proto == L3_IPV4 ) if ( l3_proto == L3_IPV4 )
{ {
IP_Hdr ip_hdr((const struct ip*)(data + hdr_size), false); zeek::IP_Hdr ip_hdr((const struct ip*)(data + hdr_size), false);
return ip_hdr.ToPktHdrVal(std::move(pkt_hdr), 1); return ip_hdr.ToPktHdrVal(std::move(pkt_hdr), 1);
} }
else if ( l3_proto == L3_IPV6 ) else if ( l3_proto == L3_IPV6 )
{ {
IP_Hdr ip6_hdr((const struct ip6_hdr*)(data + hdr_size), false, cap_len); zeek::IP_Hdr ip6_hdr((const struct ip6_hdr*)(data + hdr_size), false, cap_len);
return ip6_hdr.ToPktHdrVal(std::move(pkt_hdr), 1); return ip6_hdr.ToPktHdrVal(std::move(pkt_hdr), 1);
} }
@ -683,7 +683,7 @@ zeek::ValPtr Packet::FmtEUI48(const u_char* mac) const
void Packet::Describe(ODesc* d) const void Packet::Describe(ODesc* d) const
{ {
const IP_Hdr ip = IP(); const zeek::IP_Hdr ip = IP();
d->Add(ip.SrcAddr()); d->Add(ip.SrcAddr());
d->Add("->"); d->Add("->");
d->Add(ip.DstAddr()); d->Add(ip.DstAddr());

6
src/iosource/Packet.h
View file

@ -24,7 +24,7 @@ using RecordValPtr = zeek::IntrusivePtr<zeek::RecordVal>;
} }
class ODesc; class ODesc;
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
/** /**
* The Layer 3 type of a packet, as determined by the parsing code in Packet. * The Layer 3 type of a packet, as determined by the parsing code in Packet.
@ -130,11 +130,11 @@ public:
* Interprets the Layer 3 of the packet as IP and returns a * Interprets the Layer 3 of the packet as IP and returns a
* correspondign object. * correspondign object.
*/ */
const IP_Hdr IP() const; const zeek::IP_Hdr IP() const;
/** /**
* Returns a \c raw_pkt_hdr RecordVal, which includes layer 2 and * Returns a \c raw_pkt_hdr RecordVal, which includes layer 2 and
* also everything in IP_Hdr (i.e., IP4/6 + TCP/UDP/ICMP). * also everything in zeek::IP_Hdr (i.e., IP4/6 + TCP/UDP/ICMP).
*/ */
zeek::RecordValPtr ToRawPktHdrVal() const; zeek::RecordValPtr ToRawPktHdrVal() const;

16
src/net_util.cc
View file

@ -35,7 +35,7 @@ int ones_complement_checksum(const void* p, int b, uint32_t sum)
return sum; return sum;
} }
int ones_complement_checksum(const IPAddr& a, uint32_t sum) int ones_complement_checksum(const zeek::IPAddr& a, uint32_t sum)
{ {
const uint32_t* bytes; const uint32_t* bytes;
int len = a.GetBytes(&bytes); int len = a.GetBytes(&bytes);
@ -58,7 +58,7 @@ int icmp_checksum(const struct icmp* icmpp, int len)
} }
#ifdef ENABLE_MOBILE_IPV6 #ifdef ENABLE_MOBILE_IPV6
int mobility_header_checksum(const IP_Hdr* ip) int mobility_header_checksum(const zeek::IP_Hdr* ip)
{ {
const ip6_mobility* mh = ip->MobilityHeader(); const ip6_mobility* mh = ip->MobilityHeader();
@ -83,7 +83,7 @@ int mobility_header_checksum(const IP_Hdr* ip)
} }
#endif #endif
int icmp6_checksum(const struct icmp* icmpp, const IP_Hdr* ip, int len) int icmp6_checksum(const struct icmp* icmpp, const zeek::IP_Hdr* ip, int len)
{ {
// ICMP6 uses the same checksum function as ICMP4 but a different // ICMP6 uses the same checksum function as ICMP4 but a different
// pseudo-header over which it is computed. // pseudo-header over which it is computed.
@ -131,8 +131,8 @@ char addr_to_class(uint32_t addr)
return 'A'; return 'A';
} }
const char* fmt_conn_id(const IPAddr& src_addr, uint32_t src_port, const char* fmt_conn_id(const zeek::IPAddr& src_addr, uint32_t src_port,
const IPAddr& dst_addr, uint32_t dst_port) const zeek::IPAddr& dst_addr, uint32_t dst_port)
{ {
static char buffer[512]; static char buffer[512];
@ -144,10 +144,10 @@ const char* fmt_conn_id(const IPAddr& src_addr, uint32_t src_port,
} }
const char* fmt_conn_id(const uint32_t* src_addr, uint32_t src_port, const char* fmt_conn_id(const uint32_t* src_addr, uint32_t src_port,
const uint32_t* dst_addr, uint32_t dst_port) const uint32_t* dst_addr, uint32_t dst_port)
{ {
IPAddr src(IPv6, src_addr, IPAddr::Network); zeek::IPAddr src(IPv6, src_addr, zeek::IPAddr::Network);
IPAddr dst(IPv6, dst_addr, IPAddr::Network); zeek::IPAddr dst(IPv6, dst_addr, zeek::IPAddr::Network);
return fmt_conn_id(src, src_port, dst, dst_port); return fmt_conn_id(src, src_port, dst, dst_port);
} }

16
src/net_util.h
View file

@ -132,28 +132,28 @@ inline int32_t seq_delta(uint32_t a, uint32_t b)
return a - b; return a - b;
} }
class IPAddr; ZEEK_FORWARD_DECLARE_NAMESPACED(IPAddr, zeek);
class IP_Hdr; ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
// Returns the ones-complement checksum of a chunk of b short-aligned bytes. // Returns the ones-complement checksum of a chunk of b short-aligned bytes.
extern int ones_complement_checksum(const void* p, int b, uint32_t sum); extern int ones_complement_checksum(const void* p, int b, uint32_t sum);
extern int ones_complement_checksum(const IPAddr& a, uint32_t sum); extern int ones_complement_checksum(const zeek::IPAddr& a, uint32_t sum);
extern int icmp6_checksum(const struct icmp* icmpp, const IP_Hdr* ip, int len); extern int icmp6_checksum(const struct icmp* icmpp, const zeek::IP_Hdr* ip, int len);
extern int icmp_checksum(const struct icmp* icmpp, int len); extern int icmp_checksum(const struct icmp* icmpp, int len);
#ifdef ENABLE_MOBILE_IPV6 #ifdef ENABLE_MOBILE_IPV6
extern int mobility_header_checksum(const IP_Hdr* ip); extern int mobility_header_checksum(const zeek::IP_Hdr* ip);
#endif #endif
// Returns 'A', 'B', 'C' or 'D' // Returns 'A', 'B', 'C' or 'D'
extern char addr_to_class(uint32_t addr); extern char addr_to_class(uint32_t addr);
extern const char* fmt_conn_id(const IPAddr& src_addr, uint32_t src_port, extern const char* fmt_conn_id(const zeek::IPAddr& src_addr, uint32_t src_port,
const IPAddr& dst_addr, uint32_t dst_port); const zeek::IPAddr& dst_addr, uint32_t dst_port);
extern const char* fmt_conn_id(const uint32_t* src_addr, uint32_t src_port, extern const char* fmt_conn_id(const uint32_t* src_addr, uint32_t src_port,
const uint32_t* dst_addr, uint32_t dst_port); const uint32_t* dst_addr, uint32_t dst_port);
/** /**
* Given a MAC address, formats it in hex as 00:de:ad:be:ef. * Given a MAC address, formats it in hex as 00:de:ad:be:ef.

12
src/rule-parse.y
View file

@ -81,8 +81,8 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
Rule* rule; Rule* rule;
RuleHdrTest* hdr_test; RuleHdrTest* hdr_test;
maskedvalue_list* vallist; maskedvalue_list* vallist;
std::vector<IPPrefix>* prefix_val_list; std::vector<zeek::IPPrefix>* prefix_val_list;
IPPrefix* prefixval; zeek::IPPrefix* prefixval;
bool bl; bool bl;
int val; int val;
@ -318,12 +318,12 @@ prefix_value_list:
} }
| prefix_value | prefix_value
{ {
$$ = new std::vector<IPPrefix>(); $$ = new std::vector<zeek::IPPrefix>();
$$->push_back(*($1)); $$->push_back(*($1));
} }
| TOK_IDENT | TOK_IDENT
{ {
$$ = new std::vector<IPPrefix>(); $$ = new std::vector<zeek::IPPrefix>();
id_to_maskedvallist($1, 0, $$); id_to_maskedvallist($1, 0, $$);
} }
; ;
@ -331,8 +331,8 @@ prefix_value_list:
prefix_value: prefix_value:
TOK_IP TOK_IP
{ {
$$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host), $$ = new zeek::IPPrefix(zeek::IPAddr(IPv4, &($1.val), zeek::IPAddr::Host),
ip4_mask_to_len($1.mask)); ip4_mask_to_len($1.mask));
} }
| TOK_IP6 | TOK_IP6
; ;

4
src/rule-scan.l
View file

@ -42,14 +42,14 @@ PID {PIDCOMPONENT}(::{PIDCOMPONENT})*
} }
{IP6} { {IP6} {
rules_lval.prefixval = new IPPrefix(IPAddr(extract_ip(yytext)), 128, true); rules_lval.prefixval = new zeek::IPPrefix(zeek::IPAddr(extract_ip(yytext)), 128, true);
return TOK_IP6; return TOK_IP6;
} }
{IP6}{OWS}"/"{OWS}{D} { {IP6}{OWS}"/"{OWS}{D} {
int len = 0; int len = 0;
std::string ip = extract_ip_and_len(yytext, &len); std::string ip = extract_ip_and_len(yytext, &len);
rules_lval.prefixval = new IPPrefix(IPAddr(ip), len, true); rules_lval.prefixval = new zeek::IPPrefix(zeek::IPAddr(ip), len, true);
return TOK_IP6; return TOK_IP6;
} }

4
src/scan.l
View file

@ -181,7 +181,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
{IP6}{OWS}"/"{OWS}{D} { {IP6}{OWS}"/"{OWS}{D} {
int len = 0; int len = 0;
std::string ip = extract_ip_and_len(yytext, &len); std::string ip = extract_ip_and_len(yytext, &len);
RET_CONST(new zeek::SubNetVal(IPPrefix(IPAddr(ip), len, true))) RET_CONST(new zeek::SubNetVal(zeek::IPPrefix(zeek::IPAddr(ip), len, true)))
} }
/* IPv4 literal constant patterns */ /* IPv4 literal constant patterns */
@ -190,7 +190,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
({D}"."){3}{D}{OWS}"/"{OWS}{D} { ({D}"."){3}{D}{OWS}"/"{OWS}{D} {
int len = 0; int len = 0;
std::string ip = extract_ip_and_len(yytext, &len); std::string ip = extract_ip_and_len(yytext, &len);
RET_CONST(new zeek::SubNetVal(IPPrefix(IPAddr(ip), len))) RET_CONST(new zeek::SubNetVal(zeek::IPPrefix(zeek::IPAddr(ip), len)))
} }
[!%*/+\-,:;<=>?()\[\]{}~$|&^] return yytext[0]; [!%*/+\-,:;<=>?()\[\]{}~$|&^] return yytext[0];

12
src/threading/SerialTypes.cc
View file

@ -475,14 +475,14 @@ zeek::Val* Value::ValueToVal(const std::string& source, const Value* val, bool&
case zeek::TYPE_ADDR: case zeek::TYPE_ADDR:
{ {
IPAddr* addr = nullptr; zeek::IPAddr* addr = nullptr;
switch ( val->val.addr_val.family ) { switch ( val->val.addr_val.family ) {
case IPv4: case IPv4:
addr = new IPAddr(val->val.addr_val.in.in4); addr = new zeek::IPAddr(val->val.addr_val.in.in4);
break; break;
case IPv6: case IPv6:
addr = new IPAddr(val->val.addr_val.in.in6); addr = new zeek::IPAddr(val->val.addr_val.in.in6);
break; break;
default: default:
@ -496,14 +496,14 @@ zeek::Val* Value::ValueToVal(const std::string& source, const Value* val, bool&
case zeek::TYPE_SUBNET: case zeek::TYPE_SUBNET:
{ {
IPAddr* addr = nullptr; zeek::IPAddr* addr = nullptr;
switch ( val->val.subnet_val.prefix.family ) { switch ( val->val.subnet_val.prefix.family ) {
case IPv4: case IPv4:
addr = new IPAddr(val->val.subnet_val.prefix.in.in4); addr = new zeek::IPAddr(val->val.subnet_val.prefix.in.in4);
break; break;
case IPv6: case IPv6:
addr = new IPAddr(val->val.subnet_val.prefix.in.in6); addr = new zeek::IPAddr(val->val.subnet_val.prefix.in.in6);
break; break;
default: default:

2
src/threading/SerialTypes.h
View file

@ -210,7 +210,7 @@ struct Value {
static zeek::Val* ValueToVal(const std::string& source, const threading::Value* val, bool& have_error); static zeek::Val* ValueToVal(const std::string& source, const threading::Value* val, bool& have_error);
private: private:
friend class ::IPAddr; friend class IPAddr;
Value(const Value& other) = delete; Value(const Value& other) = delete;
}; };

36
src/zeek.bif
View file

@ -2046,7 +2046,7 @@ function is_local_interface%(ip: addr%) : bool
if ( ip->AsAddr().IsLoopback() ) if ( ip->AsAddr().IsLoopback() )
return zeek::val_mgr->True(); return zeek::val_mgr->True();
list<IPAddr> addrs; list<zeek::IPAddr> addrs;
char host[MAXHOSTNAMELEN]; char host[MAXHOSTNAMELEN];
@ -2059,8 +2059,8 @@ function is_local_interface%(ip: addr%) : bool
if ( ent ) if ( ent )
{ {
for ( unsigned int len = 0; ent->h_addr_list[len]; ++len ) for ( unsigned int len = 0; ent->h_addr_list[len]; ++len )
addrs.push_back(IPAddr(IPv4, (uint32_t*)ent->h_addr_list[len], addrs.push_back(zeek::IPAddr(IPv4, (uint32_t*)ent->h_addr_list[len],
IPAddr::Network)); zeek::IPAddr::Network));
} }
ent = gethostbyname2(host, AF_INET6); ent = gethostbyname2(host, AF_INET6);
@ -2068,11 +2068,11 @@ function is_local_interface%(ip: addr%) : bool
if ( ent ) if ( ent )
{ {
for ( unsigned int len = 0; ent->h_addr_list[len]; ++len ) for ( unsigned int len = 0; ent->h_addr_list[len]; ++len )
addrs.push_back(IPAddr(IPv6, (uint32_t*)ent->h_addr_list[len], addrs.push_back(zeek::IPAddr(IPv6, (uint32_t*)ent->h_addr_list[len],
IPAddr::Network)); zeek::IPAddr::Network));
} }
list<IPAddr>::const_iterator it; list<zeek::IPAddr>::const_iterator it;
for ( it = addrs.begin(); it != addrs.end(); ++it ) for ( it = addrs.begin(); it != addrs.end(); ++it )
{ {
if ( *it == ip->AsAddr() ) if ( *it == ip->AsAddr() )
@ -2241,7 +2241,7 @@ function routing0_data_to_addrs%(s: string%): addr_vec
while ( len > 0 ) while ( len > 0 )
{ {
IPAddr a(IPv6, (const uint32_t*) bytes, IPAddr::Network); zeek::IPAddr a(IPv6, (const uint32_t*) bytes, zeek::IPAddr::Network);
rval->Assign(rval->Size(), zeek::make_intrusive<zeek::AddrVal>(a)); rval->Assign(rval->Size(), zeek::make_intrusive<zeek::AddrVal>(a));
bytes += 16; bytes += 16;
len -= 16; len -= 16;
@ -2484,11 +2484,11 @@ function to_addr%(ip: string%): addr
zeek::ValPtr ret; zeek::ValPtr ret;
in6_addr tmp; in6_addr tmp;
if ( IPAddr::ConvertString(s, &tmp) ) if ( zeek::IPAddr::ConvertString(s, &tmp) )
ret = zeek::make_intrusive<zeek::AddrVal>(IPAddr(tmp)); ret = zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(tmp));
else else
{ {
ret = zeek::make_intrusive<zeek::AddrVal>(IPAddr()); ret = zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr());
zeek::emit_builtin_error("failed converting string to IP address", ip); zeek::emit_builtin_error("failed converting string to IP address", ip);
} }
@ -2504,7 +2504,7 @@ function to_addr%(ip: string%): addr
function is_valid_ip%(ip: string%): bool function is_valid_ip%(ip: string%): bool
%{ %{
char* s = ip->AsString()->Render(); char* s = ip->AsString()->Render();
auto rval = IPAddr::IsValid(s); auto rval = zeek::IPAddr::IsValid(s);
delete [] s; delete [] s;
return zeek::val_mgr->Bool(rval); return zeek::val_mgr->Bool(rval);
%} %}
@ -3206,9 +3206,9 @@ function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
## .. zeek:see:: mask_addr ## .. zeek:see:: mask_addr
function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
%{ %{
IPAddr addr1(a1->AsAddr()); zeek::IPAddr addr1(a1->AsAddr());
addr1.Mask(top_bits_from_a1); addr1.Mask(top_bits_from_a1);
IPAddr addr2(a2->AsAddr()); zeek::IPAddr addr2(a2->AsAddr());
addr2.ReverseMask(top_bits_from_a1); addr2.ReverseMask(top_bits_from_a1);
return zeek::make_intrusive<zeek::AddrVal>(addr1|addr2); return zeek::make_intrusive<zeek::AddrVal>(addr1|addr2);
%} %}
@ -3375,9 +3375,9 @@ const char* conn_id_string(zeek::Val* c)
const auto& id = (*(c->AsRecord()))[0]; const auto& id = (*(c->AsRecord()))[0];
auto vl = id->AsRecord(); auto vl = id->AsRecord();
const IPAddr& orig_h = (*vl)[0]->AsAddr(); const zeek::IPAddr& orig_h = (*vl)[0]->AsAddr();
uint32_t orig_p = (*vl)[1]->AsPortVal()->Port(); uint32_t orig_p = (*vl)[1]->AsPortVal()->Port();
const IPAddr& resp_h = (*vl)[2]->AsAddr(); const zeek::IPAddr& resp_h = (*vl)[2]->AsAddr();
uint32_t resp_p = (*vl)[3]->AsPortVal()->Port(); uint32_t resp_p = (*vl)[3]->AsPortVal()->Port();
return fmt("%s/%u -> %s/%u\n", orig_h.AsString().c_str(), orig_p, return fmt("%s/%u -> %s/%u\n", orig_h.AsString().c_str(), orig_p,
@ -3859,7 +3859,7 @@ static void mmdb_check_asn()
} }
} }
static bool mmdb_lookup(const IPAddr& addr, MMDB_lookup_result_s& result, static bool mmdb_lookup(const zeek::IPAddr& addr, MMDB_lookup_result_s& result,
bool asn) bool asn)
{ {
struct sockaddr_storage ss = {0}; struct sockaddr_storage ss = {0};
@ -3893,12 +3893,12 @@ static bool mmdb_lookup(const IPAddr& addr, MMDB_lookup_result_s& result,
return result.found_entry; return result.found_entry;
} }
static bool mmdb_lookup_loc(const IPAddr& addr, MMDB_lookup_result_s& result) static bool mmdb_lookup_loc(const zeek::IPAddr& addr, MMDB_lookup_result_s& result)
{ {
return mmdb_lookup(addr, result, false); return mmdb_lookup(addr, result, false);
} }
static bool mmdb_lookup_asn(const IPAddr& addr, MMDB_lookup_result_s& result) static bool mmdb_lookup_asn(const zeek::IPAddr& addr, MMDB_lookup_result_s& result)
{ {
return mmdb_lookup(addr, result, true); return mmdb_lookup(addr, result, true);
} }