Remove unused software_version_found events

- software_version_found
- software_unparsed_version_found
- software_parse_error

NEWS

@@ -406,6 +406,9 @@ Removed Functionality
     - ``remote_log``
     - ``finished_send_state``
     - ``remote_pong``
+    - ``software_version_found``
+    - ``software_unparsed_version_found``
+    - ``software_parse_error``
 
 - The following types/records were deprecated in version 2.6 or below and are
   removed from this release:
@@ -413,6 +416,8 @@ Removed Functionality
     - ``peer_id``
     - ``event_peer``
     - ``packet``
+    - ``software``
+    - ``software_version``
 
 - The following configuration options were deprecated in version 2.6 or below and are
   removed from this release:

scripts/base/init-bare.zeek

@@ -3930,26 +3930,6 @@ type signature_state: record {
 	payload_size: count;	##< Payload size of the first matching packet of current endpoint.
 };
 
-# Deprecated.
-#
-# .. todo:: This type is no longer used. Remove any reference of this from the
-#    core.
-type software_version: record {
-	major: int;
-	minor: int;
-	minor2: int;
-	addl: string;
-};
-
-# Deprecated.
-#
-# .. todo:: This type is no longer used. Remove any reference of this from the
-#    core.
-type software: record {
-	name: string;
-	version: software_version;
-};
-
 # Type used to report load samples via :zeek:see:`load_sample`. For now, it's a
 # set of names (event names, source file names, and perhaps ``<source file, line
 # number>``), which were seen during the sample.

src/Conn.cc

@@ -448,173 +448,6 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
 		primary_PIA->Match(type, data, len, is_orig, bol, eol, clear_state);
 	}
 
-Val* Connection::BuildVersionVal(const char* s, int len)
-	{
-	Val* name = 0;
-	Val* major = 0;
-	Val* minor = 0;
-	Val* minor2 = 0;
-	Val* addl = 0;
-
-	const char* last = s + len;
-	const char* e = s;
-
-	// This is all just a guess...
-
-	// Eat non-alpha-numerical chars.
-	for ( ; s < last && ! isalnum(*s); ++s )
-		;
-
-	// Leading characters are the program name.
-	// (first character must not be a digit)
-	if ( isalpha(*s) )
-		{
-		for ( e = s; e < last && ! is_version_sep(e, last); ++e )
-			;
-
-		if ( s != e )
-			name = new StringVal(e - s, s);
-		}
-
-	// Find first number - that's the major version.
-	for ( s = e; s < last && ! isdigit(*s); ++s )
-		;
-	for ( e = s; e < last && isdigit(*e); ++e )
-		;
-
-	if ( s != e )
-		major = val_mgr->GetInt(atoi(s));
-
-	// Find second number seperated only by punctuation chars -
-	// that's the minor version.
-	for ( s = e; s < last && ispunct(*s); ++s )
-		;
-	for ( e = s; e < last && isdigit(*e); ++e )
-		;
-
-	if ( s != e )
-		minor = val_mgr->GetInt(atoi(s));
-
-	// Find second number seperated only by punctuation chars; -
-	// that's the minor version.
-	for ( s = e; s < last && ispunct(*s); ++s )
-		;
-	for ( e = s; e < last && isdigit(*e); ++e )
-		;
-
-	if ( s != e )
-		minor2 = val_mgr->GetInt(atoi(s));
-
-	// Anything after following punctuation and until next white space is
-	// an additional version string.
-	for ( s = e; s < last && ispunct(*s); ++s )
-		;
-	for ( e = s; e < last && ! isspace(*e); ++e )
-		;
-
-	if ( s != e )
-		addl = new StringVal(e - s, s);
-
-	// If we do not have a name yet, the next alphanumerical string is it.
-	if ( ! name )
-		{ // eat non-alpha-numerical characters
-		for ( s = e; s < last && ! isalpha(*s); ++s )
-			;
-
-		// Get name.
-		for ( e = s; e < last && (isalnum(*e) || *e == '_'); ++e )
-			;
-
-		if ( s != e )
-			name = new StringVal(e - s, s);
-		}
-
-	// We need at least a name.
-	if ( ! name )
-		{
-		Unref(major);
-		Unref(minor);
-		Unref(minor2);
-		Unref(addl);
-		return 0;
-		}
-
-	RecordVal* version = new RecordVal(software_version);
-	version->Assign(0, major ? major : val_mgr->GetInt(-1));
-	version->Assign(1, minor ? minor : val_mgr->GetInt(-1));
-	version->Assign(2, minor2 ? minor2 : val_mgr->GetInt(-1));
-	version->Assign(3, addl ? addl : val_mgr->GetEmptyString());
-
-	RecordVal* sw = new RecordVal(software);
-	sw->Assign(0, name);
-	sw->Assign(1, version);
-
-	return sw;
-	}
-
-int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
-					analyzer::Analyzer* analyzer)
-	{
-	if ( ! software_version_found && ! software_parse_error )
-		return 1;
-
-	if ( ! is_printable(s, len) )
-		return 0;
-
-	Val* val = BuildVersionVal(s, len);
-	if ( ! val )
-		{
-		if ( software_parse_error )
-			{
-			ConnectionEventFast(software_parse_error, analyzer, {
-				BuildConnVal(),
-				new AddrVal(addr),
-				new StringVal(len, s),
-			});
-			}
-		return 0;
-		}
-
-	if ( software_version_found )
-		{
-		ConnectionEventFast(software_version_found, 0, {
-			BuildConnVal(),
-			new AddrVal(addr),
-			val,
-			new StringVal(len, s),
-		});
-		}
-	else
-		Unref(val);
-
-	return 1;
-	}
-
-int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
-					const char* full, int len, analyzer::Analyzer* analyzer)
-	{
-	// Skip leading white space.
-	while ( len && isspace(*full) )
-		{
-		--len;
-		++full;
-		}
-
-	if ( ! is_printable(full, len) )
-		return 0;
-
-	if ( software_unparsed_version_found )
-		{
-		ConnectionEventFast(software_unparsed_version_found, analyzer, {
-			BuildConnVal(),
-			new AddrVal(addr),
-			new StringVal(len, full),
-		});
-		}
-
-	return 1;
-	}
-
 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
 	{
 	if ( ! f )

src/Conn.h

@@ -160,18 +160,6 @@ public:
 	void Match(Rule::PatternType type, const u_char* data, int len,
 			bool is_orig, bool bol, bool eol, bool clear_state);
 
-	// Tries really hard to extract a program name and a version.
-	Val* BuildVersionVal(const char* s, int len);
-
-	// Raises a software_version_found event based on the
-	// given string (returns false if it's not parseable).
-	int VersionFoundEvent(const IPAddr& addr, const char* s, int len,
-				analyzer::Analyzer* analyzer = 0);
-
-	// Raises a software_unparsed_version_found event.
-	int UnparsedVersionFoundEvent(const IPAddr& addr,
-			const char* full_descr, int len, analyzer::Analyzer* analyzer);
-
 	// If a handler exists for 'f', an event will be generated.  If 'name' is
 	// given that event's first argument will be it, and it's second will be
 	// the connection value.  If 'name' is null, then the event's first

src/NetVar.cc

@@ -138,9 +138,6 @@ double backdoor_stat_backoff;
 
 RecordType* backdoor_endp_stats;
 
-RecordType* software;
-RecordType* software_version;
-
 double table_expire_interval;
 double table_expire_delay;
 int table_incremental_step;
@@ -408,9 +405,6 @@ void init_net_var()
 	backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff");
 	backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType();
 
-	software = internal_type("software")->AsRecordType();
-	software_version = internal_type("software_version")->AsRecordType();
-
 	orig_addr_anonymization = opt_internal_int("orig_addr_anonymization");
 	resp_addr_anonymization = opt_internal_int("resp_addr_anonymization");
 	other_addr_anonymization = opt_internal_int("other_addr_anonymization");

src/NetVar.h

@@ -141,9 +141,6 @@ extern double backdoor_stat_backoff;
 
 extern RecordType* backdoor_endp_stats;
 
-extern RecordType* software;
-extern RecordType* software_version;
-
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;

src/analyzer/protocol/http/HTTP.cc

@@ -1640,17 +1640,6 @@ int HTTP_Analyzer::ExpectReplyMessageBody()
 
 void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 	{
-#if 0
-	// ### Only call ParseVersion if we're tracking versions:
-	if ( istrequal(h->get_name(), "server") )
-		ParseVersion(h->get_value(),
-				(is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), false);
-
-	else if ( istrequal(h->get_name(), "user-agent") )
-		ParseVersion(h->get_value(),
-				(is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), true);
-#endif
-
 	// To be "liberal", we only look at "keep-alive" on the client
 	// side, and if seen assume the connection to be persistent.
 	// This seems fairly safe - at worst, the client does indeed
@@ -1702,127 +1691,6 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 		}
 	}
 
-void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
-				bool user_agent)
-	{
-	int len = ver.length;
-	const char* data = ver.data;
-
-	if ( software_unparsed_version_found )
-		Conn()->UnparsedVersionFoundEvent(host, data, len, this);
-
-	// The RFC defines:
-	//
-	//	product		= token ["/" product-version]
-	//	product-version = token
-	//	Server		= "Server" ":" 1*( product | comment )
-
-	int offset;
-	data_chunk_t product, product_version;
-	int num_version = 0;
-
-	while ( len > 0 )
-		{
-		// Skip white space.
-		while ( len && mime::is_lws(*data) )
-			{
-			++data;
-			--len;
-			}
-
-		// See if a comment is coming next. For User-Agent,
-		// we parse it, too.
-		if ( user_agent && len && *data == '(' )
-			{
-			// Find end of comment.
-			const char* data_start = data;
-			const char* eoc =
-				data + mime::MIME_skip_lws_comments(len, data);
-
-			// Split into parts.
-			// (This may get confused by nested comments,
-			// but we ignore this for now.)
-			const char* eot;
-			++data;
-			while ( 1 )
-				{
-				// Eat spaces.
-				while ( data < eoc && mime::is_lws(*data) )
-					++data;
-
-				// Find end of token.
-				for ( eot = data;
-				      eot < eoc && *eot != ';' && *eot != ')';
-				      ++eot )
-					;
-
-				if ( eot == eoc )
-					break;
-
-				// Delete spaces at end of token.
-				for ( ; eot > data && mime::is_lws(*(eot-1)); --eot )
-					;
-
-				if ( data != eot && software_version_found )
-					Conn()->VersionFoundEvent(host, data, eot - data, this);
-				data = eot + 1;
-				}
-
-			len -= eoc - data_start;
-			data = eoc;
-			continue;
-			}
-
-		offset = mime::MIME_get_slash_token_pair(len, data,
-						&product, &product_version);
-		if ( offset < 0 )
-			{
-			// I guess version detection is best-effort,
-			// so we do not complain in the final version
-			if ( num_version == 0 )
-				HTTP_Event("bad_HTTP_version",
-						mime::new_string_val(len, data));
-
-			// Try to simply skip next token.
-			offset = mime::MIME_get_token(len, data, &product);
-			if ( offset < 0 )
-				break;
-
-			len -= offset;
-			data += offset;
-			}
-
-		else
-			{
-			len -= offset;
-			data += offset;
-
-			int version_len =
-				product.length + 1 + product_version.length;
-
-			char* version_str = new char[version_len+1];
-			char* s = version_str;
-
-			memcpy(s, product.data, product.length);
-
-			s += product.length;
-			*(s++) = '/';
-
-			memcpy(s, product_version.data, product_version.length);
-
-			s += product_version.length;
-			*s = 0;
-
-			if ( software_version_found )
-				Conn()->VersionFoundEvent(host,	version_str,
-							version_len, this);
-
-			delete [] version_str;
-			++num_version;
-			}
-		}
-	}
-
 void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )

src/analyzer/protocol/http/HTTP.h

@@ -220,7 +220,6 @@ protected:
 
 	const BroString* UnansweredRequestMethod();
 
-	void ParseVersion(data_chunk_t ver, const IPAddr& host, bool user_agent);
 	int HTTP_ReplyCode(const char* code_str);
 	int ExpectReplyMessageBody();
 

src/event.bif

@@ -530,59 +530,6 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 ##       triggering the match will be passed on to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
 
-## Generated when a protocol analyzer finds an identification of a software
-## used on a system. This is a protocol-independent event that is fed by
-## different analyzers. For example, the HTTP analyzer reports user-agent and
-## server software by raising this event, assuming it can parse it (if not,
-## :zeek:id:`software_parse_error` will be generated instead).
-##
-## c: The connection.
-##
-## host: The host running the reported software.
-##
-## s: A description of the software found.
-##
-## descr: The raw (unparsed) software identification string as extracted from
-##        the protocol.
-##
-## .. zeek:see:: software_parse_error software_unparsed_version_found
-event software_version_found%(c: connection, host: addr,
-			      s: software, descr: string%);
-
-## Generated when a protocol analyzer finds an identification of a software
-## used on a system but cannot parse it. This is a protocol-independent event
-## that is fed by different analyzers. For example, the HTTP analyzer reports
-## user-agent and server software by raising this event if it cannot parse them
-## directly (if it can :zeek:id:`software_version_found` will be generated
-## instead).
-##
-## c: The connection.
-##
-## host: The host running the reported software.
-##
-## descr: The raw (unparsed) software identification string as extracted from
-##        the protocol.
-##
-## .. zeek:see:: software_version_found software_unparsed_version_found
-event software_parse_error%(c: connection, host: addr, descr: string%);
-
-## Generated when a protocol analyzer finds an identification of a software
-## used on a system. This is a protocol-independent event that is fed by
-## different analyzers. For example, the HTTP analyzer reports user-agent and
-## server software by raising this event. Different from
-## :zeek:id:`software_version_found`  and :zeek:id:`software_parse_error`, this
-## event is always raised, independent of whether Zeek can parse the version
-## string.
-##
-## c: The connection.
-##
-## host: The host running the reported software.
-##
-## str: The software identification string as extracted from the protocol.
-##
-## .. zeek:see:: software_parse_error software_version_found
-event software_unparsed_version_found%(c: connection, host: addr, str: string%);
-
 ## Generated each time Zeek's internal profiling log is updated. The file is
 ## defined by :zeek:id:`profiling_file`, and its update frequency by
 ## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.